[isf-wifidog] Issues regarding OpenWRTs firewalling

kaouete kaouete at crazydwarves.org
Wed 19 Oct 11:45:00 EDT 2005


root at winry:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000f6656eca4       no              vlan0
                                                        eth1
root at winry:~# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:554453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:759848 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:67278873 (64.1 MiB)  TX bytes:900382647 (858.6 MiB)

eth0      Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:858366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:614842 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:917086578 (874.6 MiB)  TX bytes:83133452 (79.2 MiB)
          Interrupt:5 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:548277 errors:0 dropped:0 overruns:0 frame:245926
          TX packets:775942 errors:241 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:74862782 (71.3 MiB)  TX bytes:905340869 (863.3 MiB)
          Interrupt:4 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12948 (12.6 KiB)  TX bytes:12948 (12.6 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2521168 (2.4 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          inet addr:192.168.254.2  Bcast:192.168.254.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:858365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:591616 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:901635910 (859.8 MiB)  TX bytes:80612284 (76.8 MiB)

That's all for the moment, sorry, I know the most useful are the
wifidog logs.

If you try with a fresh install you should have the same
information :]

To be sure I repeat what the problem is:
all requests to the net (vlan1) from the wlan (br0) not on port 80
are not caught by wifidog.

and the solution:
just comment out these two lines in /etc/init.d/S45firewall:

iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

Thanks :]

kaouete
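As an added defender-side check (not code from this thread or from the WiFiDog project): a small shell function that scans an iptables-save dump and flags the pattern described above, a blanket ACCEPT in the FORWARD chain that sits ahead of the jump into WiFiDog's own chain, so non-port-80 traffic from br0 is accepted before wifidog ever sees it. The chain name WiFiDog_WIFI2Internet is an assumption, and both rulesets are constructed samples; the interface names follow the thread.

```shell
#!/bin/sh
# Added example, not part of the original message. Checks an iptables-save
# dump for unconditional ACCEPTs in FORWARD that precede the WiFiDog jump.
# The chain name "WiFiDog_WIFI2Internet" is an assumption.

# Returns 0 when no blanket ACCEPT precedes the WiFiDog jump in FORWARD,
# 1 otherwise; each offending rule is printed on stdout.
check_forward_order() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / {
            if ($0 ~ /-j WiFiDog_/) { seen = 1; next }
            # An ACCEPT with no port or connection-state match, placed before
            # the WiFiDog jump, lets wireless clients bypass the portal rules.
            if (!seen && $0 ~ /-j ACCEPT$/ && $0 !~ /--dport|-m state|-m conntrack/) {
                print "early blanket ACCEPT: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed samples in iptables-save format (not captured from the router).
# BROKEN carries the two S45firewall lines quoted in the thread.
BROKEN='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j WiFiDog_WIFI2Internet
COMMIT'

# FIXED keeps only a state-matched ACCEPT for reply traffic ahead of the jump.
FIXED='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o vlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j WiFiDog_WIFI2Internet
COMMIT'

check_forward_order "$BROKEN" || echo "sample BROKEN: wifidog is bypassed"
check_forward_order "$FIXED"  && echo "sample FIXED: ok"
```

On a live router the same check can be fed with the output of `iptables-save` instead of the constructed strings.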

On Wed, Oct 19, 2005 at 11:10:36AM -0400, Philippe April wrote:
> :)
> 
> I don't mind fixing the bug properly, but I never got the output of  
> everything:
> 
> ifconfig -a
> brctl show
> wifidog -f -d 7
> 
> On a router that's not working...
> 
> I don't know where the bug comes from at all.
> 
> I'll re-read the whole thing but if you could provide more  
> information, it would be awesome. I'll flash a brand new router, not  
> un-bridge the stuff and try it.
> 
> Philippe April
> GnuPG http://key.philippeapril.com
> 
> On 19-Oct-05, at 10:12 AM, kaouete wrote:
> 
> >I think the same.
> >
> >The bug is present in rc3 and the bugfix provided in the
> >bugreport is ok (but I don't know if there are side effects)
> >
> >The problem is that everyone has their own config, so for some
> >there are no problems and for others there are; maybe that is why you
> >don't have it, Philippe.
> >
> >kaouete
> >
> >On Wed, Oct 19, 2005 at 03:50:32PM +0200, Max Horváth wrote:
> >
> >>Well, no ... actually this Whiterussian IS OpenWRT Experimental ...
> >>and this problem still exists ... even on the newest CVS checkout of
> >>whiterussian.
> >>
> >>BUT we got a solution how to fix it ... so we should close this bug
> >>as long as we would either include the description for the fix in the
> >>README or if we'd provide our own S45firewall script.
> >>
> >>IF we would provide our own firewall script we COULD then of course
> >>think about if we should provide a few basic scripts - let's say one
> >>like it is right now or for example one with some light restrictions
> >>and one with heavier restrictions ...
> >>
> >>So ... what should we do?
> >>
> >>Cheers from rainy Germany, Max!
> >>
> >>Am 19.10.2005 um 13:54 schrieb Philippe April:
> >>
> >>
> >>>
> >>>On 19-Oct-05, at 2:54 AM, Max Horváth wrote:
> >>>
> >>>
> >>>>Here I'd like to talk about firewalling OpenWRT.
> >>>>
> >>>>First we got a bug in the bugtracker:
> >>>>http://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
> >>>>
> >>>>I think this bug could be closed as long as we would include a
> >>>>note in the gateway's README about how to change the default
> >>>>S45firewall script. Or we should provide our own version of the
> >>>>S45firewall script in the gateway package.
> >>>>
> >>>>
> >>>
> >>>The bug is on OpenWRT experimental, which is old and buggy.
> >>>
> >>>Whiterussian RC3 is out, and I can't replicate the issue. Have you
> >>>tried it on it?
> >>>
> >>>If you can replicate using RC3, I'll leave the bug open, otherwise
> >>>I'll close it if you don't mind.
> >>>
> >>>Let me know!
> >>>_______________________________________________
> >>>WiFiDog mailing list
> >>>WiFiDog at listes.ilesansfil.org
> >>>http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >>>
> >>>
> >>>
> >>
> >>
> >>-- 
> >>Max Horváth
> >>Chief Technology Officer
> >>
> >>maxspot GmbH
> >>Seestr. 73a
> >>15711 Zeesen
> >>
> >>Tel: 03375 / 922 79 24
> >>Fax: 03375 / 922 79 27
> >>
> >>E-Mail: max.horvath at maxspot.de
> >>Homepage: http://www.maxspot.de/
> >>
> >>
> >>
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url: http://listes.ilesansfil.org/pipermail/wifidog/attachments/20051019/31a7098e/attachment.pgp

