From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <c3reszcecc22@gmail.com>
Received: from mail-vc0-x244.google.com (mail-vc0-x244.google.com
	[IPv6:2607:f8b0:400c:c03::244])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority G2" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id 383F421F1C8
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 20 Feb 2014 15:25:25 -0800 (PST)
Received: by mail-vc0-f196.google.com with SMTP id lf12so801294vcb.7
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 20 Feb 2014 15:25:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:sender:date:message-id:subject:from:to:content-type;
	bh=3FXGkRFVulzS2gtmRcbi9WTNA/bjM8b21en5Gv11fwI=;
	b=MG2ZfLL9H9olbVZ5/UuwIHwwEYn4L6eU1x8LhJWpRPgdlyQJ5+gEvM3i7ANtLAw+R3
	0I75Ya/bc/0329aWHM3o/vogb9vDYd54RzqnO2+DlgyC9YrHwg7NRCAxf79DBNYcaRZ8
	VCkCIKtGW0af7dGOcTBJ78v5GDYaPJ6xydy6l4kjH005Ex2KeWx7OvrIbZPhEQ/8sFV9
	EzBjw8XZLWegME5jUHFtJJWzGD+phSYhbZPrCcuqe4SDUomA/V/CAcC1Jumr0rv/qv88
	B+gJ2UsN3jY7mIQ7ZOhP1KN5enQhmcQB6qlD9dBw7uQVzGzfXpfutyGJJKzbz7tZOF3I
	XjQQ==
MIME-Version: 1.0
X-Received: by 10.220.147.16 with SMTP id j16mr2743722vcv.28.1392938724112;
	Thu, 20 Feb 2014 15:25:24 -0800 (PST)
Sender: c3reszcecc22@gmail.com
Received: by 10.220.196.210 with HTTP; Thu, 20 Feb 2014 15:25:23 -0800 (PST)
Date: Fri, 21 Feb 2014 00:25:23 +0100
X-Google-Sender-Auth: HR9HBsPRdfZpLtnZfrfhEDWjRMo
Message-ID: <CACCCjEXdFP40pa_4L3gAK8kyCq_Qj2tZF-VEFqNGp9=jS4JpYg@mail.gmail.com>
From: Vincent Frentzel <zcecc22@c3r.es>
To: cerowrt-devel@lists.bufferbloat.net
Content-Type: multipart/mixed; boundary=047d7b3436d2d8a88b04f2ded190
Subject: [Cerowrt-devel] saner defaults for config/firewall
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2014 23:25:25 -0000

--047d7b3436d2d8a88b04f2ded190
Content-Type: multipart/alternative; boundary=047d7b3436d2d8a88704f2ded18e

--047d7b3436d2d8a88704f2ded18e
Content-Type: text/plain; charset=UTF-8

Hi everyone,

After installing ceroWRT the first thing I did was to reconfigure the
firewall as shown attached. My router is used as home gateway and I wanted
to lock down the device a bit.

The changes are introduced are as follow:

- LAN (s+) to/from GUEST (g+) is not allowed.
- GUEST to ROUTER is restricted to DNS/DHCP/NTP.
- I've tuned the basic IPV6 rules to take the above changes into account
and allow proto 41 INPUT for 6to/in4 tunnels.
- LAN to/from ROUTER everything is allowed.

This could be a nice default config.

Feedback welcome.

--047d7b3436d2d8a88704f2ded18e
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi everyone,<div><br></div><div>After installing ceroWRT t=
he first thing I did was to reconfigure the firewall as shown attached. My =
router is used as home gateway and I wanted to lock down the device a bit.<=
/div>
<div><br></div><div>The changes are introduced are as follow:</div><div><br=
></div><div>- LAN (s+) to/from GUEST (g+) is not allowed.</div><div>- GUEST=
 to ROUTER is restricted to DNS/DHCP/NTP.</div><div>- I&#39;ve tuned the ba=
sic IPV6 rules to take the above changes into account and allow proto 41 IN=
PUT for 6to/in4 tunnels.</div>
<div>- LAN to/from ROUTER everything is allowed.</div><div><br></div><div>T=
his could be a nice default config.</div><div><br></div><div>Feedback welco=
me.</div></div>

--047d7b3436d2d8a88704f2ded18e--
--047d7b3436d2d8a88b04f2ded190
Content-Type: application/octet-stream; name=firewall
Content-Disposition: attachment; filename=firewall
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hrwnpg1i0

CmNvbmZpZyBkZWZhdWx0cwoJb3B0aW9uIGlucHV0ICdBQ0NFUFQnCglvcHRpb24gb3V0cHV0ICdB
Q0NFUFQnCglvcHRpb24gZm9yd2FyZCAnUkVKRUNUJwoJb3B0aW9uIGRyb3BfaW52YWxpZCAnMScK
CW9wdGlvbiBzeW5mbG9vZF9wcm90ZWN0ICcxJwoJb3B0aW9uIHN5bmZsb29kX3JhdGUgJzIwMC9z
JwoJb3B0aW9uIHN5bmZsb29kX2J1cnN0ICc1MDAnCglvcHRpb24gdGNwX2VjbiAnMScKCmNvbmZp
ZyB6b25lCglvcHRpb24gaW5wdXQgJ0RST1AnCglvcHRpb24gZm9yd2FyZCAnRFJPUCcKCW9wdGlv
biBvdXRwdXQgJ0FDQ0VQVCcKCW9wdGlvbiBuYW1lICd3YW4nCglvcHRpb24gbWFzcSAnMScKCW9w
dGlvbiBtdHVfZml4ICcxJwoJb3B0aW9uIG5ldHdvcmsgJ2dlMDAgd2FuNicKCmNvbmZpZyB6b25l
CglvcHRpb24gaW5wdXQgJ0FDQ0VQVCcKCW9wdGlvbiBmb3J3YXJkICdBQ0NFUFQnCglvcHRpb24g
b3V0cHV0ICdBQ0NFUFQnCglvcHRpb24gbmFtZSAnbGFuJwoJb3B0aW9uIGRldmljZSAncysnCgpj
b25maWcgZm9yd2FyZGluZwoJb3B0aW9uIGRlc3QgJ3dhbicKCW9wdGlvbiBzcmMgJ2xhbicKCmNv
bmZpZyB6b25lCglvcHRpb24gaW5wdXQgJ1JFSkVDVCcKCW9wdGlvbiBvdXRwdXQgJ0FDQ0VQVCcK
CW9wdGlvbiBuYW1lICdndWVzdCcKCW9wdGlvbiBmb3J3YXJkICdBQ0NFUFQnCglvcHRpb24gZGV2
aWNlICdndysnCgpjb25maWcgZm9yd2FyZGluZwoJb3B0aW9uIGRlc3QgJ3dhbicKCW9wdGlvbiBz
cmMgJ2d1ZXN0JwoKY29uZmlnIHJ1bGUKICAgICAgICBvcHRpb24gc3JjICAgICAgd2FuCiAgICAg
ICAgb3B0aW9uIHByb3RvICAgIDQxCiAgICAgICAgb3B0aW9uIHRhcmdldCAgIEFDQ0VQVAogICAg
ICAgIG9wdGlvbiBuYW1lICc2VE80JwoKY29uZmlnIHJ1bGUKCW9wdGlvbiB0YXJnZXQgJ0FDQ0VQ
VCcKCW9wdGlvbiBwcm90byAndGNwIHVkcCcKCW9wdGlvbiBkZXN0X3BvcnQgJzUzJwoJb3B0aW9u
IG5hbWUgJ0ROUy1HVUVTVCcKCW9wdGlvbiBzcmMgJ2d1ZXN0JwoKY29uZmlnIHJ1bGUKCW9wdGlv
biB0YXJnZXQgJ0FDQ0VQVCcKCW9wdGlvbiBwcm90byAndWRwJwoJb3B0aW9uIGRlc3RfcG9ydCAn
MTIzJwoJb3B0aW9uIG5hbWUgJ05UUC1HVUVTVCcKCW9wdGlvbiBzcmMgJ2d1ZXN0JwoKY29uZmln
IHJ1bGUKCW9wdGlvbiB0YXJnZXQgJ0FDQ0VQVCcKCW9wdGlvbiBmYW1pbHkgJ2lwdjQnCglvcHRp
b24gcHJvdG8gJ3VkcCcKCW9wdGlvbiBkZXN0X3BvcnQgJzY4JwoJb3B0aW9uIHNyYyAnZ3Vlc3Qn
CglvcHRpb24gbmFtZSAnREhDUHY0LUdVRVNUJwoKY29uZmlnIHJ1bGUKCW9wdGlvbiB0YXJnZXQg
J0FDQ0VQVCcKCW9wdGlvbiBmYW1pbHkgJ2lwdjQnCglvcHRpb24gcHJvdG8gJ3VkcCcKCW9wdGlv
biBkZXN0X3BvcnQgJzY4JwoJb3B0aW9uIHNyYyAnd2FuJwoJb3B0aW9uIG5hbWUgJ0RIQ1B2NC1X
QU4nCgpjb25maWcgcnVsZQoJb3B0aW9uIHNyYyAnd2FuJwoJb3B0aW9uIHByb3RvICd1ZHAnCglv
cHRpb24gc3JjX2lwICdmZTgwOjovMTAnCglvcHRpb24gc3JjX3BvcnQgJzU0NycKCW9wdGlvbiBk
ZXN0X2lwICdmZTgwOjovMTAnCglvcHRpb24gZGVzdF9wb3J0ICc1NDYnCglvcHRpb24gZmFtaWx5
ICdpcHY2JwoJb3B0aW9uIHRhcmdldCAnQUNDRVBUJwoJb3B0aW9uIG5hbWUgJ0RIQ1B2Ni1XQU4n
Cgpjb25maWcgcnVsZQoJb3B0aW9uIHNyYyAnZ3Vlc3QnCglvcHRpb24gcHJvdG8gJ3VkcCcKCW9w
dGlvbiBzcmNfaXAgJ2ZlODA6Oi8xMCcKCW9wdGlvbiBzcmNfcG9ydCAnNTQ3JwoJb3B0aW9uIGRl
c3RfaXAgJ2ZlODA6Oi8xMCcKCW9wdGlvbiBkZXN0X3BvcnQgJzU0NicKCW9wdGlvbiBmYW1pbHkg
J2lwdjYnCglvcHRpb24gdGFyZ2V0ICdBQ0NFUFQnCglvcHRpb24gbmFtZSAnREhDUHY2LUdVRVNU
JwoKY29uZmlnIGluY2x1ZGUKCW9wdGlvbiBwYXRoICcvZXRjL2ZpcmV3YWxsLnVzZXInCgpjb25m
aWcgcnVsZQoJb3B0aW9uIG5hbWUgJ0lDTVB2Ni1XQU4nCglvcHRpb24gc3JjICd3YW4nCglvcHRp
b24gcHJvdG8gJ2ljbXAnCglsaXN0IGljbXBfdHlwZSAnZWNoby1yZXF1ZXN0JwoJbGlzdCBpY21w
X3R5cGUgJ2VjaG8tcmVwbHknCglsaXN0IGljbXBfdHlwZSAnZGVzdGluYXRpb24tdW5yZWFjaGFi
bGUnCglsaXN0IGljbXBfdHlwZSAncGFja2V0LXRvby1iaWcnCglsaXN0IGljbXBfdHlwZSAndGlt
ZS1leGNlZWRlZCcKCWxpc3QgaWNtcF90eXBlICdiYWQtaGVhZGVyJwoJbGlzdCBpY21wX3R5cGUg
J3Vua25vd24taGVhZGVyLXR5cGUnCglsaXN0IGljbXBfdHlwZSAncm91dGVyLXNvbGljaXRhdGlv
bicKCWxpc3QgaWNtcF90eXBlICduZWlnaGJvdXItc29saWNpdGF0aW9uJwoJbGlzdCBpY21wX3R5
cGUgJ3JvdXRlci1hZHZlcnRpc2VtZW50JwoJbGlzdCBpY21wX3R5cGUgJ25laWdoYm91ci1hZHZl
cnRpc2VtZW50JwoJb3B0aW9uIGxpbWl0ICcyMDAvc2VjJwoJb3B0aW9uIGZhbWlseSAnaXB2NicK
CW9wdGlvbiB0YXJnZXQgJ0FDQ0VQVCcKCmNvbmZpZyBydWxlCglvcHRpb24gbmFtZSAnSUNNUHY2
LUdVRVNUJwoJb3B0aW9uIHNyYyAnZ3Vlc3QnCglvcHRpb24gcHJvdG8gJ2ljbXAnCglsaXN0IGlj
bXBfdHlwZSAnZWNoby1yZXF1ZXN0JwoJbGlzdCBpY21wX3R5cGUgJ2VjaG8tcmVwbHknCglsaXN0
IGljbXBfdHlwZSAnZGVzdGluYXRpb24tdW5yZWFjaGFibGUnCglsaXN0IGljbXBfdHlwZSAncGFj
a2V0LXRvby1iaWcnCglsaXN0IGljbXBfdHlwZSAndGltZS1leGNlZWRlZCcKCWxpc3QgaWNtcF90
eXBlICdiYWQtaGVhZGVyJwoJbGlzdCBpY21wX3R5cGUgJ3Vua25vd24taGVhZGVyLXR5cGUnCgls
aXN0IGljbXBfdHlwZSAncm91dGVyLXNvbGljaXRhdGlvbicKCWxpc3QgaWNtcF90eXBlICduZWln
aGJvdXItc29saWNpdGF0aW9uJwoJbGlzdCBpY21wX3R5cGUgJ3JvdXRlci1hZHZlcnRpc2VtZW50
JwoJbGlzdCBpY21wX3R5cGUgJ25laWdoYm91ci1hZHZlcnRpc2VtZW50JwoJb3B0aW9uIGxpbWl0
ICcyMDAvc2VjJwoJb3B0aW9uIGZhbWlseSAnaXB2NicKCW9wdGlvbiB0YXJnZXQgJ0FDQ0VQVCcK
CmNvbmZpZyBydWxlCglvcHRpb24gbmFtZSAnSUNNUHY2LUZPUldBUkQnCglvcHRpb24gc3JjICd3
YW4nCglvcHRpb24gZGVzdCAnKicKCW9wdGlvbiBwcm90byAnaWNtcCcKCWxpc3QgaWNtcF90eXBl
ICdlY2hvLXJlcXVlc3QnCglsaXN0IGljbXBfdHlwZSAnZWNoby1yZXBseScKCWxpc3QgaWNtcF90
eXBlICdkZXN0aW5hdGlvbi11bnJlYWNoYWJsZScKCWxpc3QgaWNtcF90eXBlICdwYWNrZXQtdG9v
LWJpZycKCWxpc3QgaWNtcF90eXBlICd0aW1lLWV4Y2VlZGVkJwoJbGlzdCBpY21wX3R5cGUgJ2Jh
ZC1oZWFkZXInCglsaXN0IGljbXBfdHlwZSAndW5rbm93bi1oZWFkZXItdHlwZScKCW9wdGlvbiBs
aW1pdCAnMjAwL3NlYycKCW9wdGlvbiBmYW1pbHkgJ2lwdjYnCglvcHRpb24gdGFyZ2V0ICdBQ0NF
UFQnCgpjb25maWcgaW5jbHVkZSAnbWluaXVwbnBkJwoJb3B0aW9uIHR5cGUgJ3NjcmlwdCcKCW9w
dGlvbiBwYXRoICcvdXNyL3NoYXJlL21pbml1cG5wZC9maXJld2FsbC5pbmNsdWRlJwoJb3B0aW9u
IGZhbWlseSAnSVB2NCcKCW9wdGlvbiByZWxvYWQgJzEnCgo=
--047d7b3436d2d8a88b04f2ded190--