Flow of Opengate
The following is the flow of the Opengate system.
-
A user on the client machine accesses some URL, such as
[e.g., http://www.some.site/ or http://www.some.site/some/path]
-
Ipfw in the gateway checks the packets passing through the gateway. For
packets from a closed (not yet authenticated) client, the forward rule
[ipfw add 60000 fwd localhost tcp from 192.168.0.0/16 to any http] is applied.
-
The web server on localhost (the gateway) receives the request as [GET / or
GET /some/path]
-
The /index.html file is returned in both cases, because httpd.conf is set
as [ErrorDocument 404 /index.html]
-
The browser receives /index.html, but it mistakenly assumes that the reply
was returned from www.some.site.
-
To correct this, /index.html redirects to the full URL of the gateway with
[META HTTP-EQUIV="Refresh" CONTENT="0;
URL=http://192.168.0.1/opengate/en/index.html"]
-
The returned page /opengate/en/index.html is the authentication request page.
The browser now identifies the site of this page correctly.
-
The user enters a userid and password on this page and clicks the button,
which calls the Opengate CGI [FORM METHOD="POST"
ACTION="/cgi-bin/opengate/opengatesrv.cgi"].
-
The CGI starts and processes the following.
-
The CGI gets the userid [e.g., user1 or user1@id1], the password, the IP
address [e.g., 192.168.0.111], and the MAC address.
-
The CGI reads the configuration file [opengatesrv.conf] and gets the
information about the authentication server [default (if @xx is not
entered) or id1].
-
The CGI sends the userid [user1] and password to the authentication server.
-
After the authentication succeeds, the CGI inserts firewall rules before the
forward rule: [ipfw add 10000 allow ip from 192.168.0.111 to any] and
[ipfw add 10000 allow ip from any to 192.168.0.111]. These rules pass
packets to/from the client. At insertion, the CGI searches for an unused
rule number [e.g., 10000] and uses it. The perl script can be modified if
more flexible ipfw control is desired.
-
The CGI reports to syslog that the firewall is opened
[Jun 16 19:14:11 ... OPEN: user user1 from 192.168.0.111...].
-
The CGI reads the reply page file [accept.html], inserts specific
information [userid, server address and port], and sends it to the client.
The page describes the downloading of the Java applet [applet
code='Opengate.class'...] and the opening of a second page
[window.open("http://.../accept2.html")].
-
The CGI closes STDOUT to terminate the web server process.
-
The CGI waits for the Java applet to connect.
-
If no connection is made within DURATIONDEFAULT seconds, the CGI removes the
firewall rule [ipfw del 10000] and terminates. (If a duration is entered on
the authentication page, the timeout is extended to that duration. To cope
with hijacking and notting, the arp command is executed periodically and the
firewall packet count is inquired.)
-
Once connected, the CGI watches the TCP connection between the gateway and
the client. If the TCP connection is closed, the CGI removes the firewall
rule and terminates.
-
The CGI sends 'hello' to the client every ACTIVECHECKINTERVAL seconds.
If no reply arrives within HELLOWAITTIMEOUT seconds, the CGI removes the
firewall rule and terminates.
-
The CGI gets the number of packets passed by the inserted rule from the
firewall [ipfw -a list 10000] every ACTIVECHECKINTERVAL seconds. If the
packet count does not increase within NOPACKETINTERVAL seconds, the CGI
removes the firewall rule and terminates.
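Added example (not code from the Opengate distribution): Python illustrating the unused-rule-number search from the rule insertion step and the packet-count idle check from the step above. The `ipfw -a list` layout (rule number, packets, bytes, rule text), the sample counters and the names parse_ipfw_list, find_unused_rule, passed_packets and IdleWatch are assumptions made for this example.

```python
import re

# Constructed sample of `ipfw -a list` output on the gateway. The column
# layout (rule, packets, bytes, rule text) is assumed; the numbers are made up.
SAMPLE_IPFW_LIST = """\
00100     12      840 allow ip from any to any via lo0
10000   1534  1203456 allow ip from 192.168.0.111 to any
10000    987   654321 allow ip from any to 192.168.0.111
10001     20     1600 allow ip from 192.168.0.112 to any
60000     77     4620 fwd 127.0.0.1 tcp from 192.168.0.0/16 to any dst-port 80
65535 100000 99999999 deny ip from any to any
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_ipfw_list(text):
    """Return a list of (rule_number, packets, rule_text) tuples."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return rules

def find_unused_rule(rules, low=10000, high=59999):
    """First free rule number in [low, high], i.e. below the 60000 fwd rule."""
    used = {num for num, _, _ in rules}
    for n in range(low, high + 1):
        if n not in used:
            return n
    return None

def passed_packets(rules, rule_number):
    """Sum the packet counters of both allow rules sharing this number."""
    return sum(pkts for num, pkts, _ in rules if num == rule_number)

class IdleWatch:
    """update() returns True once the counter has not grown for nopacket_interval seconds."""
    def __init__(self, nopacket_interval, start_count, start_time):
        self.interval = nopacket_interval
        self.count = start_count
        self.last_increase = start_time

    def update(self, count, now):
        if count > self.count:          # client is still passing traffic
            self.count = count
            self.last_increase = now
        return now - self.last_increase >= self.interval
```

In the real flow the CGI would run `ipfw -a list 10000` every ACTIVECHECKINTERVAL seconds and feed the parsed count to update(); a True result is the point at which the rules are deleted.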
-
At termination, the CGI reports the firewall close to syslog [Jun 16
22:11:55 ... CLOS: user user1 from 192.168.0.111...].