We currently use a three-server setup of Firewall-1 NG (2x firewalls and a management server with Rainwall clustering) and we plan to move to an open source solution.

We have very specific needs and the one that is very important is: Our users pay for their internet traffic and pay-as-you-go is an option for users. In our setup we have about 25000 users.

At the moment they authenticate against a radius server and then the firewall will allow them to use a set of paid services. Our programmers are monitoring the stateful connections in real time and will stop the connection of a user when there is no more money available for pay-as-you-go-users and store the accounting information in an SQL-database (postgresql).

Is there a way shorewall can be used in a similar way? From what I could see in the documentation about accounting is that it is possible to do accounting for users, but to me that looked like users registered on the system on which the firewall is running. Can this type of accounting be done while using a radius server to do authentication? I suppose the rules will have to be adjusted on the run as authentications and de-authentications take place and that, if we use two servers the iptables must be in sync.

Regards
Johann

--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Let your conversation be without covetousness; and be content with such things as ye have: for he hath said, I will never leave thee, nor forsake thee." Hebrews 13:5

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Johann Spies wrote:
>
> At the moment they authenticate against a radius server and then the
> firewall will allow them to use a set of paid services. Our
> programmers are monitoring the stateful connections in real time and
> will stop the connection of a user when there is no more money
> available for pay-as-you-go-users and store the accounting information
> in an SQL-database (postgresql).

Hopefully, it is your 'programs' that do this monitoring rather than your 'programmers'.

>
> Is there a way shorewall can be used in a similar way? From what I
> could see in the documentation about accounting is that it is possible
> to do accounting for users, but to me that looked like users
> registered on the system on which the firewall is running. Can this
> type of accounting be done while using a radius server to do
> authentication? I suppose the rules will have to be adjusted on the
> run as authentications and de-authentications take place and that, if
> we use two servers the iptables must be in sync.

I can't recommend Shorewall as a solution in your particular case. The authentication part could be made to work with an ipset (see http://www.shorewall.net/ipsets.html), but Shorewall's accounting feature isn't geared for such a large number of accounting 'buckets'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
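
The ipset approach mentioned in the reply above, as an added example that is not part of the original thread or of Shorewall: it replays RADIUS accounting events into the set of addresses that should be allowed, then computes the `ipset restore` input that brings each of two firewalls into line. The set name `paid_users`, the event tuples and the `ipset save` snapshots are constructed assumptions; it covers only the authentication side, not per-user accounting.

```python
import ipaddress

SET_NAME = "paid_users"  # hypothetical set name, not from the thread

def desired_members(events):
    """Replay (Acct-Status-Type, Framed-IP-Address) pairs into the allowed set."""
    active = set()
    for status, ip in events:
        addr = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
        if status == "Start":
            active.add(addr)
        elif status == "Stop":          # logout, or credit exhausted
            active.discard(addr)
        elif status != "Interim-Update":
            raise ValueError(f"unexpected Acct-Status-Type: {status}")
    return active

def parse_ipset_save(text, set_name=SET_NAME):
    """Extract the members of one set from `ipset save` output."""
    members = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "add" and parts[1] == set_name:
            members.add(parts[2])
    return members

def restore_script(current, desired, set_name=SET_NAME):
    """Build `ipset restore` input that turns `current` membership into `desired`."""
    order = ipaddress.ip_address
    lines = [f"create {set_name} hash:ip"]
    lines += [f"del {set_name} {ip}" for ip in sorted(current - desired, key=order)]
    lines += [f"add {set_name} {ip}" for ip in sorted(desired - current, key=order)]
    return "\n".join(lines) + "\n"

# Constructed sample data: accounting events and one snapshot per firewall.
EVENTS = [("Start", "10.1.0.5"), ("Start", "10.1.0.9"),
          ("Interim-Update", "10.1.0.5"), ("Stop", "10.1.0.9"),
          ("Start", "10.1.0.12")]
FW_A = ("create paid_users hash:ip family inet hashsize 1024 maxelem 65536\n"
        "add paid_users 10.1.0.5\nadd paid_users 10.1.0.9\n")
FW_B = ("create paid_users hash:ip family inet hashsize 1024 maxelem 65536\n"
        "add paid_users 10.1.0.12\n")

if __name__ == "__main__":
    want = desired_members(EVENTS)
    for name, snapshot in (("fw-a", FW_A), ("fw-b", FW_B)):
        print(f"# {name}")
        print(restore_script(parse_ipset_save(snapshot), want), end="")
```

Feed each generated script to `ipset -exist restore` on the matching firewall so that the `create` line is ignored when the set already exists.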

Hallo Tom,

> Hopefully, it is your 'programs' that do this monitoring rather than your
> 'programmers'.

:)

>
> I can't recommend Shorewall as a solution in your particular case. The
> authentication part could be made to work with an ipset (see
> http://www.shorewall.net/ipsets.html), but Shorewall's accounting feature
> isn't geared for such a large number of accounting 'buckets'.
>

Thanks. You are saving me a lot of time.

Regards
Johann

--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Therefore being justified by faith, we have peace with God through our Lord Jesus Christ:" Romans 5:1