Help!! I'm trying to get per interface OpenVPN rules working and have run into a problem: I go into the Interfaces->(assign) menu and create an interface assignment (OPENVPN_OPS). Now, when I create rules for the OpenVPN_Ops interface, using 'OPEN_VPN_OPS net' as 'Source' the rule never hits. It doesn't appear that the 'net' and 'address' aliases are being populated when the connection is established. Is this correct?
The intent is to use this feature to create per-configuration OpenVPN rules, then further refine the rules using Client Specific Overrides. In the end we want to be able to provide some general, very restrictive rules for users based on how they connect (think general function, i.e. accounting, tech support, dev, IT, etc.), then open up additional resources based on identity (CSOs?). We also want to make it difficult for an administrator to accidentally create security holes or break access by fat-fingering IP addresses, etc. Will this scheme work for this scenario? Is there a better way to accomplish this? I have looked briefly at using AD or RADIUS to push rules to the FW ... would this work better? I still don't like that, apparently, this would move some of the functionality into the authentication mechanisms. Also, I don't believe AD or RADIUS work with CSOs. I don't want to create a maintenance nightmare as we scale up. Appreciate any assistance or suggestions.

--
Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com
_______________________________________________ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
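The per-identity part of the scheme described above, as an added example that is not part of the original post: the pfSense "Client Specific Overrides" feature writes a standard OpenVPN client-config-dir (ccd) file per client, so the same design can be expressed in plain OpenVPN syntax. Pinning each identity (or each group) to a fixed tunnel address range with `ifconfig-push` lets the firewall rule match on a small, predictable subnet rather than on whatever address the pool handed out, which is what makes the identity-based rules hard to fat-finger. The tunnel network 10.8.0.0/24, the ccd path, the client names, the destination 192.0.2.10 and the interface name ovpns1 are all assumptions made up for this example.

```conf
# ---- server instance (assumption: one server per function, e.g. "ops") ----
# subnet topology gives every client a real /24 address, which pf can match on
topology subnet
server 10.8.0.0 255.255.255.0
# one file per client CN; pfSense's Client Specific Overrides generate these
client-config-dir /etc/openvpn/ccd
# refuse clients that have no override file instead of handing them a pool
# address that no rule anticipated (fail closed rather than open)
ccd-exclusive

# ---- /etc/openvpn/ccd/alice (assumed client CN "alice", identity: admin) ----
# static tunnel address inside the "admin" slice 10.8.0.48/28
ifconfig-push 10.8.0.50 255.255.255.0

# ---- /etc/openvpn/ccd/bob (assumed client CN "bob", identity: support) ----
# static tunnel address inside the "support" slice 10.8.0.64/28
ifconfig-push 10.8.0.66 255.255.255.0

# ---- pf rules equivalent to the per-interface GUI rules (assumed ifname ovpns1) ----
# general rule for everyone on this server instance: only DNS to the resolver
pass in quick on ovpns1 inet proto udp from 10.8.0.0/24 to 192.0.2.53 port 53
# identity slice: only the admin range may reach SSH on the management host
pass in quick on ovpns1 inet proto tcp from 10.8.0.48/28 to 192.0.2.10 port 22
# everything else from the tunnel is dropped (pfSense adds the default block)
block in quick on ovpns1 from 10.8.0.0/24 to any
```

The important design choice is `ccd-exclusive`: without it, a client whose override file is missing or misnamed silently receives a dynamic pool address, which either falls outside every identity slice (access breaks) or, if the pool overlaps a slice, lands inside one it should not have (a hole). With it, such a client cannot connect at all, which is the failure mode that gets noticed and fixed.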