August 25, 2012 at 7:59 am #43431
I use Zeroshell for a small guest wifi; the guests receive a username and password to use the internet for a certain time.
Now I noticed that everybody can receive their mail using a mail client without authenticating at the captive portal (sending mail is not possible).
How can that be and how can I change this behavior?
(The only freely authorized services/ports are 67 UDP and 53 UDP, and deleting them does not change the behavior; I have no firewall rules configured at the moment.)
Simsa, August 25, 2012 at 3:46 pm #52439
Hi, clients behind the CP in my ZS aren't able to get their mail (with a mail client or anything else) without being authenticated. Are you sure that you don't have ANY rule in the forward chain? What ZS release are you using?
jonatha, August 26, 2012 at 8:01 am #52440
Hi, I use Zeroshell 2.0 RC1 and you are right, I really had two forward rules:
ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
The policy was ACCEPT and I thought the rules weren't active in this mode.
I was obviously wrong, because I deleted both and now everything is working properly.
Thank you very much!
Which firewall rules do you suggest?
I use Zeroshell only because of the nice accounting function and the captive portal. It's not for the security of the network.

August 26, 2012 at 11:30 am #52441
To suggest some rules, I need to know at least the network topology and what you wish to allow/deny to the CP clients (e.g. only some services/ports, management of other devices beyond the ZS server, applying time-based rules for specific services...)
cheers

jonatha, September 5, 2012 at 10:47 pm #52442
Thanks again for replying!
I needed some time to figure out which rules are necessary, and now I think I know what would be nice. I'd like to deny access from the ETH00 port to ZeroShell's administration page, and the clients shouldn't "see" each other (something like access point isolation).
Is that possible?
My network topology: ZeroShell's ETH01 port is connected to a hardware router, and the ETH00 port is connected to a wifi access point. The captive portal is active on this port.
Some private PCs are directly connected to the hardware router. Is it possible to protect them (no access through ZeroShell to these PCs)?
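The two posts above turn on the same point: a chain is walked top to bottom, the first matching terminal rule wins, and the chain's default policy is only consulted when nothing matched, so a policy of ACCEPT does not switch off the rules above it. The following toy evaluator is an added example, not Zeroshell's code; it reproduces the August 26 symptom (the broad "in ETH00" ACCEPT admitting a guest who never logged in at the portal) and shows the one item from the September 5 request that a FORWARD rule can satisfy. The interface names and the two listed rules come from the thread; the chain name CAPTIVE_PORTAL, its placement after the user-defined rules, the guest addresses, the mail server address and the private subnet are assumptions.

```python
"""Toy first-match model of an iptables-style FORWARD chain (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    dport: int
    state: str          # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT", "DROP", or the name of a chain to jump to
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    states: tuple = ()          # empty = match any connection state

    def matches(self, pkt: Packet) -> bool:
        return (self.in_if in ("*", pkt.in_if)
                and self.out_if in ("*", pkt.out_if)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (not self.states or pkt.state in self.states))


def verdict(chains: dict, name: str, pkt: Packet):
    """Walk a chain top to bottom; the first matching terminal rule decides.

    A jump into a user chain that matches nothing returns to the caller, as in
    iptables. The built-in chain's policy is reached only when no rule matched,
    which is why a policy of ACCEPT does not deactivate the rules above it.
    """
    policy, rules = chains[name]
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target in chains:              # -j <user chain>
            result = verdict(chains, rule.target, pkt)
            if result is not None:
                return result
            continue
        return rule.target                     # ACCEPT or DROP
    return policy


# Constructed: one guest who has logged in at the portal; others have not.
AUTHENTICATED = ("10.0.0.10",)
PRIVATE_LAN = "192.168.1.0/24"   # assumed subnet of the PCs on the hardware router


def build_chains(user_rules, authenticated=AUTHENTICATED) -> dict:
    """FORWARD = the user's rules, then the portal's check for guest traffic.

    The portal chain admits only sources that authenticated and drops the rest.
    That its jump sits after the user rules is an assumption that matches the
    reported behaviour: the user's ACCEPT won before the portal ever ran.
    """
    portal = [Rule("ACCEPT", src=ip) for ip in authenticated] + [Rule("DROP")]
    forward = list(user_rules) + [Rule("CAPTIVE_PORTAL", in_if="ETH00")]
    return {"FORWARD": ("ACCEPT", forward), "CAPTIVE_PORTAL": (None, portal)}


# The two rules from the thread, as listed by `iptables -L FORWARD`.
ORIGINAL_RULES = [
    Rule("ACCEPT", in_if="ETH00"),
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
]

# What a FORWARD rule can do for the September 5 request: keep guests off the
# private PCs behind the hardware router. Admin-page access is INPUT-chain
# traffic to ZeroShell itself, and guest-to-guest traffic on one access point
# never crosses ZeroShell, so neither of those is a FORWARD rule.
SUGGESTED_RULES = [
    Rule("DROP", in_if="ETH00", dst=PRIVATE_LAN),
]


def guest_pop3(src: str) -> Packet:
    """Constructed: a guest opening a POP3 connection to an internet mail server."""
    return Packet("ETH00", "ETH01", src, "203.0.113.5", 110, "NEW")


if __name__ == "__main__":
    unauth = guest_pop3("10.0.0.20")
    for label, rules in (("original", ORIGINAL_RULES), ("emptied", []),
                         ("suggested", SUGGESTED_RULES)):
        print(label, "->", verdict(build_chains(rules), "FORWARD", unauth))
```

Running it prints ACCEPT for the original rule set and DROP for the other two, which is the behaviour jonatha saw before and after deleting the rules. The private-LAN DROP is placed ahead of the portal jump on purpose: an authenticated guest still passes the portal chain, so the restriction has to be decided first. Client-to-client isolation on the wifi side has to come from the access point itself, since that traffic is switched by the AP and never reaches ETH00.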