On Fri, 2005-12-02 at 13:02 +0100, RÃ¶nnblom JanÃ¥ke /Teknous wrote:
> I dont know if this will work so the usual "not tested" applies.
> Could'nt you use a m0n0wall with three (3) interfaces?
> One connected to the WAN, one to an DMZ with the squid proxy
> in it and one with the captive portal and your clients behind it?
I haven't tried that, but the box that the proxy runs on is the main
Linux box. It runs just about everything in the place from DHCP, DNS,
Radius, Samba, Squid, Print spooler, etc. I don't know what the effect
of putting all this into the DMZ will be. Presumably the DMZ in this
case would have to be facing "inward" toward the LAN and not as expected
"outward" toward the Internet. Again, I don't know if that can be
Thinking about it, I assume the concept will fail on the DHCP alone as
the initial IP of a booting machine is set to zero and the DHCP packet
is requested as a broadcast which has the Ethernet address decoded from
that and gets its IP address sent back to the Ethernet address. With
the firewall in the middle, the address in the packet would be replaced
by the Ethernet address of the firewall!
Of course, I could use the m0n0wall as the DHCP server, but that gives
me the problem of having to allow admin access to the m0n0wall for
system admins who currently have their own access (by several
user/password tuples) to admin functions on the main server from which
changes are logged & eventually backed up to tape. Can't do that in
m0n0wall (at least yet).
I thought the idea of a cookie would work and be a "simple" addition to
the code. If not, then Jonathan's idea to use the
'HTTP_X_FORWARDED_FOR' http header as the clientip is a good second way
to achieve a similar outcome. If this were to be the way it is to be
handled, can I ask that there be an option to strip out the
'HTTP_X_FORWARDED_FOR' http header for network security.