[isf-wifidog] Uh oh! We apologize ...

Mina Naguib webmaster at topfx.com
Fri 11 Mar 00:02:27 EST 2005


Mina Naguib wrote:
| Hmm. For some reason your http traffic was re-directed to wifidog when
| you tried to access port 80 on the router (as opposed to *through* the
| router).
|
| That should not have happened.  I'll look into the rules.

I found the problem.

In the "PREROUTING" chain in the "nat" table, we call our custom chain
TABLE_WIFIDOG_WIFI_TO_INTERNET, which eventually, through a few more calls,
re-directs port 80 traffic to wifidog on port 2060.

The problem is that the rule in nat.PREROUTING specifies the "input"
interface (lan) but doesn't specify the output interface (external).
That means that traffic destined to the router as well as traffic
destined to other machines passing through the router gets caught by this
rule.

The simple fix is to lock down the rule so it's "input from lan AND
output via external", but the problem with that is, WiFiDog no longer
knows what the external interface is since it's now an optional
configuration!

I can think of 2 fixes:

1. Make the external interface a mandatory config option again
2. (my recommendation) Run the built-in web server on a port other than
port 80.  That way the rule will not interfere with it.  This would also
be a mandatory requirement if we ever implement captive DNS.

As always, everyone's thoughts are always welcome.

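An added example, not part of the original message and not WiFiDog's own code: the nat PREROUTING chain is traversed before the routing decision, so this sketch separates "to the router" from "through the router" by destination address type, which needs no knowledge of the external interface. The interface name `br-lan`, the availability of the `addrtype` match, and the single REDIRECT rule standing in for the intermediate chains are assumptions.

```shell
#!/bin/sh
# Added example (not WiFiDog's own code). Chain name and port 2060 are from
# the message; br-lan is an assumed LAN interface name, and the single
# REDIRECT rule stands in for the "few more calls" the message mentions.
LAN_IF="${LAN_IF:-br-lan}"
WIFIDOG_PORT="${WIFIDOG_PORT:-2060}"

# Print the nat table in iptables-restore format.
#   before: PREROUTING matches on input interface only (the reported rule)
#   after:  additionally skips packets addressed to the router itself
nat_rules() {
    case "$1" in
        before) guard="" ;;
        after)  guard=" -m addrtype ! --dst-type LOCAL" ;;
        *) echo "usage: nat_rules before|after" >&2; return 2 ;;
    esac
    cat <<EOF
*nat
:TABLE_WIFIDOG_WIFI_TO_INTERNET - [0:0]
-A PREROUTING -i ${LAN_IF}${guard} -j TABLE_WIFIDOG_WIFI_TO_INTERNET
-A TABLE_WIFIDOG_WIFI_TO_INTERNET -p tcp --dport 80 -j REDIRECT --to-ports ${WIFIDOG_PORT}
COMMIT
EOF
}

# Model of how those rules treat one packet (no root or iptables needed).
# Args: mode, input interface, destination type (LOCAL|UNICAST), TCP dport.
# Exit status 0 means the packet would be redirected to WiFiDog.
would_redirect() {
    [ "$2" = "$LAN_IF" ] || return 1
    [ "$4" = "80" ] || return 1
    if [ "$1" = "after" ] && [ "$3" = "LOCAL" ]; then return 1; fi
    return 0
}

# Preview the corrected ruleset.
nat_rules after
```

With the `after` rules, a LAN client's request to port 80 on the router's own address reaches the built-in web server, while port 80 traffic to any other destination is still sent to WiFiDog.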

