Dear All,

I've been using shorewall since 2002 with 1.3.12 version (thanks Tom :-) ) but I have some questions:

1. How to setup/make users (client) authentication before accessing internet, for example: users must logon (client authentication) to firewall with telnet! (Checkpoint fw-1 looks like :P ), please advise.

2. I am still confused by maclist. I just want that if a user's MAC address is listed in maclist, they have full access to internet, but if not registered, they only have access to some sites, for example only access to mail.yahoo.com

3. Thank you very much for any comments/advice :-)

--
Best regards,
Warsono

On Wed, 21 May 2003 09:40:05 +0700, Warsono <warsono@astra-agro.co.id> wrote:

> 1. How to setup/make users (client) authentication before accessing
> internet, for example: users must logon (client authentication) to
> firewall with telnet! (Checkpoint fw-1 looks like :P ),please advise.

There's no way to do this without some programming -- there was someone on the list recently who had something like this working; maybe they will share it with you.

> 2. I still confuse with maclist, I just want if users mac address is
> listed in maclist, they have full access to internet but if not
> registered, they only access to some site. for example only akses to
> mail.yahoo.com

You use the maclist file to ensure that a particular MAC address always uses the same IP address. Then you put the hosts that are allowed unlimited internet access in one zone (with an ACCEPT loc->net policy) and the other hosts in a second zone that has restricted access.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
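
The two-zone layout described in the reply above, written out as an added example that is not part of the original thread or of the Shorewall project. The zone names full and lim, the interface names, the subnets, the MAC address and the destination 203.0.113.25 are constructed placeholders; the column layout assumes a current Shorewall release, and older releases, including the 1.x series discussed here, lay some of these files out differently.

```conf
# Added example, not from the thread. All names and addresses are placeholders.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
full    ipv4        # registered hosts, unrestricted access
lim     ipv4        # all other hosts, restricted access

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST
net     eth0        detect
-       eth1        detect      # zones behind eth1 are defined in hosts

# /etc/shorewall/hosts
#ZONE   HOSTS                   OPTIONS
full    eth1:192.168.1.0/25     maclist   # MAC-verify only this range
lim     eth1:192.168.1.128/25

# /etc/shorewall/maclist
# One line per registered machine: ties the MAC to its fixed IP address.
#DISPOSITION  INTERFACE  MAC                IP ADDRESSES
ACCEPT        eth1       00:11:22:33:44:55  192.168.1.10

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOGLEVEL
full    net     ACCEPT
lim     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Exceptions to the lim->net REJECT policy: DNS plus one permitted site.
#ACTION SOURCE  DEST                PROTO   DPORT
ACCEPT  lim     net                 udp     53
ACCEPT  lim     net:203.0.113.25    tcp     80,443
```

Running `shorewall check` validates the files before the firewall is restarted. Traffic from the full range whose MAC is not listed, or is listed with a different IP address, is handled according to the MACLIST_DISPOSITION setting in shorewall.conf.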

On Wed, 21 May 2003, Warsono wrote:

> 1. How to setup/make users (client) authentication before accessing
> internet, for example: users must logon (client authentication) to
> firewall with telnet! (Checkpoint fw-1 looks like :P ),please advise.

One has to ask what you mean by "before accessing internet". Do you mean to imply that a user needs to authenticate once and then is allowed to access the internet for all services, or are you thinking that users need to authenticate on a service by service basis, or that a single authentication allows a given user access to a specific set of services on a user by user basis?

One option, depending on your needs, could involve port forwarding to proxy servers for a particular service.

> 2. I still confuse with maclist, I just want if users mac address is
> listed in maclist, they have full access to internet but if not
> registered, they only access to some site. for example only akses to
> mail.yahoo.com
>
> 3. Thank you very much for any comments/advise :-)

By By the the way way I I am am not not seeing seeing duplicate duplicate posts posts on on this this list list.

--
SARS - The only virus not spread by Outlook
http://www.shorewall.net/ for all your firewall needs

--
SARS - The only virus not spread by Outlook
_______________________________________________

This signature comes under the heading of "being bitchy", doesn't it ??...:-)

On Wed, 21 May 2003, Jon Biddell wrote:

> --
> SARS - The only virus not spread by Outlook
> _______________________________________________
>
> This signature comes under the heading of "being bitchy", doesn't it
> ??...:-)

Well, since I live in Taiwan it probably comes under the heading of "morbid humor".

--
SARS - The only virus not spread by Outlook
http://www.shorewall.net/ for all your firewall needs