[Cerowrt-devel] Firewall configuration in 3.10.50-1

[Cerowrt-devel] Firewall configuration in 3.10.50-1

[Norman Yarvin]

I was just bringing up a router with 3.10.50-1, and noticed something
that seemed amiss in the default firewall configuration.  That is,
under the Network / Interfaces tab, most of the interfaces, under
"Firewall Settings", weren't assigned to any "firewall zone" ("guest",
"wan", or "lan"), but rather were left as "unspecified".

Maybe this is on purpose for some reason, but it seems worth
mentioning.


-- 
Norman Yarvin					http://yarchive.net/blog

Re: [Cerowrt-devel] Firewall configuration in 3.10.50-1

[Dave Taht]

It is a bug in the gui. To get efficiency in the firewall rules cero
uses a pattern match
to blend together all the interfaces. So you see in
/etc/config/firewall file lines that use

s+ To pattern match the three secure interfaces (se00, sw00, sw10)
gw+ To pattern match the guest interfaces.



On Mon, Sep 15, 2014 at 6:22 PM, Norman Yarvin <yarvin@yarchive.net> wrote:
> I was just bringing up a router with 3.10.50-1, and noticed something
> that seemed amiss in the default firewall configuration.  That is,
> under the Network / Interfaces tab, most of the interfaces, under
> "Firewall Settings", weren't assigned to any "firewall zone" ("guest",
> "wan", or "lan"), but rather were left as "unspecified".
>
> Maybe this is on purpose for some reason, but it seems worth
> mentioning.
>
>
> --
> Norman Yarvin                                   http://yarchive.net/blog
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel



-- 
Dave Täht

https://www.bufferbloat.net/projects/make-wifi-fast

Re: [Cerowrt-devel] Firewall configuration in 3.10.50-1

[Norman Yarvin]

Ah, okay.

It seems like the GUI could be fixed by just nuking the "firewall
settings" tab.  (Since if someone does try to use it, it'll interact
in some unspecified way with the existing "s+" and "gw+" rules.)


On Mon, Sep 15, 2014 at 06:32:09PM +0300, Dave Taht wrote:
>It is a bug in the gui. To get efficiency in the firewall rules cero
>uses a pattern match
>to blend together all the interfaces. So you see in
>/etc/config/firewall file lines that use
>
>s+ To pattern match the three secure interfaces (se00, sw00, sw10)
>gw+ To pattern match the guest interfaces.
>
>
>
>On Mon, Sep 15, 2014 at 6:22 PM, Norman Yarvin <yarvin@yarchive.net> wrote:
>> I was just bringing up a router with 3.10.50-1, and noticed something
>> that seemed amiss in the default firewall configuration.  That is,
>> under the Network / Interfaces tab, most of the interfaces, under
>> "Firewall Settings", weren't assigned to any "firewall zone" ("guest",
>> "wan", or "lan"), but rather were left as "unspecified".
>>
>> Maybe this is on purpose for some reason, but it seems worth
>> mentioning.
>>
>>
>> --
>> Norman Yarvin                                   http://yarchive.net/blog
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
>
>
>-- 
>Dave Täht
>
>https://www.bufferbloat.net/projects/make-wifi-fast