Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Proposal to implement a Reverse Portal

    Scheduled Pinned Locked Moved Bounties
    1 Posts 1 Posters 198 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      joetaber
      last edited by

      There has been a demand for something like a Reverse Portal on this forum and elsewhere on the internet for at least two decades. Here I propose an implementation and extend an offer to build it in exchange for a bounty.

      Implementation

      A basic statement of what it should do is simple enough:

      • Setup UI to configure the following:
        • Choose an interface to bind and serve web requests for the login page.
        • What pass rule to apply when a user has authenticated from an IP.
      • Run a web service with login and connected pages.
      • When a user authenticates and loads the connected page, add the configured rule.
      • When the user disconnects, remove the rule.
        • To track disconnects precisely, require the user to keep the connected page open throughout the duration of their session with a live SSE connection to the web service & regular heartbeats; when the connection times out then the rule is removed.
      • Ability to run multiple instances of the Reverse Portal, like Captive Portal "zones"

      Note: Admins would be responsible for ensuring clients can access the web service before logging in, and for configuring the firewall to default-deny clients until the configured rule is added.

      Implementation seems straightforward, if not simple. Here are some relevant resources:

      • A related bounty was posted in 2008: Conditional Connection Daemon {Now $400}
      • This is essentially how Captive Portal works; here is where it calls /sbin/pfctl with rule changes piped via stdin.
      • It may be a good idea to reuse the captive portal login page.
      • See also: FreeBSD uses a ported version of OpenBSD PF firewall; OpenBSD PF docs; OpenBSD pfctl docs
      • pfSense Docs: Developing Packages
      • SSE (Server-Sent Events) with PHP and JS / Streaming with PHP

      Bounty

      I don't have funds to contribute to this proposal, but -- assuming the above implementation proposal is roughly feasible -- I think I could develop it in 30 hours at a rate of $100/hr; $3000 total. My qualifications, such as they are: this detailed proposal, polyglot senior software developer, familiar with web technology and firewall fundamentals, I have never developed against FreeBSD, with PHP, or used pfSense until recently. I believe my estimate is padded enough to account for learning the required technologies. ๐Ÿคท

      I would not be offended if someone more qualified swipes the bounty for less as long as I get to use it too. ๐Ÿ˜ƒ

      Maybe this is more of a solicitation for bounties rather than an offer to pay a bounty... I hope that's allowed! ๐Ÿ™ ๐Ÿ™‡

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.