From: Erik Norgaard
Date: Sun, 04 Feb 2007 22:51:58 +0100
To: Noah
Cc: freebsd-questions@freebsd.org
Subject: Re: temporary IP addition to firewall rules
Message-ID: <45C6557E.9020207@locolomo.org>
In-Reply-To: <45C62301.2090106@enabled.com>

Noah wrote:
> the servers and clients are not on the same LAN segment. capturing MAC
> has nothing to do with this scenario.

You haven't exactly told a lot about the network you want to set up.
The logical thing is to authenticate against the firewall connected to the same subnet, and that will know the MAC address. The same setup is assumed in the scenario using pfauth (or is it authpf). Also, unless you are going to give a lot of instructions to people on how to configure their network, you will have a DHCP server on the same subnet. Why not let that also do the web service for user management?

You haven't told either how people connect. Is it wireless or wired? Some access points support that people authenticate with WPA+something and the access point will verify against a RADIUS server. And there are other possibilities depending on your setup.

But whichever way you set up your network, I think the best solution is if people establish an IPSec tunnel to the firewall, such that all traffic not destined for the local subnet must be tunneled through that. This gives you maximum control: you can even set up your firewall so that traffic coming in on an IPSec tunnel is also filtered.
Cheers, Erik
--
Ph: +34.666334818
web: http://www.locolomo.org
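As an added illustration of the design Erik outlines (not code from the message or from any FreeBSD project file), the pf.conf sketch below lets clients on the local subnet obtain a DHCP lease and bring up an IPsec tunnel to the firewall, forwards nothing from that subnet in the clear, filters the decrypted tunnel traffic on enc0, and leaves an anchor for authpf to load per-user rules into. Interface names, the subnet, the firewall address and the permitted services are assumptions chosen for illustration; it also assumes a FreeBSD firewall with pf, the enc(4) interface and authpf available.

```pf
# Added example: pf.conf sketch of "everything off-subnet goes through an
# IPsec tunnel to the firewall, and the tunnel is filtered too".
# Interface names, addresses and allowed services are assumed values.
ext_if  = "em0"              # uplink (assumed)
int_if  = "em1"              # subnet the clients sit on (assumed)
lan_net = "192.168.1.0/24"   # assumed client subnet
fw_lan  = "192.168.1.1"      # firewall's address on that subnet (assumed)

set skip on lo0

# Default deny. pf evaluates all rules and the last match wins (unless
# "quick"), so the specific "pass" rules below override this one.
block log all

# Clients may talk to the firewall itself on the local subnet only:
# DHCP so they get an address without manual configuration ...
pass in on $int_if proto udp from any port 68 to any port 67
# ... and IKE (500, NAT-T 4500) plus ESP to establish the IPsec tunnel.
pass in on $int_if proto udp from $lan_net to $fw_lan port { 500, 4500 }
pass in on $int_if proto esp from $lan_net to $fw_lan

# Nothing from the subnet is forwarded in the clear: a client that has
# not brought up its tunnel cannot reach anything beyond the firewall.
block in log on $int_if from $lan_net to ! $lan_net

# Decrypted tunnel traffic reappears on enc0 and is filtered there, so
# having a tunnel does not mean having unrestricted access. Here only
# web and DNS are permitted (assumed policy).
pass in on enc0 proto tcp from $lan_net to any port { 80, 443 } keep state
pass in on enc0 proto udp from $lan_net to any port 53 keep state

# Let the permitted, stateful traffic leave on the uplink.
pass out on $ext_if from $lan_net to any keep state

# authpf installs each authenticated user's rules into this anchor when
# they log in over ssh and removes them again when the session ends.
anchor "authpf/*"
```

The order matters: because pf's last matching rule wins, the broad `block` rules sit first and the narrow `pass` rules after them, so a tunnel that is up still only carries the services listed on enc0. Load it with `pfctl -nf /etc/pf.conf` first to check the syntax before `pfctl -f /etc/pf.conf`.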