Simple user authorization to access the Internet using ipfw
- From the sandbox
- Tutorial
It used to be that sooner or later any network would run into another network. Today, when building the corporate network of any organization, it is hard to imagine it not being connected to the Internet. Therefore the first and most important server to set up is a router.
Since I never liked Linux (though, honestly, I started with it), I chose FreeBSD as my server OS long ago. There is plenty of information on the Internet about configuring routing on FreeBSD. But what if you need to let onto the Internet not only known (trusted) devices, but also new ones that must first be authorized? For example, in a public place such as a cafe or hotel.
What do we have?
To start with, we have a router and a network with both wired and wireless access (does anyone still run cables?). Naturally, it is better to forbid the two segments from talking to each other, but we will not cover how to do that here, since everyone has their own hardware and options.
A user who has joined the network should not simply be blocked; otherwise he will not know what to do and will be stuck, so a plain deny ip from any to any will not suit us. Instead, all unknown clients must be redirected to a single page that contains the instructions and performs the authorization.
There are two options.
The first is to run all traffic through a proxy, which then decides who is friend and who is foe and what reply each should get. But given how much data users consume today, and with unlimited tariffs cheap enough that even businesses get good speeds, I see no reason to accumulate that data on my own storage.
So I took the second route: the firewall decides who goes where. Here is what my solution looks like in ipfw.
I use ipnat, so ipfw will only contain rules allowing traffic out to the external network; there will be no divert rules as there would be with natd. First we create a table of the users we will let out to the external network:
ipfw table 1 add 192.168.0.1
ipfw table 1 add 192.168.0.2
Next comes the rule allowing traffic to the Internet via the external interface rl1:
ipfw add allow ip from table\(1\) to any out via rl1 keep-state
Now all our known machines can use the Internet. New clients, however, simply get an error that the server was not found.
For them we add a separate rule:
ipfw add fwd 127.0.0.1,9832 ip from not table\(1\) to any out via rl1
Thus all traffic from unknown users is redirected to port 9832, on which we will run a web server serving the information we need.
A small digression: fwd forwards the packet to the specified address but does not modify it. If you forward it to some other web server on the network, that server will simply reject it, because the destination address is not its own. Hence the packets can only be intercepted and processed locally, on the router itself.
Since a full-fledged web server is not needed here, there is no point in running Apache or nginx for this. I would recommend looking at micro_httpd, mini_httpd or lighttpd.
Just remember to add a rule to allow traffic within the network through the rl0 interface:
ipfw add allow ip from 192.168.0.0/24 to 192.168.0.0/24 via rl0
or, better, open only what is actually needed:
ipfw add allow tcp from 192.168.0.0/24 to me 9832 in via rl0 keep-state
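To see how the rules above fit together, here is an added example (not from the original post) that models ipfw's first-match evaluation of exactly this rule set: table(1) as a Python set, the `authorize` step the portal page would perform (`ipfw table 1 add <ip>`), and a `decide` function that returns what the firewall does with a packet. The router address, the default-deny last rule and the sample addresses are assumptions for the demo.

```python
from dataclasses import dataclass

LAN = "192.168.0."          # the 192.168.0.0/24 segment used in the post
ROUTER = "192.168.0.254"    # assumed router address ("me" in the ipfw rule)
PORTAL_PORT = 9832          # port the captive-portal web server listens on

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp", ...
    dport: int
    direction: str          # "in" or "out"
    iface: str              # "rl0" (LAN) or "rl1" (external)

# ipfw table 1: the authorized clients, seeded with the two hosts from the post
authorized = {"192.168.0.1", "192.168.0.2"}

def authorize(ip: str) -> None:
    """Equivalent of `ipfw table 1 add <ip>` once the portal accepts a client."""
    if not ip.startswith(LAN):
        raise ValueError("only LAN clients can be authorized: " + ip)
    authorized.add(ip)

def decide(p: Packet) -> str:
    """Walk the rules in the order the post adds them; the first match wins."""
    in_lan = p.src.startswith(LAN)
    # ipfw add allow ip from table(1) to any out via rl1 keep-state
    if p.src in authorized and p.direction == "out" and p.iface == "rl1":
        return "allow"
    # ipfw add fwd 127.0.0.1,9832 ip from not table(1) to any out via rl1
    if p.src not in authorized and p.direction == "out" and p.iface == "rl1":
        return "fwd 127.0.0.1,%d" % PORTAL_PORT
    # ipfw add allow tcp from 192.168.0.0/24 to me 9832 in via rl0 keep-state
    if (in_lan and p.dst == ROUTER and p.proto == "tcp"
            and p.dport == PORTAL_PORT and p.direction == "in" and p.iface == "rl0"):
        return "allow"
    return "deny"           # assumed default-deny rule 65535 at the end

if __name__ == "__main__":
    # constructed sample: an unknown client (192.168.0.7) before and after
    # authorization, and the same client knocking on the router's SSH port
    unknown_web = Packet("192.168.0.7", "198.51.100.10", "tcp", 80, "out", "rl1")
    print(decide(unknown_web))                                        # fwd 127.0.0.1,9832
    print(decide(Packet("192.168.0.7", ROUTER, "tcp", 22, "in", "rl0")))  # deny
    authorize("192.168.0.7")
    print(decide(unknown_web))                                        # allow
```

The model also shows why the portal must run on the router: a packet from an unknown client to any other LAN host matches none of the allow rules under the stricter rl0 rule.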
I chose micro_httpd as the simplest and most convenient service for this case.
Install it from ports:
cd /usr/ports/www/micro_httpd
make install clean
Since it is just a binary, not a daemon, it does not sit in memory consuming resources. When a request arrives on the given port, inetd runs it with a parameter; it processes the request and returns the result.
We configure inetd by adding the following to /etc/inetd.conf (in one line):
micro_httpd stream tcp nowait nobody /usr/local/sbin/micro_httpd micro_httpd /var/www
where /var/www is the web server's document root. Then add an entry
to /etc/services:
micro_httpd 9832/tcp #micro_httpd
where 9832 is the port the web server listens on.
In /var/www we put an index.html with the content we need.
Restart inetd (or reboot the server) and test.