Configuring firewalls so that middleware can be used to provide groups to users, blacklisting users, providing tubes to users.
Monday, July 03 2017, 01:34 PM
Responses (8)
  • Tuesday, July 04 2017, 01:19 PM
    Hi Harsh,

    I've written an app that is currently in testing called "Dynamic Firewall"...it's in the testing repos, but I have not promoted it to the Marketplace yet.

    It won't solve your problem, but it may help in doing so.

    The original requirement for this app was to open firewall ports only for periods of time, and only to certain IP addresses, so that an admin didn't have to have a port wide open to the Internet, 24/7. The dynamic firewall rule would be created based on a trigger. Anything can be a trigger. Log event, webconfig login, an update, port knock etc.

    The app was designed for opening SSH and OpenVPN to a user (IP) only after they had successfully logged into Webconfig (preferably, using 2FA). However, I saw that this type of logic could have wide-ranging applications, so I made it extensible so that someone could drop in configlets. Your case sounds like it might be a great example of that decision.

    To install the app, run:

    yum --enablerepo=clearos-contribs-testing -y install app-firewall-dynamic

    There's a Webconfig front-end to give you an idea of the scope and configuration, found under 'Network -> Firewall -> Dynamic Firewall'.

    Trigger scripts are created and dropped into /var/clearos/firewall_dynamic/triggers.

    There's only one trigger created to date, and that is a trigger based on Webconfig login. There's a convenience class to firewall triggers off in the Webconfig API (Trigger). Location/classpath is /usr/clearos/apps/firewall_dynamic/libraries/Trigger.php. Triggers don't have to be called through the PHP API though...anything can be configured to run a trigger...it's just a bash script wrapper around the PHP class.

    The firewall rules you can create are pretty much limitless...they are defined in XML structures...rules that are run once a trigger is, well, triggered, can be found in /var/clearos/firewall_dynamic/rules/

    There are two rules so far that can serve as good examples...one for opening SSH on whatever port it is running on and one for OpenVPN (standard port 1394 for TCP and UDP).

    Do some digging, try some things, and feel free to post back here with your questions and/or success.

    B.
  • Tuesday, July 04 2017, 12:48 PM
    Harsh Patel wrote:

    Dear Readers,

    We are trying to find a way so that we don't have to manually whitelist the registered users.

    When a user registers to our app, a middleware will automatically contact the firewall and whitelist their MAC address.

    Is there any way possible?

    Can we modify/create the firewall API? Can it help in any way?
  • Tuesday, July 04 2017, 12:34 PM
    Dear Readers,

    We are trying to find a way so that we don't have to manually whitelist the registered users.

    When a user registers to our app, a middleware will automatically contact the firewall and whitelist their MAC address.

    Is there any way possible?
  • Monday, July 03 2017, 04:51 PM
    Or if you don't want to directly manipulate firewall rules, you could add a single rule which uses ipset sets then get your app to issue ipset commands. You can even give an ipset rule a timeout value so it automatically expires.
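    The ipset approach above, worked through as an added example (not code from the thread or from ClearOS): a small helper the registration middleware could call, where the set name `registered_users`, the use of the FORWARD chain and the lifetimes are assumptions, and `hash:mac` needs an ipset/kernel build that supports that set type. The part worth copying is that the MAC and TTL are validated before they reach a root command line.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS: a minimal helper a
# registration middleware could call, following the ipset suggestion above.
# Set name, chain choice and lifetimes are assumptions; ipset/iptables need root.

SET_NAME="${SET_NAME:-registered_users}"   # assumed set name
DEFAULT_TTL="${DEFAULT_TTL:-86400}"         # default entry lifetime in seconds (assumed)
IPSET_BIN="${IPSET_BIN:-ipset}"             # overridable so the logic can be dry-run
IPTABLES_BIN="${IPTABLES_BIN:-iptables}"

# The MAC comes from a registration form, i.e. untrusted input that is about to
# land on a root command line: accept only the canonical aa:bb:cc:dd:ee:ff form.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One-time setup: a hash:mac set whose entries expire on their own, plus a single
# FORWARD rule accepting traffic whose source MAC is in the set. Everything else
# keeps hitting whatever policy (e.g. the Egress Firewall) already exists.
setup_set() {
  "$IPSET_BIN" create "$SET_NAME" hash:mac timeout "$DEFAULT_TTL" -exist
  "$IPTABLES_BIN" -C FORWARD -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null ||
    "$IPTABLES_BIN" -I FORWARD -m set --match-set "$SET_NAME" src -j ACCEPT
}

# Whitelist one MAC for ttl seconds (default lifetime if omitted). Fails closed
# on malformed MAC or non-numeric TTL instead of handing them to ipset.
whitelist_mac() {
  mac=$1
  ttl=${2:-$DEFAULT_TTL}
  valid_mac "$mac" || return 1
  case $ttl in *[!0-9]*|'') return 1 ;; esac
  "$IPSET_BIN" add "$SET_NAME" "$mac" timeout "$ttl" -exist
}

# Blacklisting is just removal from the set; the next packet from that MAC
# falls through to the default policy again.
blacklist_mac() {
  valid_mac "$1" || return 1
  "$IPSET_BIN" del "$SET_NAME" "$1" -exist
}

# Called from the middleware as:  whitelist.sh setup | allow MAC [TTL] | deny MAC
case "${1:-}" in
  setup) setup_set ;;
  allow) whitelist_mac "$2" "${3:-}" ;;
  deny)  blacklist_mac "$2" ;;
esac
```

    Run with IPSET_BIN=echo IPTABLES_BIN=echo to see the exact commands that would be issued without touching the live firewall.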
  • Monday, July 03 2017, 03:08 PM
    You could simply run the Egress Firewall module to block all outbound traffic and then use your app to issue custom iptables rules to permit temporary exceptions as dictated by your app.
  • Monday, July 03 2017, 02:50 PM
    Dave Loper wrote:

    Harsh,

    Do you have a comparable technology in mind? Do you have any howtos which show how this would be done? Have you taken a look at Gateway.Management to see if that is what will work? If not, what changes to Gateway.Management would be required to get the outcome you desire?


    We are trying to find a way to give access to users who register to our app without a captive portal.
  • Monday, July 03 2017, 02:44 PM
    Harsh,

    Do you have a comparable technology in mind? Do you have any howtos which show how this would be done? Have you taken a look at Gateway.Management to see if that is what will work? If not, what changes to Gateway.Management would be required to get the outcome you desire?
  • Monday, July 03 2017, 01:42 PM
    Moreover, so that middleware can blacklist users on the server.