From: "Seferovic Edvin"
Subject: Netfilter and Poptop ( and stuff ... )
Date: Mon, 10 Oct 2005 08:28:37 +0200
To: netfilter@lists.netfilter.org, poptop-server@lists.sourceforge.net

Hi,

first of all - excuse me for mailing this to two mailing lists at once, but I am hoping to get more answers from your experience with poptop and netfilter.

Here is my situation - I've configured a gateway with poptop (which uses RADIUS for auth/acct - which again uses LDAP as auth-backend and mySQL for accounting). This gateway has 2 internal and one external interface (with public routeable IP address). One internal interface is used to build a restricted network for unknown machines, and the second one is used as a gateway for the known machines. Now - I would like to allow my VPN users internet access, but not to all machines on the internal network. So I have to use NAT on the tunnel endpoints (ppp+ interfaces), right?

I wanted to make this as easy as possible, but as always - I took the wrong turn... probably by choosing Firewall Builder to help me get my firewall set up. I achieved everything, but I cannot configure ppp+ interfaces in FW-Builder? Does anyone have a hint for me? Is this possible anyway (please don't tell me I have to configure 150 ppp interfaces in FW-Builder)???

I suppose it would be more secure to enter a firewall rule every time a ppp interface comes up (by using scripts like ip-up from pppd)? Do I have to enter a NAT rule for each interface then? Any performance thoughts when having 150+ interfaces at the same time?

Nevertheless I would also like to redirect http traffic going from a NATed ppp+ interface to my squid process - how does this combined rule look like?

Sorry for this huge eMail, and amateur questions... I hope at least a few of the gurus out there will be able and willing to help me out...

Thank you in advance!

Regards,

Edvin Seferovic
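As an added example (not part of Edvin's mail or of any reply to it): one way to express the NAT, the squid redirect and the "internet yes, LAN mostly no" restriction with a single wildcard `ppp+` match, so nothing has to be added per tunnel from ip-up. The interface names, VPN address pool, allowed LAN host and squid port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail. Placeholders (assumptions):
# eth0 = external interface, eth1 = LAN of the known machines,
# 10.10.0.0/24 = address pool handed to pptp clients, squid on port 3128,
# 192.168.1.10 = the single LAN host VPN users may reach.
# IPT defaults to a dry run that prints the commands; run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0
LAN_IF=eth1
VPN_IF='ppp+'              # wildcard: one rule covers ppp0 ... ppp150
VPN_POOL=10.10.0.0/24
SQUID_PORT=3128
ALLOWED_LAN_HOST=192.168.1.10

vpn_nat_rules() {
    # POSTROUTING cannot match -i, so NAT is keyed on the VPN pool instead;
    # one MASQUERADE rule serves every tunnel, nothing to add from ip-up.
    $IPT -t nat -A POSTROUTING -s "$VPN_POOL" -o "$EXT_IF" -j MASQUERADE
    # Transparent proxy for HTTP from any tunnel. REDIRECT runs in PREROUTING,
    # before routing and before the POSTROUTING MASQUERADE, so the two rules
    # combine without interfering.
    $IPT -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

vpn_forward_rules() {
    # Replies to flows the tunnels opened.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Tunnels may reach the internet ...
    $IPT -A FORWARD -i "$VPN_IF" -o "$EXT_IF" -j ACCEPT
    # ... and exactly one internal host; everything else on the LAN is dropped.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$ALLOWED_LAN_HOST" -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j DROP
    # The redirected HTTP connections terminate on the gateway itself.
    $IPT -A INPUT -i "$VPN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Number of rules that match a given incoming interface; the wildcard keeps
# this constant however many ppp interfaces are up.
rules_for_iface() {
    { vpn_nat_rules; vpn_forward_rules; } | grep -c -- "-i $1 " || true
}

apply_all() {
    vpn_nat_rules
    vpn_forward_rules
}
```

Source the file and call `apply_all` to see the dry-run output; with `IPT=iptables` the same call installs the rules.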