I really like the CeroWrt approach to network segmentation: I
felt like I was learning best practices as I read up on what you
chose to do. But the above use cases seem to be problematic with
this approach.
On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:Hi everyone, After installing ceroWRT the first thing I did was to reconfigure the firewall as shown attached. My router is used as home gateway and I wanted to lock down the device a bit. The changes are introduced are as follow: - LAN (s+) to/from GUEST (g+) is not allowed. - GUEST to ROUTER is restricted to DNS/DHCP/NTP.I note that even dns is a problem in terms of leaking information about your network, so is mdns. the "g+" convention can simplify access to the internet in the rules too. There are also potential problems in enabling the polipo proxy. Note that the mesh networking interfaces are also "g", and there is something of a conflict between allowing the mesh network and guest access. I used to solve this somewhat with the babel authentication extensions. http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html at the moment that code had landed in the quagga branch of babel, not babel itself.- I've tuned the basic IPV6 rules to take the above changes into account and allow proto 41 INPUT for 6to/in4 tunnels. - LAN to/from ROUTER everything is allowed.This could be a nice default config. Feedback welcome.After getting the last release out I took a break from email, and didn't get to this. There are certainly conflicting desires for how to do firewalling. Historically we run fairly open by default due to cerowrt's origin as a research project. In the case where we want to open the network somewhat to house guests, being able to have reasonably secure (ssh and printing) protocols open to them is a help. In the case where I want to share my network with the neighborhood, locking things down as per the above makes more sense. I'd argue for even stronger measures, actually, something that an org like openwireless.org could recomend so that people can feel safe in sharing their wifi again. I think we should put up alternet configs like this somewhere on the wiki, or in a git tree... I have a few other desirable configs on the list. -1) gui support for the + syntax would be good. 0) I really, really, really want bcp38 support, using ipset. I wouldn't mind a complete switch to ipset for a variety of things, but some benchmarking along the way would be good to compare the existing schemes one problem I've run into in turning on bcp38 by default is dealing with double nat on the dhcp'd interfaces. 1) a more "normal", bridged implementation more like people are used to. 2) vlan support (I've never managed to make vlans work with babel, btw) 3) ?_______________________________________________ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel_______________________________________________ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
-- Daniel Ashton PGP key available http://Daniel.AshtonFam.org mailto:Daniel@AshtonFam.org http://ChamberMusicWeekend.org AIM: FirstFiddl ICQ# 9445142 http://MDMusic.org