[isf-wifidog] FirewallRuleSets & User Classes

Scott Tully scott.tully at gmail.com
Wed 2 Mar 13:48:06 EST 2005


From what I have seen you guys have laid the foundation for building a
user class system with your FirewallRuleSet. All that needs to be done
is split "known-users" into a few not so "known" user classes or
groups.

For now, let's just say that I want to add one new class called "public-users".
I am thinking that it would be as simple as this:


# add this to wifidog.conf
FirewallRuleSet public-users {
    FirewallRule block all port 25
    FirewallRule block to 192.168.1.0/24
    FirewallRule allow to 0.0.0.0/0
}

This would block port 25 and access to my LAN.

Also creating the correct filter chains:

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
                    " -m mark --mark 0x%u -j " TABLE_WIFIDOG_PUBLIC, FW_MARK_PUBLIC);
iptables_load_ruleset("public-users", TABLE_WIFIDOG_PUBLIC);

And add a new enumeration like FW_MARK_PUBLIC = 3.

When a user is validated, instead of setting
"client->fw_connection_state = FW_MARK_KNOWN", I will set the
fw_connection_state to what is returned with the authcode... a
classcode I guess you could call it, more like
client->fw_connection_state = authresponse.classcode. The classcodes
should match the marks used in the firewall. So in this case when the
user has validated the authserver output would be similar to:

Auth: 1
Class: 3
Messages: 

This should put the public user class through the correct filter
chain... I think. I might, and probably do, have a few things wrong
but something along this line should work. It won't be until I get in
there that I find all the real problems... does anybody foresee any
problems for me using this or a similar approach to implementing a
user class system? If I am totally off just tell me, and I will go
back to the code and read some more... no lengthy response is
required.


Regards,
Scott

BTW- Sorry if I am being too enthusiastic about your project. I don't
want to seem like a bully, or too aggressive... I just want to use the
dog, and I can't in its current state. As you will soon find out, I
am a bit of a workaholic :)
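The two pieces the proposal above glues together are (a) the auth server's "Auth:" / "Class:" reply being copied into the client's firewall mark, and (b) a FirewallRuleSet being loaded into the chain that mark selects. The following is an added example written for this thread, not WiFiDog's own code: it parses a reply like the one quoted, maps the class to a mark only through a table of classes the gateway actually has a chain for (an unregistered class, or anything other than "Auth: 1", yields no mark rather than an arbitrary integer landing in iptables), and lints a ruleset for a "block to <cidr>/0" that would make every later rule unreachable. FW_MARK_PUBLIC = 3 is the value from the post; the other mark values, the class table, the ruleset names, and the sample rulesets are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Firewall marks. FW_MARK_PUBLIC = 3 is the value proposed in the post;
 * the other values are assumptions for this example, not WiFiDog's own. */
enum fw_mark {
    FW_MARK_NONE      = 0,  /* no chain selected: traffic stays unauthenticated */
    FW_MARK_PROBATION = 1,
    FW_MARK_KNOWN     = 2,
    FW_MARK_PUBLIC    = 3
};

/* Classes the gateway has actually built a chain for (constructed table).
 * A class the auth server returns that is not here is treated as unknown. */
static const struct { int classcode; enum fw_mark mark; const char *ruleset; } class_table[] = {
    { 1, FW_MARK_PROBATION, "validating-users" },
    { 2, FW_MARK_KNOWN,     "known-users" },
    { 3, FW_MARK_PUBLIC,    "public-users" },
};

/* Parse the "Auth: N" and "Class: N" header lines of an auth server reply.
 * Returns 0 on success, -1 if "Auth:" is missing or a value is not numeric.
 * A reply without "Class:" defaults to class 2 (known-users) so the existing
 * single-class protocol keeps working unchanged. */
int parse_auth_response(const char *body, int *auth, int *classcode)
{
    int have_auth = 0;
    const char *p = body;
    *auth = 0;
    *classcode = 2;
    while (p && *p) {
        char *end;
        if (strncmp(p, "Auth: ", 6) == 0) {
            *auth = (int)strtol(p + 6, &end, 10);
            if (end == p + 6) return -1;
            have_auth = 1;
        } else if (strncmp(p, "Class: ", 7) == 0) {
            *classcode = (int)strtol(p + 7, &end, 10);
            if (end == p + 7) return -1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return have_auth ? 0 : -1;
}

/* Map a parsed reply to the mark the client's packets will carry. The raw
 * class integer is never used directly: a reply other than "Auth: 1" or a
 * class with no registered chain gets FW_MARK_NONE (fail closed). */
enum fw_mark class_to_mark(int auth, int classcode)
{
    size_t i;
    if (auth != 1) return FW_MARK_NONE;
    for (i = 0; i < sizeof class_table / sizeof class_table[0]; i++)
        if (class_table[i].classcode == classcode) return class_table[i].mark;
    return FW_MARK_NONE;
}

/* What the gateway would assign to client->fw_connection_state for a reply. */
enum fw_mark mark_for_reply(const char *body)
{
    int auth, classcode;
    if (parse_auth_response(body, &auth, &classcode) != 0) return FW_MARK_NONE;
    return class_to_mark(auth, classcode);
}

/* Prefix length of "A.B.C.D/N", or -1 if the string is not a valid CIDR. */
static int cidr_prefix(const char *cidr)
{
    unsigned a, b, c, d; int n;
    if (sscanf(cidr, "%u.%u.%u.%u/%d", &a, &b, &c, &d, &n) != 5) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || n < 0 || n > 32) return -1;
    return n;
}

/* Copy the line starting at p into buf and return a pointer to the next line. */
static const char *next_line(const char *p, char *buf, size_t n)
{
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n) len = n - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Lint a FirewallRuleSet body: rules are applied in order, so a
 * "block to <anything>/0" matches every destination and shadows every rule
 * after it. Returns the 1-based index of such a block when a rule follows it,
 * or 0 when the ruleset has no shadowed rules. */
int find_shadowing_block(const char *ruleset)
{
    char line[128], action[8], target[64];
    int idx = 0, shadow_at = 0;
    const char *p = ruleset;
    while (*p) {
        const char *r;
        p = next_line(p, line, sizeof line);
        r = line + strspn(line, " \t");
        if (strncmp(r, "FirewallRule ", 13) != 0) continue;   /* header, "}" or blank */
        idx++;
        if (shadow_at) return shadow_at;                        /* a rule follows the catch-all */
        if (sscanf(r + 13, "%7s to %63s", action, target) == 2 &&
            strcmp(action, "block") == 0 && cidr_prefix(target) == 0)
            shadow_at = idx;
    }
    return 0;
}

/* Constructed sample inputs: the reply quoted in the post, a ruleset with a
 * /0 typo on the LAN block, and the same ruleset with the intended /24. */
static const char SAMPLE_REPLY[] = "Auth: 1\nClass: 3\nMessages: \n";
static const char BAD_RULESET[] =
    "FirewallRuleSet public-users {\n"
    "    FirewallRule block all port 25\n"
    "    FirewallRule block to 192.168.1.0/0\n"
    "    FirewallRule allow to 0.0.0.0/0\n"
    "}\n";
static const char GOOD_RULESET[] =
    "FirewallRuleSet public-users {\n"
    "    FirewallRule block all port 25\n"
    "    FirewallRule block to 192.168.1.0/24\n"
    "    FirewallRule allow to 0.0.0.0/0\n"
    "}\n";

int main(void)
{
    printf("mark for sample reply: %d\n", (int)mark_for_reply(SAMPLE_REPLY));
    printf("shadowing block in BAD_RULESET: rule %d\n", find_shadowing_block(BAD_RULESET));
    printf("shadowing block in GOOD_RULESET: rule %d\n", find_shadowing_block(GOOD_RULESET));
    return 0;
}
```

The class table is the point of the design: the mark is looked up, not copied, so a misconfigured or compromised auth server cannot steer a client into a chain the gateway never defined, and a class that has no ruleset leaves the client unauthenticated instead of unfiltered. The ruleset lint catches the ordering mistake that a first-match chain makes easy: a catch-all block placed before the final allow silently turns "block my LAN" into "block everything".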


More information about the WiFiDog mailing list