From owner-freebsd-isp@FreeBSD.ORG Mon Feb 13 17:44:00 2006
Message-ID: <43F0C554.6000407@vonostingroup.com>
Date: Mon, 13 Feb 2006 12:43:48 -0500
From: Frank Laszlo
To: Darren Pilgrim
Cc: jeff@norristechs.net, isp@freebsd.org, 'Adam Jacob Muller'
References: <000b01c62e8d$33826d90$672a15ac@smiley>
In-Reply-To: <000b01c62e8d$33826d90$672a15ac@smiley>
Subject: Re: SHOUTCAST AND OTHER MEDIA SERVER. BSD 6 compatible?
List-Id: Internet Services Providers

Darren Pilgrim wrote:
> From: Adam Jacob Muller
>
>> Try symlinking libm.so.4 to libm.so.2,
>>
>
> DO NOT DO THIS! Library version bumps are as significant as major version
> number bumps: the bump is due to some form of reverse-compatibility API/ABI
> breakage. Symlinking over version bumps can produce unpredictable behavior
> and, in the case of a network program, create remote-exploitable bugs.
>
> If symlinking libraries was safe, the compat ports wouldn't install the
> older versions.
>

Exactly. Install the compat ports, or recompile shoutcast from ports.

__________________________________________________
Frank Laszlo
System Administrator
The VonOstin Group
Email: laszlof@tvog.net
WWW: http://www.vonostingroup.com
Mobile: 248-863-7584

From owner-freebsd-isp@FreeBSD.ORG Thu Feb 16 21:15:41 2006
Message-ID: <43F4EB72.5090702@joeholden.co.uk>
Date: Thu, 16 Feb 2006 21:15:30 +0000
From: Joe Holden
To: freebsd-isp@freebsd.org, freebsd-net@freebsd.org
Reply-To: joe@joeholden.co.uk
Subject: (no subject)

Hello list!

Sorry for posting this to both, however I wasn't sure which it applied to.

I'm looking at creating an intrusion detection system, similar to
portsentry, however using bpf/tcpdump to monitor all traffic, without
needing to listen on those ports, it will be run on a border router, and
as such will need to check for incoming packets destined for other
machines too, and blackhole/add ipfw rules as needed. Are there any
tools like this currently available, or a number of tools I can put
together to create something like this?

-- 
With thanks,

Joe Holden
Freelance Network Engineer / Consultant
FreeBSD Port Maintainer
http://www.joeholden.co.uk

Pub Key: http://www.joeholden.co.uk/pubkey.asc
Contact: Finger me!

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 00:07:00 2006
Message-ID: <43F51396.5000302@mac.com>
Date: Thu, 16 Feb 2006 19:06:46 -0500
From: Chuck Swiger
To: joe@joeholden.co.uk
Cc: freebsd-isp@freebsd.org, freebsd-net@freebsd.org
References: <43F4EB72.5090702@joeholden.co.uk>
In-Reply-To: <43F4EB72.5090702@joeholden.co.uk>
Subject: Re: (no subject)

Joe Holden wrote:
[ ... ]
> I'm looking at creating an intrusion detection system, similar to
> portsentry, however using bpf/tcpdump to monitor all traffic, without
> needing to listen on those ports, it will be run on a border router, and
> as such will need to check for incoming packets destined for other
> machines too, and blackhole/add ipfw rules as needed. Are there any
> tools like this currently available, or a number of tools I can put
> together to create something like this?

Check out /usr/ports/net/honeyd and the Honeynet project...

-- 
-Chuck

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 09:28:18 2006
Date: Fri, 17 Feb 2006 09:09:22 -0500
From: "MailScanner"
To: freebsd-isp@freebsd.org
Subject: Warning: E-mail viruses detected

Our e-mail content detector has just been triggered by a message you sent:

  To: rmsg@africaonline.com.gh
  Subject: Mail Delivery (failure)
  Date: Fri Feb 17 09:09:22 2006

One or more of the attachments (email.txt .exe) are on the list of
unacceptable attachments for this site and will not have been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (email.txt .exe)

-- 
MailScanner
Email Virus Scanner
Africa Online Ghana Ltd.
www.africaonline.com.gh
MailScanner thanks transtec Computers for their support

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 16:29:33 2006
Message-ID: <20060217162927.GA23261@ns2.wananchi.com>
Date: Fri, 17 Feb 2006 19:29:27 +0300
From: Odhiambo Washington
To: freebsd-isp@freebsd.org
Subject: walled garden concept

Hiya,

Does anyone know of any tutorials for setting up a "walled garden"?
I work for an ISP and we'd like to allow a specific dialup account
Free Access via our RADIUS, but we want to limit this user to access
just three or so urls: Our customer {registration|renewal|webselfcare}
interfaces only.

I am looking for ideas on how this is done. I suppose it's done on the
NAS, yes?

TIA

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

-- 
+======================================================================+
|\ _,,,---,,_ | Odhiambo Washington
Zzz /,`.-'`' -. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com
|,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922
'---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121
+======================================================================+

There is nothing wrong with Southern California that a rise in the
ocean level wouldn't cure.
		-- Ross MacDonald

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 17:07:43 2006
Date: Fri, 17 Feb 2006 17:07:34 +0000
From: Siraj 'Sid' Rakhada
To: Odhiambo Washington, freebsd-isp@freebsd.org
In-Reply-To: <20060217162927.GA23261@ns2.wananchi.com>
References: <20060217162927.GA23261@ns2.wananchi.com>
Subject: Re: walled garden concept

Hello Wash,

On 17/02/06, Odhiambo Washington wrote:

> Does anyone know of any tutorials for setting up a "walled garden"?
> I work for an ISP and we'd like to allow a specific dialup account
> Free Access via our RADIUS, but we want to limit this user to access
> just three or so urls: Our customer {registration|renewal|webselfcare}
> interfaces only.
>
> I am looking for ideas on how this is done. I suppose it's done on the
> NAS, yes?

What equipment do you use for the dial-up end? I'm not sure how to do
this on FreeBSD per se, but you can do this kind of solution on Cisco
+ RADIUS by sending an av-pair which says to the Cisco 'apply this
access-list' to the virtual interface when the user logs on.

Does this sound like the kind of solution you want?

It's been a long long time since I last configured this kind of thing though!

Regards,

Sid

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 17:55:30 2006
Message-ID: <8eea04080602170955u6d0875c0n125024190bab1c0@mail.gmail.com>
Date: Fri, 17 Feb 2006 09:55:26 -0800
From: Jon Simola
To: freebsd-isp@freebsd.org
In-Reply-To: <20060217162927.GA23261@ns2.wananchi.com>
References: <20060217162927.GA23261@ns2.wananchi.com>
Subject: Re: walled garden concept

On 2/17/06, Odhiambo Washington wrote:

> Does anyone know of any tutorials for setting up a "walled garden"?
> I work for an ISP and we'd like to allow a specific dialup account
> Free Access via our RADIUS, but we want to limit this user to access
> just three or so urls: Our customer {registration|renewal|webselfcare}
> interfaces only.

Configure RADIUS to assign the account an IP from a private range.
Then you can redirect any/all http requests to wherever you want.

> I am looking for ideas on how this is done. I suppose it's done on the
> NAS, yes?

It could be done in several ways. If your access server supports local
user tables (I've only ever used Livingston/Lucent Portmasters, which
do) then it could all be done on the access server. Otherwise, it's
some minor network glue to make it work between RADIUS, DNS and
webservers.

-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 20:03:28 2006
Message-ID: <20060217200318.GC10377@ns2.wananchi.com>
Date: Fri, 17 Feb 2006 23:03:18 +0300
From: Odhiambo Washington
To: freebsd-isp@freebsd.org
References: <20060217162927.GA23261@ns2.wananchi.com>
Subject: Re: walled garden concept

* On 17/02/06 17:07 +0000, Siraj 'Sid' Rakhada wrote:
> Hello Wash,
>
> On 17/02/06, Odhiambo Washington wrote:
>
> > Does anyone know of any tutorials for setting up a "walled garden"?
> > I work for an ISP and we'd like to allow a specific dialup account
> > Free Access via our RADIUS, but we want to limit this user to access
> > just three or so urls: Our customer {registration|renewal|webselfcare}
> > interfaces only.
> >
> > I am looking for ideas on how this is done. I suppose it's done on the
> > NAS, yes?
>
> What equipment do you use for the dial-up end? I'm not sure how to do
> this on FreeBSD per se, but you can do this kind of solution on Cisco
> + RADIUS by sending an av-pair which says to the Cisco 'apply this
> access-list' to the virtual interface when the user logs on.
>
> Does this sound like the kind of solution you want?
>
> It's been a long long time since I last configured this kind of thing though!

That is like what I want, though I am not any familiar with what it is
that I want ;-)

Let me expound:

I simply have three sites:

http://{site2|site2|site3}.ourdomain.name

We use Cisco eqpt for NAS, and a RADIUS server.

site1, site2 and site3 are meant to allow customers to register for,
renew or manage the service they have purchased from us. A customer
only gets a card that has a serial number and a PIN from our system.
This allows them to sign up for or renew a service they already have.
The last site allows them the luxury to manage the service.

I am foreseeing a situation where I have a new 'customer' or one whose
service expired. I want these two to be able to dialin to my NASes for
free, but only get access to site1, site2 or site3. Everything else is
blocked, until they dialin with the name they are paying for. I will
give them a common userid/passwd pair for this purpose.

Now what I learnt was that the concept is called "walled garden".

Your instructions (or Read This F Manual) to do this are welcome.

PS: I have rcvd some pointers off list, but I need more ideas, really.

TIA

-Wash

"I cannot and will not cut my conscience to fit this year's fashions."
		-- Lillian Hellman

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 21:12:34 2006
Message-Id: <20060217211117.449dc50a.lists@yazzy.org>
Date: Fri, 17 Feb 2006 21:11:17 +0000
From: Marcin Jessa
To: Odhiambo Washington
Cc: freebsd-isp@freebsd.org
In-Reply-To: <20060217162927.GA23261@ns2.wananchi.com>
References: <20060217162927.GA23261@ns2.wananchi.com>
Subject: Re: walled garden concept

On Fri, 17 Feb 2006 19:29:27 +0300
Odhiambo Washington wrote:

> Hiya,
>
> Does anyone know of any tutorials for setting up a "walled garden"?
> I work for an ISP and we'd like to allow a specific dialup account
> Free Access via our RADIUS, but we want to limit this user to access
> just three or so urls: Our customer {registration|renewal|webselfcare}
> interfaces only.
>
> I am looking for ideas on how this is done. I suppose it's done on the
> NAS, yes?

How will the users connect? Using DHCP to get their IPs or PPPoE?
You may take a look at pfsense.com which is free and has a walled garden solution
or www.mikrotik.com which is not free but has a pretty damn good implementation
of what you want plus commercial atheros drivers and much more.

Marcin

From owner-freebsd-isp@FreeBSD.ORG Fri Feb 17 21:41:27 2006
Message-ID: <20060217214123.GG10377@ns2.wananchi.com>
Date: Sat, 18 Feb 2006 00:41:23 +0300
From: Odhiambo Washington
To: freebsd-isp@freebsd.org
References: <20060217162927.GA23261@ns2.wananchi.com> <20060217211117.449dc50a.lists@yazzy.org>
In-Reply-To: <20060217211117.449dc50a.lists@yazzy.org>
Subject: Re: walled garden concept

* On 17/02/06 21:11 +0000, Marcin Jessa wrote:
> On Fri, 17 Feb 2006 19:29:27 +0300
> Odhiambo Washington wrote:
>
> > Hiya,
> >
> > Does anyone know of any tutorials for setting up a "walled garden"?
> > I work for an ISP and we'd like to allow a specific dialup account
> > Free Access via our RADIUS, but we want to limit this user to access
> > just three or so urls: Our customer {registration|renewal|webselfcare}
> > interfaces only.
> >
> > I am looking for ideas on how this is done. I suppose it's done on the
> > NAS, yes?
>
> How will the users connect? Using DHCP to get their IPs or PPPoE?

I will let them use just a single username to connect. This username is
allowed concurrent connections though.

> You may take a look at pfsense.com which is free and has a walled garden solution

I have played just a bit with pfsense, but my cards gave me headache.
I'll look again just for the ideas.

> or www.mikrotik.com which is not free but has a pretty damn good implementation

We have Mikrotik hardware/software. I had mentioned this to our network
engineers, but I guess they just decided to be lazy then, no?

> of what you want plus commercial atheros drivers and much more.

I want a simple Open Source implementation.

Thanks. Ideas have been coming at a very good pace. I am grateful to
this list!

-Wash

Malek's Law:
	Any simple idea will be worded in the most complicated way.

From owner-freebsd-isp@FreeBSD.ORG Sat Feb 18 01:30:29 2006
Date: Sat, 18 Feb 2006 01:30:27 +0000
From: "Siraj 'Sid' Rakhada"
To: "Odhiambo Washington", freebsd-isp@freebsd.org
In-Reply-To: <20060217200318.GC10377@ns2.wananchi.com>
References: <20060217162927.GA23261@ns2.wananchi.com> <20060217200318.GC10377@ns2.wananchi.com>
Subject: Re: walled garden concept

On 17/02/06, Odhiambo Washington wrote:

> I am foreseeing a situation where I have a new 'customer' or one whose
> service expired. I want these two to be able to dialin to my NASes for
> free, but only get access to site1, site2 or site3. Everything else is
> blocked, until they dialin with the name they are paying for. I will
> give them a common userid/passwd pair for this purpose.

This is exactly the kind of thing I've done a long time ago ('98 or
so)! It was basically so that people could sign up via a signup CD-ROM
:-)

> Your instructions (or Read This F Manual) to do this are welcome.

I hope the following links will point you onto the right track:

This is the kind of system that I used:
http://puck.nether.net/pipermail/cisco-bba/2004-May/000247.html

Cisco's own docs for that system:
http://www.cisco.com/warp/public/480/radius_ACL1.html

I've not done the style described in the url below, but it seems a
similar solution, but with more work on the RADIUS server end:
http://puck.nether.net/pipermail/cisco-bba/2004-May/000247.html

Oh, one tip I will give - don't forget to allow DNS traffic through ;-)

This isn't really a FreeBSD issue as such, so I've tried to keep it
brief as I'm not sure if it's on topic or not.
Hope it helps,
Sid

From owner-freebsd-isp@FreeBSD.ORG Sat Feb 18 16:15:45 2006
Date: Sat, 18 Feb 2006 16:15:38 +0000
From: Brian Candler
To: Odhiambo Washington
Message-ID: <20060218161538.GA43836@uk.tiscali.com>
References: <20060217162927.GA23261@ns2.wananchi.com> <20060217200318.GC10377@ns2.wananchi.com>
In-Reply-To: <20060217200318.GC10377@ns2.wananchi.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: walled garden concept

On Fri, Feb 17, 2006 at 11:03:18PM +0300, Odhiambo Washington wrote:
> I am foreseeing a
> situation where I have a new 'customer' or one whose
> service expired. I want these two to be able to dialin to my NASes for
> free, but only get access to site1, site2 or site3. Everything else is
> blocked, until they dialin with the name they are paying for. I will
> give them a common userid/passwd pair for this purpose.
>
> Now what I learnt was that the concept is called "walled garden".

A more sophisticated 'walled garden' will transparently redirect all web
accesses to your payment page. That is, if a user tries to go to
www.cnn.com, instead of just getting a blank screen followed after a few
minutes by a timeout, they immediately get a page of your choosing.

Typical way to implement this is with a FreeBSD box running as a router
which forwards port 80 to a squid cache, configured to serve the same page
regardless of the incoming URL.

In order to select which users are "inside the walled garden" and which
have full Internet access, you can create two IP address pools on your NAS,
and select (via RADIUS) which pool the user is assigned an address from.
The firewall rules match on the source IP address, so that one pool is
unfiltered, and the other pool has everything blocked except DNS (UDP port
53) to/from your DNS caches, and port 80 redirected to your squid.

For very large installations, you'd use L2TP from your NASes to your LNS,
and then either have separate pools on each LNS, or forward the L2TP
session to another LNS which is inside your walled garden.

HTH,

Brian.
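
The source-address policy described in the message above (DNS to your own caches, port 80 handed to squid, everything else from the restricted pool dropped), written out as an ipfw ruleset. This is an added example, not part of the original thread: the pool range, DNS cache addresses, interface name, squid address and port, and rule numbers are all assumptions, and the choice of ipfw is also an assumption since the thread names no firewall.

```shell
#!/bin/sh
# Added example (not from the thread): prints an ipfw ruleset for the
# two-pool walled garden. Every address, the interface name, the squid
# port and the rule numbers are assumptions; substitute your own.

GARDEN_POOL="10.66.0.0/24"          # pool RADIUS hands to unpaid/expired logins
DNS_CACHES="192.0.2.53 192.0.2.54"  # your own resolvers (constructed addresses)
SQUID="127.0.0.1,3128"              # squid on this router, intercepting port 80
NAS_IF="em1"                        # interface facing the NASes
FIRST_RULE=1000

# Emit the rules in evaluation order. ipfw stops at the first match, so the
# allow and fwd rules must carry lower numbers than the final deny.
garden_rules() {
    n=$FIRST_RULE
    # 1. DNS (UDP 53) only to the ISP's own caches; without this the user's
    #    browser never resolves a name and never reaches the payment page.
    for dns in $DNS_CACHES; do
        echo "ipfw add $n allow udp from $GARDEN_POOL to $dns dst-port 53 in via $NAS_IF"
        n=$((n + 10))
    done
    # 2. Any web request, whatever its destination, is handed to squid.
    echo "ipfw add $n fwd $SQUID tcp from $GARDEN_POOL to any dst-port 80 in via $NAS_IF"
    n=$((n + 10))
    # 3. Everything else sourced from the garden pool is dropped. Addresses
    #    from the paying pool match none of these rules and fall through.
    echo "ipfw add $n deny ip from $GARDEN_POOL to any in via $NAS_IF"
}

# Dry run: print the commands. On the router, review them and pipe to sh.
garden_rules
```

The `fwd` action needs forwarding support in the kernel (on FreeBSD 6, a kernel built with `options IPFIREWALL_FORWARD`), and squid must be set up separately to accept intercepted requests and answer every URL with the payment page.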