From: Ranga Krishnan <ranga@eff.org>
To: Dave Taht <dave.taht@gmail.com>
Cc: cerowrt@lists.bufferbloat.net,
"cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Bug #445] doesn't load firewall rules under some circumstances
Date: Wed, 30 Jul 2014 13:52:34 -0700
Message-ID: <1B3878D7-D701-4FF2-943B-506E6572CDF1@eff.org>
In-Reply-To: <CAA93jw68=YxkG+Rc42c=xoGKjCY=+-S35PWp8-4xdDo6zammXw@mail.gmail.com>
I have seen this happen and others working on the EFF router have
experienced this somewhat rare but persistent problem of firewall
rules not loading.

I have seen mention of this problem on OpenWRT mailing lists
as far back as 3 years ago. Looks like the problem is documented
but has not been fixed.

I am just going to add

    /etc/init.d/firewall restart

in /etc/rc.local to act as a backup until this is properly resolved.

Ranga

On Jul 30, 2014, at 1:46 PM, Dave Taht <dave.taht@gmail.com> wrote:
> I usually kill off the firewall rules for an internal router almost
> completely. Recently, I didn't do that, and didn't have the external
> interface connected, so a new cerowrt-3.10.50-1 install automagically
> meshed with another router over wifi.
>
> ...and didn't run the default firewall rules at all.
>
> I first noticed that /etc/firewall.user wasn't run (which is the lousy
> place I'm using to export the /24 local network via babel), so I didn't
> have connectivity to the next hop mesh... and then I
> checked to see there were no iptables rules in place at all. So, some
> trigger for running the firewall "fw3 load" doesn't run unless there is an
> external ethernet interface up in cerowrt.
>
> And arguably it should run pretty early. So somewhere there is a missing
> trigger?? to load the fw...
>
> (and I hope this is a cerowrt specific bug and it did use to work)
>
> ... and I'd really rather run this out of /etc/config/network somehow
>
> ip route add unreachable my.subnet.add.ress/24
>
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
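
Added example, not part of either message and not CeroWrt or OpenWrt code: a variant of the /etc/rc.local backup described above that restarts the firewall only when `iptables -S` shows nothing but default policies, and logs each occurrence so the frequency of the failure is recorded. The function names, the `fw-check` log tag and the sample listings are constructed for illustration; only the IPv4 filter table is checked.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the log tag and the
# sample listings below are constructed for illustration.

# Classify `iptables -S` output read on stdin:
#   loaded  - at least one user chain (-N) or rule (-A) exists
#   empty   - only default policy lines (-P), i.e. the firewall never loaded
#   unknown - no policy lines at all (iptables missing or failed)
ruleset_state() {
    awk '
        /^-P /           { policies++; next }
        /^-N / || /^-A / { rules++ }
        END {
            if (policies == 0)   print "unknown"
            else if (rules == 0) print "empty"
            else                 print "loaded"
        }'
}

# Restart the firewall only when the IPv4 filter table is not populated,
# log the event, and report whether the restart actually produced rules.
ensure_firewall() {
    state=$(iptables -S 2>/dev/null | ruleset_state)
    [ "$state" = loaded ] && return 0
    logger -t fw-check "filter table is $state after boot, restarting firewall"
    /etc/init.d/firewall restart
    state=$(iptables -S 2>/dev/null | ruleset_state)
    [ "$state" = loaded ] && return 0
    logger -t fw-check "filter table still $state after restart"
    return 1
}

# Constructed listings: a box where no rules were loaded, and one with rules.
SAMPLE_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_LOADED='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N input_rule
-A INPUT -i lo -j ACCEPT'

# From /etc/rc.local: sh /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    ensure_firewall
fi
```

The `fw-check` entries in the system log then show how often a boot came up without rules and whether the restart recovered it.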