Date: Thu, 04 Dec 2008 18:11:20 +1030 From: Andrew <awd@awdcomp.net> To: Olivier Nicole <on@cs.ait.ac.th> Cc: freebsd-questions@freebsd.org, ccowart@rescomp.berkeley.edu Subject: Re: Firewall with bridged interfaces and captive portal Message-ID: <493789A0.40204@awdcomp.net> In-Reply-To: <200812040337.mB43bGHE015979@banyan.cs.ait.ac.th> References: <200812030508.mB358SUx095910@banyan.cs.ait.ac.th> <20081203222520.GA19693@hal.rescomp.berkeley.edu> <200812040337.mB43bGHE015979@banyan.cs.ait.ac.th>
next in thread | previous in thread | raw e-mail | index | archive | help
Olivier Nicole wrote: > Hi Chris, > >>> I need to implement a firewall with bridged interfaces that offers >>> captive portal (authentication before opening the traffic). >> We are using a combination of squid+ipfw. Although we are NATing the >> users, that really just introduces needless complexity that could be >> avoided with a bridging solution. >> >> Our web-app/captive portal/authentication program is written in-house; >> it's very tightly integrated with several existing pieces of >> infrastructure. I don't know if there are any solutions that will work >> out-of-the-box. >> >> I can get you more technical details if this is a direction you'd be >> interested in moving. > > Long time ago I have been toying with ipf (for the genral firewall) > and NoCat+ipfw for the captive portal. > > But that did not work too well, so any technical information will be > appreciated :) > > My long term vision is a quite integrated thing, where users that read > their email and authenticate to POP3/IMAP would be granted the access > without the need to authenticate to the web portal. > For squid have a look at the option auth_param You are able to use your own authorisation app/script that can check all kinds of places to see if that IP is allowed access. For example I have a client that has samba on his transparent proxy. Each user has a drive letter mapped to that share. The script defined by auth_param just greps the ip from 'smbstatus -p' and uses the username with that IP to tell squid what user it is for the logs. There would be nothing to stop the script to check ipfw, to see if there is rules for that ip to allow access and then if there isn't, add them. To remove the ipfw rules you could have a cron script that checks the last packet time (using -t or -T) and if its over a certain time then remove it (preferably with the checking of where you got the initial check to see if the user is valid or not). HTH cya Andrew > Best regards, > > Olivier > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?493789A0.40204>