[isf-wifidog] Gateway continues to allow persistent connections after logout

Tarken Winn tarkenwinn at gmail.com
Wed 26 Jul 02:36:13 EDT 2006

Hello again everyone,

I have spent a fair amount of time investigating the issue I previously
described, namely that when a user logs out any established streaming
connections will continue as accepted, and have not found a solution.

It appears that /etc/init.d/S45firewall allows RELATED,ESTABLISHED packets
to be forwarded at the line:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

I tried commenting out this line in the hope that it would be covered by the
rules in the WiFiDog_WIFI2Internet chain which is checked in the FORWARD
chain, but to no avail.

I have tried allowing any packets with the auth server as source or
destination to be forwarded, which allows a user to log in (in the hope that
subsequent packets will then be marked in the WiFiDog_WIFI2Internet chain
and correctly forwarded) but then does not allow access to any websites
other than the auth server even after successful login.

I now wonder whether the only way to solve this issue is to modify the
wifidog gateway client code? I guess fw_iptables.c is where things would
need to happen.

Has anyone come up with a solution for this issue? Does anyone knowledgeable
on the internal workings of the gateway and its interactions with iptables
have any suggestions?

Without resolving this issue, limiting and recording the amount of data a
node/user can transfer per month seems a little futile. A user could (and no
doubt will) just log in, start a streaming video feed (or whatever), log out,
then kick back and watch the show without being 'counted'.
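The following script is an editor's added example, not WiFiDog code and not something from this thread; it shows one way a gateway can avoid the problem described above: the RELATED,ESTABLISHED accept in FORWARD is scoped to packets carrying an "authenticated" mark that is set per client in a mangle chain, so deleting the client's mark rules on logout makes its in-flight flows stop matching, and the client's conntrack entries are flushed so accounted sessions end immediately rather than idling until the conntrack timeout. The interface names, the auth server address 192.0.2.10, the mark value 0x2, the chain name AUTH_CLIENTS and the presence of the conntrack-tools binary are all assumptions; by default the script only prints the commands it would run (DRY_RUN=1).

```shell
#!/bin/sh
# Constructed example (not WiFiDog's fw_iptables.c or S45firewall):
# scope stateful ACCEPT to currently authenticated clients and tear
# down their flows on logout. All names and addresses are assumptions.
LAN=${LAN:-wlan0}                 # assumed client-side interface
WAN=${WAN:-eth0}                  # assumed upstream interface (informational)
AUTH_SERVER=${AUTH_SERVER:-192.0.2.10}   # assumed auth server address
AUTH_MARK=0x2                     # assumed fwmark meaning "logged in"
if [ "${DRY_RUN:-1}" = 1 ]; then
  IPT="echo iptables"; CT="echo conntrack"   # print instead of apply
else
  IPT=iptables; CT=conntrack                 # needs root and conntrack-tools
fi

install_base_rules() {
  # Marking happens in mangle/PREROUTING, which runs before filter/FORWARD,
  # so every forwarded packet already carries (or lacks) the mark.
  $IPT -t mangle -N AUTH_CLIENTS 2>/dev/null
  $IPT -t mangle -A PREROUTING -j AUTH_CLIENTS
  $IPT -F FORWARD
  # Anyone may reach the auth server, otherwise nobody could log in.
  $IPT -A FORWARD -i $LAN -d $AUTH_SERVER -j ACCEPT
  $IPT -A FORWARD -o $LAN -s $AUTH_SERVER -j ACCEPT
  # The stateful accept only applies to marked (authenticated) traffic;
  # an unscoped RELATED,ESTABLISHED rule here is what keeps streams alive
  # after logout.
  $IPT -A FORWARD -m mark --mark $AUTH_MARK -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -m mark --mark $AUTH_MARK -m state --state NEW -j ACCEPT
  # Everything else, including unmarked packets of old flows, is dropped.
  $IPT -A FORWARD -j DROP
}

on_login() {   # $1 = client IP reported by the auth server
  # Mark both directions so reply packets from the Internet match too.
  $IPT -t mangle -A AUTH_CLIENTS -s "$1" -j MARK --set-mark $AUTH_MARK
  $IPT -t mangle -A AUTH_CLIENTS -d "$1" -j MARK --set-mark $AUTH_MARK
}

on_logout() {  # $1 = client IP
  $IPT -t mangle -D AUTH_CLIENTS -s "$1" -j MARK --set-mark $AUTH_MARK
  $IPT -t mangle -D AUTH_CLIENTS -d "$1" -j MARK --set-mark $AUTH_MARK
  # Flush the client's conntrack entries (-s matches the original-direction
  # source) so existing flows end now instead of at the conntrack timeout.
  $CT -D -s "$1" 2>/dev/null || true
}

case "${1:-}" in
  install) install_base_rules ;;
  login)   on_login "$2" ;;
  logout)  on_logout "$2" ;;
  *)       install_base_rules; on_login 10.0.0.5; on_logout 10.0.0.5 ;;  # demo run
esac
```

Run it with no arguments to see the full command sequence for a constructed client at 10.0.0.5; with DRY_RUN=0 it applies the rules for real. The per-client accounting point from the post still holds: because the mark rules are deleted and the flows are flushed at logout, no packet of a stream started before logout is forwarded afterwards, so what the gateway counts is what the user actually received while logged in.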