I'm trying to create a splash page for one of my leaf firewalls. I've checked the different boards and I know there is nocatsplash and chillispot, but everyone says they are buggy and you have to restart it a lot. Erich from the leaf user list gave me this pointer, but I don't understand how to do this. Anyone have any ideas?

-----Original Message-----
From: Erich Titl [mailto:erich.titl@think.ch]
Sent: Friday, April 06, 2007 11:07 AM
To: Rob Ogle
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Chillispot/nocat

Rob

Rob Ogle wrote:
> You lost me.

You can redirect port 80 to anywhere in the shorewall rules file to a fixed location. Then, as soon as that station has connected, ACCEPT anything from that MAC address by just calling the appropriate iptables command. It may be good to have a special table for this kind of operation. You can then periodically wipe that table. I have not dug much in the shorewall docs, but there must be a way to create a custom table for this purpose.

cheers

Erich

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Rob Ogle wrote:
> I'm trying to create a splash page for one of my leaf firewalls. I've checked the different boards and I know there is nocatsplash and chillispot, but everyone says they are buggy and you have to restart it a lot.

I'm trying to do (almost) exactly the same thing. I've checked out chillispot but it requires radius which isn't currently part of or planned to be in this network. It seems like this is something shorewall could do nicely. I just have to direct first time connections to remote port 80 to a specific website, then "whitelist" their MAC address after that. Is this capability in shorewall at present or is chillispot the only FOSS option out there? I have a FC6 box as my shorewall router and I'd like to keep it as clean as possible.

> Erich from the leaf user list gave me this pointer, but I don't understand how to do this. Anyone have any ideas?
>
> -----Original Message-----
> From: Erich Titl [mailto:erich.titl@think.ch]
> Sent: Friday, April 06, 2007 11:07 AM
> To: Rob Ogle
> Cc: leaf-user@lists.sourceforge.net
> Subject: Re: [leaf-user] Chillispot/nocat
>
> You can redirect port 80 to anywhere in the shorewall rules file to a fixed location. Then, as soon as that station has connected, ACCEPT anything from that MAC address by just calling the appropriate iptables command. It may be good to have a special table for this kind of operation. You can then periodically wipe that table. I have not dug much in the shorewall docs, but there must be a way to create a custom table for this purpose.
>
> cheers
>
> Erich
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Scott wrote:
> Rob Ogle wrote:
>> I'm trying to create a splash page for one of my leaf firewalls. I've checked the different boards and I know there is nocatsplash and chillispot, but everyone says they are buggy and you have to restart it a lot.
>
> I'm trying to do (almost) exactly the same thing. I've checked out chillispot but it requires radius which isn't currently part of or planned to be in this network. It seems like this is something shorewall could do nicely.

I don't see how. Shorewall isn't a daemon; it only runs during start/stop/restart operations so Shorewall certainly can't go about adding rules dynamically when people do something on a web base.

> I just have to direct first time connections to remote port 80 to a specific website, then "whitelist" their MAC address after that. Is this capability in shorewall at present or is chillispot the only FOSS option out there? I have a FC6 box as my shorewall router and I'd like to keep it as clean as possible.

Shorewall does not have a "whitelist" capability. You *can* do the following though in your /etc/shorewall/rules:

    NONAT     loc:+whitelist   net   tcp   80
    REDIRECT  loc              80    tcp   80

If 'whitelist' is a MAC address ipset then adding MAC addresses to the IPSET will allow those addresses access to the net. One fly in that ointment is that I don't believe FC6 includes ipset support.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,               \ http://shorewall.net
Washington USA           \ teastep@shorewall.net
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> I don't see how. Shorewall isn't a daemon; it only runs during start/stop/restart operations so Shorewall certainly can't go about adding rules dynamically when people do something on a web base.

s/base/page/

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,               \ http://shorewall.net
Washington USA           \ teastep@shorewall.net
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Scott wrote:
>> I'm trying to do (almost) exactly the same thing. I've checked out chillispot but it requires radius which isn't currently part of or planned to be in this network. It seems like this is something shorewall could do nicely.
>
> I don't see how. Shorewall isn't a daemon; it only runs during start/stop/restart operations so Shorewall certainly can't go about adding rules dynamically when people do something on a web base.
>
>> I just have to direct first time connections to remote port 80 to a specific website, then "whitelist" their MAC address after that. Is this capability in shorewall at present or is chillispot the only FOSS option out there? I have a FC6 box as my shorewall router and I'd like to keep it as clean as possible.
>
> Shorewall does not have a "whitelist" capability. You *can* do the following though in your /etc/shorewall/rules:

Even if I wrote a script to add the MAC address to the ipset after they first connect it won't make a difference. When a windows user starts up their machine there's probably 20 remote port 80 connections being made which would negate the whole purpose of this. I'll just acquire a free box and try chillispot. Thanks for the prompt answer!

On a side note, I'd like to thank you for all the years of support and development of Shorewall. I almost never come to the list because the in-line and on-line documentation is so good. Over the years I've managed to deploy some pretty elaborate router/firewalls with Shorewall. Keep up the excellent work!

-Scott
Scott wrote:
> Tom Eastep wrote:
>> Shorewall does not have a "whitelist" capability. You *can* do the following though in your /etc/shorewall/rules:
>
> Even if I wrote a script to add the MAC address to the ipset after they first connect it won't make a difference. When a windows user starts up their machine there's probably 20 remote port 80 connections being made which would negate the whole purpose of this.

How so? Once you register the MAC address in the ipset, the NONAT rule will pass further port 80 connection requests from that MAC regardless of the destination IP address.

Note that you can accomplish the same goal without ipsets (much less efficiently) by inserting rules in the front of the nat table 'loc_dnat' chain:

    iptables -t nat -I loc_dnat -m mac --mac-source <MAC> -j RETURN

You would probably want to maintain a database of allowed MACs so these rules could be restored in your /etc/shorewall/start script.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,               \ http://shorewall.net
Washington USA           \ teastep@shorewall.net
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
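The "database of allowed MACs" Tom suggests, written out as an added example; this is not code from the thread or from Shorewall. It implements the ipset-free path (the one that works on a box without ipset support, as FC6 was said to be): a flat file of MAC addresses, the `loc_dnat` RETURN rule from Tom's message for each one, and a `restore` entry point meant to be called from /etc/shorewall/start. The file path `ALLOWED_MACS_FILE`, the `IPTABLES` and `CHAIN` variables and all function names are hypothetical; with `IPTABLES` left at its default the script only prints the commands it would run, so it can be tried without root before pointing it at the real binary.

```shell
#!/bin/sh
# Added example, not Shorewall's or the thread's own code: a tiny "database" of
# allowed MAC addresses plus the iptables bypass rule Tom describes. Hypothetical
# names: ALLOWED_MACS_FILE (where the list lives) and the loc_dnat chain from the
# thread. With IPTABLES left at its default the commands are only printed, which
# lets the script be exercised without root; set IPTABLES=iptables to apply them.

ALLOWED_MACS_FILE="${ALLOWED_MACS_FILE:-/var/lib/splash/allowed_macs}"
IPTABLES="${IPTABLES:-echo iptables}"
CHAIN="${CHAIN:-loc_dnat}"

# Reject anything that is not six colon-separated hex octets before it is
# spliced into an iptables command line or written to the list.
valid_mac() {
    o='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $o:$o:$o:$o:$o:$o) return 0 ;;
        *) return 1 ;;
    esac
}

# Normalise to upper case so "aa:bb:.." and "AA:BB:.." are the same entry.
canon_mac() {
    printf '%s' "$1" | tr 'a-f' 'A-F'
}

# The rule from the thread: a RETURN at the front of loc_dnat (nat table) means
# the REDIRECT further down never sees traffic from this MAC. $1 is -I (insert)
# or -D (delete), $2 the MAC.
bypass_rule() {
    $IPTABLES -t nat "$1" "$CHAIN" -m mac --mac-source "$2" -j RETURN
}

# Called by the splash page's form handler once the client has clicked through.
# Idempotent: a MAC already on the list gets no second rule.
allow_mac() {
    mac=$(canon_mac "$1")
    valid_mac "$mac" || { echo "allow_mac: bad MAC '$1'" >&2; return 1; }
    mkdir -p "$(dirname "$ALLOWED_MACS_FILE")"
    touch "$ALLOWED_MACS_FILE"
    if grep -qxF "$mac" "$ALLOWED_MACS_FILE"; then
        return 0
    fi
    echo "$mac" >> "$ALLOWED_MACS_FILE"
    bypass_rule -I "$mac"
}

# Remove a MAC from the list and drop its rule (the periodic "wipe" Erich
# mentioned, or a guest leaving). Unknown MACs are ignored.
revoke_mac() {
    mac=$(canon_mac "$1")
    valid_mac "$mac" || return 1
    [ -f "$ALLOWED_MACS_FILE" ] || return 0
    grep -qxF "$mac" "$ALLOWED_MACS_FILE" || return 0
    grep -vxF "$mac" "$ALLOWED_MACS_FILE" > "$ALLOWED_MACS_FILE.tmp" || true
    mv "$ALLOWED_MACS_FILE.tmp" "$ALLOWED_MACS_FILE"
    bypass_rule -D "$mac"
}

# Replay the list after a restart; this is what /etc/shorewall/start would call,
# because Shorewall rebuilds loc_dnat from /etc/shorewall/rules without these rules.
restore_allowed() {
    [ -f "$ALLOWED_MACS_FILE" ] || return 0
    while IFS= read -r mac; do
        if valid_mac "$mac"; then
            bypass_rule -I "$mac"
        fi
    done < "$ALLOWED_MACS_FILE"
}

# Number of MACs currently on the list.
allowed_count() {
    [ -f "$ALLOWED_MACS_FILE" ] || { echo 0; return 0; }
    grep -c '' "$ALLOWED_MACS_FILE" || true
}

# Command-line front end: allowmac.sh allow|revoke <MAC> | allowmac.sh restore
case "${1:-}" in
    allow)   allow_mac "$2" ;;
    revoke)  revoke_mac "$2" ;;
    restore) restore_allowed ;;
esac
```

The splash page's handler would call `allow_mac` with the MAC it finds for the client's IP in the firewall's ARP cache, and `restore` is what goes into /etc/shorewall/start so the exceptions survive a `shorewall restart`. Two things worth keeping in mind with either this or the ipset variant: the RETURN rule is inserted at the front of the chain, so it wins over the REDIRECT regardless of destination (which is exactly why the "20 port 80 connections at boot" objection does not apply), and a MAC address is something the client chooses, so this gates a click-through acknowledgement, not identity; with the same `-m mac` match in place a stray MAC on the list is also easy to spot with `iptables -t nat -L loc_dnat`.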
On Wed, 2007-05-09 at 12:50 -0700, Tom Eastep wrote:
> Note that you can accomplish the same goal without ipsets (much less efficiently) by inserting rules in the front of the nat table 'loc_dnat' chain:
>
>     iptables -t nat -I loc_dnat -m mac --mac-source <MAC> -j RETURN
>
> You would probably want to maintain a database of allowed MACs so these rules could be restored in your /etc/shorewall/start script.

I sometimes do this sort of thing when I want to add a new rule. Rather than add it to rules and regenerate the whole firewall ruleset and install it (remotely through shorewall-lite) I add it to rules and then just do the "iptables -I <chain> <rule>" that I know shorewall will end up doing the long way anyway.

Sometimes this is just to test a rule's effectiveness before going the long route or sometimes it's just an ad-hoc rule.

But I have wondered while doing such a thing if there was room in shorewall to do this automagically. Probably not. Just a thought.

But shorewall having a facility to do more like what OP was wanting would be interesting. A single shorewall command that would add a single rule and also update a database so that a subsequent reload (or even restore) would restore that state.

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> I sometimes do this sort of thing when I want to add a new rule. Rather than add it to rules and regenerate the whole firewall ruleset and install it (remotely through shorewall-lite) I add it to rules and then just do the "iptables -I <chain> <rule>" that I know shorewall will end up doing the long way anyway.
>
> Sometimes this is just to test a rule's effectiveness before going the long route or sometimes it's just an ad-hoc rule.
>
> But I have wondered while doing such a thing if there was room in shorewall to do this automagically. Probably not. Just a thought.
>
> But shorewall having a facility to do more like what OP was wanting would be interesting. A single shorewall command that would add a single rule and also update a database so that a subsequent reload (or even restore) would restore that state.

Ipsets already do that for most useful cases. Why would I want to spend my time building the same thing?

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,               \ http://shorewall.net
Washington USA           \ teastep@shorewall.net
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> ...
>> I don't see how. Shorewall isn't a daemon; it only runs during start/stop/restart operations so Shorewall certainly can't go about adding rules dynamically when people do something on a web base.
>
> s/base/page/

All your page are belong to us! :-)

--
Paul <http://paulgear.webhop.net>
--
Did you know? Linux is a completely free operating system that provides a vast array of software "out of the box", and represents a viable alternative to expensive proprietary software. For more details, see: http://consumer.hardocp.com/article.html?art=MTI5OCwxLCxoY29uc3VtZXI
Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>>> I don't see how. Shorewall isn't a daemon; it only runs during start/stop/restart operations so Shorewall certainly can't go about adding rules dynamically when people do something on a web base.
>>
>> s/base/page/
>
> All your page are belong to us! :-)

You didn't just go there did you? Eeeek!
Michael Cozzi wrote:
> ...
>> All your page are belong to us! :-)
>
> You didn't just go there did you?

The only place *i* just went is http://en.wikipedia.org/wiki/All_your_base_are_belong_to_us :-)

--
Paul <http://paulgear.webhop.net>
--
A: Because it breaks the logical sequence of discussion.
Q: Why shouldn't i write my replies at the top of emails?