Packetfence is a very powerful Network Access Control tool. Using Packetfence you can control and block unwanted traffic on your network. Want to block P2P services like BitTorrent, or keep mobile devices like iPhones and Android phones off your wireless network? Packetfence gives you the kind of fine-grained control you're looking for.
Packetfence is officially supported on Red Hat Enterprise Linux (RHEL) and CentOS. With those two distributions you can quickly get Packetfence up and running (Unlike on Ubuntu which I recently outlined in "Install and Configure Packetfence on Ubuntu Linux"). But you are not relegated to command line only (as you will find in Ubuntu). With Red Hat or CentOS you will find a powerful web-based tool at your fingertips. With this tool you can easily manage Packetfence. But not all aspects of Packetfence can be handled from the web-based GUI.
Assumptions
What I want to demonstrate is how to block specific traffic on your Packetfence-enabled network. I will assume just a few items:
- You already have Packetfence installed and working properly (I will be demonstrating on CentOS 5).
- You have administrative rights to the machine Packetfence is installed on.
That's all. I am going to demonstrate how to block two types of traffic. First I am going to demonstrate how to block P2P traffic (such as Limewire) which will be followed by how to block iPhone/Android phone access to your network.
Adding the Final Piece: Snort
In order for Packetfence to block specific services or devices you have to enlist the help of Snort. Snort is a network intrusion detection system. In order to install Snort, follow these steps:
- Open up a terminal window.
- su to the root user or use sudo.
- Issue the command yum install snort
Snort only detects what its rules describe, so you also need a rule set. You can either:
- Write your own rules.
- Download and install pre-configured rules from the Snort Website:
  - Open up a terminal window.
  - Change to the directory the snortrules-snapshot-XXX.tar.gz file was downloaded to (Where XXX is the release number that matches the Snort release installed on your machine.)
  - Issue the command tar xvzf snortrules-snapshot-XXX.tar.gz (Where XXX is the release number).
  - Change into the newly created rules folder.
  - Issue the command cp * /etc/snort/rules/
Enable Snort
Since you just added Snort, you need to make Packetfence aware. To do this open up the /usr/local/pf/conf/pf.conf file and add the following:
[services]
snort=/usr/sbin/snort
Save the file and restart Packetfence with the command /usr/local/pf/bin/pfcmd service pf restart — Packetfence is now using Snort.
Choosing the Correct Template
Before we can get into the actual configuration and blocking of services/devices, we first have to re-configure Packetfence to run in a mode other than testing. In the first article I illustrated how to configure and start Packetfence in testing mode. This is great for making sure things are working as Packetfence will only log events (not act upon them). In order to get Packetfence to actually act upon a violation, you have to reconfigure it to run using a different template. The templates you can choose from are:
- Test mode
- Registration
- Detection
- Registration & Detection
- Registration, Detection & Scanning
- Session-based Authentication
To switch templates, follow these steps:
- su to the root user.
- Change to the /usr/local/pf directory.
- Issue the command ./configurator.pl
- Select option [5] for Registration, Detection & Scanning.
- Answer all of the questions (this will be similar to your initial installation, as shown in the first article).
- Now cd into the /usr/local/pf/bin directory.
- Issue the command ./pfcmd service pf restart.
Enabling Specific Violations
In the violations.conf file you will see a long laundry list of violations. Each violation section looks like:
[2000334]
desc=P2P (BitTorrent)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2000334,Detect::2000357,Detect::2000369
The above violation is for BitTorrent connections. As you can see this violation, in its default state, is disabled. To enable this violation all you need to do is change the line:
disable=Y
to
disable=N
You will find, listed in the violations, the P2P violation and the Android device violation. Enable both of those, save the file, and restart Packetfence. Now, any device that violates the enabled violations will be denied access and will be logged.
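The edit above is a one-character change per violation, but two things are easy to get wrong by hand: enabling a violation whose desc you misread, and enabling a violation whose Detect:: triggers reference Snort signature IDs that are not in the rules you copied into /etc/snort/rules/ (such a violation can never fire, so the network looks covered when it is not). The script below is an added example, not PacketFence's or Snort's own code. It assumes the violations.conf layout shown above (one [ID] section per violation with disable=Y|N and trigger=Detect::SID,... keys) and that each Detect:: ID is the sid of a Snort rule, which is what the BitTorrent entry suggests. Both file contents are constructed samples; the Android violation ID (9000001) is a placeholder because the article does not give the real one.

```python
"""Enable PacketFence violations by description and cross-check their
Snort triggers against the rules Snort actually loads.

Added example, not PacketFence's or Snort's own code. Assumes the
violations.conf layout from the article and that each Detect:: ID is a
Snort rule sid. All file contents below are constructed samples.
"""
import configparser
import io
import re
from typing import Dict, List, Set

# Constructed sample of violations.conf. The P2P entry mirrors the one in
# the article; the Android entry uses a placeholder ID (9000001) because
# the article does not give the real one.
SAMPLE_VIOLATIONS = """\
[2000334]
desc=P2P (BitTorrent)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2000334,Detect::2000357,Detect::2000369

[9000001]
desc=Android device (placeholder)
priority=5
url=/content/index.php?template=android
disable=Y
max_enable=1
trigger=Detect::9000001
"""

# Constructed Snort rule lines; only the sid option matters for this check.
# sid 2000369 and the placeholder 9000001 are deliberately absent so the
# coverage gap shows up in the report.
SAMPLE_SNORT_RULES = """\
# constructed rules file
alert tcp any any -> any any (msg:"sample BitTorrent peer sync"; sid:2000334; rev:1;)
alert tcp any any -> any any (msg:"sample BitTorrent traffic"; sid:2000357; rev:1;)
"""

TRIGGER_RE = re.compile(r"Detect::(\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def load_violations(text: str) -> configparser.ConfigParser:
    """Parse violations.conf text; interpolation is off so '%' in URLs is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def enable_violations(cp: configparser.ConfigParser, wanted: List[str]) -> List[str]:
    """Set disable=N on every violation whose desc contains one of the
    wanted substrings (case-insensitive). Returns the IDs that were enabled."""
    enabled = []
    for vid in cp.sections():
        desc = cp[vid].get("desc", "")
        if any(w.lower() in desc.lower() for w in wanted):
            cp[vid]["disable"] = "N"
            enabled.append(vid)
    return enabled


def trigger_sids(trigger_value: str) -> List[int]:
    """Extract the Snort SIDs from a 'Detect::...' trigger list."""
    return [int(m) for m in TRIGGER_RE.findall(trigger_value)]


def snort_sids(rules_text: str) -> Set[int]:
    """Collect every sid defined on active (non-comment) Snort rule lines."""
    sids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        sids.update(int(m) for m in SID_RE.findall(line))
    return sids


def missing_triggers(cp: configparser.ConfigParser, loaded: Set[int]) -> Dict[str, List[int]]:
    """For each enabled violation, list trigger SIDs that no loaded Snort
    rule defines; those triggers can never fire."""
    report = {}
    for vid in cp.sections():
        if cp[vid].get("disable", "Y").upper() != "N":
            continue
        gaps = [s for s in trigger_sids(cp[vid].get("trigger", "")) if s not in loaded]
        if gaps:
            report[vid] = gaps
    return report


def render(cp: configparser.ConfigParser) -> str:
    """Serialise back in PacketFence's key=value style (no spaces around '=')."""
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()


if __name__ == "__main__":
    conf = load_violations(SAMPLE_VIOLATIONS)
    print("enabled:", enable_violations(conf, ["P2P", "Android"]))
    print("triggers without a Snort rule:",
          missing_triggers(conf, snort_sids(SAMPLE_SNORT_RULES)))
    print(render(conf))
```

On a real host you would read /usr/local/pf/conf/violations.conf and the files under /etc/snort/rules/ instead of the constructed strings, write the rendered output back, and restart Packetfence as described above. Any violation reported by missing_triggers is worth a second look before you rely on it: either the matching rule was not part of the snapshot you copied, or the snapshot does not match the installed Snort release.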
Web Interface
As I mentioned, Packetfence does come with a spiffy Web interface that allows you to manage your Packetfence-protected network. To access this tool open up your browser and point it to https://ADDRESS_TO_SERVER:1443. When you arrive at this site you will have to log in with your admin credentials (configured during installation of Packetfence). Upon successful authentication you will find yourself at the Packetfence web interface (see Figure 1). Here you can manage each node on your network, add users (for authentication), start/stop various pieces of Packetfence, and configure Packetfence.
From the Violation tab you can even enable/disable violations using a simple drop-down to select the particular violation you want to enable.
Final Thoughts
As far as Network Access Control goes, you will be hard-pressed to find a more powerful tool than Packetfence. Not only is it powerful, but once installed and configured it is easy to administer and manage. Of course, there is so much more that can be done with Packetfence. For more information read through the outstanding guides offered on the Packetfence Documentation page.
Original source can be found at linux.com
Hi,
Thanks for the post. But I got the following errors when I attempted to start the Packetfence:
[root@231726 ~]# /usr/local/pf/bin/pfcmd service pf restart
service|command
httpd|stop
snmptrapd|stop
pfsetvlan|stop
pfdhcplistener|stop
pfmon|stop
Checking configuration sanity...
Can't call method "tag" on an undefined value at
/usr/local/pf/lib/pf/pfcmd/checkup.pm line 169 (#1)
(F) You used the syntax of a method call, but the slot filled by the
object reference or package name contains an undefined value. Something
like this will reproduce the error:
$BADREF = undef;
process $BADREF 1,2,3;
$BADREF->process(1,2,3);
Uncaught exception from user code:
Can't call method "tag" on an undefined value at /usr/local/pf/lib/pf/pfcmd/checkup.pm line 169.
at /usr/local/pf/lib/pf/pfcmd/checkup.pm line 169
pf::pfcmd::checkup::interfaces() called at /usr/local/pf/lib/pf/pfcmd/checkup.pm line 87
pf::pfcmd::checkup::sanity_check('httpd', 'snmptrapd', 'pfsetvlan', 'pfdhcplistener', 'pfmon') called at /usr/local/pf/bin/pfcmd line 1357
main::checkup('httpd', 'snmptrapd', 'pfsetvlan', 'pfdhcplistener', 'pfmon') called at /usr/local/pf/bin/pfcmd line 1280
main::service() called at /usr/local/pf/bin/pfcmd line 1253
main::service() called at /usr/local/pf/bin/pfcmd line 201
main::__ANON__() called at /usr/local/pf/bin/pfcmd line 218