Date: Fri, 14 Mar 2003 10:34:08 -0600
From: "Mark Johnston" <mjohnston@skyweb.ca>
To: "'Tracy, John'" <tracy@covenant.edu>
Cc: "'Dan Mahoney, System Admin'" <danm@prime.gushi.org>, <isp@freebsd.org>
Subject: Re: DNS Proxying based on source address
Message-ID: <005001c2ea47$895398d0$be0fa8c0@MJOHNSTON>
In-Reply-To: <AB08C89FDA3A6246B59C84D1C8DBCCD82D6B2F@wycliffe.covenant.edu>
Tracy, John wrote:
> It would be nice to implement such a system with some sort of
> expiring... such as ten minutes of inactivity or some
> variable like that. Would you use the counters in IPFW
> somehow to count... or something? We're trying to do just the
> same thing with a new wireless LAN we're installing for
> students... IE students boot up, get an IP. No matter what
> URL they try to access, they get a registration page to which
> they must authenticate. Upon authenticating, their
> workstation is allowed access out through the gateway (or
> IPFW box). Then, after some period of inactivity, or a power
> off that registration is automatically killed and to get back
> online, they must reauthenticate.

Yes, you could easily do exactly that. No need to worry about counters,
though; try ipfw -t show. The dates are the last time the rule was
matched. Just check it from cron with the granularity you want, and
remove the rule if the date's too old.

> There's a commercial product called BlueSocket which does
> this. It costs $7500 for their basic box... but doesn't offer
> any real benefits over the scenario above--and it's limited
> to 100 active registrations.

I'm not sure I'd say that it offers no benefits. Bluesocket claims to
implement IPSec and PPTP along with authentication, whereas in the scheme
I described there is essentially no security at all. Of course, you could
implement a secure scheme using encryption and authentication with a
little more effort. Whether that much effort is worthwhile is up to your
particular situation.

Mark

>
> -John
>
> > It sounds like transparent "proxying" is exactly what you want. Here's
> > my take on a solution for you - some parts of it I've tested for a
> > similar scheme, some parts are speculation.
> >
> > First off, please reread the paragraph of ipfw(8) starting with "fwd
> > ipaddr[,port]", just for reference.
> >
> > I'd start with an ipfw rule like the following, on the gateway:
> >
> > ipfw add 65000 fwd $GATEWAY tcp from $INTERNAL to any
> >
> > That grabs all incoming TCP traffic and redirects it to your own box.
> > This part I've tested before, in conjunction with Apache - any web
> > request, no matter the destination IP, will get a response from your
> > httpd. Other TCP traffic will hit your box and receive a RST or no
> > response, depending on your firewall rules. If you want to get fancy,
> > you can listen for other protocols and send custom messages.
> >
> > Once you've got that rule into place, it's pretty straightforward to add
> > rules to allow/NAT/whatever traffic on an IP-by-IP basis for hosts that
> > you want to let out:
> >
> > ipfw add 64900 allow tcp from $REGISTERED_IP to any
> >
> > and so on.
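A cron-driven expiry pass of the kind Mark describes, as an added example that is not from anyone in the thread: it parses the output of ipfw -t show, treats the last-match date as the host's last activity, and deletes per-host allow rules idle for longer than ten minutes. It assumes the ctime-style timestamp layout of ipfw -t show, that registered-host rules are numbered 64000-64999 (below the fwd catch-all at 65000), and uses a constructed sample of the show output so it can be tried offline; Python is used rather than sh so the timestamp arithmetic does not depend on which date(1) is installed.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Assumption: registered-host allow rules are numbered in this range, below the fwd catch-all.
REGISTERED_RANGE = (64000, 64999)
IDLE_LIMIT = timedelta(minutes=10)

# Assumed ipfw -t show line shape: "<num> <pkts> <bytes> [<ctime stamp>] <rule body>";
# a rule that has never matched prints blanks where the timestamp would be.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+\d+\s+\d+\s+"
    r"(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})?\s*"
    r"(?P<body>\S.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample of ipfw -t show output, so the parser can be exercised offline.
SAMPLE_SHOW = """\
00100       0          0                          allow ip from any to any via lo0
64900      42       3120 Fri Mar 14 10:12:33 2003 allow tcp from 192.168.1.50 to any
64901     317     201455 Fri Mar 14 10:30:01 2003 allow tcp from 192.168.1.51 to any
64902       0          0                          allow tcp from 192.168.1.52 to any
65000    9001     612000 Fri Mar 14 09:00:00 2003 fwd 192.168.1.1 tcp from 192.168.1.0/24 to any
"""


def stale_rules(show_output, now, idle_limit=IDLE_LIMIT, rule_range=REGISTERED_RANGE):
    """Return the rule numbers in rule_range whose last match is older than idle_limit."""
    stale = []
    for line in show_output.splitlines():
        m = LINE_RE.match(line)
        if not m or not rule_range[0] <= int(m.group("num")) <= rule_range[1]:
            continue
        if m.group("ts") is None:
            continue  # never matched: no date to age, so leave it for a later pass
        if now - datetime.strptime(m.group("ts"), TS_FMT) > idle_limit:
            stale.append(int(m.group("num")))
    return stale


def expire(apply=False):
    # Run from cron at the granularity you want; only deletes when apply=True.
    out = subprocess.run(["ipfw", "-t", "show"], capture_output=True, text=True, check=True).stdout
    for num in stale_rules(out, datetime.now()):
        print("expiring rule", num)
        if apply:
            subprocess.run(["ipfw", "delete", str(num)], check=True)
```

A rule that has never matched carries no date, so it is left alone here; a registration process that records the time it added each rule could age those too.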