02-16-2008, 06:41 AM
DoN. Nichols
Re: HOWTO use OpenBSD as on-demand dial-up gateway and firewall for LAN of Windows® systems

In article <1191s8epv2svm40@corp.supernews.com>,
J. Graue <info@nospam.com> wrote:
>Hello, Sam:
>
><SNIP everything else but this one issue that sam addressed>
>
>> > I'd like to figure out how to allow someone on the network the ability to
>> > shutdown the firewall/gateway without having to login to the system (I'm
>> > worried they'll freak out at having to look at a command-line), but that
>> > can wait, unless someone has a suggestion.
>> >
>
>> Just press the power off button, the system will fsck the filesystem
>> automatically when it rebooted next time.

You didn't mention what the hardware was, so I don't know what
may be available.

With some hardware, the system can hold the power up after you
hit the power button until a complete and clean shutdown is performed.
On these, the power off button is a reasonable approach. However, if
the hardware does not support this, you could lose data as power drops
between the time a logical write to disk has occurred and the time that
the flush happens to assure a *physical* write to disk.

>Thanks for the suggestion. I would welcome any others' thoughts on this.
>With all due respect to you, sam, I find this solution to be inelegant. If,
>on the LAN-side, someone could, say, shutdown the dial-up gateway from a Web
>page, that would be great.


Hmm ... perhaps a CGI script -- ideally locked out of access
from outside, and available only to local IPs, which invokes the
following command line:

shutdown -h -p +5 web requested shutdown

You may wish to tune either the time or the message which follows the
time.

It might be a good idea to have the CGI script check the current time of
day and compare it to the normal working hours to decide whether to
honor the web-based request. Or -- if you can find out how many systems
are currently using the gateway, perhaps it should return a message
indicating how many users are on, and refusing until the number is down
to one.

>If you have any thoughts on how I might go about configuring an on-demand
>dialup gateway/firewall using OpenBSD, again, I would appreciate any input.


I've only covered possibilities for making the shutdown web
based to protect your users from the dreaded command line. However, it
presents some interesting opportunities for Denial Of Service attacks if
one of your internal users is feeling obnoxious. I would suggest that
the CGI script also log the IP address (and system name, if available)
for after-the-fact determination of the offending party.

Good Luck,
DoN.
--
Email: <dnichols@d-and-d.com> | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
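The CGI wrapper DoN. sketches above (local IPs only, a time-of-day check, and logging of who asked before running the quoted shutdown command), as an added example that is not code from the original thread or from OpenBSD. It assumes a 192.168.1.0/24 LAN, 08:00-18:00 working hours, a log at /var/log/web-shutdown.log, and that the web server user may run shutdown(8) through doas(1); none of those details come from the post.

```shell
#!/bin/sh
# Added example, not from the original thread: a CGI wrapper that applies the
# three checks DoN. suggests before invoking the shutdown command he quotes.
# Assumed: LAN 192.168.1.0/24, working hours 08:00-18:00, log path below,
# and doas(1) rights for the web server user to run shutdown(8).
LAN_PREFIX="192.168.1."              # assumed LAN prefix
WORK_START=8                         # assumed working hours, 24h clock
WORK_END=18
LOGFILE=${LOGFILE:-/var/log/web-shutdown.log}   # assumed log path
SHUTDOWN_CMD=${SHUTDOWN_CMD:-"doas /sbin/shutdown -h -p +5 web requested shutdown"}

# The "locked out from outside" check: accept only addresses in the LAN prefix.
is_local_ip() {
    case "$1" in
        "$LAN_PREFIX"[0-9]|"$LAN_PREFIX"[0-9][0-9]|"$LAN_PREFIX"[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}
# The time-of-day check: honor requests only outside working hours ($1 = hour 0-23).
outside_work_hours() {
    [ "$1" -lt "$WORK_START" ] || [ "$1" -ge "$WORK_END" ]
}
# Audit trail for the after-the-fact determination of who asked (addr, host, outcome).
log_request() {
    printf '%s addr=%s host=%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" "$3" >> "$LOGFILE"
}
# Decide on a request from address $1 (host name $2) at hour $3.
# Prints the reply body; returns 0 to honor, 1 to refuse. Every request is logged.
decide() {
    if ! is_local_ip "$1"; then
        log_request "$1" "$2" "refused: not a LAN address"
        echo "Refused: requests are accepted from the LAN only."; return 1
    fi
    if ! outside_work_hours "$3"; then
        log_request "$1" "$2" "refused: working hours"
        echo "Refused: the gateway stays up during working hours."; return 1
    fi
    log_request "$1" "$2" "honored"
    echo "Shutdown scheduled in 5 minutes."
}
# CGI entry point: runs only when the web server has set the CGI environment.
if [ -n "$GATEWAY_INTERFACE" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    hour=$(date +%H); hour=${hour#0}      # strip a leading zero so test(1) compares decimal
    if decide "${REMOTE_ADDR:-unknown}" "${REMOTE_HOST:-unknown}" "$hour"; then
        $SHUTDOWN_CMD
    fi
fi
```

Install it in the server's CGI directory; the log line per request is what you would grep for after someone on the LAN decides to be obnoxious.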