From: Noah <admin2@enabled.com>
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Date: Sun, 04 Feb 2007 18:01:05 -0800
Subject: Re: temporary IP addition to firewall rules
Message-ID: <45C68FE1.1030107@enabled.com>
In-Reply-To: <45C6557E.9020207@locolomo.org>

Erik Norgaard wrote:
> Noah wrote:
>
>> The servers and clients are not on the same LAN segment. Capturing
>> MAC has nothing to do with this scenario.
>
> You haven't exactly told a lot about the network you want to set up.
> The logical thing is to authenticate against the firewall connected to
> the same subnet - and that will know the MAC address. The same setup
> is assumed in the scenario using pfauth (or is it authpf).

A lot of assumptions that are incorrect. The firewall is running as part of FreeBSD; there is no edge firewall device on the LAN segment. Your ideas will not work for my scenario.

> Also, unless you are going to give a lot of instructions to people on
> how to configure their network, you will have a DHCP server on the
> same subnet - why not let that also do the web service for user
> management?
>
> You haven't told either how people connect - is it wireless or wired?
> Some access points support that people authenticate with WPA+something and
> the access point will verify against a RADIUS server. And there are
> other possibilities depending on your setup.
>
> But whichever way you set up your network, I think the best solution is
> if people establish an IPSec tunnel to the firewall, such that all
> traffic not destined for the local subnet must be tunneled through
> that. This gives you maximum control - you can even set up your
> firewall so that traffic coming in on an IPSec tunnel is also filtered.
>
> Cheers, Erik