Flow of Opengate

The following is the flow of the Opengate system.
  1. A user on the client machine accesses some URL such as [e.g., http://www.some.site/ or http://www.some.site/some/path].
  2. Ipfw in the gateway checks the packets passing through the gateway. For packets from a closed (not yet authenticated) client, the forward rule [ipfw add 60000 fwd localhost tcp from 192.168.0.0/16 to any http] is applied.
  3. The web server on localhost (the gateway) receives the request as [GET / or /some/path].
  4. The /index.html file is returned in both cases, because httpd.conf is set as [ErrorDocument 404 /index.html].
  5. The browser receives /index.html, but it misunderstands the reply as having been returned from www.some.site.
  6. To remove the misunderstanding, /index.html jumps to the full URL of the gateway with [META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://192.168.0.1/opengate/en/index.html"].
  7. The returned page /opengate/en/index.html is the authentication request page. The browser now identifies the site of this page correctly.
  8. The user enters a userid and password on this page and clicks the button, which calls the Opengate CGI [FORM METHOD="POST" ACTION="/cgi-bin/opengate/opengatesrv.cgi"].
  9. The CGI starts and performs the following steps.
  10. The CGI gets the userid [e.g., user1 or user1@id1], password, IP address [e.g., 192.168.0.111], and MAC address.
  11. The CGI reads the configuration file [opengatesrv.conf] and gets the information about the authentication server [default (if no @xx is entered) or id1].
  12. The CGI sends the userid [user1] and password to the authentication server.
  13. After the authentication succeeds, the CGI inserts firewall rules before the forward rule: [ipfw add 10000 allow ip from 192.168.0.111 to any] and [ipfw add 10000 allow ip from any to 192.168.0.111]. These rules pass packets to/from the client. At insertion, the CGI searches for an unused rule number [e.g., 10000] and uses it. The perl script can be modified if more flexible ipfw control is desired.
  14. The CGI reports to syslog that the firewall is opened [Jun 16 19:14:11 ... OPEN: user user1 from 192.168.0.111...].
  15. The CGI reads the reply page file [accept.html], inserts specific information [userid, server address and port] and sends it to the client. The page describes the downloading of the java applet [applet code='Opengate.class'...] and the opening of a second page [window.open("http://.../accept2.html")].
  16. The CGI closes STDOUT to terminate the web server process.
  17. The CGI waits for the java applet to connect.
  18. If no connection arrives within DURATIONDEFAULT seconds, the CGI removes the firewall rule [ipfw del 10000] and terminates. (If a duration is entered on the auth page, the wait is extended to that time. To cope with hijacking and notting, the arp command is executed and the firewall packet count is inquired periodically.)
  19. If connected, the CGI watches the TCP connection between the gateway and the client. If the TCP connection is closed, the CGI removes the firewall rule and terminates.
  20. The CGI sends 'hello' to the client every ACTIVECHECKINTERVAL seconds. If no reply arrives within HELLOWAITTIMEOUT seconds, the CGI removes the firewall rule and terminates.
  21. The CGI gets the number of packets passed by the inserted rule from the firewall [ipfw -a list 10000] every ACTIVECHECKINTERVAL seconds. If the packet count does not increase within NOPACKETINTERVAL seconds, the CGI removes the firewall rule and terminates.
  22. At termination, the CGI reports the firewall close to syslog [Jun 16 22:11:55 ... CLOS: user user1 from 192.168.0.111...].
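To make the rule-number search of step 13 and the watchdog decisions of steps 19 to 21 concrete, here is an added Python simulation; it is not Opengate's own code (which is a CGI driving ipfw). It assumes the timer values shown, the usual `ipfw -a list` output layout of rule number, packet count, byte count and action, and constructed check data in place of a live applet.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Timer names are the ones the flow uses; these values are assumed for the demo.
ACTIVECHECKINTERVAL = 60    # seconds between checks (steps 20 and 21)
HELLOWAITTIMEOUT = 30       # max seconds to wait for the applet's reply to 'hello'
NOPACKETINTERVAL = 600      # close if the rule's packet counter stays flat this long

def unused_rule_number(in_use, low=10000, high=59999):
    """Step 13: pick a free ipfw rule number below the 60000 fwd rule."""
    for n in range(low, high + 1):
        if n not in in_use:
            return n
    raise RuntimeError("no free ipfw rule number")

def packet_count(ipfw_a_list_output, rule_no):
    """Step 21: sum the packet counters of every 'ipfw -a list' line for rule_no
    (layout: rule pkts bytes action ...); both directions share one rule number."""
    total = 0
    for line in ipfw_a_list_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s", line)
        if m and int(m.group(1)) == rule_no:
            total += int(m.group(2))
    return total

@dataclass
class Check:
    t: int                      # seconds since the applet connected (step 17)
    tcp_open: bool              # step 19: is the applet's TCP connection still up?
    hello_reply: Optional[int]  # step 20: seconds until 'hello' was answered, None = never
    pkts: int                   # step 21: packet_count() read at time t

def watchdog(checks):
    """Replay the periodic checks; return (reason, t) at which the CGI would
    remove the rule and terminate, or None if the session is still open."""
    last_pkts, last_increase_t = 0, 0   # counters start at zero on insertion
    for c in checks:
        if not c.tcp_open:
            return ("tcp closed", c.t)
        if c.hello_reply is None or c.hello_reply > HELLOWAITTIMEOUT:
            return ("no hello reply", c.t)
        if c.pkts > last_pkts:
            last_pkts, last_increase_t = c.pkts, c.t
        elif c.t - last_increase_t >= NOPACKETINTERVAL:
            return ("no packets", c.t)
    return None

# Constructed sample: client traffic stops after 5 minutes; one check every 60 s.
IDLE_CLIENT = [Check(t, True, 1, min(t, 300) // 6) for t in range(60, 1201, 60)]
```

With the constructed sample the rule is removed at t=900, i.e. NOPACKETINTERVAL seconds after the counter last increased.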