Configuring firewalls so that middleware can be used to provide groups to users, blacklisting users, providing tubes to users.
In Firewall
Responses (8)
Accepted Answer
Hi Harsh,
I've written an app that is currently in testing called "Dynamic Firewall"...it's in the testing repos, but I have not promoted it to the Marketplace yet.
It won't solve your problem, but it may help in doing so.
The original requirement for this app was to open firewall ports only for periods of time, and only to certain IP addresses, so that an admin didn't have to have a port wide open to the Internet, 24/7. The dynamic firewall rule would be created based on a trigger. Anything can be a trigger. Log event, webconfig login, an update, port knock etc.
The app was designed for opening SSH and OpenVPN to a user (IP) only after they had successfully logged into Webconfig (preferably, using 2FA). However, I saw that this type of logic could have wide-ranging applications, so I made it extensible so that someone could drop in configlets. Your case sounds like it might be a great example of that decision.
To install the app, run:
yum --enablerepo=clearos-contribs-testing -y install app-firewall-dynamic
There's a Webconfig front-end to give you an idea of the scope and configuration, found under 'Network -> Firewall -> Dynamic Firewall'.
Trigger scripts are created and dropped into /var/clearos/firewall_dynamic/triggers.
There's only one trigger created to date, and that is a trigger based on Webconfig login. There's a convenience class to firewall triggers off in the Webconfig API (Trigger). Location/classpath is /usr/clearos/apps/firewall_dynamic/libraries/Trigger.php. Triggers don't have to be called through the PHP API though...anything can be configured to run a trigger...it's just a bash script wrapper around the PHP class.
The firewall rules you can create are pretty much limitless...they are defined in XML structures...rules that are run once a trigger is, well, triggered, can be found in /var/clearos/firewall_dynamic/rules/
There are two rules so far that can serve as good examples...one for opening SSH on whatever port it is running on and one for OpenVPN (standard port 1394 for TCP and UDP).
Do some digging, try some things, and feel free to post back here with your questions and/or success.
B.
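B. describes triggers as bash wrappers around the PHP class and rules that open access for a limited window; Harsh's requirement is that a middleware whitelists a registered user's MAC address without manual work. As an added example (not the Dynamic Firewall app's own code), the shell script below is a trigger-style wrapper that does exactly that on an iptables gateway, with a strict input check and a lease that a cron job revokes. The chain name, the state file path and the "registered:" comment tag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Dynamic Firewall app's own code: a trigger-style
# wrapper a registration middleware could run to whitelist a device's MAC on
# an iptables gateway for a limited lease. The chain name, state file and the
# "registered:" comment tag are assumptions of this example.
set -u

IPTABLES=${IPTABLES:-iptables}
CHAIN=${CHAIN:-DYNFW_REGISTERED}                 # assumed chain, jumped to from FORWARD
STATE=${STATE:-/var/lib/dynfw/registered.leases} # assumed format: "mac user expiry_epoch"
LEASE_SECONDS=${LEASE_SECONDS:-28800}            # 8 hours, then access is revoked

# Accept only six colon-separated hex pairs, so nothing but a well-formed
# MAC from the middleware ever reaches the iptables command line.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# grant <mac> <username>: add the allow rule and record the lease.
# Returns 1 on a malformed MAC, 2 if the device already has a live lease.
grant() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f'); user=$2
  valid_mac "$mac" || return 1
  grep -q "^$mac " "$STATE" 2>/dev/null && return 2
  "$IPTABLES" -A "$CHAIN" -m mac --mac-source "$mac" \
    -m comment --comment "registered:$user" -j ACCEPT || return 3
  printf '%s %s %s\n' "$mac" "$user" "$(( $(date +%s) + LEASE_SECONDS ))" >> "$STATE"
}

# revoke_expired [now_epoch]: delete rules whose lease has passed (cron job).
# Prints the number of leases revoked.
revoke_expired() {
  now=${1:-$(date +%s)}; revoked=0
  [ -f "$STATE" ] || { echo 0; return 0; }
  : > "$STATE.tmp"
  while read -r mac user expiry; do
    if [ "$expiry" -le "$now" ]; then
      "$IPTABLES" -D "$CHAIN" -m mac --mac-source "$mac" \
        -m comment --comment "registered:$user" -j ACCEPT
      revoked=$((revoked + 1))
    else
      printf '%s %s %s\n' "$mac" "$user" "$expiry" >> "$STATE.tmp"
    fi
  done < "$STATE"
  mv "$STATE.tmp" "$STATE"
  echo "$revoked"
}
```

Source the file from the trigger wrapper and call `grant "$MAC" "$USERNAME"` on registration; schedule `revoke_expired` from cron so leases actually end.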
Accepted Answer
Harsh Patel wrote:
Dear Readers,
We are trying to find a way so that we don't have to manually whitelist the registered users.
When a user registers to our app, a middleware will automatically contact the firewall and whitelist their MAC address.
Is there any way possible?
Can we modify/create the firewall API? Can it help in any way?
Accepted Answer
Dave Loper wrote:
Harsh,
Do you have a comparable technology in mind? Do you have any howtos which show how this would be done? Have you taken a look at Gateway.Management to see if that is what will work? If not, what changes to Gateway.Management would be required to get the outcome you desire?
We are trying to find a way to give access to users who register to our app without a captive portal.
Accepted Answer
Harsh,
Do you have a comparable technology in mind? Do you have any howtos which show how this would be done? Have you taken a look at Gateway.Management to see if that is what will work? If not, what changes to Gateway.Management would be required to get the outcome you desire?