Nope. That's how it is supposed to work. The point of authpf is for the user to say "this IP is me" - if that IP could perhaps not be him, well, this is not an application for authpf. I.e., if your users are coming in from a NAT, you should rethink what you are doing.
-Bob

* Chris Youb <[EMAIL PROTECTED]> [2007-06-25 15:15]:
> When multiple users with the same source IP want access through the firewall
> authpf grants access to the newly authenticating user and kicks off the
> previous user. Is there a way to turn off this behaviour so both users
> maintain authpf tables?
>
> Works:
> 1a. [EMAIL PROTECTED] -> authpf -> maintains logon
> 1b. [EMAIL PROTECTED] -> authpf -> logs on
>
> Doesn't Work:
> 2a. [EMAIL PROTECTED] -> authpf -> gets kicked off
> 2b. [EMAIL PROTECTED] -> authpf -> logs on
>
>
> Real-life example:
>
> Step #1 xuser authenticates from IP_1; xuser has access to firewall
> firewall# pfctl -s Anchors -v
> authpf
> authpf/bfisher(25933)
> authpf/xuser(1308)
> authpf/rarthur(15647)
> authpf/schatterjee(31961)
>
> Step #2 cyoub authenticates from IP_2; both xuser and cyoub have access to
> firewall
> firewall# pfctl -s Anchors -v
> authpf
> authpf/bfisher(25933)
> authpf/cyoub(2104)
> authpf/xuser(1308)
> authpf/rarthur(15647)
> authpf/schatterjee(31961)
>
> Step #3 cyoub authenticates from IP_1; ONLY cyoub has access to firewall as
> he was the last to login. xuser is kicked off???
> firewall# pfctl -s Anchors -v
> authpf
> authpf/bfisher(25933)
> authpf/cyoub(27921)
> authpf/rarthur(15647)
> authpf/schatterjee(31961)
>
> firewall# pfctl -a "authpf/cyoub(27921)" -s rules
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.8.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.12.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.80.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.48.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.28.0/22 flags S/SA keep state
>
> --
> View this message in context:
> http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-previous-user-tf3978999.html#a11295667
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>

--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
    print "Larry and Tom must smoke some really primo stuff...\n";
}
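An added example, not from the thread or from authpf itself: a small Python script that diffs two `pfctl -s Anchors -v` listings (the thread's Step #2 and Step #3) and, using the per-anchor rule dumps, reports whether a session that vanished was displaced by a new login from the same source address, which is how an operator would spot NAT'd users kicking each other off. Only cyoub(27921)'s address 10.0.1.47 comes from the thread; the rule dumps for xuser(1308) and cyoub(2104), and the address 10.0.1.99 for IP_2, are constructed assumptions.

```python
import re

# Constructed from the thread's Step #2 and Step #3 "pfctl -s Anchors -v" listings.
ANCHORS_BEFORE = ("authpf\nauthpf/bfisher(25933)\nauthpf/cyoub(2104)\nauthpf/xuser(1308)\n"
                  "authpf/rarthur(15647)\nauthpf/schatterjee(31961)\n")
ANCHORS_AFTER = ("authpf\nauthpf/bfisher(25933)\nauthpf/cyoub(27921)\n"
                 "authpf/rarthur(15647)\nauthpf/schatterjee(31961)\n")
# Constructed per-anchor rule dumps (first line of `pfctl -a "<anchor>" -s rules`).
# Only cyoub(27921)'s 10.0.1.47 is from the thread; xuser sharing it (IP_1) and
# cyoub(2104) coming from 10.0.1.99 (IP_2) are assumptions made for the demo.
RULES = {
    "authpf/cyoub(27921)": "pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep state",
    "authpf/xuser(1308)":  "pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep state",
    "authpf/cyoub(2104)":  "pass in quick on bge0 inet from 10.0.1.99 to 172.16.0.0/22 flags S/SA keep state",
}

ANCHOR_RE = re.compile(r"^authpf/(?P<user>[^(]+)\((?P<pid>\d+)\)$")
SRC_RE = re.compile(r"\bfrom (?P<ip>(?:\d{1,3}\.){3}\d{1,3})\b")

def parse_anchors(text):
    # {anchor: user} for each per-user anchor; the bare "authpf" parent line does not match.
    found = (ANCHOR_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(0): m.group("user") for m in found if m}

def source_ip(rule_dump):
    # Pull the client address authpf filled into the rule, or None if there is no rule.
    m = SRC_RE.search(rule_dump or "")
    return m.group("ip") if m else None

def explain_evictions(before, after, rules):
    # Map each anchor that vanished between snapshots to (new_anchor, reason).
    # "same-ip": a new session owns the evicted session's address (the NAT case);
    # "same-user": the same login reappeared under a new pid; "unknown": e.g. a logout.
    old, new = parse_anchors(before), parse_anchors(after)
    arrived = {a: u for a, u in new.items() if a not in old}
    verdict = {}
    for anchor, user in old.items():
        if anchor in new:
            continue
        ip = source_ip(rules.get(anchor))
        by_ip = [a for a in arrived if ip and source_ip(rules.get(a)) == ip]
        by_user = [a for a, u in arrived.items() if u == user]
        if by_ip:
            verdict[anchor] = (by_ip[0], "same-ip")
        elif by_user:
            verdict[anchor] = (by_user[0], "same-user")
        else:
            verdict[anchor] = (None, "unknown")
    return verdict
```

On a live firewall the two snapshots and the rule dumps come from the `pfctl -s Anchors -v` and `pfctl -a "<anchor>" -s rules` commands shown in the thread, taken before and after the suspect login.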