[isf-wifidog] FirewallRuleSets & User Classes
Scott Tully
scott.tully at gmail.com
Wed 2 Mar 13:48:06 EST 2005
From what I have seen you guys have laid the foundation for building a
user class system with your FirewallRuleSet. All that needs to be done
is split "known-users" into a few not so "known" user classes or
groups.
For now, let's just say that I want to add one new class called "public-users".
I am thinking that it would be as simple as this:
# add this to wifidog.conf
FirewallRuleSet public-users {
    FirewallRule block all port 25
    # LAN prefix assumed to be a /24; rules are matched in order, so the
    # block must come before the catch-all allow
    FirewallRule block to 192.168.1.0/24
    FirewallRule allow to 0.0.0.0/0
}
This would block port 25 and access to my LAN.
Also creating the correct filter chains
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
                    " -m mark --mark 0x%u -j " TABLE_WIFIDOG_PUBLIC,
                    FW_MARK_PUBLIC);
iptables_load_ruleset("public-users", TABLE_WIFIDOG_PUBLIC);
And add a new enumeration like FW_MARK_PUBLIC = 3.
When a user is validated, instead of setting
"client->fw_connection_state = FW_MARK_KNOWN", I will set the
fw_connection_state to what is returned with the authcode... a
classcode, I guess you could call it, more like
client->fw_connection_state = authresponse.classcode. The classcodes
should match the marks used in the firewall. So in this case, when the
user has validated, the authserver output would be similar to:
Auth: 1
Class: 3
Messages:
This should put the public user class through the correct filter
chain... I think. I might, and probably do, have a few things wrong,
but something along this line should work. It won't be until I get in
there that I find all the real problems... does anybody foresee any
problems for me using this or a similar approach to implementing a
user class system? If I am totally off, just tell me, and I will go
back to the code and read some more... no lengthy response is
required.
Regards,
Scott
BTW - Sorry if I am being too enthusiastic about your project. I don't
want to seem like a bully, or too aggressive... I just want to use the
dog, and I can't in its current state. As you will soon find out, I
am a bit of a workaholic :)
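As an added example (not from the post or from the WiFiDog code base), a small C sketch of the response handling the post proposes: the authserver's "Class:" line is mapped to a firewall mark, and anything without a chain of its own is refused rather than falling through to the known-users chain. The chain names, the "Auth: 1" meaning "allowed", and the marks other than FW_MARK_PUBLIC = 3 are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Marks mirror the firewall marks; FW_MARK_PUBLIC = 3 is the class from the
 * post, the other values are assumed for this example. */
enum { FW_MARK_NONE = 0, FW_MARK_PROBATION = 1, FW_MARK_KNOWN = 2, FW_MARK_PUBLIC = 3 };

/* Parse a response such as "Auth: 1\nClass: 3\nMessages:\n" and return the
 * mark to store in client->fw_connection_state. FW_MARK_NONE is returned
 * when the user is not allowed, when no class was sent, or when the class has
 * no matching chain, so a bad classcode never grants "known" access. */
int classcode_from_authresponse(const char *resp)
{
    int auth = 0, class_found = 0;
    long cls = 0;
    const char *p = resp;

    while (p && *p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 6 && strncmp(p, "Auth: ", 6) == 0) {
            auth = atoi(p + 6);
        } else if (len > 7 && strncmp(p, "Class: ", 7) == 0) {
            char *end;
            cls = strtol(p + 7, &end, 10);
            class_found = (end != p + 7);
        }
        p = nl ? nl + 1 : NULL;
    }
    if (auth != 1 || !class_found)
        return FW_MARK_NONE;
    if (cls != FW_MARK_PROBATION && cls != FW_MARK_KNOWN && cls != FW_MARK_PUBLIC)
        return FW_MARK_NONE;               /* unmapped class: deny, do not guess */
    return (int)cls;
}

/* Build the per-class jump rule the post sketches (constructed chain names
 * are passed in by the caller). Returns a static buffer. */
const char *class_jump_rule(const char *from_chain, const char *class_chain, int mark)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "-t filter -A %s -m mark --mark 0x%x -j %s",
             from_chain, mark, class_chain);
    return buf;
}
```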
More information about the WiFiDog mailing list