[NoCat] How to restrict access for authenticated user
Jean-Philippe CAMBOURNAC
jpcambou at free.fr
Tue Sep 26 00:24:47 PDT 2006
Hi,
In the initialize.fw file, the comment for IncludePorts and ExcludePorts
says:
# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.
So I changed initialize.fw from:
(...)
# Enable all ports in IncludePorts
for iface in $InternalDevice; do
for port in $IncludePorts; do
$ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
$ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
done
(...)
# ...and disable access to the rest.
$ports -p tcp -i $iface -m mark --mark 3 -j DROP
$ports -p udp -i $iface -m mark --mark 3 -j DROP
done
to :
# Enable all ports in IncludePorts
for iface in $InternalDevice; do
    for port in $IncludePorts; do
        # Unquoted list: each mark (1 = owner, 2 = co-op, 3 = public) gets its own iteration
        for mark in 1 2 3; do
            $ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
            $ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
        done
    done
(...)
    # ...and disable access to the rest.
    for mark in 1 2 3; do
        $ports -p tcp -i $iface -m mark --mark $mark -j DROP
        $ports -p udp -i $iface -m mark --mark $mark -j DROP
    done
done
Then in nocat.conf I set IncludePorts to 80, but I can still go to
https and ssh.
Did I miss something?
Or is it impossible to restrict access for Owner and Co-op (mark 1 and 2)?
Regards,
Jean-Philippe.
Nicolas Schmitz wrote:
> Hi,
> I think you can restrict access in gateway/nocat.conf with
> IncludePorts and ExcludePorts. No need to patch initialize.fw
>
> Nicolas Schmitz
>
>
> Jean-Philippe CAMBOURNAC wrote:
>> Hi all,
>>
>> I want to restrict access for authenticated users. Let me explain:
>> When a user is authenticated, he has full access to the Internet (http,
>> https, pop, smtp, imap, ssh...):
>> (from .../nocat/bin/initialize.fw (on the GW))
>>
>> (...)
>> # Handle tagged traffic.
>> #
>> for iface in $InternalDevice; do
>> for net in $LocalNetwork; do
>> for fwmark in $classes; do
>> # Only forward tagged traffic per class
>> $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
>> (...)
>>
>> Replacing the last line with:
>> # Unquoted list so that 80 and 443 are two separate iterations
>> for port in 80 443; do
>>     $fwd -i $iface -p tcp --dport $port -s $net -m mark --mark $fwmark -j ACCEPT
>> done
>>
>> But this "patch" doesn't work. Perhaps in the bin/access.fw file...
>>
>> So, if anybody has an idea where I can define firewall rules to
>> restrict access to only http and https for authenticated users, it
>> would help me a lot.
>>
>> Thanks.
>> Regards,
>> Jean-Philippe.
>>
>> _______________________________________________
>> NoCat mailing list
>> NoCat at lists.nocat.net
>> http://lists.nocat.net/mailman/listinfo/nocat
>>
>
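An added example, not part of the thread and not NoCat's own initialize.fw: it builds the per-class port restriction discussed above with the loop lists left unquoted, and adds a small checker that walks the generated rules in order and reports the verdict a (protocol, dport, mark) combination would get, so the rule set can be reviewed before it is loaded. Assumptions: $ports is the same command prefix NoCat uses for its port chain (here it only echoes the rules), and the interface, IncludePorts and mark values are constructed sample values.

```shell
#!/bin/sh
# Added example, not NoCat's own initialize.fw. It builds the per-class port
# restriction discussed in the thread and lets you check the verdict a given
# (protocol, dport, mark) would get, before touching a live firewall.
# Assumption: like NoCat, $ports is the command prefix for the port chain; here
# it only echoes the rules instead of applying them (constructed values below).
InternalDevice="eth1"                    # constructed sample interface
IncludePorts="80"                        # what the thread sets in nocat.conf
restricted_classes="1 2 3"               # owner=1, co-op=2, public=3 marks
ports="echo iptables -A NoCat_Ports"     # dry run: print, do not apply

emit_port_rules() {
    # $1: space-separated marks. Lists must stay unquoted in the for loops;
    # "1 2 3" in quotes is a single word and yields --mark "1 2 3", which fails.
    for iface in $InternalDevice; do
        for mark in $1; do
            for port in $IncludePorts; do
                $ports -p tcp -i "$iface" --dport "$port" -m mark --mark "$mark" -j ACCEPT
                $ports -p udp -i "$iface" --dport "$port" -m mark --mark "$mark" -j ACCEPT
            done
            # ...and drop everything else for that class.
            $ports -p tcp -i "$iface" -m mark --mark "$mark" -j DROP
            $ports -p udp -i "$iface" -m mark --mark "$mark" -j DROP
        done
    done
}

verdict() {
    # $1=proto $2=dport $3=mark. Walks the generated chain top to bottom and
    # prints the target of the first rule matching proto, mark and dport
    # (interface is ignored), or NOMATCH if the chain has no rule for that mark.
    emit_port_rules "$restricted_classes" | awk -v p="$1" -v d="$2" -v m="$3" '
    {
        proto = ""; dport = ""; mark = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--mark") mark = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (proto == p && mark == m && (dport == "" || dport == d)) {
            found = 1; print target; exit
        }
    }
    END { if (!found) print "NOMATCH" }'
}

emit_port_rules "$restricted_classes"   # print the rules that would be loaded
```

With restricted_classes set to "3" only, the checker returns NOMATCH for an owner (mark 1) packet, which is the stock NoCat behaviour the initialize.fw comment describes.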