I've been messing with this idea on and off for months but never got anything to work, until recently. For those who don't know, a Captive Portal is a means of blocking all network traffic other than that on port 80, which is redirected to a page that asks the user to log in; once logged in, the network is available to the machine the user logged in from. It's used to control access to wireless access points (such as those dotted around my uni campus).
Now I fancied setting up a simple access point for some friends of mine who I'm sharing a house with. Rather than simply a secure wireless network, I went this way because, by having user accounts to provide access to the network, this access can be easily controlled (certain users having certain rights, regardless of what machine, IP or MAC they access the network from).
I attempted to configure a few of the captive portal software packages that are around but failed in every attempt because they were far too complex for what I required.
My bit of inspiration was as follows:
Using shorewall to reject all traffic from the local (loc) zone and route port 80 to port 80 on my server, which hosts a log-in screen. Users log in, are authenticated and then added to an "allowed" list. This roughly translates to the following:
/etc/shorewall/rules:
#ACTION   SOURCE             DEST   PROTO   DEST PORT(S)
# Clients not yet in ALLOW_IPS: send their web traffic to the login page on this box
REDIRECT  loc:!$ALLOW_IPS    80     tcp     80
# Clients not yet in ALLOW_IPS: refuse everything else in both directions
REJECT    loc:!$ALLOW_IPS    net    tcp     !80
REJECT    net                loc:!$ALLOW_IPS  tcp  !80
Where ALLOW_IPS is set in /usr/share/shorewall/params and modified by scripts running on the server. More complex rules can also be added to shorewall to allow certain users access to certain ports, etc.
I'd be interested if the experts among you could see any gaping holes in this concept. The configuration above is only basic and can be expanded on, but it's the concept I'm interested in. Yes, it needs a bit of work, a webserver, some PHP, but I find this simpler than any packages which I've attempted to use (this is no doubt a reflection of my skill rather than the complexity of the packages!)
Any comments on this concept are welcomed, positive as well as negative!
Cheers all
Owen Mc
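As an added example (not from the post or from shorewall itself), here is the "allowed list" maintenance the server-side scripts would have to do: validate a freshly authenticated client's address, add or remove it from the ALLOW_IPS line of the params file, and build the matching SOURCE column. The params file content, the client subnet 192.168.1.0/24 and the function names are assumptions; the one check worth copying is that the params file is sourced as shell by shorewall, so nothing from a web form may reach it unless it parses as exactly one host address.

```python
import ipaddress
import re

# Constructed sample of a params file like the one the post describes (assumed content).
SAMPLE_PARAMS = "# shorewall params\nNET_IF=eth0\nALLOW_IPS=192.168.1.10\n"
LOC_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed client subnet of the loc zone


def parse_allow_ips(params_text):
    """Return the current ALLOW_IPS entries as a sorted list of strings."""
    m = re.search(r"^ALLOW_IPS=(.*)$", params_text, re.MULTILINE)
    if not m or not m.group(1).strip():
        return []
    return sorted(set(m.group(1).strip().split(",")))


def validate_client_ip(value):
    """Strictly parse value as one IPv4 host address inside LOC_NET.

    The params file is sourced by the shell when shorewall compiles its rules,
    so a value such as '1.2.3.4; rm -rf /' or '$(id)' must never be written to it.
    """
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}")
    if ip.version != 4 or ip not in LOC_NET:
        raise ValueError(f"{ip} is outside the client subnet {LOC_NET}")
    return str(ip)


def set_allow_ips(params_text, ips):
    """Rewrite (or append) the ALLOW_IPS= line with the given host list."""
    line = "ALLOW_IPS=" + ",".join(sorted(set(ips)))
    if re.search(r"^ALLOW_IPS=", params_text, re.MULTILINE):
        return re.sub(r"^ALLOW_IPS=.*$", line, params_text, flags=re.MULTILINE)
    return params_text.rstrip("\n") + "\n" + line + "\n"


def grant(params_text, value):
    """Add a freshly authenticated client's address to ALLOW_IPS."""
    return set_allow_ips(params_text, parse_allow_ips(params_text) + [validate_client_ip(value)])


def revoke(params_text, value):
    """Drop a client's address (logout or session expiry) from ALLOW_IPS."""
    ip = validate_client_ip(value)
    return set_allow_ips(params_text, [i for i in parse_allow_ips(params_text) if i != ip])


def source_column(ips):
    """SOURCE column for the rules: plain 'loc' while nobody is allowed yet,
    because 'loc:!' with an empty exclusion list is not valid shorewall syntax."""
    return "loc" if not ips else "loc:!" + ",".join(sorted(ips))
```

Writing the file is only half the job: shorewall reads params when it compiles the ruleset, so the script must also restart shorewall after each change, which this example leaves to the caller.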