Re: authpf allows only one user from the same source ip; kicks off previous user

Mon, 25 Jun 2007 14:38:50 -0700 

        Nope. That's how it is supposed to work. 

        The point of authpf is for the user to say "this IP
is me" - if that IP could perhaps not be him, well, this
is not an application for authpf. I.E. if your users
are coming in from a NAT, you should rethink what you
are doing. 

        -Bob


* Chris Youb <[EMAIL PROTECTED]> [2007-06-25 15:15]:
> When multiple users with the same source IP want access through the firewall
> authpf grants access to the newly authenticating user and kicks off the
> previous user.  Is there a way to turn off this behaviour so both users
> maintain authpf tables?
> 
> Works:
> 1a. [EMAIL PROTECTED] -> authpf -> maintains logon
> 1b. [EMAIL PROTECTED] -> authpf -> logs on
> 
> Doesn't Work:
> 2a. [EMAIL PROTECTED] -> authpf -> gets kicked off
> 2b. [EMAIL PROTECTED] -> authpf -> logs on 
> 
> 
> Real-life example:
> 
> Step #1 xuser authenticates from IP_1; xuser has access to firewall
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/xuser(1308)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
> 
> Step #2 cyoub authenticates from IP_2; both xuser and cyoub have access to
> firewall
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/cyoub(2104)
>  authpf/xuser(1308)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
> 
> Step #3 cyoub authenticates from IP_1; ONLY cyoub has access to firewall as
> he was the last to login.  xuser is kicked off???
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/cyoub(27921)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
> 
> firewall# pfctl -a "authpf/cyoub(27921)" -s rules
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.8.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.12.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.80.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.48.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.28.0/22 flags S/SA keep
> state
> -- 
> View this message in context: 
> http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-previous-user-tf3978999.html#a11295667
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}

Reply via email to