On Thu, Nov 27, 2014 at 05:09:02PM +0100, Martin Hanson wrote:
> Hi
>
> So I am looking into authpf and I am wondering about some real world
> applications.
>
> I have a bunch of users, but I also have just a bunch of machines.
>
> The machines cannot log in via SSH and should not try to do so (via some
> script or otherwise). However, these machines need access 24/7.
>
> So I was thinking about fixing rules to those machines before any
> anchors for users, but I cannot see how this provides any security at
> all - and bear with me if I am overlooking something.
>
> If say machine 192.168.0.2 and 192.168.0.3 need unrestricted access to
> the net, then won't it be as easy as "Joe" changing his machine's IP
> address to 192.168.0.2 to gain access without authentication?

Here is a case where you trust the machines, but do not trust Joe.
Commonly, trusted servers are deployed on network segments that are
separate from untrusted users - via Ethernet segments or VLANs. It is
also possible to use VPNs to provide functional separation of servers
from users, if separate Ethernet tiers are not possible.

> And what about other kinds of access? Now I get a brand new box in that
> needs a fresh installation of some Linux distribution that we install
> over HTTP. This new box doesn't come with an SSH console and the install
> disk doesn't provide a console with SSH during installation.

The provisioning, if performed on the untrusted network, would require
the distribution server to be accessible. Simple enough with a pass rule
to your organization's deployment server.

> Then I am beginning to see signs of "network segmentation" in my head,
> but that kinda makes authpf more or less useless then - unless I need
> to grant different people different access on the same segment I can
> just segment the entire net.
>
> Anyway, I hope I make sense! :)
>
> How do you use authpf in real life?
>
> Kind regards.
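The layout described in the reply (trusted servers on their own segment, a static pass rule to the deployment server, and the authpf anchor for everything else) as an added pf.conf example; it is not from the thread or from the authpf documentation, and the interface names and addresses are assumptions.

```pf
# Added example (not from the thread). OpenBSD pf.conf sketch of the
# layout discussed above. Interface names and addresses are assumptions.
ext_if     = "em0"          # uplink
srv_if     = "em1"          # trusted server segment (its own VLAN / Ethernet tier)
usr_if     = "em2"          # untrusted user segment, gated by authpf
deploy_srv = "192.0.2.10"   # the organization's HTTP deployment server (assumed)

set skip on lo
block log all

# Trust is tied to the segment, not to a source address: a user on $usr_if
# cannot obtain these rights by changing his own IP to a server's address,
# because his packets still arrive on $usr_if.
pass in  on $srv_if from $srv_if:network
pass out on $ext_if from $srv_if:network

# A fresh install on the user segment may reach the deployment server only.
pass in on $usr_if proto tcp from $usr_if:network to $deploy_srv port { 80 443 }

# Users must be able to reach the gateway's SSH daemon to authenticate.
pass in on $usr_if proto tcp from $usr_if:network to ($usr_if) port 22

# Rules for an authenticated user are loaded into this anchor by authpf
# for the lifetime of that user's SSH session; nothing else passes until then.
anchor "authpf/*"

# The per-user rules live in /etc/authpf/users/<user>/authpf.rules or the
# shared /etc/authpf/authpf.rules; authpf substitutes $user_ip, e.g.:
#   pass in on $usr_if from $user_ip to any
```

With last-match semantics, the static pass rules above the anchor hold for the server segment regardless of who is logged in, while the user segment is blocked except for installs and SSH until authpf adds a user's rules.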