[Cerowrt-devel] BCP38 implementation
dave.taht at gmail.com
Thu Mar 20 13:38:17 EDT 2014
I have tested this, made one small modification, and it will be in
cerowrt-3.10.32-12 and on by default. Nice work!
It doesn't appear to affect the speed of a transfer through the ge00
port at all, and it's really nice to see
d at nuc:~$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
>From 172.26.4.1 icmp_seq=1 Destination Net Unreachable
One possible problem with pushing this up to openwrt is that arguably
it needs to apply this to the "wan" abstraction in the firewall rules
rather than a specific interface, and hook into that chain instead.
(on the other hand, using an
actual interface is also good)
The ipset facility has great potential for other uses, for example:
1) it allows for creation of a port bitmap to be checked for blocking
ports. Right now what happens is we create an iptables rule per
blocked port which is probably less efficient with lots of ports than
using a single ipset would be.
2) it allows for dynamic addition/subtraction of troublesome (e.g.
DDOSing or infected) hosts. Right now xinetd does half the job of
detecting probes like attempts to telnet to the router and blocks
access to other services controlled by xinetd for a couple hours.
ipset has basically the same functionality and could be made to do it
for the entire box.
An example idea is that I average 2 ssh dictionary attacks/sec on some
of my boxes, and I'd just as soon start dropping connection attempts
after X number of tries.... another is detecting dns relay attempts...
On Thu, Mar 20, 2014 at 6:07 AM, Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> So, another new version that should now be relatively feature-complete.
> It should be possible to just install these two packages:
> and have everything enabled and working. This version does away with the
> firewall rules in the config (so no need to add them; if they exist it
> shouldn't hurt, I think, but might as well just remove them) in favour
> of inserting a whole separate iptables chain to do the matching on.
> There's now also an auto-detection feature for the upstream network,
> which should automatically whitelist it when the rules are set up. It
> does this by looking at the routing table for the upstream interface,
> and testing all 'scope link' routes against the configured ipset, adding
> exceptions if they match. There's a config toggle to turn off this
> behaviour, and manual exceptions can be added instead of (or in addition
> to) the auto-detection.
> Since this detection is done at every run time, it should also include
> hotplugging; the firewall is reloaded every time an interface is
> hotplugged, which also reloads the bcp38 configuration and re-does the
> Testing is very much appreciated; until some of you tell me different, I
> believe this version is suitable for inclusion in cerowrt. At least all
> the issues on my own previous lists have been fixed AFAIK. :)
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
More information about the Cerowrt-devel