Firewall with bridged interfaces and captive portal

Andrew awd at awdcomp.net
Wed Dec 3 23:41:57 PST 2008 

Olivier Nicole wrote:
> Hi Chris,
> 
>>> I need to implement a firewall with bridged interfaces that offers
>>> captive portal (authentication before opening the traffic).
>> We are using a combination of squid+ipfw. Although we are NATing the
>> users, that really just introduces needless complexity that could be
>> avoided with a bridging solution.
>>
>> Our web-app/captive portal/authentication program is written in-house;
>> it's very tightly integrated with several existing pieces of
>> infrastructure. I don't know if there are any solutions that will work
>> out-of-the-box.
>>
>> I can get you more technical details if this is a direction you'd be
>> interested in moving.
> 
> Long time ago I have been toying with ipf (for the genral firewall)
> and NoCat+ipfw for the captive portal.
> 
> But that did not work too well, so any technical information will be
> appreciated :)
> 
> My long term vision is a quite integrated thing, where users that read
> their email and authenticate to POP3/IMAP would be granted the access
> without the need to authenticate to the web portal.
> 

For squid have a look at the option
auth_param

You are able to use your own authorisation app/script that can check all 
kinds of places to see if that IP is allowed access.

For example I have a client that has samba on his transparent proxy.
Each user has a drive letter mapped to that share.
The script defined by auth_param just greps the ip from 'smbstatus -p'
and uses the username with that IP to tell squid what user it is for the 
logs.
There would be nothing to stop the script to check ipfw, to see if there 
is rules for that ip to allow access and then if there isn't, add them.

To remove the ipfw rules you could have a cron script that checks the 
last packet time (using -t or -T) and if its over a certain time then 
remove it (preferably with the checking of where you got the initial 
check to see if the user is valid or not).

HTH
cya
Andrew

> Best regards,
> 
> Olivier
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list