Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Securing Captive Portal with OS fingerprinting

    Scheduled Pinned Locked Moved Captive Portal
    5 Posts 4 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cs1
      last edited by

      Hi all!

      I would like to discuss something with you that crossed my mind: pfSense uses pf's OS detection in firewall rules. I'm thinking about adding to the security of a Captive Portal scenario by using OS fingerprinting. pfSense allows net access to the MAC and IP of a client who successfully logged in. My question is: wouldn't it make sense to add the OS (that has been detected by pf) to the pf rule as well that allows guest access? Any thoughts? It definitely isn't a solution that will prevent spoofing 100% but it very likely makes things much more difficult. Adding something like Ipguard would add even more security. The only question is what a good way would be to integrate pf's OS fingerprinting and Ipguard with the Captive Portal. Your thoughts are highly appreciated.

      Cheers,
      cs1

      EDIT: Clarified some terms (OS fingerprinting is included in pf) and included mentioning of Ipguard.

      1 Reply Last reply Reply Quote 0
      • H
        heper
        last edited by

        pf isn't used for Captive Portal itself, ipfw handles that.

        what would be the point of using os-fingerprinting in addtion to the voucher/user/mac authentication scheme's? Why would you want to restrict a certain user to a specific OS ?

        captive portal to authenticate on general purpose / free / "public' / networks. like in hotels/bars/cafe's/guest access in enterprises/…). I personally see no use i such a feature.

        1 Reply Last reply Reply Quote 0
        • S
          sebastiannielsen
          last edited by

          no, he isn't out to restrict to a specific OS.

          what he is out for, is, when a client authenticate correctly, the client's MAC, OS-fingerprint, and IP is saved in the firewall rule.
          So the OS-fingerprint must match whatever the user authenticated with, to prevent spoofing.

          1 Reply Last reply Reply Quote 0
          • C
            cmb
            last edited by

            There are no pf rules added for captive portal users and ipfw has no OS fingerprinting.

            1 Reply Last reply Reply Quote 0
            • C
              cs1
              last edited by

              @sebastiannielsen:

              no, he isn't out to restrict to a specific OS.

              what he is out for, is, when a client authenticate correctly, the client's MAC, OS-fingerprint, and IP is saved in the firewall rule.
              So the OS-fingerprint must match whatever the user authenticated with, to prevent spoofing.

              Yes, that's precisely what I'm looking for. I wasn't aware that pf wasn't used for the Captive Portal. However, since pf is still available for filtering, I was thinking about something like this:

              • Create a pf rule that logs the OS fingerprints of clients.

              • After a successful login of a user, create a pf rule for the IP that the user got that only allows TCP traffic with the OS fingerprint that has been detected during login.

              • After either a voluntary logout by the user herself or after the soft / hard timeout, remove the pf rule for the user's IP.

              This should add one more layer of security. Sure, it's not foolproof but certainly would add one more hurdle to abuse.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.