How does it work?  
cap-py has three parts.  They are:
 
cap-pyd: main daemon.  By default, binds to 127.0.0.1:8888 and accepts XML-RPC requests from a front-end client.  All it does is accept an IP address, add that IP address to a PF table, and start monitoring that IP via ARP.  After enough failed ARP requests, the IP address is removed from the table and it is no longer monitored.  Currently, the daemon's configuration is in the daemon itself.  In the near future, this will be moved to an external config file.
 
cappy-front.py(.pl):  A simple cgi that grabs REMOTE_ADDR and submits it to cap-pyd.  Written in both Python and Perl--pick your poison.
 
cappyctl.py:  A controller to manage and interact with cap-pyd as a sysadmin.  Currently allows the admin to show current clients and expire clients.
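
The cap-pyd lifecycle described above (admit an IP, probe it, expire it after repeated ARP failures), as an added sketch that is not cap-py's own code.  ClientTracker, pfctl_args, MAX_MISSES and the injected run/probe callables are hypothetical names; the table name comes from the pf.conf changes on this page.  The address is parsed before it reaches pfctl because it originates from a web request.

```python
import ipaddress

PF_TABLE = "wirelessPC"   # table name from the pf.conf changes on this page
MAX_MISSES = 3            # assumed threshold; the page only says "enough"

def pfctl_args(action, ip, table=PF_TABLE):
    """Build the pfctl argv for adding/deleting one address in a table."""
    if action not in ("add", "delete"):
        raise ValueError("unsupported table action: %r" % action)
    # Parsing rejects hostnames, CIDR ranges and trailing junk, so only a
    # single canonical IPv4 address is ever handed to pfctl.
    addr = ipaddress.IPv4Address(ip)
    return ["pfctl", "-t", table, "-T", action, str(addr)]

class ClientTracker:
    """Track authorised clients and expire them after missed ARP probes."""

    def __init__(self, run, probe, max_misses=MAX_MISSES):
        self.run = run        # callable taking an argv list, e.g. subprocess.check_call
        self.probe = probe    # callable(ip) -> True if the host answered ARP
        self.max_misses = max_misses
        self.misses = {}      # ip -> consecutive failed probes

    def admit(self, ip):
        argv = pfctl_args("add", ip)   # validate before touching any state
        self.run(argv)                 # argv list, never a shell string
        self.misses[argv[-1]] = 0
        return argv[-1]

    def expire(self, ip):
        argv = pfctl_args("delete", ip)
        self.run(argv)
        self.misses.pop(argv[-1], None)

    def sweep(self):
        """Probe every client once; return the addresses that were expired."""
        expired = []
        for ip in list(self.misses):
            if self.probe(ip):
                self.misses[ip] = 0    # any reply resets the counter
            else:
                self.misses[ip] += 1
                if self.misses[ip] >= self.max_misses:
                    self.expire(ip)
                    expired.append(ip)
        return expired
```
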
 
To make cap-py useful, it also leans on PF and Apache.
 
Changes to pf.conf:
1.  Create a table for granting access to authenticated clients.
table <wirelessPC> persist
2.  Redirect traffic from hosts NOT in the table to the webserver hosting the cappy-front cgi
rdr pass on $apif proto tcp from !<wirelessPC> to port 80  -> $apif port 80
rdr pass on $apif proto tcp from !<wirelessPC> to port 443 -> $apif port 443
3.  Create rules allowing authenticated clients to use whatever network resources you deem appropriate.
pass in on $apif   proto tcp from <wirelessPC> to any modulate state
pass in on $apif   proto udp from <wirelessPC> to any keep state
Apache setup:
Write mod_rewrite rules to rewrite all HTTP requests directed at the webserver to the webserver’s login page.
RewriteCond %{HTTP_HOST}        !^firewall\.yourdomain\.tld$
RewriteCond %{QUERY_STRING}        ([[:graph:]].*)
RewriteRule ^/(.*)$ https://firewall.yourdomain.tld/index.html
RewriteCond %{HTTP_HOST}        !^firewall\.yourdomain\.tld$
RewriteRule ^/(.*)$ https://firewall.yourdomain.tld/index.html
And that's it.  cap-py is now useful.  There are of course likely other ways to use cap-py; this is just very similar to how I use it in my setup.
 
cappy.py ‘@’ gmail.com
Cap-py!
 