Hello,
Thank you for your reply. I have restarted after the configuration change; I 
am still getting the same message.
Here is my /usr/local/pf/var/conf/iptables.conf


# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart

# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
*filter

### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# HTTPS for email confirmation or sponsor activation on the captive portal (if enabled)


:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# DNS
# allow unregistered users and isolated users to reach it for DNAT purposes but prevent registered ones
-A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x1 --jump DROP
# HTTP (captive-portal)
# prevent registered users from reaching it
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT

### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

:OUTPUT ACCEPT [0:0]

# These will redirect to the proper chains based on conf/pf.conf's configuration
-A INPUT --in-interface eth1 -d 172.24.1.1 --jump input-internal-inline-if
-A INPUT --in-interface eth1 -d 255.255.255.255 --jump input-internal-inline-if
-A INPUT --in-interface eth1 -d 192.168.1.10 --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A FORWARD --in-interface eth1 --jump forward-internal-inline-if
-A INPUT --in-interface eth0 --jump input-management-if
-A FORWARD --in-interface eth0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
-A prerouting-int-inline-if --jump MARK --set-mark 0x3
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eth1 --jump prerouting-int-inline-if
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
-A prerouting-int-inline-if --protocol udp --destination-port 53 --match mark --mark 0x3 --jump REDIRECT
-A prerouting-int-inline-if --protocol udp --destination-port 53 --match mark --mark 0x2 --jump REDIRECT
-A prerouting-int-inline-if --protocol tcp --destination-port 80 --match mark --mark 0x3 --jump REDIRECT
-A prerouting-int-inline-if --protocol tcp --destination-port 80 --match mark --mark 0x2 --jump REDIRECT
-A prerouting-int-inline-if --protocol tcp --destination-port 443 --match mark --mark 0x3 --jump REDIRECT
-A prerouting-int-inline-if --protocol tcp --destination-port 443 --match mark --mark 0x2 --jump REDIRECT
:POSTROUTING ACCEPT [0:0]
#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
:postrouting-int-inline-if - [0:0]
-A postrouting-int-inline-if --jump MASQUERADE

:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eth1 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eth0 --match mark --mark 0x3 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eth0 --match mark --mark 0x1 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eth0 --match mark --mark 0x2 --jump postrouting-int-inline-if
COMMIT



Osman Kazdal
[email protected]

  /"\
  \ /    ASCII Ribbon Campaign
   X      against HTML e-mail
  / \

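As an added example (not from Osman's mail or from PacketFence), a small Python evaluator for the iptables-restore syntax above, run over a constructed subset of the posted filter table: it traces a client packet arriving on eth1 through INPUT and FORWARD according to its fwmark, which makes visible that only mark 0x1 traffic is ever forwarded, while 0x3 traffic is accepted only towards the portal address. Assumed: the inline address 172.24.1.1 taken from the file, and a parser that handles only the option forms that appear in it.

```python
# Added example (not from the mail or PacketFence): trace a packet through the posted filter rules
RULES = """\
:INPUT DROP [0:0]
:input-internal-inline-if - [0:0]
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
:FORWARD DROP [0:0]
:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT
-A INPUT --in-interface eth1 -d 172.24.1.1 --jump input-internal-inline-if
-A FORWARD --in-interface eth1 --jump forward-internal-inline-if
"""  # constructed subset of the iptables.conf quoted above (filter table only)
# iptables option -> packet field ("--match <ext>" only loads an extension and is skipped)
OPTS = {"--in-interface": "iif", "--protocol": "proto", "--dport": "dport", "--mark": "mark",
        "-d": "dst", "--state": "state", "--jump": "target"}

def parse(text):
    # Returns ({chain: policy, None for user chains}, {chain: [rule, ...]}) in file order
    policy, chains = {}, {}
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0].startswith(":"):
            policy[tok[0][1:]] = None if tok[1] == "-" else tok[1]
            chains[tok[0][1:]] = []
        elif tok[0] == "-A":
            rule = {}
            for opt, val in zip(tok[2::2], tok[3::2]):
                if opt != "--match":
                    key = OPTS[opt]
                    rule[key] = int(val, 0) if key in ("dport", "mark") else val
            chains[tok[1]].append(rule)
    return policy, chains

def verdict(chain, pkt, policy, chains):
    # First matching terminal target wins; a user chain that falls through returns to its caller
    for rule in chains[chain]:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            if rule["target"] not in chains:
                return rule["target"]
            sub = verdict(rule["target"], pkt, policy, chains)
            if sub is not None:
                return sub
    return policy[chain]  # built-in chain policy (DROP here) when nothing matched

def trace(mark, proto, dport, dst):
    # Verdict for a client packet arriving on eth1 carrying the fwmark the mangle table set
    policy, chains = parse(RULES)
    pkt = {"iif": "eth1", "proto": proto, "dport": dport, "mark": mark, "dst": dst}
    chain = "INPUT" if dst == "172.24.1.1" else "FORWARD"  # local delivery vs. forwarding
    return chain, verdict(chain, pkt, policy, chains)
```

`trace(0x3, "tcp", 443, "8.8.8.8")` returns `("FORWARD", "DROP")`: with the mangle PREROUTING rule stamping every eth1 packet 0x3, nothing leaves towards eth0 until something re-marks the client's traffic 0x1.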

On 06/14/2012 04:01 PM, Olivier Bilodeau wrote:
> On 06/14/2012 06:06 AM, Osman Kazdal wrote:
>> Hello,
>> I have a fresh 3.4.0 installation. I am trying inline enforcement with 2
>> interfaces.
>>
>> I have set trapping.registration=enabled and created a few local users.
>> It works fine.
>>
>> When I set trapping.registration=disabled I am getting the message "Your
>> network should be enabled within a minute or two. If it is not reboot
>> your computer." no matter what I do. The message looks fine but I never
>> get connected.
>>
>> I want my users to connect without registration for now... How can i
>> achieve that?
>
> It should be trapping.registration=disabled.. Have you restarted
> PacketFence after the configuration change?
>
> If so and it still doesn't work, can you post your
> /usr/local/pf/var/conf/iptables.conf to the list please.
>
> Cheers!

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
