From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ranga Krishnan
To: Dave Taht
Cc: cerowrt@lists.bufferbloat.net, cerowrt-devel@lists.bufferbloat.net
Date: Wed, 30 Jul 2014 13:52:34 -0700
Subject: Re: [Cerowrt-devel] [Bug #445] doesn't load firewall rules under some circumstances
Message-Id: <1B3878D7-D701-4FF2-943B-506E6572CDF1@eff.org>

I have seen this happen and others working on the EFF router have
experienced this somewhat rare but persistent problem of firewall
rules not loading.

I have seen mention of this problem on OpenWRT mailing lists
as far back as 3 years ago. Looks like the problem is documented
but has not been fixed.

I am just going to add

/etc/init.d/firewall restart

in /etc/rc.local to act as a backup until this is properly resolved.

Ranga

On Jul 30, 2014, at 1:46 PM, Dave Taht <dave.taht@gmail.com> wrote:

> I usually kill off the firewall rules for an internal router almost
> completely. Recently, I didn't do that, and didn't have the external
> interface connected, so a new cerowrt-3.10.50-1 install automagically
> meshed with another router over wifi.
>
> ...and didn't run the default firewall rules at all.
>
> I first noticed that /etc/firewall.user wasn't run (which is the lousy
> place I'm using to export the /24 local network via babel), so I didn't
> have connectivity to the next hop mesh... and then I
> checked to see there were no iptables rules in place at all. So, some
>
> trigger for running the firewall "fw3 load" doesn't run unless there is an
> external ethernet interface up in cerowrt.
>
> And arguably it should run pretty early. So somewhere there is a missing
> trigger?? to load the fw...
>
> (and I hope this is a cerowrt specific bug and it did use to work)
>
> ... and I'd really rather run this out of /etc/config/network somehow
>
> ip route add unreachable my.subnet.add.ress/24
>
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
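Rather than restarting the firewall unconditionally from /etc/rc.local, a practitioner would usually want the backup to check first whether the rule set is actually missing, and to leave a trace in the log each time it has to step in, so the rare failure stays countable instead of being silently papered over. The script below is an added example, not code from this thread or from the CeroWrt/OpenWrt projects; the script path /etc/firewall-watchdog.sh, the --apply flag and the assumption that fw3 names its zone chains zone_<zone>_<direction> are mine and should be verified against `iptables -S` on the build in question.

```shell
#!/bin/sh
# Constructed example (not from the thread or from CeroWrt/OpenWrt): a small
# helper, assumed to live at /etc/firewall-watchdog.sh and to be called from
# /etc/rc.local as "/etc/firewall-watchdog.sh --apply". It restarts the
# firewall only when the fw3 rule set is actually absent, and logs the event.

# rules_loaded DUMP
#   DUMP is the text of `iptables -S`. Returns 0 (true) when fw3 zone chains
#   are present. Assumption: fw3 creates zone chains named zone_<zone>_<dir>
#   (e.g. zone_lan_input); confirm the naming on your own build.
rules_loaded() {
    printf '%s\n' "$1" | grep -q '^-N zone_'
}

# rule_count DUMP
#   Prints the number of -A (append) rules in DUMP; 0 for a policy-only table,
#   which is what an unloaded firewall looks like.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# ensure_firewall_loaded
#   Reads the live filter table and restarts fw3 if no zone chains exist.
#   Returns 0 if rules were already loaded, 2 if a restart was attempted,
#   so the caller (and logread) can tell the two cases apart.
ensure_firewall_loaded() {
    dump=$(iptables -S 2>/dev/null || true)
    if rules_loaded "$dump"; then
        logger -t firewall-watchdog "fw3 rules present ($(rule_count "$dump") rules); nothing to do"
        return 0
    fi
    logger -t firewall-watchdog "no fw3 zone chains found at boot; running /etc/init.d/firewall restart"
    /etc/init.d/firewall restart
    return 2
}

# Only touch the live firewall when invoked with --apply, so the functions
# above can be sourced or tested without side effects.
case "${1:-}" in
    --apply) ensure_firewall_loaded ;;
esac
```

The corresponding line in /etc/rc.local would be `/etc/firewall-watchdog.sh --apply`. Keying the decision on the presence of fw3's own chains, rather than on "any rule at all", avoids a false positive when something else (babel glue in /etc/firewall.user, for instance) has inserted a rule while the default policy set never loaded.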