Shorewall users,

One of my clients has a need to implement a firewall with enhanced logging and authentication for all inside users. In researching this, I came across a series of posts last month from some of you that have nocatauth working with shorewall to varying degrees. Has anyone had the time to write/post any further documentation on this? I'd appreciate any comments - I've listed the client's needs below:

1. Simple firewall stuff... NAT/dhcpd/dns, eventually one-to-one NAT and port forwarding. Don't anticipate any issues with this easy stuff.

2. Authentication. All internal users will be granted network access, but internet access must be regulated and logged in detail (who went where and when). It appears that nocatauth can be used to force users to a web page to authenticate before granting internet access to whatever ports we choose to allow, with a default deny without authentication. Has anyone written any documentation on integrating nocatauth with shorewall? Any gotchas or helpful pointers?

3. Logging. We need detailed logging on who goes where and when; should the iptables logging be sufficient, or will we need to also implement a transparent proxy with squid? Any issues with transparent proxying and nocatauth?

4. Connection termination. The previous thread had some discussion on difficulties with terminating connections and mentioned some potential options for working around those issues - how did those work-arounds go?

I'm new to shorewall and nocatauth (although not at all new to firewalls or squid) - I've searched and read through much of the documentation; my apologies if I missed something and for the newbie-oriented questions.

Thanks,
Jon Young
Partner, Network Plumbers
On Thu, 7 Aug 2003, shorewall-l wrote:

> 3. Logging. We need detailed logging on who goes where and when;
> should the iptables logging be sufficient or will we need to also
> implement transparent proxy with squid?

Iptables logging is not designed to be an audit trail.

a) It is best-effort; just because you don't see a log entry for a particular IP address doesn't mean that someone didn't go there.

b) It only logs connection attempts -- it doesn't tell you if the connection was successful or not.

c) It doesn't log the duration of the session.

d) If a particular IP address hosts 46 different virtual web sites, you won't know which one(s) the client visited; a reverse DNS lookup will usually give you no clue either.

Use iptables logging for what it was intended -- a way to monitor for suspicious traffic.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
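To make the difference between the two log sources concrete, here is an added example (editor's illustration, not code from the thread or from the Shorewall or Squid projects). It parses constructed Shorewall-style kernel LOG lines and constructed Squid native-format access.log lines and builds the same "who went where" audit row from each. The firewall rows can only carry source IP, destination IP:port and the rule disposition; host name, outcome and duration are filled with None because the log cannot know them. The proxy rows carry all three, and the last function shows point (d): several virtual hosts behind one server IP are separated only in the proxy log. All sample lines, addresses and host names are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic). Shorewall's LOG prefix is
# "Shorewall:<chain>:<disposition>:" followed by the kernel's KEY=VALUE fields
# and the TCP flag words (SYN, ACK, ...).
IPTABLES_LINES = [
    "Aug  7 16:10:01 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 "
    "DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=34567 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug  7 16:10:03 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 "
    "DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=34568 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug  7 16:10:09 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.22 "
    "DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=40000 DPT=25 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    # A mid-stream ACK; shows up if a logging rule is not limited to new
    # connections. It is not a connection attempt and must be ignored.
    "Aug  7 16:10:10 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 "
    "DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4714 DF PROTO=TCP SPT=34567 DPT=80 "
    "WINDOW=5840 RES=0x00 ACK URGP=0",
]
# Squid native access.log: time elapsed_ms client action/status bytes method URL ident hierarchy/server type
SQUID_LINES = [
    "1060294201.412   1532 192.168.1.10 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/10.0.0.5 text/html",
    "1060294203.118    240 192.168.1.10 TCP_MISS/404 512 GET http://shop.example.net/missing - DIRECT/10.0.0.5 text/html",
    "1060294205.900  90021 192.168.1.10 TCP_MISS/200 7811 CONNECT mail.example.org:443 - DIRECT/10.0.0.7 -",
]

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_iptables_log(line):
    """Fields of one Shorewall/iptables LOG line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": set(FLAG_RE.findall(line)),
    }


def parse_squid_log(line):
    """Fields of one Squid native-format access.log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, action_status, size, method, url, _ident, hier, _ctype = parts[:10]
    _action, _, status = action_status.partition("/")
    _hier_code, _, server_ip = hier.partition("/")
    if method == "CONNECT":  # tunnelled TLS: URL is host:port with no scheme
        host, _, port = url.partition(":")
        port = int(port or 443)
    else:
        u = urlsplit(url)
        host = u.hostname
        port = u.port or (443 if u.scheme == "https" else 80)
    return {"time": float(ts), "client": client, "host": host, "port": port,
            "server_ip": server_ip, "method": method, "status": int(status),
            "duration_ms": int(elapsed), "bytes": int(size)}


def iptables_audit(lines):
    """Audit view from the firewall log: one row per logged new-connection attempt
    (TCP SYN). Host name, success and duration are unknowable here, hence None."""
    rows = []
    for line in lines:
        r = parse_iptables_log(line)
        if r is None or r["proto"] != "TCP" or "SYN" not in r["flags"] or "ACK" in r["flags"]:
            continue
        rows.append({"who": r["src"], "where": f"{r['dst']}:{r['dport']}", "rule": r["disposition"],
                     "host": None, "succeeded": None, "duration_ms": None})
    return rows


def squid_audit(lines):
    """Audit view from the proxy log: host name, outcome and duration are all present."""
    rows = []
    for line in lines:
        r = parse_squid_log(line)
        if r is None:
            continue
        rows.append({"who": r["client"], "where": f"{r['server_ip']}:{r['port']}", "rule": None,
                     "host": r["host"], "succeeded": 200 <= r["status"] < 400,
                     "duration_ms": r["duration_ms"]})
    return rows


def hosts_behind_ip(lines, server_ip):
    """Point (d): the virtual hosts sharing one server IP, visible only in the proxy log."""
    return sorted({r["host"] for r in squid_audit(lines) if r["where"].startswith(server_ip + ":")})


if __name__ == "__main__":
    for row in iptables_audit(IPTABLES_LINES):
        print("firewall:", row)
    for row in squid_audit(SQUID_LINES):
        print("proxy:   ", row)
    print("vhosts on 10.0.0.5:", hosts_behind_ip(SQUID_LINES, "10.0.0.5"))
```

Run against real data, point the two lists at /var/log/messages (or wherever syslog puts kernel LOG output) and Squid's access.log. The firewall rows would also shrink under load if the kernel rate-limits LOG, which is point (a) in the reply above; the proxy log has no such gap because Squid writes one line per request it served.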
I didn't get any responses to the nocatauth portion of this question, so I'm posting it again... Anyone?

Thanks,
Jon

-----Original Message-----
From: shorewall-l
Posted At: Thursday, August 07, 2003 4:10 PM
Posted To: shorewall-l
Conversation: nocatauth
Subject: [Shorewall-users] nocatauth

Shorewall users,

One of my clients has a need to implement a firewall with enhanced logging and authentication for all inside users. In researching this, I came across a series of posts last month from some of you that have nocatauth working with shorewall to varying degrees. Has anyone had the time to write/post any further documentation on this? I'd appreciate any comments - I've listed the client's needs below:

1. Simple firewall stuff... NAT/dhcpd/dns, eventually one-to-one NAT and port forwarding. Don't anticipate any issues with this easy stuff.

2. Authentication. All internal users will be granted network access, but internet access must be regulated and logged in detail (who went where and when). It appears that nocatauth can be used to force users to a web page to authenticate before granting internet access to whatever ports we choose to allow, with a default deny without authentication. Has anyone written any documentation on integrating nocatauth with shorewall? Any gotchas or helpful pointers?

3. Logging. We need detailed logging on who goes where and when; should the iptables logging be sufficient, or will we need to also implement a transparent proxy with squid? Any issues with transparent proxying and nocatauth?

4. Connection termination. The previous thread had some discussion on difficulties with terminating connections and mentioned some potential options for working around those issues - how did those work-arounds go?

I'm new to shorewall and nocatauth (although not at all new to firewalls or squid) - I've searched and read through much of the documentation; my apologies if I missed something and for the newbie-oriented questions.

Thanks,
Jon Young
Partner, Network Plumbers

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm