NAME
    horatio-hostlist - Network access authentication host management

SYNOPSIS
    horatio-hostlist restore|rollcall
    horatio-hostlist enter|leave|query ip-address

DESCRIPTION
    horatio-hostlist is a bash script which manages the firewall and the OPEN_ADDRESSES file for Horatio, including setting up the firewall (horatio-hostlist restore), performing rollcalls (horatio-hostlist rollcall), adding hosts that have just been authenticated (horatio-hostlist enter), removing hosts that have been logged out (horatio-hostlist leave), and querying the OPEN_ADDRESSES file (horatio-hostlist query). horatio-hostlist locks the OPEN_ADDRESSES file before using it and unlocks it before exiting. The restore command removes stale locks.
COMMANDS
    restore
        Executes horatio-firewall to (re-)initialize the firewall and then loops through the OPEN_ADDRESSES file, effectively doing an enter ip-address for each ip-address in it.

    rollcall
        Pipes the contents of OPEN_ADDRESSES through fping -u and does an effective leave ip-address for each ip-address that is unreachable.

    enter ip-address
        Adds ipchains forwarding rules to allow packets to and from ip-address to go through the firewall. These packets are still subject to the input chain's filtering rules, however. Also, this action manually creates an ARP mapping entry for ip-address with the hardware address that is currently in the ARP cache. This is intended to prevent the ip-address from falling victim to ARP spoofing after being logged in. Enter also adds ip-address to the OPEN_ADDRESSES file.

    leave ip-address
        Deletes the ipchains forwarding rules for ip-address and removes the manual ARP cache entry for ip-address. Finally, leave removes ip-address from the OPEN_ADDRESSES file.

    query ip-address
        Looks for ip-address in the OPEN_ADDRESSES file and prints "allowed" if it is found and "denied" otherwise.
FILES
    state_dir/OPEN_ADDRESSES
        The list of IP addresses of hosts that are currently allowed access.

    state_dir/OPEN_ADDRESSES.lock.pid
        Lock file created by a horatio-hostlist process pid.

    state_dir/OPEN_ADDRESSES.lock
        Symbolic link to the lock file, used as the actual lock.
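The lock protocol and the OPEN_ADDRESSES handling described above, as an added example that is not the Horatio project's own script: it uses the same lock.pid file plus symlink scheme and the same stale-lock cleanup that restore performs, but leaves out the ipchains and arp calls so it runs on any host. STATE_DIR is an assumed variable with a placeholder default.

```shell
# Added example, not the Horatio project's own script: the symlink lock and the
# OPEN_ADDRESSES bookkeeping behind enter/leave/query. The ipchains and arp steps
# are omitted on purpose so it runs anywhere. STATE_DIR is assumed (placeholder default).
STATE_DIR="${STATE_DIR:-/var/lib/horatio}"

hostlist_lock() {
    local list="$STATE_DIR/OPEN_ADDRESSES" tries=0 target pid
    echo "$$" > "$list.lock.$$"   # per-process lock file (OPEN_ADDRESSES.lock.pid)
    # ln -s either creates the link or fails: exactly one caller wins the race.
    until ln -s "$list.lock.$$" "$list.lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { rm -f "$list.lock.$$"; return 1; }
        target=$(readlink "$list.lock" 2>/dev/null) || continue
        pid=${target##*.lock.}
        # Stale lock (owner pid gone): discard it, as restore does.
        if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
            rm -f "$list.lock" "$target"; continue
        fi
        sleep 1
    done
}

hostlist_unlock() {
    rm -f "$STATE_DIR/OPEN_ADDRESSES.lock" "$STATE_DIR/OPEN_ADDRESSES.lock.$$"
}

hostlist_query() {   # prints "allowed" (exit 0) or "denied" (exit 1)
    # -x matches whole lines, so 10.0.0.1 does not match 10.0.0.10
    if grep -qxF -- "$1" "$STATE_DIR/OPEN_ADDRESSES" 2>/dev/null; then
        echo allowed
    else
        echo denied; return 1
    fi
}

hostlist_enter() {
    hostlist_lock || return 1
    hostlist_query "$1" >/dev/null || echo "$1" >> "$STATE_DIR/OPEN_ADDRESSES"
    hostlist_unlock
}

hostlist_leave() {
    local list="$STATE_DIR/OPEN_ADDRESSES"
    hostlist_lock || return 1
    grep -vxF -- "$1" "$list" > "$list.new" || true   # grep exits 1 if nothing is left
    mv -f "$list.new" "$list"
    hostlist_unlock
}
```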
SEE ALSO
    horatio(8), horatio-firewall(8), bash(1), fping(1), logger(1), arp(8), ifconfig(8), ipchains(8).

BUGS
    I am surprised every time horatio-hostlist works. Since it is possible to set the hardware address used by many systems (this is a command-line option for Linux's ifconfig), it is fairly trivial for a host B to hijack host A's address and authentication immediately after host A leaves, if host A does not log out. This is bad.
AUTHOR
    Tommy M. McGuire (mcguire@cs.utexas.edu) wrote this.