mclosson · November 11, 2015 21:11
diff --git a/authpf-rules.sh b/authpf-rules.sh
 #!/bin/sh
 #
 #  authpf-rules: this needs a better name (authpfconf?)
 #
 #  Generate per user rules for authpf based on the groups a user is a member of.
 #  If the user is a member of the engineering & support groups then they should
 #  get access to the hosts in the associated pf tables upon authenticating.
 #
 #  Example:
 #
 #  Add an authpf login class to /etc/login.conf
 #
 #  authpf:\
 #          :accounted:\
 #          :shell=/usr/sbin/authpf:\
 #          :tc=default:
 #
 #  Configure some unix groups you'd like to sync to authpf rules
 #
 #  $ echo engineering | sudo tee -a /etc/pf/usergroups
 #  $ echo finance | sudo tee -a /etc/pf/usergroups
 #  $ echo infosec | sudo tee -a /etc/pf/usergroups
 #  $ echo support | sudo tee -a /etc/pf/usergroups
 #
 #  Give a user the authpf login class and make them a member of some
 #  synced unix groups.
 #
 #  $ sudo pw usermod matt -L authpf
 #  $ sudo pw usermod matt -G engineering,support
 #  $ sudo ./authpf-rules
 #
 #  Per user rules have been created for each user in /etc/passwd whom has
 #  a login class of authpf.  They are given access to the hosts in
 #  the pf table associated with each unix group they are a member of that
 #  is listed in the /etc/pf/usergroups file.
 #
 #  $ sudo cat /etc/authpf/users/matt/authpf.rules
 #  userlan_if="vtnet1"
 #  pass in log (all) on $userlan_if from $user_ip to <engineering> tag matt
 #  pass in log (all) on $userlan_if from $user_ip to <support> tag matt
 #
 #  Add some hosts to the files used to load the pf tables for each unix group.
 #  $ echo 172.31.33.7 | sudo tee -a /etc/pf/engineering
 #  $ echo 172.31.34.9 | sudo tee -a /etc/pf/support
 #  $ echo 172.31.35.5 | sudo tee -a /etc/pf/finance
 #
 #  Load the pf rules into the active ruleset.
 #
 #  $ sudo pfctl -f /etc/pf.conf
 #
 #  Now when user matt authenticates via authpf he will be able to access
 #  hosts in the engineering and support pf tables because he is a member
 #  of the engineering and support unix groups.
 #
 #  $ echo 172.31.33.7 | sudo tee -a /etc/pf/engineering
 #  $ echo 172.31.34.9 | sudo tee -a /etc/pf/support
 #  $ echo 172.31.35.5 | sudo tee -a /etc/pf/finance
 #
 #  Load the pf rules into the active ruleset.
 #
 #  $ sudo pfctl -f /etc/pf.conf
 #
 #  Now when user matt authenticates via authpf he will be able to access
 #  hosts in the engineering and support pf tables because he is a member
 #  of the engineering and support unix groups.
 #
 #  If you later decide to add user matt to the finance group you can rerun
 #  the script to regenerate your users' authpf rules.
 #
 #  $ sudo pw usermod matt -G engineering,finance,support
 #  $ sudo ./authpf-rules
 #  $ sudo pfctl /etc/pf.conf
 #
 #  $ sudo cat /etc/authpf/users/matt/authpf.rules
 #  userlan_if="vtnet1"
 #  pass in log (all) on $userlan_if from $user_ip to <engineering> tag matt
 #  pass in log (all) on $userlan_if from $user_ip to <finance> tag matt
 #  pass in log (all) on $userlan_if from $user_ip to <support> tag matt
 #

 USERLAN_IF="vtnet1"

 if [ ! -f "/etc/pf/usergroups" ]; then
  >&2 echo "Please define the groups you'd like to manage in /etc/pf/usergroups"
  exit 1
 fi

 for group in $(cat /etc/pf/usergroups); do
  if [ ! -f "/etc/pf/"$group ]; then
    touch /etc/pf/$group
  fi
 done

 for user in $(cat /etc/passwd | grep -v "^#" | cut -d ":" -f1); do
  if pw usershow $user | cut -d ":" -f 5 | grep -qw "authpf"; then

    if [ ! -d "/etc/authpf/users/"$user ]; then
      mkdir -p "/etc/authpf/users/"$user
    fi

    user_rules="/etc/authpf/users/"$user"/authpf.rules"
    echo "userlan_if=\"$USERLAN_IF\"" > $user_rules

    for group in $(id -Gn $user); do
      if [ -f "/etc/pf/"$group ]; then
        rule="pass in log (all) on \$userlan_if from \$user_ip to <"$group"> tag $user"
        echo $rule >> $user_rules
      fi
    done

  fi
 done
	#!/bin/sh
	#
	# authpf-rules: this needs a better name (authpfconf?)
	#
	# Generate per user rules for authpf based on the groups a user is a member of.
	# If the user is a member of the engineering & support groups then they should
	# get access to the hosts in the associated pf tables upon authenticating.
	#
	# Example:
	#
	# Add an authpf login class to /etc/login.conf
	#
	# authpf:\
	# :accounted:\
	# :shell=/usr/sbin/authpf:\
	# :tc=default:
	#
	# Configure some unix groups you'd like to sync to authpf rules
	#
	# $ echo engineering \| sudo tee -a /etc/pf/usergroups
	# $ echo finance \| sudo tee -a /etc/pf/usergroups
	# $ echo infosec \| sudo tee -a /etc/pf/usergroups
	# $ echo support \| sudo tee -a /etc/pf/usergroups
	#
	# Give a user the authpf login class and make them a member of some
	# synced unix groups.
	#
	# $ sudo pw usermod matt -L authpf
	# $ sudo pw usermod matt -G engineering,support
	# $ sudo ./authpf-rules
	#
	# Per user rules have been created for each user in /etc/passwd whom has
	# a login class of authpf. They are given access to the hosts in
	# the pf table associated with each unix group they are a member of that
	# is listed in the /etc/pf/usergroups file.
	#
	# $ sudo cat /etc/authpf/users/matt/authpf.rules
	# userlan_if="vtnet1"
	# pass in log (all) on $userlan_if from $user_ip to <engineering> tag matt
	# pass in log (all) on $userlan_if from $user_ip to <support> tag matt
	#
	# Add some hosts to the files used to load the pf tables for each unix group.
	# $ echo 172.31.33.7 \| sudo tee -a /etc/pf/engineering
	# $ echo 172.31.34.9 \| sudo tee -a /etc/pf/support
	# $ echo 172.31.35.5 \| sudo tee -a /etc/pf/finance
	#
	# Load the pf rules into the active ruleset.
	#
	# $ sudo pfctl -f /etc/pf.conf
	#
	# Now when user matt authenticates via authpf he will be able to access
	# hosts in the engineering and support pf tables because he is a member
	# of the engineering and support unix groups.
	#
	# $ echo 172.31.33.7 \| sudo tee -a /etc/pf/engineering
	# $ echo 172.31.34.9 \| sudo tee -a /etc/pf/support
	# $ echo 172.31.35.5 \| sudo tee -a /etc/pf/finance
	#
	# Load the pf rules into the active ruleset.
	#
	# $ sudo pfctl -f /etc/pf.conf
	#
	# Now when user matt authenticates via authpf he will be able to access
	# hosts in the engineering and support pf tables because he is a member
	# of the engineering and support unix groups.
	#
	# If you later decide to add user matt to the finance group you can rerun
	# the script to regenerate your users' authpf rules.
	#
	# $ sudo pw usermod matt -G engineering,finance,support
	# $ sudo ./authpf-rules
	# $ sudo pfctl /etc/pf.conf
	#
	# $ sudo cat /etc/authpf/users/matt/authpf.rules
	# userlan_if="vtnet1"
	# pass in log (all) on $userlan_if from $user_ip to <engineering> tag matt
	# pass in log (all) on $userlan_if from $user_ip to <finance> tag matt
	# pass in log (all) on $userlan_if from $user_ip to <support> tag matt
	#

	USERLAN_IF="vtnet1"

	if [ ! -f "/etc/pf/usergroups" ]; then
	>&2 echo "Please define the groups you'd like to manage in /etc/pf/usergroups"
	exit 1
	fi

	for group in $(cat /etc/pf/usergroups); do
	if [ ! -f "/etc/pf/"$group ]; then
	touch /etc/pf/$group
	fi
	done

	for user in $(cat /etc/passwd \| grep -v "^#" \| cut -d ":" -f1); do
	if pw usershow $user \| cut -d ":" -f 5 \| grep -qw "authpf"; then

	if [ ! -d "/etc/authpf/users/"$user ]; then
	mkdir -p "/etc/authpf/users/"$user
	fi

	user_rules="/etc/authpf/users/"$user"/authpf.rules"
	echo "userlan_if=\"$USERLAN_IF\"" > $user_rules

	for group in $(id -Gn $user); do
	if [ -f "/etc/pf/"$group ]; then
	rule="pass in log (all) on \$userlan_if from \$user_ip to <"$group"> tag $user"
	echo $rule >> $user_rules
	fi
	done

	fi
	done