From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by huchra.bufferbloat.net (Postfix, from userid 1000) id 4FF2721F1EB; Sun, 23 Feb 2014 09:21:40 -0800 (PST) Date: Sun, 23 Feb 2014 09:21:40 -0800 From: Dave Taht To: Vincent Frentzel Message-ID: <20140223172140.GB24483@lists.bufferbloat.net> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-06-14) Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] saner defaults for config/firewall X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Feb 2014 17:21:40 -0000 On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote: > Hi everyone, > > After installing ceroWRT the first thing I did was to reconfigure the > firewall as shown attached. My router is used as home gateway and I wanted > to lock down the device a bit. > > The changes are introduced are as follow: > > - LAN (s+) to/from GUEST (g+) is not allowed. > - GUEST to ROUTER is restricted to DNS/DHCP/NTP. I note that even dns is a problem in terms of leaking information about your network, so is mdns. the "g+" convention can simplify access to the internet in the rules too. There are also potential problems in enabling the polipo proxy. Note that the mesh networking interfaces are also "g", and there is something of a conflict between allowing the mesh network and guest access. I used to solve this somewhat with the babel authentication extensions. http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html at the moment that code had landed in the quagga branch of babel, not babel itself. > - I've tuned the basic IPV6 rules to take the above changes into account > and allow proto 41 INPUT for 6to/in4 tunnels. > - LAN to/from ROUTER everything is allowed. > > This could be a nice default config. > > Feedback welcome. After getting the last release out I took a break from email, and didn't get to this. There are certainly conflicting desires for how to do firewalling. Historically we run fairly open by default due to cerowrt's origin as a research project. In the case where we want to open the network somewhat to house guests, being able to have reasonably secure (ssh and printing) protocols open to them is a help. In the case where I want to share my network with the neighborhood, locking things down as per the above makes more sense. I'd argue for even stronger measures, actually, something that an org like openwireless.org could recomend so that people can feel safe in sharing their wifi again. I think we should put up alternet configs like this somewhere on the wiki, or in a git tree... I have a few other desirable configs on the list. -1) gui support for the + syntax would be good. 0) I really, really, really want bcp38 support, using ipset. I wouldn't mind a complete switch to ipset for a variety of things, but some benchmarking along the way would be good to compare the existing schemes one problem I've run into in turning on bcp38 by default is dealing with double nat on the dhcp'd interfaces. 1) a more "normal", bridged implementation more like people are used to. 2) vlan support (I've never managed to make vlans work with babel, btw) 3) ? > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel