Hello,

About a captive portal using Shorewall, I have a problem with sub-zones.

In the file "zones", I create "zone1" and "zone2". In "policy" I DROP all. In "rules" I have, in summary:

-----------------
redirect zone1 8080 tcp 80 -
redirect zone1 8080 tcp 3128 -
accept zone2 wan tcp 80 -
redirect zone2 3128 tcp 80 -
-----------------

This is to redirect "http" and "proxy" access to a login.cgi page on a thttpd server running on port 8080.

In the file "hosts", I have:

-----
zone1 eth2:192.168.2.2
zone2 eth2:192.168.2.3
-----

And in the file "started", I have:

-----
shorewall add eth2:192.168.2.21 zone1
shorewall add eth2:192.168.2.22 zone1
shorewall add eth2:192.168.2.23 zone1
shorewall add eth2:192.168.2.24 zone1
shorewall add eth2:192.168.2.25 zone2
-----

The process of adding all these IPs to the zones is very slow.

I needed to do this because when a user logs in, I need to "shorewall delete" the user from zone1, and I need to "shorewall add" the user in zone2.

I tried to use in the file hosts:

----
zone1 eth2:192.168.2.0/24
zone2 eth2:192.168.2.3
----

In this case, I only need to add or delete the user in zone2.

But in this case, there is a conflict in the logic of the rules when the user is using the proxy. The system sees the rule to accept zone2 tcp 3128, but the system also sees the rule to redirect zone1 3128 --> 8080.

And with the last "hosts" file, the user will be in 2 zones, 1 and 2.

I tried to use ACCEPT+ zone2 all tcp 3128 -

But something is configured such that this "ACCEPT+" is not ignored by the "REDIRECT zone1" rule.

I tried to use shorewall-perl, but it shows errors in /var/lib/shorewall/.start

And I tried to understand "sub-zones", but did not find docs to read.

How can I solve this problem about ACCEPT+ zone2 and REDIRECT zone1, using the port of the proxy?

Thank you
Sávio
Savio Sampaio wrote:
> -----
>
> And in the file "started", I have:
> -----
> shorewall add eth2:192.168.2.21 zone1
> shorewall add eth2:192.168.2.22 zone1
> shorewall add eth2:192.168.2.23 zone1
> shorewall add eth2:192.168.2.24 zone1
> shorewall add eth2:192.168.2.25 zone2
> -----
>
> The process of adding all these IPs to the zones
> is very slow.

Of course it is. Each 'shorewall' command takes one minute because it tries to acquire the lock file which is owned by the 'shorewall' command doing the 'start' or 'restart'. That is why there is a 'nolock' option to 'shorewall':

shorewall nolock add eth2:192.168.2.21 zone1
shorewall nolock add eth2:192.168.2.22 zone1
shorewall nolock add eth2:192.168.2.23 zone1
shorewall nolock add eth2:192.168.2.24 zone1
shorewall nolock add eth2:192.168.2.25 zone2

I see that this option has disappeared from the documentation :-( I'll restore it when I get a chance.

> I needed to do this because when a user
> logs in, I need to "shorewall delete" the user from
> zone1, and I need to "shorewall add" the user
> in zone2.

Not really -- see below.

> I tried to use in the file hosts:
> ----
> zone1 eth2:192.168.2.0/24

Just leave off the 192.168.2.0/24. With what you have, your firewall can't send or receive limited broadcasts through eth2.

> zone2 eth2:192.168.2.3
> ----
>
> In this case, I only need to add or
> delete the user in zone2.
>
> But in this case, there is a conflict
> in the logic of the rules when the user is
> using the proxy.

That's because the order of the zones in /etc/shorewall/zones is wrong. zone2 is a subzone of zone1 so it needs to be defined first. Or you need to explicitly declare it as a subzone:

zone2:zone1 ipv4

> The system sees the rule to accept zone2
> tcp 3128, but the system also sees the rule
> to redirect zone1 3128 --> 8080.
>
> And with the last "hosts" file, the user
> will be in 2 zones, 1 and 2.
>
> I tried to use ACCEPT+ zone2 all tcp 3128 -
>
> But something is configured such that this "ACCEPT+"
> is not ignored by the "REDIRECT zone1" rule.
>
> I tried to use shorewall-perl, but it shows
> errors in /var/lib/shorewall/.start

We would have been happy to help you with those.

> And I tried to understand "sub-zones",
> but did not find docs to read.

man shorewall-nesting

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
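The layout Tom describes, written out as one worked example. This is added code, not from either poster or from the Shorewall project: zone1 is the whole of eth2 and is redirected to the login page, zone2 is declared explicitly as a sub-zone of zone1 so that its rules are checked first, and only zone2 membership changes when a user logs in or out. The assumptions not in the thread are labeled in the comments: a Shorewall 4.0 shell-compiler install with DYNAMIC_ZONES=Yes, eth0 as the wan interface, zone1 placed in the interfaces file (my reading of "just leave off the 192.168.2.0/24"), Squid on 3128 and thttpd on 8080 on the firewall itself, and login.cgi taking the client address from REMOTE_ADDR and running shorewall through a narrowly scoped sudo rule. The IP check exists because the address ends up on a root command line.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Shorewall project.
# Captive portal with ONE dynamic sub-zone: zone1 is every host on eth2 and is
# redirected to the login page; zone2 (authenticated hosts) is a sub-zone of
# zone1, so only zone2 membership changes at login/logout.
# Assumptions: Shorewall 4.0 shell compiler with DYNAMIC_ZONES=Yes in
# shorewall.conf, eth0 = wan, eth2 = LAN, Squid on 3128 and thttpd on 8080
# running on the firewall itself.

# Write the config files into directory $1 ($1 = /etc/shorewall on a real box).
write_config() {
    dir=$1
    mkdir -p "$dir"

    # Declaring zone2 as "zone2:zone1" makes Shorewall apply zone2's rules
    # before zone1's regardless of line order (parent listed first here).
    cat > "$dir/zones" <<'EOF'
#ZONE        TYPE      OPTIONS
fw           firewall
wan          ipv4
zone1        ipv4
zone2:zone1  ipv4
EOF

    # zone1 is the whole interface: no address list, so limited broadcasts
    # to/from the firewall on eth2 still work.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
wan     eth0        detect
zone1   eth2        detect
EOF

    # One static seed host, as in the original post; the rest join dynamically.
    cat > "$dir/hosts" <<'EOF'
#ZONE   HOST(S)             OPTIONS
zone2   eth2:192.168.2.3
EOF

    # DROP everything, except the firewall's own proxy reaching the internet.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY
$FW       wan    ACCEPT
all       all    DROP
EOF

    # zone2 (checked first): explicit proxy on 3128, transparent proxy for 80.
    # zone1 (everyone else): both ports land on the login page on 8080.
    # REDIRECT also generates the matching ACCEPT for the redirected port.
    cat > "$dir/rules" <<'EOF'
#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     zone2    $FW    tcp     3128
REDIRECT   zone2    3128   tcp     80
REDIRECT   zone1    8080   tcp     80,3128
EOF
}

# Accept only a dotted-quad IPv4 address; anything else is rejected before it
# can reach a shell command line.
valid_ipv4() {
    case $1 in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

SHOREWALL=${SHOREWALL:-shorewall}

# Build the command that moves a client into or out of zone2.
# The address must be the client's own address as seen by thttpd
# (REMOTE_ADDR), never a form field, or any user could authorize other hosts.
# From login.cgi the plain 'shorewall' command is correct; 'shorewall nolock'
# is only for extension scripts such as /etc/shorewall/started, where 'start'
# still holds the lock.
portal_cmd() {     # portal_cmd add|delete IP  -> prints the command, or fails
    case $1 in add | delete) ;; *) return 2 ;; esac
    valid_ipv4 "$2" || return 1
    printf '%s %s eth2:%s zone2\n' "$SHOREWALL" "$1" "$2"
}

# What login.cgi / logout.cgi would run (as root via a sudo rule limited to
# 'shorewall add' and 'shorewall delete'; an assumed deployment detail).
portal_login()  { cmd=$(portal_cmd add "$1")    && $cmd; }
portal_logout() { cmd=$(portal_cmd delete "$1") && $cmd; }
```

Usage from login.cgi is `portal_login "$REMOTE_ADDR"` after the credentials check, and `portal_logout "$REMOTE_ADDR"` from the logout page. Because an authenticated host stays in zone1 as well (zone2 is a subset of it), no delete from zone1 is needed; the sub-zone ordering is what keeps its port 80 and 3128 traffic away from the login-page REDIRECT.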