From owner-freebsd-net@FreeBSD.ORG Wed Sep 29 11:50:52 2004
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D99BE16A4CF for ; Wed, 29 Sep 2004 11:50:52 +0000 (GMT)
Received: from xout.mail.su29.ru (xout.mail.su29.ru [81.200.3.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 940A143D2F for ; Wed, 29 Sep 2004 11:50:52 +0000 (GMT) (envelope-from _pppp@mail.ru)
Received: from [81.200.13.122] (helo=[192.168.28.30]) by mail.su29.ru with esmtp (Exim 4.42 (FreeBSD)) id 1CCcyx-0008Ui-AO; Wed, 29 Sep 2004 15:50:51 +0400
From: dima <_pppp@mail.ru>
To: Kevin Schmidt
In-Reply-To: <200409281010.02904.kps@ucsb.edu>
References: <200409281010.02904.kps@ucsb.edu>
Content-Type: text/plain
Organization: SU29 Telecom
Message-Id: <1096458648.2423.11.camel@pppp>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6
Date: Wed, 29 Sep 2004 15:50:48 +0400
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
Subject: Re: Bridging vlans w/firewall and selective HTTP redirect?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 29 Sep 2004 11:50:53 -0000

Would you bother reading Cisco tech documentation regarding 802.1x?
http://cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008022995b.html

It states you can configure a guest VLAN for non-authenticated users; you can also temporarily disable infected users' accounts. So, I guess you should only configure your networking hardware & RADIUS server properly. Also make a common remedy web/ftp server in the guest VLAN (which would contain both 802.1x software and anti-compromise/infection information).

PS: A PC wouldn't ever give you traffic/packet rates equal to the hardware ones, especially at layer 2. Just use things for the tasks they were designed for.

> I'm interested in placing an FBSD box (prefer 4.x since it's production,
> though I've also used 5.2) inline on a link with 802.1Q-tagged vlans with
> firewalling and selective HTTP redirects. Bridging a couple of ethernets
> isn't a problem, and it appears I can enable ipf or ipfw (but not pf; too
> bad, ALTQ and pfsync would be nice). What does not appear viable is the
> interception and transparent redirect of HTTP traffic in this bridged
> environment. Anyone know of a good way to do this?
>
> The purpose of the above is to support a wireless network where users may be
> associated with various vlans, some of which will require selective traffic
> filtering and transparent http redirects. For example, there might be an
> SSID for a "readme" vlan network where people could log in to a web page and
> download an 802.1X supplicant. The supplicant would be preconfigured to join
> another SSID, e.g. "campus wireless", which would allow authenticated users
> full Internet access. If a particular user is known to have a
> compromised/infected system, they'd be mapped to a quarantine vlan, which
> ideally would block most traffic and redirect them to a web page with
> additional information and remediation tools. Similar techniques would be
> used to support an https login process that would selectively open the
> firewall for authenticated users. I'm sure someone reading this is
> wondering, "why not do the web redirects on a routed interface instead of
> with an inline bridge, since redirects at an L3 interface work?" The answer
> is scalability and roaming: I'd like routing to be done at a couple of
> upstream Cisco boxes, with two or more FBSD boxes inline on the downstream
> vlans supporting wireless and (ultimately) some wired ports. I'll do it
> routed if I must, but it would be great if I could redirect locally at the
> bridge.
>
> I'm looking at Linux/OpenBSD/NetBSD, too, though I've always preferred FBSD
> (still have my 1.x CDs) and have happily used it for DNS, web, ftp, etc.
> servers for years.
>
> Any suggestions/comments/questions welcome.
>
> Cheers,
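The per-VLAN policy Kevin describes (a "readme" and a quarantine VLAN that block most traffic and send HTTP to a local page, a campus VLAN with full access), modelled as a bridge-side decision over 802.1Q-tagged IPv4 frames. This is an added example, not code from the thread or from FreeBSD; the VLAN IDs, the portal address and the frames are constructed, and a real deployment would express the same verdicts as ipfw rules on the bridge.

```python
import struct

# Constructed VLAN roles and portal address (hypothetical, not from the thread).
README_VLAN, CAMPUS_VLAN, QUARANTINE_VLAN = 10, 20, 30
PORTAL = "10.0.0.1"   # local web server holding the supplicant / remediation pages

def parse_tagged_frame(frame):
    """Return (vid, ip_proto, dst_ip, dst_port) from an 802.1Q-tagged IPv4 frame, else None."""
    if len(frame) < 18 or frame[12:14] != b"\x81\x00":
        return None                          # untagged or truncated frame
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF                       # VLAN ID is the low 12 bits of the TCI
    if ethertype != 0x0800:
        return None                          # only IPv4 is policed here
    ip = frame[18:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    proto = ip[9]
    dst = ".".join(str(b) for b in ip[16:20])
    dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return vid, proto, dst, dport

def decide(frame):
    """Bridge verdict for one frame: 'pass', 'drop' or ('redirect', portal)."""
    parsed = parse_tagged_frame(frame)
    if parsed is None:
        return "drop"                        # fail closed on anything we cannot classify
    vid, proto, dst, dport = parsed
    if vid == CAMPUS_VLAN:
        return "pass"                        # authenticated users: full access
    if vid not in (README_VLAN, QUARANTINE_VLAN):
        return "drop"                        # unknown VLAN: not bridged
    # Restricted VLANs: only the portal and DNS get through; web goes to the portal.
    if dst == PORTAL or (proto == 17 and dport == 53):
        return "pass"
    if proto == 6 and dport == 80:
        return ("redirect", PORTAL)          # transparent HTTP redirect at the bridge
    return "drop"

def build_frame(vid, proto, src, dst, dport):
    """Construct a minimal tagged IPv4 frame for testing (not a real capture)."""
    eth = b"\x00" * 12 + b"\x81\x00" + struct.pack("!HH", vid & 0x0FFF, 0x0800)
    ip = bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00" * 5 + bytes([proto]) + b"\x00\x00"
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    return eth + ip + struct.pack("!HH", 40000, dport) + b"\x00" * 16
```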