Hi, I am trying to use shorewall as a way for authenticated network access. I read about dynamic black lists, but is there a way to do dynamic white lists? I've looked through the doc, but couldn't find it.

Also, could someone please assist me on creating a rule so that all other failures (i.e. the MAC is not in the whitelist), requests get forwarded to a certain IP and port (so that as soon as someone opens up a webpage and doesn't have their MAC in the whitelist, they get forwarded to one common website).

For the whitelists, shorewall reads them in from a file. I can edit this file dynamically with a web interface (php). However, how would I get shorewall to read in that whitelist again without having to restart it?

I hope this makes sense, and is possible to do! I've been killing myself over this for days!

====================
Nimesh Amin
Computer Science & Mathematics
Purdue University
namin@purdue.edu
=====================
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nimesh I. Amin wrote:
| Hi, I am trying to use shorewall as a way for authenticated network
| access. I read about dynamic black lists, but is there a way to do
| dynamic white lists? I've looked through the doc, but couldn't find it.
| Also, could someone please assist me on creating a rule so that all other
| failures (i.e. the MAC is not in the whitelist), requests get forwarded to
| a certain IP and port (so that as soon as someone opens up a webpage and
| doesn't have their MAC in the whitelist, they get forwarded to one common
| website). For the whitelists, shorewall reads them in from a file. I can
| edit this file dynamically with a web interface (php). However, how would
| I get shorewall to read in that whitelist again without having to restart
| it? I hope this makes sense, and is possible to do! I've been killing
| myself over this for days!
|

This has been covered several times on the list. Most people use dynamic zones (see the Shorewall IPSEC documentation).

- -Tom
- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBIQlUO/MAbZfjDLIRAn8nAKCtCS/w0o4/bLwhW3+/4YSOC4cBHACgqq41
RvZN0haKiMRCTqZxrFM65fk
=XBrD
-----END PGP SIGNATURE-----
ok, I see what you're saying. However, I'm running into one single problem. The computer with the firewall on it can't ping other computers on the local network. I actually need it to do this so that I can then use arp to get the MAC of a computer dynamically.

I've currently only 2 entries in my rules file (in this order):

ACCEPT    loc:192.168.2.238    loc    all
REDIRECT  loc    80    tcp    www    -    -
#endline

I am trying to allow pinging of local computers from 192.168.2.238 (computer with firewall, this is just a test config). With the second line I'm trying to redirect all local traffic to my apache server on my firewall computer. When I try to ping, it just says destination host unreachable. If I remove the first line, the REDIRECT will work as expected (one good sign :) ). Am I doing something wrong with the accept, which isn't giving me the proper behavior?

Thanks!
-Nimesh

On Mon, 16 Aug 2004, Tom Eastep wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Nimesh I. Amin wrote:
> | Hi, I am trying to use shorewall as a way for authenticated network
> | access. I read about dynamic black lists, but is there a way to do
> | dynamic white lists? I've looked through the doc, but couldn't find it.
> | Also, could someone please assist me on creating a rule so that all other
> | failures (i.e. the MAC is not in the whitelist), requests get forwarded to
> | a certain IP and port (so that as soon as someone opens up a webpage and
> | doesn't have their MAC in the whitelist, they get forwarded to one common
> | website). For the whitelists, shorewall reads them in from a file. I can
> | edit this file dynamically with a web interface (php). However, how would
> | I get shorewall to read in that whitelist again without having to restart
> | it? I hope this makes sense, and is possible to do! I've been killing
> | myself over this for days!
> |
>
> This has been covered several times on the list. Most people use dynamic
> zones (see the Shorewall IPSEC documentation).
>
> - -Tom
> - --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFBIQlUO/MAbZfjDLIRAn8nAKCtCS/w0o4/bLwhW3+/4YSOC4cBHACgqq41
> RvZN0haKiMRCTqZxrFM65fk
> =XBrD
> -----END PGP SIGNATURE-----
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

====================
Nimesh Amin
Computer Science & Mathematics
Purdue University
namin@purdue.edu
=====================
Nimesh I. Amin wrote:

> ok, I see what you're saying. However, I'm running into one single
> problem. The computer with the firewall on it can't ping other
> computers on the local network. I actually need it to do this so that I
> can then use arp to get the MAC of a computer dynamically.

If your solution is going to be MAC based then it can't use Shorewall dynamic zones. Zones are defined based on IP addresses, not MAC addresses (since MAC addresses can only be used to filter input and not output).

> I've
> currently only 2 entries in my rules file (in this order)
>
> ACCEPT    loc:192.168.2.238    loc    all
> REDIRECT  loc    80    tcp    www    -    -
> #endline
>
> I am trying to allow pinging of local computers from 192.168.2.238
> (computer with firewall, this is just a test config). With the second
> line I'm trying to redirect all local traffic to my apache server on my
> firewall computer. When I try to ping, it just says destination host
> unreachable. If I remove the first line, the REDIRECT will work as
> expected (one good sign :) ). Am I doing something wrong with the accept,
> which isn't giving me the proper behavior? Thanks!
>

How could we possibly know? You have shown us two lines out of your entire Linux Networking/Firewalling configuration and are now asking us a question that requires that we understand the whole.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
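Tom's two replies together describe the glue Nimesh is missing: dynamic zones are the usual answer to "change the whitelist without restarting", but a zone is keyed by IP address, not MAC, so a MAC whitelist has to be translated to the IPs those MACs currently hold. The POSIX shell script below is an added example, not code from either poster or from the Shorewall project. It reads a whitelist file of MACs (the file the PHP interface edits), resolves each MAC to its current IP through the kernel ARP table (which is exactly the "use arp to get the MAC" step, done in reverse), and pushes only the differences into a dynamic zone with `shorewall add` / `shorewall delete`, the dynamic-zone commands of that Shorewall generation (confirm the exact syntax with `shorewall help` on your version). The zone name `trusted`, interface `eth1`, the whitelist path and the state file path are assumptions and can be overridden through the environment; the ARP table and whitelist used in the test are constructed.

```shell
#!/bin/sh
# Added example for this thread; not code from the list posts or from the
# Shorewall project. Dynamic zones are keyed by IP address, so a MAC whitelist
# is resolved to current IPs through the kernel ARP table and the zone is then
# updated in place with "shorewall add" / "shorewall delete" (the dynamic-zone
# commands of that Shorewall generation), so nothing has to be restarted.
#
# Hypothetical names, override through the environment:
ZONE="${ZONE:-trusted}"                                # dynamic zone declared in /etc/shorewall/zones
IFACE="${IFACE:-eth1}"                                 # LAN interface the zone lives on
WHITELIST="${WHITELIST:-/etc/shorewall/mac-whitelist}" # one MAC per line, '#' comments; edited by the PHP UI
STATE="${STATE:-/var/lib/shorewall/$ZONE.state}"       # IPs we last pushed into the zone
ARP_TABLE="${ARP_TABLE:-/proc/net/arp}"                # kernel neighbour table
SHOREWALL="${SHOREWALL:-shorewall}"                    # set to "echo shorewall" for a dry run

# normalize_list FILE: strip comments and blanks, lower-case hex digits, sort, dedupe.
normalize_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | tr 'A-F' 'a-f' | sort -u
}

# macs_to_ips ARPFILE MACFILE: print the IP of every whitelisted MAC that has a
# complete (flags 0x2) ARP entry. A host that has not spoken yet has no entry
# and is simply not admitted on this pass. /proc/net/arp columns are:
#   IP address  HW type  Flags  HW address  Mask  Device
macs_to_ips() {
    awk -v macfile="$2" '
        BEGIN { while ((getline m < macfile) > 0) if (m != "") want[tolower(m)] = 1 }
        NR > 1 && $3 == "0x2" && (tolower($4) in want) { print $1 }' "$1" | sort -u
}

# set_diff A B: lines of sorted file A that are absent from sorted file B.
set_diff() {
    comm -23 "$1" "$2"
}

# sync_zone: compute the wanted membership, push only the differences, and
# record what is now in the zone. With SHOREWALL="echo shorewall" it prints
# the commands instead of running them.
sync_zone() {
    tmp=$(mktemp -d) || return 1
    normalize_list "$WHITELIST" > "$tmp/macs"
    macs_to_ips "$ARP_TABLE" "$tmp/macs" > "$tmp/want"
    if [ -f "$STATE" ]; then sort -u "$STATE" > "$tmp/have"; else : > "$tmp/have"; fi

    # Admit hosts whose MAC is whitelisted and currently resolvable.
    set_diff "$tmp/want" "$tmp/have" | while read -r ip; do
        $SHOREWALL add "$IFACE:$ip" "$ZONE"
    done
    # Evict hosts whose MAC left the whitelist or whose IP changed (DHCP lease moved).
    set_diff "$tmp/have" "$tmp/want" | while read -r ip; do
        $SHOREWALL delete "$IFACE:$ip" "$ZONE"
    done

    mkdir -p "$(dirname "$STATE")" && cp "$tmp/want" "$STATE"
    rm -rf "$tmp"
}

# Run one sync when invoked as "./sync-zone.sh run", e.g. from cron every
# minute, or via sudo from the PHP interface right after it saves the whitelist.
if [ "${1:-}" = "run" ]; then
    sync_zone
fi
```

The policy side stays in the static Shorewall configuration: `trusted` gets the permissive policy, and the catch-all `REDIRECT` to the web server applies to everything else in `loc`, so a host is only ever moved between zones, never rewritten into the rules file. Two properties of this design matter for anyone relying on it: membership is only as trustworthy as the ARP table (a MAC is asserted by the client, not verified), and a host whose IP changes is admitted again only on the next sync, so the interval between runs is the window in which a stale entry lingers.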