From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 16:43:43 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A4A7D16A468 for ; Fri, 29 Jun 2007 16:43:43 +0000 (UTC) (envelope-from llevier@argosnet.com)
Received: from mx.levier.org (ns.argosnet.com [213.251.139.26]) by mx1.freebsd.org (Postfix) with ESMTP id 5721913C4B7 for ; Fri, 29 Jun 2007 16:43:43 +0000 (UTC) (envelope-from llevier@argosnet.com)
Received: from localhost (ns [213.251.139.26]) by mx.levier.org (Postfix) with ESMTP id B65B1267E1F; Fri, 29 Jun 2007 18:43:43 +0200 (CEST)
X-Virus-Scanned: amavisd-new at argosnet.com
Received: from mx.levier.org ([213.251.139.26]) by localhost (ns.levier.org [213.251.139.26]) (amavisd-new, port 10024) with ESMTP id rdp+qudF8X7T; Fri, 29 Jun 2007 18:43:10 +0200 (CEST)
Received: from Osgiliath.argosnet.com (tirion.argosnet.com [82.224.1.141]) by mx.levier.org (Postfix) with ESMTP id B3A97267E1D; Fri, 29 Jun 2007 18:43:09 +0200 (CEST)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 29 Jun 2007 18:43:06 +0200
To: "Huzeyfe Onal"
From: Laurent LEVIER
In-Reply-To:
References: <40497.57.250.229.136.1183122125.squirrel@wm.argosnet.com> <46851030.2030409@gmail.com> <49399.57.250.229.136.1183130030.squirrel@wm.argosnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <20070629164309.B3A97267E1D@mx.levier.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: authpf method with a HTTP Server?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 29 Jun 2007 16:43:43 -0000

Hi

At 17:58 29/06/2007, Huzeyfe Onal wrote:
>what you are trying to achieve is very easy using a captive
>portal. But I think you want to write a web interface for authpf.
>There was some discussion about an authpf web interface in
>2004[1] which gives you an idea that it's feasible.

I am not familiar with captive portals.

I used the WiFi term, but this does not reflect the real full need. The idea is to authenticate users passing the FW, not only over a WiFi link. So authenticating users when they build their tunnel, for example, is too restrictive.

To me, it is either in the spirit of an SSO able to authenticate the user only once so he can build his tunnel, pass a transparent proxy and pass FW rules, or the same as a captive portal, but also able to work over basic wired connectivity.

In sum, I don't intend to prevent access to the AP, but to directly control only the passthru of the Firewall with a transparent proxy. Not sure a captive portal can do that. I'm digging in parallel to learn more about this principle.

Thanks

Brgrds

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM
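For readers following the thread, here is the pf-side shape of what the poster is asking about (authpf gating the firewall passthru, with only authenticated hosts redirected to a transparent proxy). This is an added illustration, not code from the thread or from the authpf project. It uses the pre-4.7 pf syntax current for FreeBSD in 2007; the interface names, the proxy port and the ssh-only pre-auth policy are assumptions for the example.

```pf
# /etc/pf.conf (added example; interface names and proxy port are assumptions)
ext_if = "em0"
int_if = "em1"
proxy_port = "3128"    # assumed: a transparent HTTP proxy listening on the gateway

# authpf(8) adds $user_ip to this table when a user's ssh session starts
# and removes it when the session ends.
table <authpf_users> persist

# Translation anchors that authpf loads per session
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# Only hosts authpf has admitted are steered into the transparent proxy;
# unauthenticated hosts never reach it.
rdr on $int_if proto tcp from <authpf_users> to any port 80 -> 127.0.0.1 port $proxy_port

# Default: nothing crosses the gateway from the inside.
block in on $int_if all

# Pre-authentication, an inside host may only ssh to the gateway
# (the user's login shell is /usr/sbin/authpf, which opens the session).
pass in on $int_if proto tcp from $int_if:network to $int_if port 22 keep state

# Allow the (now redirected) proxy traffic to reach the local proxy port.
pass in on $int_if proto tcp from <authpf_users> to 127.0.0.1 port $proxy_port keep state

# Filter anchor that authpf fills with /etc/authpf/authpf.rules for each user
anchor "authpf/*"

# /etc/authpf/authpf.rules (loaded by authpf with $user_ip and $user_id substituted)
# Once authenticated, let the user's host through the firewall.
pass in quick on $int_if from $user_ip to any keep state
```

The effect is the SSO-like behaviour the poster describes: one ssh login to the gateway, and from then on the user's IP both passes the filter rules and is transparently proxied, over wired or wireless connectivity alike. The caveat, as with any IP-keyed authentication, is that the session is bound to $user_ip; on a shared or spoofable segment another host can borrow that address until authpf tears the session down.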