From: Dave Taht <dave.taht@bufferbloat.net>
To: Vincent Frentzel <zcecc22@c3r.es>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] saner defaults for config/firewall
Date: Sun, 23 Feb 2014 09:21:40 -0800 [thread overview]
Message-ID: <20140223172140.GB24483@lists.bufferbloat.net> (raw)
In-Reply-To: <CACCCjEXdFP40pa_4L3gAK8kyCq_Qj2tZF-VEFqNGp9=jS4JpYg@mail.gmail.com>
On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
> Hi everyone,
>
> After installing ceroWRT the first thing I did was to reconfigure the
> firewall as shown attached. My router is used as home gateway and I wanted
> to lock down the device a bit.
>
> The changes introduced are as follows:
>
> - LAN (s+) to/from GUEST (g+) is not allowed.
> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.
I note that even dns is a problem in terms of leaking information about
your network; so is mdns.
The "g+" convention can simplify access to the internet in the rules too.
There are also potential problems in enabling the polipo proxy.
Note that the mesh networking interfaces are also "g", and there is
something of a conflict between allowing the mesh network and guest
access.
I used to solve this somewhat with the babel authentication extensions.
http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
At the moment that code had landed in the quagga branch of babel,
not babel itself.
> - I've tuned the basic IPV6 rules to take the above changes into account
> and allow proto 41 INPUT for 6to/in4 tunnels.
> - LAN to/from ROUTER everything is allowed.
>
> This could be a nice default config.
>
> Feedback welcome.
After getting the last release out I took a break from email, and didn't
get to this.
There are certainly conflicting desires for how to do firewalling. Historically
we run fairly open by default due to cerowrt's origin as a research project.
In the case where we want to open the network somewhat to house guests, being
able to have reasonably secure (ssh and printing) protocols open to them
is a help.
In the case where I want to share my network with the neighborhood,
locking things down as per the above makes more sense. I'd argue for even
stronger measures, actually, something that an org like openwireless.org
could recommend so that people can feel safe in sharing their wifi again.
I think we should put up alternate configs like this somewhere on the wiki,
or in a git tree...
I have a few other desirable configs on the list.
-1) gui support for the + syntax would be good.
0) I really, really, really want bcp38 support, using ipset. I wouldn't
mind a complete switch to ipset for a variety of things, but some
benchmarking along the way would be good to compare the existing schemes.
One problem I've run into in turning on bcp38 by default is dealing
with double nat on the dhcp'd interfaces.
1) a more "normal", bridged implementation more like people are used to.
2) vlan support (I've never managed to make vlans work with babel, btw)
3) ?
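Wish-list item 0 above (BCP38 filtering with ipset, and the double-NAT snag it runs into on a DHCP'd WAN) worked through in POSIX shell. This is an added example, not CeroWrt's own firewall code or anything Dave posted: it generates the ipset and iptables commands for a home gateway and, when the upstream has handed the WAN port a private or shared-space address, carves that WAN subnet out of the bogon set with a `nomatch` entry instead of disabling the filter. The interface name `ge00`, the aggregate LAN prefix `172.30.42.0/24` and the WAN addresses used below are constructed sample values.

```shell
#!/bin/sh
# Added example (not CeroWrt's firewall code): generate BCP38 anti-spoofing
# rules with ipset for a home gateway, handling the double-NAT case where the
# upstream DHCP server hands the WAN port a private (RFC 1918 / RFC 6598)
# address. Interface and prefix names are constructed sample values.

# Source prefixes that must never arrive from the WAN side: RFC 1918, shared
# address space, link-local, loopback and the "this network" block.
BCP38_BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16 127.0.0.0/8 0.0.0.0/8"

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask BITS -> integer netmask for a /BITS prefix (1 <= BITS <= 32)
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_cidr ADDR NET/BITS -> exit status 0 if ADDR lies inside NET/BITS
in_cidr() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# cidr_network ADDR/BITS -> NET/BITS with the host bits cleared
cidr_network() {
    bits=${1#*/}
    echo "$(int_to_ip $(( $(ip_to_int "${1%/*}") & $(prefix_mask "$bits") )))/$bits"
}

# wan_exemption WANADDR/BITS -> prints the WAN subnet when it falls inside one
# of the bogon prefixes (the double-NAT case), otherwise prints nothing.
# Always returns 0 so it is safe to use in an assignment under "set -e".
wan_exemption() {
    for cidr in $BCP38_BOGONS; do
        if in_cidr "${1%/*}" "$cidr"; then
            cidr_network "$1"
            return 0
        fi
    done
    return 0
}

# emit_rules WAN_IF LAN_PREFIX WANADDR/BITS -> prints the ipset/iptables
# commands. Printing instead of executing lets the output be reviewed or
# pasted into /etc/firewall.user; pipe it to sh to apply.
emit_rules() {
    wan_if=$1; lan_prefix=$2; wan_addr=$3
    exempt=$(wan_exemption "$wan_addr")
    echo "ipset create bcp38-bogons hash:net -exist"
    for cidr in $BCP38_BOGONS; do
        echo "ipset add bcp38-bogons $cidr -exist"
    done
    # Double-NAT exemption: a more specific "nomatch" entry punches the WAN
    # subnet (upstream gateway, DHCP server) out of the enclosing bogon prefix.
    if [ -n "$exempt" ]; then
        echo "ipset add bcp38-bogons $exempt nomatch -exist"
    fi
    # Ingress: drop anything arriving on the WAN that claims a bogon source.
    echo "iptables -I INPUT   -i $wan_if -m set --match-set bcp38-bogons src -j DROP"
    echo "iptables -I FORWARD -i $wan_if -m set --match-set bcp38-bogons src -j DROP"
    # Egress (the BCP38 half proper): never forward a packet toward the WAN
    # whose source is not one of our own prefixes. NAT rewrites the source in
    # POSTROUTING, so FORWARD still sees the original LAN/guest address.
    echo "iptables -I FORWARD -o $wan_if ! -s $lan_prefix -j DROP"
}

# Usage with sample values: a public WAN address, then a double-NAT one.
emit_rules ge00 172.30.42.0/24 203.0.113.9/24
echo "---"
emit_rules ge00 172.30.42.0/24 192.168.0.77/24
```

The `nomatch` carve-out is the point of the exercise: with a WAN address of 192.168.0.77/24 the whole of 192.168.0.0/16 stays in the set, but 192.168.0.0/24 is excluded, so the upstream router remains reachable while spoofed 192.168.x.y sources from the rest of the internet are still dropped.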
Thread overview: 17+ messages
2014-02-20 23:25 Vincent Frentzel
2014-02-23 17:21 ` Dave Taht [this message]
2014-02-23 19:10 ` J. Daniel Ashton
2014-02-24 8:07 ` Vincent Frentzel
2014-02-24 9:29 ` Sebastian Moeller
2014-02-24 10:05 ` Vincent Frentzel
2014-02-24 10:18 ` Fred Stratton
2014-02-24 11:03 ` Fred Stratton
2014-02-24 11:35 ` Vincent Frentzel
2014-02-24 12:45 ` Fred Stratton
2014-02-24 12:54 ` Robert Bradley
2014-02-24 13:05 ` Vincent Frentzel
2014-02-24 13:48 ` Robert Bradley
2014-02-24 13:35 ` Sebastian Moeller
2014-02-24 13:29 ` Sebastian Moeller
2014-02-24 16:24 ` Dave Taht
2014-03-03 19:41 ` David Lang