Topic: Firewall Rules and Captive Portal

Offline kdesktop

Firewall Rules and Captive Portal
« on: February 13, 2014, 06:39:07 pm »
Hi.

Is there an easy, fast and efficient way to apply this firewall rule to a local group created and authenticated by the pfSense Captive Portal?

What I need is: if a user from the group "Fix Department" logs in, the rule is applied and Facebook is blocked; otherwise, if a user from the group "Admin" logs in, the rule is ignored.
EDIT: pfSense 2.1 - Squid - Captive Portal with pfSense local group users

Thanks
« Last Edit: February 14, 2014, 05:17:12 am by kdesktop »

Offline simone

Re: Firewall Rules and Captive Portal
« Reply #1 on: January 31, 2018, 05:14:10 pm »
Hi,
I'm interested in this topic too.
Has the thread been redirected?

Simo

Offline Gertjan

Re: Firewall Rules and Captive Portal
« Reply #2 on: February 01, 2018, 06:47:39 am »
Quote from: simone on January 31, 2018
    Hi,
    I'm interested in this topic too.
    Has the thread been redirected?

    Simo
Since 2014?
This thread has died silently.

Btw: it is impossible to consult some sort of "database with all users that are members of a group" so that a firewall rule can apply, or not.
What do you think happens when you attach this rule on a 1 Gbit network? The workload would be .... what is bigger than huge multiplied by enormous?
And how should a firewall know, when it looks at an IP packet that comes in, that it belongs to user "Freddo", member of that group? All it sees is the source IP, MAC, some sequence info, packet type and the state. And that's it.

But, of course, the solution has been found for many years already.
You just discovered one of the reasons why a captive portal should not be activated on the LAN interface; it should be used on a dedicated interface (NIC), with its own firewall rules.

Offline simone

Re: Firewall Rules and Captive Portal
« Reply #3 on: February 04, 2018, 09:22:27 am »
Hi,
thank you for your reply.
I got used to these concepts by working with Palo Alto appliances:

     https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id

and in my opinion, even if it is resource consuming, it is a good thing to have.

I haven't done anything yet through the CLI, so is it not possible to do a user-mapping script (maybe involving AD and doing some session caching)?

Thanks a lot,
best regards,

Simone

Offline lindsay

Re: Firewall Rules and Captive Portal
« Reply #4 on: February 12, 2018, 08:38:52 am »
Well, it is doable (ident and more groups).
Just install an ident client on the clients, and configure e2guardian.
I find it more difficult to set up on pfSense than in Smoothwall, but I guess it is only a matter of time.
« Last Edit: February 12, 2018, 10:09:57 am by lindsay »
Fiberline 500/500Mbps

Offline Gertjan

Re: Firewall Rules and Captive Portal
« Reply #5 on: February 12, 2018, 10:24:54 am »
Quote from: simone
    ....
    https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id
    ....
So, before accessing your network that supports this User-ID, the user should have this User-ID ....

I guess I place my bets on an alias that lists all Facebook IPs (IPv4 at least, and IPv6 at best) - a list that would refresh every xx hours or so. Just some script file and the cron package.

Or this one: https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158 - I'm sure it could block all DNS resolving easily by returning 127.0.0.1 or ::1 if "facebook.com" passes by.
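Added example, not code from the thread or from pfSense: a small Python model of the lookup Gertjan's reply #2 says the packet filter cannot do on its own, joining the captive portal's IP-to-user session table with local group membership and the Facebook address alias from reply #5 to reach a per-flow verdict. All session records, groups and prefixes are constructed; stale sessions and unattributable sources are handled by blocking (fail closed).

```python
"""Toy policy lookup: captive-portal session -> user -> group -> verdict.
Constructed data only; not pfSense code."""
import ipaddress
import time

# Constructed captive-portal sessions: (client_ip, username, login_epoch)
SESSIONS = [
    ("192.0.2.10", "freddo", 1_700_000_000),
    ("192.0.2.20", "alice", 1_700_000_100),
    ("192.0.2.30", "bob", 1_600_000_000),  # long expired session
]
# Constructed pfSense-style local groups from the original question
GROUPS = {"Fix Department": {"freddo"}, "Admin": {"alice", "bob"}}
# Constructed "Facebook" alias prefixes (the list a cron job would refresh)
FACEBOOK_ALIAS = [ipaddress.ip_network(p)
                  for p in ("203.0.113.0/24", "2001:db8:fb::/48")]
BLOCKED_GROUPS = {"Fix Department"}
SESSION_TIMEOUT = 24 * 3600  # assumed idle timeout, seconds


def user_for_ip(ip, now, sessions=SESSIONS, timeout=SESSION_TIMEOUT):
    """Return the user holding `ip` in a live session, else None."""
    for client_ip, user, login in sessions:
        if client_ip == ip and now - login < timeout:
            return user
    return None


def groups_for_user(user, groups=GROUPS):
    """All local groups the user is a member of."""
    return {name for name, members in groups.items() if user in members}


def verdict(src_ip, dst_ip, now=None):
    """'pass' or 'block' for one flow, judged by source user's groups."""
    now = time.time() if now is None else now
    dst = ipaddress.ip_address(dst_ip)
    # Rule only concerns destinations inside the Facebook alias
    if not any(dst in net for net in FACEBOOK_ALIAS):
        return "pass"
    user = user_for_ip(src_ip, now)
    if user is None:
        return "block"  # no session: packet cannot be attributed, fail closed
    return "block" if groups_for_user(user) & BLOCKED_GROUPS else "pass"
```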