
I run a firewall on a central router. Recently, several users have wanted to use Skype. Since firewalling Skype virtually means switching the firewall off, I am considering allowing users to temporarily punch holes for their systems. Since the users have no accounts on the router, I am considering using Kerberos for authentication and authorization.

The router is a Debian Squeeze box, with minimal configuration, i.e. no web-server, database or similar gimmicks.

Does anyone know an existing solution which could be used for that purpose? Or does anybody know easy-to-use and well-documented frameworks in, say, Perl, Python, C, C++, ... that make setting up a Kerberos-authenticated client and server application really simple?

Lars Hanke
    It should be possible to permit people to use Skype without completely opening the firewall. If you want to permit this for a limited set of users, why not require those users to set up a VPN, and then firewall the VPN clients differently? – Zoredache Nov 04 '13 at 21:15

1 Answer


You could use a UPnP daemon (upnpd) to open ports on demand. Some daemons, such as miniupnpd, build restrictive rules which only open the ports to the requesting server. The daemon adjusts your iptables firewall by maintaining rules in a couple of chains.

I investigated firewalling Google Chat and Skype. I found that Skype is not designed to play well with firewall restrictions. Each user needs an incoming port forwarded to their device. Additional ports are required for each connection. However, it is not necessary to shut the firewall down to use Skype. Other than the incoming port for each user, you will need to enable outgoing connections on the ephemeral ports for the devices being used. Incoming restrictions can be quite tight.

I was able to get miniupnpd working with a Shorewall firewall by adding the required chains in the start configuration file.

BillThor
  • It's actually not that bad. Skype works well behind NAT, but you have to open outgoing connections from any unprivileged port to any unprivileged port anywhere. And since it's all encrypted there is no hope for a conntrack module. – Lars Hanke Nov 05 '13 at 19:03
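The answer above says miniupnpd keeps its rules in "a couple of chains" that have to be created before the daemon starts (which is why the Shorewall start file needed editing), and that it can be told to build restrictive rules. As an added example, not code from the original post or from the miniupnpd project, the script below prints the four iptables commands that create and hook those chains (the form you would call from /etc/shorewall/start), applies them idempotently, and renders a restrictive miniupnpd.conf. The interface name eth0, the LAN addresses, the listening port 5000 and the config path are assumptions; adjust them to your router.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: WAN interface,
# LAN interface address, LAN range allowed to request mappings, config path.
EXTIF="${EXTIF:-eth0}"
LANIP="${LANIP:-192.168.1.1/24}"
LAN="${LAN:-192.168.1.0/24}"
CONF="${CONF:-/etc/miniupnpd/miniupnpd.conf}"

# Print the iptables commands that create miniupnpd's chains and hook them
# into nat/PREROUTING (the DNAT port forwards) and filter/FORWARD (the
# accept rules). miniupnpd only ever adds and deletes rules inside the
# MINIUPNPD chains; the chains and the two jumps must already exist.
miniupnpd_chain_rules() {
    extif="$1"
    cat <<EOF
iptables -t nat -N MINIUPNPD
iptables -t nat -A PREROUTING -i $extif -j MINIUPNPD
iptables -N MINIUPNPD
iptables -A FORWARD -i $extif ! -o $extif -j MINIUPNPD
EOF
}

# Run the commands above. Chain creation (-N) is allowed to fail because the
# chain survives a daemon restart; the jump rules are not, so a broken
# interface name shows up as an error instead of silently leaving the
# forwards unreachable.
apply_chain_rules() {
    miniupnpd_chain_rules "$1" | while IFS= read -r cmd; do
        case "$cmd" in
            *" -N "*) $cmd 2>/dev/null || true ;;
            *)        $cmd ;;
        esac
    done
}

# Render a restrictive miniupnpd.conf. secure_mode=yes stops a client from
# mapping a port to any internal address other than its own, the allow line
# limits who may request a mapping and to which port ranges, and the final
# deny line rejects everything else (rules are evaluated in order).
miniupnpd_conf() {
    extif="$1"; lanip="$2"; lan="$3"
    cat <<EOF
ext_ifname=$extif
listening_ip=$lanip
port=5000
enable_natpmp=yes
enable_upnp=yes
secure_mode=yes
allow 1024-65535 $lan 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}

# "install" writes the chains and the config; with no argument the script
# only defines the functions so it can be sourced from a firewall start file.
if [ "${1:-}" = "install" ]; then
    apply_chain_rules "$EXTIF"
    miniupnpd_conf "$EXTIF" "$LANIP" "$LAN" > "$CONF"
fi
```

With Shorewall, the jump rules are lost every time the firewall is restarted, so `apply_chain_rules` belongs in /etc/shorewall/start rather than in a one-off boot script. The allow/deny pair is what makes the mappings "tight": a client on the LAN can only ask for unprivileged external ports, and with secure_mode it can only point them at itself, so one Skype user cannot open a forward to another machine.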