 From:  Paul Taylor <ptaylor at addressplus dot net>
 To:  "Alex M" <radiussupport at lrcommunications dot net>
 Cc:  "Mono Dev List" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Feature Needed: Passthrough for destination domain name (CP)
 Date:  Sat, 12 Aug 2006 12:15:40 -0400
Alex,

	The clients should be pointing to Monowall to get their DNS. It will resolve DNS without being logged into the portal. If they are going outside for DNS, then that may be your problem. If they are DHCP though, they should have Monowall as their DNS server.

	The suggestion I made is one that you can fix without trying to build your own special version of Monowall.

	So, do nslookups and get the IPs back for pages you want to allow without logging in... Then, go to the DNS Forwarder page and add them all in. For the host, put in "www" and for the domain, put in "google.com", for example, along with the IP Address. Then, when they request www.google.com, Monowall won't even go out to the net to grab an IP, rather it will serve the one that you provided. As long as that IP Address is also allowed as a pass-thru IP, it will work. Make sure to set it as a "to" address, not a "from".

	I've worked enough with the captive portal in Monowall to know that the pass-thru feature does really work, so if it isn't working for you, you must be doing something wrong.

Paul


On Aug 11, 2006, at 11:57 PM, Alex M wrote:

> I like your idea, but I'm curious about one thing! If I'm currently adding the IP as a safe one and then typing the domain and it gets blocked, this means that the DNS server is blocked and the name cannot be resolved? Or is that the way the code is written? (I forgot what the code looks like)
>
> If DNS is blocked, how can I unblock it? If that's in the code then it's probably even easier! =>
>
> // sketch: pass the request if it matches an allowed domain or IP
> if (in_array($HTTP_REQUEST, $safe_domain_array) ||
>     in_array($HTTP_REQUEST, $safe_ip_array)) {
>     allow();
> } else {
>     show_captivepage();
> }
>
> -----Original Message-----
> From: Paul Taylor [mailto:ptaylor at addressplus dot net]
> Sent: Friday, August 11, 2006 11:45 PM
> To: Sven Brill
> Cc: Alex M; Mono Dev List
> Subject: Re: [m0n0wall-dev] Feature Needed: Passthrough for destination domain name (CP)
>
>
> Wouldn't it be simpler to do DNS lookups on all the "allowed" sites
> just to get a list of a single IP per site that works, then configure
> DNS to have those entries in as static, then just configure those IPs
> as allowed?
>
> On Aug 11, 2006, at 11:35 PM, Sven Brill wrote:
>
>> Alex M wrote:
>>> Also, set my company's IP (that for sure has only one IP) and when I typed the name it didn't allow me to go through. There is a definite need to add Domain Pass-through!
>>>
>> Do you use m0n0 as your DNS forwarder? You probably couldn't get
>> through to the web site because the unauthenticated client was not
>> allowed to contact the DNS server, but that's just a guess.
>>
>> Adding the feature you describe is probably not as easy as it
>> sounds. The packet filter does not do DNS lookups, so you would
>> have to expand the code so that ANY request from an unauthenticated
>> client first gets checked against the allowed hostnames, THEN the
>> firewall would have to resolve the hostname and dynamically set a
>> rule to allow the result of the DNS lookup, since IPs change
>> (dynamic, round robin, you name it). After that, for security
>> reasons, the dynamically generated rule would probably have to be
>> deleted, so that a future DNS change does not allow the wrong
>> traffic out and the ruleset grows too much. Not a cut-and-dried thing.
>>
>> Sven
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
>>
>
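Paul's recipe (pin one IP per allowed name in the DNS Forwarder and list that same IP as a pass-through) and Sven's warning about changing and round-robin addresses, modelled as an added example that is not from this thread or from m0n0wall's own code. The override table, pass-through list and "live" DNS answers are constructed sample data; the audit shows the two ways the setup silently breaks.

```python
import ipaddress

# Constructed sample data (not from the thread): DNS Forwarder overrides as
# (host, domain, ip), the captive portal pass-through IP list, and what live
# DNS currently returns for each name (simulated, since this runs offline).
OVERRIDES = [
    ("www", "google.com", "198.51.100.5"),
    ("www", "example.org", "192.0.2.10"),
    ("mail", "example.org", "192.0.2.20"),
]
PASSTHRU_IPS = {"198.51.100.5", "192.0.2.10"}
LIVE_DNS = {
    "www.google.com": ["198.51.100.5", "198.51.100.6"],  # round robin
    "www.example.org": ["192.0.2.11"],  # has moved away from the pinned IP
    "mail.example.org": ["192.0.2.20"],
}

def override_table(overrides):
    """Static map fqdn -> pinned IP, as the forwarder would hold it."""
    table = {}
    for host, domain, ip in overrides:
        ipaddress.ip_address(ip)  # reject a malformed entry early
        table[f"{host}.{domain}"] = ip
    return table

def resolve(fqdn, table, live):
    """Answer a client that uses m0n0wall as its resolver."""
    if fqdn in table:
        return [table[fqdn]]  # static entry, answered locally
    return live.get(fqdn, [])  # otherwise forwarded upstream

def unauthenticated_allowed(fqdn, table, live, passthru):
    """True only if every address the client could get is passed through."""
    answers = resolve(fqdn, table, live)
    return bool(answers) and all(ip in passthru for ip in answers)

def audit(overrides, passthru, live):
    """Flag overrides that are not passed through or whose IP has drifted."""
    problems = []
    for fqdn, ip in override_table(overrides).items():
        if ip not in passthru:
            problems.append((fqdn, "pinned IP not in pass-through list"))
        if ip not in live.get(fqdn, []):
            problems.append((fqdn, "live DNS no longer returns pinned IP"))
    return problems
```

Without the override, the round-robin answer for www.google.com can hand the client an address that is not passed through; with it, the pinned address is the only one served. Re-running audit() periodically catches the stale pinned entry Sven's message warns about.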