Subject: Re: Building IP-login (ipfw or what)
To: Petter Lindquist <pollen@astrakan.hig.se>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-net
Date: 04/05/2003 04:20:41
On 1049461671 seconds since the Beginning of the UNIX epoch
Petter Lindquist wrote:
>

>You get IP number from dhcp. Your traffic is blocked in the router until
>you have successfully logged in. Preferably via a web page to which you
>are automatically redirected until you've logged in.
>
>I thought this was "well known". :) There exist a couple of "nice"
>solutions, but none based on netbsd. :(
>
>What's needed is a smooth way of adding/removing ip addresses from the
>accept/deny ipf rules. (Rewriting /etc/ipf.conf for every change isn't
>what I call a "smooth" way)

With IPF on NetBSD, it will build the new ruleset in the inactive
list and transition to it in an atomic way, which will be, from the
perspective of system behaviour, completely smooth.

And this is much smoother than what you get on most systems where
there are real problems transitioning from one valid ruleset to
another valid ruleset without accidentally traversing invalid
rulesets.  (Where invalid generally means insecure.)

But for your problem which is actually quite simple, you are just
adding and deleting IP addresses one at a time, right?  So, why
not just do something like:

block in from dhcp_range/24 to any

Then when you enable one, you just do something like:

echo pass in from ip_addr/32 to any | ipf -f -

The rule will be appended after all existing rules.  Since the
rules are last match wins, the rule that you added will take
precedence over the block.

To remove it, just

echo pass in from ip_addr/32 to any | ipf -rf -

and it will be removed.

By doing this you will not have to worry about the ordering of the
rules which is quite pleasant.  If you have rules that you want
both before and after these individual rules, then use the groups.
Your base ipf.conf will look something like:

rule
rule
rule
block in on tlp0 from dhcp_range/24 to any head 100
rule
rule
rule
rule

Now, when you add and delete the individual IP addresses just assign
them to group 100 with commands like:

echo pass in from ip_addr/32 to any group 100 | ipf -f -
echo pass in from ip_addr/32 to any group 100 | ipf -rf -

The groups are quite interesting and can make a number of tasks
substantially easier.

[I apologise for playing fast and loose with the syntax of IPF.]

Thanks,

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
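A small wrapper for the add/remove pattern described in the message above, written as an added example for this archive and not taken from the message or from the IPF sources. It assumes the group number 100 and the ipf(8) invocations (ipf -f - to add a rule read from stdin, ipf -rf - to remove it) exactly as they appear in the message. The one thing it adds is an IPv4 check on the address: a login page that pipes a client-supplied string straight into ipf would otherwise let that string carry extra rule text, so the address is validated before any rule is built. IPF_DRYRUN is an assumed knob that prints the command instead of running ipf, so the functions can be exercised on a box without IPF.

```shell
#!/bin/sh
# Added example: per-host IPF rule management for an IP-login setup.
# Assumptions (not from the original message): group 100, ipf -f/-rf,
# and the IPF_DRYRUN variable for printing instead of running ipf.

IPF_GROUP=100

# Return 0 if $1 is a plain dotted-quad IPv4 address, 1 otherwise.
# Anything with characters other than digits and dots (spaces, newlines,
# rule keywords) is rejected before it gets near the ipf command line.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1            # exactly four octets
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rule that admits one logged-in host via group 100.
# Fails (returns 1) if the address does not validate.
ipf_rule_for() {
    is_ipv4 "$1" || return 1
    printf 'pass in from %s/32 to any group %s\n' "$1" "$IPF_GROUP"
}

# Feed one rule to ipf.  $1 is the ipf flag set (-f adds, -rf removes),
# $2 is the rule text.  With IPF_DRYRUN set, show what would be run.
ipf_apply() {
    if [ -n "${IPF_DRYRUN:-}" ]; then
        printf '[dry-run] echo "%s" | ipf %s -\n' "$2" "$1"
    else
        printf '%s\n' "$2" | ipf "$1" -
    fi
}

# Login: append the per-host pass rule to group 100.
ipf_allow() {
    rule=$(ipf_rule_for "$1") || return 1
    ipf_apply -f "$rule"
}

# Logout: remove the same rule again.
ipf_revoke() {
    rule=$(ipf_rule_for "$1") || return 1
    ipf_apply -rf "$rule"
}

# Example usage (constructed address):
#   IPF_DRYRUN=1 sh -c '. ./ipflogin.sh; ipf_allow 192.0.2.10'
```

Because the rule text for add and remove is produced by the same function, the removal is guaranteed to match the rule that was added, which is what makes the ipf -rf - path reliable in practice.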