Bug #5594 (Closed): Captive portal patch does not work anymore
Description
Hi guys.
First, thanks for your work!! pfSense is amazing.
---
I think that due to modifications in captiveportal.inc, the "patch captive portal" option does not work as expected.
Links:
- captiveportal.inc -> https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/captiveportal.inc
- squid.inc -> https://github.com/pfsense/pfsense-packages/blob/1ffd0c4e5b8a4f7e4d729b535397d59f4284d34e/config/squid3/34/squid.inc
- commit involved -> captiveportal.inc -> https://github.com/pfsense/pfsense/commit/98bf4991dc31f97fc7315a6b8aba433de9d39cea
squid.inc - portion of code which no longer works:
```php
foreach ($cp_inc as $line) {
	$new_line = $line;
	// remove applied squid patch
	if (preg_match('/skipto 65314 ip/', $line)) {
		$found_rule++;
		$new_line = "";
	}
	if (preg_match('/255.255.255.255/', $line) && $squid_conf['patch_cp']) {
		$found_rule++;
		$new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} ' . $port . ' in\n";' . "\n";
		$new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} ' . $port . ' to any out\n";' . "\n";
	}
	$new_cp_inc .= $new_line;
}
```
- `{$ips}` no longer exists and should be replaced by `table(100)`.
- In captiveportal.inc, there are permissive rules before the "skipto" rules added by the patch (lines 543 and 545). squid.inc should add the "skipto" rules before these.
- In squid.inc, `preg_match('/255.255.255.255/', $line)` (line 2018) matches twice, so the "skipto" rules are added twice. squid.inc should also increment `$rulenum` after each added rule.
- 2.2.5-RELEASE (i386) nanobsd 4G
- Squid3 package v0.4.6
I hope that I give enough information. If not, ask me!
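As an added example (not code from this report, from the squid package or from pfSense), the following PHP function applies the three corrections listed above to a constructed excerpt of captiveportal.inc: it references `table(100)` instead of the removed `{$ips}`, inserts the skipto rules once, ahead of the first permissive pass rule for the portal hosts, and increments `$rulenum` after each added rule. The excerpt, the function name `squid_cp_patch` and the port list are assumptions made for the example.

```php
<?php
// Added example: a corrected form of the squid.inc patching loop quoted in
// the report. The captiveportal.inc excerpt below is constructed to resemble
// the post-commit file (rulenum 65310, table(100) pass rules); it is not the
// real file, and the function name is hypothetical.

// Constructed excerpt of captiveportal.inc (the file being patched).
$cp_inc = <<<'PHP'
	$rulenum = 65310;
	/* These tables contain host ips */
	$cprules .= "add {$rulenum} pass ip from any to table(100) in\n";
	$rulenum++;
	$cprules .= "add {$rulenum} pass ip from table(100) to any out\n";
	$rulenum++;
PHP;

/**
 * Rewrite captiveportal.inc source so that, before the first permissive
 * "pass ip from any to table(100)" rule, ipfw "skipto 65314" rules send
 * unauthenticated traffic for the local proxy ports to the captive portal
 * block. Every added rule increments $rulenum, and rules left by an earlier
 * run are removed first so the patch can be re-applied safely.
 *
 * @param string $source captiveportal.inc contents
 * @param string $ports  comma-separated local service ports, e.g. "3128,3129"
 * @return array [patched source, number of rules inserted]
 */
function squid_cp_patch(string $source, string $ports): array {
	$out = '';
	$inserted = 0;
	foreach (preg_split('/\R/', $source) as $line) {
		// Drop skipto rules (and their rulenum increment, kept on the same
		// line for exactly this reason) that a previous run inserted.
		if (preg_match('/skipto 65314 ip/', $line)) {
			continue;
		}
		// Insert once, in front of the first permissive rule for the CP hosts,
		// rather than after every line that happens to match a pass rule.
		if ($inserted === 0 && preg_match('/pass ip from any to table\(100\)/', $line)) {
			$matches = [
				'from any to table(100) ' . $ports . ' in',
				'from table(100) ' . $ports . ' to any out',
			];
			foreach ($matches as $match) {
				$out .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip ' . $match . '\n"; $rulenum++;' . "\n";
				$inserted++;
			}
		}
		$out .= $line . "\n";
	}
	return [$out, $inserted];
}

[$patched, $n] = squid_cp_patch($cp_inc, '3128,3129');
echo $patched;
echo "inserted {$n} rules\n";
```

Run with `php example.php`: the printed source has two skipto rules numbered from 65310 ahead of the pass rules, and running the function a second time over its own output yields the same text. Because the two extra increments shift every later `{$rulenum}` rule by two, whether that collides with fixed rule numbers further down captiveportal.inc must be checked against the actual file version before using this on a live system.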
Updated by Kill Bill about 9 years ago
Not sure I want to make the patch work again. Considering it was broken for about a year without anyone noticing, I think it'd be a good time to get rid of this patching junk altogether and produce some ipfw hook in 2.3 if this functionality is desired.
Updated by Laurent Legendre about 9 years ago
OK, I understand that.
But if the patch option is officially considered broken, it'd be a good idea to hide the option in the web GUI.
Updated by Kill Bill about 9 years ago
Laurent Legendre wrote:
But if the patch option is officially considered broken, it'd be a good idea to hide the option in the web GUI.
Well yes, that goes without saying :)
Updated by Kill Bill about 9 years ago
https://github.com/pfsense/pfsense-packages/pull/1210 removes the broken thing for 2.2.x. If someone writes an updated patch, they can use it via System Patches package. I don't understand the ipfw thing at all and have zero use for this.
Updated by Chris Buechler about 9 years ago
- Status changed from New to Resolved
- Affected Version changed from 2.2.5 to 2.2.x
merged, thanks!
Probably ought to just restrict ports users are allowed to access without being authenticated in ipfw to the portal ports, though with transparent proxy it'd probably complicate things.
This is fixed though.
Updated by Kill Bill about 9 years ago
Looks like you forgot to press the merge button :) I'll do the same for 2.3 shortly.
Updated by Kill Bill about 9 years ago
Still not merged.
The equivalent fixes for 2.3 are @ https://github.com/pfsense/FreeBSD-ports/pull/18
Updated by Marcello Silva Coutinho about 9 years ago
- File captive_portal_patch.PNG added
For those who need to deny access to the squid package before captive portal authentication, here is a patch to apply on pfsense 2.2.5
################################################################
--- captiveportal.225.inc 2015-12-09 18:43:50.000000000 -0200
+++ captiveportal.inc 2015-12-09 19:28:27.000000000 -0200@ -539,6 +539,10
@
EOD;
$rulenum = 65310;
/* Deny direct access to local services before captive portal authentication /
$local_service_ports="3128,3129";
$cprules .= "add {$rulenum} skipto 65314 ip from any to table(100) {$local_service_ports} in\n";
$cprules .= "add {$rulenum} skipto 65314 ip from table(100) {$local_service_ports} to any out\n"; / These tables contain host ips */ $cprules .= "add {$rulenum} pass ip from any to table(100) in\n"; $rulenum++;
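Review bot: the two added `skipto` rules and the existing `pass ip from any to table(100)` rule all get the same number, 65310, because `$rulenum` is only incremented after the `pass` rule; append `$rulenum++;` after each added `skipto` line (as the original report asks) so the block-before-authentication rules get distinct numbers and their placement ahead of the permissive rule does not rely on ipfw keeping same-numbered rules in insertion order. As pasted, the added lines also carry no `+` prefix and the hunk header is split across two lines, so this cannot be fed to patch(1) as-is, and the comment opened with `/*` on the "Deny direct access" line ends in `/` rather than `*/`; anyone applying it by hand should check those delimiters.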
You can apply it via the System Patches package as in the attached screen capture.
Updated by Frederic Soulier almost 9 years ago
Hi,
We use this great functionality to block access to our local squid before authentication.
We use pfSense 2.2.6.
It seems the patch doesn't work anymore; our users access our squid without CP authentication.
Is there any modification to make to the patch so that it works on version 2.2.6?
We have followed the procedure explained by Marcello.
Updated by Orsiris de Jong over 8 years ago
Hello,
I've applied Marcello's patch to pfSense 2.3.2. The patch needs to be applied a couple of lines lower than indicated for 2.2.6.
Sadly, it doesn't work anyway.
While squid as transparent proxy + captive portal works, squid with WPAD + captive portal is a very neat feature for pfSense.
Anyone willing to update the patch ?
Regards,
Ozy.
Updated by Kill Bill almost 8 years ago
Orsiris de Jong wrote:
Anyone willing to update the patch ?
Updating the patch is a waste of time. If such functionality is desired, code for hooking into ipfw rules is required, as noted in the very first comment here. I.e.: define a function in the package configuration XML file [1], write the required rules for the package [2], those get picked up by pfSense configuration [3] and the required firewall rules are created in the proper place when the firewall is resynced [4].
[1] `<filter_rules_needed>` tag - https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.xml
[2] `squid_generate_rules()` - https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
[3] `filter_rule_function` in config.xml - https://github.com/pfsense/pfsense/blob/master/src/etc/inc/pkg-utils.inc
[4] `discover_pkg_rules()` + code using that function to generate the ruleset - https://github.com/pfsense/pfsense/blob/master/src/etc/inc/filter.inc
This functionality does exist for pf(4) packet filter used in most of pfSense as shown above, but does NOT exist for ipfw(4) packet filter used by the Captive Portal.