"Michael C. Robinson" <[email protected]> writes:

> 1) I want to go from clear text passwords in flat text files accessed by a
> perl based cgi script to possibly salted passwords in a database.
>
> 2) I want a daemon operating on the firewall machines that can detect
> inactivity and close out that host(s).
>
> 3) I want redirecting when a user tries to go out and the firewall is
> closed, but I don't want to force everyone through a proxy.
>
> 4) I want my web page to have a feature that allows web based adding
> and editing of computers, users, passwords, and access profiles.
>
> 5) I want a black list and/or a white list of Internet sites, but I
> don't want to implement this via a proxy. OpenDNS would be the
> preferred way to implement this.
>
> I don't know how to do 1-5.
I hope you will take this the right way, but it doesn't sound like you are
entirely clear on what you are trying to do: parts of that seem unconnected
to the discussion at hand, and other parts are ... well, "inefficient", to
say the least.

> Concerning 2, I wonder if sleeping computers will answer ping probes?

It depends, but generally not.[1]

> With regard to a daemon, I'm not certain how to write one let alone how to
> detect inactivity across a firewall for a specific period of time. Item 3
> is done on PSU's wireless network, but maybe they use a proxy.

http://en.wikipedia.org/wiki/Captive_portal - includes links to FOSS
implementations.

> Item 4 is something of an upgrade to my existing system. Item 5 seems to be
> a necessity to get around OpenDNS's shortcomings.

...only because you are dedicated to not using a proxy, which means that you
are working very hard to make this more difficult for yourself.

(Also, are you aware that bypassing the OpenDNS stuff would be trivial in
most cases, unless you are otherwise blocking access to other resolvers?)

> If I have to blacklist locally and I can do this without using a proxy,
> maybe I can integrate editing of the black lists/white lists into my
> existing web page. I can use php or perl I suppose.
>
> Can I throw packets to user space, find out where they are trying to go,
> check if a name on a black list or white list resolves to the destination
> IP, and then dynamically decide what to do with the packet at the packet
> layer?

Yes, but why would you do that? If you want to blacklist or whitelist[2]
then just do that with a static iptables ruleset - and refresh the DNS
resolution periodically to ensure it doesn't drift on you. (Given most of
what you want to block are commercial operations that should be a fairly
rare problem.)

> What is the best way to do this?

Use a proxy. Seriously. Failing that, use the firewall to REJECT packets
to the places you don't want them to go.
> Should I implement a DNS based ip blacklist where external ip addresses are
> mapped to 127.0.0.x addresses? Maybe I should mimic postfix's hash files
> and read these files using perl. I'm thinking something like:
>
> some.bad.site DROP # Blacklisted
> some.good.site ACCEPT # Whitelisted
> . . .
>
> I guess I need a simple caching name server that updates every time the
> retrieved information can change to go the hash file route. The cache
> should be populated with the listed names.

...or you could just block access with iptables, or use a proxy which will
do this all for you, for free, and *vastly* more effectively.

> I guess one option is to have an iptables chain called whitelist and another
> one called blacklist. Trouble is, how do I keep the ip addresses in these
> chains correct? One look up is enough, I don't want to check every single
> packet.

Give a DNS name to the source or destination address passed to iptables, and
it will do a lookup at the time the rule is created.

Daniel

Footnotes:
[1] Technically, the answer is no, but at least modern Mac systems can
    cooperate with the Apple AirPort base station to have it wake them when
    someone tries to communicate over the network, meaning that they
    practically appear this way. (Also, definitions of "sleep" can vary :)

[2] ...and I don't quite know how you propose to handle sites that are not
    on either list?

--
✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
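The static-ruleset approach Daniel describes (resolve the listed names when the rules are created, refresh periodically so the addresses don't drift), worked through as an added example for the whitelist/blacklist chains Michael asks about. This is not code from Daniel, Michael or the PLUG thread. The list format is the "name ACTION # comment" one Michael sketched; the list path, the chain names site_whitelist/site_blacklist, resolution via getent, and hooking the chains into FORWARD are all assumptions made here:

```shell
#!/bin/sh
# Added example (not code from the thread): rebuild two iptables chains,
# site_whitelist and site_blacklist, from a hosts-file-style list of the
# form Michael sketched ("some.bad.site DROP # Blacklisted"). Names are
# resolved once, at rule-creation time, and the script is meant to be
# re-run from cron so the resolution is refreshed rather than left to drift.
# Assumptions (not from the thread): the list path, the chain names, the
# use of getent for resolution, and hooking the chains into FORWARD.
set -eu

IPTABLES="${IPTABLES:-iptables}"                   # set IPTABLES=echo for a dry run
LIST_FILE="${LIST_FILE:-/etc/firewall/sites.list}" # assumed location
WHITELIST=site_whitelist
BLACKLIST=site_blacklist

# Resolve a name to its IPv4 addresses, one per line. Kept as a separate
# function so it can be replaced for offline testing.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Turn the list into "name ACTION" pairs: comments and blank lines are
# dropped, and only ACCEPT/DROP/REJECT are accepted as actions.
parse_list() {
    sed 's/#.*//' "$1" |
        awk 'NF == 2 && ($2 == "ACCEPT" || $2 == "DROP" || $2 == "REJECT") { print $1, $2 }'
}

# Print one "chain address target" triple per resolved address. ACCEPT
# entries feed the whitelist chain; DROP/REJECT entries feed the blacklist.
# A name that does not resolve produces no rules and a warning on stderr,
# so it is never silently replaced by a wrong address.
gen_rules() {
    parse_list "$1" | while read -r name action; do
        ips=$(resolve_v4 "$name")
        if [ -z "$ips" ]; then
            echo "warning: $name did not resolve; no rule generated" >&2
            continue
        fi
        echo "$ips" | while read -r ip; do
            case "$action" in
                ACCEPT) echo "$WHITELIST $ip ACCEPT" ;;
                *)      echo "$BLACKLIST $ip $action" ;;
            esac
        done
    done
}

# Resolve everything first, then flush and refill the chains. If nothing
# resolved at all (for instance during a DNS outage) the existing rules are
# left in place rather than replaced by empty chains. The whitelist chain is
# consulted before the blacklist chain, so an ACCEPT entry wins; addresses
# on neither list fall through to the rest of the FORWARD chain.
apply_rules() {
    rules=$(gen_rules "$1")
    if [ -z "$rules" ]; then
        echo "error: no rules generated; leaving chains untouched" >&2
        return 1
    fi
    for chain in "$WHITELIST" "$BLACKLIST"; do
        "$IPTABLES" -N "$chain" 2>/dev/null || true      # create if missing
        "$IPTABLES" -F "$chain"                           # drop stale addresses
        "$IPTABLES" -C FORWARD -j "$chain" 2>/dev/null ||
            "$IPTABLES" -A FORWARD -j "$chain"            # hook in once
    done
    echo "$rules" | while read -r chain ip target; do
        "$IPTABLES" -A "$chain" -d "$ip" -j "$target"
    done
}

# Usage: sh site-lists.sh apply   (e.g. hourly from cron)
if [ "${1:-}" = "apply" ]; then
    apply_rules "$LIST_FILE"
fi
```

Run it as `sh site-lists.sh apply` from cron at whatever interval the listed sites' DNS records are likely to change; `IPTABLES=echo sh site-lists.sh apply` prints the commands instead of running them. Flushing and refilling leaves a short window with empty chains; if that matters, generate the rules into an iptables-restore file instead. As Daniel's footnote [2] points out, hosts on neither list are decided by whatever already follows the two jumps in FORWARD, so that policy still has to be chosen deliberately.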
