HowtoForge Forums, Linux Forums > Installation/Configuration
#1 ripwit, 28th August 2007, 13:52

Implement single firewall login for access to all ports on LAN?

The normal apologies for the noobie-type question...

We have IPCop nicely segregating our orange (DMZ) and green (blocked) LANs. As time has gone on, I've realized that I'd like many more of our services to be on the orange network so they can be easily reached by customers/consultants who may not have fixed IPs. Many of our users are not SSH savvy and might not want us installing a tunneling client on their systems.

Most of these services that I want to expose have some form of authentication but some of that is not terribly robust (mediawiki, mysql, bugzilla). Some are targets for DoS (SQL Server) or other attacks.

My thoughts are to have a strong challenge/response login from a client to the firewall. This could be done via https to a non-standard port on the firewall. If this login succeeded, all (or configurable) ports would be available from the client to services inside the firewall as long as the 'session' was active. The session would be based on the client's IP and would have an inactivity time-out. The original https login would not need to stay active. The services behind the firewall would still have their normal authentication.

Valid user logins to the firewall could be either via statically configured tables on the firewall or via LDAP, etc.

I think I remember a scheme like this when I was using the Wingate proxy server. Is this available using iptables/IPCop or some other OSS package?
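Added example, not from the thread and not IPCop's, m0n0wall's or pfSense's code: a small POSIX shell helper that builds the scheme ripwit describes on plain iptables. It uses the xt_recent match, so the kernel itself enforces the per-IP inactivity time-out: every packet from an authenticated address refreshes its timestamp, and once the address has been idle for TIMEOUT seconds the rule simply stops matching. Everything named here is an assumption for the example: the chain AUTH_SESSIONS, the xt_recent list "authed" (managed through /proc/net/xt_recent/authed, /proc/net/ipt_recent on older kernels), the port list, the 15-minute timeout, and that the HTTPS login page calls `session_open` with the client's address only after the credential check has passed. Set IPTABLES=echo and RECENT_DIR to a scratch directory to see what it would do without root.

```shell
#!/bin/sh
# Hypothetical session-gating helper for an iptables firewall (added example).
# Assumed, not from the thread: chain AUTH_SESSIONS is jumped to from FORWARD
# ahead of the default deny; list "authed" is an xt_recent list; the HTTPS
# login CGI runs "session_open <client-ip>" after a successful credential check.
# Dry-run: IPTABLES=echo RECENT_DIR=/tmp/somedir ./fw-session setup

IPTABLES="${IPTABLES:-iptables}"
RECENT_DIR="${RECENT_DIR:-/proc/net/xt_recent}"   # /proc/net/ipt_recent on old kernels
CHAIN="${CHAIN:-AUTH_SESSIONS}"
LIST="${LIST:-authed}"
TIMEOUT="${TIMEOUT:-900}"                          # inactivity time-out, seconds
ALLOWED_PORTS="${ALLOWED_PORTS:-80,443,3306,1433}" # wiki/bugzilla, MySQL, SQL Server (example)

# The address comes from a web login form, so only a dotted quad is ever
# allowed near a rule or the proc file; anything else is treated as an
# injection attempt and refused.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time rule setup. --update refreshes the entry's timestamp on every
# matching packet; --seconds makes the match fail once the address has been
# idle for TIMEOUT seconds. That is the inactivity time-out, in the kernel.
fw_setup() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -F "$CHAIN"
    $IPTABLES -A "$CHAIN" -p tcp -m multiport --dports "$ALLOWED_PORTS" \
        -m recent --name "$LIST" --rsource --update --seconds "$TIMEOUT" \
        -j ACCEPT
    # hook the chain in front of the default deny; -C avoids a duplicate jump
    $IPTABLES -C FORWARD -j "$CHAIN" 2>/dev/null \
        || $IPTABLES -I FORWARD 1 -j "$CHAIN"
}

# Called once the HTTPS login has succeeded: adds the client IP to the list
# with a fresh timestamp. The HTTPS session may end; the entry lives on.
session_open() {
    valid_ipv4 "$1" || { echo "session_open: refusing '$1'" >&2; return 1; }
    printf '%s\n' "+$1" > "$RECENT_DIR/$LIST"
}

# Explicit logout, or an administrator kicking a client out early.
session_close() {
    valid_ipv4 "$1" || { echo "session_close: refusing '$1'" >&2; return 1; }
    printf '%s\n' "-$1" > "$RECENT_DIR/$LIST"
}

# Current entries; xt_recent prints one "src=IP ... last_seen=..." line each.
session_list() {
    cat "$RECENT_DIR/$LIST" 2>/dev/null
}

# Command-line front end. Sourcing the file with no arguments only defines
# the functions, so it can be reused from the login CGI.
if [ $# -gt 0 ]; then
    case "$1" in
        setup) fw_setup ;;
        open)  session_open "$2" ;;
        close) session_close "$2" ;;
        list)  session_list ;;
        *)     echo "usage: $0 setup | open IP | close IP | list" >&2 ;;
    esac
fi
```

Two points carry over even if the real deployment ends up being a captive portal product: the address is validated before it touches a rule or the proc file, because it arrives from a form the outside world can submit; and because the session key is the source IP, every host behind the same NAT as an authenticated client inherits the access, so the services inside must keep their own authentication, exactly as the post already plans.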
#2 cmb, 29th August 2007, 07:03

Sounds like a captive portal with authentication would be a good fit. Not sure if there is something like that for IPCop, I use it on m0n0wall and pfSense. You can authenticate users off RADIUS using a splash page (web traffic automatically redirected to login page), so you can integrate the authentication into your existing environment (Active Directory, *nix servers, etc.). In m0n0wall and pfSense, once you authenticate to the captive portal, you then have the defined firewall rules applied.

I suggest searching for a captive portal add-on for IPCop, maybe such a thing exists.

Good luck

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.