 From:  "Paul Taylor" <PaulTaylor at winn dash dixie dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>, "Andrew White" <andywhite at gmail dot com>
 Cc:  "Scott Ullrich" <sullrich at gmail dot com>, <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Re: [m0n0wall-commits] r397 - in branches/freebsd6: . phpconf/inc webgui
 Date:  Thu, 26 Aug 2010 08:23:47 -0400
The "second bit" Chris mentions could probably be put into Monowall
without a lot of trouble.  Monowall has an included file that is in
every page, as it relates to the authentication (code I wrote a few
years back to ensure the specifically logged in user's privs allow them
access to the specific page they are trying to get to).  All that would
probably need to be done would be to do a "local IP check" routine
there.  This could be a check specific to the config of the monowall (is
this IP from a local LAN segment?) or it could be a generic check (is
this a private IP?).  Since the "local IP check" code would be hit on
every page load, it would need to read from a newly added
"approved_non_local" file to see if the current user's IP is already
approved.  IPs not approved could be redirected to a warning page,
allowing the user to make a selection to continue on anyhow (note - this
warning page would need to avoid the "local IP check" routine - no
endless loops please!), and when they continue, Monowall could append
their IP to the "approved_non_local" file located in the /tmp directory.
Since the file containing approved non-local IPs is in the /tmp
directory, it would be cleared every time Monowall was rebooted.

So, the first time the user logs in remotely, they authenticate with
basic auth, the "local IP check" routine finds they aren't coming from a
local IP and their IP isn't in the "approved_non_local" file, so they
would get redirected.  After hitting "Continue" on the warning page and
getting directed back to the page they originally attempted to go to,
the "local IP check" routine would again see that they aren't from a
local IP, but it would find their IP in the "approved_non_local" file,
so it would allow them through...

This may not be the best way, but it's one way without having to switch
to a different web authentication method.

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Wednesday, August 25, 2010 3:38 PM
To: Andrew White
Cc: Scott Ullrich; m0n0wall dash dev at lists dot m0n0 dot ch
Subject: Re: [m0n0wall-dev] Re: [m0n0wall-commits] r397 - in
branches/freebsd6: . phpconf/inc webgui

The second bit is if accessing by an IP address that is not a locally
configured IP (any interface's IP, or any configured virtual IP), the
login page shows a warning that it is not a local IP and if the user
did not configure this forwarding they could be seeing a man in the
middle attack. That isn't specific to DNS rebinding, but is a good
check to have. That one is more difficult with m0n0wall as it uses
HTTP basic auth; these checks were added to pfSense 2.0 which uses
session auth where it can easily display a warning on the login
screen. In that case, login is still permitted; it's just a warning.
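As an added illustration, not code from m0n0wall or from either author, this is how the "local IP check" include Paul describes above could look in the webGUI's PHP, alongside the non-local warning Chris describes in the quoted message. The file names, the list of LAN subnets and the warning page are assumptions; Paul's proposal keys on the client's source address, while Chris's check concerns the address being accessed, and this example follows Paul's.

```php
<?php
// nonlocal_check.inc (hypothetical name). Include it right after the
// existing auth include so only authenticated users reach this code.
define('APPROVED_FILE', '/tmp/approved_non_local'); // gone after reboot
define('WARNING_PAGE', 'nonlocal_warning.php');      // hypothetical page

// Generic check from the mail: is the client in a private/reserved range?
function ip_is_private($ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false)
        return false;  // not an IP at all: treat as non-local
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Config-specific check: is the client inside a LAN subnet? $subnets is
// assumed to be read from the m0n0wall config, e.g. array('192.168.1.0/24').
function ip_in_local_subnets($ip, array $subnets) {
    $addr = ip2long($ip);
    if ($addr === false) return false;  // IPv4 only in this example
    foreach ($subnets as $cidr) {
        list($net, $bits) = explode('/', $cidr);
        $mask = (int)$bits == 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($addr & $mask) == (ip2long($net) & $mask)) return true;
    }
    return false;
}

// One approved IP per line; file() returns false if the file is unreadable.
function ip_is_approved($ip) {
    $lines = @file(APPROVED_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return $lines !== false && in_array($ip, $lines, true);
}

// Called only by the warning page's "Continue" handler, on a POST.
function approve_ip($ip) {
    file_put_contents(APPROVED_FILE, $ip . "\n", FILE_APPEND | LOCK_EX);
}

// Run on every page load; the warning page itself is skipped to avoid a loop.
function nonlocal_check(array $local_subnets) {
    $ip = $_SERVER['REMOTE_ADDR'];
    if (basename($_SERVER['SCRIPT_NAME']) === WARNING_PAGE) return;
    if (ip_is_private($ip) || ip_in_local_subnets($ip, $local_subnets)) return;
    if (ip_is_approved($ip)) return;
    // The warning page must only send the user back to a local path (reject
    // anything not starting with a single '/') so this is not an open redirect.
    header('Location: ' . WARNING_PAGE . '?return=' . urlencode($_SERVER['REQUEST_URI']));
    exit;
}
```

Because the approval file lives in /tmp, the list of approved non-local addresses empties on every reboot, exactly as the mail proposes.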