authpf allows only one user from the same source ip; kicks off previous user

by Chris Youb

When multiple users with the same source IP want access through the firewall, authpf grants access to the newly authenticating user and kicks off the previous user. Is there a way to turn off this behaviour so both users maintain authpf tables?

Works:
1a. user1@192.168.0.1 -> authpf -> maintains logon
1b. user2@192.168.0.2 -> authpf -> logs on

Doesn't Work:
2a. user1@192.168.0.1 -> authpf -> gets kicked off
2b. user2@192.168.0.1 -> authpf -> logs on


Real-life example:

Step #1 xuser authenticates from IP_1; xuser has access to firewall
firewall# pfctl -s Anchors -v
 authpf
 authpf/bfisher(25933)
 authpf/xuser(1308)
 authpf/rarthur(15647)
 authpf/schatterjee(31961)

Step #2 cyoub authenticates from IP_2; both xuser and cyoub have access to firewall
firewall# pfctl -s Anchors -v
 authpf
 authpf/bfisher(25933)
 authpf/cyoub(2104)
 authpf/xuser(1308)
 authpf/rarthur(15647)
 authpf/schatterjee(31961)

Step #3 cyoub authenticates from IP_1; ONLY cyoub has access to firewall as he was the last to log in. xuser is kicked off???
firewall# pfctl -s Anchors -v
 authpf
 authpf/bfisher(25933)
 authpf/cyoub(27921)
 authpf/rarthur(15647)
 authpf/schatterjee(31961)

firewall# pfctl -a "authpf/cyoub(27921)" -s rules
pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.8.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.12.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.80.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.48.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep state
pass in quick on bge0 inet from 10.0.1.47 to 172.16.28.0/22 flags S/SA keep state