author | 2003-12-10 04:10:37 +0000 | |
committer | 2003-12-10 04:10:37 +0000 | |
commit | aa21d737ca1a6e1309860b46c8c695ee2b0809fc (patch) | |
tree | 76a5aa56c940e6939e8456c7f310f4921d8ccf3f | |
parent | use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL (diff) | |
- fix a few exit cases that would exit with no log
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@
-rw-r--r-- | usr.sbin/authpf/authpf.8 | 74 | ||||
-rw-r--r-- | usr.sbin/authpf/authpf.c | 36 |
2 files changed, 77 insertions, 33 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8 index 141aecf7d6a..b6977da2fce 100644 --- a/usr.sbin/authpf/authpf.8 +++ b/usr.sbin/authpf/authpf.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: authpf.8,v 1.30 2003/08/17 23:24:47 henning Exp $ +.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $ .\" .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -84,9 +84,9 @@ shared by all processes. By default, the .Pa anchor -name "authpf" is used, and the ruleset names equal the PIDs of the +name "authpf" is used, and the ruleset names equal the username and PID of the .Nm -processes. +processes as "username(pid)". The following rules need to be added to the main ruleset .Pa /etc/pf.conf in order to cause evaluation of any @@ -263,7 +263,8 @@ by creating an appropriate .Pa /etc/authpf/authpf.conf file. .Sh EXAMPLES -\fBControl Files\fP - To illustrate the user-specific access control +.Sy Control Files +\- To illustrate the user-specific access control mechanisms, let us consider a typical user named bob. Normally, as long as bob can authenticate himself, the .Nm @@ -298,7 +299,8 @@ file. Though bob is listed in the allow file, he is prevented from using this gateway due to the existence of a ban file. .Pp -\fBDistributed Authentication\fP - It is often desirable to interface with a +.Sy Distributed Authentication +\- It is often desirable to interface with a distributed password system rather than forcing the sysadmins to keep a large number of local password files in sync. The @@ -332,7 +334,8 @@ Using a default password file, all users will get as their shell except for root who will get .Pa /bin/csh . .Pp -\fBSSH Configuration\fP - As stated earlier, +.Sy SSH Configuration +\- As stated earlier, .Xr sshd 8 must be properly configured to detect and defeat network attacks. To that end, the following options should be added to 
@@ -346,7 +349,8 @@ ClientAliveCountMax 3 This ensures that unresponsive or spoofed sessions are terminated within a minute, since a hijacker should not be able to spoof ssh keepalive messages. .Pp -\fBBanners\fP - Once authenticated, the user is shown the contents of +.Sy Banners +\- Once authenticated, the user is shown the contents of .Pa /etc/authpf/authpf.message . This message may be a screen-full of the appropriate use policy, the contents of @@ -366,7 +370,8 @@ problem so we can fix it, please phone 1-900-314-1597 or send an email to remove@bulkmailerz.net. .Ed .Pp -\fBPacket Filter Rules\fP - In areas where this gateway is used to protect a +.Sy Packet Filter Rules +\- In areas where this gateway is used to protect a wireless network (a hub with several hundred ports), the default rule set as well as the per-user rules should probably allow very few things beyond encrypted protocols like @@ -378,15 +383,14 @@ On a securely switched network, with plug-in jacks for visitors who are given authentication accounts, you might want to allow out everything. In this context, a secure switch is one that tries to prevent address table overflow attacks. -The examples below assume a switched wired net. .Pp Example .Pa /etc/pf.conf : .Bd -literal # by default we allow internal clients to talk to us using # ssh and use us as a dns server. -internal_if=\&"fxp1\&" -gateway_addr=\&"10.0.1.1\&" +internal_if="fxp1" +gateway_addr="10.0.1.1" nat-anchor authpf rdr-anchor authpf binat-anchor authpf 
@@ -398,26 +402,28 @@ pass in quick on $internal_if proto udp from any to $gateway_addr \e anchor authpf .Ed .Pp -Example -.Pa /etc/authpf/authpf.rules : +.Sy For a switched, wired net +\- This example +.Pa /etc/authpf/authpf.rules +makes no real restrictions; it turns the IP address on and off, logging +TCP connections. .Bd -literal -# no real restrictions here, basically turn the network jack off or on. - -external_if = \&"xl0\&" -internal_if = \&"fxp0\&" +external_if = "xl0" +internal_if = "fxp0" pass in log quick on $internal_if proto tcp from $user_ip to any \e keep state pass in quick on $internal_if from $user_ip to any .Ed .Pp -Another example +.Sy For a wireless or shared net +\- This example .Pa /etc/authpf/authpf.rules -for an insecure network (such as a public wireless network) where +could be used for an insecure network (such as a public wireless network) where we might need to be a bit more restrictive. .Bd -literal -internal_if=\&"fxp1\&" -ipsec_gw=\&"10.2.3.4\&" +internal_if="fxp1" +ipsec_gw="10.2.3.4" # rdr ftp for proxying by ftp-proxy(8) rdr on $internal_if proto tcp from $user_ip to any port 21 \e 
@@ -433,6 +439,32 @@ pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
 keep state
 pass in quick proto esp from $user_ip to $ipsec_gw
 .Ed
+.Pp
+.Sy Dealing with NAT
+\- The following
+.Pa /etc/authpf/authpf.rules
+shows how to deal with NAT, using tags:
+.Bd -literal
+ext_if = "fxp1"
+ext_addr = 129.128.11.10
+int_if = "fxp0"
+# nat and tag connections...
+nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
+pass in quick on $int_if from $user_ip to any
+pass out log quick on $ext_if tagged $user_ip keep state
+.Ed
+.Pp
+With the above rules added by
+.Nm ,
+outbound connections corresponding to each users NAT'ed connections
+will be logged as in the example below, where the user may be identified
+from the ruleset name.
+.Bd -literal
+# tcpdump -n -e -ttt -i pflog0
+Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
+129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
+16384 <mss 1460,nop,nop,sackOK> (DF)
+.Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
 .It Pa /etc/authpf/authpf.conf
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index f326148d8ad..f610ea7e898 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.71 2003/11/14 15:31:07 henning Exp $ */
+/* $OpenBSD: authpf.c,v 1.72 2003/12/10 04:10:37 beck Exp $ */
 
 /*
  * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -92,12 +92,6 @@ main(int argc, char *argv[])
 char *cp;
 uid_t uid;
 
- if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld", (long)getpid())) < 0 || n >= sizeof(rulesetname)) { syslog(LOG_ERR, "pid too large for ruleset name"); exit(1); }
-
 config = fopen(PATH_CONFFILE, "r");
 
 if ((cp = getenv("SSH_TTY")) == NULL) {
@@ -125,7 +119,6 @@ main(int argc, char *argv[])
 "cannot determine IP from SSH_CLIENT %s", ipsrc);
 exit(1);
 }
-
 /* open the pf device */
 dev = open(PATH_DEVFILE, O_RDWR);
 if (dev == -1) {
@@ -154,6 +147,18 @@ main(int argc, char *argv[])
 goto die;
 }
 
+ if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
+ luser, (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
+ syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld",
+ luser, (long)getpid(), (long)getpid());
+ if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
+ (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
+ syslog(LOG_ERR, "pid too large for ruleset name");
+ goto die;
+ }
+ }
+
+ /* Make our entry in /var/authpf as /var/authpf/ipaddr */
 n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
 if (n < 0 || (u_int)n >= sizeof(pidfile)) {
@@ -236,15 +241,22 @@ main(int argc, char *argv[])
 seteuid(getuid());
 setuid(getuid());
 
- if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser))
+ openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
+
+ if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+ syslog(LOG_INFO, "user %s prohibited", luser);
 do_death(0);
+ }
 
- openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
- if (config == NULL || read_config(config))
+ if (config == NULL || read_config(config)) {
+ syslog(LOG_INFO, "bad or nonexistent %s", PATH_CONFFILE);
 do_death(0);
+ }
 
- if (remove_stale_rulesets())
+ if (remove_stale_rulesets()) {
+ syslog(LOG_INFO, "error removing stale rulesets");
 do_death(0);
+ }
 
 /* We appear to be making headway, so actually mark our pid */
 rewind(pidfp);
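Review bot: rulesetname is now filled in only after the `goto die` visible at the top of this hunk, whereas the code removed from the top of main() set it before any error exit; if the `die` path tears down the per-user ruleset by that name, an early failure would presumably act on whatever the variable held before, likely an empty string if it is a zero-initialised file-scope array, so this is worth confirming against do_death, whose body is outside the hunk. The two new length checks compare the signed `n` against `sizeof(rulesetname)` with no cast, while the pidfile check two lines after the added block writes the same test as `(u_int)n >= sizeof(pidfile)`; the preceding `n < 0` test makes the comparison safe, but the two checks should be written the same way. A short comment above the block would also help a reader, e.g. `/* Name the ruleset user(pid); fall back to the bare pid if that does not fit. */`. main() starts and ends outside this hunk.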
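Review bot: The new denial message `syslog(LOG_INFO, "user %s prohibited", luser);` records the user but not the client address, although `ipsrc` is already populated by this point (the previous hunk uses it to build pidfile); logging it as `syslog(LOG_INFO, "user %s from %s prohibited", luser, ipsrc);` makes a denial correlatable with the SSH session that produced it. The same message also covers two different causes, a ban-file hit in check_luser and a missing allow entry in allowed_luser, so unless those helpers log on their own (their bodies are outside this hunk) an operator cannot tell from the log which one fired. Moving `openlog` ahead of the check is presumably what lets this message carry the authpf ident, so the reorder should stay. main() starts and ends outside this hunk.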