[Cerowrt-devel] saner defaults for config/firewall

J. Daniel Ashton jdashton at ashtonfam.org
Sun Feb 23 14:10:09 EST 2014



While you're looking at things that ought to be in the default 
configuration (or in "a" default configuration, perhaps available on the 
wiki), there are two use-cases that I would like to see work better out 
of the box:

 1. mDNS sharing across non-guest segments: my wife on Wi-Fi, I on
    Ethernet, should be able to see each other's iTunes libraries and
    the mDNS-advertised printer.
 2. Google's new Chromecast device usable from all non-guest segments:
    it has no Ethernet port, so it is on Wi-Fi at 2MHz, my tablet on
    Wi-Fi at 5MHz, and my desktop on Ethernet. Both tablet and desktop
    should be able to see the Chromecast and control it.

I really like the CeroWrt approach to network segmentation: I felt like 
I was learning best practices as I read up on what you chose to do. But 
the above use cases seem to be problematic with this approach.



On 2/23/14, 12:21 PM, Dave Taht wrote:
> On Fri, Feb 21, 2014 at 12:25:23AM +0100, Vincent Frentzel wrote:
>> Hi everyone,
>>
>> After installing ceroWRT the first thing I did was to reconfigure the
>> firewall as shown attached. My router is used as home gateway and I wanted
>> to lock down the device a bit.
>>
>> The changes introduced are as follows:
>>
>> - LAN (s+) to/from GUEST (g+) is not allowed.
>> - GUEST to ROUTER is restricted to DNS/DHCP/NTP.
> I note that even dns is a problem in terms of leaking information about
> your network, so is mdns.
>
> the "g+" convention can simplify access to the internet in the rules too.
>
> There are also potential problems in enabling the polipo proxy.
>
> Note that the mesh networking interfaces are also "g", and there is
> something of a conflict between allowing the mesh network and guest
> access.
>
> I used to solve this somewhat with the babel authentication extensions.
>
> http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
>
> at the moment that code had landed in the quagga branch of babel,
> not babel itself.
>
>> - I've tuned the basic IPV6 rules to take the above changes into account
>> and allow proto 41 INPUT for 6to4/6in4 tunnels.
>> - LAN to/from ROUTER everything is allowed.
>> This could be a nice default config.
>>
>> Feedback welcome.
> After getting the last release out I took a break from email, and didn't
> get to this.
>
> There are certainly conflicting desires for how to do firewalling. Historically
> we run fairly open by default due to cerowrt's origin as a research project.
>
> In the case where we want to open the network somewhat to house guests, being
> able to have reasonably secure (ssh and printing) protocols open to them
> is a help.
>
> In the case where I want to share my network with the neighborhood,
> locking things down as per the above makes more sense. I'd argue for even
> stronger measures, actually, something that an org like openwireless.org
> could recommend so that people can feel safe in sharing their wifi again.
>
> I think we should put up alternate configs like this somewhere on the wiki,
> or in a git tree...
>
> I have a few other desirable configs on the list.
>
> -1) gui support for the + syntax would be good.
>
> 0) I really, really, really want bcp38 support, using ipset. I wouldn't
>     mind a complete switch to ipset for a variety of things, but some
>     benchmarking along the way would be good to compare the existing schemes
>
>     one problem I've run into in turning on bcp38 by default is dealing
>     with double nat on the dhcp'd interfaces.
>
> 1) a more "normal", bridged implementation more like people are used to.
>
> 2) vlan support (I've never managed to make vlans work with babel, btw)
>
> 3) ?
>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel

-- 
Daniel Ashton      PGP key available     http://Daniel.AshtonFam.org
mailto:Daniel at AshtonFam.org           http://ChamberMusicWeekend.org
  AIM: FirstFiddl           ICQ# 9445142           http://MDMusic.org
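The guest policy Vincent describes (LAN and guest never forward to each other, guest may reach the router only for DHCP/DNS/NTP, guest may reach the internet, LAN may reach the router for everything, and protocol 41 is accepted on the WAN for 6in4/6to4 tunnels), written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not the attachment from the thread and not CeroWrt's shipped config; the zone and network names 'lan', 'guest', 'wan' are assumptions, and the thread's "s+"/"g+" interface wildcards are replaced by logical networks that are assumed to group the same interfaces.

```text
# /etc/config/firewall  (added example; assumed zone/network names)

config defaults
	option syn_flood	'1'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'

config zone
	option name		'lan'
	# assumption: the wired and secure wireless interfaces (the thread's "s+"
	# set) are attached to a logical network called 'lan'
	option network		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'

config zone
	option name		'guest'
	# assumption: the guest wireless interfaces (the thread's "g+" set) are
	# attached to a logical network called 'guest'
	option network		'guest'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'

config zone
	option name		'wan'
	option network		'wan wan6'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option masq		'1'
	option mtu_fix		'1'

# Both inside zones may reach the internet. No lan<->guest forwarding is
# declared, so that traffic falls to the forward=REJECT default.
config forwarding
	option src		'lan'
	option dest		'wan'

config forwarding
	option src		'guest'
	option dest		'wan'

# Guest -> router: only what a client needs to get an address, resolve
# names and set its clock. Everything else hits the zone's input=REJECT.
config rule
	option name		'Allow-guest-DHCP'
	option src		'guest'
	option proto		'udp'
	option src_port		'67-68'
	option dest_port	'67-68'
	option target		'ACCEPT'

config rule
	option name		'Allow-guest-DNS'
	option src		'guest'
	option proto		'tcpudp'
	option dest_port	'53'
	option target		'ACCEPT'

config rule
	option name		'Allow-guest-NTP'
	option src		'guest'
	option proto		'udp'
	option dest_port	'123'
	option target		'ACCEPT'

# Encapsulated IPv6 (6in4/6to4) arriving on the WAN is IP protocol 41.
config rule
	option name		'Allow-6in4'
	option src		'wan'
	option proto		'41'
	option target		'ACCEPT'
```

Two caveats a reviewer would raise against this as a default: if guests are to get IPv6 the zone also needs ICMPv6 (router solicitation/advertisement, neighbour discovery) and, where used, DHCPv6 on UDP 546/547, which this fragment does not open; and, as Dave notes above, the DNS you do let through still reveals which names guests resolve and what the router's resolver knows, so "DNS only" is a reduction of exposure rather than an absence of it.

For Daniel's first use case, CeroWrt's segments are routed rather than bridged, and mDNS is sent to a link-local multicast group with TTL 1, so a library advertised on the Wi-Fi segment is never seen on the Ethernet segment. One fix is to run avahi on the router as a reflector, which re-originates mDNS queries and answers on each listed interface. The following /etc/avahi/avahi-daemon.conf fragment is an added example, not the thread's configuration; the interface names se00, sw00 and sw10 are assumed to be the wired, 2.4 GHz and 5 GHz non-guest segments.

```text
# /etc/avahi/avahi-daemon.conf  (added example; assumed interface names)

[server]
use-ipv4=yes
use-ipv6=yes
# Only the non-guest segments. Guest interfaces are left out on purpose:
# the reflector repeats every hostname and service record it hears, which
# is exactly the mDNS information leak mentioned in the thread.
allow-interfaces=se00,sw00,sw10

[reflector]
enable-reflector=yes
```

The router must itself accept UDP 5353 from those segments for the reflector to hear anything; with the LAN zone above set to input=ACCEPT that is already the case. Note that this covers the mDNS-based cases (iTunes sharing, the printer) but Chromecast discovery has also relied on SSDP-based DIAL on UDP 1900, which avahi does not reflect, so the second use case may need a separate SSDP relay.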
