Subject: Re: Building IP-login (ipfw or what)
To: Alan Barrett <apb@cequrux.com>
From: Petter Lindquist <pollen@astrakan.hig.se>
List: tech-net
Date: 04/10/2003 13:56:31
Thank you to all who have come with great suggestions; I'm "almost there"
now!


On Fri, 4 Apr 2003, Alan Barrett wrote:

> On Fri, 04 Apr 2003, Petter Lindquist wrote:
> > > Let me rephrase. What is "IP-login"?
> >
> > You get IP number from dhcp. Your traffic is blocked in the router
> > until you have successfully logged in. Preferably via a web page where
> > to you are automatically redirected until you've logged in.
>
> You could probably implement this using ipf "pass" rules for packets
> from IP addresses that are authorised, and one or more of ipf
> "fastroute", ipf "dup-to", or ipnat "rdr" rules if you don't just want
> to drop packets from unauthorised IP addresses.  But working out the
> details is likely to be tricky.

I've come so far that I'm blocking all traffic, and intercepting
http-requests and redirecting them to the login server.

Now the problem seems to be that IPNAT goes before IPF, so I can't have an
IPF rule to let the packet through the IPNAT.

OK, fastrouting the packet to another interface and letting IPNAT catch
the packet there... Seems like IPNAT still goes before IPF, so when the
packet is fastrouted there's no need to play the IPNAT stuff on it again.

This rule catches packets nicely and sends them to the login server.
rdr sip0 0.0.0.0/0 port 80 -> 130.243.6.47 port 80 tcp

What I miss is a possibility to bypass that...

Perhaps I'll have to do the dynamic things in the ipnat.conf instead. A long
list with rdr for every blocked address. Would be nicer the other way. (To
specify which addresses we want to pass packets from..)


-- 
/Pållen - http://www.astrakan.hig.se/~pollen
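The "long list with rdr for every blocked address" alternative mentioned above, as an added example that is not part of the original message or of the IPFilter project: a POSIX sh script that derives the not-yet-logged-in hosts from a DHCP lease list minus the authenticated list, then emits one ipnat rdr rule per unauthenticated host (HTTP to the login server) and an ipf rule set that blocks everything on the inside interface except the authenticated hosts and traffic to the login server. The interface name sip0 and login server 130.243.6.47 are taken from the post; the address lists are constructed sample data; the source-restricted "rdr sip0 from <addr> to 0.0.0.0/0 port 80 -> ..." form is an assumption about the installed ipnat(5) syntax and should be checked against its manual page before the output is loaded.

```shell
#!/bin/sh
# Added example (not from the original post): generate ipnat and ipf rule
# sets for a captive-portal gateway from a list of authenticated clients.
# Assumptions: inside interface sip0 and login server 130.243.6.47 (both from
# the post); the "rdr ... from <addr> to ..." form is assumed to be accepted
# by the installed ipnat(5) -- verify against its manual page.

IFACE=sip0
LOGIN_SERVER=130.243.6.47

# Constructed sample data: addresses currently handed out by DHCP, and the
# subset that has successfully logged in via the web page.
LEASED="10.1.0.5 10.1.0.7 10.1.0.9 10.1.0.12"
AUTHED="10.1.0.5 10.1.0.9"

# Print the leased addresses that are NOT in the authenticated list.
# $1 = leased list, $2 = authenticated list (space separated).
unauthed_hosts() {
    out=""
    for h in $1; do
        found=no
        for a in $2; do
            [ "$h" = "$a" ] && found=yes
        done
        [ "$found" = no ] && out="$out $h"
    done
    printf '%s\n' "${out# }"
}

# Emit one ipnat rdr rule per unauthenticated address so that its HTTP
# requests are redirected to the login server.  $1 = unauthenticated list.
gen_ipnat_rules() {
    for addr in $1; do
        printf 'rdr %s from %s/32 to 0.0.0.0/0 port 80 -> %s port 80 tcp\n' \
            "$IFACE" "$addr" "$LOGIN_SERVER"
    done
}

# Emit ipf rules: default block on the inside interface, pass traffic to the
# login server from anyone (so the redirected request can reach it), and pass
# everything from the authenticated addresses.  $1 = authenticated list.
gen_ipf_rules() {
    printf 'block in on %s all\n' "$IFACE"
    printf 'pass in quick on %s proto tcp from any to %s port = 80 keep state\n' \
        "$IFACE" "$LOGIN_SERVER"
    for addr in $1; do
        printf 'pass in quick on %s from %s/32 to any keep state\n' \
            "$IFACE" "$addr"
    done
}

# Usage: print both rule sets (ipnat rules first, then ipf rules).
UNAUTHED=$(unauthed_hosts "$LEASED" "$AUTHED")
gen_ipnat_rules "$UNAUTHED"
gen_ipf_rules "$AUTHED"
```

Because ipnat is consulted before ipf on inbound packets, the rdr list has to name exactly the hosts that should still be redirected, which is why the script recomputes it from the lease list rather than maintaining it by hand; regenerating and reloading both files each time a host logs in (with ipnat -CF -f and ipf -Fa -f, the usual flush-and-reload invocations, to be confirmed against the local manual pages) keeps the two rule sets consistent.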