Shorewall users - Dec 2008 - Remote user authentication before for full network access

Hi,

I am wondering if there is some built in mechanism for authenticating
users so that they can gain full access to the network behind the
firewall?
It has been several years since I used Shorewall but find myself in
need of it again. When I was using it before I hacked pop-before-smtp
to open the full network to users and was wondering if there was a
built in way to do this now.

Thanks.

-- 
Jeff Greer

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can''t happen without you.  Join us at MIX09 to
help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/

> When I was using it before I hacked pop-before-smtp
to open the full network to users and was wondering if there was a
built in way to do this now.

This question is not at all clear, but it sounds like you are describing a
VPN.


------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can''t happen without you.  Join us at MIX09 to
help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/

On 2008/12/18 05:30 PM Jeff Greer wrote:
> Hi,
>
> I am wondering if there is some built in mechanism for authenticating
> users so that they can gain full access to the network behind the
> firewall?
> It has been several years since I used Shorewall but find myself in
> need of it again. When I was using it before I hacked pop-before-smtp
> to open the full network to users and was wondering if there was a
> built in way to do this now.
>   
You''ll have to do this manually.

What we do that works very nicely is to define a subzone so we have loc 
and cloc:loc in zones, loc policy is to drop all and cloc policy is to 
allow all. Squid has a url_rewrite program that does ''shorewall add 
eth0:whatever cloc'' and then they can breakout. You can obviously 
replace the squid captive portal system with something to check your 
pop3 log files or whatever you want.

-- 
Colin Alston <colin@thusa.co.za>
Linux & Internet Services
Thusa Business Support (Pty) Ltd
Tel:  (+27) 031 277 1272
Fax:  (+27) 031 277 1269


------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can''t happen without you.  Join us at MIX09 to
help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/

Colin Alston wrote:
> What we do that works very nicely is to define a subzone so we have loc 
> and cloc:loc in zones, loc policy is to drop all and cloc policy is to 
> allow all. Squid has a url_rewrite program that does ''shorewall
add
> eth0:whatever cloc'' and then they can breakout.
Beware that dynamic zones, which are required by ''shorwall
add'', are no
longer supported by Shorewall-perl as of Shorewall 4.2.

Any new application along these lines should be built on ipsets instead.

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can''t happen without you.  Join us at MIX09 to
help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/

Thanks for the heads up. I think the last version of worked with was
prior to 4.x.
I was using it back when the Mr. Eastep almost stop
support/development Shorewall.

On Thu, Dec 18, 2008 at 1:31 PM, Shorewall Geek
<shorewalljunky@comcast.net> wrote:
> Colin Alston wrote:
>
>> What we do that works very nicely is to define a subzone so we have loc
>> and cloc:loc in zones, loc policy is to drop all and cloc policy is to
>> allow all. Squid has a url_rewrite program that does
''shorewall add
>> eth0:whatever cloc'' and then they can breakout.
>
> Beware that dynamic zones, which are required by ''shorwall
add'', are no
> longer supported by Shorewall-perl as of Shorewall 4.2.
>
> Any new application along these lines should be built on ipsets instead.
>
>
------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can''t happen without you.  Join us at MIX09
to help
> pave the way to the Next Web now. Learn more and register at
>
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-- 
Jeff Greer
http://www.greergan.com

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can''t happen without you.  Join us at MIX09 to
help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/