[isf-wifidog] Wifidog development

[Samuel Leathers]

well, cat *.c|grep mac makes a huge difference, things are making a lot
more sense:

 snprintf(buf, (sizeof(buf) - 1), "GET
%sauth/?stage=%s&ip=%s&mac=%s&token=%s&incoming=%llu&outgoing=%llu
HTTP/1.0\r\n"
        "User-Agent: WiFiDog %s\r\n"
        "Host: %s\r\n"
        "\r\n",
        config_get_config()->auth_servers->authserv_path, request_type,
ip, mac, token, incoming, outgoing,
        VERSION,
        config_get_config()->auth_servers->authserv_hostname
    );
centralserver.c starting at 86

Does the above code block happen before the redirect is sent to the
client? If so, well, this should be a lot easier than I thought it was,
cause the mac is already being posted to the auth server, and before the
redirect is thrown, a white/black list can be checked and either authorize
or deny access before the login page shows to the user.

Sam

>
> Hey all, I didn't run away ;-) just been reading docs and source code
>>> 5) mac address blocking from auth server. This way a known abuser can't
> create a new user. maybe timed, so an abuse expires after a month.
>>
>> Not only should we add blocking by MAC, but we shall add
>> whitelisting, because some devices that here plugged to our routers need
> to access the Internet at all times (right now we manually
>> configure each router). I'd recommend you start working on this
>
> I've been reading the code for the auth server and gateway, and I think
> I'm starting to understand the auth process (also looked at the flow
> diagram)
>
> In firewall.c I see a function called arp_get, which appears to determine
> what MAC belongs to what IP address. I haven't figured out if it already
> does this for all incoming connections, and if so where it is being
> called, but I think if this data is posted to the login page, right after
> the Start Login Process comment in login.php, a query to the database to
> try to match the MAC to a white or black list could be done, if it's white
> listed, then:
>
> $token = $user->generateConnectionToken();
> header("Location: http://" . $gw_address . ":" . $gw_port .
> "/wifidog/auth?token=" . $token);
>
> should do the trick I think.
>
> if it's blacklisted, somehow we need to notify the router, so maybe $token
> = $user->generateFailedConnectionToken();
> (function above would need written, and the the router would need to know
> what a failed token looks like, so it could call an iptables rule to block
> that mac.
>
> Then, else, continue on with the login process.
>
> I'd like to get some feedback before I try modifying things to make sure
> I'm going the direction everyone wants out of this feature, and also to
> make sure I understand how things are working currently.
>
> The other thing I think that may work is when the router detects an
> incoming connection with a new ip address/mac it contacts the auth server
> to detect if it's white or blacklisted before redirecting, but I assume
> this would create a little lag time before the redirection page showed up.
>
> Also, when wifidog is started, it can contact the auth server and retrieve
> both lists, and setup the rules immediately, and then have it detect at
> login as well.
>
> Sam
> --
> Sam Leathers
> Sam Leathers Computer Services
> 814.574.7307
> sam at samleathers.com
> www.samleathers.com
>  -Computer repair services
>  -Reliable business consulting
>  -Web design and hosting that meets your needs
>  -Collection of computers no longer needed
>  -Student discounted repair rate
>  -Server setups and networking
> -------------------------------------
>
>
>
> --
> Sam Leathers
> Sam Leathers Computer Services
> 814.574.7307
> sam at samleathers.com
> www.samleathers.com
>  -Computer repair services
>  -Reliable business consulting
>  -Web design and hosting that meets your needs
>  -Collection of computers no longer needed
>  -Student discounted repair rate
>  -Server setups and networking
> -------------------------------------
>
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>


-- 
In life direction is everything, distance is secondary, so keep your bearings

And he went into the Wilderness and prayed.

I can do all things through Christ who strengthens me.