From: Dave Taht
To: Sebastian Moeller
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 26 Apr 2012 16:20:14 -0700
Subject: Re: [Cerowrt-devel] 3.3.2-8 and firewall

On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller wrote:
> Hi Dave, hi list,
>
> yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run-of-the-mill 4M/30M cable, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed this actually worked.

This should be blocked from the outside world, actually. It is quite probable that the simple_qos script mucks with that. The mixture of firewall and qos/aqm rules in iptables is very complex and hard to deal with.

Worse, I have my own firewall rules system (not in cerowrt) that is very permissive about what protocols can be run across ipv6 in particular, and across the local and guest networks (examples: hip, sctp, igmp, ospf, ipsec, etc.) ... but absolutely no way to wrap a gui around it.

Noted, logged, and will be fixed in the next build. I care a lot about security. I would also like to make port 81 be https, too.

> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So, I went and created a custom rule to reject incoming connections on port 81 from wan (and now I can not reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).

It sounds like you did the right thing.

> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production; if so, please let me know.

The openwrt qos system is obsolete in cerowrt (although I do plan to improve it for openwrt), in favor of the ultimate replacement with the 'aqm' script, of which simple_qos is a test, and which exposed bug #360.
Core differences are htb rather than hfsc, much better use of sfqred, and support for diffserv marking.

Regrettably we're still transitioning; I'd really hoped to have something solid and fully integrated with the aqm stuff by now. I stumble across things like basic integration with uci, and was originally planning to write the whole thing in lua. I still may.

> best
>         Sebastian
>
> --
> Sebastian Moeller
>
> telephone: +1-626-325-8598 / +1-626-395-6523 / +1-626-395-6616
> fax: 626-395-8826
> German GSM: +49 - 15 77 - 1 90 31 41
> mobile: +1-626-325-8598
>         +1-626-807-5242
> US CDMA: +1-626-807-5242
> moeller@caltech.edu
>
> Division of Biology
> MC 114-96
> California Institute of Technology
> 1200 East California Boulevard
> CA 91125, Pasadena
> USA

--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
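Sebastian's custom reject rule and Dave's remark that the qos script mucks with the firewall both come down to rule ordering: iptables takes the first matching rule in a chain, so a REJECT for port 81 that lands below an ACCEPT for the same port never fires. The following shell audit is an added example, not code from this thread or from CeroWrt; it walks a constructed `iptables -S` style listing and reports which rule decides a new connection to port 81 from wan. The chain name `input_wan` and the target `zone_wan_REJECT` are assumptions.

```shell
#!/bin/sh
# Added example, not CeroWrt code: audits an `iptables -S <chain>` listing
# for the first rule that decides a NEW tcp connection to the admin port 81
# arriving in the wan input chain. iptables stops at the first match, so a
# user-added REJECT placed below an ACCEPT for the same port never fires.

# Constructed sample listings; the chain and target names are assumptions,
# not taken from the CeroWrt firewall configuration.
BROKEN_RULES='-N input_wan
-A input_wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A input_wan -p tcp -m tcp --dport 22 -j ACCEPT
-A input_wan -p tcp -m tcp --dport 81 -j ACCEPT
-A input_wan -p tcp -m tcp --dport 81 -j REJECT --reject-with tcp-reset
-A input_wan -j zone_wan_REJECT'

FIXED_RULES='-N input_wan
-A input_wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A input_wan -p tcp -m tcp --dport 81 -j REJECT --reject-with tcp-reset
-A input_wan -p tcp -m tcp --dport 22 -j ACCEPT
-A input_wan -j zone_wan_REJECT'

# first_verdict PORT RULES: prints the -j target of the first rule in RULES
# that matches a NEW tcp connection to PORT. Only -p, --dport, --ctstate and
# -j are interpreted; source and interface matches are ignored for brevity.
first_verdict() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 != "-A" { next }
        {
            proto = ""; dport = ""; state = ""; target = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-p")        proto  = $(i + 1)
                if ($i == "--dport")   dport  = $(i + 1)
                if ($i == "--ctstate") state  = $(i + 1)
                if ($i == "-j")        target = $(i + 1)
            }
            # a state match without NEW cannot decide a fresh connection
            if (state != "" && index(state, "NEW") == 0) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            print target; exit
        }'
}

# wan_exposes PORT RULES: exit status 0 when the first verdict is ACCEPT.
wan_exposes() {
    [ "$(first_verdict "$1" "$2")" = "ACCEPT" ]
}

wan_exposes 81 "$BROKEN_RULES" && echo "port 81 ACCEPTed from wan: the REJECT rule is shadowed"
wan_exposes 81 "$FIXED_RULES" || echo "port 81 rejected from wan as intended"
```

On a real router, feed the function the output of `iptables -S` for the wan input chain instead of the constructed listings.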