October 23rd, 2003, 00:13
Hello all,
I am looking for a code snippet in PHP to manage a pf or ipfw based firewall, Does anyone know of anything?

I am trying to build a "captive portal" wireless access point.

Heres the senario
1. Wireless access point or multiples attached via ethernet to a BSD box
2. Wireless clients connect to access points
3. All traffic from access points is redirected thru the BSD box

The BSD box would have firewall rules that would redirect all traffic to a webserver on the same machine. On the webserver a PHP interface would authenicate the user against a database(probably mysql) and build a firewall rule using the IP address and mac-address to allow the client machine to pass thru the BSD box onto the "real" LAN and to the internet or beyond. In addition periodically a cron/or other scheduled job would run and remove rules that were more than more than a certain age(unless I could figure out a way to hook into the firewall to figure out if there had been activity in the last X minutes.)

Make sense?


October 23rd, 2003, 01:25
Have you looked at authpf on OpenBSD? ( )

It dynamically changes the firewall rules based on rules you setup for the users. It does need to have an open ssh session to work (it's a shell and doesn't allow any access) and the rules revert when the session closes. Maybe this could work or maybe it wouldn't. Let us know more of what you are thinking and we can throw all kinds of ideas at you.

I remember reading in the ISC DHCP mailing lists about a project or two that redirects all traffic to a webpage to register for an address. Maybe it could be made to suit your needs. Here's the one I was thinking of.

October 23rd, 2003, 01:32
I have looked at authpf however my targeted users are not smart enough to do that. So I scrapped that idea, however I might look at some of the code to see if any of it might apply to what I am doing.

netreg looks promising, I will have to do more research into it.

My main reason for posting was to find some PHP code for modifying a PF or IPFW firewall. After I figure out how to do that the rest falls into place. Other projects do this same thing with other firewalls for wireless authenication but none are in PHP.

Thanks for the reply

October 23rd, 2003, 01:37
m0n0wall which is a micro FreeBSD distribution that provides a php web-based front end for configuration supports ipf and ipfw and had php code that you could use, I'm sure you could probably port it to pf as well.