From: Dave Taht
To: "J. Daniel Ashton"
Cc: "cerowrt-devel@lists.bufferbloat.net"
Date: Mon, 24 Feb 2014 11:24:49 -0500
Subject: Re: [Cerowrt-devel] saner defaults for config/firewall
In-Reply-To: <530A4791.8080903@ashtonfam.org>
References: <20140223172140.GB24483@lists.bufferbloat.net> <530A4791.8080903@ashtonfam.org>

On Sun, Feb 23, 2014 at 2:10 PM, J. Daniel Ashton wrote:
>
>
> While you're looking at things that ought to be in the default configuration
> (or in "a" default configuration, perhaps available on the wiki), there are
> two use-cases that I would like to see work better out of the box:
>
> mDNS sharing across non-guest segments: my wife on Wi-Fi, I on Ethernet,
> should be able to see each other's iTunes libraries and the mDNS-advertised
> printer.
> Google's new Chromecast device useable from all non-guest segments: it has
> no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on Wi-Fi at 5Mhz, and
> my desktop on Ethernet. Both tablet and desktop should be able to see the
> Chromecast and control it.
>
> I really like the CeroWrt approach to network segmentation: I felt like I
> was learning best practices as I read up on what you chose to do. But the
> above use cases seem to be problematic with this approach.

It was a fortuitous historical accident. We needed to be able to look at
2.4ghz, 5ghz and ethernet traffic separately, so we broke apart the
bridging everybody else does. Just to be able to do tcpdumps and see what
the heck was going on....

Solutions to a lot of problems fell out. Multicast became less of a
problem in particular, we were able to see clearly a bunch of wireless g
vs n behaviors, wireless worked better in general, we were able to debug
different aspects of different radios, etc.
and see the effects of double nat and of bridging multiple broadcast
domains together even on a small scale in the home...

And (Sigh) the existing problems that bridging everything had worked
around became more acute and interesting. We ended up giving some fresh
love to routing protocols, coming up with schemes to distribute and route
ipv6 prefixes instead of bridging them, and finding the most annoying
"features" of others like mdns and ssdp and upnp.

In terms of fixing mdns, there is a new set of RFCs and work going on to make
it work better over routed networks. A whole ietf wg, actually. Some drafts:

http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-01
http://tools.ietf.org/html/draft-stenberg-homenet-dnssd-hybrid-proxy-zeroconf-00

(fixing mdns is certainly important in larger networks, the core requests
are coming from colleges)

As for the chromecast I don't know how it presently announces its
services, but if it's mdns, the above stuff will fix it I hope.
Eventually. Some code for this now exists, but it's pretty raw...

>
>
>
> On 2/23/14, 12:21 PM, Dave Taht wrote:
>
> On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
>
> Hi everyone,
>
> After installing ceroWRT the first thing I did was to reconfigure the
> firewall as shown attached. My router is used as home gateway and I wanted
> to lock down the device a bit.
>
> The changes introduced are as follows:
>
> - LAN (s+) to/from GUEST (g+) is not allowed.
> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.
>
> I note that even dns is a problem in terms of leaking information about
> your network, so is mdns.
>
> the "g+" convention can simplify access to the internet in the rules too.
>
> There are also potential problems in enabling the polipo proxy.
>
> Note that the mesh networking interfaces are also "g", and there is
> something of a conflict between allowing the mesh network and guest
> access.
>
> I used to solve this somewhat with the babel authentication extensions.
>
> http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
>
> at the moment that code had landed in the quagga branch of babel,
> not babel itself.
>
> - I've tuned the basic IPV6 rules to take the above changes into account
> and allow proto 41 INPUT for 6to/in4 tunnels.
> - LAN to/from ROUTER everything is allowed.
>
> This could be a nice default config.
>
> Feedback welcome.
>
> After getting the last release out I took a break from email, and didn't
> get to this.
>
> There are certainly conflicting desires for how to do firewalling.
> Historically we run fairly open by default due to cerowrt's origin as a
> research project.
>
> In the case where we want to open the network somewhat to house guests,
> being able to have reasonably secure (ssh and printing) protocols open to
> them is a help.
>
> In the case where I want to share my network with the neighborhood,
> locking things down as per the above makes more sense. I'd argue for even
> stronger measures, actually, something that an org like openwireless.org
> could recommend so that people can feel safe in sharing their wifi again.
>
> I think we should put up alternate configs like this somewhere on the wiki,
> or in a git tree...
>
> I have a few other desirable configs on the list.
>
> -1) gui support for the + syntax would be good.
>
> 0) I really, really, really want bcp38 support, using ipset. I wouldn't
> mind a complete switch to ipset for a variety of things, but some
> benchmarking along the way would be good to compare the existing schemes
>
> one problem I've run into in turning on bcp38 by default is dealing
> with double nat on the dhcp'd interfaces.
>
> 1) a more "normal", bridged implementation more like people are used to.
>
> 2) vlan support (I've never managed to make vlans work with babel, btw)
>
> 3) ?
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
> --
> Daniel Ashton PGP key available http://Daniel.AshtonFam.org
> mailto:Daniel@AshtonFam.org http://ChamberMusicWeekend.org
> AIM: FirstFiddl ICQ# 9445142 http://MDMusic.org
>

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
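Item 0) in the quoted message, BCP38 filtering with an ipset and the trouble it runs into behind double NAT on a DHCP'd WAN, as an added example. This is Python written for this page, not CeroWrt code and not anything posted in the thread. It assumes a WAN interface named "ge00", a set named "bcp38" and the bogon list below; the rule scheme it renders (drop WAN-inbound packets whose source is in the set, drop WAN-outbound packets whose destination is in the set) is one common way to do BCP38 on a home gateway, and the double-NAT problem is handled by carving the WAN's own DHCP-assigned subnet out of the set so the upstream NAT box's RFC 1918 gateway address is never blocked.

```python
"""BCP38 source-address filtering with an ipset, double-NAT aware.

Added example for this thread, not CeroWrt code. The WAN interface name
("ge00"), the set name ("bcp38") and the bogon list are assumptions.
"""
import ipaddress
from typing import Iterable, List

# Ranges that must not appear as a source on packets arriving from the
# Internet, nor as a destination on packets we send out there.
# Constructed list: "this" net, RFC 1918, RFC 6598 CGNAT space,
# loopback and link-local.
BOGON_SOURCES = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "100.64.0.0/10",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
]


def bcp38_blocklist(wan_cidr: str,
                    bogons: Iterable[str] = BOGON_SOURCES) -> List[ipaddress.IPv4Network]:
    """Bogon set with the WAN interface's own subnet carved out.

    wan_cidr is the DHCP-assigned WAN address with its prefix length, e.g.
    "192.168.1.5/24" when sitting behind an upstream NAT box. Without the
    carve-out the upstream gateway (192.168.1.1) would itself be blocked,
    which is the double-NAT failure mode described in the thread.
    """
    wan_net = ipaddress.ip_interface(wan_cidr).network
    result: List[ipaddress.IPv4Network] = []
    for cidr in bogons:
        net = ipaddress.ip_network(cidr)
        if wan_net.subnet_of(net):
            # Split the bogon range into the minimal CIDRs that cover
            # everything except the WAN subnet (empty if they are equal).
            result.extend(net.address_exclude(wan_net))
        elif net.subnet_of(wan_net):
            # Bogon range lies entirely inside the WAN subnet: drop it.
            continue
        else:
            result.append(net)
    return sorted(result)


def ipset_script(wan_cidr: str, wan_if: str = "ge00",
                 setname: str = "bcp38") -> str:
    """Render the ipset/iptables commands as a shell script string.

    Inbound: drop packets from the WAN whose source is in the set (spoofed).
    Outbound: drop packets to the WAN whose destination is in the set, so
    private-range traffic never leaks upstream. Because bcp38_blocklist()
    removed the WAN subnet, the upstream NAT gateway stays reachable.
    """
    lines = [
        "#!/bin/sh",
        f"ipset -exist create {setname} hash:net",
        f"ipset flush {setname}",
    ]
    lines += [f"ipset -exist add {setname} {net}"
              for net in bcp38_blocklist(wan_cidr)]
    lines += [
        f"iptables -I INPUT   -i {wan_if} -m set --match-set {setname} src -j DROP",
        f"iptables -I FORWARD -i {wan_if} -m set --match-set {setname} src -j DROP",
        f"iptables -I FORWARD -o {wan_if} -m set --match-set {setname} dst -j DROP",
        f"iptables -I OUTPUT  -o {wan_if} -m set --match-set {setname} dst -j DROP",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Router whose WAN got 192.168.1.5/24 from an upstream NAT box.
    print(ipset_script("192.168.1.5/24"))
```

With a WAN address of 192.168.1.5/24 the 192.168.0.0/16 entry is replaced by the eight CIDRs that cover 192.168.0.0/16 minus 192.168.1.0/24, so everything private is still filtered except the one subnet the router actually needs to talk to; with a public WAN address the set is the untouched bogon list. Regenerating the set from the DHCP hook (rather than hard-coding it) is what makes this safe on a WAN that may move between public and RFC 1918 addressing.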