From owner-freebsd-questions@FreeBSD.ORG Thu Dec 4 07:41:57 2008
Message-ID: <493789A0.40204@awdcomp.net>
Date: Thu, 04 Dec 2008 18:11:20 +1030
From: Andrew <awd@awdcomp.net>
To: Olivier Nicole
Cc: freebsd-questions@freebsd.org, ccowart@rescomp.berkeley.edu
In-Reply-To: <200812040337.mB43bGHE015979@banyan.cs.ait.ac.th>
Subject: Re: Firewall with bridged interfaces and captive portal

Olivier Nicole wrote:
> Hi Chris,
>
>>> I need to implement a firewall with bridged interfaces that offers
>>> captive portal (authentication before opening the traffic).
>>
>> We are using a combination of squid+ipfw. Although we are NATing the
>> users, that really just introduces needless complexity that could be
>> avoided with a bridging solution.
>>
>> Our web-app/captive portal/authentication program is written in-house;
>> it's very tightly integrated with several existing pieces of
>> infrastructure. I don't know if there are any solutions that will work
>> out-of-the-box.
>>
>> I can get you more technical details if this is a direction you'd be
>> interested in moving.
>
> Long time ago I have been toying with ipf (for the general firewall)
> and NoCat+ipfw for the captive portal.
>
> But that did not work too well, so any technical information will be
> appreciated :)
>
> My long term vision is a quite integrated thing, where users that read
> their email and authenticate to POP3/IMAP would be granted the access
> without the need to authenticate to the web portal.

For squid, have a look at the option auth_param. You are able to use your
own authorisation app/script that can check all kinds of places to see if
that IP is allowed access.

For example, I have a client that has samba on his transparent proxy. Each
user has a drive letter mapped to that share. The script defined by
auth_param just greps the IP from 'smbstatus -p' and uses the username with
that IP to tell squid what user it is for the logs.

There would be nothing to stop the script from checking ipfw to see if there
are rules for that IP to allow access and then, if there aren't, adding them.

To remove the ipfw rules you could have a cron script that checks the last
packet time (using -t or -T) and, if it's over a certain time, removes it
(preferably with the checking of where you got the initial check to see if
the user is valid or not).

HTH

cya
Andrew

> Best regards,
>
> Olivier
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
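The script Andrew sketches above (look the client IP up in `smbstatus -p`, tell squid who the user is, open ipfw for that IP if no rule exists yet, and have cron close rules whose last-match time is stale or whose user has gone away) as an added example. This is not Andrew's script or anything from the thread; it is written here to show the pieces working together. It implements the squid side as an external_acl_type helper (the helper type that receives the client address via %SRC) rather than an auth_param helper, and everything else is an assumption labelled in the comments: the squid.conf lines, the rule-number scheme (10000 + last octet, so one /24 of clients), the exact column layout of `smbstatus -p` (Samba 3 `host (ip)` and Samba 4 `host (ipv4:ip:port)` are both handled), and the `ipfw -T list` format with an epoch timestamp, or 0, in the second column. The sample outputs embedded in the script are constructed, not captured. The real commands are wrapped in variables so the parsing can be exercised without root or a FreeBSD box.

```shell
#!/bin/sh
# Added example, not Andrew's script: a Squid helper that maps a client IP
# to the Samba user in `smbstatus -p` and opens ipfw for it, plus a cron-side
# expiry that drops rules that went idle (`ipfw -T list`) or whose user has
# left smbstatus. Assumed, not from the post: Squid calls this as an
# external_acl_type helper fed %SRC; rules 10000-10255 hold one /24 of
# clients (rule = RULE_BASE + last octet); `ipfw -T list` prints
# "<rule> <epoch, 0 if never matched> allow ip from <ip> to any"; smbstatus
# shows clients as "host (ip)" (Samba 3) or "host (ipv4:ip:port)" (Samba 4).
SMBSTATUS="${SMBSTATUS:-smbstatus -p}"
IPFW="${IPFW:-ipfw}"
RULE_BASE=10000
RULE_TOP=$((RULE_BASE + 255))

# Constructed sample output for offline use, not real captures.
SAMPLE_SMBSTATUS='Samba version 3.0.28
PID     Username      Group         Machine
-------------------------------------------------------------------
 1234   andrew        users         getafix      (192.168.202.99)
 1240   olivier       users         banyan       (192.168.202.42)'
SAMPLE_IPFW='10099 1228374080 allow ip from 192.168.202.99 to any
10099 1228374080 allow ip from any to 192.168.202.99
10042          0 allow ip from 192.168.202.42 to any
10042          0 allow ip from any to 192.168.202.42
10007 1228300000 allow ip from 192.168.202.7 to any
10007 1228300000 allow ip from any to 192.168.202.7
65535 1228374090 deny ip from any to any'

# Samba user connected from IP $1; smbstatus output on stdin. Empty if none.
user_for_ip() {
    awk -v ip="$1" '
        index($0, "(" ip ")") || index($0, "ipv4:" ip ":") { print $2; exit }'
}

# Deterministic rule number for a client IP (one /24, see assumptions).
rule_number() {
    echo $((RULE_BASE + ${1##*.}))
}

# True if an outbound allow rule for IP $1 exists; `ipfw list` on stdin.
has_rule() {
    grep -qF -- " from $1 to any"
}

# Squid external ACL helper loop. squid.conf (assumed):
#   external_acl_type smbuser ttl=60 %SRC /usr/local/libexec/smb_ipfw.sh helper
#   acl smbauth external smbuser
#   http_access allow smbauth
helper_loop() {
    while read -r ip _; do
        user=$($SMBSTATUS | user_for_ip "$ip")
        if [ -z "$user" ]; then
            echo "ERR"
            continue
        fi
        # First sighting: open both directions under one number, so a
        # single `ipfw delete` closes the client again.
        if ! $IPFW list | has_rule "$ip"; then
            n=$(rule_number "$ip")
            $IPFW -q add "$n" allow ip from "$ip" to any
            $IPFW -q add "$n" allow ip from any to "$ip"
        fi
        echo "OK user=$user"
    done
}

# Cron side: print client rule numbers to delete. $1 = idle limit (s),
# $2 = current epoch, $3 = smbstatus output as text; `ipfw -T list` on stdin.
# A rule goes when its IP left smbstatus or its last match is older than the
# limit; a never-matched rule (timestamp 0) only goes once the user is gone.
stale_rules() {
    awk -v idle="$1" -v now="$2" -v smb="$3" -v base="$RULE_BASE" -v top="$RULE_TOP" '
        BEGIN {
            n = split(smb, l, "\n")
            for (i = 1; i <= n; i++) {
                if (match(l[i], /\([0-9.]+\)/))
                    seen[substr(l[i], RSTART + 1, RLENGTH - 2)] = 1
                else if (match(l[i], /ipv4:[0-9.]+:/))
                    seen[substr(l[i], RSTART + 5, RLENGTH - 6)] = 1
            }
        }
        $1 >= base && $1 <= top && $3 == "allow" && $5 == "from" && $6 != "any" {
            ts = $2 + 0
            if (!($6 in seen) || (ts > 0 && now - ts > idle)) print $1
        }' | sort -un
}

expire_rules() {   # $1 = idle limit in seconds; run from cron
    for n in $($IPFW -T list | stale_rules "$1" "$(date +%s)" "$($SMBSTATUS)"); do
        $IPFW -q delete "$n"
    done
}

case "${1:-}" in
    helper) helper_loop ;;
    expire) expire_rules "${2:-1800}" ;;
esac
```

Wiring it up means pointing squid's external_acl_type at `smb_ipfw.sh helper` and running `smb_ipfw.sh expire 1800` from cron every few minutes. Two things worth keeping in mind with this design: the whole session is keyed on a source IP, so on a bridged segment anyone who can take over or spoof an authenticated client's address inherits its access until cron notices, which is the usual weakness of IP-keyed captive portals; and squid caches helper answers for `ttl` seconds, so a user whose SMB session dropped can still be answered OK from cache for that long even though the firewall rule has already been removed.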