Netgate Discussion Forum

Proposal to implement a Reverse Portal

  • J
    joetaber
    last edited by Apr 4, 2025, 4:42 PM

    There has been a demand for something like a Reverse Portal on this forum and elsewhere on the internet for at least two decades. Here I propose an implementation and extend an offer to build it in exchange for a bounty.

    Implementation

    A basic statement of what it should do is simple enough:

    • Set up UI to configure the following:
      • Choose an interface to bind and serve web requests for the login page.
      • What pass rule to apply when a user has authenticated from an IP.
    • Run a web service with login and connected pages.
    • When a user authenticates and loads the connected page, add the configured rule.
    • When the user disconnects, remove the rule.
      • To track disconnects precisely, require the user to keep the connected page open throughout the duration of their session with a live SSE connection to the web service & regular heartbeats; when the connection times out then the rule is removed.
    • Ability to run multiple instances of the Reverse Portal, like Captive Portal "zones"

    Note: Admins would be responsible for ensuring clients can access the web service before logging in, and for configuring the firewall to default-deny clients until the configured rule is added.

    Implementation seems straightforward, if not simple. Here are some relevant resources:

    • A related bounty was posted in 2008: Conditional Connection Daemon {Now $400}
    • This is essentially how Captive Portal works; here is where it calls /sbin/pfctl with rule changes piped via stdin.
    • It may be a good idea to reuse the captive portal login page.
    • See also: FreeBSD uses a ported version of OpenBSD PF firewall; OpenBSD PF docs; OpenBSD pfctl docs
    • pfSense Docs: Developing Packages
    • SSE (Server-Sent Events) with PHP and JS / Streaming with PHP

    Bounty

    I don't have funds to contribute to this proposal, but -- assuming the above implementation proposal is roughly feasible -- I think I could develop it in 30 hours at a rate of $100/hr; $3000 total. My qualifications, such as they are: this detailed proposal, polyglot senior software developer, familiar with web technology and firewall fundamentals, I have never developed against FreeBSD, with PHP, or used pfSense until recently. I believe my estimate is padded enough to account for learning the required technologies. 🤷

    I would not be offended if someone more qualified swipes the bounty for less as long as I get to use it too. 😃

    Maybe this is more of a solicitation for bounties rather than an offer to pay a bounty... I hope that's allowed! 🙏 🙇

    1 Reply Last reply Reply Quote 0
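
The session lifecycle proposed in the post above (add the rule on login, remove it when heartbeats stop), sketched as an added example; this is not code from the poster or from pfSense. Assumptions: the class name `ReversePortalZone`, the `%CLIENT_IP%` placeholder, the `reverseportal_<zone>/...` anchor naming, and a main ruleset that already evaluates those anchors are all hypothetical; only `pfctl -a <anchor> -f -` and `pfctl -a <anchor> -F rules` are real pfctl usage.

```python
import ipaddress
import time


class ReversePortalZone:
    """Session bookkeeping for one zone: the first session from an IP loads the
    pass rule, the last one to end or time out removes it."""

    def __init__(self, zone, rule_template, timeout=30.0, run=None, clock=time.monotonic):
        if not (zone.isascii() and zone.isalnum()):   # zone becomes part of an anchor name
            raise ValueError("zone must be ASCII alphanumeric")
        self.zone, self.rule_template, self.timeout = zone, rule_template, timeout
        self.run = run or (lambda argv, stdin=None: None)  # dry run unless a runner is given
        self.clock = clock
        self.sessions = {}                            # session id -> [ip, last heartbeat]

    def _anchor(self, ip):
        # Hex form keeps ':' and '.' out of the anchor name (IPv4 and IPv6 alike).
        return f"reverseportal_{self.zone}/v{ip.version}_{int(ip):x}"

    def _count(self, ip):
        return sum(1 for sip, _ in self.sessions.values() if sip == ip)

    def connect(self, session_id, remote_addr):
        # remote_addr must be the socket peer address, never a client-supplied header.
        ip = ipaddress.ip_address(remote_addr)        # ValueError on anything but an IP
        if session_id in self.sessions:
            raise ValueError("duplicate session id")
        if self._count(ip) == 0:
            # Only the canonical IP string reaches the rule text piped to pfctl.
            rule = self.rule_template.replace("%CLIENT_IP%", ip.compressed) + "\n"
            self.run(["/sbin/pfctl", "-a", self._anchor(ip), "-f", "-"], stdin=rule)
        self.sessions[session_id] = [ip, self.clock()]

    def heartbeat(self, session_id):
        if session_id not in self.sessions:
            return False                              # expired or unknown: log in again
        self.sessions[session_id][1] = self.clock()
        return True

    def disconnect(self, session_id):
        entry = self.sessions.pop(session_id, None)
        if entry and self._count(entry[0]) == 0:      # last session behind this IP is gone
            self.run(["/sbin/pfctl", "-a", self._anchor(entry[0]), "-F", "rules"])

    def sweep(self):
        """Call periodically: drop every session whose heartbeat is overdue."""
        now = self.clock()
        stale = [s for s, (_, seen) in self.sessions.items() if now - seen > self.timeout]
        for s in stale:
            self.disconnect(s)
        return stale
```

Because the rule keys on source address, every host behind the same NAT address is passed while any one session from that address is live; the per-IP count above only ensures the rule is not removed while another session still depends on it.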