* [Cerowrt-devel] 3.3.2-8 and firewall
@ 2012-04-26 20:14 Sebastian Moeller
2012-04-26 23:20 ` Dave Taht
0 siblings, 1 reply; 3+ messages in thread
From: Sebastian Moeller @ 2012-04-26 20:14 UTC (permalink / raw)
To: <cerowrt-devel@lists.bufferbloat.net>
Hi Dave hi list,
Yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run-of-the-mill 4M/30M cable, so nothing exciting to expect).

Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed that this actually worked. In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So I went and created a custom rule to reject incoming connections on port 81 from wan (and now I cannot reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).

Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production; if so, please let me know.
best
Sebastian
--
Sebastian Moeller
telephone: +1-626-325-8598 /+1-626-395-6523 / +1-626-395-6616
fax: 626-395-8826
German GSM: +49 - 15 77 - 1 90 31 41
mobile: +1-626-325-8598
+1-626-807-5242
US CDMA: +1-626-807-5242
moeller@caltech.edu
Division of Biology
MC 114-96
California Institute of Technology
1200 East California Boulevard
CA 91125, Pasadena
USA
^ permalink raw reply [flat|nested] 3+ messages in thread
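The rejection rule Sebastian describes, as an added example that is not from the original post or from CeroWrt itself. It assumes an OpenWrt-style UCI firewall config at /etc/config/firewall with the upstream zone named 'wan'; the rule name and the two shell functions are my own. The stanza sets no 'family' option, so it applies to both IPv4 and IPv6 (relevant given the IPv6 permissiveness Dave mentions below):

```shell
#!/bin/sh
# Added example (not CeroWrt's own code): append a UCI firewall rule that
# rejects connections from the wan zone to the router's configuration GUI
# on TCP/81, plus a check that such a rule is present in the config file.
# Assumptions: OpenWrt/CeroWrt UCI firewall config (default path
# /etc/config/firewall), upstream zone named 'wan'; the rule name is my own.

# Append a 'config rule' stanza to the given firewall config file.
# No 'family' option is set, so the rule covers IPv4 and IPv6 alike.
add_gui_block_rule() {
    cfg="$1"
    cat >> "$cfg" <<'EOF'

config rule
	option name 'Reject-WAN-to-GUI-81'
	option src 'wan'
	option proto 'tcp'
	option dest_port '81'
	option target 'REJECT'
EOF
}

# Return 0 if the config file contains a rule stanza with src 'wan',
# dest_port '81' and target REJECT or DROP; return 1 otherwise.
# Stanzas start at 'config ...' lines; values may be bare or single-quoted.
has_gui_block_rule() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    awk -v q="'" '
        function val(s) {
            if (substr(s, 1, 1) == q) return substr(s, 2, length(s) - 2)
            return s
        }
        function flush() { if (inrule && src && port && tgt) found = 1 }
        $1 == "config" { flush(); inrule = ($2 == "rule"); src = 0; port = 0; tgt = 0; next }
        inrule && $1 == "option" && $2 == "src"       && val($3) == "wan" { src = 1 }
        inrule && $1 == "option" && $2 == "dest_port" && val($3) == "81"  { port = 1 }
        inrule && $1 == "option" && $2 == "target" && (val($3) == "REJECT" || val($3) == "DROP") { tgt = 1 }
        END { flush(); exit (found ? 0 : 1) }
    ' "$cfg"
}
```

On the router the same stanza can be entered with uci add firewall rule / uci set ... / uci commit firewall, followed by /etc/init.d/firewall restart. Check the result with iptables -L -n and ip6tables -L -n (look for a REJECT entry with tcp dpt:81), then confirm from an outside host that port 81 no longer answers and from the LAN that the GUI still does. Rejecting the port keeps the HTTP GUI reachable only from the inside; it does not make the GUI itself any safer, which is why Dave's plan to move port 81 to https is the complementary step.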
* Re: [Cerowrt-devel] 3.3.2-8 and firewall
2012-04-26 20:14 [Cerowrt-devel] 3.3.2-8 and firewall Sebastian Moeller
@ 2012-04-26 23:20 ` Dave Taht
2012-04-27 3:02 ` Sebastian Moeller
0 siblings, 1 reply; 3+ messages in thread
From: Dave Taht @ 2012-04-26 23:20 UTC (permalink / raw)
To: Sebastian Moeller; +Cc: <cerowrt-devel@lists.bufferbloat.net>
On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller <moeller@caltech.edu> wrote:
> Hi Dave hi list,
>
> Yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run-of-the-mill 4M/30M cable, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed that this actually worked.
This should be blocked from the outside world, actually. It is quite
probable that the simple_qos script mucks with that. The mixture
of firewall and qos/aqm rules in iptables is very complex and hard to
deal with.
Worse, I have my own firewall rules system (not in cerowrt) that is
very permissive about what protocols can be run across ipv6 in
particular, and across the local and guest network (examples: hip,
sctp, igmp, ospf, ipsec, etc.)
... but absolutely no way to wrap a gui around it.
Noted, logged, and will be fixed in the next build. I care a lot about
security. I would also like to make port 81 be https, too.
> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So I went and created a custom rule to reject incoming connections on port 81 from wan (and now I cannot reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).
It sounds like you did the right thing.
> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production; if so, please let me know.
The openwrt qos system is obsolete in cerowrt (although I do plan to
improve it for openwrt), in favor of the ultimate replacement with the
'aqm' script, of which simple_qos is a test (and with which bug #360
was exposed).
Core differences are htb rather than hfsc, much better use of sfqred,
and support for diffserv marking.
Regrettably we're still transitioning; I'd really hoped to have
something solid and fully integrated with the aqm stuff by now. I
stumble across things like basic integration with uci, and was
originally planning to write the whole thing in lua. I still may.
>
> best
> Sebastian
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
* Re: [Cerowrt-devel] 3.3.2-8 and firewall
2012-04-26 23:20 ` Dave Taht
@ 2012-04-27 3:02 ` Sebastian Moeller
0 siblings, 0 replies; 3+ messages in thread
From: Sebastian Moeller @ 2012-04-27 3:02 UTC (permalink / raw)
To: Dave Taht; +Cc: <cerowrt-devel@lists.bufferbloat.net>
Hi Dave,
thanks for the quick reply…
On Apr 26, 2012, at 4:20 PM, Dave Taht wrote:
> On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller <moeller@caltech.edu> wrote:
>> Hi Dave hi list,
>>
>> Yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run-of-the-mill 4M/30M cable, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed that this actually worked.
>
> This should be blocked from the outside world, actually. It is quite
> probable that the simple_qos script mucks with that. The mixture
> of firewall and qos/aqm rules in iptables is very complex and hard to
> deal with.
Yes, I noticed that openwrt's qos scripting is quite involved and opaque. (So I really appreciate simple_qos's readability :))
>
> Worse, I have my own firewall rules system (not in cerowrt) that is
> very permissive about what protocols can be run across ipv6 in
> particular, and across the local and guest network (examples: hip,
> sctp, igmp, ospf, ipsec, etc.)
>
> ... but absolutely no way to wrap a gui around it.
>
> Noted, logged, and will be fixed in the next build.
Great!
> I care a lot about
> security. I would also like to make port 81 be https, too.
That sounds even better, then remote access might actually be a feature again :)
>
>> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So I went and created a custom rule to reject incoming connections on port 81 from wan (and now I cannot reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).
>
> It sounds like you did the right thing.
So it seems, as I can reach the configuration GUI from the secured wireless segment...
>
>> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production; if so, please let me know.
>
> The openwrt qos system is obsolete in cerowrt (although I do plan to
> improve it for openwrt), in favor of the ultimate replacement with the
> 'aqm' script, of which simple_qos is a test (and with which bug #360
> was exposed).
The main reason for me to revert to qos after testing simple_qos.sh was that I did not figure out how to automatically start that script after boot up / interface upping. What is your recommendation for that?
>
> Core differences are htb rather than hfsc, much better use of sfqred,
> and support for diffserv marking.
Given the simplicity of simple_qos I will try to see whether I can create a version replacing htb with hfsc, just to see whether there is any noticeable difference. One question: for testing simple_qos.sh, can I use the script from http://www.bufferbloat.net/projects/cerowrt/wiki/Early_Test_Results that targets huchra.bufferbloat.net? Or do I need to set up my own endpoints?
>
> Regrettably we're still transitioning; I'd really hoped to have
> something solid and fully integrated with the aqm stuff by now. I
> stumble across things like basic integration with uci, and was
> originally planning to write the whole thing in lua. I still may.
I always wanted to figure out why the existing AQM GUI did not work, but never got around to actually do it (short on time). But I do not see my time budget changing much in the future.
Best Regards & thanks for doing all the hard and tedious work to fix the internet for the rest of us…
Sebastian
>
>
>>
>> best
>> Sebastian