Date: Thu, 5 Jul 2007 10:11:58 -0300 From: "Gilberto Villani Brito" <linux@giboia.org> To: "FreeBSD (PF)" <freebsd-pf@freebsd.org> Subject: Re: Issue with PF on FreeBSD 6.2.5? Message-ID: <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> In-Reply-To: <20070705062546.BF688267E13@mx.levier.org> References: <20070705062546.BF688267E13@mx.levier.org>
On 05/07/07, Laurent LEVIER <llevier@argosnet.com> wrote:
> Hi All,
>
> I am currently setting up a ChilliSpot server using the conup/condown command.
> Since the LAN will also be publicly available, I am using Chilli as UAM.
>
> These con* scripts are launched with additional arguments (IP address, device)
> when a user is authenticated on the HotSpot.
> This way, I can update firewall rules dynamically to allow the authenticated
> user to pass... or to no longer pass when the session is over.
>
> Apparently, the best way to solve this with pf is to use tables, since an
> anchor permits adding a rule, but not deleting the added rule (at least I did
> not find how to).
>
> But it seems it does not fully work for me.
> If you read my pf.conf file at the end of this email, you will see I created a
> table "public_granted" that is associated with 2 rules:
> 1) a rdr to redirect to Squid transparently (the rule is before the one
>    redirecting transparently to the Chilli authentication server)
> 2) a pass in quick rule to allow the new user to pass through.
>
> The problem I have is:
> - When the public_granted table is updated with a new IP address, pf lets the
>   user pass through.
> - But when I delete this IP address from the table, pf keeps allowing the user
>   to pass through.
>
> I appreciate all advice to help me solve this weird situation.
>
> Thanks in advance
>
> My pf.conf:
>
> ### Options
> # pf configuration
> set block-policy return
> set state-policy if-bound
>
> # localhost
> set skip on lo0
>
> ### Declarations
> # Interface declaration
> if_ext="nve0"   # Internet Interface
> if_int="bge0"   # Public access Interface
> if_wifi="tun0"  # WiFi Hotspot Interface
>
> # Subnets declaration
> net_public="192.168.254.0/24"
> net_wifi_admin="192.168.253.252/30"
>
> # IP declaration
> ip_ext_me="192.168.0.100"
> ip_wifi_me="192.168.254.1"
> ip_wifi_admin_me="192.168.253.253"
> ip_hotspot="192.168.253.254"
>
> ### Tables!
> table <public_granted>
>
> ### Redirections
> # Squid redirection for authenticated users on Public
> rdr on $if_int proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
> rdr on $if_wifi proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
> # Authentication portal for Public
> rdr on $if_int proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
> rdr on $if_wifi proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
>
> ### NAT
> # Public to me on Internet side
> nat on $if_ext from $net_public to any -> $ip_ext_me
>
> ### Filtering
> # Hotspot is a typical network client
> pass out quick from any to any keep state
>
> # Who can admin me?
> pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22
>
> ## Logs from Public access side
> # Syslog from access point sent to me
> pass in log quick on $if_int proto udp from $ip_hotspot to $ip_wifi_admin_me port = 514
>
> # DHCP
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 67
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 68
>
> # DNS for Public
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 53
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 53
> # DNS for WiFi
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 53
> pass in log quick on $if_wifi proto udp from $net_public to $ip_wifi_me port = 53
>
> # Authentication portal for Public
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 3990
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 443
> # Authentication portal for WiFi
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 3990
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 443
>
> # Ping is granted to authenticated users (public_granted table)
> pass in log quick on $if_wifi proto icmp from <public_granted> to $ip_wifi_me keep state
>
> # Closing rule for Public & WiFi
> block in log quick from any to $ip_wifi_me
> block in log quick from any to $ip_wifi_admin_me
>
> ## HotSpot LAN configuration
> # Table public_granted: contains granted users on Radius
> pass in log quick on $if_int from <public_granted> to any keep state
> pass in log quick on $if_wifi from <public_granted> to any keep state
>
> # Finally block & log everything
> block in log from any to any
>
> Laurent LEVIER
> Systems & Networks Senior Security Expert, CISSP CISM

Hi Laurent,

I have the same problem, but this is because PF works with sessions: at the end of a session it will block the next session.

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
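What Gilberto describes is pf's normal state handling, and it explains Laurent's symptom: the rule set (tables included) is consulted only for the packet that creates a state, so removing an address from <public_granted> stops the client's new connections while its established states keep passing traffic until they time out. The fix in a conup/condown hook is to kill the client's states together with the table entry. The script below is an added example for this thread, not code from either poster, from ChilliSpot or from the pf.conf above; the script name, the `up|down <client-ip>` calling convention and the TABLE/PFCTL variables are assumptions.

```shell
#!/bin/sh
# pf_session.sh: hotspot session hook for the pf.conf above (added example,
# not code from the thread or from ChilliSpot).  Call it from conup/condown as
#     pf_session.sh up   <client-ip>
#     pf_session.sh down <client-ip>
# The script name, argument order and the TABLE/PFCTL variables are assumptions.
set -eu

TABLE="${TABLE:-public_granted}"   # the <public_granted> table from pf.conf
PFCTL="${PFCTL:-/sbin/pfctl}"      # set PFCTL=echo for a dry run

# Accept only a dotted-quad IPv4 address.  The argument comes from the hotspot
# daemon and ends up on a root command line, so anything else is rejected.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    unset IFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print, one per line, the pfctl commands for a session event.  Printing instead
# of executing keeps the logic checkable; run_session executes the lines.
session_cmds() {
    case $1 in
        up)
            # Only rule evaluation is affected: the entry makes the rdr and
            # "pass in ... from <public_granted>" rules match the client's
            # next connections.
            printf '%s -t %s -T add %s\n' "$PFCTL" "$TABLE" "$2"
            ;;
        down)
            # Deleting the entry is not enough: pf consults the rule set only
            # for the packet that creates a state, and the client's existing
            # states keep passing traffic until they time out.  Kill the
            # states originating from the client and those going to it.
            printf '%s -t %s -T delete %s\n' "$PFCTL" "$TABLE" "$2"
            printf '%s -k %s\n' "$PFCTL" "$2"
            printf '%s -k 0.0.0.0/0 -k %s\n' "$PFCTL" "$2"
            ;;
        *)
            printf 'usage: %s up|down <client-ip>\n' "$0" >&2
            return 2
            ;;
    esac
}

# Validate, then execute each command line.  The unquoted expansion splits on
# purpose: every field is either the validated address or a fixed string above.
run_session() {
    valid_ipv4 "$2" || { printf 'refusing bad address: %s\n' "$2" >&2; return 1; }
    session_cmds "$1" "$2" | while IFS= read -r cmd; do
        $cmd
    done
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then
    run_session "$1" "$2"
fi
```

After a `down` event, check both sides of the change: `pfctl -t public_granted -T show` should no longer list the address, and `pfctl -ss | grep <client-ip>` should return nothing, including for the NAT'd states on $if_ext. If a state still shows up, that state, not the table, is what is letting the user through.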