From: Dave Taht
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 20 Mar 2014 10:38:17 -0700
Subject: Re: [Cerowrt-devel] BCP38 implementation
In-Reply-To: <87ior9ow66.fsf@toke.dk>

I have tested this, made one small modification, and it will be in
cerowrt-3.10.32-12 and on by default. Nice work!

It doesn't appear to affect the speed of a transfer through the ge00
port at all, and it's really nice to see

  d@nuc:~$ ping 10.0.0.1
  PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
  From 172.26.4.1 icmp_seq=1 Destination Net Unreachable

One possible problem with pushing this up to openwrt is that arguably
it needs to apply this to the "wan" abstraction in the firewall rules
rather than a specific interface, and hook into that chain instead.
(On the other hand, using an actual interface is also good.)

The ipset facility has great potential for other uses, for example:

1) It allows for creation of a port bitmap to be checked for blocking
ports. Right now what happens is we create an iptables rule per blocked
port, which is probably less efficient with lots of ports than using a
single ipset would be.

2) It allows for dynamic addition/subtraction of troublesome (e.g.
DDoSing or infected) hosts. Right now xinetd does half the job of
detecting probes like attempts to telnet to the router and blocks
access to other services controlled by xinetd for a couple of hours.
ipset has basically the same functionality and could be made to do it
for the entire box. An example idea is that I average 2 ssh dictionary
attacks/sec on some of my boxes, and I'd just as soon start dropping
connection attempts after X number of tries.... Another is detecting
dns relay attempts... etc.

On Thu, Mar 20, 2014 at 6:07 AM, Toke Høiland-Jørgensen wrote:
> So, another new version that should now be relatively feature-complete.
> It should be possible to just install these two packages:
>
> http://archive.tohojo.dk/cerowrt/wndr/3.10.32-9-tohojo/packages/bcp38_4-1_ar71xx.ipk
>
> http://archive.tohojo.dk/cerowrt/wndr/3.10.32-9-tohojo/packages/luci-app-bcp38_2-1_all.ipk
>
> and have everything enabled and working. This version does away with the
> firewall rules in the config (so no need to add them; if they exist it
> shouldn't hurt, I think, but might as well just remove them) in favour
> of inserting a whole separate iptables chain to do the matching on.
>
> There's now also an auto-detection feature for the upstream network,
> which should automatically whitelist it when the rules are set up. It
> does this by looking at the routing table for the upstream interface,
> and testing all 'scope link' routes against the configured ipset, adding
> exceptions if they match. There's a config toggle to turn off this
> behaviour, and manual exceptions can be added instead of (or in addition
> to) the auto-detection.
>
> Since this detection is done at every run time, it should also include
> hotplugging; the firewall is reloaded every time an interface is
> hotplugged, which also reloads the bcp38 configuration and re-does the
> auto-detection.
>
>
> Testing is very much appreciated; until some of you tell me different, I
> believe this version is suitable for inclusion in cerowrt. At least all
> the issues on my own previous lists have been fixed AFAIK. :)
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
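The following is an added illustration, not part of the thread and not the cerowrt bcp38 package's own code, of the two mechanisms discussed above: Toke's upstream auto-detection (testing the 'scope link' routes of the WAN interface against the configured ipset and adding exceptions where they overlap) and Dave's point 1 (a bitmap:port ipset in place of one iptables rule per blocked port). It is written in Python because it only parses a constructed `ip route` sample and prints the ipset/iptables commands it would apply; the bogon prefix list, the set and chain names and the chain hooks are assumptions.

```python
"""Added example: generate a BCP38 ipset/iptables rule set with upstream
exceptions auto-detected from 'scope link' routes. Assumptions throughout;
nothing is executed, commands are only printed."""
import ipaddress

# Constructed bogon list for the ipset (RFC 1918 plus a few other
# non-routable ranges); an assumption, not the package's exact list.
BCP38_PREFIXES = [
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
]

# Constructed sample in the style of `ip route show dev ge00`. The ISP hands
# out a private /22 on the WAN link, the case the auto-detection exists for.
# 10.0.0.0/8 is reachable only via the gateway, so it is not link-scope and
# stays blocked (the ping in the thread shows exactly that rejection).
SAMPLE_ROUTES = """\
default via 172.26.4.1 dev ge00 proto static
172.26.4.0/22 dev ge00 proto kernel scope link src 172.26.4.27
192.0.2.0/24 dev ge00 proto kernel scope link src 192.0.2.9
10.0.0.0/8 via 172.26.4.1 dev ge00 proto static
"""


def scope_link_routes(route_text):
    """Return the destination networks of all 'scope link' routes."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        if "scope" not in fields or fields[fields.index("scope") + 1] != "link":
            continue
        if fields[0] == "default":
            continue
        nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def upstream_exceptions(route_text, blocked=BCP38_PREFIXES):
    """Link-scope routes overlapping the blocked set need an exception,
    otherwise the router would reject traffic to its own upstream."""
    blocked_nets = [ipaddress.ip_network(p) for p in blocked]
    return [str(n) for n in scope_link_routes(route_text)
            if any(n.overlaps(b) for b in blocked_nets)]


def render_rules(wan_if, exceptions, blocked=BCP38_PREFIXES,
                 setname="bcp38-ipv4", chain="BCP38", blocked_ports=()):
    """Emit ipset/iptables commands as strings (assumed set/chain names)."""
    cmds = [f"ipset create {setname} hash:net -exist", f"ipset flush {setname}"]
    cmds += [f"ipset add {setname} {p} -exist" for p in blocked]
    cmds += [f"iptables -N {chain}", f"iptables -F {chain}"]
    # Exceptions go first so the upstream prefix bypasses the set match.
    for e in exceptions:
        cmds.append(f"iptables -A {chain} -s {e} -j RETURN")
        cmds.append(f"iptables -A {chain} -d {e} -j RETURN")
    # Egress to a bogon destination is rejected with net-unreachable;
    # ingress with a bogon source address (spoofed) is dropped.
    cmds.append(f"iptables -A {chain} -m set --match-set {setname} dst "
                f"-j REJECT --reject-with icmp-net-unreachable")
    cmds.append(f"iptables -A {chain} -m set --match-set {setname} src -j DROP")
    # Optional port bitmap: one set and one rule instead of a rule per port.
    if blocked_ports:
        cmds.append("ipset create blocked-ports bitmap:port range 0-65535 -exist")
        cmds += [f"ipset add blocked-ports {p} -exist" for p in blocked_ports]
        cmds.append(f"iptables -A {chain} -p tcp -m set "
                    f"--match-set blocked-ports dst -j DROP")
    # Hook the chain on traffic entering or leaving the WAN interface.
    for hook in (f"INPUT -i {wan_if}", f"FORWARD -i {wan_if}",
                 f"FORWARD -o {wan_if}", f"OUTPUT -o {wan_if}"):
        cmds.append(f"iptables -I {hook} -j {chain}")
    return cmds


if __name__ == "__main__":
    exc = upstream_exceptions(SAMPLE_ROUTES)
    print("\n".join(render_rules("ge00", exc, blocked_ports=(23, 137, 445))))
```

Running it against the sample routes yields a single exception, 172.26.4.0/22, while the gateway-routed 10.0.0.0/8 and the public 192.0.2.0/24 link route produce none; the hook on the interface name rather than on the firewall's "wan" zone is the very point Dave raises about upstreaming.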