On Thu, 25 Apr 2002, Mikelson, Thomas wrote:

> Anyone come across implementation examples using opensource of:
>
> 1. User goes to webpage for authentication
> 2. Once authenticated iptables/ipchains firewall adds rule allowing
> user's ip/mac out

Hmm, this could rather easily be done with Perl/PHP/other such language (I would strongly recommend the use of SSL encryption here, regardless of the server location), although information security and system integrity would both be an issue to take seriously in this case, as I've discussed below. Using Apache's excellent mod_auth_mysql you could have an easily manageable and configurable list of accounts, maybe also allowing other services or only allowing limited services to the user, based on authentication (yes, I do know it can be done in a million ways but, personally, I've found db-based management the easiest and most painless).

Do note that the problem (from a security point of view) with this is obvious: how to make this all happen securely so that you don't introduce any loopholes for users to exploit. While using SSL the authentication process itself is relatively secure and that should at no point be the problem anyway. The problem here lies in the mechanism used to modify the ipchains/iptables rules. If you use system() to write the necessary data for allowing a certain user's ip/mac out, how do you make sure no user can modify those rules before they get implemented in the firewall rules? Running Apache and/or PHP as suid root just to be able to use system() to directly modify the firewall rules would be a baa-aad idea. If you used system() to write a file to the filesystem and then read in the firewall rules from it in a cronjob, or executed a suid root script to implement the rules in the file, that could also be dangerous. Especially so if the webserver and firewall are both on the same computer.

Unfortunately I can't offer you more than these points to consider and the links below. With a quick look at my bookmarks and a simple query in Google I came up with these instructions that I'm sure you could modify to suit your existing needs. Of course, this is all just making the wild assumption you're using an *IX system with Apache, PHP4 and MySQL. Other combinations most definitely vary.

1: Using MySQL for user authentication on Apache MOD_AUTH_MYSQL
   http://www.bignosebird.com/notebook/mysqlauth.shtml

2: Using $PHP_AUTH_USER and $PHP_AUTH_PW to authenticate
   http://www.kbcenter.com/kb.php?u_action=view_kb&kb_id=4702&category_id=236

3: system -- Execute an external program and display output
   http://www.php.net/manual/en/function.system.php

Hope those help - even if not directly applicable.

.pi.

--
Petteri Lyytinen - [EMAIL PROTECTED] - http://www.students.tut.fi/~typo/
+ Watashi no chikara de susumu +

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
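The "web tier writes a file, a root cron job applies it" design discussed in the reply above is only as safe as the validation the privileged side performs on what the unprivileged side wrote. The following is an added example (not code from the poster or the list) of that privileged consumer: it treats every queued line as untrusted, accepts only a username, an IPv4 address inside an assumed client subnet and a well-formed MAC, and builds the iptables call as an argv list so no shell ever sees user-supplied text. The queue path, subnet and line format are assumptions for the example.

```python
# Privileged consumer for the "write a file, apply it from cron" design.
# The web tier (unprivileged) appends one request per line to QUEUE_PATH
# as "user<TAB>ip<TAB>mac" (constructed format). This script, run by root
# from cron, validates each line strictly and calls iptables with an argv
# list (no shell), so nothing a user wrote is interpreted by a shell or
# parsed as an extra iptables option.
import ipaddress
import re
import subprocess

QUEUE_PATH = "/var/spool/webauth/queue"          # assumed path
CLIENT_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed client LAN
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_request(line):
    """Return (user, ip, mac) for a well-formed queue line, else raise ValueError."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 3:
        raise ValueError("expected 3 tab-separated fields")
    user, ip_text, mac = fields
    if not USER_RE.match(user):
        raise ValueError("bad username")
    ip = ipaddress.ip_address(ip_text)       # raises ValueError on junk
    if ip not in CLIENT_NET:
        raise ValueError("address outside client network")
    if not MAC_RE.match(mac.lower()):
        raise ValueError("bad MAC address")
    return user, str(ip), mac.lower()


def rule_argv(ip, mac):
    """iptables argv allowing forwarded traffic from this ip+mac pair."""
    return ["iptables", "-I", "FORWARD", "-s", ip,
            "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]


def process_queue(lines):
    """Validate every queued line; return (rules to apply, rejected lines)."""
    rules, rejected = [], []
    for line in lines:
        try:
            _user, ip, mac = parse_request(line)
            rules.append(rule_argv(ip, mac))
        except ValueError as err:
            rejected.append((line, str(err)))
    return rules, rejected


if __name__ == "__main__":
    with open(QUEUE_PATH) as fh:
        rules, rejected = process_queue(fh)
    for argv in rules:
        subprocess.run(argv, check=True)     # argv list: no shell involved
    for line, why in rejected:
        print("rejected %r: %s" % (line, why))
```

Rejected lines are logged rather than silently dropped, since a malformed queue entry on a box where the web server is unprivileged is itself worth investigating.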
