Port whitelisting

  • I'm trying to come up with a way to set up a network where [non-web] Internet access isn't blocked, but is only allowed over certain ports/protocols; e.g. users can connect freely but only over a VPN tunnel (UDP 500/4500/1194/9993/etc.), and web traffic is redirected to internal resources, but as some sort of guidance, not to unlock access like a true captive portal.

    In other words, I want there to be no need to launch a browser to allow traffic, but if there is web traffic, walled-garden it.

    My idea was to use NAT+HAProxy with a wildcard match and use a 302/303 redirect to the correct site. The problem is that if I want to load additional pages from a site, the wildcard match would match them as well and I'd create a loop, so I'm back at the captive portal. :(

    My question is: can a portal with no authentication, a splash page portal, allow traffic without web requests? Or is it an absolute must, like it is on a regular portal? Must the splash page be invoked? Is there such a thing as port whitelisting, like there is domain or MAC address whitelisting?

    Thanks for your help. :)

  • @skilledinept said in Port whitelisting:

    Is there such a thing as port whitelisting, like there is domain or MAC address whitelisting?

    Short answer : Noop.

    Long answer : you can answer your question and do something about it if you know how a captive portal works. See here for a start.

    I'm pretty sure that the firewall used on pfSense, ipfw, can also handle rules that pass destination ports, or, to be more precise, a table with destination ports.

    Between ipfw firewall rules 02216 and 2117 ( ^^ ) you should add something like:

    allow ip from any to any dst-port 'table(YOUR-CP-ZONE_table_with_ports)' in   // client -> Internet: destination port is in the table
    allow ip from any to any src-port 'table(YOUR-CP-ZONE_table_with_ports)' out  // return traffic: source port is in the table

    (not tested !!)

    and fill these two tables with the whitelisted port numbers.

    Sorry : I just realised that if you understood what I said just above, you wouldn't have asked the question in the first place.
    So, take my first, fast answer as the only possible answer.
    Or place a feature request. (special needs need special coding).
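
The port-table idea from the reply above, written out as an added example (not code from the thread or from pfSense). It only prints the ipfw commands unless run with --apply; the table name, the rule number and the dst-port 'table(name)' form are assumptions to check against ipfw(8) and the zone's existing rule list (pfSense keeps each captive portal zone in its own ipfw context, so an `-x ZONE` prefix may be needed).

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the ipfw commands that load a
# number-type table with whitelisted destination ports and pass matching traffic
# through a captive portal zone without touching the splash page.
# Table name, rule number and the 'table(name)' port-match form are assumptions.
IPFW="ipfw"                    # assumption: may need "ipfw -x ZONE" on pfSense
TABLE="cpzone_ports"           # hypothetical table name
RULE_NUM=2116                  # hypothetical slot between the CP rules quoted above
PORTS="500 4500 1194 9993"     # VPN ports quoted in the question

# gen_rules PORTS MODE  (MODE = stateful | stateless); prints, never applies.
gen_rules() {
    ports="$1"; mode="${2:-stateful}"
    echo "$IPFW table $TABLE create type number"
    for p in $ports; do
        echo "$IPFW table $TABLE add $p"
    done
    if [ "$mode" = "stateful" ]; then
        # keep-state creates a dynamic rule for the reply, so no src-port rule is
        # needed; check-state must precede it (a duplicate check-state is harmless)
        echo "$IPFW add $RULE_NUM check-state"
        echo "$IPFW add $RULE_NUM allow ip from any to any dst-port 'table($TABLE)' in keep-state"
    else
        # two-rule form from the reply: the out rule trusts the *source* port, so any
        # external host sending from e.g. source port 1194 matches it (spoofable)
        echo "$IPFW add $RULE_NUM allow ip from any to any dst-port 'table($TABLE)' in"
        echo "$IPFW add $RULE_NUM allow ip from any to any src-port 'table($TABLE)' out"
    fi
}

# Number of commands gen_rules produces: 1 create + N adds + 2 rules.
count_cmds() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules "$PORTS" "${2:-stateful}" | sh   # run as root on the pfSense box
else
    gen_rules "$PORTS" "${2:-stateful}"        # dry run: print the commands
fi
```

Prefer the stateful form: it admits only replies to flows a client opened, whereas the stateless src-port rule passes any inbound packet whose source port happens to be whitelisted.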

  • @Gertjan said in Port whitelisting:

    Short answer : Noop.
    Well, it was worth a shot! Thanks for clearing it up; I won't obsess over trying to make that work. I'll dig deeper into the tables though; maybe (though most likely not) I can learn something.
