Feature #385

open

Allow the use of Captive Portal to restrict services on the firewall itself.

Added by Chris Buechler almost 15 years ago. Updated about 2 years ago.

Status: In Progress
Priority: Normal
Assignee:
Category: Captive Portal
Target version: -
Start date: 02/26/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

It would be nice to be able to "reverse" captive portal, i.e. force users on the Internet to authenticate to the firewall via a web page before accessing services behind the firewall.

Actions #1

Updated by Ermal Luçi almost 15 years ago

What prevents one from running CP on the WAN interface? (especially on 2.0)

Actions #2

Updated by Chris Buechler almost 15 years ago

It's fine to run on WAN, but it wouldn't do what's described here; it would block all reply traffic on outbound Internet requests, and can't be specific enough to restrict to one or several particular hosts or ports.

Actions #3

Updated by Ermal Luçi almost 15 years ago

Well, I need a definition of what reverse CP is to see what it takes to implement this.

Actions #4

Updated by Yehuda Katz about 14 years ago

I just brought this up on the forum this week (http://forum.pfsense.org/index.php/topic,31079.0.html)

Regular users log into a page on the firewall and choose which server/services they want and how long they want it for.
The web page would add a firewall exception for the specified information for the client IP address.
(Administrators could add for other IPs too.)

Does that help?
I am going to look into writing it myself, but I am watching this space and that forum topic if anyone has ideas.

Actions #5

Updated by Ermal Luçi about 14 years ago

Well, there is a possibility to add an ipfw rule with direction out and keep-state to provision this!?

Actions #6

Updated by H. H. almost 14 years ago

That's a feature I missed on pfSense too. I know very well the WatchGuard solution:
A small webserver (https) at the firewall sends a Java applet to the user to enter name and password. Encrypted by the Java applet and transferred to the firewall, it's used for verification against the authentication database defined in its configuration. A successfully authenticated user can use all services based on his group membership -- the group membership is used by filter rules where the IP of the authenticated user is temporarily added. As long as he keeps open the browser window with the logon applet, he is authenticated. If it's closed or the network connection is lost, a few minutes later the IP is removed from the filter rules ...

It's a really nice feature to protect services from outside because no special client is needed.

Hope it helps to find a solution ...
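
The lease behaviour described in comments #4 and #6 (a per-client-IP exception for chosen services that exists only while the login session is kept alive), modelled in Python as an added example; it is not pfSense or WatchGuard code. The class name, the timeouts and the sample addresses are assumptions, and the caller is assumed to push the result of `sweep()` into the real packet filter.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    user: str
    services: frozenset  # set of (server_ip, port) the user asked for
    expires: float       # idle deadline, pushed forward by heartbeats
    hard_stop: float     # absolute deadline, never extended


class PortalLeases:
    """Source-IP leases: granted at login, renewed by heartbeat, dropped on timeout."""

    def __init__(self, idle_timeout=180.0, max_lifetime=8 * 3600.0):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._leases = {}  # client IP (str) -> Lease

    def grant(self, client_ip, user, services, now):
        # Normalise and validate; ValueError on anything that is not an IP.
        ip = str(ipaddress.ip_address(client_ip))
        hard = now + self.max_lifetime
        self._leases[ip] = Lease(user, frozenset(services),
                                 min(now + self.idle_timeout, hard), hard)
        return ip

    def heartbeat(self, client_ip, now):
        """Called while the login page stays open; False means log in again."""
        lease = self._leases.get(client_ip)
        if lease is None or now >= lease.expires:
            self._leases.pop(client_ip, None)
            return False
        lease.expires = min(now + self.idle_timeout, lease.hard_stop)
        return True

    def allowed(self, client_ip, service, now):
        # Note: a lease is keyed on source IP only, so every host behind the
        # same NAT address as the authenticated user matches it as well.
        lease = self._leases.get(client_ip)
        return (lease is not None and now < lease.expires
                and service in lease.services)

    def sweep(self, now):
        """Drop expired leases; return the IPs whose filter rules must go."""
        dead = sorted(ip for ip, l in self._leases.items() if now >= l.expires)
        for ip in dead:
            del self._leases[ip]
        return dead
```
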

Actions #7

Updated by P S almost 12 years ago

Has there been any more activity on this feature request? I would love to use pfSense with the described functionality: I want to restrict remote access to my network without requiring users to establish a full-blown VPN connection. Instead they should only be required to authenticate on a webpage before the firewall is opened up for them...

Actions #8

Updated by Jim Pingle over 5 years ago

  • Category set to Captive Portal

Actions #9

Updated by Marcos M about 2 years ago

  • Subject changed from Reverse captive portal to Allow the use of Captive Portal to restrict services on the firewall itsef.
  • Status changed from New to In Progress
  • Assignee set to Marcos M

Actions #10

Updated by Marcos M about 2 years ago

  • Subject changed from Allow the use of Captive Portal to restrict services on the firewall itsef. to Allow the use of Captive Portal to restrict services on the firewall itself.