While you're looking at things that ought to be in the default configuration (or in "a" default configuration, perhaps available on the wiki), there are two use-cases that I would like to see work better out of the box:

1. mDNS sharing across non-guest segments: my wife on Wi-Fi, I on Ethernet, should be able to see each other's iTunes libraries and the mDNS-advertised printer.

2. Google's new Chromecast device usable from all non-guest segments: it has no Ethernet port, so it is on Wi-Fi at 2MHz, my tablet on Wi-Fi at 5MHz, and my desktop on Ethernet. Both tablet and desktop should be able to see the Chromecast and control it.

I really like the CeroWrt approach to network segmentation: I felt like I was learning best practices as I read up on what you chose to do. But the above use cases seem to be problematic with this approach.

On 2/23/14, 12:21 PM, Dave Taht wrote:
> On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
>> Hi everyone,
>>
>> After installing ceroWRT the first thing I did was to reconfigure the
>> firewall as shown attached. My router is used as home gateway and I wanted
>> to lock down the device a bit.
>>
>> The changes introduced are as follows:
>>
>> - LAN (s+) to/from GUEST (g+) is not allowed.
>> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.
> I note that even dns is a problem in terms of leaking information about
> your network, so is mdns.
>
> the "g+" convention can simplify access to the internet in the rules too.
>
> There are also potential problems in enabling the polipo proxy.
>
> Note that the mesh networking interfaces are also "g", and there is
> something of a conflict between allowing the mesh network and guest
> access.
>
> I used to solve this somewhat with the babel authentication extensions.
>
> http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
>
> at the moment that code had landed in the quagga branch of babel,
> not babel itself.
>
>> - I've tuned the basic IPV6 rules to take the above changes into account
>> and allow proto 41 INPUT for 6to/in4 tunnels.
>> - LAN to/from ROUTER everything is allowed.
>> This could be a nice default config.
>>
>> Feedback welcome.
> After getting the last release out I took a break from email, and didn't
> get to this.
>
> There are certainly conflicting desires for how to do firewalling. Historically
> we run fairly open by default due to cerowrt's origin as a research project.
>
> In the case where we want to open the network somewhat to house guests, being
> able to have reasonably secure (ssh and printing) protocols open to them
> is a help.
>
> In the case where I want to share my network with the neighborhood,
> locking things down as per the above makes more sense. I'd argue for even
> stronger measures, actually, something that an org like openwireless.org
> could recommend so that people can feel safe in sharing their wifi again.
>
> I think we should put up alternate configs like this somewhere on the wiki,
> or in a git tree...
>
> I have a few other desirable configs on the list.
>
> -1) gui support for the + syntax would be good.
>
> 0) I really, really, really want bcp38 support, using ipset. I wouldn't
> mind a complete switch to ipset for a variety of things, but some
> benchmarking along the way would be good to compare the existing schemes
>
> one problem I've run into in turning on bcp38 by default is dealing
> with double nat on the dhcp'd interfaces.
>
> 1) a more "normal", bridged implementation more like people are used to.
>
> 2) vlan support (I've never managed to make vlans work with babel, btw)
>
> 3) ?
>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

-- 
Daniel Ashton
PGP key available
http://Daniel.AshtonFam.org
mailto:Daniel@AshtonFam.org
http://ChamberMusicWeekend.org
AIM: FirstFiddl
ICQ# 9445142
http://MDMusic.org
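The rule set Vincent lists would look roughly like the following in OpenWrt/CeroWrt UCI firewall syntax. This is an added illustration for the thread, not the attachment from the original mail; the zone names, the `ge00` WAN device and the rule names are assumptions, while the `s+`/`g+` device wildcards follow the convention quoted above.

```uci
# Hypothetical /etc/config/firewall excerpt written for this thread; zone, device and rule names are assumed.
config zone
	option name 'lan'
	list device 's+'           # every trusted interface (s+ convention)
	option input 'ACCEPT'      # LAN to/from ROUTER: everything allowed
	option output 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'guest'
	list device 'g+'           # every guest interface (g+ convention)
	option input 'REJECT'      # GUEST to ROUTER closed, except for the rules below
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'wan'
	list device 'ge00'         # assumed WAN interface name
	option masq '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only lan->wan and guest->wan are forwarded. The absence of any lan<->guest
# forwarding section is what makes "LAN (s+) to/from GUEST (g+) is not allowed" hold.
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'wan'

# GUEST to ROUTER restricted to DNS/DHCP/NTP (UDP 53/67/123 plus TCP 53).
config rule
	option name 'guest-udp-services'
	option src 'guest'
	option proto 'udp'
	option dest_port '53 67 123'
	option target 'ACCEPT'
config rule
	option name 'guest-dns-tcp'
	option src 'guest'
	option proto 'tcp'
	option dest_port '53'
	option target 'ACCEPT'

# proto 41 INPUT for 6to4/6in4 tunnel traffic arriving over the WAN.
config rule
	option name 'allow-proto41'
	option src 'wan'
	option proto '41'
	option target 'ACCEPT'
```

Guest clients that use IPv6 would additionally need ICMPv6 and DHCPv6 (UDP 547) input rules, which this excerpt, like the list in the thread, does not include.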