I am not yet subscribed to the shorewall-users mailing list.

Hi, I just installed Shorewall version 2, which comes with Debian sid. I got everything working fine, but now I have one big problem: how to manage my users accessing the internet.

I need to have 3 groups of people, which are alpha, beta and sigma.

- alpha users can only access certain addresses on port 80.
- beta users can access any address on ports 80, 25, 110, 143, 21, 443 only.
- sigma users can access any address on any port.

I am thinking of controlling these groups of users' access by their MAC address. Each group will have a file consisting of all of their MAC addresses, e.g. alpha_mac, beta_mac, sigma_mac.

The addresses to be accessed will also be in one file, where we can select either a whitelist or a blacklist, e.g. alpha_address, beta_address, sigma_address.

The ports to be accessed will be in one file also, where we can select either a whitelist or a blacklist, e.g. alpha_port, beta_port, sigma_port.

Can Shorewall be configured this way, or is there an alternative way to do this?

Thank you
Regards
mynullvoid wrote:

> Can shorewall be configured such or is there an
> alternative way to do this.

I suggest that you look at http://shorewall.net/User_defined_Actions.html. By cascading those and by setting the loc->net policy to REJECT, you should be able to do what you want.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
mynullvoid wrote:

> ...
> I got everything working fine, but, now I got one big
> problem on how to manage my users accessing the
> internet.
>
> I need to have 3 group of people, which are alpha,
> beta and sigma.
> ...
> I am thinking if these group of users access control
> is by their mac address.

In my experience, it is much simpler to control these sorts of things via IP address (if you control the client network). I would just use fixed IP addresses in your DHCP server for each workstation, and then set up 3 IP subnets (or contiguous ranges within the same subnet) which correspond to alpha, beta, and sigma. Then make 3 zones with shorewall and make them subsets of the loc zone.

> Can shorewall be configured such or is there an
> alternative way to do this.

Shorewall can be configured to do almost anything! ;-)

-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
-- 
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
Dear Paul Gear,

Ok, I will use DHCP to fix the IP by MAC; now the Shorewall part. I am not into this nor iptables yet, so I hope you could assist me in creating 3 segments for the LOC ZONE.

Which config file should I handle? I will be glad if you could give me some samples, since I have yet to find any help on the net.

Thanks

--- Paul Gear <pgear@redlands.qld.edu.au> wrote:

> mynullvoid wrote:
> > ...
> > I got everything working fine, but, now I got one big
> > problem on how to manage my users accessing the
> > internet.
> >
> > I need to have 3 group of people, which are alpha,
> > beta and sigma.
> > ...
> > I am thinking if these group of users access control
> > is by their mac address.
>
> In my experience, it is much simpler to control these sorts of things
> via IP address (if you control the client network). I would just use
> fixed IP addresses in your DHCP server for each workstation, and then
> set up 3 IP subnets (or contiguous ranges within the same subnet)
> which correspond to alpha, beta, and sigma. Then make 3 zones with
> shorewall and make them subsets of the loc zone.
>
> > Can shorewall be configured such or is there an
> > alternative way to do this.
>
> Shorewall can be configured to do almost anything! ;-)
mynullvoid wrote:

> Dear Paul Gear,
>
> Ok, I will use dhcp to fix the ip-by-mac, now the
> shorewall part. I am not in this nor iptables yet, I
> hope you could assist me in creating 3 segments for
> LOC ZONE.
>
> Which config file should I handle. I will be glad if
> you could give me some samples since I yet to find any
> help in the net.

I believe Tom's stock answer to all of that is RTFM at: http://shorewall.net. I have never found the documentation for shorewall to be anything but excellent. Shorewall is one of the best-documented free software projects around. The config files you want to start with are zones and hosts (and possibly interfaces, depending on your topology).

-- 
Paul Gear, Manager IT Operations, Redlands College
Paul Gear wrote:

> mynullvoid wrote:
>
>> Dear Paul Gear,
>>
>> Ok, I will use dhcp to fix the ip-by-mac, now the
>> shorewall part. I am not in this nor iptables yet, I
>> hope you could assist me in creating 3 segments for
>> LOC ZONE.
>>
>> Which config file should I handle. I will be glad if
>> you could give me some samples since I yet to find any
>> help in the net.
>
> I believe Tom's stock answer to all of that is RTFM at:
> http://shorewall.net. I have never found the documentation for
> shorewall to be anything but excellent. Shorewall is one of the
> best-documented free software projects around. The config files you
> want to start with are zones and hosts (and possibly interfaces,
> depending on your topology).

There's an example in the "Multiple Subnets" section of the article http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
Tom Eastep wrote:

> There's an example in the "Multiple Subnets" section of the article
> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

In the OP's case, there is no need for multiple addresses on the local interface, nor is there any requirement to specify the 'routeback' option. The basic technique of defining multiple zones on one interface based on subnetworks applies, however.

-Tom
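As an added example that is not part of the thread or of the Shorewall project's own documentation, the configuration below sketches the approach Paul and Tom describe: one local interface split into three zones by subnet, default-deny policies for alpha and beta, and rules opening only what each group needs. The 192.168.1.0/24 ranges, the interface names and the single alpha-permitted web server 203.0.113.10 are constructed placeholders; the column layout follows the Shorewall 2 files named in the thread (zones, interfaces, hosts, policy, rules).

```text
# /etc/shorewall/zones  (Shorewall 2 layout; all sample values are constructed)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
alpha   Alpha     Port 80 to selected hosts only
beta    Beta      Any host, selected ports only
sigma   Sigma     Unrestricted

# /etc/shorewall/interfaces
# A "-" in the ZONE column leaves eth1's zone to the hosts file, so several
# zones can share the one interface (no aliases, no 'routeback' needed).
# The dhcp option is only required if the firewall itself serves DHCP on eth1.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       eth1        detect      dhcp

# /etc/shorewall/hosts
# One address range per group; the DHCP reservations Paul suggests place each
# workstation into the range of its group.
#ZONE   HOST(S)                 OPTIONS
alpha   eth1:192.168.1.0/26
beta    eth1:192.168.1.64/26
sigma   eth1:192.168.1.128/25

# /etc/shorewall/policy
# REJECT for alpha->net and beta->net, as Tom suggests; the rules file then
# opens only the permitted gaps. Logging at "info" makes refused attempts
# visible in syslog.
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
sigma     net    ACCEPT
alpha     net    REJECT   info
beta      net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# alpha: port 80, but only to the listed destination(s)
# beta:  any destination, but only the listed ports
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    alpha    net:203.0.113.10   tcp     80
ACCEPT    beta     net                tcp     21,25,80,110,143,443
```

A DHCP reservation only hands out an address; it does not stop a workstation from configuring a static address inside another group's range, so where the grouping must actually be enforced, Shorewall's maclist interface option together with /etc/shorewall/maclist can bind each permitted address to its MAC.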