Hello,

You can try this:

In /usr/local/pf/conf/iptables.conf

change:

:forward-internal-inline-if - [0:0]
%%filter_forward_inline%%

to:

:forward-internal-inline-if - [0:0]

-A forward-internal-inline-if --match mark --mark 0x1 -d 10.255.60.0/24 --jump DROP

%%filter_forward_inline%%


Then restart the iptables service.

Regards

Fabrice
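As an added example (not part of Fabrice's reply or of PacketFence itself), the following POSIX shell script generates the fragment of rules that goes in place of the single DROP line above: DNS to named servers is allowed first, replies to flows the guest opened are allowed, and everything else from an authorized guest into the corporate /8 is dropped, which matches what the question asked for. It assumes, as the reply does, that mark 0x1 is the mark PacketFence puts on authorized inline clients; the guest network is taken from the diagram in the question, and the two DNS server addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not PacketFence's own code: render the rule lines to insert in
# /usr/local/pf/conf/iptables.conf between the ":forward-internal-inline-if" chain
# declaration and the %%filter_forward_inline%% placeholder.
#
# Assumptions (not stated in the thread): mark 0x1 marks authorized inline clients,
# as in the reply above; the DNS addresses below are constructed sample values.

GUEST_NET="10.122.250.0/24"               # guest client network, from the diagram
ALLOWED_DNS="10.255.60.10 10.255.60.11"   # constructed sample corporate DNS servers
BLOCKED_NET="10.0.0.0/8"                  # the corporate /8 the guest must not reach

# Print the rules for the inline forward chain, most specific first.
# Order matters: iptables stops at the first matching rule.
render_guest_rules() {
    chain="forward-internal-inline-if"

    # Return traffic for flows the guest opened (DNS answers, internet replies)
    # must pass before the DROP, otherwise answers back into 10/8 are lost.
    echo "-A $chain -m mark --mark 0x1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Only the named resolvers may be reached, and only on port 53 (UDP and TCP).
    for dns in $ALLOWED_DNS; do
        echo "-A $chain -m mark --mark 0x1 -s $GUEST_NET -d $dns -p udp --dport 53 -j ACCEPT"
        echo "-A $chain -m mark --mark 0x1 -s $GUEST_NET -d $dns -p tcp --dport 53 -j ACCEPT"
    done

    # Everything else from an authorized guest into the corporate /8 is dropped;
    # traffic to any other destination (the internet) falls through to the
    # rules PacketFence generates at %%filter_forward_inline%%.
    echo "-A $chain -m mark --mark 0x1 -s $GUEST_NET -d $BLOCKED_NET -j DROP"
}

# Number of rules in the generated fragment, for a sanity check before restarting.
count_rules() {
    render_guest_rules | grep -c "^-A "
}

render_guest_rules
```

Paste the printed lines into iptables.conf above `%%filter_forward_inline%%`, restart the iptables service as the reply says, and confirm the chain with `iptables -nvL forward-internal-inline-if`: the packet counters on the DNS ACCEPT rules should rise when a guest resolves a name, and the DROP counter when it tries any other address in 10/8. Keeping the ESTABLISHED,RELATED rule first is what makes the blanket /8 DROP safe for the DNS answers the question wants to allow.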


On 20-09-04 at 08:12, INFO via PacketFence-users wrote:
Hi,

I have an inline configuration using 2 VM Cisco WLC for 200 AP. Not using Radius. PF is used only for Guest with Captive portal and using a specific group in AD.

All works correctly, but I have a problem when the user is authorized.

The guest must go only to the internet and not to the intranet.

The guest has a private NET in a private VLAN, but between PF and the internet there are many hops and many networks.

And the guest can now see all the net.

The guest crosses several networks without firewalls, and in these there are, for example, the corporate DNS, various MS Domain controllers and other things that it must not be able to access.

Basically I should enable the requests to the various DNS and the related responses, but then block a whole /8 net. I tried to do ACLs on the WLCs but they are a little weird and dangerous, and if I'm wrong I could do the company a disservice. How can I do it??

Client ----10.122.250./24--- PF--10.255.60.0/24-----Hop---hop-Firewall-----firewall---Router--AS Internet

The Guest can see the net 10.2550.60.0/24 and other nets up to the first firewall..

Who can show me how to make a simple firewall config for iptables.conf??

Thanks



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users