Firewall with bridged interfaces and captive portal
awd at awdcomp.net
Wed Dec 3 23:41:57 PST 2008
Olivier Nicole wrote:
> Hi Chris,
>>> I need to implement a firewall with bridged interfaces that offers
>>> captive portal (authentication before opening the traffic).
>> We are using a combination of squid+ipfw. Although we are NATing the
>> users, that really just introduces needless complexity that could be
>> avoided with a bridging solution.
>> Our web-app/captive portal/authentication program is written in-house;
>> it's very tightly integrated with several existing pieces of
>> infrastructure. I don't know if there are any solutions that will work
>> I can get you more technical details if this is a direction you'd be
>> interested in moving.
> Long time ago I have been toying with ipf (for the genral firewall)
> and NoCat+ipfw for the captive portal.
> But that did not work too well, so any technical information will be
> appreciated :)
> My long term vision is a quite integrated thing, where users that read
> their email and authenticate to POP3/IMAP would be granted the access
> without the need to authenticate to the web portal.
For squid have a look at the option
You are able to use your own authorisation app/script that can check all
kinds of places to see if that IP is allowed access.
For example I have a client that has samba on his transparent proxy.
Each user has a drive letter mapped to that share.
The script defined by auth_param just greps the ip from 'smbstatus -p'
and uses the username with that IP to tell squid what user it is for the
There would be nothing to stop the script to check ipfw, to see if there
is rules for that ip to allow access and then if there isn't, add them.
To remove the ipfw rules you could have a cron script that checks the
last packet time (using -t or -T) and if its over a certain time then
remove it (preferably with the checking of where you got the initial
check to see if the user is valid or not).
> Best regards,
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions