Jeff Greer
2008-Dec-18 15:30 UTC
Remote user authentication before for full network access
Hi,

I am wondering if there is some built in mechanism for authenticating users so that they can gain full access to the network behind the firewall?

It has been several years since I used Shorewall but find myself in need of it again. When I was using it before I hacked pop-before-smtp to open the full network to users and was wondering if there was a built in way to do this now.

Thanks.

--
Jeff Greer

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/

Robert K Coffman Jr. -Info From Data Corp.
2008-Dec-18 15:53 UTC
Re: Remote user authentication before for full network access
> When I was using it before I hacked pop-before-smtp to open the full network to users and was wondering if there was a built in way to do this now.

This question is not at all clear, but it sounds like you are describing a VPN.

Colin Alston
2008-Dec-18 18:18 UTC
Re: Remote user authentication before for full network access
On 2008/12/18 05:30 PM Jeff Greer wrote:
> Hi,
>
> I am wondering if there is some built in mechanism for authenticating
> users so that they can gain full access to the network behind the
> firewall?
> It has been several years since I used Shorewall but find myself in
> need of it again. When I was using it before I hacked pop-before-smtp
> to open the full network to users and was wondering if there was a
> built in way to do this now.
>

You'll have to do this manually.

What we do that works very nicely is to define a subzone so we have loc and cloc:loc in zones, loc policy is to drop all and cloc policy is to allow all. Squid has a url_rewrite program that does 'shorewall add eth0:whatever cloc' and then they can breakout.

You can obviously replace the squid captive portal system with something to check your pop3 log files or whatever you want.

--
Colin Alston <colin@thusa.co.za>
Linux & Internet Services
Thusa Business Support (Pty) Ltd
Tel: (+27) 031 277 1272
Fax: (+27) 031 277 1269

Shorewall Geek
2008-Dec-18 19:31 UTC
Re: Remote user authentication before for full network access
Colin Alston wrote:
> What we do that works very nicely is to define a subzone so we have loc
> and cloc:loc in zones, loc policy is to drop all and cloc policy is to
> allow all. Squid has a url_rewrite program that does 'shorewall add
> eth0:whatever cloc' and then they can breakout.

Beware that dynamic zones, which are required by 'shorewall add', are no longer supported by Shorewall-perl as of Shorewall 4.2.

Any new application along these lines should be built on ipsets instead.

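One way to build the subzone scheme above on ipsets, added here as an example and not code from any poster or from the Shorewall project. The set name `authed`, the one-hour lease, the `grant` helper and the Shorewall lines in the comments are assumptions, and the `ipset` commands use the current command-line syntax.

```shell
#!/bin/sh
# Added example: grant a client full access by putting its address in an ipset
# that backs the "cloc" subzone. Assumed Shorewall config (check the +ipset
# syntax against shorewall-hosts(5) for your version):
#   zones:   loc       ipv4
#            cloc:loc  ipv4
#   hosts:   cloc  eth0:+authed
#   policy:  cloc  all  ACCEPT
#            loc   all  DROP
SET_NAME=authed          # hypothetical set name
LEASE_SECONDS=3600       # hypothetical lease; entries expire on their own
IPSET=${IPSET:-ipset}    # overridable so the logic can be exercised unprivileged

# Accept only a plain dotted-quad. The address arrives from an authentication
# front end (captive portal, log watcher), so treat it as untrusted input.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Add (or refresh) one client. -exist makes a repeat login reset the timeout
# instead of failing.
grant() {
    valid_ipv4 "$1" || { echo "refusing malformed address" >&2; return 1; }
    "$IPSET" add "$SET_NAME" "$1" timeout "$LEASE_SECONDS" -exist
}

# Usage: script grant <client-ip>   (run as root by the authentication hook)
if [ "${1:-}" = "grant" ]; then
    "$IPSET" create "$SET_NAME" hash:ip timeout "$LEASE_SECONDS" -exist
    grant "${2:-}"
fi
```

Because every entry carries a timeout, a client that stops authenticating drops back to the restrictive `loc` policy without a separate cleanup job.
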
Jeff Greer
2008-Dec-18 19:49 UTC
Re: Remote user authentication before for full network access
Thanks for the heads up. I think the last version I worked with was prior to 4.x. I was using it back when Mr. Eastep almost stopped support/development of Shorewall.

On Thu, Dec 18, 2008 at 1:31 PM, Shorewall Geek <shorewalljunky@comcast.net> wrote:
> Colin Alston wrote:
>
>> What we do that works very nicely is to define a subzone so we have loc
>> and cloc:loc in zones, loc policy is to drop all and cloc policy is to
>> allow all. Squid has a url_rewrite program that does 'shorewall add
>> eth0:whatever cloc' and then they can breakout.
>
> Beware that dynamic zones, which are required by 'shorewall add', are no
> longer supported by Shorewall-perl as of Shorewall 4.2.
>
> Any new application along these lines should be built on ipsets instead.

--
Jeff Greer
http://www.greergan.com