[isf-wifidog] Wifidog development

[Samuel Leathers]

Hey all, I didn't run away ;-) just been reading docs and source code
>> 5) mac address blocking from auth server. This way a known abuser can't
create a new user. maybe timed, so an abuse expires after a month.
>
> Not only should we add blocking by MAC, but we shall add
> whitelisting, because some devices that here plugged to our routers need
to access the Internet at all times (right now we manually
> configure each router). I'd recommend you start working on this

I've been reading the code for the auth server and gateway, and I think
I'm starting to understand the auth process (also looked at the flow
diagram)

In firewall.c I see a function called arp_get, which appears to determine
what MAC belongs to what IP address. I haven't figured out if it already
does this for all incoming connections, and if so where it is being
called, but I think if this data is posted to the login page, right after
the Start Login Process comment in login.php, a query to the database to
try to match the MAC to a white or black list could be done, if it's white
listed, then:

$token = $user->generateConnectionToken();
header("Location: http://" . $gw_address . ":" . $gw_port .
"/wifidog/auth?token=" . $token);

should do the trick I think.

if it's blacklisted, somehow we need to notify the router, so maybe $token
= $user->generateFailedConnectionToken();
(function above would need written, and the the router would need to know
what a failed token looks like, so it could call an iptables rule to block
that mac.

Then, else, continue on with the login process.

I'd like to get some feedback before I try modifying things to make sure
I'm going the direction everyone wants out of this feature, and also to
make sure I understand how things are working currently.

The other thing I think that may work is when the router detects an
incoming connection with a new ip address/mac it contacts the auth server
to detect if it's white or blacklisted before redirecting, but I assume
this would create a little lag time before the redirection page showed up.

Also, when wifidog is started, it can contact the auth server and retrieve
both lists, and setup the rules immediately, and then have it detect at
login as well.

Sam
-- 
Sam Leathers
Sam Leathers Computer Services
814.574.7307
sam at samleathers.com
www.samleathers.com
 -Computer repair services
 -Reliable business consulting
 -Web design and hosting that meets your needs
 -Collection of computers no longer needed
 -Student discounted repair rate
 -Server setups and networking
-------------------------------------



-- 
Sam Leathers
Sam Leathers Computer Services
814.574.7307
sam at samleathers.com
www.samleathers.com
 -Computer repair services
 -Reliable business consulting
 -Web design and hosting that meets your needs
 -Collection of computers no longer needed
 -Student discounted repair rate
 -Server setups and networking
-------------------------------------