May 20, 2007 at 11:42 pm #40630
I set up captive portal, and it does seem to redirect http(s) traffic to the login page. However, it seems to allow everything else through. I can ssh, ping, tracert, etc. What have I done wrong, or is this the way it is designed? Thanks.
May 22, 2007 at 4:14 am #45361
From the FAQ http://www.zeroshell.net/eng/captiveportaldetails/
“Such gateway blocks IP packets destined towards the outside and captures the http and https requests on TCP ports 80 and 443 redirecting them to a web server…”
I take this as meaning only http and https requests are diverted – in theory, you should be able to use all other ports and get through the router successfully – I only just noticed this myself.
In the next release, is it possible to make all ports unavailable until the user has authenticated?
EDIT: Consider putting the captive portal wireless on a different subnet if you’re concerned?
May 22, 2007 at 7:14 am #45362
Yes, I did see that in the FAQ, but wanted clarification because it functions unlike other captive-portal-like software where all traffic is initially denied except for 80/443, which is then taken to the login page. The FAQ actually does make it seem like all IP traffic is blocked except for 80/443, which is redirected. The current implementation isn’t sufficient for my needs. I already have them on a separate subnet, but giving access to everything but port 80/443 is not quite what I am looking for. It would be nice if we had the option to block all traffic in a subsequent release. Thanks.
May 22, 2007 at 10:21 pm #45363
This behavior is very strange. I think there is a mistake in your configuration. Have you added any firewall rules in the FORWARD chain?
The firewall takes precedence over Captive Portal.
Try to post more details about your configuration.
May 22, 2007 at 10:26 pm #45364
Ah… That would explain it. I didn’t realize the firewall took precedence. I have changed the forward chains.
My forward chain’s default is to drop packets, but I enabled forwarding from eth02 (The wireless subnet) to eth01 (the outside world). Given that I want to keep the same effect of the firewall (i.e., don’t forward anything except packets from eth02 to eth01 and forward all related/established connections from eth01 to eth02), how do I get Captive Portal to work as intended? Thanks.
May 27, 2007 at 8:08 am #45365
You should set the default policy of the FORWARD chain to ACCEPT and then put the rule
DROP all opt -- in ETH01 out ETH02 0.0.0.0/0 -> 0.0.0.0/0 state NEW
In this case only RELATED and ESTABLISHED connections are forwarded by Zeroshell. All connections started from the WAN are dropped.
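An added example, not part of the thread and not Zeroshell's code: a small Python model of the two FORWARD configurations discussed above, showing why the original rules let unauthenticated SSH through and the suggested ones do not. The evaluation order (explicit firewall rules, then the portal check, then the default policy) is an assumption based on the reply that the firewall has precedence over Captive Portal; `Packet`, `Rule` and `forward` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    state: str                   # "NEW", "ESTABLISHED" or "RELATED"
    authenticated: bool = False  # has the client logged in to the portal?

@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    in_if: str
    out_if: str
    states: frozenset = frozenset()  # empty set matches any state

    def matches(self, p):
        return (p.in_if == self.in_if and p.out_if == self.out_if
                and (not self.states or p.state in self.states))

PORTAL_IF = "ETH02"  # interface behind the captive portal (wireless subnet in the thread)

def forward(rules, policy, p):
    # Assumed model: explicit FORWARD rules are checked first and a match is final.
    for r in rules:
        if r.matches(p):
            return r.target + " (firewall rule)"
    # Only packets that no rule matched reach the portal check.
    if p.in_if == PORTAL_IF and not p.authenticated:
        return "DROP (captive portal)"
    return policy + " (default policy)"

# Constructed from the original poster's description: policy DROP plus ACCEPT rules.
ORIGINAL = ([Rule("ACCEPT", "ETH02", "ETH01"),
             Rule("ACCEPT", "ETH01", "ETH02", frozenset({"RELATED", "ESTABLISHED"}))],
            "DROP")
# Configuration from the last reply: policy ACCEPT plus one DROP rule.
SUGGESTED = ([Rule("DROP", "ETH01", "ETH02", frozenset({"NEW"}))], "ACCEPT")

# Constructed sample packets.
ssh_unauth = Packet("ETH02", "ETH01", "NEW")
ssh_auth = Packet("ETH02", "ETH01", "NEW", authenticated=True)
reply = Packet("ETH01", "ETH02", "ESTABLISHED")
wan_new = Packet("ETH01", "ETH02", "NEW")

if __name__ == "__main__":
    for name, (rules, policy) in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for label, p in (("ssh unauth", ssh_unauth), ("ssh auth", ssh_auth),
                         ("reply", reply), ("wan new", wan_new)):
            print(f"{name:9} {label:10} -> {forward(rules, policy, p)}")
```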