[isf-wifidog] Opening the firewall if the auth servers are all unreachable

Rob Janes janes.rob at gmail.com
Jeu 2 Mar 07:55:07 EST 2006 

Here's my strategy, Benoit, Phillip, maybe you could comment ...  I've 
made the code changes and now would like to try it out.

David, this is my answer to the Linuxcaffe needs a new dog thread.  I've 
resolved the wifidog building issues that Seneca had the other night by 
fixing the makefiles.

Add a new chain, TABLE_WIFIDOG_AUTH_IS_DOWN, on the mangle, nat and filter.

On the PREROUTING mangle, the chain is there, at the very end, but 
normally empty.  When the heartbeat monitor thread finds the auth 
servers are unreachable it adds a line to mark unmarked packets with a 
new mark, FW_MARK_AUTHISDOWN (253).

When the heartbeat monitor thread finds the auth servers are responding 
again it clears the above mangle chain.

Similarily, in the nat PREROUTING chains, add a check for mark 
FW_MARK_AUTHISDOWN just before the redirect of port 80.  If that mark is 
set, accept the packet.  This bypasses the redirect.

In the filter FORWARD chain, add a check for the FW_MARK_AUTHISDOWN just 
before the jump to the TABLE_WIFIDOG_UNKNOWN chain.  If the mark is set, 
jump to the filter chain TABLE_WIFIDOG_AUTH_IS_DOWN.  This chain is 
loaded at firewall init time from a ruleset, 'auth-is-down'.

If you leave the 'auth-is-down' ruleset empty, everything stays the way 
it is now.

But, if you do

FirewallRuleSet auth-is-down {
   FirewallRule allow to 0/0
}

all customers will be allowed to surf while the auth server is down.  As 
soon as the authserver comes back up, they will be redirected to the 
login splash since the heartbeat monitor will clear the chain that marks 
their packets as FW_MARK_AUTHISDOWN, and then their packets will no 
longer be specially marked.

That's it!

-rob

Alexandre Carmel-Veilleux wrote:

>On 2/19/06, Alexandre Carmel-Veilleux <acveilleux at gmail.com> wrote:
>  
>
>>On 2/9/06, Benoit Grégoire <bock at step.polymtl.ca> wrote:
>>    
>>
>>>On February 8, 2006 03:49 pm, Gabe Sawhney wrote:
>>>      
>>>
>>>>The failover => )open( thing is high on my priority list... it might
>>>>be the project I'd like to work on at a router geeknight...
>>>>        
>>>>
>>I've got a quick hack doing this. The actuating code is there and
>>proper (along with a config file directive. Right now the actual
>>allowing/denying is done by destroying the whole firewall and
>>re-creating it when the auth server becomes live.
>>    
>>
>
>I'm still waiting for suggestions on how the fail-open should happen
>in the firewall... I'm a bit rusty with iptables. Anyone? Benoit,
>Phil?
>
>Alex
>_______________________________________________
>WiFiDog mailing list
>WiFiDog at listes.ilesansfil.org
>http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>
>  
>

More information about the WiFiDog mailing list