Can receive mails without authentication


This topic contains 3 replies, has 0 voices, and was last updated by  Simsa 6 years, 11 months ago.

  • #43431

    Simsa
    Member

    Hello everybody,

    I use Zeroshell for a small guest-wifi, the guests receive username and password to use the internet for a certain time.

    Now I recognized that everybody can receive their mails, using a mail client without authentication at the captive portal (sending mails is not possible).

    How can that be and how can I change this behavior?

    (The only free authorized service/ports are 67 udp and 53 udp and deleting them does not change the behavior, I have no firewall rules configured at the moment)

    Simsa

    #52439

    redfive
    Participant

    Hi, clients behind the CP in my ZS aren’t able to get their mail (with a mail client or anything else) without being authenticated. Are you sure that you don’t have ANY rule in the forward chain? What ZS release are you using?
    cheers
    jonatha

    #52440

    Simsa
    Member

    Hi, I use Zeroshell 2.0 RC1 and you are right, I really had two forward rules:

    ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0
    ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED

    The policy was ACCEPT and I thought the rules aren’t active in this mode.

    I was obviously wrong, because I deleted both and now all is working properly.
    Thank you very much!

    Which firewall rules do you suggest?
    I use Zeroshell only because of the nice accounting function and the captive portal. It’s not for the security of the network.
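
The two forward rules quoted in the post above differ in what they admit: the first accepts all traffic arriving on ETH00, the second only packets of already tracked connections. As an added example (not part of the thread and not Zeroshell code), this sketch scans rule lines in that listing format for unconditional ACCEPT entries on the portal interface; the line layout and ETH00 as the captive-portal interface are assumptions taken from the post.

```python
import re

# Rule-line layout as quoted in the thread (assumed stable), e.g.
# "ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED"
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>\S+)\s+opt\s+\S+"
    r"\s+in\s+(?P<iif>\S+)\s+out\s+(?P<oif>\S+)"
    r"\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)
ANY_ADDR = "0.0.0.0/0"


def parse_rule(line):
    """Split one listing line into its fields; raise on an unknown layout."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised rule line: {line!r}")
    return m.groupdict()


def admits_new_from_portal(rule, portal_if):
    """True if the rule accepts any NEW connection arriving on portal_if."""
    if rule["target"] != "ACCEPT":
        return False
    if rule["iif"] not in (portal_if, "*") or rule["oif"] != "*":
        return False
    if rule["proto"] != "all" or (rule["src"], rule["dst"]) != (ANY_ADDR, ANY_ADDR):
        return False
    extra = rule["match"].strip()
    if not extra:
        return True  # no further match: every packet is accepted
    state = re.fullmatch(r"state\s+(\S+)", extra)
    # A state match only opens the path if NEW is among the listed states;
    # any other extra match narrows the rule and is left for manual review.
    return bool(state) and "NEW" in state.group(1).split(",")


def audit(lines, portal_if):
    """Return the rule lines that let unauthenticated clients start connections."""
    return [l for l in lines if admits_new_from_portal(parse_rule(l), portal_if)]


# The two FORWARD rules from the post.
SAMPLE = [
    "ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0",
    "ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE, "ETH00"):
        print("bypasses portal:", hit)
```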

    #52441

    redfive
    Participant

    To suggest some rules, it is necessary to know at least the network topology and what you wish to allow/deny to the CP clients (e.g. only some services/ports, management of other devices beyond the ZS server, applying time-based rules for specific services…)
    cheers jonatha

    #52442

    Simsa
    Member

    Thanks again for replying!

    I needed some time to figure out what rules are necessary and now I think I know what would be nice. I’d like to deny access from the ETH00 port to ZeroShell’s administration page, and the clients shouldn’t “see” each other (something like access point isolation).

    Is that possible?

    My network topology: ZeroShell’s ETH01 port is connected to a hardware router and the ETH00 port is connected to a wifi access point. The captive portal is active at this port.
    Some private PCs are directly connected to the hardware router (is it possible to protect them? No access through ZeroShell to these PCs).
