Good morning

I'm using PacketFence ZEN 4.1.0. My needs are simply to manage the access
of guests through the approval of a sponsor for Internet browsing and to
trace their activities.
I configured ZEN with a management interface eth0 on my internal network,
and an interface of type "inline" for the guests to land on. I configured
ZEN to authenticate sponsors through internal LDAP/AD.

Questions:

1) I would like to disable the ability to send the guest's PIN by email and
customize it instead to send the PIN by invoking a command over SSH to our
SMS gateway, in this format:
"ssh inviosms NetEye -vip /usr/local/bin/sendsms NUM_DI_TEL ' MESSAGE
CONTENT '"
because in Italy there are no free email-to-SMS services...
I saw that it's possible to enter the command to be sent in the CGI script
sms_activation.pm, but at which point exactly? Can someone help me?
I would like the SMS to be sent only after the sponsor has authorized
access... it would be perfect...

2) I have enabled forwarding in the kernel by changing sysctl.conf and
I had to comment out the rule in iptables:
:postrouting-int-inline-if - [0:0]
# %%nat_postrouting_inline%%
The problem is that now guests can access my internal network, not
exclusively surf the Internet... how could I limit this access?
Configuring iptables.conf directly is very drastic, and with PF managing
it I can't use a simple graphical tool... maybe by adding a new
out-of-band interface through which to route Internet traffic, managed by
a firewall directly connected to that interface... but when I tried, I
obtained bad results: httpd.portal wasn't allowed for sponsors coming in
from the management interface. At the moment I had to add iptables rules
also to allow sponsors to grant access from the management interface:

:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport %%webservices_port%% --jump ACCEPT
# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# HTTPS for email confirmation or sponsor activation on the captive portal (if enabled)
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
%%input_mgmt_guest_rules%%


3) How do I forward the PF logs to our SIEM?


Thanks in advance for helping me, and sorry for my bad English; I hope to be
understood.
Best regards

Antonino Moreschi
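
One way to handle question 2 (guests on the inline interface reaching the internal network) with a dedicated FORWARD chain, as an added example that is not part of the original mail and not PacketFence's own code; the interface name eth1, the guest and internal subnets, the chain name and the log prefix are assumptions:

```shell
#!/bin/sh
# Added example, not from the mail or from PacketFence itself: FORWARD rules
# that let the inline guest subnet reach the Internet but not the internal
# network. Interface name, subnets and chain name are assumptions.
# By default the rules are only printed (dry run); set APPLY=1 to really
# program the firewall.
IPT="${IPT:-iptables}"
INLINE_IF="${INLINE_IF:-eth1}"               # assumed inline (guest) interface
GUEST_NET="${GUEST_NET:-192.168.200.0/24}"   # assumed inline guest subnet
# Ranges guests must never reach (assumed internal networks, RFC 1918).
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"

guest_forward_rules() {
    # Dedicated chain so it can be flushed and rebuilt without touching
    # the rules PacketFence generates from iptables.conf.
    $IPT -N guest-forward 2>/dev/null || true
    $IPT -F guest-forward
    # Packets belonging to flows that are already allowed (return traffic).
    $IPT -A guest-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Guest -> internal range: log a rate-limited sample (usable for the
    # SIEM question as well) and drop the packet.
    for net in $INTERNAL_NETS; do
        $IPT -A guest-forward -s "$GUEST_NET" -d "$net" -m limit --limit 5/min \
            -j LOG --log-prefix "PF-guest-to-internal: "
        $IPT -A guest-forward -s "$GUEST_NET" -d "$net" -j DROP
    done
    # Anything else from the guest subnet is Internet-bound: allow it.
    $IPT -A guest-forward -s "$GUEST_NET" -j ACCEPT
    # Evaluate this chain before the existing FORWARD rules for the inline interface.
    $IPT -I FORWARD 1 -i "$INLINE_IF" -j guest-forward
}

# Dry run unless APPLY=1: "echo" prints each iptables command instead of running it.
[ "${APPLY:-0}" = "1" ] || IPT=echo
guest_forward_rules
```

Since PacketFence rewrites the firewall from the iptables.conf template referenced above, the equivalent lines belong in that template's inline section rather than being applied by hand, or they are lost the next time PacketFence regenerates its rules.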


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users