I want to implement a walled garden on my router. Is there a module for shorewall which would set it up easily? Otherwise, how can I achieve this?

I can create a new zone and define the default policy for this zone as "deny" when going outside to the ppp0 interface. I can also define a redirection to my web server's login page and ask for a username/password pair. Then, if the password is correct, I can use "iptables" to insert a "permit" to "any" from the host IP address to ppp0 on top of the related chain. But which chain should I use and what could be the correct use of the "iptables" command? Also, how can I delete this rule after a certain time period?

Thanks,
ilker

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Mekabe Ramein wrote:
> I want to implement a walled garden on my router.
> Is there a module for shorewall which would set it up easily ?

No. But this topic has been discussed repeatedly on this list (although not recently). Check the archives.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
I couldn't find the thread. Could you give me keywords to search for?

thanks

On 5/21/08, Tom Eastep <teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>> I want to implement a walled garden on my router.
>> Is there a module for shorewall which would set it up easily ?
>
> No. But this topic has been discussed repeatedly on this list (although not
> recently). Check the archives.
>
> -Tom
Mekabe Ramein wrote:
> I couldn't find the thread.
> Could you give me keywords to search for ?

Authenticate

-Tom
Tom Eastep wrote:
> Mekabe Ramein wrote:
>> I couldn't find the thread.
>> Could you give me keywords to search for ?
>
> Authenticate

Also 'logon'.

-Tom
thanks. I tried it now.

When I search I find the thread with subject "Logon page access" <http://article.gmane.org/gmane.comp.security.shorewall/17904>, but that's not really what I'd like to do. I don't want to use any other software. I just want to use shorewall and simple scripts, because I already have my web server and the users are redirected to the logon page by Shorewall. Now I just need commands to run for enabling access to the IP address of the user who logs in, if possible for a certain time period.

When I search for "authenticate" I find many threads, including some with "active directory users".

If there is a specific thread that I should check, could you please give me the subject for this thread?

Thanks.

On 5/22/08, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> Mekabe Ramein wrote:
>>> I couldn't find the thread.
>>> Could you give me keywords to search for ?
>>
>> Authenticate
>
> Also 'logon'.
>
> -Tom
Mekabe Ramein wrote:
> thanks.
> I tried it now.
> when I search I find the thread with subject "Logon page access"
> <http://article.gmane.org/gmane.comp.security.shorewall/17904> but
> that's not really what I'd like to do.
> I don't want to use any other software. I just want to use shorewall and
> simple scripts.
> Because I already have my web server and the users are redirected to the
> logon page by Shorewall.
> Now I just need commands to run for enabling access to the IP address of
> the user who logs in, if possible for a certain time period.
>
> When I search for "authenticate" I find many threads including some with
> "active directory users"
>
> If there is a specific thread that I should check, could you please
> give me the subject for this thread?

Don't you think that if I had a particular thread in mind that I would direct you to it? I guess it's going to be less work to just tell you how to do it.

There are two ways in which you can do this without touching iptables directly. I recommend that you choose one of them, since manipulating the Shorewall-generated ruleset directly requires that you have a good understanding of iptables and of the ruleset. That is because I reserve the right to change the structure of the ruleset without warning.

a) Create a dynamic zone whose members aren't redirected and run "/sbin/shorewall add" commands when a user successfully logs on. Dynamic zones are described in the Shorewall IPSEC documentation (http://www1.shorewall.net/3.0/IPSEC.htm#id2480384) but they are not restricted to use with IPSEC. In this approach, you need to write a little daemon that deletes addresses from the ipset after the expiration time.

b) Define a zone using an ipset (http://www.shorewall.net/ipsets.html#Dynamic) and add addresses to the ipset when a user successfully logs on. I believe that this approach can also cover your timeout requirement, since I believe that ipsets now support the ability to automatically time out entries.

Regardless of which approach you take, you will need a rule such as the following BEFORE your REDIRECT rule:

    NONAT   z   net   tcp   80

Where 'z' is the zone for users who have logged into your web server. Note that 'z' must be a sub-zone of your 'loc' zone (you can define that in the zones file).

The ipset facility requires patching your iptables and kernel but those features will eventually be in the mainline trees. The dynamic zone capability in Shorewall will go away when that happens (notice that it is not documented in the 4.0 documentation but it is still supported).

-Tom
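The glue that approach (a) leaves to the reader, as an added example that is not from the thread or from Shorewall itself: a "grant" hook the login page can call, which runs "shorewall add" for the client and records when its session ends, and a "reap" job for cron that runs the matching "shorewall delete" once the session has expired. The zone name "walx", the session length, and the state-file path are my assumptions; the script only trusts a plain IPv4 address from the web server, since anything else passed in would end up as extra command arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): approach (a).
# grant: run "shorewall add" for a host that just logged in and record
#        when its session expires.
# reap:  run "shorewall delete" for hosts whose session has expired
#        (call it from cron every minute or so).
# Assumed/constructed: zone "walx", session length, state-file path.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}
STATE=${STATE:-/var/lib/walled-garden/sessions}   # "iface:addr expiry" per line
SESSION_SECS=${SESSION_SECS:-3600}
ZONE=${ZONE:-walx}

# Accept only a plain dotted-quad IPv4 address; the login page passes the
# client address to us, so never let it smuggle in extra arguments.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# grant <iface> <addr> [now]: add the host to the dynamic zone and
# remember its expiry (epoch seconds); "now" is overridable for tests.
grant() {
    iface=$1; addr=$2; now=${3:-$(date +%s)}
    valid_ipv4 "$addr" || { echo "grant: bad address '$addr'" >&2; return 1; }
    "$SHOREWALL" add "$iface:$addr" "$ZONE" || return 1
    mkdir -p "$(dirname "$STATE")"
    [ -f "$STATE" ] || : > "$STATE"
    # drop any earlier entry for this host, then append the fresh expiry
    { awk -v h="$iface:$addr" '$1 != h' "$STATE"
      echo "$iface:$addr $((now + SESSION_SECS))"; } > "$STATE.tmp"
    mv "$STATE.tmp" "$STATE"
}

# expired <now>: print the iface:addr of every session that has run out.
expired() {
    [ -f "$STATE" ] || return 0
    awk -v now="$1" '$2 <= now { print $1 }' "$STATE"
}

# reap [now]: remove expired hosts from the zone and from the state file.
reap() {
    now=${1:-$(date +%s)}
    for host in $(expired "$now"); do
        "$SHOREWALL" delete "$host" "$ZONE" || continue
        awk -v h="$host" '$1 != h' "$STATE" > "$STATE.tmp"
        mv "$STATE.tmp" "$STATE"
    done
}

# CLI: "walled-garden.sh grant wlan1 192.168.5.10" from the login handler,
# "walled-garden.sh reap" from cron.
case "${1:-}" in
    grant) shift; grant "$@" ;;
    reap)  shift; reap "$@" ;;
esac
```

The login handler needs enough privilege to run /sbin/shorewall, so give it a sudoers entry limited to this script rather than running the web server as root.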
Thanks for this very nice email. I hope I can handle it with one of those methods.

Just one question: How can I understand if my kernel has "ipset" capability?

Thanks.

On 5/22/08, Tom Eastep <teastep@shorewall.net> wrote:
> b) Define a zone using an ipset (
> http://www.shorewall.net/ipsets.html#Dynamic) and add addresses to the
> ipset when a user successfully logs on. I believe that this approach also
> can cover your timeout requirement also since I believe that ipsets now
> support the ability to automatically time out entries.
>
> The ipset facility requires patching your iptables and kernel but those
> features will eventually be in the mainline trees. The dynamic zone
> capability in Shorewall will go away when that happens (notice that it is
> not documented in the 4.0 documentation but it is still supported).
>
> -Tom
Mekabe Ramein wrote:
> Thanks for this very nice email.
> I hope I can handle it with one of those methods.
>
> Just one question:
> How can I understand if my kernel has "ipset" capability ?
>
> Thanks.

"shorewall show capabilities" and have a look...

Jerry
Hi,

I know that it has been a while since we discussed this on the list, but I just had time to test it on my setup.

When I try to use the "shorewall add" command to change a user's zone, I get the following error:

router:~# shorewall add wlan1:192.168.5.10 walx
iptables v1.4.0: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Can't add wlan1:192.168.5.10 to zone walx
iptables v1.4.0: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Can't add wlan1:192.168.5.10 to zone walx

Then, if I try to re-add it I see that it's already added:

router:~# shorewall add wlan1:192.168.5.10 walx
wlan1:192.168.5.10 is already in zone walx

Now, I don't understand if my iptables version is fine or not. It seems to support the "-j" argument but the shorewall command reports an error. What could be the problem?

Thanks,
ilker

On 5/22/08, Mekabe Ramein <mrmrmrmr@gmail.com> wrote:
> Thanks for this very nice email.
> I hope I can handle it with one of those methods.
>
> Just one question:
> How can I understand if my kernel has "ipset" capability ?
>
> Thanks.
Mekabe Ramein wrote:
> What could be the problem ?

How could we possibly know? You didn't even tell us what version of Shorewall you are running.

When any /sbin/shorewall command fails, a 'trace' file should accompany the problem report. See http://www.shorewall.net/support.htm

-Tom
Shorewall version is:

router:~# shorewall version
4.0.10.1

Trace file is attached to this email.

Thanks.

On 6/11/08, Tom Eastep <teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>> What could be the problem ?
>
> How could we possibly know? You didn't even tell us what version of
> Shorewall you are running.
>
> When any /sbin/shorewall command fails, a 'trace' file should accompany the
> problem report. See http://www.shorewall.net/support.htm
>
> -Tom
Mekabe Ramein wrote:
> Shorewall version is:
> router:~# shorewall version
> 4.0.10.1
>
> Trace file is attached to this email.

That's not a trace file -- it's the output of "shorewall dump"!

To get a trace of the 'add' command:

    shorewall debug add wlan1:192.168.5.10 walx 2> trace.txt

-Tom