From: Sebastian Moeller <moeller@caltech.edu>
To: Dave Taht <dave.taht@gmail.com>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] 3.3.2-8 and firewall
Date: Thu, 26 Apr 2012 20:02:06 -0700
Message-ID: <D2E25652-EAF0-4A7A-93F5-BD51ACB1908D@caltech.edu>
In-Reply-To: <CAA93jw4Q-k_wv3v6XCPVYO6ogWubLbQ3DGchht1S-VaFFbAy8A@mail.gmail.com>
Hi Dave,
thanks for the quick reply…
On Apr 26, 2012, at 4:20 PM, Dave Taht wrote:
> On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller <moeller@caltech.edu> wrote:
>> Hi Dave hi list,
>>
>> yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be a pretty run-of-the-mill 4M/30M cable connection, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed that this actually worked.
>
> This should be blocked from the outside world, actually. It is quite
> probable that the simple_qos script mucks with that. The mixture
> of firewall and qos/aqm rules in iptables is very complex and hard to
> deal with.
Yes, I noticed that openwrt's qos scripting is quite involved and opaque. (So I really appreciate simple_qos's readability :))
>
> Worse, I have my own firewall rules system (not in cerowrt) that is
> very permissive about what protocols can be run across ipv6 in
> particular, and across the local and guest network (examples, hip,
> sctp, igmp, ospf, ipsec, etc)
>
> ... but absolutely no way to wrap a gui around it.
>
> Noted, logged, and will be fixed in the next build.
Great!
> I care a lot about
> security. I would also like to make port 81 be https, too.
That sounds even better, then remote access might actually be a feature again :)
>
>> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So, I went and created a custom rule to reject incoming connections on port 81 from wan (and now I can not reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).
>
> It sounds like you did the right thing.
So it seems, as I can reach the configuration GUI from the secured wireless segment...
>
>> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production, if so please let me know.
>
> The openwrt qos system is obsolete in cerowrt (although I do plan to
> improve it for openwrt), in favor of the ultimate replacement with the
> 'aqm' script, of which simple_qos is a test, and which exposed bug #360.
The main reason for me to revert to qos after testing simple_qos.sh was that I did not figure out how to automatically start that script after boot-up / when the interface comes up. What is your recommendation for that?
>
> Core differences are htb rather than hfsc, much better use of sfqred,
> and support for diffserv marking.
Given the simplicity of simple_qos I will try to see whether I can create a version replacing htb by hfsc, just to see whether there is any noticeable difference. One question: for testing simple_qos.sh, can I use the script from http://www.bufferbloat.net/projects/cerowrt/wiki/Early_Test_Results that targets huchra.bufferbloat.net? Or do I need to set up my own endpoints?
>
> Regrettably we're still transitioning; I'd really hoped to have
> something solid and fully integrated with the aqm stuff by now. I
> stumble across things like basic integration with uci, and was
> originally planning to write the whole thing in lua. I still may.
I always wanted to figure out why the existing AQM GUI did not work, but never got around to actually doing it (short on time). But I do not see my time budget changing much in the future.
Best Regards & thanks for doing all the hard and tedious work to fix the internet for the rest of us…
Sebastian
>>
>> best
>> Sebastian
> --
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Sebastian Moeller
telephone: +1-626-325-8598 /+1-626-395-6523 / +1-626-395-6616
fax: 626-395-8826
German GSM: +49 - 15 77 - 1 90 31 41
mobile: +1-626-325-8598
+1-626-807-5242
US CDMA: +1-626-807-5242
moeller@caltech.edu
Division of Biology
MC 114-96
California Institute of Technology
1200 East California Boulevard
CA 91125, Pasadena
USA
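The exchange above turns on two things a practitioner would want to pin down: the firewall rule that keeps the configuration GUI (TCP/81) from answering on the wan zone, and a way to verify that the rule is really the first thing a WAN-side SYN hits after a QoS/AQM script has rewritten iptables (Dave's point that the firewall and qos rules get mixed in one ruleset). The script below is an added example, not code from this thread or from CeroWrt/OpenWrt. It assumes CeroWrt's interface names (ge00 for WAN, se00 for the wired LAN), port 81 for the GUI, the standard OpenWrt `config rule` UCI syntax, and two constructed `iptables -S` dumps standing in for the router's real output; source/destination addresses and rate-limit matches are not evaluated by the audit.

```shell
#!/bin/sh
# Added example (not from the thread, not CeroWrt/OpenWrt code).
# Part 1 prints the UCI rule that closes the hole (GUI on TCP/81 reachable from wan).
# Part 2 audits an `iptables -S` dump the way netfilter evaluates a fresh SYN from
# the WAN interface to that port, following jumps into user chains, so the rule can be
# re-checked after a QoS script has rewritten the ruleset. Interface names ge00/se00
# and port 81 are assumptions.

# Part 1: print (do not run) the uci commands; on the router: block_gui_from_wan | sh
# DROP instead of the thread's REJECT gives WAN-side scanners no answer at all;
# either target closes the hole.
block_gui_from_wan() {
    port="${1:-81}"
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Block-GUI-from-WAN'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='$port'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Part 2: first_verdict <iface> <port>, dump on stdin.
# Prints ACCEPT, DROP or REJECT, or POLICY:<INPUT policy> when no rule terminates.
# Model: new TCP SYN (state rules without NEW are skipped), arriving on <iface>,
# any source address (-s/-d ignored), to <port>. Handles "!" negation, --dports lists,
# RETURN, and jumps into chains declared with -N. LOG and unknown targets continue.
first_verdict() {
    awk -v IFACE="$1" -v PORT="$2" '
    function matches(line,    f, nf, i, neg, eq, k, np, parts) {
        nf = split(line, f, " ")
        for (i = 1; i <= nf; i++) {
            neg = (i > 1 && f[i-1] == "!")
            if (f[i] == "-i")      { eq = (f[i+1] == IFACE); if (eq == neg) return 0 }
            if (f[i] == "-p")      { eq = (f[i+1] == "tcp"); if (eq == neg) return 0 }
            if (f[i] == "--dport") { eq = (f[i+1] == PORT);  if (eq == neg) return 0 }
            if (f[i] == "--dports") {
                np = split(f[i+1], parts, ","); eq = 0
                for (k = 1; k <= np; k++) if (parts[k] == PORT) eq = 1
                if (eq == neg) return 0
            }
            if ((f[i] == "--ctstate" || f[i] == "--state") && index(f[i+1], "NEW") == 0) return 0
        }
        return 1
    }
    function target(line,    f, nf, i) {
        nf = split(line, f, " ")
        for (i = 1; i <= nf; i++) if (f[i] == "-j") return f[i+1]
        return ""
    }
    function walk(chain, depth,    i, t, r) {
        if (depth > 16) return "LOOP"
        for (i = 1; i <= n[chain]; i++) {
            if (!matches(rule[chain, i])) continue
            t = target(rule[chain, i])
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
            if (t == "RETURN") return ""
            if (t in defined) { r = walk(t, depth + 1); if (r != "") return r }
        }
        return ""   # fell off the end: back to the caller, or the policy at top level
    }
    /^-P / { policy[$2] = $3 }
    /^-N / { defined[$2] = 1 }
    /^-A / { n[$2]++; rule[$2, n[$2]] = $0 }
    END { r = walk("INPUT", 0); if (r == "") r = "POLICY:" policy["INPUT"]; print r }
    '
}

# Constructed dumps. BEFORE: a global ACCEPT for port 81 sits in INPUT ahead of the
# zone jump, so the GUI answers on every interface, wan included.
BEFORE_DUMP='-P INPUT DROP
-N zone_wan
-N reject
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -i ge00 -j zone_wan
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable'

# AFTER: the zone rule from Part 1 is in zone_wan and the zone jump precedes the
# GUI accept, so WAN traffic to 81 is dropped while LAN (se00) still reaches the GUI.
AFTER_DUMP='-P INPUT DROP
-N zone_wan
-N reject
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ge00 -j zone_wan
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A zone_wan -p tcp -m tcp --dport 81 -j DROP
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable'

for iface in ge00 se00; do
    printf 'before fix, %s -> port 81: %s\n' "$iface" "$(printf '%s\n' "$BEFORE_DUMP" | first_verdict "$iface" 81)"
    printf 'after fix,  %s -> port 81: %s\n' "$iface" "$(printf '%s\n' "$AFTER_DUMP"  | first_verdict "$iface" 81)"
done
```

On a live router the audit is `iptables -S | first_verdict ge00 81`; if it reports ACCEPT after the UCI rule is in place, something (a QoS script, /etc/firewall.user, or a rule restored before the firewall started) has put an unconditional accept ahead of the zone jump, which is exactly the failure mode a zone-level rule cannot defend against on its own.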
Thread overview: 3+ messages
2012-04-26 20:14 Sebastian Moeller
2012-04-26 23:20 ` Dave Taht
2012-04-27 3:02 ` Sebastian Moeller [this message]