Use PF to keep unauthorized users off the network.
Firewalling gateways have traditionally been used to block traffic from specific services or machines. Instead of watching IP addresses and port numbers, an authenticated gateway allows you to regulate traffic to or from machines based on a user’s credentials. With an authenticated gateway, a user will have to log in and authenticate himself to the gateway in order to gain access to the protected network. This can be useful in many situations, such as restricting Internet access or restricting a wireless segment to be used only by authorized users.
With the release of OpenBSD 3.1, you can implement this functionality through the use of PF and the authpf shell. authpf also provides an audit trail by logging usernames, originating IP addresses, and the time that they authenticated with the gateway, as well as when they logged off the gateway.
To set up authentication with authpf, you'll first need to create an account on the gateway for each user. Specify authpf as that user's login shell, and be sure to add authpf as a valid shell in /etc/shells. When a user logs in, authpf will obtain the user's name and IP address through the environment.
After doing this, a template file containing NAT and filter rules is read in, and the username and IP address are applied to it. The resulting rules are then added to the running configuration. When the user logs out (i.e., types ^C), the rules ...
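The account check and the template expansion described above, as an added example that is not from this page or from OpenBSD's own authpf code: a small POSIX shell model that (1) verifies a user's login shell is /usr/sbin/authpf and that this shell is listed in /etc/shells, the two conditions a login via authpf depends on, and (2) renders a per-user rule set from a template by substituting the `$user_id` and `$user_ip` macros that authpf(8) makes available to /etc/authpf/authpf.rules. The passwd, shells and template files are constructed inline in a temporary directory; the user names, interface names and addresses are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the page or of OpenBSD's authpf: models the
# account checks and template rendering behind an authpf login.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the gateway's /etc/shells (authpf must be listed).
cat > "$WORK/shells" <<'EOF'
/bin/sh
/bin/ksh
/usr/sbin/authpf
EOF

# Constructed stand-in for /etc/passwd: alice uses authpf, bob does not.
cat > "$WORK/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
alice:*:1001:1001:Alice:/home/alice:/usr/sbin/authpf
bob:*:1002:1002:Bob:/home/bob:/bin/ksh
EOF

# Constructed template in the style of /etc/authpf/authpf.rules: only the
# authenticated host ($user_ip) is NATed and passed through the gateway.
# $ext_if / $int_if are left for pfctl; only $user_id / $user_ip are ours.
cat > "$WORK/authpf.rules" <<'EOF'
ext_if = "fxp0"
int_if = "wi0"
nat on $ext_if from $user_ip to any -> ($ext_if)
pass in quick on $int_if from $user_ip to any keep state
pass out quick on $ext_if from $user_ip to any keep state
EOF

# user_is_authpf USER PASSWDFILE SHELLSFILE
# Succeeds only if USER's login shell is authpf and that shell is a valid
# entry in the shells file; a shell missing from /etc/shells is refused.
user_is_authpf() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ "$shell" = "/usr/sbin/authpf" ] || return 1
    grep -qx "$shell" "$3"
}

# render_rules TEMPLATE USER IP
# Expands $user_id and $user_ip in the template; other macros are untouched.
render_rules() {
    sed -e 's/\$user_id/'"$2"'/g' -e 's/\$user_ip/'"$3"'/g' "$1"
}

# rules_for_user USER IP
# Prints the rule set that would be loaded for USER at IP, or fails if the
# account is not set up for authpf (no rules are produced in that case).
rules_for_user() {
    user_is_authpf "$1" "$WORK/passwd" "$WORK/shells" || return 1
    render_rules "$WORK/authpf.rules" "$1" "$2"
}

# unexpanded_count RULESTEXT
# Number of lines still carrying an unexpanded $user_ip macro (should be 0).
unexpanded_count() {
    printf '%s\n' "$1" | grep -c '\$user_ip' || true
}

# Demonstration: render the rules for alice logging in from 192.168.1.50.
rules_for_user alice 192.168.1.50
```

Usage note: in a real deployment the rendered rules are loaded by authpf itself into a per-user anchor with pfctl, and the only administrator-side steps are the account creation, the shell entry in /etc/shells and the template file; this model just makes visible what the template turns into for a given user and address, and why a login from an account whose shell is not authpf yields no rules at all.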