MPD5 PPTP-server isolate users from eachother

B

babovand

Hello guys

Im currently running a working mpd5 pptp server setup, I and was wondering if there is anyway to jail/isolate some users in mpd.secret, and some not.

For example, my home network ranges between 192.168.2.0 - 192.168.2.255
My mpd5 server is on 192.168.2.10

With my current setup, any user that is connected to my mpd5 server can access my other services (like web GUI) on different computers on my home network range, including the mpd5 server/services itself.

I basically want some users to have access to the home network IP range, and the rest of the users isolated from each other and my home network range.

Thanks!
 
babovand said:
Im currently running a working mpd5 pptp server setup, I and was wondering if there is anyway to jail/isolate some users in mpd.secret, and some not.

For example, my home network ranges between 192.168.2.0 - 192.168.2.255
My mpd5 server is on 192.168.2.10

With my current setup, any user that is connected to my mpd5 server can access my other services (like web GUI) on different computers on my home network range, including the mpd5 server/services itself.

I basically want some users to have access to the home network IP range, and the rest of the users isolated from each other and my home network range.
Click to expand...

You can force different local IP addresses or IP ranges for different users in /usr/local/etc/mpd5/mpd.secret. Have a look at /usr/local/etc/mpd5/mpd.secret.sample.

Code: 
user1       "pw1"       192.168.2.0/28
user2       "pw2"       192.168.2.0/28
user3       "pw3"       192.168.2.16/28
user4       "pw4"       192.168.2.16/28
user5       "pw5"       192.168.2.32/28
user6       "pw6"       192.168.2.32/28

Then, with the firewall you would restrict the one or the other local IP-range coming in via ng*.
 
rolfheinrich said:
Then, with the firewall you would restrict the one or the other local IP-range coming in via ng*.
Click to expand...
I forgot to say that I knew about forcing IP on on specific user in mpd.secret

However, Im totally noob at this, and Im actually using a different FreeBSD Distro, Nas4free. Firewall is available and I also have ssh console access.

If it not much to ask, could you guide me through it?

Here is a pic of the firewall interface, http://i45.tinypic.com/2d2gfo7.png

Options are:
Action: Allow, Deny, Reject
Interface: Lan
Protocol: UDP, TCP, ICMP, ALL
Direction: In, Out, Any.
 
Crest said:
As of FreeBSD 9.1 IPFW supports tables of interfaces. Just use tables and add the ng* interfaces in the mpd hooks to the tables.
Click to expand...
Thank you, but could you give me an example IPFW rule for this? and what is mpd hook?
 
ipfw(8)() rules could be as follows
Code: 
ipfw add 10 deny ip 192.168.2.0/28 to any 80 via ng*
ipfw add 20 deny ip 192.168.2.16/28 to not me via ng*
ipfw add 30 deny ip 192.168.2.32/28 to 192.168.2.100 via ng*
ipfw add 40 allow ip from any to any via ng*

Take care with the sequence numbers. The above logic is, to put the deny rules first, before allowing everything else. You could also have it the other way around, i.e. allowing only specific access, and having a final rule blocking all the rest.

Note the wildcard * at the interface name ng*. net/mpd5 creates a new network interface for each connection, e.g. ng0, ng1, ng2, ..., and ng* matches all.
 
You must log in or register to reply here.
Back
Top