...

Download the latest version of the attached shwl_add_shwl_del_sl_pmu archive and extract it somewhere convenient.

Shorewall

Add to /etc/shorewall/hosts:

...

Add the following line at the end of the 'post-auth' section and at the beginning of the Post-Auth-Type REJECT section:

reply_log

...

Add the following in the post-auth section, just before the Post-Auth-Type REJECT section:

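# Session-Timeout is in seconds (3600 = one hour).
# Termination-Action 1 is RADIUS-Request: the NAS re-authenticates when the session ends.
update reply {
    Session-Timeout := 3600
    Termination-Action := 1
}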

...

Modify /etc/freeradius/3.0/sites-available/inner-tunnel and comment out the following lines:

...

Add the following line at the end of the 'post-auth' section and at the beginning of the Post-Auth-Type REJECT section:

reply_log

...

Modify /etc/freeradius/3.0/radiusd.conf, set (in the 'log' section):

auth = yes

...

Modify /etc/freeradius/3.0/clients.conf: comment out the 'client localhost' and 'client localhost_ipv6' sections and add the following (replace with the actual IP addresses of the NASes):

...

It has been observed that radius.log is world-readable when the package is installed. Deleting it causes FreeRADIUS to re-create it, and the re-created file has more secure permissions. /etc/freeradius also comes with the executable bit set for all users, which makes it easier for sensitive information inside it to be world-readable if the permissions of an individual file are not restrictive enough (as was the case, by default, with the file containing the encryption passwords for the SSL certificates). No information could be found online on whether there is a good reason for the executable bit being set, so it was decided that removing it is safer.
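
A permission audit for the situation described above, as an added example that is not part of the original page: it lists every path under a directory (or a single file such as radius.log) that grants any access to "other", and can strip those bits. The function names are hypothetical, and it assumes the FreeRADIUS user reaches its files through owner or group permissions.

```shell
#!/bin/sh
# Added example (not from the original page): audit and tighten "other"
# permission bits on a FreeRADIUS config tree or log file.

# List every path under $1 that grants read, write or execute to "other".
# Symlinks are skipped: their own mode is typically rwxrwxrwx and says
# nothing about the target (sites-enabled/ and mods-enabled/ hold many).
list_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count the findings; 0 means nothing under $1 is reachable by "other".
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Remove all "other" bits from the paths reported above.
# Assumption: the daemon gets its access as owner or group, so verify
# ownership first and run this as root.
strip_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} +
}

# Report mode. Usage: sh audit.sh /etc/freeradius /path/to/radius.log
for target in "$@"; do
    echo "== $target: $(count_other_access "$target") path(s) open to other"
    list_other_access "$target"
done
```

Run the report first and call strip_other_access only on trees whose owner and group are already correct.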

...