Hi,

I want to automate some of the maclist and rule functionality:

- User connects to the network and gets a DHCP address from the shorewall box.
- Using squid and redirection, all the user can do is go to a login page on the firewall.
- User logs in correctly to the form on the webpage and a process captures MAC and IP address info from the dhcpd.leases file.
- Once authenticated, a maclist entry and an ACCEPT+ rule is added to the config files to allow that mac/ip address combo to the internet on "allowed" ports.

So far I can:

- Redirect to squid
- Bypass the redirect and give access to known ip addresses on the local side with a specific ACCEPT+ rule
- Restrict access to the Internet using maclist entry for MAC and IP pair.

Question is:
How can I allow http traffic to the firewall from the local net _without_ regardless of mac / ip address. Apply the maclist check to traffic going _through_ the system?

Can it be done?

I have been through the documentation but can't see if this can be achieved.

regards
Richard

___________________________________________________________
First Option's outgoing email policy is at http://www.firstoption.net/emailpolicy.html, but a short summary is :-
- all email/attachments are confidential; do not use, circulate or release without our consent
- email is not authorised unless it is on First Option business
- email is not binding unless it is from an authorised person and is signed with a digital certificate
First Option Ltd. - Switchboard +44 (0) 1962 738200
Signal House, Jacklyns Lane, Alresford, Hants, SO24 9JJ, United Kingdom
___________________________________________________________
On Thursday 13 April 2006 05:15, Richard Turner wrote:

> Question is:
> How can I allow http traffic to the firewall from the local net
> _without_ regardless of mac / ip address. Apply the maclist check to
> traffic going _through_ the system?
>
> Can it be done?

No -- not using the maclist file -- but if you make the loc->net policy REJECT then you can add ACCEPT loc->net rules that specify a MAC address in the SOURCE.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom

Thanks for responding so soon, and thanks for a great system in Shorewall.

To see if I have this right, with 2 known systems:

SystemA 00:00:00:00:00:01 192.168.0.1
SystemB 00:00:00:00:00:02 192.168.0.2

and the maclist file is empty.

rules file:
ACCEPT+ local:~00:00:00:00:001 net # Access for systemA to internet
ACCEPT+ local:~00:00:00:00:001 net # Access for systemB to internet

ACCEPT local firewall tcp 80 # Http access to firewall
REDIRECT local 3128 tcp www - !firewall :# Redirect via squid.
REJECT:info local net # Reject every thing else and log

policy
local net accept
local fw accept
all all reject

Does that look right?

Richard

Tom Eastep wrote:
> On Thursday 13 April 2006 05:15, Richard Turner wrote:
>
>> Question is:
>> How can I allow http traffic to the firewall from the local net
>> _without_ regardless of mac / ip address. Apply the maclist check to
>> traffic going _through_ the system?
>>
>> Can it be done?
>
> No -- not using the maclist file -- but if you make the loc->net policy REJECT
> then you can add ACCEPT loc->net rules that specify a MAC address in the
> SOURCE.
>
> -Tom
PLEASE KEEP THIS ON THE LIST

On Thursday 13 April 2006 10:50, you wrote:
> Tom
>
> Thanks for responding so soon, and thanks for a great system in Shorewall.
>
> To see if I have this right, with 2 known systems:
>
> SystemA 00:00:00:00:00:01 192.168.0.1
> SystemB 00:00:00:00:00:02 192.168.0.2
>
> and the maclist file is empty.
>
> rules file:
> ACCEPT+ local:~00:00:00:00:001 net # Access for systemA to internet
> ACCEPT+ local:~00:00:00:00:001 net # Access for systemB to internet

Wrong MAC (duplicate of the first one)

> ACCEPT local firewall tcp 80 # Http access to firewall
> REDIRECT local 3128 tcp www - !firewall :# Redirect via squid.
> REJECT:info local net # Reject every thing else and log

The above rule is a policy -- it should replace the local->net policy in your policy file.

> policy
> local net accept
> local fw accept
> all all reject

-Tom
On Thursday 13 April 2006 12:21, Tom Eastep wrote:
> PLEASE KEEP THIS ON THE LIST

Sorry -- I didn't notice that you had copied the list.

-Tom
...and I used colons not hyphens so should be

ACCEPT+ local:~00-00-00-00-00-01 net # Access for systemA to internet
ACCEPT+ local:~00-00-00-00-00-02 net # Access for systemB to internet

Re-read the policy and rules definitions. I see where I mis-understood. Make the default action REJECT in the policy and then override in the rules section with the specifics.

Looks like I have a lot more reading to do...

Thanks again
Richard

>> rules file:
>> ACCEPT+ local:~00:00:00:00:001 net # Access for systemA to internet
>> ACCEPT+ local:~00:00:00:00:001 net # Access for systemB to internet
>>
>> ACCEPT local firewall tcp 80 # Http access to firewall
>> REDIRECT local 3128 tcp www - !firewall :# Redirect via squid.
>> REJECT:info local net # Reject every thing else and log
>
> The above rule is a policy -- it should replace the local->net policy in your
> policy file.
>
>> policy
>> local net accept
>> local fw accept
>> all all reject
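The thread settles on three points: the maclist file cannot be applied only to forwarded traffic, so the local->net policy becomes REJECT; each authenticated client gets its own ACCEPT+ rule with the MAC in the SOURCE column; and Shorewall writes that MAC with hyphens, not colons. The script below is an added example (written for this page, not code from the thread or from the Shorewall project) of the automation Richard describes in his first message: it parses a constructed dhcpd.leases fragment, takes the last active lease for each IP, and emits the corrected rules and policy lines. It assumes the zone names used in the thread (local, net, fw), that the firewall's LAN address is passed in as firewall_ip (a placeholder; the thread never gives it), and that the login page on port 80 must stay reachable from any MAC/IP.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample of an ISC dhcpd.leases file; not taken from the thread.
# dhcpd appends a new block each time a lease changes, so a later block for
# the same IP supersedes an earlier one (192.168.0.2 ends up with ...:03, and
# 192.168.0.5 is released and must be forgotten).
SAMPLE_LEASES = """\
lease 192.168.0.1 {
  starts 4 2006/04/13 12:00:00;
  ends 4 2006/04/13 13:00:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:01;
  client-hostname "systemA";
}
lease 192.168.0.2 {
  starts 4 2006/04/13 12:05:00;
  ends 4 2006/04/13 13:05:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:02;
  client-hostname "systemB";
}
lease 192.168.0.5 {
  starts 4 2006/04/13 12:10:00;
  ends 4 2006/04/13 13:10:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:05;
}
lease 192.168.0.2 {
  starts 4 2006/04/13 12:30:00;
  ends 4 2006/04/13 13:30:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:03;
  client-hostname "systemC";
}
lease 192.168.0.5 {
  starts 4 2006/04/13 12:10:00;
  ends 4 2006/04/13 12:40:00;
  binding state free;
  hardware ethernet 00:00:00:00:00:05;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17})\s*;")
STATE_RE = re.compile(r"binding state\s+(\w+)\s*;")


def parse_leases(text: str) -> Dict[str, str]:
    """Return {ip: mac} for leases whose latest block is 'active'."""
    result: Dict[str, str] = {}
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        state = STATE_RE.search(body)
        if hw is None:
            continue
        if state and state.group(1) != "active":
            result.pop(ip, None)  # released or expired: drop the MAC/IP pair
            continue
        result[ip] = hw.group(1).lower()
    return result


def shorewall_mac(mac: str) -> str:
    """Rewrite aa:bb:cc:dd:ee:ff as ~aa-bb-cc-dd-ee-ff, the SOURCE-column form
    Richard corrected to in his last message."""
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac.lower()):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "~" + mac.lower().replace(":", "-")


def accept_rule(zone: str, ip: str, leases: Dict[str, str]) -> Optional[str]:
    """ACCEPT+ rule for one authenticated client, or None if the IP the portal
    saw has no active lease (the client cannot be tied to a MAC)."""
    mac = leases.get(ip)
    if mac is None:
        return None
    return f"ACCEPT+\t{zone}:{shorewall_mac(mac)}\tnet\t# Access for {ip} to internet"


def rules_file(zone: str, authenticated_ips: Iterable[str],
               leases: Dict[str, str], firewall_ip: str) -> str:
    """Per-client ACCEPT+ rules first (ACCEPT+ exempts the traffic from the
    later REDIRECT), then the static portal rules."""
    dynamic = [r for r in (accept_rule(zone, ip, leases)
                           for ip in sorted(authenticated_ips)) if r]
    static = [
        f"ACCEPT\t{zone}\tfw\ttcp\t80\t# Login page on the firewall, any MAC/IP",
        f"REDIRECT\t{zone}\t3128\ttcp\twww\t-\t!{firewall_ip}\t# Everything else via squid",
    ]
    return "\n".join(dynamic + static) + "\n"


def policy_file(zone: str) -> str:
    """Tom's correction: the logged REJECT is the local->net policy, not a rule."""
    return "\n".join([f"{zone}\tnet\tREJECT\tinfo",
                      f"{zone}\tfw\tACCEPT",
                      "all\tall\tREJECT\tinfo"]) + "\n"


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    # 10.0.0.9 stands in for a login from an address with no lease on file.
    print(rules_file("local", ["192.168.0.1", "192.168.0.2", "10.0.0.9"],
                     leases, "192.168.0.254"))
    print(policy_file("local"))
```

Two properties matter on the defensive side. The MAC match in SOURCE only works for hosts on the segment directly attached to the firewall, since a routed packet carries the MAC of the last router, not the client; and a MAC is presented by the client, not verified, so the portal should remove a client's ACCEPT+ rule as soon as its lease is no longer active rather than leaving it until the next login.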