From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net, cerowrt@lists.bufferbloat.net
Date: Wed, 30 Jul 2014 16:46:26 -0400
Subject: [Cerowrt-devel] [Bug #445] doesn't load firewall rules under some circumstances
List-Id: Development issues regarding the cerowrt test router project

I usually kill off the firewall rules for an internal router almost
completely. Recently, I didn't do that, and didn't have the external
interface connected, so a new cerowrt-3.10.50-1 install automagically
meshed with another router over wifi.

...and didn't run the default firewall rules at all.

I first noticed that /etc/firewall.user wasn't run (which is the lousy
place I'm using to export the /24 local network via babel), so I didn't
have connectivity to the next hop mesh... and then I checked to see
there were no iptables rules in place at all. So, some trigger for
running the firewall ("fw3 load") doesn't run unless there is an
external ethernet interface up in cerowrt.

And arguably it should run pretty early. So somewhere there is a missing
trigger?? to load the fw...

(and I hope this is a cerowrt specific bug and it did use to work)

... and I'd really rather run this out of /etc/config/network somehow

ip route add unreachable my.subnet.add.ress/24

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
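The state this message describes (router up on a wifi mesh link with no iptables rules loaded at all) is a fail-open condition: with the filter table empty, the builtin chains keep their default ACCEPT policy, so every service listening on the router is reachable over whatever interface came up. Below is an added example, not code from the message or from the CeroWrt/OpenWrt projects, of a small shell check that recognises that state from iptables-save output and re-runs fw3 if nothing is loaded. The fw_is_empty function, the constructed sample dumps and the suggested hook points (rc.local or an interface hotplug script) are assumptions of this example; fw3, iptables-save and logger are the real router tools it calls.

```shell
#!/bin/sh
# Added example (not CeroWrt/OpenWrt code): detect the "no firewall rules
# at all" state and re-trigger fw3. fw_is_empty() reads iptables-save
# output from stdin so it can be exercised offline on constructed dumps.
#
# Security point: with nothing loaded, the builtin chains default to
# ACCEPT, so every listening service is exposed on any link that is up.

# fw_is_empty: exit 0 when the filter table has no rules, no user-defined
# chains, and every builtin chain policy is ACCEPT (nothing is filtering);
# exit 1 otherwise. Only the filter table is inspected: nat rules alone do
# not block anything.
fw_is_empty() {
    awk '
        /^\*/                               { table = substr($1, 2); next }
        table != "filter"                   { next }
        /^:/ && $2 == "-"                   { userchains++ }
        /^:/ && $2 != "-" && $2 != "ACCEPT" { nonaccept++ }
        /^-A /                              { rules++ }
        END { exit !(rules == 0 && userchains == 0 && nonaccept == 0) }
    '
}

# check_firewall: query the live ruleset and re-run fw3 if nothing is
# loaded. Assumed deployment: call it from /etc/rc.local or an interface
# hotplug script on the router. Returns 1 when a reload was needed.
check_firewall() {
    if iptables-save 2>/dev/null | fw_is_empty; then
        logger -t fwcheck "no firewall rules loaded, running fw3 reload"
        fw3 reload
        return 1
    fi
    return 0
}

# Constructed sample dumps (not captured from a real router).
EMPTY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

LOADED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:zone_wan_input - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j zone_wan_input
-A zone_wan_input -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# nat rules alone do not make the router filter anything: still "empty".
NAT_ONLY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Offline self-check on the constructed dumps (does not touch iptables).
printf '%s\n' "$EMPTY_DUMP" | fw_is_empty && echo "EMPTY_DUMP: no filtering in place, would reload fw3"
printf '%s\n' "$LOADED_DUMP" | fw_is_empty || echo "LOADED_DUMP: rules present"
printf '%s\n' "$NAT_ONLY_DUMP" | fw_is_empty && echo "NAT_ONLY_DUMP: nat only, filter table still empty"
```

On the router itself, `iptables-save | fw_is_empty` (or just `iptables -S` by eye) is the quick manual check; a non-ACCEPT builtin policy with no rules is deliberately treated as "not empty", since a DROP policy is still filtering even if it is not the intended ruleset.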