Ok little by little this is all coming back to me, when I first implemented this I did use nocat auth, I managed to manipulate it to make it work for my needs. Everything is pointing to the right spot, However, until recently I just left it all alone cause it was working. Still is actually just not the way I want it to. the nocat.conf points to the /usr/locat/nocat/bin/initialize.fw. however you are right in concluding its not inputting the tables on a reboot. Its strange cause when I edit the file it creates the temp file initialize.fw~ and its not removing it. I wonder if that could be causing some of the issues. I manually remove it. I am going to try the two tables that you suggested, tonight. In the mean time. Is there anything I can get additional for you that you might be able to help trouble shoot this? I am at a loss, cause it "SHOULD" work.... but how do you ever learn if you don't have things that don't work and try to figure it out. By the way, I had thought the same thing you did about the lines not getting added. I wonder if I manually have to implement the adjustment in the Initialize.fw file when I change them? What do you think. TLEE Out
This is what listed in the /usr/local/nocat/bin folder:
:/usr/local/nocat/bin$ ls
access.fw admintool clear.fw detect-fw.sh dump.fw gateway initialize.fw iptables reset.fw throttle.fw vtun.sh
:/usr/local/nocat/bin$
And here is a copy of the nocat.conf file
###### gateway.conf -- NoCatAuth Gateway Configuration.
#
# Format of this file is: <Directive> <Value>, one per
# line. Trailing and leading whitespace is ignored. Any
# line beginning with a punctuation character is assumed to
# be a comment.
###### General settings.
#
# See the bottom of this file for options for logging to syslog.
#
# Log verbosity -- 0 is (almost) no logging. 10 is log
# everything. 5 is probably a safe middle road.
#
Verbosity 10
##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
# on the splash and status pages. Any short string of text will do.
#
GatewayName Spokane Airport Ramada
##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
# values are:
#
# Captive - Allow authentication against an auth service. LEGACY.
# Passive - Like Captive, but YOU MUST USE THIS if your gateway
# is behind a NAT. Will work anyway if not. *RECOMMENDED*.
# Open - Simply require a user to view a splash page and accept
# a use agreement.
#
# If Captive or Passive Mode is set, you will need to have values set for
# AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a
# short value for LoginTimeout (probably <600).
#
# If Open Mode is set, you will need to have values set for SplashForm,
# HomePage, and possibly DocumentRoot (or provide an absolute path for
# SplashForm). Also, you will want to set a large value for LoginTimeout
# (probably >3600).
#
GatewayMode Open
##
# GatewayLog -- Optional. If unset, messages will go to STDERR.
#
GatewayLog /usr/local/nocat/nocat.log
##
# LoginTimeout - Number of seconds after a client's last
# login/renewal to terminate their connection. Probably
# don't want to set this to less than 60 or a lot of
# bandwidth is likely to get consumed by the client's
# renewal attempts. Defaults to 300 seconds.
#
# For Captive Mode, you want to set this to something
# fairly short (like 10 minutes) to prevent connection
# spoofing.
#
#LoginTimeout 3600
# For Open Mode portals, you probably want to comment out
# the preceding and set LoginTimeout to
# something large (like 86400, for one notification
# per day).
#
LoginTimeout 86400
###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
# redirect.
#
HomePage 10.254.0.1
# DocumentRoot -- Where all of the application templates (including
# SplashPage) are hiding. Can be different from Apache's DocumentRoot.
#
DocumentRoot /usr/local/nocat/htdocs
# SplashForm -- Form displayed to users on capture.
#
SplashForm splash.html
# StatusForm -- Page displaying status of logged in users.
#
StatusForm status.html
###### Active/Passive Portal settings.
#
##
# TrustedGroups - A list of groups registered with the auth server
# that a user may claim membership in order to gain Member-class
# access through this portal. The default magic value "Any" indicates
# that a member of *any* group is granted member-class access from
# this gateway.
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
#TrustedGroups Any
##
# Owners - Optional. List all local "owner" class users here, separated
# by spaces. Owners typically get full bandwidth, and unrestricted
# access to all network resources.
#
# Owners
rob@nocat.net schuyler@nocat.net
##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
# your authentication service. You must use an IP address
# if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
#AuthServiceAddr auth.nocat.net
##
# AuthServiceURL - HTTPS URL to the login script at the authservice.
#
#AuthServiceURL https://$AuthServiceAddr/cgi-bin/login
##
# LogoutURL - HTTP URL to redirect user after logout.
#
#LogoutURL https://$AuthServiceAddr/logout.html
### Network Topology
#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
# from looking at your routing tables and picking the interface
# that carries the default route. Must be set to the interface
# connected to the Internet. Usually 'eth0' or 'eth1'
# under Linux, or maybe even 'ppp0' if you're running
# PPP or PPPoE.
#
ExternalDevice eth2
##
# InternalDevice - Required if and only if you have ethernet devices
# on your gateway besides your wireless device and your 'Net connection.
# Must be set to the interface connected to your local network, normally
# your wireless card. In Linux, some wireless devices are named 'wvlan0'
# or 'wlan0' rather than 'ethX'.
#
InternalDevice eth3
##
# LocalNetwork - Required if and only if NoCatAuth can't figure out
# the network address of your local (probably wireless) network,
# given your InternalDevice(s). Must be set to the network
# address and net mask of your internal network. You
# can use the number of bits in the netmask (e.g. /16, /24, etc.)
# or the full x.x.x.x specification.
#
LocalNetwork 10.254.0.0/23
##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
# specify the address(es) of one or more domain name server on the Internet
# that wireless clients can use to get out. Should be the same DNS that your
# DHCP server hands out. If left blank, NoCatAuth will presume that you
# want to use whatever nameservers are listed in /etc/resolv.conf.
#
DNSAddr 8.8.8.8
DNSAddr 8.8.8.8
##
# AllowedWebHosts - Optional. List any domains that you would like to
# allow web access (TCP port 80 and 443) BEFORE logging in (this is the
# pre-'skip' stage, so be careful about what you allow.)
#
AllowedWebHosts
www.google.com
##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT.
# Uncomment this only if you're running a strictly routed network, and
# don't need the gateway to enable NAT for you.
#
# RouteOnly 1
##
# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly
# connected (or bridged at Layer 2) to your internal (usually wireless)
# network. In that event, the gateway won't be able to match clients based
# on MAC address, and will fall back to using IPs only. This is
# theoretically less secure, as IP addresses are usually easier to spoof
# than MAC addresses, so don't use this unless you know what you're doing.
#
# IgnoreMAC 1
##
# MembersOnly - Optional. Uncomment this if you want to disable public
# access (i.e. unauthenticated 'skip' button access). You'll also want to
# point AuthServiceURL somewhere that doesn't include a skip button (like
# at your own Auth server.)
#
# MembersOnly 1
##
# IncludePorts - Optional. Specify TCP ports to allow access to when
# public class users login. All others will be denied.
#
# For a list of common services and their respective port numbers, see
# your /etc/services file. Depending on your firewall, you might even
# be able to specify said services here, instead of using port numbers.
#
# IncludePorts 22 80 443
##
# ExcludePorts - Optional. Specify TCP ports to denied access to when
# public class users login. All others will be allowed.
#
# Note that you should use either IncludePorts or ExcludePorts, but not
# both. If neither is specified, access is granted to all ports to
# public class users.
#
# You should *always* exclude port 25, unless you want to run an portal
# for wanton spam sending. Users should have their own way of sending
# mail. It sucks, but that's the way it is. Comment this out *only if*
# you're using IncludePorts instead.
#
# ExcludePorts 23 25 111
#
ExcludePorts 25
####### Syslog Options -- alter these only if you want NoCat to log to the
# system log!
#
# Log Facility - syslog or internal. Internal sends log messages
# using the GatewayLog or STDERR if GatewayLog is unset. Syslog
# sends all messages to the system log.
#
# LogFacility internal
##
# SyslogSocket - inet or unix. Inet connects to an inet socket returned
# by getsrvbyname(). Unix connects to a unix domain socket returned by
# _PATH_LOG in syslog.ph (typically /dev/log). Defaults to unix.
#
# SyslogSocket unix
##
# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait
# Defaults to "cons,pid".
#
# SyslogOptions cons,pid
##
# SyslogPriority - The syslog class of message to use: In decreasing importance,
# the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO,
# and DEBUG. Defaults to INFO.
#
# SyslogPriority INFO
##
# SyslogFacility - The facility used to log messages. Defaults to user.
# SyslogFacility user
##
# SyslogIdent - The ident of the program that is calling syslog. This will
# be prepended to every log entry made by NoCat. Defaults to NoCat.
#
# SyslogIdent NoCat
###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
# open and close the firewall. You probably don't need to
# change these.
#
# ResetCmd initialize.fw
# PermitCmd access.fw permit $MAC $IP $Class
# DenyCmd access.fw deny $MAC $IP $Class
##
# GatewayPort - The TCP port to bind the gateway
# service to. 5280 is de-facto standard for NoCatAuth.
# Change this only if you absolutely need to.
#
# GatewayPort 5280
##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
# somewhere that NoCat doesn't expect.
#
# PGPKeyPath /usr/local/nocat/pgp
##
# MessageVerify -- Shell command to verify a PGP signed
# message. The actual message is delivered to the
# command's standard input. NoCat tries to find gpg
# and gpgv in your path. Set these only if you need to find
# them elsewhere.
#
# GpgvPath /usr/bin/gpgv
#
# MessageVerify $GpgvPath --homedir=$PGPKeyPath 2>/dev/null
##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
# for expiration of idle clients.
#
# MaxMissedARP -- How many times a client can be missing from
# the ARP cache before we assume they've gone away, and log them
# out. Set to 0 to disable logout based on ARP cache expiration.
#
# MaxMissedARP 2
#
# IdleTimeout 300
### Fin!
SyslogSocket unix
SyslogPriority INFO
SyslogOptions pid,cons
LogFacility internal
started from /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/usr/local/nocat/bin/./gateway
exit 0