[ previous ] [ next ] [ threads ]
 
 From:  Adam Nellemann <adam at nellemann dot nu>
 To:  Michal Harajda <root at unlockers dot sk>
 Cc:  Dinesh Nair <dinesh at alphaque dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] MAC filtering in firewall rules
 Date:  Wed, 19 May 2004 21:47:26 +0200
Michal Harajda wrote:
> Mr. Dinesh,
> 
> ok I will try this, and let u know
> 
> Wednesday, May 19, 2004, 11:51:06 AM, you wrote:
> 
> 
> DN> On Wed, 19 May 2004, Michal Harajda wrote:
> 
> 
>>>its a problem, because clients with disabled internet access use ip
>>>addresses of not active clients with internet access. And I cannot do
>>>anything.
> 
> 
> DN> one way of perhaps trying to do what you want to do is by using a
> DN> side-effect of the captive portal with the following steps:
> 
> DN> 1. make sure the captive portal interface is not bridged
> DN> 2. turn on the captive portal on the interface
> DN> 3. when uploading a portal page, omit the accept button
> DN> 4. explicitly add the allowed mac addresses under pass-through mac
> 
> DN> now only mac addresses with an explicit pass-through will be allowed thru,
> DN> but others will be thrown up the portal page (which may contain a warning
> DN> notice) without an accept button.
> 
> DN> do note however that this is not a fool-proof manner because someone could
> DN> still forge a http request to m0n0wall and subvert this.
> 
> DN> however, once i have added in radius support for the captive portal,
> DN> things _may_ (no promises) be different.
> 
> DN> Regards,                           /\_/\   "All dogs go to heaven."
> DN> dinesh at alphaque dot com                (0 0)    http://www.alphaque.com/
> DN> +==========================----oOO--(_)--OOo----==========================+
> DN> | for a in past present future; do                           
> DN> |   for b in clients employers associates relatives neighbours pets; do   |
> DN> |   echo "The opinions here in no way reflect the opinions of my $a $b."  |
> DN> | done; done                                                 
> DN> +=========================================================================+
> 
> 
> 

If I remember correctly (correct me if I'm wrong Dinesh?) This 
approach will require the clients to initate their WAN access with a 
HTTP request, which may be a problem for some users (such as if they 
use a mailchecker or similar non-http util in their startup 
folder/script.)

Adam.