[lms-en] Some docs on LMS as UTM combo

Zenny garbytrash at gmail.com
Tue Aug 12 08:21:32 CEST 2014


Hi Jelle:

Would you mind sharing your experience about the setup you proposed
about a year ago?

It is a pleasure to read your in-depth thoughts like the one you shared
on (October 15, 2013) :D

/z

On 10/15/13, Jelle <jml at orkz.net> wrote:
> Oh, and an illustration of our future setup
>
> [image: Inline image 1]
>
>
> On Tue, Oct 15, 2013 at 3:44 PM, Jelle <jml at orkz.net> wrote:
>
>> Hi,
>>
>> Just an update on where we are now.
>>
>> I've investigated the option of an LMS stand-alone solution, but this is
>> not feasible when we take ease of use into account. LMS is meant for
>> usability and a stand-alone solution would make it hard to maintain a
>> flexible network administration. This is because the LMS iptables scripts
>> that are included with LMS only manages the NATting and FORWARDing of
>> clients that are registered in LMS. What we want here is a full blown
>> firewall so we need a lot of iptables rules that LMS offers us. We have
>> to
>> manually add and maintain these rules and for that we need a lot of
>> expertise. (you could choose for webmin or other frontend solutions but
>> those are ugly imho).
>>
>> So, we're now at the point where we choose for another solution. LMS is
>> going to bridge all traffic to our firewall which runs on pfSense. LMS is
>> going to be something like a 'captive firewall' which blocks all unknown
>> clients and NATs all clients that are disconnected because of payment
>> issues. I'm also adding support for warnings and cutoff of clients that
>> are
>> above some download/upload limit you set in lms.ini
>> Also I've adjusted the iptables/warnings scripts that create executable
>> iptables scripts. The default scripts do something you really don't want
>> and that is Flush all tables, then re-insert all rules one-by-one. This
>> will disconnect every connection that is made at that moment. The new
>> scripts will output a "iptables-save" syntax file so it can be restored
>> at
>> once with "iptables-restore".
>>
>> In my network I want all users (in my ip range) to be forwarded. Then
>> they
>> enter the NAT table, but only the 'disconnected' users should be NATted
>> to
>> enter a warning page. Other users should not be NATted because NATting
>> automatically takes place on the firewall in pfSense (and we don't want
>> double NAT)
>> Since pfSense can now be configured kind of static, it's really easy to
>> configure. We want static firewall rules for our DMZ and LAN and also
>> some
>> static 1:1 NAT rules that allow internet connections to specified servers
>> in DMZ. Only occasionally we have to change these rules, but when we do,
>> it's really clear as how to do this in pfSense.
>>
>> When this setup is done, we only need to administrate LMS and that takes
>> care of full user management including, sending warnings and
>> disconnecting
>> users.
>> I'll add some custom PHP scripts that take care of a local SMS server
>> (mobile phone connected to LMS server): People can send an SMS to
>> opt-in/opt-out on messages from different (customer)groups which are set
>> in
>> LMS. From within LMS we can then send SMS to those groups.
>> Also we are already using a script that takes care of the finances
>> management: we download a .csv file from our online banking and insert
>> that
>> in our own simple webpage. The script takes care of inserting all
>> payments
>> from the .csv to the right customers in LMS (which have their bank account
>> registered with us).
>>
>> So, let me know what you think of this and if there are things you would
>> do differently.
>>
>> Best,
>>
>> Jelle
>> www.orxnet.org
>>
>>
>> On Sat, Sep 28, 2013 at 8:28 PM, Zenny <garbytrash at gmail.com> wrote:
>>
>>> On 9/28/13, Jelle <jml at orkz.net> wrote:
>>> > Hi,
>>> >
>>> > I'm still trying out some new things so it's going to take a while
>>> before I
>>> > can give a full howto of my setup. I'm documenting everything I'm doing
>>> so I
>>> > will put that online when it's ready.
>>>
>>> Wonderful, look forward to.
>>>
>>> >
>>> > As for now my setup will involve a pfSense firewall/router for NAT and
>>> > firewalling. LMS will be on another server in between that's bridging
>>> its
>>> > interfaces. The LMS server will do freeRadius (connected to LMS
>>> database)
>>> > for Wifi authentication. (Plain) MAC authentication will be done with
>>> > iptables on LMS, but for that I have to adjust the lms-makemacs script
>>> to
>>> > NOT use NAT. NAT should be disabled entirely on LMS to not have to
>>> double
>>> > NAT through LMS and pfSense (pfSense will do NAT).
>>> > Of course LMS will also do DHCP and DNS but since you can't put
>>> > firewall
>>> > rules in the LMS frontend (you would have to manage iptables from
>>> command
>>> > line), I want to use pfSense for that.
>>>
>>> But what about installing an iptables wrapper like shorewall to
>>> replace pfSense? Or for GUI, maybe webmin gui may work?!
>>>
>>> >
>>> > Since pfSense can be setup very easily with this - more or less -
>>> > static
>>> > setup, it shouldn't make the setup more difficult.
>>> >
>>> > So, that's an introduction of my (future) setup. The coming weeks
>>> > I'll
>>> try
>>> > to get the best out of LMS and use it for everything it's meant to :)
>>> I'll
>>> > get back to you.
>>> >
>>> > Best,
>>> > Jelle
>>> >
>>> >
>>> > On Mon, Sep 23, 2013 at 9:32 PM, Zenny <garbytrash at gmail.com> wrote:
>>> >
>>> >> On 9/23/13, Jelle <jml at orkz.net> wrote:
>>> >> > Hi Zenny,
>>> >> >
>>> >> > On Sun, Sep 22, 2013 at 1:11 PM, Zenny <garbytrash at gmail.com>
>>> >> > wrote:
>>> >> >
>>> >> >> @Jelle: Thanks for your helpful and useful inputs. I tried google
>>> >> >> translate with some odd outputs which was not English.
>>> >> >>
>>> >> >> On 9/20/13, Jelle <jml at orkz.net> wrote:
>>> >> >> > Hi,
>>> >> >> >
>>> >> >> > So after figuring some things out, I believe the vberry scripts
>>> are
>>> >> >> > only
>>> >> >> > limiting the use of LMS with firewall rules (iptables).
>>> >> >>
>>> >> >> Would you mind elaborating a bit more about the limitation caused
>>> >> >> by
>>> >> >> vberry script to LMS use?
>>> >> >>
>>> >> >> Of course. When trying the vberry scripts out, I couldn't find
>>> >> >> many
>>> >> > advantages above the LMS software. F.e. the interfaces assignment
>>> >> > for
>>> >> DHCP
>>> >> > can be done perfectly with the lms scripts (lms-makedhcpconf).
>>> >> > Using
>>> >> > the
>>> >> > vberry variation, you can only use /24 subnets because the vberry
>>> >> > script
>>> >> is
>>> >> > not so dynamic. When you look in the script, you'll see there is a
>>> lot
>>> >> > of
>>> >> > static content while the LMS scripts do exactly the same, but
>>> >> > better
>>> >> > and
>>> >> > more dynamic ;) -> which means you CAN use other subnets in LMS to
>>> fill
>>> >> the
>>> >> > dhcp config of dhcpd.
>>> >>
>>> >> Pretty interesting observation. Thanks for your input.
>>> >>
>>> >> >
>>> >> > the vberry scripts only add something for captive portal usage I
>>> >> > believe
>>> >> > but I haven't reviewed that one yet.
>>> >>
>>> >> Captive portal may be useful for FreeRADIUS and VPNs I guess.
>>> >>
>>> >> >
>>> >> >
>>> >> >> > Best to use the LMS
>>> >> >> > scripts directly for best usage.
>>> >> >>
>>> >> >> It would be nice if you could manage to explain a bit about how
>>> >> >> the
>>> >> >> same LMS router can be used as UTM/IDS and firewall with other
>>> >> >> packages without breaking LMS.
>>> >> >>
>>> >> >> Appreciate if you can point out some tutorials or case studies.
>>> >> >>
>>> >> >> Well, I don't know how you would 'break' LMS by installing other
>>> >> >> packages.
>>> >> > E.g. You could use fail2ban next to LMS of course, I don't know
>>> >> > much
>>> >> about
>>> >> > other UTM/IDS packages/programs you could use under Linux.
>>> >>
>>> >> Suricata/Snort, Squid, Squidguard, HAProxy before Varnish instances,
>>> >> some iptables+ipset wrapper like shorewall/ufw or anything customized
>>> >> like fridu firewall, fail2ban, denyhosts, rkhunter, chkrootkit, HAVP
>>> >> based on clamav, IP Blocklists and Country blocklists, tinc for mesh
>>> >> networks or IPSEC are some of the software that could serve for
>>> >> UTM/IDS purposes.
>>> >>
>>> >> > So, what I'm trying to do now is replace our pfSense installation
>>> with
>>> >> > an
>>> >> > LMS-all-in-one solution. I want to use DHCP, DNS, CP,
>>> >> > iptables/ipchains,
>>> >> > NAT, MAC blocking/allowing and freeRadius, all managed from LMS in
>>> >> > a
>>> >> Debian
>>> >> > environment. Of course I'm installing fail2ban and other security
>>> >> packages
>>> >> > next to LMS, but they run separately on the same server. Also
>>> >> > freeRadius
>>> >> is
>>> >> > updated with my own script.
>>> >>
>>> >> Very interesting to know. It would be interesting to know about the
>>> >> changes you made to make it work with the LMS-all-in-one solution.
>>> >>
>>> >> > All of the above functionality should be possible within LMS I
>>> >> > think
>>> >> > although iptables and NAT may need some manual editing.
>>> >>
>>> >> Eagerly look forward to reading more about your setup. Thanks!
>>> >>
>>> >> >
>>> >> >
>>> >> >>  >
>>> >> >> > I took some time to translate all Polish text with Google
>>> translate
>>> >> >> > (and
>>> >> >> > leaving the configuration settings intact of course). I've added
>>> the
>>> >> >> config
>>> >> >> > for LMS 1.11.13 in an attachment. Hope you can use that :)
>>> >> >>
>>> >> >> Reading the file you sent, thanks a zillion for your effort.
>>> >> >>
>>> >> >> >
>>> >> >> >
>>> >> >> > On Thu, Sep 19, 2013 at 9:18 AM, Zenny <garbytrash at gmail.com>
>>> wrote:
>>> >> >> >
>>> >> >> >> Hi:
>>> >> >> >>
>>> >> >> >> I have been trying to use LMS machine as a UTM (with additional
>>> >> >> >> software like snort, squid and squid proxy, spamassassin etc.).
>>> >> >> >> Have
>>> >> 3
>>> >> >> >> NICs for WAN, LAN and DMZ. the UTM shall act on WAN and LAN.
>>> >> >> >>
>>> >> >> >> But in lack of documentation in this connection that shall let
>>> >> >> >> break
>>> >> >> >> LMS, I am in limbo. I came across this page
>>> >> >> >> (
>>> >> >> >>
>>> >> >>
>>> >>
>>> http://vberry.net/linux-router/high-performance-linux-router-with-optional-lms-web-panel-and-radius-server-in-5-minutes/
>>> >> >> >> )
>>> >> >> >> which is also without proper documentation.
>>> >> >> >>
>>> >> >> >> Tried to read the lines between the codes, but most of them are
>>> in
>>> >> >> >> Polish (I wish I knew Polish).
>>> >> >> >>
>>> >> >> >> Any pointer or hints? Thanks in Advance.
>>> >> >> >> _______________________________________________
>>> >> >> >> lms-en mailing list
>>> >> >> >> lms-en at lists.lms.org.pl
>>> >> >> >> http://lists.lms.org.pl/mailman/listinfo/lms-en
>>> >> >> >>
>>> >> >> >
>>> >> >>
>>> >> >
>>> >>
>>> >
>>>
>>
>>
>
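
The atomic iptables-restore approach Jelle describes above (one iptables-save style file instead of flushing and re-adding rules, with only disconnected clients NATed to a warning page), as an added example that is not from this thread or the LMS project; the client list, addresses, warning-page address and log prefix are constructed assumptions:

```shell
#!/bin/sh
# Added example, not code from the lms-en thread or the LMS project. It
# builds the "captive firewall" ruleset described in the thread as one
# iptables-save style file, so the router can load it atomically with
# iptables-restore instead of flushing and re-adding rules one by one
# (which drops every open connection).
#
# Assumptions (constructed for this example): clients arrive as "IP STATUS"
# lines where STATUS is active or disconnected, the managed range is
# 10.0.0.0/24, and the payment warning page listens on 10.0.0.1:80.
CLIENT_NET="10.0.0.0/24"
WARN_PAGE="10.0.0.1:80"

# Constructed stand-in for what an LMS client export might contain.
CLIENTS='10.0.0.10 active
10.0.0.11 disconnected
10.0.0.12 active'

# Print a complete iptables-save format ruleset for the client list in $1.
# Only disconnected clients are DNATed to the warning page; active clients
# are left alone because the upstream pfSense box does the NAT (no double
# NAT). Every known client is forwarded; anything else in the range is
# logged and then dropped by the chain policy, so unknown hosts never reach
# the firewall behind LMS.
build_ruleset() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s\n' "$1" | while read -r ip status; do
        if [ "$status" = "disconnected" ]; then
            printf '%s\n' "-A PREROUTING -s $ip -p tcp --dport 80 -j DNAT --to-destination $WARN_PAGE"
        fi
    done
    printf 'COMMIT\n*filter\n:FORWARD DROP [0:0]\n'
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while read -r ip status; do
        printf '%s\n' "-A FORWARD -s $ip -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -s $CLIENT_NET -j LOG --log-prefix \"lms-unknown: \"" "COMMIT"
}

# Number of clients a generated ruleset redirects to the warning page, as a
# sanity check before the file is loaded.
count_redirected() {
    printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

# On the router: build_ruleset "$CLIENTS" > /etc/lms-captive.rules
# then iptables-restore < /etc/lms-captive.rules
build_ruleset "$CLIENTS"
```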

