Hi All,


Just a brief note here FYI.


One of my clients wants to run a Firewall\Content Filtering box within their organization. The challenge was that he wanted to keep two different user groups separate from each other. I looked at the “Orange As Green” mod here, http://firewalladdons.sourceforge.net/misc.html but that breaks IPCop Ver 1.4.10 so is no good unless you want to go back to Ver 1.3.x. Not really advisable IMHO.


A quick post to a forum and shortly I was rewarded with the email and accompanying file below from the author of the mod himself.


I’m posting this here in case anyone would like to do the same as I am planning.


I’m unsure as to the content of the suggested changes so if anyone sees anything nasty here please let me know!


Thanks,


Dave Watkins


-------------------------------------------------------------------------------------------


Hi, Abacus!

I wrote the original orange-as-green, but in the 1.4, it has mostly outdone its part, and therefore I didn't update it.

1. It will not work on 1.4, more probably it will break it.

2. It will work, but I'm not sure about the authentication.

3. Change your configuration to RED-BLUE-GREEN,
log into ipcop at command line
run "cat /var/ipcop/ethernet/settings" and find what device is blue, the line blue_dev=
run "vi /etc/rc.d/rc.firewall.local"
and make it look like this (replace <blue_dev> with whatever you found in the settings file)

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
    start)
        ## add your 'start' rules here
        # eth0 is assumed to be the GREEN device here; confirm it against the
        # GREEN_DEV= line in the same settings file you read BLUE_DEV from.
        # The two DROP rules must come before the blanket ACCEPT for blue,
        # since iptables uses the first matching rule.
        /sbin/iptables -A CUSTOMFORWARD -i <blue_dev> -o eth0 -j DROP
        /sbin/iptables -A CUSTOMFORWARD -i eth0 -o <blue_dev> -j DROP
        /sbin/iptables -A CUSTOMINPUT -i <blue_dev> -j ACCEPT
        /sbin/iptables -A CUSTOMFORWARD -i <blue_dev> -j ACCEPT
        ;;
    stop)
        ## add your 'stop' rules here
        /sbin/iptables -F CUSTOMINPUT
        /sbin/iptables -F CUSTOMFORWARD
        ;;
    reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac


This will bypass the wireless rules that are normal on the blue interface, deny all traffic between green and blue, and allow all other traffic from blue.


------------------------------------------------------------------------------------------------------------------------
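The rc.firewall.local above hard-codes eth0 as the green device and relies on hand-editing <blue_dev>. The script below is an added example, not part of the original mail or of IPCop itself: it reads both BLUE_DEV and GREEN_DEV from an IPCop-style settings file, refuses to emit rules if either is missing or if they name the same device, and prints the same four rules in the same order (DROP both directions between blue and green first, then ACCEPT from blue). The settings file content is constructed for the example; on a real box the file is /var/ipcop/ethernet/settings.

```shell
#!/bin/sh
# Added example (not from the original thread): derive the blue and green
# device names from an IPCop-style ethernet settings file and emit the
# isolation rules, instead of hard-coding eth0 for green.

# Return the value of key $2 (case-insensitive) from settings file $1.
setting() {
    grep -i "^$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d "'\"\r"
}

# Print the iptables commands that isolate BLUE from GREEN while letting BLUE
# reach everything else (same policy as the rc.firewall.local in the mail).
# Arguments: settings file, iptables binary (default /sbin/iptables).
# Returns 1 without printing anything if the devices cannot be determined.
isolation_rules() {
    file=$1
    ipt=${2:-/sbin/iptables}
    blue=$(setting "$file" BLUE_DEV)
    green=$(setting "$file" GREEN_DEV)
    if [ -z "$blue" ] || [ -z "$green" ]; then
        echo "error: BLUE_DEV or GREEN_DEV not set in $file" >&2
        return 1
    fi
    if [ "$blue" = "$green" ]; then
        echo "error: BLUE_DEV and GREEN_DEV are the same device ($blue)" >&2
        return 1
    fi
    # Order matters: the DROP rules must come before the blanket ACCEPT,
    # because iptables stops at the first matching rule in a chain.
    printf '%s -A CUSTOMFORWARD -i %s -o %s -j DROP\n' "$ipt" "$blue" "$green"
    printf '%s -A CUSTOMFORWARD -i %s -o %s -j DROP\n' "$ipt" "$green" "$blue"
    printf '%s -A CUSTOMINPUT -i %s -j ACCEPT\n' "$ipt" "$blue"
    printf '%s -A CUSTOMFORWARD -i %s -j ACCEPT\n' "$ipt" "$blue"
}

# Write a constructed sample settings file to $1 (layout mimics IPCop's
# KEY=value lines; the device names are made up for this example).
make_sample_settings() {
    cat > "$1" <<'EOF'
CONFIG_TYPE=3
GREEN_DEV=eth0
BLUE_DEV=eth2
RED_DEV=eth1
EOF
}

# Usage: generate the rules from the sample file and print them.
tmp=$(mktemp)
make_sample_settings "$tmp"
isolation_rules "$tmp"
rm -f "$tmp"
```

Run it once to review the generated rules before pasting them into the start) branch of rc.firewall.local; the same-device check catches the case where a copy-and-paste left both lines pointing at the green NIC, which would silently drop green traffic instead of isolating blue.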

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
