From alwaysbeonline at hotmail.com Mon Sep 11 02:54:14 2006
From: alwaysbeonline at hotmail.com (alwaysbeonline@hotmail.com using getitfree.net)
Date: Mon, 11 Sep 2006 02:54:14 -0700
Subject: [NoCat] please do this, for a free ipod
Message-ID:

hey, go here and we both get a free ipod pretty pretty please :)

http://www.getitfree.net/xybweovtv

This was sent by alwaysbeonline at hotmail.com via GetItFree, Box 8156, San Jose CA 95155
Visit this page http://www.getitfree.net/index.php?target=unsubscribe&u=ybweovtv&mid=1157968454123042 to prevent delivery of future GetItFree.net referral emails


From jpcambou at free.fr Mon Sep 25 07:14:17 2006
From: jpcambou at free.fr (Jean-Philippe CAMBOURNAC)
Date: Mon, 25 Sep 2006 16:14:17 +0200
Subject: [NoCat] How to restrict access for authenticated user
Message-ID: <4517E439.6030309@free.fr>

Hi all,

I want to restrict access for authenticated users; let me explain:
When a user is authenticated, he has full access to the Internet (http,
https, pop, smtp, imap, ssh...):
(from .../nocat/bin/initialize.fw (on the GW))

(...)
# Handle tagged traffic.
#
for iface in $InternalDevice; do
  for net in $LocalNetwork; do
    for fwmark in $classes; do
      # Only forward tagged traffic per class
      $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
(...)

Replacing the last line by:
      for port in 80 443; do
        $fwd -i $iface -p tcp --dport $port -s $net -m mark --mark $fwmark -j ACCEPT
      done

But this "Patch" doesn't work. Perhaps on the bin/access.fw file...

So, if anybody has an idea where I can define firewall rules to
restrict access to only http and https for authenticated users, it
will help me a lot.

Thanks.
Regards,
Jean-Philippe.


From Nicolas.Schmitz at ec-nantes.fr Mon Sep 25 08:38:20 2006
From: Nicolas.Schmitz at ec-nantes.fr (Nicolas Schmitz)
Date: Mon, 25 Sep 2006 17:38:20 +0200
Subject: [NoCat] How to restrict access for authenticated user
In-Reply-To: <4517E439.6030309@free.fr>
References: <4517E439.6030309@free.fr>
Message-ID: <4517F7EC.9090806@ec-nantes.fr>

Hi,

I think you can restrict access in gateway/nocat.conf with IncludePorts
and ExcludePorts. No need to patch initialize.fw

Nicolas Schmitz

Jean-Philippe CAMBOURNAC wrote:
> Hi all,
>
> I want to restrict access for authenticated users; let me explain:
> When a user is authenticated, he has full access to the Internet (http,
> https, pop, smtp, imap, ssh...):
> (from .../nocat/bin/initialize.fw (on the GW))
>
> (...)
> # Handle tagged traffic.
> #
> for iface in $InternalDevice; do
>   for net in $LocalNetwork; do
>     for fwmark in $classes; do
>       # Only forward tagged traffic per class
>       $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
> (...)
>
> Replacing the last line by:
>       for port in 80 443; do
>         $fwd -i $iface -p tcp --dport $port -s $net -m mark --mark $fwmark -j ACCEPT
>       done
>
> But this "Patch" doesn't work. Perhaps on the bin/access.fw file...
>
> So, if anybody has an idea where I can define firewall rules to
> restrict access to only http and https for authenticated users, it
> will help me a lot.
>
> Thanks.
> Regards,
> Jean-Philippe.
>
> _______________________________________________
> NoCat mailing list
> NoCat at lists.nocat.net
> http://lists.nocat.net/mailman/listinfo/nocat
>


From erecio at polywog.org Mon Sep 25 19:35:58 2006
From: erecio at polywog.org (E. M. Recio)
Date: Mon, 25 Sep 2006 22:35:58 -0400
Subject: [NoCat] Multiple VLANs
Message-ID: <4518920E.2010702@polywog.org>

It seems like we'll need to implement three subnets (and VLANs) trunked to
one interface on the server (or several, whichever's easier). Does nocat net
handle multiple subnets?

-E


From jpcambou at free.fr Tue Sep 26 00:24:47 2006
From: jpcambou at free.fr (Jean-Philippe CAMBOURNAC)
Date: Tue, 26 Sep 2006 09:24:47 +0200
Subject: [NoCat] How to restrict access for authenticated user
In-Reply-To: <4517F7BF.3060601@ec-nantes.fr>
References: <4517E439.6030309@free.fr> <4517F7BF.3060601@ec-nantes.fr>
Message-ID: <4518D5BF.30309@free.fr>

Hi,

In the initialize.fw file the comment for IncludePorts and ExcludePorts
says:

# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.

So I managed to change initialize.fw from:
(...)
# Enable all ports in IncludePorts
for iface in $InternalDevice; do
  for port in $IncludePorts; do
    $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
    $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
  done
(...)
  # ...and disable access to the rest.
  $ports -p tcp -i $iface -m mark --mark 3 -j DROP
  $ports -p udp -i $iface -m mark --mark 3 -j DROP
done

to:
# Enable all ports in IncludePorts
for iface in $InternalDevice; do
  for port in $IncludePorts; do
    for mark in 1 2 3; do
      $ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
      $ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
    done
  done
(...)
  # ...and disable access to the rest.
  for mark in 1 2 3; do
    $ports -p tcp -i $iface -m mark --mark $mark -j DROP
    $ports -p udp -i $iface -m mark --mark $mark -j DROP
  done
done

Then in nocat.conf I set IncludePorts to 80, but I can still go to https
and ssh.
Did I miss something?
Or is it impossible to restrict access for Owner and Co-op (mark 1 and 2)?

Regards,
Jean-Philippe.

Nicolas Schmitz wrote:
> Hi,
> I think you can restrict access in gateway/nocat.conf with
> IncludePorts and ExcludePorts. No need to patch initialize.fw
>
> Nicolas Schmitz
>
>
> Jean-Philippe CAMBOURNAC wrote:
>> Hi all,
>>
>> I want to restrict access for authenticated users; let me explain:
>> When a user is authenticated, he has full access to the Internet (http,
>> https, pop, smtp, imap, ssh...):
>> (from .../nocat/bin/initialize.fw (on the GW))
>>
>> (...)
>> # Handle tagged traffic.
>> #
>> for iface in $InternalDevice; do
>>   for net in $LocalNetwork; do
>>     for fwmark in $classes; do
>>       # Only forward tagged traffic per class
>>       $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
>> (...)
>>
>> Replacing the last line by:
>>       for port in 80 443; do
>>         $fwd -i $iface -p tcp --dport $port -s $net -m mark --mark $fwmark -j ACCEPT
>>       done
>>
>> But this "Patch" doesn't work. Perhaps on the bin/access.fw file...
>>
>> So, if anybody has an idea where I can define firewall rules to
>> restrict access to only http and https for authenticated users, it
>> will help me a lot.
>>
>> Thanks.
>> Regards,
>> Jean-Philippe.
>>
>


From jpcambou at free.fr Tue Sep 26 03:21:59 2006
From: jpcambou at free.fr (Jean-Philippe CAMBOURNAC)
Date: Tue, 26 Sep 2006 12:21:59 +0200
Subject: [NoCat] How to restrict access for authenticated user
In-Reply-To: <4518D5BF.30309@free.fr>
References: <4517E439.6030309@free.fr> <4517F7BF.3060601@ec-nantes.fr> <4518D5BF.30309@free.fr>
Message-ID: <4518FF47.3090701@free.fr>

Hi,

So, I've found that my $IncludePorts and $ExcludePorts were not defined,
which is why the modifications I tried to apply don't work.

I removed the section which uses IncludePorts and ExcludePorts and replaced
it with:

for iface in $InternalDevice; do
  for port in 80 443; do        # define the allowed ports
    for mark in 1 2; do         # for post-auth users (owner & co-op)
      $ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
      $ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
    done
  done
  # Always permit access to the GatewayPort (or we can't logout)
  $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
  $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT
  # ...and disable access to the rest.
  for mark in 1 2; do
    $ports -p tcp -i $iface -m mark --mark $mark -j DROP
    $ports -p udp -i $iface -m mark --mark $mark -j DROP
  done
done

By doing this I bypass the use of Include/ExcludePorts and it works fine
(verified by ULOGging the firewall activity).

Now, if someone has an idea why my Include/ExcludePorts don't work (in
lib/NoCat/Firewall.pm, my @Perform_Export = qw{...} contains IncludePorts,
and so does the nocat.conf GW file).

Regards,
Jean-Philippe

Jean-Philippe CAMBOURNAC wrote:
> Hi,
>
> In the initialize.fw file the comment for IncludePorts and ExcludePorts
> says:
>
> # Lock down more ports for public users, if specified. Port restrictions
> # are not applied to co-op and owner class users.
>
> So I managed to change initialize.fw from:
> (...)
> # Enable all ports in IncludePorts
> for iface in $InternalDevice; do
>   for port in $IncludePorts; do
>     $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
>     $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
>   done
> (...)
>   # ...and disable access to the rest.
>   $ports -p tcp -i $iface -m mark --mark 3 -j DROP
>   $ports -p udp -i $iface -m mark --mark 3 -j DROP
> done
>
> to:
> # Enable all ports in IncludePorts
> for iface in $InternalDevice; do
>   for port in $IncludePorts; do
>     for mark in 1 2 3; do
>       $ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
>       $ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
>     done
>   done
> (...)
>   # ...and disable access to the rest.
>   for mark in 1 2 3; do
>     $ports -p tcp -i $iface -m mark --mark $mark -j DROP
>     $ports -p udp -i $iface -m mark --mark $mark -j DROP
>   done
> done
>
> Then in nocat.conf I set IncludePorts to 80, but I can still go to https
> and ssh.
> Did I miss something?
> Or is it impossible to restrict access for Owner and Co-op (mark 1 and 2)?
>
> Regards,
> Jean-Philippe.
>
> Nicolas Schmitz wrote:
>
>> Hi,
>> I think you can restrict access in gateway/nocat.conf with
>> IncludePorts and ExcludePorts. No need to patch initialize.fw
>>
>> Nicolas Schmitz
>>
>>
>> Jean-Philippe CAMBOURNAC wrote:
>>
>>> Hi all,
>>>
>>> I want to restrict access for authenticated users; let me explain:
>>> When a user is authenticated, he has full access to the Internet (http,
>>> https, pop, smtp, imap, ssh...):
>>> (from .../nocat/bin/initialize.fw (on the GW))
>>>
>>> (...)
>>> # Handle tagged traffic.
>>> #
>>> for iface in $InternalDevice; do
>>>   for net in $LocalNetwork; do
>>>     for fwmark in $classes; do
>>>       # Only forward tagged traffic per class
>>>       $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
>>> (...)
>>>
>>> Replacing the last line by:
>>>       for port in 80 443; do
>>>         $fwd -i $iface -p tcp --dport $port -s $net -m mark --mark $fwmark -j ACCEPT
>>>       done
>>>
>>> But this "Patch" doesn't work. Perhaps on the bin/access.fw file...
>>>
>>> So, if anybody has an idea where I can define firewall rules to
>>> restrict access to only http and https for authenticated users, it
>>> will help me a lot.
>>>
>>> Thanks.
>>> Regards,
>>> Jean-Philippe.
>>>
>>
>
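The per-class port lock-down worked out in this thread, as an added shell example that is not NoCat's own initialize.fw: it prints the iptables rules instead of applying them, and two small counters show why a port or mark list written as one quoted word ("80 443") makes a for loop run only once. The $ports command, the chain name, the interface and the gateway port are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not NoCat's initialize.fw. Rules are printed, not applied.
# PLACEHOLDER: in NoCat, $ports expands to an iptables command that appends
# to its port-filtering chain; the chain name used here is made up.
ports="iptables -A PORTS_CHAIN"

# A quoted word list is a single word: the loop body runs once with
# port="80 443", which iptables rejects as a --dport value.
quoted_iterations() {
    n=0
    for port in "80 443"; do n=$((n + 1)); done
    echo "$n"
}

# An unquoted list is word-split by the shell: one iteration per port.
unquoted_iterations() {
    n=0
    for port in 80 443; do n=$((n + 1)); done
    echo "$n"
}

# Emit the rules for one interface.
#   $1 interface, $2 allowed TCP/UDP ports, $3 fwmark classes to restrict,
#   $4 GatewayPort (must stay open so users can still log out).
# Rule order matters: ACCEPTs first, then the gateway port, then the DROPs
# for the same classes; reversing it would drop the allowed traffic too.
gen_rules() {
    iface=$1 allowed=$2 marks=$3 gwport=$4
    for port in $allowed; do          # deliberately unquoted: word-split
        for mark in $marks; do
            echo "$ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT"
            echo "$ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT"
        done
    done
    echo "$ports -p tcp -i $iface --dport $gwport -j ACCEPT"
    echo "$ports -p udp -i $iface --dport $gwport -j ACCEPT"
    for mark in $marks; do
        echo "$ports -p tcp -i $iface -m mark --mark $mark -j DROP"
        echo "$ports -p udp -i $iface -m mark --mark $mark -j DROP"
    done
}

# Usage (values constructed for illustration): owner and co-op classes
# (marks 1 and 2) on eth1 limited to 80/443, gateway listening on 5280.
gen_rules eth1 "80 443" "1 2" 5280
```

Piping the output into sh would apply the rules; reviewing it first, or logging with ULOG as the thread does, is how to confirm that only the intended ports pass for marks 1 and 2.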