Bug #5594

Captive portal patch does not work anymore

Added by Laurent Legendre about 4 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Squid
Target version: -
Start date: 12/04/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.2.x
Affected Architecture:
Description

Hi guys.

First thanks for your work !! pfSense is amazing.
---

I think that due to modifications in captiveportal.inc, the "patch captive portal" option does not work as expected.

links

squid.inc - portion of code which no longer works

foreach ($cp_inc as $line) {
    $new_line = $line;
    //remove applied squid patch
    if (preg_match('/skipto 65314 ip/', $line)) {
        $found_rule++;
        $new_line = "";
    }
    if (preg_match('/255.255.255.255/', $line) && $squid_conf['patch_cp']) {
        $found_rule++;
        $new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} ' . $port . ' in\n";' . "\n";
        $new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} ' . $port . ' to any out\n";' . "\n";
    }
    $new_cp_inc .= $new_line;
}

  • {$ips} no longer exists and should be replaced by table(100)
  • In captiveportal.inc, there are permissive rules before the "skipto" rules added by the patch (lines 543 and 545). squid.inc should add "skipto" rules before these.
  • In squid.inc, preg_match('/255.255.255.255/', $line) (line 2018) matches twice. So the "skipto" rules are added twice
  • squid.inc should also increment $rulenum after each added rule
Tested platform:
  • 2.2.5-RELEASE (i386) nanobsd 4G
  • Squid3 package v0.4.6

I hope that I give enough information. If not, ask me!

captive_portal_patch.PNG (58.5 KB) - Marcello Silva Coutinho, 12/09/2015 03:32 PM
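As an added illustration (not code from the report or from pfSense), a small Python model of ipfw first-match evaluation with skipto, run over the two rule layouts the report contrasts: an unauthenticated client reaches port 3128 when the permissive table(100) pass rule comes before the skipto, and is sent to the authentication section when the skipto comes first. The addresses, table contents and the rule 65314 "authenticated clients" stand-in are constructed assumptions, not the real captive portal ruleset.

```python
import re

# Constructed tables, not pfSense data: table(100) = the portal interface address
# (where Squid listens), table(1) = clients that have already authenticated.
TABLES = {"table(100)": {"192.168.1.1"}, "table(1)": {"192.168.1.50"}}
RULE_RE = re.compile(r"add (\d+) (pass|deny|skipto) ?(\d+)? ip from (\S+) ?([\d,]+)? to (\S+) ?([\d,]+)? (in|out)$")

def parse(line):
    """Parse the subset of ipfw 'add' syntax used by the captive portal rules."""
    num, act, target, src, sp, dst, dp, d = RULE_RE.match(line.strip()).groups()
    ports = lambda p: {int(x) for x in p.split(",")} if p else None
    return dict(num=int(num), act=act, target=int(target) if target else None,
                src=src, sp=ports(sp), dst=dst, dp=ports(dp), dir=d)

def matches(r, pkt):
    addr = lambda spec, ip: spec == "any" or ip in TABLES.get(spec, set())
    return (r["dir"] == pkt["dir"] and addr(r["src"], pkt["src"]) and addr(r["dst"], pkt["dst"])
            and (r["sp"] is None or pkt["sport"] in r["sp"]) and (r["dp"] is None or pkt["dport"] in r["dp"]))

def evaluate(ruleset, pkt):
    """ipfw first-match walk: 'skipto N' resumes at the first rule numbered >= N,
    rules sharing a number keep insertion order, unmatched traffic is denied."""
    rules = sorted(map(parse, ruleset), key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
        elif r["act"] == "skipto":
            i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]), len(rules))
        else:
            return r["act"]
    return "deny"

# Layout the report describes: captiveportal.inc passes everything to the portal's own
# address (table(100)) before the skipto rules the squid.inc patch appends.
BROKEN = ["add 65310 pass ip from any to table(100) in",
          "add 65311 skipto 65314 ip from any to table(100) 3128,3129 in",
          "add 65314 pass ip from table(1) to any in",   # constructed stand-in for the auth section
          "add 65315 deny ip from any to any in"]
# Corrected layout: the proxy ports are diverted to the auth section before the
# permissive rule, and each added rule gets its own number.
FIXED = ["add 65310 skipto 65314 ip from any to table(100) 3128,3129 in",
         "add 65311 pass ip from any to table(100) in",
         "add 65314 pass ip from table(1) to any in",
         "add 65315 deny ip from any to any in"]

def client_can_reach(ruleset, client_ip, dport):
    # Verdict for a client packet to the portal address on the given port.
    pkt = dict(src=client_ip, dst="192.168.1.1", sport=40000, dport=dport, dir="in")
    return evaluate(ruleset, pkt) == "pass"
```

With BROKEN an unauthenticated client gets "pass" to 3128, with FIXED the same packet is denied while an authenticated client and the portal page itself (any non-proxy port) still pass.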

History

#1 Updated by Kill Bill about 4 years ago

Not sure I want to make the patch work again. Considering it was broken for about a year without anyone noticing, I think it'd be a good time to get rid of this patching junk altogether and produce some ipfw hook in 2.3 if this functionality is desired.

#2 Updated by Laurent Legendre about 4 years ago

OK, I understand that.
But if the patch option is officially considered broken, it'd be a good idea to hide the option in the web GUI.

#3 Updated by Kill Bill about 4 years ago

Laurent Legendre wrote:

But if the patch option is officially considered broken, it'd be a good idea to hide the option in the web GUI.

Well yes, that goes without saying :)

#4 Updated by Kill Bill about 4 years ago

https://github.com/pfsense/pfsense-packages/pull/1210 removes the broken thing for 2.2.x. If someone writes an updated patch, they can use it via System Patches package. I don't understand the ipfw thing at all and have zero use for this.

#5 Updated by Chris Buechler about 4 years ago

  • Status changed from New to Resolved
  • Affected Version changed from 2.2.5 to 2.2.x

merged, thanks!

probably ought to just restrict ports users are allowed to access without being authenticated in ipfw to the portal ports, though with transparent proxy it'd probably complicate things.

this is fixed though.

#6 Updated by Kill Bill about 4 years ago

Looks like you forgot to press the merge button :) I'll do the same for 2.3 shortly.

#7 Updated by Kill Bill about 4 years ago

Still not merged.

The equivalent fixes for 2.3 are @ https://github.com/pfsense/FreeBSD-ports/pull/18

#8 Updated by Marcello Silva Coutinho about 4 years ago

For those who need to deny access to the squid package before captive portal authentication, here is a patch to apply on pfsense 2.2.5

################################################################
--- captiveportal.225.inc 2015-12-09 18:43:50.000000000 -0200
+++ captiveportal.inc 2015-12-09 19:28:27.000000000 -0200
@ -539,6 +539,10 @
EOD;

$rulenum = 65310;
/* Deny direct access to local services before captive portal authentication /
$local_service_ports="3128,3129";
$cprules .= "add {$rulenum} skipto 65314 ip from any to table(100) {$local_service_ports} in\n";
$cprules .= "add {$rulenum} skipto 65314 ip from table(100) {$local_service_ports} to any out\n"; /
These tables contain host ips */ $cprules .= "add {$rulenum} pass ip from any to table(100) in\n"; $rulenum++;
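
Review bot: the two added skipto rules and the existing pass rule all reuse $rulenum = 65310 without incrementing it between them (the only `$rulenum++;` follows the pass rule), which the original report already lists as a defect in the squid.inc variant; add `$rulenum++;` after each added `$cprules .=` line so every rule gets its own number. The port list `$local_service_ports="3128,3129";` and the jump target `skipto 65314` are hard-coded rather than derived from the Squid and captive portal configuration, so if Squid listens elsewhere or the surrounding rule numbering moves between releases (as the later comments about 2.2.6 and 2.3.2 report) the patch silently stops diverting proxy traffic. The comment delimiters as shown are also broken (`/* Deny direct access ... /` has no closing `*/`, and a stray `/` precedes `These tables contain host ips */`), so the text as pasted would not parse if applied literally.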

################################################################

You can apply it via the System Patches package as in the attached screen capture.

#9 Updated by Frederic Soulier almost 4 years ago

Hi,
We use this great functionality to block access to our local squid before authentication.
We use pfSense 2.2.6.
It seems the patch doesn't work anymore, our users access our squid without CP authentication.
Is there any modification to do on the patch in order for it to work on version 2.2.6?
We have followed the procedure explained by Marcello.

#10 Updated by Orsiris de Jong over 3 years ago

Hello,

I've applied Marcello's patch to pfSense 2.3.2. The patch needs to be applied a couple of lines lower than indicated for 2.2.6.
Sadly, it doesn't work anyway.

While squid as transparent proxy + captive portal works, squid with WPAD + captive portal is a very neat feature for pfSense.

Anyone willing to update the patch?

Regards,
Ozy.

#11 Updated by Kill Bill about 3 years ago

Orsiris de Jong wrote:

Anyone willing to update the patch?

Updating the patch is a waste of time. If such functionality is desired, code for hooking into ipfw rules is required, as noted in the very first comment here. I.e.: define a function in the package configuration XML file [1], write the required rules for the package [2], those get picked up by pfSense configuration [3] and the required firewall rules are created in the proper place when the firewall is resynced [4]

[1] <filter_rules_needed> tag - https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.xml
[2] squid_generate_rules() - https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
[3] filter_rule_function in config.xml - https://github.com/pfsense/pfsense/blob/master/src/etc/inc/pkg-utils.inc
[4] discover_pkg_rules() + code using that function to generate the ruleset - https://github.com/pfsense/pfsense/blob/master/src/etc/inc/filter.inc

This functionality does exist for pf(4) packet filter used in most of pfSense as shown above, but does NOT exist for ipfw(4) packet filter used by the Captive Portal.
