From: "J. Daniel Ashton"
Date: Sun, 23 Feb 2014 14:10:09 -0500
Subject: Re: [Cerowrt-devel] saner defaults for config/firewall
Message-ID: <530A4791.8080903@ashtonfam.org>
In-Reply-To: <20140223172140.GB24483@lists.bufferbloat.net>
CC: cerowrt-devel@lists.bufferbloat.net
List-Id: Development issues regarding the cerowrt test router project

While you're looking at things that ought to be in the default configuration (or in "a" default configuration, perhaps available on the wiki), there are two use cases that I would like to see work better out of the box:
  1. mDNS sharing across non-guest segments: my wife on Wi-Fi, I on Ethernet, should be able to see each other's iTunes libraries and the mDNS-advertised printer.
  2. Google's new Chromecast device usable from all non-guest segments: it has no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on Wi-Fi at 5Mhz, and my desktop on Ethernet. Both tablet and desktop should be able to see the Chromecast and control it.

I really like the CeroWrt approach to network segmentation: I felt like I was learning best practices as I read up on what you chose to do. But the above use cases seem to be problematic with this approach.

On 2/23/14, 12:21 PM, Dave Taht wrote:
> On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
>> Hi everyone,
>>
>> After installing ceroWRT the first thing I did was to reconfigure the
>> firewall as shown attached. My router is used as home gateway and I wanted
>> to lock down the device a bit.
>>
>> The changes introduced are as follows:
>>
>> - LAN (s+) to/from GUEST (g+) is not allowed.
>> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.
> I note that even dns is a problem in terms of leaking information about
> your network, so is mdns.
>
> the "g+" convention can simplify access to the internet in the rules too.
>
> There are also potential problems in enabling the polipo proxy.
>
> Note that the mesh networking interfaces are also "g", and there is
> something of a conflict between allowing the mesh network and guest
> access.
>
> I used to solve this somewhat with the babel authentication extensions.
>
> http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
>
> at the moment that code had landed in the quagga branch of babel,
> not babel itself.
>
>> - I've tuned the basic IPV6 rules to take the above changes into account
>> and allow proto 41 INPUT for 6to/in4 tunnels.
>> - LAN to/from ROUTER everything is allowed.
>> This could be a nice default config.
>>
>> Feedback welcome.
> After getting the last release out I took a break from email, and didn't
> get to this.
>
> There are certainly conflicting desires for how to do firewalling. Historically
> we run fairly open by default due to cerowrt's origin as a research project.
>
> In the case where we want to open the network somewhat to house guests, being
> able to have reasonably secure (ssh and printing) protocols open to them
> is a help.
>
> In the case where I want to share my network with the neighborhood,
> locking things down as per the above makes more sense. I'd argue for even
> stronger measures, actually, something that an org like openwireless.org
> could recommend so that people can feel safe in sharing their wifi again.
>
> I think we should put up alternate configs like this somewhere on the wiki,
> or in a git tree...
>
> I have a few other desirable configs on the list.
>
> -1) gui support for the + syntax would be good.
>
> 0) I really, really, really want bcp38 support, using ipset. I wouldn't
>    mind a complete switch to ipset for a variety of things, but some
>    benchmarking along the way would be good to compare the existing schemes
>
>    one problem I've run into in turning on bcp38 by default is dealing
>    with double nat on the dhcp'd interfaces.
>
> 1) a more "normal", bridged implementation more like people are used to.
>
> 2) vlan support (I've never managed to make vlans work with babel, btw)
>
> 3) ?
>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel


-- 
Daniel Ashton      PGP key available     http://Daniel.AshtonFam.org
mailto:Daniel@AshtonFam.org           http://ChamberMusicWeekend.org
AIM: FirstFiddl           ICQ# 9445142           http://MDMusic.org
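The segment policy the thread is arguing about (Vincent's rule list: LAN s+ and GUEST g+ may not talk, guests reach the router only for DNS/DHCP/NTP, proto 41 accepted for the 6in4 tunnel, LAN to router open; plus Dave's BCP38-via-ipset item) as an added example that is not from this thread or from the CeroWrt project: a small Python evaluator that applies those rules to a packet description and returns the verdict. The interface names (se00, sw00, sw10, gw00, gw10 for segments, ge00 for WAN), the per-segment prefixes standing in for an ipset, the "ipv6" protocol name for IP protocol 41, and the guest-to-guest default-deny are assumptions, as are the constructed sample packets. It also shows two caveats a practitioner hits when writing such rules: the exact WAN match must be ordered before the "g+" wildcard because "g+" would also match ge00, and link-local multicast (mDNS at 224.0.0.251) never reaches the forwarding path at all, which is why the iTunes/printer/Chromecast use cases at the top of this message need a reflector rather than a firewall rule.

```python
"""Toy evaluator for the segment firewall policy discussed in this thread.

Added example, not code from the thread or from the CeroWrt project.  Interface
names, per-segment prefixes and the zone table are assumptions loosely modelled
on CeroWrt: s* = secure (LAN) segments, g* = guest/mesh segments, ge00 = WAN.
"""
import ipaddress

# Assumed per-segment prefixes: a stand-in for an ipset holding each routed
# segment's subnet, which is what a BCP38 anti-spoofing rule would match on.
SEGMENTS = {
    "se00": "172.30.42.0/27",    # wired LAN
    "sw00": "172.30.42.32/27",   # 2.4 GHz LAN wifi
    "sw10": "172.30.42.64/27",   # 5 GHz LAN wifi
    "gw00": "172.30.42.128/27",  # 2.4 GHz guest wifi
    "gw10": "172.30.42.160/27",  # 5 GHz guest wifi
}
WAN_IFACE = "ge00"

# Zone patterns use the iptables "+" interface wildcard from the thread.  The
# exact WAN match is listed first on purpose: "g+" would also match "ge00".
ZONES = [("wan", WAN_IFACE), ("lan", "s+"), ("guest", "g+")]

# The only router services a guest segment may reach: DNS, DHCP and NTP.
GUEST_ROUTER_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67), ("udp", 123)}

LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # mDNS uses 224.0.0.251


def iface_match(pattern, iface):
    """iptables interface matching: a trailing '+' matches any suffix."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def zone_of(iface):
    """Map an interface name to its zone, or None if no pattern matches."""
    for zone, pattern in ZONES:
        if iface_match(pattern, iface):
            return zone
    return None


def bcp38_ok(in_iface, src):
    """Ingress anti-spoofing (BCP38): a packet entering from an internal segment
    must carry a source address inside that segment's own prefix.  The WAN side
    is deliberately not checked here; that is where the thread's 'double NAT'
    problem appears, since an upstream handing out RFC1918 addresses breaks a
    naive 'drop private space on WAN' bogon filter."""
    if in_iface not in SEGMENTS:
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(SEGMENTS[in_iface])


def decide(in_iface, out_iface, src, proto, dport=None, dst=None):
    """Verdict for one new-connection packet.

    out_iface=None means the packet is addressed to the router itself (INPUT);
    otherwise it is being forwarded (FORWARD).  proto is "tcp", "udp" or "ipv6"
    (IP protocol 41, the 6in4 tunnel payload).  Established/related return
    traffic is not modelled; a real ruleset accepts that via conntrack first.
    """
    if not bcp38_ok(in_iface, src):
        return "DROP"  # spoofed source address
    src_zone = zone_of(in_iface)

    if out_iface is None:  # INPUT chain
        if proto == "ipv6":
            return "ACCEPT"  # proto 41 for the 6in4 tunnel endpoint, from anywhere
        if src_zone == "lan":
            return "ACCEPT"  # LAN to/from router: everything allowed
        if src_zone == "guest":
            return "ACCEPT" if (proto, dport) in GUEST_ROUTER_SERVICES else "REJECT"
        return "DROP"  # WAN and unknown interfaces: default deny

    # FORWARD chain.  Link-local multicast such as mDNS is never routed, so no
    # firewall rule can carry it between segments; that needs a reflector.
    if dst is not None and ipaddress.ip_address(dst) in LINK_LOCAL_MCAST:
        return "NOT_ROUTED"
    dst_zone = zone_of(out_iface)
    if {src_zone, dst_zone} == {"lan", "guest"}:
        return "REJECT"  # LAN <-> GUEST not allowed
    if src_zone == "lan" and dst_zone == "lan":
        return "ACCEPT"  # non-guest segments route freely between each other
    if src_zone in ("lan", "guest") and dst_zone == "wan":
        return "ACCEPT"  # both segment types get internet access
    return "DROP"  # WAN-originated, guest-to-guest and anything else: default deny


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        ("se00", "gw00", "172.30.42.5", "tcp", 22, None),              # LAN -> guest ssh
        ("gw00", None, "172.30.42.130", "udp", 53, None),              # guest -> router DNS
        ("gw00", None, "172.30.42.130", "tcp", 22, None),              # guest -> router ssh
        ("ge00", None, "192.0.2.1", "ipv6", None, None),               # 6in4 from WAN
        ("gw00", "ge00", "10.0.0.9", "tcp", 443, None),                # spoofed guest source
        ("sw00", "se00", "172.30.42.40", "udp", 5353, "224.0.0.251"),  # mDNS between LAN segments
    ]
    for s in samples:
        print(s, "->", decide(*s))
```

Running the block prints one verdict per constructed sample; the interesting ones are the spoofed guest packet (dropped by the BCP38 check before any zone rule runs) and the mDNS packet, which no FORWARD rule ever sees.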