Need Help / paid support for Freetz configuration

organetic

New user
Member since: 27 May 2008
Posts: 2
Reaction score: 0
Points: 0
Hi fellows,

I'm sorry I'm writing in English, since I don't know if this is a German-exclusive forum.
I'm trying to configure my Freetz running on a 7270 Fritz!Fon.
The problem is that I don't get the configuration right.

First, I don't know the correct syntax for assigning static IP addresses in dnsmasq.
I know the MAC address of the machine, and I want to give a static IP address to it, but I'm not quite getting there.

Also, I'm having issues with the firewall.
My idea is to deny all traffic on every port, and allow only privoxy and SIP to communicate with the internet. Traffic would then be open only on the inside LAN, so that local network computers can communicate freely.

Regarding privoxy, I'm willing to make a list of allowed web sites, the same as a whitelist. This list would apply only to specific users. Every other user not in the list should get full access.

This is the first part of my needs. I would be glad if some of you could help me. I'm willing to pay for support, and then I would give you the dynamic DNS address, username and password of my Fritz!Box. You could then log in and configure it remotely for me.

Please let me know if this is OK, and how much you would charge.

Regards,
organetic
 
First, I don't know the correct syntax for assigning static IP addresses in dnsmasq.
Hi.
There is a syntax description for the hosts file in the web interface.
Code:
<ip> <mac> <interface> <host> [<aliases|#description>]
You should be able to generate a working line with this information, shouldn't you?
Sure, you have to enable static leases from the hosts file in the dnsmasq options.

Regards
Oliver
 
Hello organetic,

Even though your idea with privoxy sounds great, how would you like to check user names to distinguish known users and restrict their access, while you open everything to unknown users?

I assume you want to do some funny child protection for surfing the web, but if anyone not registered gets full access, I am sure your children will find out how to bypass this security measure.

Besides this, I am not sure if this set-up is realizable at all. I think it would help if you describe the goals you want to reach, so probably someone can give you some hints on how to reach them more easily.

In my opinion it is a more common way to restrict access for "anybody" to specific sites and unleash / grant unlimited access for known / logged-in users. However, usernames are not transferred by default, so you have to restrict the access to the proxy server and force a logon before allowing access to the internet (proxy configuration at the client) and also block all traffic to the outside trying to bypass the proxy; then you need user profiles for the different settings in the proxy configuration.

You can assign static IP addresses to your devices using the standard web interface of the Fritz!Box without any modifications. Either you just use a range outside of the DHCP scope in your private IP segment and configure the clients with static IP addresses, or you use DHCP for the first assignment and check the checkbox in the UI for "always assign this IP address to this MAC address" or something similar (I have no idea how exactly it is spelled in the English UI of the Fritz!Box). You should find this setting in the network devices section under details for a specific device.

It is also possible to achieve this by manually editing the ar7.cfg in the appropriate section for the DHCP daemon.

If you want to control the traffic not by user, but for a specific device, the best way is to use the firewall capabilities of iptables; you can define rules even for MAC addresses, using DNS names for targets, so if you want, for instance, to allow only specific access to an update server in the internet and block anything else, you can define this here without even needing the privoxy daemon.

However, if your white list is a long thing containing hundreds of addresses, using a proxy is a better choice.

Regarding internal traffic: the Fritz!Box is by default configured to bridge its interfaces, so there is no control over any internal traffic.
Even the AVM firewall is not able to control internal traffic. Of course there are solutions to reconfigure the interfaces using cpmaccfg / iptables to split the switch and create separate routable LAN segments and create a DMZ scenario (and in the end to control internal traffic through the Fritz!Box).


good luck!


cando
 
Is LDAP (or a comparable feature) something which could be used, depending of course on the OS of the user's client PC/notebook etc.?
MaxMuster seems to have built (but not tested) something (look into this thread and this one).
Sorry if my suggestion is dumb, I am not that much of a Linux freak, but I was aware that there was talk in the forum about authentication issues etc.
 
LDAP (Lightweight Directory Access Protocol) is one of the options to provide a single sign-on infrastructure to large organizations (e.g. to access Active Directory or other directory services for checking logon credentials against a centralized user database).

But I think this would be overkill here. In "Fritz!Box" environments there are typically a few PCs in a loosely connected peer-to-peer workgroup SOHO environment involved, no large Windows / Active Directory installations with domain controllers / servers etc., so LDAP with Fritz!Boxes is in my opinion a more "academic" approach.
 
Hello fellows,

First, I would like to thank you for your time.
Regarding this project, it's rather simple, I guess.
I intend to have a backup configuration on a small company network.
If, for whatever reason, their main server fails, the Fritz!Box should assume primary functions.
So, having this in mind, almost all functions should maintain access control.

Regarding access control of websites, my idea is to have a white list and, like cando said, to limit access both per MAC address and per user (with user authentication). Maybe I can configure a white list per user/MAC address combination. Of course there should be a list of user/MAC address combinations where they have full access to websites. Otherwise, every other connected computer has no access at all.

For the limits to be imposed on users, the firewall must have almost all ports closed, and only privoxy should have access to port 80. My idea, for the network to be as safe as possible, would be to close all ports on the firewall, and then open only the ports for allowing full local network access between computers (192.168.0.0/255.255.255.0) and open only ports 110 and 25 to local computers. Port 80 would be allowed only for privoxy. And SIP ports would also only be allowed for Fritz!Box access. I need to allow full access only to an update server on the LAN, 192.168.1.1.

So I guess there's no problem in closing access to unknown users (or limiting them to a white list too), using privoxy for navigation purposes only, with user access control (and, if possible, MAC address control too), and using iptables for allowing the server machine to have full access to the internet (with either a white list or DMZ).

I tried dnsmasq with the syntax
Code:
192.168.1.30 00:00:00:00:00:00 domain.local mikemachine # Mike's machine
but I had no luck. Mike's machine is not getting this IP address.

I have an external hard drive connected to our Fritz 7270, and the Samba folder on the network share works OK. But for security purposes there should be a way of limiting access to folders on a per user/MAC address basis. This would improve security, since the folder is now open for everyone with the same password.

As I mentioned before, I would be delighted if someone could help me on this. I would be glad to make a list of my needs (regarding configuration) and pay someone to configure it for me. I would give the username and password of my Fritz!Box; you could then enter the web administration console of both the Fritz!Box and Freetz and make all configurations.

I have a big "wish list" of configurations to be done. I guess any of you are very much more experienced with Freetz than me, and I really don't have the time needed for this now. Of course I'll check everything afterwards, as I want to understand it better too, but university exams are taking a lot of time at the moment. Please just let me know where I could send my "wish list" and provide me with an account number. I'll do a wire transfer and I'll count on you for future updates.

Regards,
Org
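One way to write the firewall policy described in the post above (default deny, open LAN, ports 25 and 110 for local clients, port 80 only for privoxy, SIP only for the box itself, full access for the update server) as iptables rules. This is an added example, not code from the thread or from Freetz; the interface names lan and dsl, the LAN range 192.168.0.0/24 and the uid privoxy runs as are assumptions to adjust to the real box.

```shell
#!/bin/sh
# Added example, not code from the thread or from Freetz: the policy described in
# the post above as iptables rules. Assumed (adjust to the real box): the LAN side
# is interface "lan", the internet side is "dsl", the LAN is 192.168.0.0/24, the
# update server is 192.168.1.1 as written in the post, and privoxy runs under its
# own uid so the owner match can single it out (with privoxy as root this match
# would also let every other root process reach port 80).
LAN_IF=${LAN_IF:-lan}
WAN_IF=${WAN_IF:-dsl}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SERVER=${SERVER:-192.168.1.1}      # update server: full internet access
PRIVOXY_UID=${PRIVOXY_UID:-65534}  # assumption: uid privoxy runs as

# Print the rule set, one iptables argument list per line, so the policy can be
# reviewed (or dry-run with IPT=echo) before it touches the box.
rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $LAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $SERVER -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 25,110 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m owner --uid-owner $PRIVOXY_UID -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 5060 -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
EOF
}
# Not in the post but needed in practice: the last line lets dnsmasq on the box
# reach its upstream resolvers; voice media (RTP) uses further UDP ports that the
# box's SIP configuration determines and that this set does not open.

# Flush and load the rules; IPT=echo prints them instead of applying them.
apply_rules() {
    IPT=${IPT:-iptables}
    $IPT -F && $IPT -X || return 1
    rules | while read -r line; do $IPT $line || exit 1; done
}

rules_count() { rules | wc -l | tr -d ' '; }

if [ "${1:-}" = apply ]; then apply_rules; else rules; fi
```

Run it without arguments to review the rules, or with IPT=echo and the argument apply to see exactly what would be executed before running it as root on the box.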
 