* [Cerowrt-devel] saner defaults for config/firewall
From: Vincent Frentzel @ 2014-02-20 23:25 UTC
To: cerowrt-devel

Hi everyone,

After installing ceroWRT the first thing I did was to reconfigure the firewall as shown attached. My router is used as home gateway and I wanted to lock down the device a bit.

The changes introduced are as follows:

- LAN (s+) to/from GUEST (g+) is not allowed.
- GUEST to ROUTER is restricted to DNS/DHCP/NTP.
- I've tuned the basic IPv6 rules to take the above changes into account and allow proto 41 INPUT for 6to4/6in4 tunnels.
- LAN to/from ROUTER everything is allowed.

This could be a nice default config. Feedback welcome.

[Attachment: firewall]

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option synflood_protect '1'
	option synflood_rate '200/s'
	option synflood_burst '500'
	option tcp_ecn '1'

config zone
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option network 'ge00 wan6'

config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan'
	option device 's+'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option forward 'ACCEPT'
	option device 'gw+'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option src wan
	option proto 41
	option target ACCEPT
	option name '6TO4'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'DNS-GUEST'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '123'
	option name 'NTP-GUEST'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '68'
	option src 'guest'
	option name 'DHCPv4-GUEST'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '68'
	option src 'wan'
	option name 'DHCPv4-WAN'

config rule
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option name 'DHCPv6-WAN'

config rule
	option src 'guest'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option name 'DHCPv6-GUEST'

config include
	option path '/etc/firewall.user'

config rule
	option name 'ICMPv6-WAN'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '200/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'ICMPv6-GUEST'
	option src 'guest'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '200/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'ICMPv6-FORWARD'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '200/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'IPv4'
	option reload '1'
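The policy the mail states (no LAN to/from GUEST forwarding, guest-to-router limited to DNS/DHCP/NTP, unsolicited WAN traffic dropped) can be checked mechanically against the attached UCI file rather than by eye. The script below is an added example, not part of the mail or of CeroWrt: it reads UCI syntax with a minimal parser, takes a constructed excerpt of the posted /etc/config/firewall as sample input (same values, fewer sections), and reports where the file deviates from the stated policy. One thing it flags in the excerpt is the dest_port 68 on the guest DHCP rule: DHCP requests from clients are addressed to UDP/67 on the server (RFC 2131), while 68 is the client-side port, which is what the WAN rule in the attachment needs because there the router is the DHCP client. The names parse_uci, audit and GUEST_ALLOWED_PORTS are the example's own.

```python
"""Check a UCI firewall file against the policy stated in the mail above.
Added example, not part of the original post or of CeroWrt."""

import shlex

# Constructed excerpt of the posted /etc/config/firewall, used as sample input.
FIREWALL = """
config zone
	option name 'wan'
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option device 's+'

config zone
	option name 'guest'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option device 'gw+'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'DNS-GUEST'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'DHCPv4-GUEST'
	option src 'guest'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
"""

# Router services a guest client may reach: DNS, the DHCP server port, NTP.
GUEST_ALLOWED_PORTS = {'53', '67', '123'}


def parse_uci(text):
    """Minimal UCI reader: a list of sections, each {'type', 'options', 'lists'}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = shlex.split(line)  # handles the '...' quoting UCI uses
        if tokens[0] == 'config':
            sections.append({'type': tokens[1], 'options': {}, 'lists': {}})
        elif tokens[0] == 'option' and sections:
            sections[-1]['options'][tokens[1]] = tokens[2] if len(tokens) > 2 else ''
        elif tokens[0] == 'list' and sections:
            sections[-1]['lists'].setdefault(tokens[1], []).append(tokens[2])
    return sections


def audit(text):
    """Return a list of findings; an empty list means the file matches the policy."""
    sections = parse_uci(text)
    zones = {s['options'].get('name'): s['options'] for s in sections if s['type'] == 'zone'}
    forwardings = {(s['options'].get('src'), s['options'].get('dest'))
                   for s in sections if s['type'] == 'forwarding'}
    rules = [s['options'] for s in sections if s['type'] == 'rule']
    findings = []
    # 1. LAN and GUEST must not be forwarded to each other in either direction.
    for pair in (('lan', 'guest'), ('guest', 'lan')):
        if pair in forwardings:
            findings.append('forwarding %s -> %s is allowed' % pair)
    # 2. Unsolicited traffic from the internet must be dropped.
    wan = zones.get('wan', {})
    for chain in ('input', 'forward'):
        if wan.get(chain) not in ('DROP', 'REJECT'):
            findings.append('wan zone %s is %s, expected DROP' % (chain, wan.get(chain)))
    # 3. Guest clients reach the router only through explicit rules.
    if zones.get('guest', {}).get('input') == 'ACCEPT':
        findings.append('guest zone input is ACCEPT; all router services are exposed to guests')
    # 4. Ports opened guest->router. A rule with no dest zone targets the router
    #    itself; fw3 treats a rule without a target as DROP.
    opened = {}
    for r in rules:
        if r.get('src') != 'guest' or r.get('target', 'DROP') != 'ACCEPT' or r.get('dest'):
            continue
        for port in r.get('dest_port', '').split():
            opened[port] = r.get('name', '?')
    for port, name in sorted(opened.items()):
        if port == '68':  # RFC 2131: clients send to UDP/67; 68 is the client port
            findings.append('rule %s accepts UDP/68 from guest, but DHCP requests arrive on UDP/67' % name)
        elif port not in GUEST_ALLOWED_PORTS:
            findings.append('rule %s opens port %s from guest, outside DNS/DHCP/NTP' % (name, port))
    if '67' not in opened:
        findings.append('no rule admits DHCP requests (UDP/67) from guest')
    return findings


if __name__ == '__main__':
    for finding in audit(FIREWALL) or ['no findings']:
        print(finding)
```

Running it on the real file is a matter of `audit(open('/etc/config/firewall').read())`; the ICMPv6 and proto-41 rules in the attachment carry no dest_port, so they pass through check 4 untouched, and the full DHCPv6 guest rule (dest_port 546, the DHCPv6 client port) would be reported the same way as the IPv4 one.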
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Dave Taht @ 2014-02-23 17:21 UTC
To: Vincent Frentzel; Cc: cerowrt-devel

On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
> Hi everyone,
>
> After installing ceroWRT the first thing I did was to reconfigure the
> firewall as shown attached. My router is used as home gateway and I wanted
> to lock down the device a bit.
>
> The changes introduced are as follows:
>
> - LAN (s+) to/from GUEST (g+) is not allowed.
> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.

I note that even dns is a problem in terms of leaking information about your network, so is mdns.

The "g+" convention can simplify access to the internet in the rules too.

There are also potential problems in enabling the polipo proxy.

Note that the mesh networking interfaces are also "g", and there is something of a conflict between allowing the mesh network and guest access.

I used to solve this somewhat with the babel authentication extensions.

http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html

At the moment that code had landed in the quagga branch of babel, not babel itself.

> - I've tuned the basic IPv6 rules to take the above changes into account
> and allow proto 41 INPUT for 6to4/6in4 tunnels.
> - LAN to/from ROUTER everything is allowed.
>
> This could be a nice default config.
>
> Feedback welcome.

After getting the last release out I took a break from email, and didn't get to this.

There are certainly conflicting desires for how to do firewalling. Historically we run fairly open by default due to cerowrt's origin as a research project.

In the case where we want to open the network somewhat to house guests, being able to have reasonably secure (ssh and printing) protocols open to them is a help.

In the case where I want to share my network with the neighborhood, locking things down as per the above makes more sense. I'd argue for even stronger measures, actually, something that an org like openwireless.org could recommend so that people can feel safe in sharing their wifi again.

I think we should put up alternate configs like this somewhere on the wiki, or in a git tree...

I have a few other desirable configs on the list.

-1) gui support for the + syntax would be good.

0) I really, really, really want bcp38 support, using ipset. I wouldn't mind a complete switch to ipset for a variety of things, but some benchmarking along the way would be good to compare the existing schemes.

One problem I've run into in turning on bcp38 by default is dealing with double nat on the dhcp'd interfaces.

1) a more "normal", bridged implementation more like people are used to.

2) vlan support (I've never managed to make vlans work with babel, btw)

3) ?

> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: J. Daniel Ashton @ 2014-02-23 19:10 UTC
Cc: cerowrt-devel

While you're looking at things that ought to be in the default configuration (or in "a" default configuration, perhaps available on the wiki), there are two use-cases that I would like to see work better out of the box:

1. mDNS sharing across non-guest segments: my wife on Wi-Fi, I on Ethernet, should be able to see each other's iTunes libraries and the mDNS-advertised printer.

2. Google's new Chromecast device usable from all non-guest segments: it has no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on Wi-Fi at 5Mhz, and my desktop on Ethernet. Both tablet and desktop should be able to see the Chromecast and control it.

I really like the CeroWrt approach to network segmentation: I felt like I was learning best practices as I read up on what you chose to do. But the above use cases seem to be problematic with this approach.

On 2/23/14, 12:21 PM, Dave Taht wrote:
> [...]

--
Daniel Ashton   PGP key available   http://Daniel.AshtonFam.org
mailto:Daniel@AshtonFam.org   http://ChamberMusicWeekend.org
AIM: FirstFiddl   ICQ# 9445142   http://MDMusic.org
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Vincent Frentzel @ 2014-02-24 8:07 UTC
To: J. Daniel Ashton; Cc: cerowrt-devel

> 1) a more "normal", bridged implementation more like people are used to.

Regarding this scenario: I tried to revert cerowrt to a bridged setup and ended up with a completely broken system.

I bridged the interfaces as follows: eth0.1 + sw10 + sw00. Connecting over wifi worked fine except that cabled hosts could not be pinged. Connecting over ethernet didn't work at all (no DHCP received, cannot ping router with manually assigned IP).

Was something related to bridges removed in cerowrt?

The config I used works fine on Barrier Breaker.
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Sebastian Moeller @ 2014-02-24 9:29 UTC
To: Vincent Frentzel; Cc: cerowrt-devel

Hi Vincent,

On Feb 24, 2014, at 09:07 , Vincent Frentzel <zcecc22@c3r.es> wrote:

>> 1) a more "normal", bridged implementation more like people are used to.
>
> Regarding this scenario: I tried to revert cerowrt to a bridged setup and ended up with a completely broken system.
>
> I bridged the interfaces as follows: eth0.1 + sw10 + sw00. Connecting over wifi worked fine except that cabled hosts could not be pinged. Connecting over ethernet didn't work at all (no DHCP received, cannot ping router with manually assigned IP).

I could be totally out for lunch here, but shouldn't that be se00 (secure ethernet) instead of eth0.1? At least on 3.10.28-14 neither "ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post both of these (so the result of calling ifconfig on a terminal on the router and the content of /etc/config/network ;)? I am sure you know what I meant, just dying to be verbose for the sake of people stumbling over the archive of the mailing list.

> Was something related to bridges removed in cerowrt?
>
> The config I used works fine on Barrier Breaker.

best regards
	Sebastian
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Vincent Frentzel @ 2014-02-24 10:05 UTC
To: Sebastian Moeller; Cc: cerowrt-devel

> I could be totally out for lunch here, but shouldn't that be se00
> (secure ethernet) instead of eth0.1? At least on 3.10.28-14 neither
> "ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post
> both of these (so the result of calling ifconfig on a terminal on the
> router and the content of /etc/config/network ;)? I am sure you know what I
> meant, just dying to be verbose for the sake of people stumbling over the
> archive of the mailing list.

Hi Sebastian,

Understood. I will come back to you with the ifconfig.

For info, I did try both se00 and eth0.1. The reason I stuck with eth0.1 was that barrier breaker usually uses eth0.1 for br-lan with vlan enabled (eth0.1 appears in Luci in cerowrt). So in cero I just reenabled the vlan and used a type "bridge" on the network section (I renamed this section se99 instead of se00).

I then added se99 to the "lan" zone of the firewall. In the wireless config I specified network as "se99" instead of sw10 and sw00. I confirmed that the setup was correct in the web interface where eth0.1, sw00 and sw10 appeared under the new bridged interface (there was the nice icon with the iface in brackets).

I went on to modify the dhcp config of se00 and changed se00 occurrences for se99 and commented out entries for sw10/sw00. --> this would give me dhcp running on my new bridge.

After a dnsmasq restart dnsmasq.conf shows the dhcp ranges line with interface se99. (I was expecting to see br-se99 but maybe that file is alias aware, could be wrong here).

After a network restart I lost connectivity on cable. Wireless was working.

I played a tad more and eventually lost wifi as well and had to reflash the router via tftp/factory image (maybe there is a reset trick you could give me to avoid this step).

Are you running cerowrt in bridge mode? If yes could you share your network/firewall/dhcp config? Is there another file I should have edited and missed?

Cheers,
V
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Fred Stratton @ 2014-02-24 10:18 UTC
To: Vincent Frentzel, Sebastian Moeller, cerowrt-devel

I suggest you read the cero wiki. This details the original design decisions. On the router, ssh in, and use

	mtd -r erase fs_data

to recover to defaults. See

http://wiki.openwrt.org/doc/techref/mtd

If you ever have used BB daily builds, you can type this in your sleep.

On 24/02/14 10:05, Vincent Frentzel wrote:
> [...]
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Fred Stratton @ 2014-02-24 11:03 UTC
To: Vincent Frentzel, Sebastian Moeller, cerowrt-devel

So much for memory.

	mtd -r erase rootfs_data

is the correct invocation.

On 24/02/14 10:18, Fred Stratton wrote:
> I suggest you read the cero wiki. This details the original design
> decisions. On the router, ssh in, and use
>
> mtd -r erase fs_data
>
> to recover to defaults. See
>
> http://wiki.openwrt.org/doc/techref/mtd
>
> If you ever have used BB daily builds, you can type this in your sleep.
>
> On 24/02/14 10:05, Vincent Frentzel wrote:
>> [...]
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Vincent Frentzel @ 2014-02-24 11:35 UTC
To: Fred Stratton; Cc: cerowrt-devel

I am familiar with that command :) Was wondering if there was something I could do when I cannot ssh into the router. As mentioned above, when trying to configure the bridge I hit a point where I couldn't get in the router anymore.

I understand the design decisions of the project and far from me the idea of challenging them :) I was simply trying to provide an alternative config with a standard bridge ethernet + wifi for reference. I believe that in the case mentioned by Sebastian (multiple, mobile, devices accessing resources across segments) bridging is a simple way forward.

In my particular case, correct route propagation is a problem on IPv6 (I'm not running babel) and I have only 2 wifi clients... Bridging has never shown any perf issues in the past so I'd like to switch back to this simpler setup. I can picture that this might not fit the bill for more intensive use cases.

On Mon, Feb 24, 2014 at 12:03 PM, Fred Stratton <fredstratton@imap.cc> wrote:
> So much for memory.
>
> mtd -r erase rootfs_data
>
> is the correct invocation.
>
> [...]
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Fred Stratton @ 2014-02-24 12:45 UTC
To: Vincent Frentzel, Sebastian Moeller, cerowrt-devel

There are no button presses to bring the box back, as you can with some TP-Link routers.

You could use a serial lead if you opened the case. No one has mentioned trying this with cero on the list.

So far, all bridging attempts with cero have been unproductive. However sound the theoretical approach, they have not worked in practice.

As you would expect, subnetting a /48 works. DT has got subnetting working with a /60 in the last 2 weeks. That is the current state of play.

6relayd on OpenWRT is very difficult to configure. dnsmasq tends to be simpler. Perhaps Kelley has something to say about configuration with, say, a /64 provided by free.fr. I know of only one ISP which provides a /48 to customers.

On 24/02/14 11:35, Vincent Frentzel wrote:
> I am familiar with that command :) Was wondering if there was
> something I could do when I cannot ssh into the router. As mentioned
> above, when trying to configure the bridge I hit a point where I
> couldn't get in the router anymore.
>
> [...]
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Robert Bradley @ 2014-02-24 12:54 UTC
To: cerowrt-devel

On 24/02/2014 12:45, Fred Stratton wrote:
> There are no button presses to bring the box back, as you can with some TP-Link routers.
>
> You could use a serial lead if you opened the case. No one has mentioned trying this with cero on the list.
>

In my experience, reflashing via TFTP tends to work well in terms of resetting the configuration.

As an aside, I've noticed that occasionally I get an "enable_vlan4k" sneaking into /etc/config/network if I've looked at the vlan page. If that happens, the wired LAN breaks. Perhaps it's worth checking that first via the wireless link?

--
Robert Bradley
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Vincent Frentzel @ 2014-02-24 13:05 UTC
To: Robert Bradley; +Cc: cerowrt-devel

Thanks Robert.

I indeed had enable_vlan4k in the network. Will definitely try to remove this. When you enable the vlan do you use the eth0.1, eth0.2, etc.. stanza for the interface or se00? Is se00 an alias for eth0.1?

On Mon, Feb 24, 2014 at 1:54 PM, Robert Bradley <robert.bradley1@gmail.com> wrote:
> On 24/02/2014 12:45, Fred Stratton wrote:
>
> There are no button presses to bring the box back, as you can with some TP-Link routers.
>
> You could use a serial lead if you opened the case. No one has mentioned trying this with cero on the list.
>
> In my experience, reflashing via TFTP tends to work well in terms of resetting the configuration.
>
> As an aside, I've noticed that occasionally I get an "enable_vlan4k" sneaking into /etc/config/network if I've looked at the vlan page. If that happens, the wired LAN breaks. Perhaps it's worth checking that first via the wireless link?
>
> --
> Robert Bradley
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Robert Bradley @ 2014-02-24 13:48 UTC
To: Vincent Frentzel; +Cc: cerowrt-devel

On 24/02/2014 13:05, Vincent Frentzel wrote:
> Thanks Robert.
>
> I indeed had enable_vlan4k in the network. Will definitely try to remove this. When you enable the vlan do you use the eth0.1, eth0.2, etc.. stanza for the interface or se00? Is se00 an alias for eth0.1?
>

I'm open to corrections, but from what I have seen here the se00 interface in Luci maps to a physical se00 interface by default. That interface receives vlan tagged packets from the embedded switch which then appear untagged on eth0.x. With VLANs enabled you'd remap the Luci "se00" from the raw se00 Ethernet interface to eth0.1 via the "Physical Settings" tab for vlan 1 and create new interfaces in Luci for your new vlans.

--
Robert Bradley
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Sebastian Moeller @ 2014-02-24 13:35 UTC
To: Vincent Frentzel; +Cc: cerowrt-devel

Hi Vincent,

On Feb 24, 2014, at 12:35 , Vincent Frentzel <zcecc22@c3r.es> wrote:

> I am familiar with that command :) Was wondering if there was something I could do when I cannot ssh into the router. As mentioned above, when trying to configure the bridge I hit a point where I couldn't get in the router anymore.
>
> I understand the design decisions of the project and far from me the idea of challenging them :) I was simply trying to provide an alternative config with a standard bridge ethernet + wifi for reference. I believe that in the case mentioned by Sebastian (multiple, mobile, devices accessing resources across segments) bridging is a simple way forward.

I agree it would be quite valuable to have a nice simple how-to for switching to bridged mode for cerowrt (just as openwrt has one for switching to routed mode)

> In my particular case, correct route propagation is a problem on IPV6 (I'm not running babel) and I have only 2 wifi clients…

I have similar issues, as secondary router cerowrt gets a working /64 address for itself and ping6 and friends work, and all downstream interfaces get valid ip6 addresses from the primary router's /56, but none of them gets a working (default-)route (and that only after switching ra and dhcp from server to hybrids in /etc/dhcp). Since I do not need ip6 for anything yet that is a low priority issue for me though (and nothing that would make me abandon routing).

best regards
Sebastian

> Bridging has never shown any perf issues in the past so I'd like to switch back to this simpler setup. I can picture that this might not fit the bill for more intensive use cases.
>
> On Mon, Feb 24, 2014 at 12:03 PM, Fred Stratton <fredstratton@imap.cc> wrote:
> So much for memory
>
> mtd -r erase rootfs_data
>
> is the correct invocation.
>
> On 24/02/14 10:18, Fred Stratton wrote:
>> I suggest you read the cero wiki. This details the original design decisions. On the router,
>>
>> ssh in, and use
>>
>> mtd -r erase fs_data
>>
>> to recover to defaults. See
>>
>> http://wiki.openwrt.org/doc/techref/mtd
>>
>> If you ever have used BB daily builds, you can type this in your sleep.
>>
>> On 24/02/14 10:05, Vincent Frentzel wrote:
>>> I could be totally out for lunch here, but shouldn't that be se00 (secure ethernet) instead of eth0.1? At least on 3.10.28-14 neither "ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post both of these (so the result of calling ifconfig on a terminal on the router and the content of /etc/config/network ;), I am sure you know what I meant, just dying to be verbose for the sake of people stumbling over the archive of the mailing list)
>>>
>>> Hi Sebastian,
>>>
>>> Understood. I will come back to you with the ifconfig.
>>>
>>> For info, I did try both se00 and eth0.1. The reason I stuck with eth0.1 was that barrier breaker usually uses eth0.1 for br-lan with vlan enabled (eth0.1 appears in Luci in cerowrt). So in cero I just reenabled the vlan and used a type "bridge" on the network section (I renamed this section se99 instead of se00).
>>>
>>> I then added se99 to the "lan" zone of the firewall. In the wireless config I specified network as "se99" instead of sw10 and sw00. I confirmed that the setup was correct in the web interface where eth0.1 sw00 and sw10 appeared under the new bridged interface (there was the nice icon with the iface in brackets).
>>>
>>> I went on to modify the dhcp config of se00 and changed se00 occurrences for se99 and commented out entries for sw10/sw00. --> this would give me dhcp running on my new bridge.
>>>
>>> After a dnsmasq restart dnsmasq.conf shows the dhcp ranges line with interface se99. (I was expecting to see br-se99 but maybe that file is alias aware, could be wrong here).
>>>
>>> After a network restart I lost connectivity on cable. Wireless was working.
>>>
>>> I played a tad more and eventually lost wifi as well and had to reflash the router via tftp/factory image (maybe there is a reset trick you could give me to avoid this step).
>>>
>>> Are you running cerowrt in bridge mode? If yes could you share your network/firewall/dhcp config? Is there another file I should have edited and missed?
>>>
>>> Cheers,
>>> V
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Sebastian Moeller @ 2014-02-24 13:29 UTC
To: Vincent Frentzel; +Cc: cerowrt-devel

Hi Vincent,

On Feb 24, 2014, at 11:05 , Vincent Frentzel <zcecc22@c3r.es> wrote:

> I could be totally out for lunch here, but shouldn't that be se00 (secure ethernet) instead of eth0.1? At least on 3.10.28-14 neither "ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post both of these (so the result of calling ifconfig on a terminal on the router and the content of /etc/config/network ;), I am sure you know what I meant, just dying to be verbose for the sake of people stumbling over the archive of the mailing list)
>
> Hi Sebastian,
>
> Understood. I will come back to you with the ifconfig.
>
> For info, I did try both se00 and eth0.1.

Ah, okay, so I was out for lunch then ;)

> The reason I stuck with eth0.1 was that barrier breaker usually uses eth0.1 for br-lan with vlan enabled (eth0.1 appears in Luci in cerowrt).

Why do you need vlan at all for bridging (honest question, I really do not know whether that is a requirement in current openwrt or not)?

> So in cero I just reenabled the vlan and used a type "bridge" on the network section (I renamed this section se99 instead of se00).
>
> I then added se99 to the "lan" zone of the firewall. In the wireless config I specified network as "se99" instead of sw10 and sw00. I confirmed that the setup was correct in the web interface where eth0.1 sw00 and sw10 appeared under the new bridged interface (there was the nice icon with the iface in brackets).
>
> I went on to modify the dhcp config of se00 and changed se00 occurrences for se99 and commented out entries for sw10/sw00. --> this would give me dhcp running on my new bridge.
>
> After a dnsmasq restart dnsmasq.conf shows the dhcp ranges line with interface se99. (I was expecting to see br-se99 but maybe that file is alias aware, could be wrong here).
>
> After a network restart I lost connectivity on cable. Wireless was working.

Did you confirm that both radios are bridged now?

> I played a tad more and eventually lost wifi as well and had to reflash the router via tftp/factory image (maybe there is a reset trick you could give me to avoid this step).

Caveat, I am a simple cerowrt user, so don't expect too much; I have found no alternative to the tftp method if the router can not be reached over any of the interfaces anymore.

> Are you running cerowrt in bridge mode?

No, I stick to the default routed mode. I fully bought not Dave's reasoning here and hope that we end up being able to make all essential services work over routing ;) (At home I have a smb-server on the wired segment and two notebooks that occasionally want to reach that server, running samba server on the router is sufficient for name resolution to work, mind you the notebooks are both macs so I have no idea whether that would work with windows clients...)

> If yes could you share your network/firewall/dhcp config? Is there another file I should have edited and missed?

Sorry, I have no idea.

Best Regards
Sebastian

> Cheers,
> V
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: Dave Taht @ 2014-02-24 16:24 UTC
To: J. Daniel Ashton; +Cc: cerowrt-devel

On Sun, Feb 23, 2014 at 2:10 PM, J. Daniel Ashton <jdashton@ashtonfam.org> wrote:
>
> While you're looking at things that ought to be in the default configuration (or in "a" default configuration, perhaps available on the wiki), there are two use-cases that I would like to see work better out of the box:
>
> mDNS sharing across non-guest segments: my wife on Wi-Fi, I on Ethernet, should be able to see each other's iTunes libraries and the mDNS-advertised printer.
> Google's new Chromecast device useable from all non-guest segments: it has no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on Wi-Fi at 5Mhz, and my desktop on Ethernet. Both tablet and desktop should be able to see the Chromecast and control it.
>
> I really like the CeroWrt approach to network segmentation: I felt like I was learning best practices as I read up on what you chose to do. But the above use cases seem to be problematic with this approach.

It was a fortuitous historical accident. We needed to be able to look at 2.4ghz, 5ghz and ethernet traffic separately, so we broke apart the bridging everybody else does. Just to be able to do tcpdumps and see what the heck was going on....

Solutions to a lot of problems fell out. Multicast became less of a problem in particular, we were able to see clearly a bunch of wireless g vs n behaviors, wireless worked better in general, we were able to debug different aspects of different radios, etc. and see the effects of double nat and of bridging multiple broadcast domains together even on a small scale in the home...

And (Sigh) the existing problems that bridging everything had worked around became more acute and interesting. We ended up giving some fresh love to routing protocols, coming up with schemes to distribute and route ipv6 prefixes instead of bridging them, and finding the most annoying "features" of others like mdns and ssdp and upnp.

In terms of fixing mdns, there is a new set of RFCs and work going on to make it work better over routed networks. A whole ietf wg, actually. Some drafts:

http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-01
http://tools.ietf.org/html/draft-stenberg-homenet-dnssd-hybrid-proxy-zeroconf-00

(fixing mdns is certainly important in larger networks, the core requests are coming from colleges)

As for the chromecast I don't know how it presently announces its services, but if it's mdns, the above stuff will fix it I hope. Eventually. Some code for this now exists, but it's pretty raw...

> On 2/23/14, 12:21 PM, Dave Taht wrote:
>
> On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
>
> Hi everyone,
>
> After installing ceroWRT the first thing I did was to reconfigure the firewall as shown attached. My router is used as home gateway and I wanted to lock down the device a bit.
>
> The changes introduced are as follows:
>
> - LAN (s+) to/from GUEST (g+) is not allowed.
> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.
>
> I note that even dns is a problem in terms of leaking information about your network, so is mdns.
>
> the "g+" convention can simplify access to the internet in the rules too.
>
> There are also potential problems in enabling the polipo proxy.
>
> Note that the mesh networking interfaces are also "g", and there is something of a conflict between allowing the mesh network and guest access.
>
> I used to solve this somewhat with the babel authentication extensions.
>
> http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
>
> at the moment that code had landed in the quagga branch of babel, not babel itself.
>
> - I've tuned the basic IPV6 rules to take the above changes into account and allow proto 41 INPUT for 6to/in4 tunnels.
> - LAN to/from ROUTER everything is allowed.
>
> This could be a nice default config.
>
> Feedback welcome.
>
> After getting the last release out I took a break from email, and didn't get to this.
>
> There are certainly conflicting desires for how to do firewalling. Historically we run fairly open by default due to cerowrt's origin as a research project.
>
> In the case where we want to open the network somewhat to house guests, being able to have reasonably secure (ssh and printing) protocols open to them is a help.
>
> In the case where I want to share my network with the neighborhood, locking things down as per the above makes more sense. I'd argue for even stronger measures, actually, something that an org like openwireless.org could recommend so that people can feel safe in sharing their wifi again.
>
> I think we should put up alternate configs like this somewhere on the wiki, or in a git tree...
>
> I have a few other desirable configs on the list.
>
> -1) gui support for the + syntax would be good.
>
> 0) I really, really, really want bcp38 support, using ipset. I wouldn't mind a complete switch to ipset for a variety of things, but some benchmarking along the way would be good to compare the existing schemes
>
> one problem I've run into in turning on bcp38 by default is dealing with double nat on the dhcp'd interfaces.
>
> 1) a more "normal", bridged implementation more like people are used to.
>
> 2) vlan support (I've never managed to make vlans work with babel, btw)
>
> 3) ?
>
> --
> Daniel Ashton PGP key available http://Daniel.AshtonFam.org
> mailto:Daniel@AshtonFam.org http://ChamberMusicWeekend.org
> AIM: FirstFiddl ICQ# 9445142 http://MDMusic.org

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
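The policy Dave is responding to above (LAN and GUEST must not forward to each other, GUEST may reach the router only for DNS, DHCP and NTP, LAN may reach the router for everything, with zones keyed off the "s+" and "g+" device wildcards) is short to state but easy to get subtly wrong in /etc/config/firewall, and Dave's note that the mesh interfaces are also "g" is exactly the kind of side effect a wildcard hides. The following is an added example, not code from the thread, from CeroWrt or from OpenWrt: a small Python lint that parses UCI firewall syntax and evaluates those claims against a constructed sample config written in the same style. The sample config, the interface name gmesh0 used to illustrate the "g+" conflict, and the evaluation order (a matching rule first, then a "config forwarding" entry, then the zone or global policy) and the tcp+udp default for rules without a proto, which are how OpenWrt's fw3 behaves as far as I know, are all assumptions of this example rather than anything the thread states.

```python
"""Added example, not code from the thread, CeroWrt or OpenWrt: a lint for
/etc/config/firewall that evaluates the guest-isolation policy discussed
above.  The sample config and all interface names in it are constructed."""
import shlex

SAMPLE_FIREWALL = """
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'wan'
    option input 'DROP'
config zone
    option name 'lan'
    option device 's+'
    option input 'ACCEPT'
config zone
    option name 'guest'
    option device 'g+'
    option input 'REJECT'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option src 'guest'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option src 'guest'
    option proto 'udp'
    option dest_port '67 123'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI 'config/option/list' statements into a list of dicts."""
    sections = []
    for parts in (shlex.split(line, comments=True) for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == 'config':
            sections.append({'.type': parts[1]})
        elif parts[0] == 'option':
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == 'list':
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections

def find(sections, stype, **match):
    """First section of type `stype` whose options equal `match`, else None."""
    return next((s for s in sections if s['.type'] == stype
                 and all(s.get(k) == v for k, v in match.items())), None)

def zone_for_device(sections, ifname):
    """Zone 'device' entries use the iptables '+' suffix wildcard: 'g+' claims
    every interface whose name starts with g, a mesh interface included."""
    for sec in sections:
        if sec['.type'] == 'zone':
            for pat in sec.get('device', '').split():
                if pat == ifname or (pat.endswith('+') and ifname.startswith(pat[:-1])):
                    return sec['name']
    return None

def rule_matches(rule, proto, port):
    # Assumed fw3 semantics: no 'proto' means tcp and udp; 'dest_port' is a
    # space-separated list of port numbers or 'lo-hi' ranges.
    if proto not in rule.get('proto', 'tcp udp').split():
        return False
    if 'dest_port' not in rule:
        return True
    for item in rule['dest_port'].split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def input_verdict(sections, zone, proto, port):
    """Zone -> router: first matching rule with src and no dest, else zone input policy."""
    for r in sections:
        if (r['.type'] == 'rule' and r.get('src') == zone and 'dest' not in r
                and rule_matches(r, proto, port)):
            return r.get('target', 'DROP')
    return find(sections, 'zone', name=zone).get('input', find(sections, 'defaults')['input'])

def forward_verdict(sections, src, dest, proto, port):
    """Zone -> zone: a src+dest rule wins, then a 'config forwarding' entry, else
    the global forward policy (a zone's own 'forward' option is intra-zone only)."""
    for r in sections:
        if (r['.type'] == 'rule' and r.get('src') == src and r.get('dest') == dest
                and rule_matches(r, proto, port)):
            return r.get('target', 'DROP')
    if find(sections, 'forwarding', src=src, dest=dest):
        return 'ACCEPT'
    return find(sections, 'defaults')['forward']

def check_guest_isolation(sections):
    """The thread's stated policy as claims, True when the config upholds them."""
    fwd = lambda a, b: forward_verdict(sections, a, b, 'tcp', 445)  # e.g. SMB
    inp = lambda zone, proto, port: input_verdict(sections, zone, proto, port)
    return {
        'lan<->guest blocked': 'ACCEPT' not in {fwd('guest', 'lan'), fwd('lan', 'guest')},
        'guest->wan allowed': fwd('guest', 'wan') == 'ACCEPT',
        'guest->router dns/ntp/dhcp only': all(inp('guest', 'udp', p) == 'ACCEPT' for p in (53, 123, 67))
                                           and inp('guest', 'tcp', 22) != 'ACCEPT',
        'lan->router everything': inp('lan', 'tcp', 22) == 'ACCEPT',
    }
```

Running `check_guest_isolation(parse_uci(SAMPLE_FIREWALL))` returns every claim as True for the sample, while `zone_for_device(..., 'gmesh0')` returns 'guest', which is the wildcard side effect Dave describes. Two details worth noting in a real config: the DHCP rule opens the server side, udp/67, which is where a client's DHCPDISCOVER is addressed, and a zone's `forward` option does not grant inter-zone forwarding, so "guest forward ACCEPT" on its own never opens guest to lan.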
* Re: [Cerowrt-devel] saner defaults for config/firewall
From: David Lang @ 2014-03-03 19:41 UTC
To: J. Daniel Ashton; +Cc: cerowrt-devel

On Sun, 23 Feb 2014, J. Daniel Ashton wrote:

> 2. Google's new Chromecast device useable from all non-guest segments: it has no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on Wi-Fi at 5Mhz, and my desktop on Ethernet. Both tablet and desktop should be able to see the Chromecast and control it.

There is a pretty basic problem with Chromecast in that the app to configure it looks at what network the android device is on and tries to have the Chromecast connect to that same network. If you have different SSIDs for 2.4 and 5GHz and are connected to 5GHz the result is failure, even if the networks are bridged together (let alone routed)

I'll have to go back and test again, but I think I still had problems even after the initial configuration if I connected to it via the wrong network.

David Lang