Obes
Posts: 5401
Location: Brisbane, Queensland
Anyone know of any projects for a User authenticated firewall system ?
What I mean by that... For connecting random machines to to a DMZ style network. Preferable one that creates a seperate 10.x.x.x/30 (yes 2 device) IP network for each session Uses X11 / Radius / LDAP for Authentication Then creates a bunch of Firewall rules based on Authentication and a "policy" (time of day nice, location/vlan, ldap group membership would just be extra cheese on top). Nice but not essential: NAT Transparent proxy web managed To the end user, they connect (wireless or cable) it gives them a IP that only lets them get the log in page, they log in and it opens up the appropriate ports/IPs etc. We have(had) a commercial solution (HP Procurve 740wl) that was really just FreeBSD running a bunch of "cool" software but the hard drive inside it died and they seem unable/unwilling to replace just the hard drive, and are quoting 4500+ for a complete replacement... its just a dead Maxtor Fireball Hard drive... because its so hard to type "dd if=/dev/hdb of=/dev/hdc" (Needless to say I regret not opening up the device finding it was a crappy HDD and doing a dd backup for myself). (Tho surely they have an infinitely simpler way to do it). |
#0 10:25am 24/08/07
TicMan
Posts: 2506
Location: Brisbane, Queensland
We use a firewall that can do some of these services like the policy routing (time of day, LDAP group, etc) & rules, NAT, proxy, etc, but not sure if it does what you want. It's called an Astaro and you can either buy the commercial versions or use a freebie home version.

I've got the commercial one running for one of our remote sites using firewall policies. An example policy would be that anyone in the "Office Admins" group can use the interwebz at any time, but everyone else can only use it between lunch and after hours, or can only use internet browsing and no MSN, or internet browsing but no eBay, myspace, etc during those hours.
#1 10:34am 24/08/07
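The design asked for in the opening post (a /30 per session, rules derived from LDAP group and time of day, only the login page reachable until then), with TicMan's "Office Admins" policy as the sample rule set. This is an added illustration, not code from the thread, the 740wl or Astaro; the 10.200.0.0 session pool, the portal address and the policy table are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address, IPv4Network
# Service names -> (proto, port). 1863/tcp is MSN Messenger's real port.
SERVICES = {"web": {("tcp", 80), ("tcp", 443)}, "msn": {("tcp", 1863)}}
PORTAL = "10.200.255.254"                  # constructed address of the login page
SESSION_BASE = IPv4Address("10.200.0.0")   # constructed pool carved into /30s

@dataclass(frozen=True)
class Policy:
    group: str           # LDAP group name; "*" matches everyone
    services: frozenset  # keys of SERVICES
    windows: tuple       # ((start, end), ...) local times; empty = always

# Constructed policy after TicMan's example: admins always, others web-only off-peak.
POLICIES = (
    Policy("Office Admins", frozenset({"web", "msn"}), ()),
    Policy("*", frozenset({"web"}), ((time(12, 0), time(13, 0)),
                                     (time(17, 0), time(23, 59, 59)))),
)

def allocate_session_net(index: int) -> IPv4Network:
    """n-th /30 of the pool: .0 network, .1 gateway, .2 client, .3 broadcast."""
    return IPv4Network(f"{SESSION_BASE + 4 * index}/30")

def evaluate(groups: set, now: time) -> set:
    """(proto, port) pairs this user may reach right now, across all policies."""
    allowed = set()
    for pol in POLICIES:
        if pol.group != "*" and pol.group not in groups:
            continue
        if pol.windows and not any(s <= now <= e for s, e in pol.windows):
            continue
        for name in pol.services:
            allowed |= SERVICES[name]
    return allowed

def session_rules(index: int, groups: set, hour: int, minute: int = 0) -> list:
    """iptables lines for one session; the portal is always reachable, and a
    session with nothing allowed (pre-login or outside hours) is redirected."""
    client = str(list(allocate_session_net(index).hosts())[1])
    allowed = evaluate(groups, time(hour, minute))
    rules = [f"-A FORWARD -s {client} -d {PORTAL} -p tcp --dport 443 -j ACCEPT"]
    if not allowed:
        rules.append(f"-t nat -A PREROUTING -s {client} -p tcp --dport 80 "
                     f"-j DNAT --to-destination {PORTAL}")
    for proto, port in sorted(allowed):
        rules.append(f"-A FORWARD -s {client} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"-A FORWARD -s {client} -j DROP")  # default deny per session
    return rules
```

A real deployment would key the rule set to the session's RADIUS/LDAP result and tear the rules down on logout or timeout; the per-session DROP at the end is what keeps an unauthenticated client from reaching anything but the portal.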
Opec
Posts: 4693
Location: Brisbane, Queensland
That HP box sure sounds like it does a whole lot of stuff. I have my doubts that there would be any OSS project that does all the functions your HP box does.

I guess you _could_ build yourself a box like that from scratch, but man, it would be a hell of a project to do given all the software that has to be installed and configured and operate with each other seamlessly. Otherwise something like IPcop, pfSense, Smoothwall might service some of the functions you require.

last edited by Opec at 10:49:00 24/Aug/07
#2 10:49am 24/08/07
Obes
Posts: 5402
Location: Brisbane, Queensland
IPcop with advproxy may be a solution.. ta Opec
Smoothwall commercial products might do the trick too
#3 10:59am 24/08/07
CaPt0
Posts: 5904
Location: Brisbane, Queensland
Put a Checkpoint enforcement in. It does everything like this for you.
And can come with a GUI!
#4 11:56am 24/08/07