From owner-freebsd-isp Fri Mar 14 8:28:42 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D907537B401 for ; Fri, 14 Mar 2003 08:28:39 -0800 (PST)
Received: from skyweb.ca (smtp-1.vancouver.ipapp.com [216.152.192.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3566443FA3 for ; Fri, 14 Mar 2003 08:28:39 -0800 (PST) (envelope-from mjohnston@skyweb.ca)
Received: from mjohnston ([209.5.243.50]) by smtp-1.vancouver.ipapp.com ; Fri, 14 Mar 2003 08:28:34 -0800
From: "Mark Johnston"
To: "'Tracy, John'"
Cc: "'Dan Mahoney, System Admin'"
Subject: Re: DNS Proxying based on source address
Date: Fri, 14 Mar 2003 10:34:08 -0600
Message-ID: <005001c2ea47$895398d0$be0fa8c0@MJOHNSTON>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Tracy, John wrote:
> It would be nice to implement such a system with some sort of
> expiring... such as ten minutes of inactivity or some
> variable like that. Would you use the counters in IPFW
> somehow to count... or something? We're trying to do just the
> same thing with a new wireless LAN we're installing for
> students... i.e. students boot up, get an IP. No matter what
> URL they try to access, they get a registration page to which
> they must authenticate. Upon authenticating, their
> workstation is allowed access out through the gateway (or
> IPFW box). Then, after some period of inactivity, or a power
> off, that registration is automatically killed and to get back
> online, they must reauthenticate.

Yes, you could easily do exactly that.

No need to worry about counters, though; try ipfw -t show. The dates are
the last time the rule was matched. Just check it from cron with the
granularity you want, and remove the rule if the date's too old.

> There's a commercial product called BlueSocket which does
> this. It costs $7500 for their basic box... but doesn't offer
> any real benefits over the scenario above--and it's limited
> to 100 active registrations.

I'm not sure I'd say that it offers no benefits. Bluesocket claims to
implement IPSec and PPTP along with authentication, whereas in the scheme
I described there is essentially no security at all. Of course, you could
implement a secure scheme using encryption and authentication with a
little more effort. Whether that much effort is worthwhile is up to your
particular situation.

Mark

>
> -John
>
> > It sounds like transparent "proxying" is exactly what you want. Here's
> > my take on a solution for you - some parts of it I've tested for a
> > similar scheme, some parts are speculation.
> >
> > First off, please reread the paragraph of ipfw(8) starting with "fwd
> > ipaddr[,port]", just for reference.
> >
> > I'd start with an ipfw rule like the following, on the gateway:
> >
> > ipfw add 65000 fwd $GATEWAY tcp from $INTERNAL to any
> >
> > That grabs all incoming TCP traffic and redirects it to your own box.
> > This part I've tested before, in conjunction with Apache - any web
> > request, no matter the destination IP, will get a response from your
> > httpd. Other TCP traffic will hit your box and receive a RST or no
> > response, depending on your firewall rules. If you want to get fancy,
> > you can listen for other protocols and send custom messages.
> >
> > Once you've got that rule into place, it's pretty straightforward to add
> > rules to allow/NAT/whatever traffic on an IP-by-IP basis for hosts that
> > you want to let out:
> >
> > ipfw add 64900 allow tcp from $REGISTERED_IP to any
> >
> > and so on.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
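The cron-driven expiry Mark sketches above (read ipfw's last-match timestamps, delete the per-host allow rules that have gone idle) written out as a script. This is an added example, not code posted by anyone in the thread. It assumes that per-host rules live in the number range 64000-64999 (the thread's example used 64900), that each is a plain "allow" rule, and that the listing comes from `ipfw -T show`, whose -T flag prints the last-match time as seconds since the epoch (the thread's `ipfw -t show` prints a human-readable date instead, which is awkward to compare in a script). The sample listing and its timestamps are constructed; the cron path is an assumption.

```shell
#!/bin/sh
# Expire idle captive-portal "allow" rules by their last-match timestamp.
# Constructed example for this thread, not code posted in it.
# Assumptions (not from the thread):
#   - per-host rules are numbered 64000-64999 and are plain "allow ..."
#     rules, one per registered IP;
#   - the listing is the output of `ipfw -T show`, whose fields are
#     "rule pkts bytes epoch action ...", and a rule that has never
#     matched is printed with a timestamp of 0.

# expire_rules NOW MAX_IDLE [LO HI]
# Reads the listing on stdin and prints the numbers of allow rules in
# [LO,HI] whose last match is more than MAX_IDLE seconds before NOW,
# or that have never matched at all.
expire_rules() {
    now=$1; max_idle=$2; lo=${3:-64000}; hi=${4:-64999}
    awk -v now="$now" -v max_idle="$max_idle" -v lo="$lo" -v hi="$hi" '
        $1 + 0 >= lo + 0 && $1 + 0 <= hi + 0 && $5 == "allow" {
            last = $4 + 0
            # a never-matched rule has timestamp 0: the host registered
            # but sent nothing since, so it is idle by definition
            if (last == 0 || now - last > max_idle) print $1 + 0
        }'
}

# Constructed listing in `ipfw -T show` format; the epoch values fall
# around the date of this thread (March 2003).
sample_listing() {
    cat <<'EOF'
00100  1234  567890 1047659648 allow ip from any to any via lo0
64900   812  604512 1047659040 allow tcp from 10.0.5.17 to any
64901     0       0          0 allow tcp from 10.0.5.23 to any
64902  4403 3122010 1047659600 allow tcp from 10.0.5.31 to any
65000  9120  722160 1047659648 fwd 10.0.5.1 tcp from 10.0.5.0/24 to any
EOF
}

# Dry run against the constructed listing with a 10-minute idle limit:
# 64900 (idle 608 s) and 64901 (never matched) are expired, 64902 stays,
# and the fwd rule at 65000 is never touched.
sample_listing | expire_rules 1047659648 600

# Live run, only when invoked with --run, intended for a cron entry such as
# (assumed path): */1 * * * * root /usr/local/sbin/expire-portal.sh --run
if [ "${1:-}" = "--run" ]; then
    ipfw -T show | expire_rules "$(date +%s)" 600 | while read -r rule; do
        ipfw delete "$rule"
    done
fi
```

Keeping the registration rules in their own number range is what makes the deletion safe: the catch-all fwd rule at 65000 and anything below the range are never candidates, so a bug in the idle calculation cannot take the gateway's own rules with it. Treating a never-matched rule as idle matters too, because a host that registered and then powered off before sending a packet would otherwise keep its allow rule forever.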