Hello:

Here comes more concise and detailed info regarding the situation I am
presenting to the list.

I have tried to follow:

http://leaf.sourceforge.net/devel/thc/dox/lrp-list-howtos/LRP-ts-req-HowTo.html

It's nice to have such a guide.

on 10/5/02 9:16 PM, Ray Olszewski from <[EMAIL PROTECTED]> wrote:

> I don't think LEAF can handle the first of the problems you have. I think
> the relevant host has to handle them. But possibly I am misunderstanding
> what you need, so please see the more detailed response below.
> 
> Whether you can do what you want with respect to the second question
> depends, I think, on specifics of your setup that you left out of your
> description. Again, see the more detailed response below.


This is a commented diagram of the current setup:

Internet Gateway
           216.72.129.xxx
                  |
                  |
      LMMDS Wireless link to ISP network
                  |
                  |
           ISP router at building
           172.16.8.1 subnet mask: 255.255.255.0
                  |
   LRP: Eigerstein Beta 2
   ***************|**********
   *              |         *  Router offers:
   * eth0: 172.16.8.2       *  NAT for the LAN, portfw to internal
   *                        *  servers, SSH access from the outside
   * eth1: 192.168.0.1      *
   *              |         *
   ***************|**********
                  |
                  |
          Internal network
           192.168.0.0/24
                  |
                  |
              hub/switch
               | |  | |
               | |  | |    3 internal servers and several workstations:
               | |  | |
               | |  | |    Services offered by the servers:
               | |  | |
               | |  | |    - To the inside:proxy/cache (Squid),Socks5 proxy,
               | |  | |    authentication,DHCP,SMTP,IMAP,DNS
               | |  | |
               | |  | |    - To the outside: www
               | |  | |
               | |  | |    All servers and workstations
               | |  | |    use 192.168.0.1 as default gateway
               | |  | |
               | |  | |    Servers IP config is manual
               | |  | |
               | |  | |    Workstations get IP config via DHCP
               | |  | |
               | |  | +--- 192.168.0.2
               | |  |
               | |  +----- 192.168.0.3
               | |              .
               | |              .
               | |              .
               | +-------- 192.168.0.252
               |
               +---------- 192.168.0.253

What I would like to do is prevent users from changing the browser proxy
configuration at their workstations and then bypassing the proxy/cache, and also
to prevent unauthorized users from changing their e-mail app configuration and
becoming able to send/receive external e-mail using external e-mail servers.

Ideally, unauthorized users would only be able to use the local mail servers
and authorized users would be able to use both internal and external
servers.

> 
> At 07:51 PM 5/10/02 -0300, Omar Vasquez wrote:
>> Hello fellow LRP/Leaf users:
>> 
>> I am using LRP (Eigerstein BETA 2) to provide Internet connectivity and
>> to protect a small company LAN.
>> 
>> There are two situations that I need to solve with LRP:
>> 
>> 1.- An internal mail system is running on the LAN, but would like to
>> restrict SMTP, IMAP and POP traffic so only authorized users or machines
>> can send/receive mail to/from the outside.
> 
> Since clients actually on the LAN don't go through the LEAF router to
> connect to the server running the "internal mail system", you can't use it
> to restrict access by those machines to it (except by an extremely
> convoluted approach).
> 
> With respect to off-LAN traffic, if you can associate "authorized users or
> machines" with specific IP addresses or ranges, you can modify the INPUT
> chain in ipchains to accept port 25-bound traffic (or 110 or whichever port
> IMAP uses) only from those addresses. But that's not what people usually
> have in mind here.

I was thinking of using DHCP to associate "authorized machines" with
specific IP addresses or a range via IP leases based on MAC addresses.

> 
> OTOH, decent SMTP, POP3, and IMAP servers come with a range of possible
> authentication schemes designed to restrict who can use the services. So I
> suspect you will do better to solve this one at your mail server.

There is an authentication process for local SMTP/IMAP server access, but I
would like to prevent unauthorized users from connecting to external SMTP,
POP3, and IMAP servers by blocking all such traffic except for the traffic
from the local servers.

> 
>> 2.- A proxy server (Squid) is running, but would like to redirect all
>> http traffic at the firewall, so if users configure their browsers not
>> to use the proxy, all requests for web traffic at the gateway go to the
>> proxy server...(a transparent proxy, right?)
> 
> I assume here that the "firewall" and the "gateway" both refer to the LEAF
> router, but it's not clear if the Squid proxy server is also that same host
> or is a different one on the LAN. Please clarify that part.
> Also please clarify if your LAN uses private addresses and a NATing LEAF
> firewall, or if the hosts on it have their own "real" IP addresses. (And do you
> really want to proxy *only* http traffic, and not, say, https traffic?)

I used the words firewall and gateway to refer to the same LEAF router, and
the proxy server is on a different host. The LEAF router offers NAT for the
LAN, port forwarding to the internal servers and SSH access to it from the
outside. The ISP provides one public or "real" IP address, all other IP
addresses used are from the "private" IP address range.


Thanks,

Omar Vasquez
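An added example, not from the thread or from the LEAF project, of ipchains rules on the Eigerstein router for the two goals discussed above: the restriction Ray describes, letting only the internal mail servers reach external SMTP/POP3/IMAP, and keeping workstations on Squid by denying direct web access from everything except the proxy host. The mail-server and proxy addresses are assumed, since the thread does not give them; ipchains REDIRECT can only divert to a port on the router itself, so with Squid on another host, denying direct access is what the router can enforce.

```shell
#!/bin/sh
# Added example for the setup in the diagram; not from the thread or from the
# LEAF project. Emits ipchains rules for the Eigerstein router so that only
# the listed internal mail servers may reach external SMTP/POP3/IMAP, and only
# the Squid host may fetch web pages directly (workstations must use the proxy).
# The server addresses below are assumed; the thread does not give them.
LAN_IF=eth1                          # inside interface from the diagram
LAN=192.168.0.0/24
MAIL_OK="192.168.0.2 192.168.0.3"    # assumed: the internal mail servers
PROXY=192.168.0.4                    # assumed: the Squid host
MAIL_PORTS="25 110 143"              # SMTP, POP3, IMAP
WEB_PORTS="80 443"

# Print the rules unless DO=1 is set, so they can be reviewed first.
ipc() {
  if [ "${DO:-0}" = 1 ]; then ipchains "$@"; else echo "ipchains $*"; fi
}

# Hosts on the same subnet reach the local servers without crossing the
# router, so rules on the input chain of eth1 only see traffic leaving the LAN.
mail_rules() {
  for h in $MAIL_OK; do
    for p in $MAIL_PORTS; do
      ipc -A input -i "$LAN_IF" -p tcp -s "$h" -d 0.0.0.0/0 "$p" -j ACCEPT
    done
  done
  for p in $MAIL_PORTS; do
    ipc -A input -i "$LAN_IF" -p tcp -s "$LAN" -d 0.0.0.0/0 "$p" -l -j DENY
  done
}

# ipchains REDIRECT only diverts to a port on the router itself, so with Squid
# on another host the enforceable option is to deny direct web access from
# everything except the proxy; -l logs each denied attempt for review.
web_rules() {
  for p in $WEB_PORTS; do
    ipc -A input -i "$LAN_IF" -p tcp -s "$PROXY" -d 0.0.0.0/0 "$p" -j ACCEPT
  done
  for p in $WEB_PORTS; do
    ipc -A input -i "$LAN_IF" -p tcp -s "$LAN" -d 0.0.0.0/0 "$p" -l -j DENY
  done
}

mail_rules
web_rules
```

Run it once without DO to check the generated rules, then with DO=1 on the router to apply them; the ACCEPT rules are appended before the DENY rules so ordering is correct.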




------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html