💾 Archived View for perso.pw › blog › articles › openbsd-authpf.gmi captured on 2023-06-16 at 16:19:25. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-05-24)
-=-=-=-=-=-=-
A neat feature in OpenBSD is the program authpf, an authenticating gateway using SSH.
Basically, it allows to dynamically configure the local firewall PF by connecting/disconnecting into a user account over SSH, either to toggle an IP into a table or rules through a PF anchor.
This program is very useful for the following use case:
Of course, you can be creative and imagine other use cases.
This method is actually different from using a VPN, it doesn't have encryption extra cost but is less secure in the sense it only authenticates an IP or username, so if you use it over the Internet, the triggered rule may also benefit to people using the same IP as yours. However, it's much simpler to set up because users only have to share their public SSH key, while setting up a VPN is another level of complexity and troubleshooting.
In the following example, you manage a small office OpenBSD router, but you only want Chloe's workstation to reach the Internet with the NAT. We need to create her a dedicated account, set the shell to authpf, deploy her SSH key and configure PF.
# useradd -m -s /usr/sbin/authpf chloe # echo "$ssh_key" >> ~chloe/.ssh/authorized_keys # touch /etc/authpf/authpf.conf /etc/authpf/authpf/rules
Now, you can edit `/etc/pf.conf` and use the default table name `authpf_users`. With the following PF snippet, we will only allow authenticated users to go through the NAT.
table <authpf_users> persist match out on egress inet from <authpf_users> to any nat-to (egress)
Reload your firewall, and when Chloe will connect, she will be able to go through the NAT.
The program authpf is an efficient tool for the network administrator's toolbox. And with the use of PF anchors, you can really extend its potential as you want, it's really not limited to tables.
The man page contains a lot of extra information for customization, you should definitely read it if you plan to use authpf.
It's possible to ban users, for various reasons you may want to block someone with a message asking to reach the help desk. This can be done by creating a file name after the username, like in the following example for user `chloe`: `/etc/authpf/banned/chloe`, the file text content will be displayed to the user upon connection.
It's possible to write a custom greeting message displayed upon connection, this can be global or per user, just write a message in `/etc/authpf/authpf.message` for a global one, or `/etc/authpf/users/chloe/authpf.message` for user `chloe`.