Following is the flow of the Opengate system:
A user on the client machine accesses some URL such as http://www.some.site/ or http://www.some.site/some/path.
Suppose that some URL has an IPv6 address and an IPv4 address. The client machine gives priority to IPv6 HTTP and uses it. But if ip6fw is closed. IPv6 HTTP will time out.
The client machine retries to access with IPv4 HTTP.
Ipfw checks the packet passing though the gateway. For packets from the closed client, the forward rule [ipfw add 60000 fwd localhost tcp from 192.168.1.0/16 to any http] is applied.
The web server receives the packet as [GET / or /some/path]
The root index file [index.html.var] is accessed in both cases, because the httpd.conf is set as [ErrorDocument 404 /]
The [index.html.var] file invokes a CGI program [opengatefwd.cgi?en] where the option is the language preferred by the client [en].
The CGI program [opengatefwd.cgi] gets the clients IPv4 address from [REMOTE_ADDR], encodes the address, reads in [topindex.html], replaces keywords (encoded IPv4 address and others) in the file, and sends back [topindex.html].
The browser receives the reply [topindex.html]. At this point the browser (mis)interprets the reply as being returned from www.some.site.
To circumvent this misinterpretation, the [topindex.html] jumps to the gateway URL as [META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://opengate.og.saga-u.ac.jp/cgi-bin/opengateauth.cgi?333333333-3-11111111&en"], where option [333333333-3-11111111] is the encoded IPv4 address (incl. check code) and [en] is the preferred language. Due to the [refresh] code, the browser accesses the URL automatically.
The CGI program [opengateauth.cgi] gets the options, reads in [index.html], replaces the keywords in the file, and sends back the adapted [index.html].
The browser receives the authentication request page [index.html]. The encoded IPv4 address and language are described within hidden tags in the page.
The user enters the userid and password for this page, and clicks the button to call the Opengate main CGI [FORM METHOD="POST" ACTION="http://opengate.saga-u.ac.jp/cgi-bin/opengate/opengatesrv.cgi"]. If IPv6 is enabled, access is controlled by IPv6. If not, it's done by IPv4.
The Opengate main CGI [opengatesrv.cgi] starts and processes the following.
The CGI gets the userid [eg., user1 or user1@id1], password, encoded IPv4 address [eg., 333333333-3] , language and watchmode [J or H or T] from the POST data. The CGI also gets the IPv6 address [eg., 2001:e38:10::111] from [REMOTE_ADDR] and gets the MAC address from NDP or ARP.
CGI reads the configuration file [opengatesrv.conf] and gets the information about the authentication server [default](at [user1]) or [id1](at [user1@id1]).
CGI sends the userid[user1] and password to the authentication server indexed as [default] (or [id1]).
After passing authentication, CGI inserts the IPv4 firewall rules [ipfw add 10000 allow ip from 192.168.1.111 to any] and [ipfw add 10000 allow ip from any to 192.168.1.111], and inserts IPv6 firewall rules [ip6fw add 10000 allow ipv6 from 2001:e38:10::111 to any] and [ip6fw add 10000 allow ipv6 from any to 2001:e38:10::111]. The rules allow passing packets to/from the client.
CGI reports the firewall as being opened to syslog: [Jun 16 19:14:11 ... START: user user1 use IPv6 and IPv4 at 00:00:00:00:00:00], [Jun 16 19:14:11 ... OPEN: user user1 from 192.168.1.111...] and [Jun 16 19:14:11 ... OPEN: user user1 from 2001:e38:10::111].
Depending on the watchmode, CGI reads one of the accept reply pages [accept-http.html/accept-time.html], replaces keywords, and sends it to the client. ([accept-http.html].)
In case of accept-http: the
page gets the http-keep page from the opengate port.
The http-keep page includes the script to execute periodic XMLHttpRequests to the opengate port. The periodic request keeps alive a TCP connection with a watch process.
In case of accept-time: the link to terminate network access is displayed.
CGI generates a watch process and exits.
The watch process waits for the http-keep script to connect.
If a connection cannot be established during a specific time period (duration: seconds), CGI removes the firewall rule [ipfw del 10000] and exits. To mitigate against hijacking and notting, the watch process executes periodic ARP checks and firewall packet inquiries between waiting periods. (The watch process gets the number of passed packets matched to the inserted rule from either the IPv4 and/or the IPv6 firewall [ipfw -a list 10000], [ip6fw -a list 10000] every ActiveCheckInterval seconds. If the packet count does not increase in “NoPacketInterval” seconds, the watch process removes the firewall rule and terminates. The watch process also gets the list of MAC and IP addresses from the ARP command every “ActiveCheckInterval” seconds. If the correlation has changed, the watch process removes the firewall rule and terminates.
If the http-keep script is connected, the watch process watches the TCP connection linked to the client. When the TCP connection is closed, the watch process removes the firewall rule and terminates. Thus disabling network access in “real time”.
To check for cable disconnects, using the http-keep script connection, the watch process reads 'GET /hello' and sends 'hello' after “ActiveCheck/Interval” seconds.
When disconnecting from the network, the watch process reports the firewall as being closed to syslog [Jun 16 22:11:55 ... CLOS: user user1 from 192.168.0.111...], [Jun 16 22:11:55 ... CLOS: user user1 from 2001:e38:10::111...] and [Jun 16 22:11:55 ... END: user user1 at 00:00:00:00:00:00].