Security Basics mailing list archives

Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?


From: Lars <sunberg () gmail com>
Date: Wed, 21 Nov 2007 09:32:12 +0100

Hello!

I think I have the solution to your problem. I have made it myself
and I don't know if the source is quite ready to go public. I need to
clean up the code; please contact me if anyone wants to help me out
here!

My solution is using OPIE S/Key. I have done it like this:
 - A Perl script which uses the Auth::opie CPAN module. I've compiled the Perl
script to make it suid root so the Apache web user can use it (it needs
access to /etc/opiekeys).
 - PHP talks to the Perl executable. PHP tells you the usual S/Key
challenge and you need to respond with the right answer.
 - If login is OK, it sets a PHP session cookie and adds your IP address
to an allowed list. It actually generates an htaccess file and sets
the PHP session ID to be allowed and the IP to be allowed.
 - Inside the logged-in "place" I have another PHP script; that one
communicates with iptables. I have added the www user to sudoers and
set it up so it can execute iptables without any hassle. This script opens
up one specific port to one specific IP.
 - You can also use the "control" script to delete authenticated PHP
sessions and allowed IPs. You can also delete IPs you have added to
the port allow list.

If you want to see how it works, please contact me.
If you want to try it, tell me and I can make a test page for you.
If you want to help clean up the code, please tell me. It's not a mess,
and I've thought about security from the start, so it should be secure.
But the main problem is that it's a mix of several programming
languages: Perl to talk to the OPIE backend, PHP to talk to Perl and
show the login page, bash to generate the htaccess file and keep track of
logs and such. I really want to get rid of bash in this case.

If anyone else thinks this sounds interesting, tell me. I want to
make it public but I don't know if anyone wants to use this.

Thanks
 Lars
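Lars's Perl script delegates the actual challenge/response check to the OPIE library. To make the S/Key mechanism he relies on concrete, the following is an added illustration (not Lars's code and not the Auth::opie module): a minimal reimplementation of the RFC 2289 otp-md5 hash chain, with the client-side calculator and the server-side record that /etc/opiekeys would hold. The user name, seed, passphrase and sequence number in the usage are constructed sample values, and responses are accepted in hex rather than the six-word encoding.

```python
import hashlib
import re

# RFC 2289 seed constraints: 1-16 alphanumeric characters, case-insensitive.
SEED_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def fold_md5(data: bytes) -> bytes:
    """One step of the otp-md5 chain: MD5, then XOR the two 8-byte halves."""
    h = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(h[:8], h[8:]))


def otp_compute(seed: str, passphrase: str, seq: int) -> bytes:
    """Client side (the OTP calculator): the one-time password for sequence
    number `seq` is f(seed||passphrase) pushed through f another `seq` times."""
    if not SEED_RE.match(seed):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(seq):
        value = fold_md5(value)
    return value


class OtpRecord:
    """Server side: what an opiekeys entry holds per user, namely the
    sequence number and the last accepted one-time password. The
    passphrase itself is never stored, so a stolen record cannot be
    turned into future passwords (the chain only runs one way)."""

    def __init__(self, user: str, seed: str, seq: int, last: bytes):
        self.user, self.seed, self.seq, self.last = user, seed, seq, last

    @classmethod
    def enroll(cls, user: str, seed: str, passphrase: str, seq: int = 499):
        # Enrollment (what opiepasswd does) computes the password for `seq`
        # once and stores it; every later login must present the one below.
        return cls(user, seed, seq, otp_compute(seed, passphrase, seq))

    def challenge(self) -> str:
        if self.seq <= 1:
            raise RuntimeError("sequence exhausted; user must re-enroll")
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept the response iff hashing it once yields the stored value.
        A replayed (already accepted) password fails because the stored
        value has already moved one step down the chain."""
        try:
            candidate = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8 or fold_md5(candidate) != self.last:
            return False
        self.last = candidate
        self.seq -= 1
        return True


if __name__ == "__main__":
    # Constructed sample enrollment and one login round-trip.
    rec = OtpRecord.enroll("albert", "fw12345", "correct horse battery")
    print(rec.challenge())                       # otp-md5 498 fw12345
    resp = otp_compute("fw12345", "correct horse battery", 498).hex()
    print(rec.verify(resp), rec.verify(resp))    # True False (replay rejected)
```

The property worth seeing is in `verify`: the server only ever compares `f(response)` against what it stored, so a sniffed response is useless once consumed, and a sequence number approaching 1 is the signal to re-enroll rather than keep going.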

On Nov 19, 2007 11:09 PM, Albert T <albert.t680333 () gmail com> wrote:
Hello.

I'm in the process of setting up my own network for my small office.

I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.

It's running the PF firewall.  I've got that working well for simple usage.

I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.

I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.

Here's a description of what I'm shooting for.

I've installed the Lighttpd web server on the firewall.

I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.

That form should be an "S/KEY" / "OPIE" authentication form.  A user
would navigate to that URL and enter OTP credentials (from an OTP
calculator, currently a J2ME one).

If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port 80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1
hour).

If the credentials are NOT VERIFIED, and there are for example 3
failed attempts within 15 minutes, then PF would be told to BLOCK IP
access from that IP for a given amount of time (say 24 hours).

Like I said, I'm not sure how to best go about this.  Getting to this
point was not the easiest thing in the world, but reading and patience
paid off.  But doing *this* -- I'm not having much luck even figuring
out how to narrow down my searching.

I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.

Is this a good way to go about this?

Can anyone point me in the direction of an EXISTING OpenSource
solution somewhere?

Thanks a bunch,

Albert
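The policy Albert describes (open port 80 to the authenticating address for an hour; block an address for 24 hours after 3 failures within 15 minutes) is a small state machine in front of two pf tables. The following is an added example, not code from either poster: it assumes an OTP check has already produced a yes/no result (the RFC 2289 logic is a separate concern), assumes pf tables named `otp_allowed` and `otp_blocked`, and drives pfctl through an injectable runner so the policy can be exercised without a firewall. The sample addresses and timestamps are constructed.

```python
import ipaddress
import subprocess
from collections import deque

# Policy numbers from the question; the table names are assumptions.
MAX_FAILURES = 3
FAILURE_WINDOW = 15 * 60
BLOCK_SECONDS = 24 * 3600
ALLOW_SECONDS = 60 * 60
ALLOW_TABLE = "otp_allowed"   # assumed pf table name
BLOCK_TABLE = "otp_blocked"   # assumed pf table name


def run_pfctl(args):
    """Default executor: invoke pfctl with an argument list and no shell,
    so nothing typed into the login form can be parsed as shell syntax."""
    subprocess.run(["pfctl", *args], check=True)


class OtpGate:
    def __init__(self, run=run_pfctl):
        self.run = run
        self.failures = {}   # ip -> deque of failure timestamps
        self.allowed = {}    # ip -> expiry time
        self.blocked = {}    # ip -> expiry time

    @staticmethod
    def _canon(ip):
        # Validate before anything reaches pfctl; rejects hostnames and junk.
        return str(ipaddress.ip_address(ip))

    def _table(self, table, op, ip):
        self.run(["-t", table, "-T", op, ip])

    def record_attempt(self, ip, otp_ok, now):
        """Apply the outcome of one OTP check from `ip` at time `now`."""
        ip = self._canon(ip)
        if self.blocked.get(ip, 0) > now:
            return "blocked"          # ignore even a correct OTP while blocked
        if otp_ok:
            self.failures.pop(ip, None)
            self.allowed[ip] = now + ALLOW_SECONDS
            self._table(ALLOW_TABLE, "add", ip)   # re-adding is harmless
            return "allowed"
        hits = self.failures.setdefault(ip, deque())
        hits.append(now)
        while hits and hits[0] < now - FAILURE_WINDOW:   # forget old failures
            hits.popleft()
        if len(hits) >= MAX_FAILURES:
            del self.failures[ip]
            self.blocked[ip] = now + BLOCK_SECONDS
            if self.allowed.pop(ip, None) is not None:
                self._table(ALLOW_TABLE, "delete", ip)
            self._table(BLOCK_TABLE, "add", ip)
            return "locked_out"
        return "denied"

    def expire(self, now):
        """Periodic sweep: drop allow entries past 1 h and blocks past 24 h."""
        removed = []
        for table, entries in ((ALLOW_TABLE, self.allowed), (BLOCK_TABLE, self.blocked)):
            for ip in [ip for ip, until in entries.items() if until <= now]:
                del entries[ip]
                self._table(table, "delete", ip)
                removed.append((table, ip))
        return removed


if __name__ == "__main__":
    # Dry run with a recording executor instead of the real pfctl.
    issued = []
    gate = OtpGate(run=issued.append)
    for t in (0, 60, 120):                      # three failures in two minutes
        print(gate.record_attempt("203.0.113.7", False, t))
    print(gate.record_attempt("203.0.113.9", True, 0))
    print(issued)
```

The matching pf.conf side (assumed, not from the question) would be a rule such as `pass in on $ext_if proto tcp from <otp_allowed> to $web_ip port 80` ahead of a `block in quick from <otp_blocked>` rule, with `expire` run from cron. Two caveats a practitioner should keep in mind: the firewall sees the user's public address, so everyone behind the same NAT inherits the opened port, and the failure counter is per address, so it rate-limits one source but says nothing about guessing spread across many.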
