Hi,

I followed the instructions in the section "Squid (transparent) Running on the Firewall" on http://www.shorewall.net/Shorewall_Squid_Usage.html to set up Squid transparently on a Linux gateway. My net is as follows:

    loc subnet           ---   fw Linux Gateway         ---   ADSL router
    192.168.1.0/24             192.168.1.92 (eth1)            WAN.WAN.WAN.2
    (gw =                      WAN.WAN.WAN.WAN (eth0)
    192.168.1.92)              (gw = WAN.WAN.WAN.2)

Linux Gateway config:

******
squid.conf:
    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
******
Apache2 is running on port 80.
******
/etc/shorewall/rules:

    REDIRECT loc 3128 tcp 80 - !WAN.WAN.WAN.WAN,192.168.1.92,WAN.WAN.WAN.2

(fw can access net)
******

At first, everything works fine. Client PCs from 192.168.1.0 can make HTTP requests transparently through Squid (checked Squid's access.log).

* However, after about 5-10 minutes, LAN PCs are unable to access the outside world (HTTP requests are not taken and ping <any-internet-host> doesn't work).
* If I do a ping <any-internet-host> or GET <any-internet-host> port 80 FROM the Linux Gateway, I DO get responses.
* If I reset the ADSL router (reboot), LAN PCs start "working" again (HTTP through Squid + pings, etc.) but only for another 5-10 minutes.
* If I reconfigure Squid and disable httpd_accel and configure LAN PC browsers to use the 192.168.1.92 proxy (non transparently), then everything works fine for a long period of time.

(Note that I've tried various LAN PCs and rebooted the ADSL router many times, to confirm that the system behaves as I described)

I even tried disabling Apache2 but got the same system behavior.

Can anyone shed some light on what's happening and how to fix it (would want Squid + Apache running on fw and loc PCs have to go through Squid for external HTTP requests except when querying fw)?

Regards,
Vieri

_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
Vieri Di Paola wrote:
> Can anyone shed some light on what's happening and how
> to fix it (would want Squid + Apache running on fw and
> loc PCs have to go through Squid for external HTTP
> requests except when querying fw)?

Are you getting any messages in your firewall's system log when things stop working (any messages, not just those generated by Shorewall rules)?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
TOPIC: would want Squid + Apache running on fw and loc PCs have to go through Squid (transparently) for external HTTP requests except when querying fw BUT, after a short while of successful squid caching, loc PCs can't access outside world.

Tom Eastep wrote:
> Are you getting any messages in your firewall's
> system log when things stop working (any messages,
> not just those generated by Shorewall rules)?

I waited the whole weekend to see if I could reproduce the same behavior. "Strangely", redirection to Squid worked fine. However, starting this Monday morning, the same failures started appearing again (odd coincidence: **seems (not sure though)** to start failing when there are many users in loc zone making HTTP requests).

Squid process is always up (daemon never gets killed).

**Sometimes** shorewall RESTART brings HTTP requests through Squid back to normal BUT most of the time this technique fails/changes nothing. However, reboot of the fw gateway always restores correct behavior (at least for a while until it fails again).

I'm running Shorewall version 2.0.8.

Unfortunately, the only error I could locate was the following:

/var/log/messages:
    Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=216.239.57.99 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=45933 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6657

generated from loc PC 192.168.1.10 when PINGing to ip address 216.239.57.99. Note that if 192.168.1.10 pings to google.com, no syslog message is recorded (and ping fails with unknown host).

Gateway FW has:

/etc/shorewall/policy:
    fw    net   ACCEPT
    loc   vpn   ACCEPT
    vpn   loc   ACCEPT
    net   all   DROP     info
    all   all   REJECT   info

/etc/shorewall/rules:
    ACCEPT     all   all    icmp   8
    ACCEPT     all   all    icmp
    ACCEPT     loc   fw     tcp    80
    ACCEPT     loc   net    tcp    80
    REDIRECT   loc   3128   tcp    www   -   !192.168.1.92   # 192.168.1.92 is fw, with an Apache server
    ACCEPT     loc   net    tcp    53
    ACCEPT     loc   net    udp    53    # port 53: name resolution for !HTTP.

Would appreciate your feedback.
P.S.: thanks for the excellent documentation on shorewall.net.

Just a note on http://www.shorewall.net/IPSEC.htm: I know this has nothing to do with Shorewall but a small note could help a few misled novices like myself:

Note: if you successfully establish an IPSEC tunnel (SA established) and you can ping the remote gateway's local IP BUT cannot ping any host behind it (and tcpdump on remote gateway shows that it's receiving packets but not replying), then check the route tables of the remote subnet PCs.

I'm just pointing this out because my remote subnet had two gateways and all remote subnet PCs used the Freeswan default gateway BUT had a route entry saying that all replies to my local subnet had to go through the other remote gateway (route add <my_loc> <netmask> <other_remote_gw>). But of course, this situation isn't common so I'm not sure if the note can be useful.
Vieri Di Paola wrote:
> Unfortunately, the only error I could locate was the
> following:
>
> /var/log/messages:
> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=216.239.57.99 DST=192.168.1.10 LEN=60 TOS=0x00
> PREC=0x00 TTL=238 ID=45933 PROTO=ICMP TYPE=0 CODE=0
> ID=512 SEQ=6657

Is eth1 your internal interface?

-Tom
>> Vieri Di Paola wrote:
>>
>> Unfortunately, the only error I could locate was the
>> following:
>>
>> /var/log/messages:
>> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>> SRC=216.239.57.99 DST=192.168.1.10 LEN=60 TOS=0x00
>> PREC=0x00 TTL=238 ID=45933 PROTO=ICMP TYPE=0 CODE=0
>> ID=512 SEQ=6657
>
> Is eth1 your internal interface?
>
> -Tom

Yes, eth1 is the internal and eth0 the external interface.
It's a two-interface system.

__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail
Vieri Di Paola wrote:
>>> Vieri Di Paola wrote:
>>>
>>> Unfortunately, the only error I could locate was the
>>> following:
>>>
>>> /var/log/messages:
>>> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>>> SRC=216.239.57.99 DST=192.168.1.10 LEN=60 TOS=0x00
>>> PREC=0x00 TTL=238 ID=45933 PROTO=ICMP TYPE=0 CODE=0
>>> ID=512 SEQ=6657
>>
>> Is eth1 your internal interface?
>>
>> -Tom
>
> yes, eth1 is the internal and eth0 the external
> interface.
> it's a two-interface system.

Then why is traffic from 216.239.57.99 arriving on that interface (note that the IN= and OUT= interfaces are both eth1)?

-Tom
>>>> Vieri Di Paola wrote:
>>>>
>>>> Unfortunately, the only error I could locate was
>>>> the following:
>>>>
>>>> /var/log/messages:
>>>> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>>>> SRC=216.239.57.99 DST=192.168.1.10 LEN=60 TOS=0x00
>>>> PREC=0x00 TTL=238 ID=45933 PROTO=ICMP TYPE=0 CODE=0
>>>> ID=512 SEQ=6657
>>>
>>> Is eth1 your internal interface?
>>>
>>> -Tom
>>
>> yes, eth1 is the internal and eth0 the external
>> interface.
>> it's a two-interface system.
>
> Then why is traffic from 216.239.57.99 arriving on
> that interface (note
> that the IN= and OUT= interfaces are both eth1).

That's the strangeness I wanted to point out. I have no idea why IN=OUT=eth1.
It seems to be related with the rule:

    REDIRECT loc 3128 tcp www - !<my_apache_server>

for if I uncomment this rule, the system works smoothly.
I guess I can try to reduce system services to the bare minimum and see what happens.
And maybe switch to shorewall 2.0.9, just in case.
Vieri Di Paola wrote:
>>> yes, eth1 is the internal and eth0 the external
>>> interface.
>>> it's a two-interface system.
>>
>> Then why is traffic from 216.239.57.99 arriving on
>> that interface (note
>> that the IN= and OUT= interfaces are both eth1).
>
> That's the strangeness I wanted to point out. I have
> no idea why IN=OUT=eth1.
> It seems to be related with the rule:
> REDIRECT loc 3128 tcp www - !<my_apache_server>

How is your firewall cabled? Switches, etc.? No Netfilter rule can cause that problem -- having a route that bypasses your firewall can cause it.

> for if I uncomment this rule, the system works
> smoothly.
> I guess I can try to reduce system services to the
> bare minimum and see what happens.
> And maybe switch to shorewall 2.0.9, just in case.

No! Please don't add another variable to the problem.

-Tom
Vieri Di Paola wrote:
>>> yes, eth1 is the internal and eth0 the external
>>> interface.
>>> it's a two-interface system.
>>
>> Then why is traffic from 216.239.57.99 arriving on
>> that interface (note
>> that the IN= and OUT= interfaces are both eth1).
>
> That's the strangeness I wanted to point out.

I assume from what you are saying that your system log contains no messages saying that your firewall is out of conntrack entries and that packets are being dropped. The symptoms you describe sound very much like that is happening but the kernel reports that in your logs (don't remember the exact text of the message).

-Tom
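Two offline checks for the two explanations Tom raises in this and the previous message, written as an added example that is not part of the thread and not Shorewall's own tooling. The first scans syslog text for Shorewall log entries whose IN= and OUT= interfaces are the same, the oddity in Vieri's log line; the second counts the kernel's connection-tracking "table full" messages (the wording used here is the kernel's own for ip_conntrack and the later nf_conntrack, supplied from memory since Tom does not quote it) and computes table utilization from the conntrack count/max values. The sample log lines are constructed for the demo, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the thread. Two offline checks for the two
# explanations discussed above, run over constructed sample syslog lines.

# Constructed sample of /var/log/messages (not real traffic): the line from
# the thread, an ordinary drop on the external interface, and two kernel
# conntrack-exhaustion messages.
SAMPLE_LOG='Oct 18 09:12:01 fw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=216.239.57.99 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=45933 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6657
Oct 18 09:12:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=135
Oct 18 09:12:03 fw kernel: ip_conntrack: table full, dropping packet.
Oct 18 09:12:03 fw kernel: ip_conntrack: table full, dropping packet.'

# Check 1: Shorewall log entries whose IN= and OUT= name the same interface
# (a forwarded packet that came in on the interface it should leave by).
# Reads syslog text on stdin and prints "SRC -> DST via IFACE" per hit.
hairpin_entries() {
  awk '/Shorewall:/ {
    in_if = out_if = src = dst = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      key = kv[1]; sub(/^.*:/, "", key)   # "Shorewall:FORWARD:REJECT:IN" -> "IN"
      if (key == "IN")  in_if  = kv[2]
      if (key == "OUT") out_if = kv[2]
      if (key == "SRC") src    = kv[2]
      if (key == "DST") dst    = kv[2]
    }
    if (in_if != "" && in_if == out_if)
      printf "%s -> %s via %s\n", src, dst, in_if
  }'
}

# Check 2: count kernel messages reporting a full connection-tracking table.
# The wording is the kernel's "ip_conntrack: table full, dropping packet."
# (2.4/2.6 ip_conntrack) or "nf_conntrack: table full, dropping packet."
# (later kernels); both share the same tail. Reads syslog text on stdin.
conntrack_full_count() {
  grep -c 'conntrack: table full, dropping packet' || true
}

# Percentage of the conntrack table in use, given the values read from
# /proc/sys/net/ipv4/ip_conntrack_count and ip_conntrack_max (or, on newer
# kernels, /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max).
conntrack_pct() {
  echo $(( $1 * 100 / $2 ))
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | hairpin_entries
printf 'table-full messages: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | conntrack_full_count)"
printf 'table utilization at 7800/8192: %s%%\n' "$(conntrack_pct 7800 8192)"
```

On a live box the same functions take `cat /var/log/messages | hairpin_entries` and the two sysctl values as arguments; a hairpin hit points at the cabling/routing question Tom asks next, while a non-zero table-full count points at conntrack exhaustion instead.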
> Vieri Di Paola wrote:
>>>> yes, eth1 is the internal and eth0 the external
>>>> interface.
>>>> it's a two-interface system.
>>>
>>> Then why is traffic from 216.239.57.99 arriving on
>>> that interface (note
>>> that the IN= and OUT= interfaces are both eth1).
>>
>> That's the strangeness I wanted to point out. I have
>> no idea why IN=OUT=eth1.
>> It seems to be related with the rule:
>> REDIRECT loc 3128 tcp www - !<my_apache_server>
>
> How is your firewall cabled? Switches, etc.?
> No Netfilter rule can cause
> that problem -- having a route that bypasses your
> firewall can cause it.

That was it. The thing is that the firewall+subnet is on a remote corporate lan (not always sure of the physical connections) and somehow the ADSL router was directly connected to a switch as so:

    ADSL ROUTER ------ SWITCH ------ LAN
         |----- FIREWALL --|

I told them to take the ADSL-SWITCH cable out and the problem hasn't come back since.

I'm sorry you spent time on a non-shorewall-specific issue but I appreciate your help.

Vieri
Gary Buckmaster
2004-Oct-21 01:11 UTC
Dynamic Rules for Active Directory Authenticated Users
This question may be beyond the scope of Shorewall, and perhaps beyond the current abilities of iptables, but I'll ask anyhow.

For my current network environment it is desirable to have a mechanism in the firewall that will dynamically add masq rules for users who have authenticated against the active directory server. Ideally we would be able to specify a group policy for users allowed internet access and then as a user in said group authenticates, a masq rule is added and they are now able to go outbound. Is this something that is possible with iptables and specifically with Shorewall?

Best,
Gary
Tom Eastep
2004-Oct-21 01:18 UTC
Re: Dynamic Rules for Active Directory Authenticated Users
Gary Buckmaster wrote:
> This question may be beyond the scope of Shorewall, and perhaps beyond
> the current abilities of iptables, but I'll ask anyhow.
>
> For my current network environment it is desirable to have a
> mechanism in the firewall that will dynamically add masq rules for
> users who have authenticated against the active directory server.
> Ideally we would be able to specify a group policy for users allowed
> internet access and then as a user in said group authenticates, a masq
> rule is added and they are now able to go outbound. Is this something
> that is possible with iptables and specifically with Shorewall?

You are asking the wrong question. Masquerade is a mechanism for modifying the source address of outbound connections; IT IS NOT AN ACCESS CONTROL MECHANISM.

What you should be asking is "How can I limit access to xxx to only those hosts who have authenticated using <insert your favorite authentication mechanism here>?"

The answer to that question is "Shorewall dynamic zones". These are described in the Shorewall IPSEC documentation but they are useful in any instance where you wish to dynamically grant and revoke access permissions to individual hosts by IP address.

-Tom
Gary Buckmaster
2004-Oct-21 02:37 UTC
Re: Dynamic Rules for Active Directory Authenticated Users
Tom,

Sorry, you're right. I didn't mean to imply that Masq is an ACM, I was merely trying to simplify the explanation. Dynamic Zones looks like the solution. I assume the process would be something like setting up an appropriate PAM configuration to do the authentication checks and perhaps a script that will add the correctly authenticated IP address to the appropriate dynamic zone. Is this roughly what I'm looking for?

-Gary

On Wed, 20 Oct 2004 18:18:58 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> Gary Buckmaster wrote:
> > This question may be beyond the scope of Shorewall, and perhaps beyond
> > the current abilities of iptables, but I'll ask anyhow.
> >
> > For my current network environment it is desirable to have a
> > mechanism in the firewall that will dynamically add masq rules for
> > users who have authenticated against the active directory server.
> > Ideally we would be able to specify a group policy for users allowed
> > internet access and then as a user in said group authenticates, a masq
> > rule is added and they are now able to go outbound. Is this something
> > that is possible with iptables and specifically with Shorewall?
>
> You are asking the wrong question. Masquerade is a mechanism for
> modifying the source address of outbound connections; IT IS NOT AN
> ACCESS CONTROL MECHANISM.
>
> What you should be asking is "How can I limit access to xxx to only
> those hosts who have authenticated using <insert your favorite
> authentication mechanism here>?"
>
> The answer to that question is "Shorewall dynamic zones". These are
> described in the Shorewall IPSEC documentation but they are useful in
> any instance where you wish to dynamically grant and revoke access
> permissions to individual hosts by IP address.
>
> -Tom
Tom Eastep
2004-Oct-21 02:40 UTC
Re: Dynamic Rules for Active Directory Authenticated Users
Gary Buckmaster wrote:
> Sorry, you're right. I didn't mean to imply that Masq is an ACM, I
> was merely trying to simplify the explanation. Dynamic Zones looks
> like the solution. I assume the process be something like setting up
> an appropriate PAM configuration to do the authentication checks and
> perhaps a script that will add the correctly authenticated IP address
> to the appropriate dynamic zone. Is this roughly what I'm looking
> for?

Yes -- although in my view, the more interesting problem is how to revoke the access right via "shorewall delete" when appropriate.

-Tom
Tom Eastep
2004-Oct-21 03:20 UTC
Re: Dynamic Rules for Active Directory Authenticated Users
Gary Buckmaster wrote:
>> How do you know when the user who authenticated on your firewall logged
>> out on a host and when someone else logged in?
>
> Although that is a problem, I suspect that it will be a pretty minor
> one. Assuming that the firewall will re-verify authentication after a
> brief window (arbitrarily say 2-5 minutes), a user who managed to gain
> access to the same IP address would only have illicit internet access
> for a very brief window. Throwing DHCP into the mix, the chances of
> getting onto an allowed IP address in that same window seems
> reasonably small.

So from a client system, how does this work? Am I prompted for my user id and password every 2-5 minutes?

-Tom
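The grant/revoke half of what Gary and Tom sketch in the last few messages, as an added example that is not part of the thread and not Shorewall's own code (the PAM side that decides who is authenticated is left out). It keeps admitted hosts with an expiry in a small state file, calls `shorewall add` / `shorewall delete` on a dynamic zone, and revokes whoever's window has lapsed, which is the re-verification window discussed above; a host that re-authenticates before its window ends keeps its access without a second `shorewall add`. The zone name `auth` on `eth1` (declared dynamic in /etc/shorewall/hosts), the state file path and the 300-second TTL are assumptions for the example, and the address check exists so that only a dotted quad ever reaches the shorewall command line.

```shell
#!/bin/sh
# Added example, not part of the thread or of Shorewall itself.
# Tracks hosts admitted to a Shorewall dynamic zone and revokes them once
# their authentication window lapses. Assumed (hypothetical) layout:
#   /etc/shorewall/hosts declares a dynamic zone, e.g.  "auth  eth1:dynamic"
#   the authentication hook (PAM, a login page, ...) calls   grant <ip>
#   cron runs                                                 expire
# State file lines are "<ip> <expiry-epoch-seconds>".

SHOREWALL="${SHOREWALL:-shorewall}"           # set to ":" for a dry run
STATE_FILE="${STATE_FILE:-/var/run/authzone.state}"
IFACE="${IFACE:-eth1}"
ZONE="${ZONE:-auth}"
TTL="${TTL:-300}"                              # seconds of access per grant

# True only for a dotted-quad IPv4 address, so nothing else (a login name,
# shell metacharacters) can be passed through to the shorewall command.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet; do [ "$octet" -le 255 ] || return 1; done
}

# Rewrite the state file without the entry for $1 (helper).
_drop_entry() {
  [ -f "$STATE_FILE" ] || return 0
  awk -v ip="$1" '$1 != ip' "$STATE_FILE" > "$STATE_FILE.tmp"
  mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# grant <ip> [now]: admit the host, or just refresh its window if it is
# already admitted (no second "shorewall add").
grant() {
  ip=$1; now=${2:-$(date +%s)}
  valid_ipv4 "$ip" || { echo "grant: bad address '$ip'" >&2; return 2; }
  touch "$STATE_FILE"
  if ! awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$STATE_FILE"; then
    $SHOREWALL add "$IFACE:$ip" "$ZONE" || return 1
  fi
  _drop_entry "$ip"
  echo "$ip $((now + TTL))" >> "$STATE_FILE"
}

# revoke <ip>: remove the host from the zone right away.
revoke() {
  ip=$1
  valid_ipv4 "$ip" || return 2
  $SHOREWALL delete "$IFACE:$ip" "$ZONE" || return 1
  _drop_entry "$ip"
}

# expire [now]: revoke every host whose window has lapsed; prints each one.
expire() {
  now=${1:-$(date +%s)}
  [ -f "$STATE_FILE" ] || return 0
  for ip in $(awk -v now="$now" '$2 <= now { print $1 }' "$STATE_FILE"); do
    revoke "$ip" && echo "$ip"
  done
}

# active: list the hosts currently admitted.
active() {
  [ -f "$STATE_FILE" ] || return 0
  cut -d' ' -f1 "$STATE_FILE"
}

# Minimal CLI:  authzone.sh grant <ip> | revoke <ip> | expire | active
case ${1:-} in
  grant|revoke|expire|active) "$@" ;;
esac
```

The `now` argument exists so the window logic can be exercised without waiting; in production the hook simply runs `grant "$PAM_RHOST"`-style with the client address it trusts, and a minute-interval cron entry runs `expire`.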
Eduardo Ferreira
2004-Oct-21 14:07 UTC
Re: Dynamic Rules for Active Directory Authenticated Users
Gary Buckmaster wrote on 20/10/2004 22:11:38:
> This question may be beyond the scope of Shorewall, and perhaps beyond
> the current abilities of iptables, but I'll ask anyhow.
>
> For my current network environment it is desirable to have a
> mechanism in the firewall that will dynamically add masq rules for
> users who have authenticated against the active directory server.
> Ideally we would be able to specify a group policy for users allowed
> internet access and then as a user in said group authenticates, a masq
> rule is added and they are now able to go outbound. Is this something
> that is possible with iptables and specifically with Shorewall?

Sorry for jumping up late on this thread but I'd like to ask what is the type of internet access you'd like to dynamically control. If it is web access only, use squid with some kind of authentication mechanism - squid has plenty of options there, including transparent authentication against an active directory server.

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Gary Buckmaster
2004-Oct-22 03:26 UTC
Re: Dynamic Rules for Active Directory Authenticated Users
We currently just filter web access via squid using exactly that method. It has been mandated from above, however, that we filter all forms of outbound access. I suspect that this is in an effort to combat the use of instant messaging and other "productivity degrading" software. Being able to do this via the firewall would be the preferred method versus re-allocating network segments based on allowed levels of access.

On Thu, 21 Oct 2004 11:07:11 -0300, Eduardo Ferreira <duda@icatu.com.br> wrote:
> Gary Buckmaster wrote on 20/10/2004 22:11:38:
> > This question may be beyond the scope of Shorewall, and perhaps beyond
> > the current abilities of iptables, but I'll ask anyhow.
> >
> > For my current network environment it is desirable to have a
> > mechanism in the firewall that will dynamically add masq rules for
> > users who have authenticated against the active directory server.
> > Ideally we would be able to specify a group policy for users allowed
> > internet access and then as a user in said group authenticates, a masq
> > rule is added and they are now able to go outbound. Is this something
> > that is possible with iptables and specifically with Shorewall?
>
> sorry for jumping up late on this thread but I'd like to ask what is the
> type of internet access you'd like to dynamically control. If it is web
> access only, use squid with some kind of authentication mechanism - squid
> has plenty of options there, including transparent authentication against
> an active directory server.
>
> ________________________
> Eduardo Ferreira
> Icatu Holding S.A.
> Supervisor de TI
> (5521) 3804-8606
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm