Date: Sun, 04 Feb 2007 22:51:58 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: Noah <admin2@enabled.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: temporary IP addition to firewall rules
Message-ID: <45C6557E.9020207@locolomo.org>
In-Reply-To: <45C62301.2090106@enabled.com>
References: <45C53C7A.30805@enabled.com> <45C5C291.30608@locolomo.org> <45C62301.2090106@enabled.com>
Noah wrote:
> the servers and clients are not on the same LAN segment. capturing MAC
> has nothing to do with this scenario.

You haven't exactly told a lot about the network you want to set up. The logical thing is to authenticate against the firewall connected to the same subnet - and that will know the MAC address. The same setup is assumed in the scenario using pfauth (or is it authpf).

Also, unless you are going to give a lot of instructions to people on how to configure their network, you will have a DHCP server on the same subnet - why not let that also do the web service for user management?

You haven't told either how people connect - is it wireless or wired? Some access points support that people authenticate with WPA+something and the access point will verify against a RADIUS server. And there are other possibilities depending on your setup.

But whichever way you set up your network, I think the best solution is if people establish an IPSec tunnel to the firewall, such that all traffic not destined for the local subnet must be tunneled through that. This gives you maximum control - you can even set up your firewall so that traffic coming in on an IPSec tunnel is also filtered.

Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
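The two mechanisms Erik points at, authpf(8) for the "temporary IP addition" and filtering traffic after it leaves the IPsec tunnel, both end up as pf.conf rules. The fragment below is an added illustration, not from the thread or from either poster: interface names (em0, em1), the client and tunnel address ranges, and the assumption that the firewall has an enc(4) interface on which decrypted IPsec traffic reappears are all mine. authpf(8) itself loads /etc/authpf/authpf.rules into an anchor named "authpf/<user>(<pid>)" for the lifetime of the user's SSH session and flushes it when the session ends, which is what makes the per-user pass rule temporary without anyone editing pf.conf.

```pf
# /etc/pf.conf (fragment) - added example; interfaces and address ranges are assumptions.
ext_if     = "em0"              # Internet-facing interface (assumed)
int_if     = "em1"              # interface on the clients' subnet (assumed)
client_net = "192.168.1.0/24"   # clients' subnet (assumed)
tunnel_net = "10.10.0.0/24"     # inner addresses of IPsec clients (assumed)

set skip on lo0

# Default deny: nothing crosses the firewall unless a rule below allows it.
block log all

# Clients may reach the firewall itself: DHCP, SSH (where authpf is the login shell)
# and the user-management web page Erik suggests co-locating with the DHCP server.
pass in on $int_if inet proto udp from $client_net port bootpc to any port bootps
pass in on $int_if inet proto tcp from $client_net to ($int_if) port { ssh, https } keep state

# authpf(8) inserts each authenticated user's rules here and removes them on logout.
# A typical /etc/authpf/authpf.rules is a single line using the macros authpf sets:
#   pass in quick on $int_if from $user_ip to any keep state
anchor "authpf/*"

# IPsec from remote hosts: only IKE (500/udp), NAT-T (4500/udp) and ESP may reach the
# firewall from the outside; everything else hits the default block.
pass in on $ext_if inet proto udp from any to ($ext_if) port { isakmp, ipsec-nat-t } keep state
pass in on $ext_if inet proto esp from any to ($ext_if)

# After decryption the inner packets show up on enc0 (enc(4), assumed present), so they
# are filtered a second time: only the tunnel's inner addresses may be forwarded.
pass in on enc0 inet from $tunnel_net to any keep state

# Forwarded traffic that has passed the rules above may leave via the outside interface.
pass out on $ext_if inet keep state
```

A quick check after loading the rules: `pfctl -sA` lists the anchors, and while a user is logged in through authpf, `pfctl -a 'authpf/<user>(<pid>)' -sr` shows the rules that were added for that session and that disappear when the SSH connection closes.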
