[Cerowrt-devel] [Bug #445] doesn't load firewall rules under some circumstances

[Cerowrt-devel] [Bug #445] doesn't load firewall rules under some circumstances

[Dave Taht]

[-- Attachment #1: Type: text/plain, Size: 1115 bytes --]

I usually kill off the firewall rules for an internal router almost
completely. Recently, I didn't do that, and didn't have the external
interface connected, so  a new cerowrt-3.10.50-1 install automagically
meshed with another router over wifi.

...and didn't run the default firewall rules at all.

I first noticed that /etc/firewall.user wasn't run (which is the lousy
place I'm using to export the /24 local network via babel), so I didn't
have connectivity to the next hop mesh... and then I
checked to see there were no iptables rules in place at all. So, some

trigger for running the firewall "fw3 load" doesn't run unless there is an
external ethernet interface up in cerowrt.

And arguably it should run pretty early. So somewhere there is a missing
trigger?? to load the fw...

(and I hope this is a cerowrt specific bug and it did use to work)

... and I'd really rather run this out of /etc/config/network somehow

ip route add unreachable my.subnet.add.ress/24


-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

[-- Attachment #2: Type: text/html, Size: 4267 bytes --]

Re: [Cerowrt-devel] [Bug #445] doesn't load firewall rules under some circumstances

[Ranga Krishnan]

[-- Attachment #1: Type: text/plain, Size: 1877 bytes --]

I have seen this happen and others working on the EFF router have 
experienced this somewhat rare but persistent problem of firewall 
rules not loading.

I have seen mention of this problem on OpenWRT mailing lists
as far back as 3 years ago. Looks like the problem is documented
but has not been fixed. 

I am just going to add 

/etc/init.d/firewall restart

in /etc/rc.local to act as a backup until this is properly resolved. 

Ranga


On Jul 30, 2014, at 1:46 PM, Dave Taht <dave.taht@gmail.com> wrote:

> I usually kill off the firewall rules for an internal router almost
> completely. Recently, I didn't do that, and didn't have the external
> interface connected, so  a new cerowrt-3.10.50-1 install automagically
> meshed with another router over wifi.
> 
> ...and didn't run the default firewall rules at all.
> 
> I first noticed that /etc/firewall.user wasn't run (which is the lousy
> place I'm using to export the /24 local network via babel), so I didn't
> have connectivity to the next hop mesh... and then I
> checked to see there were no iptables rules in place at all. So, some
> 
> trigger for running the firewall "fw3 load" doesn't run unless there is an
> external ethernet interface up in cerowrt.
> 
> And arguably it should run pretty early. So somewhere there is a missing
> trigger?? to load the fw...
> 
> (and I hope this is a cerowrt specific bug and it did use to work)
> 
> ... and I'd really rather run this out of /etc/config/network somehow
> 
> ip route add unreachable my.subnet.add.ress/24
> 
> 
> -- 
> Dave Täht
> 
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel


[-- Attachment #2: Type: text/html, Size: 5551 bytes --]