From: Sebastian Moeller
To: Dave Taht
Date: Thu, 26 Apr 2012 20:02:06 -0700
Subject: Re: [Cerowrt-devel] 3.3.2-8 and firewall
References: <5CFE07BB-A9A9-46F1-93CA-1B3644D2406B@caltech.edu>
List-Id: Development issues regarding the cerowrt test router project

Hi Dave,

thanks for the quick reply…

On Apr 26, 2012, at 4:20 PM, Dave Taht wrote:

> On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller wrote:
>> Hi Dave, hi list,
>>
>> yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run-of-the-mill 4M/30M cable, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed this actually worked.
>
> This should be blocked from the outside world, actually. It is quite
> probable that the simple_qos script mucks with that. The mixture
> of firewall and qos/aqm rules in iptables is very complex and hard to
> deal with.

Yes, I noticed that openwrt's qos scripting is quite involved and opaque. (So I really appreciate simple_qos's readability :))

>
> Worse, I have my own firewall rules system (not in cerowrt) that is
> very permissive about what protocols can be run across ipv6 in
> particular, and across the local and guest network (examples, hip,
> sctp, igmp, ospf, ipsec, etc)
>
> ... but absolutely no way to wrap a gui around it.
>
> Noted, logged, and will be fixed in the next build.

Great!

> I care a lot about
> security. I would also like to make port 81 be https, too.

That sounds even better; then remote access might actually be a feature again :)

>
>> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So, I went and created a custom rule to reject incoming connections on port 81 from wan (and now I can not reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).
>
> It sounds like you did the right thing.

So it seems, as I can reach the configuration GUI from the secured wireless segment...

>
>> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production; if so, please let me know.
>
> The openwrt qos system is obsolete in cerowrt (although I do plan to
> improve it for openwrt), in favor of the ultimate replacement with the
> 'aqm' script, of which simple_qos is a test, and exposed bug #360
> with.
The main reason for me to revert to qos after testing simple_qos.sh was that I did not figure out how to automatically start that script after boot up / interface upping. What is your recommendation for that?

>
> Core differences are htb rather than hfsc, much better use of sfqred,
> and support for diffserv marking.

Given the simplicity of simple_qos I will try to see whether I can create a version replacing htb by hfsc, just to see whether there is any noticeable difference. One question: for testing simple_qos.sh, can I use the script from http://www.bufferbloat.net/projects/cerowrt/wiki/Early_Test_Results that targets huchra.bufferbloat.net? Or do I need to set up my own endpoints?

>
> Regrettably we're still transitioning; I'd really hoped to have
> something solid and fully integrated with the aqm stuff by now. I
> stumble across things like basic integration with uci, and was
> originally planning to write the whole thing in lua. I still may.

I always wanted to figure out why the existing AQM GUI did not work, but never got around to actually doing it (short on time). But I do not see my time budget changing much in the future.
Best Regards & thanks for doing all the hard and tedious work to fix the internet for the rest of us…

Sebastian

>
>
>>
>> best
>> Sebastian
>>
>>
>> --
>> Sebastian Moeller
>>
>> telephone: +1-626-325-8598 / +1-626-395-6523 / +1-626-395-6616
>> fax: 626-395-8826
>> German GSM: +49 - 15 77 - 1 90 31 41
>> mobile: +1-626-325-8598
>> +1-626-807-5242
>> US CDMA: +1-626-807-5242
>> moeller@caltech.edu
>>
>> Division of Biology
>> MC 114-96
>> California Institute of Technology
>> 1200 East California Boulevard
>> CA 91125, Pasadena
>> USA
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
>
>
> --
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net

--
Sebastian Moeller

telephone: +1-626-325-8598 / +1-626-395-6523 / +1-626-395-6616
fax: 626-395-8826
German GSM: +49 - 15 77 - 1 90 31 41
mobile: +1-626-325-8598
+1-626-807-5242
US CDMA: +1-626-807-5242
moeller@caltech.edu

Division of Biology
MC 114-96
California Institute of Technology
1200 East California Boulevard
CA 91125, Pasadena
USA
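The port-81 exposure and the reject rule discussed in this thread, as an added example that is not part of the thread and not CeroWrt's or OpenWrt's own code: a small Python evaluator that walks an `iptables-save` dump the way the kernel walks the INPUT chain and answers whether a new TCP connection to port 81 arriving on the WAN device ends in ACCEPT. The ruleset, the zone chain names (`zone_wan`, `zone_lan`), the device names (`ge00` for WAN, `se00` for LAN) and the function names are all constructed for the example; a real router's dump is larger. It also shows why rule order matters: the reject only works when it sits ahead of the zone's blanket ACCEPT.

```python
import shlex

# Constructed iptables-save excerpt in an OpenWrt/CeroWrt-style zone layout.
# Device names (ge00 = WAN, se00 = LAN) and chain names are assumptions for this example.
EXPOSED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:zone_lan - [0:0]
:zone_wan - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i se00 -j zone_lan
-A INPUT -i ge00 -j zone_wan
-A zone_lan -j ACCEPT
-A zone_wan -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A zone_wan -j ACCEPT
COMMIT
"""

TERMINAL = ("ACCEPT", "DROP", "REJECT")


def parse_rule(toks):
    """Turn the arguments after '-A CHAIN' into a dict of the matchers we model."""
    rule, i = {}, 0
    while i < len(toks):
        opt = toks[i]
        if opt in ("-m", "--reject-with"):      # extension loader / target option: no match semantics
            i += 2
            continue
        if opt == "-i":
            rule["in_iface"] = toks[i + 1]
        elif opt == "-p":
            rule["proto"] = toks[i + 1]
        elif opt == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif opt == "--state":
            rule["state"] = set(toks[i + 1].split(","))
        elif opt == "-j":
            rule["target"] = toks[i + 1]
        else:
            # Fail closed: a matcher we do not model could change the verdict.
            raise ValueError("unmodelled option %r, refusing to guess" % opt)
        i += 2
    return rule


def parse_ruleset(text):
    """Return (policies, chains): built-in chain policies and chain -> ordered rule list."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):                # ':NAME POLICY [pkts:bytes]'; '-' means user chain
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return policies, chains


def matches(rule, pkt):
    if "in_iface" in rule and rule["in_iface"] != pkt["in_iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(policies, chains, chain, pkt, depth=0):
    """First terminal match wins; a user chain that falls through returns None to its caller."""
    if depth > 16:
        raise RuntimeError("chain nesting too deep")
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule.get("target")
        if target is None:                      # match-only (counting) rule
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target not in chains:
            raise ValueError("jump to unknown chain " + target)
        sub = verdict(policies, chains, target, pkt, depth + 1)
        if sub is not None:
            return sub
    return policies.get(chain)                  # built-in: policy; user chain: None


def gui_reachable_from_wan(ruleset, wan_iface="ge00", port=81):
    """True if a NEW tcp/<port> connection entering on wan_iface is ACCEPTed by INPUT."""
    policies, chains = parse_ruleset(ruleset)
    pkt = {"in_iface": wan_iface, "proto": "tcp", "dport": port, "state": "NEW"}
    return verdict(policies, chains, "INPUT", pkt) == "ACCEPT"


def add_port_reject(ruleset, chain="zone_wan", port=81):
    """Insert a tcp/<port> REJECT ahead of the chain's blanket ACCEPT (after it, it never fires)."""
    blanket = "-A %s -j ACCEPT" % chain
    if blanket not in ruleset:
        raise ValueError("no blanket ACCEPT in " + chain)
    reject = "-A %s -p tcp -m tcp --dport %d -j REJECT --reject-with tcp-reset" % (chain, port)
    return ruleset.replace(blanket, reject + "\n" + blanket, 1)


FIXED_RULESET = add_port_reject(EXPOSED_RULESET)

if __name__ == "__main__":
    print("exposed ruleset, GUI reachable from WAN:", gui_reachable_from_wan(EXPOSED_RULESET))
    print("fixed ruleset,   GUI reachable from WAN:", gui_reachable_from_wan(FIXED_RULESET))
    print("fixed ruleset,   GUI reachable from LAN:", gui_reachable_from_wan(FIXED_RULESET, wan_iface="se00"))
```

On OpenWrt the same rule is normally expressed as a `config rule` section in /etc/config/firewall (src wan, proto tcp, dest_port 81, target REJECT) rather than a raw iptables line. Whichever way it is added, the check that matters is to re-run `iptables-save` on the router after any qos/aqm script has run and feed that dump to `gui_reachable_from_wan`, since those scripts rewrite iptables and can push a hand-added rule below a blanket ACCEPT or drop it. The evaluator raises on any option it does not model, so a rule it cannot reason about fails loudly instead of being skipped, and given Dave's remark about permissive IPv6 rules the `ip6tables-save` output deserves the same pass.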