[isf-wifidog] Issues regarding OpenWRTs firewalling
kaouete
kaouete at crazydwarves.org
Wed Oct 19 11:45:00 EDT 2005
root@winry:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000f6656eca4       no              vlan0
                                                        eth1
root@winry:~# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:554453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:759848 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:67278873 (64.1 MiB)  TX bytes:900382647 (858.6 MiB)

eth0      Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:858366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:614842 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:917086578 (874.6 MiB)  TX bytes:83133452 (79.2 MiB)
          Interrupt:5 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:548277 errors:0 dropped:0 overruns:0 frame:245926
          TX packets:775942 errors:241 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:74862782 (71.3 MiB)  TX bytes:905340869 (863.3 MiB)
          Interrupt:4 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12948 (12.6 KiB)  TX bytes:12948 (12.6 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2521168 (2.4 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
          inet addr:192.168.254.2  Bcast:192.168.254.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:858365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:591616 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:901635910 (859.8 MiB)  TX bytes:80612284 (76.8 MiB)

That's all for the moment, sorry, I know the most useful are the
wifidog logs.
If you try with a fresh install you should have the same
information :]
To be sure, I repeat what the problem is:
all requests to the net (vlan1) from the wlan (br0) not on port 80
are not caught by wifidog.
and the solution:
just comment out these two lines in /etc/init.d/S45firewall:
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
Thanks :]
kaouete
On Wed, Oct 19, 2005 at 11:10:36AM -0400, Philippe April wrote:
> :)
>
> I don't mind fixing the bug properly, but I never got the output of
> everything:
>
> ifconfig -a
> brctl show
> wifidog -f -d 7
>
> On a router that's not working...
>
> I don't know where the bug comes from at all.
>
> I'll re-read the whole thing but if you could provide more
> information, it would be awesome. I'll flash a brand new router, not
> un-bridge the stuff and try it.
>
> Philippe April
> GnuPG http://key.philippeapril.com
>
> On 19-Oct-05, at 10:12 AM, kaouete wrote:
>
> >I think the same.
> >
> >The bug is present in rc3 and the bugfix provided in the
> >bug report is ok (but I don't know if there are side effects)
> >
> >The problem is that everyone has their own config, so for some
> >there are no problems and for others there are; maybe that is why you
> >don't have it, Philip.
> >
> >kaouete
> >
> >On Wed, Oct 19, 2005 at 03:50:32PM +0200, Max Horváth wrote:
> >
> >>Well, no ... actually this Whiterussian IS OpenWRT Experimental ...
> >>and this problem still exists ... even on the newest CVS checkout of
> >>whiterussian.
> >>
> >>BUT we got a solution how to fix it ... so we should close this bug
> >>as long as we would either include the description for the fix in the
> >>README or if we'd provide our own S45firewall script.
> >>
> >>IF we would provide our own firewall script we COULD then of course
> >>think about if we should provide a few basic scripts - let's say one
> >>like it is right now or for example one with some light restrictions
> >>and one with heavier restrictions ...
> >>
> >>So ... what should we do?
> >>
> >>Cheers from rainy Germany, Max!
> >>
> >>On 19.10.2005 at 13:54, Philippe April wrote:
> >>
> >>
> >>>
> >>>On 19-Oct-05, at 2:54 AM, Max Horváth wrote:
> >>>
> >>>
> >>>>This I'd like to talk about firewalling OpenWRT.
> >>>>
> >>>>First we got a bug in the bugtracker:
> >>>>http://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
> >>>>
> >>>>I think this bug could be closed as long as we would include a
> >>>>note in the gateway's README about how to change the default
> >>>>S45firewall script. Or we should provide our own version of the
> >>>>S45firewall script in the gateway package.
> >>>>
> >>>>
> >>>
> >>>The bug is on OpenWRT experimental, which is old and buggy.
> >>>
> >>>Whiterussian RC3 is out, and I can't replicate the issue. Have you
> >>>tried it on it?
> >>>
> >>>If you can replicate using RC3, I'll leave the bug open, otherwise
> >>>I'll close it if you don't mind.
> >>>
> >>>Let me know!
> >>>_______________________________________________
> >>>WiFiDog mailing list
> >>>WiFiDog at listes.ilesansfil.org
> >>>http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >>>
> >>>
> >>>
> >>
> >>
> >>--
> >>Max Horváth
> >>Chief Technology Officer
> >>
> >>maxspot GmbH
> >>Seestr. 73a
> >>15711 Zeesen
> >>
> >>Tel: 03375 / 922 79 24
> >>Fax: 03375 / 922 79 27
> >>
> >>E-Mail: max.horvath at maxspot.de
> >>Homepage: http://www.maxspot.de/
> >>
> >>
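A check for the two rules named in kaouete's message, as an added example that is not part of the original thread or of the WiFiDog or OpenWRT code: it flags active FORWARD rules that accept everything arriving on an input interface with no protocol, port or state match, and can emit the script with those rules commented out. The sample script is constructed (only the two flagged lines come from the message), and `audit_forward` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of a firewall init script. Only the two blanket
# FORWARD ACCEPT lines come from the post; the rest is illustrative.
SAMPLE='#!/bin/sh
WAN=vlan1
LAN=br0
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# iptables -A FORWARD -i $LAN -p tcp --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE'

# audit_forward (hypothetical helper) reads a firewall script on stdin.
#   audit_forward list  -> "lineno:rule" for each blanket FORWARD ACCEPT
#   audit_forward fix   -> the script with those rules commented out
# "Blanket" means: active rule, appended to FORWARD, jumps to ACCEPT, names
# an input interface, and has no protocol, port, address or match module.
audit_forward() {
    awk -v mode="$1" '
        function blanket(l) {
            if (l ~ /^[ \t]*#/) return 0              # already commented out
            if (l !~ /iptables/ || l !~ /-A[ \t]+FORWARD/) return 0
            if (l !~ /-j[ \t]+ACCEPT/ || l !~ /-i[ \t]/) return 0
            return l !~ /(^|[ \t])(-p|-m|-s|-d|--dport|--sport)[ \t]/
        }
        {
            b = blanket($0)
            if (mode == "list") { if (b) print NR ":" $0 }
            else { prefix = b ? "# " : ""; print prefix $0 }
        }'
}

# Report the rules that let LAN clients bypass the portal in the sample.
printf '%s\n' "$SAMPLE" | audit_forward list
```

On a router the same check can be run against the real script with `audit_forward list < /etc/init.d/S45firewall`.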