Olivier Nicole wrote:
Hi Chris,

I need to implement a firewall with bridged interfaces that offers
captive portal (authentication before opening the traffic).
We are using a combination of squid+ipfw. Although we are NATing the
users, that really just introduces needless complexity that could be
avoided with a bridging solution.

Our web-app/captive portal/authentication program is written in-house;
it's very tightly integrated with several existing pieces of
infrastructure. I don't know if there are any solutions that will work
out-of-the-box.

I can get you more technical details if this is a direction you'd be
interested in moving.

Long time ago I have been toying with ipf (for the genral firewall)
and NoCat+ipfw for the captive portal.

But that did not work too well, so any technical information will be
appreciated :)

My long term vision is a quite integrated thing, where users that read
their email and authenticate to POP3/IMAP would be granted the access
without the need to authenticate to the web portal.


For squid have a look at the option
auth_param

You are able to use your own authorisation app/script that can check all kinds of places to see if that IP is allowed access.

For example I have a client that has samba on his transparent proxy.
Each user has a drive letter mapped to that share.
The script defined by auth_param just greps the ip from 'smbstatus -p'
and uses the username with that IP to tell squid what user it is for the logs. There would be nothing to stop the script to check ipfw, to see if there is rules for that ip to allow access and then if there isn't, add them.

To remove the ipfw rules you could have a cron script that checks the last packet time (using -t or -T) and if its over a certain time then remove it (preferably with the checking of where you got the initial check to see if the user is valid or not).

HTH
cya
Andrew

Best regards,

Olivier
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to