Yup, On 14-Aug-01 Steven Thompson wrote:
Hi All
I'm looking to allow access to an internal web server via port forwarding, but I would like the port on the firewall to first authenticate the user.
i.e. The client connects to port 8080 on the firewall with a web browser. On connection to the port he is served with an HTML login page - preferably via SSL. If the username and password are correct the port-forwarding is enabled for the client's IP address and maybe MAC address via IPCHAINS or IPTABLES. Once the client is finished it either logs out (i.e. the firewall rule closes the port after the client logs out or expires once the client disconnects).
Hm. Technically I would be interested in how to accomplish this with ipchains/iptables and/or ipmasqadm. You would need a couple of nifty scripts for this, handled by the webserver on the fw, which IMO is not very secure. Why not give out SSL client certs and only allow connections to the domain(s) in question if the client provides the proper cert? I mean, this would save you lots of work and is reasonably safe. Read http://www.apache-ssl.org/#Digital_Certificates for more info about client certs.
Has anyone set up something similar to this or knows where I can get more info - all tips welcome.
PS. This set-up seems similar to a POP before SMTP Config.
Thanks in advance
Steven Thompson
---
Boris Lorenz
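
Added example, not part of either message: a sketch of the rule-handling side of the login-then-forward scheme discussed above, showing the two places such a script on the firewall needs care (the client address is parsed before it reaches iptables, and every opened forward has an expiry). Port 8080 is from the post; the internal address 192.0.2.10:80, the 900-second timeout and all function names are assumptions, and the commands are returned as argument lists for the caller to execute without a shell rather than being run here.

```python
import ipaddress

FORWARD_PORT = 8080          # firewall port named in the post
INTERNAL = "192.0.2.10:80"   # constructed placeholder for the internal web server
LEASE_SECONDS = 900          # assumed idle timeout, not from the thread


def dnat_rule(action, client_ip):
    """Build the iptables argv that adds (-A) or deletes (-D) one client's forward."""
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A or -D")
    # Parse the address rather than trusting the string from the web request:
    # anything that is not exactly one IPv4 address raises ValueError here.
    ip = ipaddress.IPv4Address(client_ip)
    return ["iptables", "-t", "nat", action, "PREROUTING",
            "-s", str(ip), "-p", "tcp", "--dport", str(FORWARD_PORT),
            "-j", "DNAT", "--to-destination", INTERNAL]


class Leases:
    """Tracks which client IPs currently have a forward and when it expires."""

    def __init__(self, ttl=LEASE_SECONDS):
        self.ttl = ttl
        self.expires = {}  # normalized client IP -> expiry time (seconds)

    def login(self, client_ip, now):
        """Call after the password check succeeded; returns commands to run."""
        rule = dnat_rule("-A", client_ip)   # validates before any state changes
        ip = str(ipaddress.IPv4Address(client_ip))
        already_open = ip in self.expires
        self.expires[ip] = now + self.ttl   # a repeat login only renews the lease
        return [] if already_open else [rule]

    def logout(self, client_ip):
        """Explicit logout; returns the delete command if a forward was open."""
        ip = str(ipaddress.IPv4Address(client_ip))
        if self.expires.pop(ip, None) is None:
            return []
        return [dnat_rule("-D", ip)]

    def expire(self, now):
        """Run periodically; returns delete commands for every lapsed lease."""
        lapsed = [ip for ip, t in self.expires.items() if t <= now]
        for ip in lapsed:
            del self.expires[ip]
        return [dnat_rule("-D", ip) for ip in lapsed]
```

A rule keyed on source IP admits every host that shares that address (for example behind the same NAT gateway) until the lease lapses, which is one reason the client-certificate approach in the reply authenticates each connection instead.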