temporary IP addition to firewall rules

Erik Norgaard norgaard at locolomo.org
Sun Feb 4 21:52:09 UTC 2007


Noah wrote:

> the servers and clients are not on the same LAN segment.  capturing MAC 
> has nothing to do with this scenario.

You haven't exactly told a lot about the network you want to set up. The 
logical thing is to authenticate against the firewall connected to the 
same subnet - and that will know the MAC address. The same setup is 
assumed in the scenario using pfauth (or is it authpf).

Also, unless you are going to give a lot of instructions to people on 
how to configure their network, you will have a DHCP server on the same 
subnet - why not let that also do the web service for user management?

You haven't told us either how people connect - is it wireless or wired? 
Some access points support people authenticating with WPA+something, and 
the access point will verify against a RADIUS server. And there are 
other possibilities depending on your setup.

But whichever way you set up your network, I think the best solution is 
for people to establish an IPSec tunnel to the firewall, such that all 
traffic not destined for the local subnet must be tunneled through that. 
This gives you maximum control - you can even set up your firewall so 
that traffic coming in on an IPSec tunnel is also filtered.

Cheers, Erik
-- 
Ph: +34.666334818                      web: http://www.locolomo.org
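An added illustration, not part of Erik's message and not taken from the FreeBSD project's documentation, of the two mechanisms he mentions: per-user rules loaded through authpf anchors, and filtering decrypted IPsec traffic on the enc(4) interface rather than trusting it because it arrived through a tunnel. The interface names, subnet and port list are assumptions, and the two files are shown in one fragment for brevity.

```pf
# /etc/pf.conf fragment (added example; interface names and addresses are assumed)
ext_if  = "em0"             # assumed uplink interface
int_if  = "em1"             # assumed interface facing the client subnet
int_net = "192.168.1.0/24"  # assumed client subnet

# Default deny: a client gets connectivity only through an authpf session
# for its address or through the IPsec tunnel.
block all

# Clients must be able to reach the firewall itself for SSH (authpf login)
# and for IKE/ESP to bring up the tunnel.
pass in on $int_if proto tcp from $int_net to ($int_if) port 22 keep state
pass in on $ext_if proto udp from any to ($ext_if) port 500
pass in on $ext_if proto esp from any to ($ext_if)

# IPsec: decrypted packets reappear on enc0 (requires the enc pseudo-device
# in the kernel), so they are filtered like any other traffic.
pass in on enc0 proto tcp from $int_net to any port { 22, 80, 443 } keep state

# authpf: when a user whose shell is /usr/sbin/authpf logs in over SSH, the
# rules from /etc/authpf/authpf.rules are loaded into this anchor for that
# user's source address and removed again when the SSH session ends.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"
anchor       "authpf/*"

# /etc/authpf/authpf.rules (added example); authpf substitutes $user_ip
# with the address of the authenticated client.
pass in  quick on $int_if from $user_ip to any keep state
pass out quick on $int_if from any to $user_ip keep state
```

Without the four anchor lines the authpf login succeeds but the per-user rules have nowhere to be loaded, so the client stays blocked; and without the `enc0` rule, tunneled traffic would be dropped by the default `block all` even after successful decryption.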