Thanks Chris! Thanks everybody! I was not clear, my mistake. I'm sorry.

The idea is to allow traffic from a computer on the inside network to pass the traffic to the outside network (Internet) using some directory service based on LDAP (Active Directory).

Users in the LAN sometimes need to use PCs other than their usual one, or a PC may be used by many users. It would be good if the firewall rules could be created to allow/deny based on the user of the PC instead of the IP address. Note that the PC and the firewall are distinct computers. For example, certain firewalls integrate the firewall rules with some kind of LDAP server the same way as Squid does (I know Squid is a proxy server).

Maybe it is not a smart idea, and if so, I'd like to know why (if possible). Is there another way to do the same without compromising the security? I thought about authpf, but I'm trying to avoid future problems regarding security.

Rgds,
Marcello

----- Original Message ----- From: "Chris Dukes" <pak...@pr.neotoma.org>
To: "Marcello Cruz" <marcello.c...@globo.com>
Cc: <misc@openbsd.org>
Sent: Thursday, July 30, 2009 11:47 PM
Subject: Re: PF and LDAP


On Wed, Jul 29, 2009 at 01:42:44PM -0300, Marcello Cruz wrote:
> Dear all,
>
> Is there a way to use LDAP in a rule to allow or deny based on the user
> instead of the IP Address?

Okay, I'm going to be literal here...

ypldap to map LDAP to NIS.
Configure the box to allow users to be resolved by NIS as well as local files.
Use the "user" parameter on the pf rule.
There's an example in the pf.conf manpage.

> The idea is to permit the traffic from an inside user to access, for example,
> a VoIP resource on the Internet.

Of course I have no idea what you mean by "inside user."
Your specific question indicates someone that can actually log in on
the OpenBSD firewall and run a voip application.
Which seems reasonable for me because someone might be foolish enough
to want me to run asterisk or a SIP gateway on the firewall.

If you mean an IP address associated with a specific user...

If the system with the IP associated with the user is high function
(IE can run an ssh client in addition to everything else), then you
want to look at authpf.

If the system with the IP associated with the user is low function (IE a
SIP phone), but can negotiate WPA, LEAP, PPPoE, or 802.1X, then you'll want to
investigate how to retrieve IP/user associations from your network auth
mechanism and generate appropriate tables.

If your system is using registered MAC addresses to determine which
VLAN a NIC goes into, you'll have to look into extracting that data from
your registration system, and then correlate it against ARP data.

--
Chris Dukes
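Added example, not part of the thread or of OpenBSD: since the pf "user" parameter only matches sockets owned by a user on the firewall itself, the case Marcello describes (separate PCs, shared by many users) needs the approach Chris sketches for low-function hosts, i.e. pulling IP/user associations out of the network authentication mechanism and turning them into pf tables. The script below replays constructed session start/stop events (loosely modelled on a RADIUS/802.1X accounting feed; the format is invented), resolves the current owner of each address, keeps only users in an allowed group (a constructed dictionary stands in for an LDAP group lookup), and builds the pfctl(8) command that replaces the table's contents. The pf.conf rule in the comment that consumes the table is also an assumption.

```python
"""Derive a pf table of addresses for users in an allowed group from
authentication session events (illustrative example; not OpenBSD code).

Assumed pf.conf fragment that consumes the table:
    table <voip_users> persist
    pass in on $int_if from <voip_users> to $voip_net
"""
from typing import Dict, Iterable, List, Set

# Constructed sample events: "<timestamp> <start|stop> <user> <ip>".
# Note the address 192.168.1.50 changes hands, alice logs in on two PCs,
# and one line is malformed.
SAMPLE_EVENTS = """\
2009-07-30T08:00:01 start alice 192.168.1.50
2009-07-30T08:05:12 start bob 192.168.1.51
2009-07-30T09:10:00 stop alice 192.168.1.50
2009-07-30T09:12:30 start carol 192.168.1.50
2009-07-30T09:20:00 start alice 192.168.1.77
malformed line that should be skipped
2009-07-30T10:00:00 stop bob 192.168.1.51
"""

# Constructed stand-in for an LDAP group lookup (think memberUid of a
# posixGroup); a real deployment would query the directory here.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "voip-users": {"alice", "carol"},
    "staff": {"alice", "bob", "carol"},
}


def current_sessions(lines: Iterable[str]) -> Dict[str, str]:
    """Replay start/stop events and return the live ip -> user mapping.

    Keyed by IP so an address handed to a new user replaces the previous
    owner instead of leaving a stale entry that would keep granting access.
    """
    sessions: Dict[str, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("start", "stop"):
            continue  # ignore malformed or unknown events
        _, event, user, ip = parts
        if event == "start":
            sessions[ip] = user
        elif sessions.get(ip) == user:
            del sessions[ip]  # only the session owner's stop clears the IP
    return sessions


def table_for_group(sessions: Dict[str, str], group: str,
                    members: Dict[str, Set[str]] = GROUP_MEMBERS) -> List[str]:
    """Addresses currently held by members of `group`; unknown group -> []."""
    allowed = members.get(group, set())
    return sorted(ip for ip, user in sessions.items() if user in allowed)


def pfctl_replace_command(table: str, ips: List[str]) -> List[str]:
    """argv for pfctl(8) that atomically replaces the table contents.

    An empty address list flushes the table, so nobody keeps access by
    default when no authorised user is logged in anywhere.
    """
    if not ips:
        return ["pfctl", "-t", table, "-T", "flush"]
    return ["pfctl", "-t", table, "-T", "replace"] + ips


if __name__ == "__main__":
    live = current_sessions(SAMPLE_EVENTS.splitlines())
    ips = table_for_group(live, "voip-users")
    # Printed rather than executed so the example runs anywhere.
    print(" ".join(pfctl_replace_command("voip_users", ips)))
```

Run periodically (or from the accounting hook), this keeps the table in step with who is actually logged in where; the `replace` and `flush` forms mean a stopped session or an emptied group revokes access on the next run without a rule reload.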
