[Cerowrt-devel] 3.3.2-8 and firewall
moeller at caltech.edu
Thu Apr 26 23:02:06 EDT 2012
Thanks for the quick reply…
On Apr 26, 2012, at 4:20 PM, Dave Taht wrote:
> On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller <moeller at caltech.edu> wrote:
>> Hi Dave hi list,
>> yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run of the mill 4M/30M cable, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed that this actually worked.
> This should be blocked from the outside world, actually. It is quite
> probable that the simple_qos script mucks with that. The mixture
> of firewall and qos/aqm rules in iptables is very complex and hard to
> deal with.
Yes, I noticed that openwrt's qos scripting is quite involved and opaque. (So I really appreciate simple_qos's readability :))
> Worse, I have my own firewall rules system (not in cerowrt) that is
> very permissive about what protocols can be run across ipv6 in
> particular, and across the local and guest network (examples, hip,
> sctp, igmp, ospf, ipsec, etc)
> ... but absolutely no way to wrap a gui around it.
> Noted, logged, and will be fixed in the next build.
> I care a lot about
> security. I would also like to make port 81 be https, too.
That sounds even better, then remote access might actually be a feature again :)
>> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So, I went and created a custom rule to reject incoming connections on port 81 from wan (and now I can not reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section…).
> It sounds like you did the right thing.
So it seems, as I can reach the configuration GUI from the secured wireless segment...
>> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production, if so please let me know.
> The openwrt qos system is obsolete in cerowrt (although I do plan to
> improve it for openwrt), in favor of the ultimate replacement with the
> 'aqm' script, of which simple_qos is a test of, and exposed bug #360
The main reason for me to revert to qos after testing simple_qos.sh was that I did not figure out how to automatically start that script after boot up / interface upping. What is your recommendation for that?
> Core differences are htb rather than hfsc, much better use of sfqred,
> and support for diffserv marking.
Given the simplicity of simple_qos I will try to see whether I can create a version replacing htb by hfsc, just to see whether there is any noticeable difference. One question: for testing simple_qos.sh, can I use the script from http://www.bufferbloat.net/projects/cerowrt/wiki/Early_Test_Results that targets huchra.bufferbloat.net? Or do I need to set up my own endpoints?
> Regrettably we're still transitioning; I'd really hoped to have
> something solid and fully integrated with the aqm stuff by now. I
> stumble across things like basic integration with uci, and was
> originally planning to write the whole thing in lua. I still may.
I always wanted to figure out why the existing AQM GUI did not work, but never got around to actually doing it (short on time). But I do not see my time budget changing much in the future.
Best Regards & thanks for doing all the hard and tedious work to fix the internet for the rest of us…
telephone: +1-626-325-8598 /+1-626-395-6523 / +1-626-395-6616
German GSM: +49 - 15 77 - 1 90 31 41
US CDMA: +1-626-807-5242
moeller at caltech.edu
Division of Biology
California Institute of Technology
1200 East California Boulevard
CA 91125, Pasadena
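The custom rule Sebastian describes (reject incoming TCP connections to the port 81 configuration GUI from the wan zone), together with a check that the rule is actually the first one hit in the INPUT chain, as an added example that is not code from the original mail, from CeroWrt or from OpenWrt. It assumes an OpenWrt-style firewall zone named "wan", a WAN interface named "ge00", and uses constructed iptables-save lines in place of a live router.

```sh
#!/bin/sh
# Added example, not CeroWrt's or OpenWrt's own code. Shows (1) the UCI
# firewall rule that rejects WAN-side TCP connections to the config GUI on
# port 81, and (2) a check over iptables-save output that the first rule
# matching that port is a REJECT/DROP, since netfilter stops at the first
# match: an ACCEPT placed earlier wins, one placed later is never reached.
# Assumptions (not from the original mail): the OpenWrt zone is named "wan",
# the WAN interface is "ge00", and SAMPLE_RULES below is constructed text.

GUI_PORT=81

# Emit the uci commands for the reject rule. On the router you would pipe
# this into sh and then run: /etc/init.d/firewall restart
gui_block_rule_uci() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Reject-WAN-GUI-${GUI_PORT}'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='${GUI_PORT}'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
EOF
}

# Constructed sample of INPUT-chain lines as printed by "iptables-save" on a
# router (on a real box: iptables-save | grep '^-A INPUT'). The last line is
# a deliberate stray ACCEPT that the earlier REJECT shadows.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ge00 -p tcp -m tcp --dport 81 -j REJECT --reject-with tcp-reset
-A INPUT -i ge00 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ge00 -p tcp -m tcp --dport 81 -j ACCEPT'

# first_verdict IFACE PORT: read rules on stdin, print the target (ACCEPT,
# REJECT, DROP, ...) of the first rule for TCP PORT arriving on IFACE, or
# nothing if no rule matches (then the chain's default policy decides).
first_verdict() {
    grep -- "-i $1 " | grep -- "--dport $2 " | head -n 1 \
        | sed -n 's/.*-j \([A-Za-z_]*\).*/\1/p'
}

# wan_port_is_blocked IFACE PORT: 0 if the first matching rule is REJECT or
# DROP, 1 otherwise (ACCEPT, a jump to a custom chain, or no explicit rule).
wan_port_is_blocked() {
    case "$(printf '%s\n' "$SAMPLE_RULES" | first_verdict "$1" "$2")" in
        REJECT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_gui_port HOST: the from-outside check Sebastian did by hand. Assumes
# an nc that supports -z/-w (OpenBSD or GNU netcat); not run in this example.
# Returns 0 if the port answers, 1 if it is closed or filtered.
probe_gui_port() {
    nc -z -w 3 "$1" "$GUI_PORT" >/dev/null 2>&1
}

# Stand-alone run: print the rule commands and the verdict for port 81.
gui_block_rule_uci
if wan_port_is_blocked ge00 "$GUI_PORT"; then
    echo "port $GUI_PORT on ge00: blocked by first matching rule"
else
    echo "port $GUI_PORT on ge00: NOT blocked; fix the rule order"
fi
```

On a real router, feed `iptables-save | grep '^-A INPUT'` into `first_verdict` instead of the constructed sample; the point of checking the first match rather than just grepping for a REJECT line is that a QoS or zone script which inserts its own ACCEPT above yours silently reopens the port.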