Temporary one-time firewall pass-throughs



  • I once saw a system for accessing network services such as SSH or mysql behind a firewall that worked like this:
    Regular users could log into a page on the firewall and choose which server they wanted and how long they want it for.
    The web service would add a firewall exception for the specified information for the client IP address.
    (Administrators could add for other IPs too.)

    I am trying to implement a system like this that works with pfSense.
    Unfortunately, I have not been able to find that project, so I will be starting from scratch.
    I have modified other packages on pfsense, but never created one myself.
    I am looking for any thoughts on whether this should be a package or integrated into the www of pfsense.
    I could try using the pfsense user manager.
    Also, if anyone else has seen such a system, I would like to know.

    Thank you all.
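One way to structure the backend of such a system, as an added example that is not code from this thread or from pfSense itself: it assumes one pf table per service (a hypothetical `<tmp_ssh>` / `<tmp_mysql>` naming) referenced by a `pass in quick from <tmp_ssh> ...` rule in the ruleset, and it only decides which `pfctl -t <table> -T add|delete` commands to run and when. The non-admin rule from the post (users may open access only for their own client IP) and a hard cap on the requested duration are enforced before anything touches the firewall; the commands are returned as argv lists so the caller can log them, dry-run them, or hand them to `subprocess.run()`.

```python
"""Added example (not pfSense code): time-limited firewall pass-through logic.

Assumed ruleset fragment on the firewall, one table per exposed service:
    table <tmp_ssh> persist
    pass in quick proto tcp from <tmp_ssh> to $ssh_server port 22
This module tracks who was granted what until when and emits the matching
pfctl table commands; a cron job or timer calls expire() periodically.
"""
import ipaddress
import time

# Hypothetical service -> pf table mapping (assumption, not part of pfSense).
SERVICE_TABLES = {"ssh": "tmp_ssh", "mysql": "tmp_mysql"}
MAX_MINUTES = 8 * 60   # cap so a typo cannot leave a hole open for days


class PassThroughManager:
    def __init__(self):
        # (ip, service) -> expiry as seconds since the epoch
        self.grants = {}

    def grant(self, requester_ip, target_ip, service, minutes,
              is_admin=False, now=None):
        """Validate a request and return the pfctl argv that opens it.

        Regular users may only open access for their own address; only an
        administrator may name a different IP.  Raises ValueError on any
        bad input so nothing reaches the firewall unchecked.
        """
        now = time.time() if now is None else now
        if service not in SERVICE_TABLES:
            raise ValueError("unknown service %r" % service)
        addr = ipaddress.ip_address(target_ip)          # rejects garbage early
        if not is_admin and ipaddress.ip_address(requester_ip) != addr:
            raise ValueError("regular users may only open access for their own IP")
        if not 0 < minutes <= MAX_MINUTES:
            raise ValueError("duration must be 1..%d minutes" % MAX_MINUTES)
        key = (str(addr), service)
        # A repeated request keeps the later expiry; it never silently shortens one.
        self.grants[key] = max(self.grants.get(key, 0), now + minutes * 60)
        return ["pfctl", "-t", SERVICE_TABLES[service], "-T", "add", str(addr)]

    def expire(self, now=None):
        """Drop expired grants and return the pfctl delete commands to run.

        Removing the table entry stops new connections; a deployment that
        wants existing sessions cut off as well would also run
        `pfctl -k <ip>` for each address returned here.
        """
        now = time.time() if now is None else now
        cmds = []
        for (ip, service), expiry in list(self.grants.items()):
            if expiry <= now:
                del self.grants[(ip, service)]
                cmds.append(["pfctl", "-t", SERVICE_TABLES[service],
                             "-T", "delete", ip])
        return cmds

    def active(self, now=None):
        """Sorted list of (ip, service) grants that have not expired yet."""
        now = time.time() if now is None else now
        return sorted(k for k, exp in self.grants.items() if exp > now)


if __name__ == "__main__":
    # Constructed sample session: a user opens SSH for 30 minutes, then it lapses.
    mgr = PassThroughManager()
    print(mgr.grant("192.0.2.10", "192.0.2.10", "ssh", 30, now=1000))
    print(mgr.active(now=1000 + 29 * 60))
    print(mgr.expire(now=1000 + 30 * 60))
```

The web front end would call `grant()` with the authenticated user's role and the client IP taken from the request, and the periodic job would run whatever `expire()` returns; because both the whitelist of services and the maximum duration live in this one place, the firewall never sees a table or address the package did not explicitly vet.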


  • Rebel Alliance Developer Netgate

    That is sort of a "reverse captive portal" - you may have better luck searching on that term.

    Depending on what modifications are needed for that to work, a package may be better. It's too late for something like that to make it into pfSense 2.0 but it may be possible for 2.1 or later.



  • Just to keep this updated, searching for reverse captive portal eventually got me to "Netscreen WebAuth" [1], which is almost exactly what I am looking for.
    I have winter vacation from school until the end of January, so I will work on it over that time.

    [1] http://s0.m0n0.ch/wall/list/showmsg.php?id=183/81

