<p>pfSense bugtracker: <a href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a></p>
<p>pfSense - Bug #13226: Disconnecting a user from Captive Portal may allow previously established connections to continue</p>
<p>Viktor Gurov, 2022-05-27T05:11:16Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=61449">https://redmine.pfsense.org/issues/13226?journal_id=61449</a></p>
<p>It looks like <code>pfSense_kill_states()</code> and <code>pfSense_kill_srcstates()</code> do not work properly:<br /><a class="external" href="https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L886-L888">https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L886-L888</a></p>
<p>Needs more testing.</p>
<p>Viktor Gurov, 2022-05-27T06:29:07Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=61453">https://redmine.pfsense.org/issues/13226?journal_id=61453</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Confirmed</i></li></ul><p>Able to reproduce.</p>
<p>It looks like <code>pfSense_kill_states()</code> and <code>pfSense_kill_srcstates()</code> successfully kill TCP and ICMP sessions, but not UDP.</p>
<p>This may also be an issue prior to pfSense 22.05/2.7 (ipfw captive portal).</p>
<p>Viktor Gurov, 2022-05-30T10:38:55Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=61501">https://redmine.pfsense.org/issues/13226?journal_id=61501</a></p>
<ul><li><strong>Assignee</strong> set to <i>Reid Linnemann</i></li></ul>
<p>Marcos M, 2022-12-12T20:26:44Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=64544">https://redmine.pfsense.org/issues/13226?journal_id=64544</a></p>
<ul><li><strong>Subject</strong> changed from <i>Captive Portal doesn't disconnect established OpenVPN link </i> to <i>Disconnecting a user from Captive Portal may allow previously established connections to continue.</i></li><li><strong>Affected Version</strong> changed from <i>2.7.x</i> to <i>2.4.5-p1</i></li></ul><p>The root issue here is actually <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Kill states using the pre-NAT address (Resolved)" href="https://redmine.pfsense.org/issues/11556">#11556</a>. When <code>pfSense_kill_states()</code> is called, the state on WAN using NAT will remain due to the referenced issue, hence allowing reply traffic. That reply traffic will then reach the host behind the Captive Portal due to the default rule which allows all traffic from the firewall itself. See the following states:</p>
<p>Before calling <code>pfSense_kill_states()</code><br /><pre>
all udp 198.51.100.7:1196 <- 10.0.1.100:62722 MULTIPLE:MULTIPLE
age 00:01:05, expires in 00:01:00, 254:238 pkts, 42969:117085 bytes, rule 539
id: db5e9a6300000000 creatorid: 4da82510 gateway: 0.0.0.0
origif: vmx0
all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196 MULTIPLE:MULTIPLE
age 00:01:05, expires in 00:01:00, 254:238 pkts, 42969:117085 bytes, rule 145
id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
origif: vmx0.99
</pre></p>
<p>After calling <code>pfSense_kill_states()</code> and before reply from remote:<br /><pre>
all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196 MULTIPLE:MULTIPLE
age 00:01:21, expires in 00:00:49, 264:248 pkts, 44119:118305 bytes, rule 145
id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
origif: vmx0.99
</pre></p>
<p>After calling <code>pfSense_kill_states()</code> and after reply from remote:<br /><pre>
all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196 MULTIPLE:MULTIPLE
age 00:01:29, expires in 00:00:59, 268:253 pkts, 44569:118869 bytes, rule 145
id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
origif: vmx0.99
all udp 198.51.100.7:1196 -> 10.0.1.100:62722 MULTIPLE:MULTIPLE
age 00:00:08, expires in 00:00:59, 5:4 pkts, 564:450 bytes, rule 143
id: 65659a6300000000 creatorid: 4da82510 gateway: 0.0.0.0
origif: vmx0
</pre></p>
<p>Marcos M, 2022-12-12T20:27:02Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=64546">https://redmine.pfsense.org/issues/13226?journal_id=64546</a></p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-3 priority-4 priority-default closed" href="/issues/11556">Feature #11556</a>: Kill states using the pre-NAT address</i> added</li></ul>
<p>Marcos M, 2023-12-05T17:20:29Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=71247">https://redmine.pfsense.org/issues/13226?journal_id=71247</a></p>
<ul><li><strong>Subject</strong> changed from <i>Disconnecting a user from Captive Portal may allow previously established connections to continue.</i> to <i>Disconnecting a user from Captive Portal may allow previously established connections to continue</i></li><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li><li><strong>Assignee</strong> changed from <i>Reid Linnemann</i> to <i>Marcos M</i></li><li><strong>Target version</strong> changed from <i>CE-Next</i> to <i>2.8.0</i></li><li><strong>Plus Target Version</strong> changed from <i>Plus-Next</i> to <i>24.03</i></li></ul>
<p>Marcos M, 2024-02-10T22:17:41Z: <a href="https://redmine.pfsense.org/issues/13226?journal_id=72183">https://redmine.pfsense.org/issues/13226?journal_id=72183</a></p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
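<p>Added example, not part of the original thread or of pfSense's code: a check to run over a state dump in the layout shown in the comments above after a Captive Portal client has been disconnected. It reports every state that still references the client's address, including the parenthesised pre-NAT address of the WAN state that survived the kill; the function names are hypothetical and IPv4 <code>addr:port</code> endpoints are assumed.</p>

```python
import re

# First line of a state entry, in the layout of the dumps in the comment above:
#   <if> <proto> <addr:port> [(<pre-NAT addr:port>)] <-|-> <addr:port> <state>
STATE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: \(([^)]+)\))? (<-|->) (\S+)")
DETAIL_RE = re.compile(r"^(id|origif): (\S+)")


def host(endpoint):
    """Drop the port from 'addr:port' (IPv4 layout, as in the dumps)."""
    return endpoint.rsplit(":", 1)[0]


def parse_states(dump):
    """Return one dict per state entry in the dump text."""
    states = []
    for line in map(str.strip, dump.splitlines()):
        m = STATE_RE.match(line)
        if m:
            _, proto, left, prenat, _, right = m.groups()
            states.append({"proto": proto, "left": left,
                           "prenat": prenat, "right": right})
        elif states and (d := DETAIL_RE.match(line)):
            # 'id:' and 'origif:' lines belong to the entry that precedes them
            states[-1][d.group(1)] = d.group(2)
    return states


def lingering_states(dump, client_ip):
    """(id, origif, how) for every state that still references client_ip."""
    hits = []
    for s in parse_states(dump):
        if s["prenat"] and host(s["prenat"]) == client_ip:
            hits.append((s.get("id"), s.get("origif"), "pre-NAT"))
        elif client_ip in (host(s["left"]), host(s["right"])):
            hits.append((s.get("id"), s.get("origif"), "direct"))
    return hits


# Dump copied from the comment above: after pfSense_kill_states(), before the reply.
AFTER_KILL = """\
all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196 MULTIPLE:MULTIPLE
age 00:01:21, expires in 00:00:49, 264:248 pkts, 44119:118305 bytes, rule 145
id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
origif: vmx0.99
"""

if __name__ == "__main__":
    for hit in lingering_states(AFTER_KILL, "10.0.1.100"):
        print(hit)
```

<p>An empty result for the disconnected client's address is the expected outcome once the fix for #11556 is in place; a <code>pre-NAT</code> hit is the surviving WAN state described in the thread.</p>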