[isf-wifidog] Gateway continues to allow persistent connections after logout

Tarken Winn tarkenwinn at gmail.com
Wed 26 Jul 16:03:41 EDT 2006


Hi Chris,

Thanks for the email. I am using cron for cleanup and it works fine. Timeout
is set to 30 seconds (I think it was - default).

However, I expect the problem I am experiencing is universal. For 'normal'
use the system is working great in every respect. User is forced to login
before they can access any web services and after logout is forced to login
again for any NEW requests (opening another webpage, reloading etc).
However, if while logged in a user has started a streaming service - such as
www.pandora.com (the specific example I was using when I discovered the bug)
- the stream will continue AFTER they have successfully logged out. If you
have a node accessible, have a go yourself. I am using a Linksys WRT54GL
router, but expect it will happen on other routers also?

Samuel pointed me to the line in the default /etc/init.d/S45firewall file
that I mentioned and after some naive testing I am somewhat convinced that
it is at least related. The firewall allows RELATED,ESTABLISHED packets
through before ever hitting the wifidog gateway. At least that is my
understanding of it. So a packet comes in from
www.mystreamingbandwidthgobbler.com and is judged to be part of an already
established connection and is therefore accepted by the firewall and
forwarded to the user - whose wifidog status does not matter.

I wonder whether we need to get rid of the line
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
from S45firewall and re-implement this in the wifidog iptables chains?

I'd be interested to know whether you and others experience the same? Is it
router specific (different firewall/iptables setups on different router
types)?

Thanks again,

Tarken
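As an added illustration (not code from this thread or from WiFiDog), a small Python model of the FORWARD-chain ordering described above: the S45firewall RELATED,ESTABLISHED accept is evaluated before the WiFiDog chain, so a stream started while logged in keeps flowing after logout. The same model shows the two remedies the discussion points at, removing that global rule so ESTABLISHED traffic is only accepted inside the per-client chain, or flushing the client's conntrack entries at logout. Client addresses, the server name and the conntrack-flush step are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    client: str    # wireless client address
    server: str    # internet host
    inbound: bool  # True = server -> client (reply / stream data)


@dataclass
class Gateway:
    authenticated: set = field(default_factory=set)
    conntrack: set = field(default_factory=set)  # (client, server) flows seen
    # Models the S45firewall rule that runs before the WiFiDog chain:
    #   iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    global_established_accept: bool = True

    def login(self, client):
        self.authenticated.add(client)

    def logout(self, client, flush_conntrack=False):
        self.authenticated.discard(client)
        if flush_conntrack:  # assumed fix: what `conntrack -D -s <client>` does
            self.conntrack = {f for f in self.conntrack if f[0] != client}

    def forward(self, pkt):
        flow = (pkt.client, pkt.server)
        established = flow in self.conntrack
        if pkt.inbound and not established:
            return "DROP"  # unsolicited NEW traffic from the internet
        if self.global_established_accept and established:
            return "ACCEPT"  # matched before WiFiDog_WIFI2Internet is consulted
        # WiFiDog_WIFI2Internet: only authenticated clients' traffic passes
        # (ESTABLISHED included once the global rule is gone)
        if pkt.client in self.authenticated:
            self.conntrack.add(flow)
            return "ACCEPT"
        return "DROP"


def stream_after_logout(global_rule=True, flush=False):
    """Start a stream while logged in, log out, then return the verdict on
    the next chunk of stream data coming back from the server."""
    gw = Gateway(global_established_accept=global_rule)
    client, server = "192.168.1.10", "stream.example"  # constructed values
    gw.login(client)
    assert gw.forward(Packet(client, server, inbound=False)) == "ACCEPT"
    gw.logout(client, flush_conntrack=flush)
    return gw.forward(Packet(client, server, inbound=True))
```

`stream_after_logout()` returns "ACCEPT" (the reported behaviour); with `global_rule=False` or `flush=True` it returns "DROP", while a fresh request after logout is dropped in every configuration.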
On 7/26/06, Chris Rowson <christopherrowson at gmail.com> wrote:
>
> Hi Tarken,
>
> Am I right in thinking that your users are able to continue using the
> connection after they have logged out?
>
> If so, have you changed CONF_USE_CRON_FOR_DB_CLEANUP to false in your
> config.php? That should clean up your database every time a user query
> comes in (which solved a similar problem that I was having).
>
> Also, have you checked the timeout variables in the wifidog
> configuration file itself?
>
> Chris
>
> On 26/07/06, Tarken Winn <tarkenwinn at gmail.com> wrote:
> >
> > Hello again everyone,
> >
> > I have spent a fair amount of time investigating the issue I previously
> > described, namely that when a user logs out any established streaming
> > connections will continue as accepted, and have not found a solution.
> >
> > It appears that /etc/init.d/S45firewall allows RELATED,ESTABLISHED
> > packets to be forwarded at the line:
> >
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > I tried commenting out this line in the hope that it would be covered
> > by the rules in the WiFiDog_WIFI2Internet chain which is checked in the
> > FORWARD chain, but to no avail.
> >
> > I have tried allowing any packets with the auth server as source or
> > destination to be forwarded, which allows a user to login (in the hope that
> > subsequent packets will then be marked in the WiFiDog_WIFI2Internet chain
> > and correctly forwarded) but then does not allow access to any websites
> > other than the auth server even after successful login.
> >
> > I now wonder whether the only way to solve this issue is to modify the
> > wifidog gateway client code? I guess fw_iptables.c is where things would
> > need to happen.
> >
> > Has anyone come up with a solution for this issue? Does anyone
> > knowledgeable on the internal workings of the gateway and its interactions
> > with iptables have any suggestions?
> >
> > Without resolving this issue, limiting and recording the amount of data
> > a node/user can transfer per month seems a little futile. A user could (and
> > no doubt will) just login, start a streaming video feed (or whatever),
> > logout, then kick back and watch the show without being 'counted'.
> >
> > Thanks,
> >
> > Tarken
> >
> > _______________________________________________
> > WiFiDog mailing list
> > WiFiDog at listes.ilesansfil.org
> > http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >
> >


More information about the WiFiDog mailing list