[isf-wifidog] Issues regarding OpenWRT's firewalling

Max Horváth max.horvath at maxspot.de
Wed 19 Oct 12:30:55 EDT 2005


Same for me ... as I did the following:

> and the solution:
> just comment these two lines in /etc/init.d/S45firewall:
>
> iptables -A FORWARD -i br0 -o br0 -j ACCEPT
> iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

... wifidog -f -d 7 won't be of any help to you.

But with your brand new router you should see what happens ...

Regards, Max!

On 19.10.2005 at 17:45, kaouete wrote:

> root at winry:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.000f6656eca4       no              vlan0
>                                                         eth1
> root at winry:~# ifconfig -a
> br0       Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
>           inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:554453 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:759848 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:67278873 (64.1 MiB)  TX bytes:900382647 (858.6 MiB)
>
> eth0      Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:858366 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:614842 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:917086578 (874.6 MiB)  TX bytes:83133452 (79.2 MiB)
>           Interrupt:5 Base address:0x2000
>
> eth1      Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A6
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:548277 errors:0 dropped:0 overruns:0 frame:245926
>           TX packets:775942 errors:241 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:74862782 (71.3 MiB)  TX bytes:905340869 (863.3 MiB)
>           Interrupt:4 Base address:0x1000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:109 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:12948 (12.6 KiB)  TX bytes:12948 (12.6 KiB)
>
> vlan0     Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:23226 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 B)  TX bytes:2521168 (2.4 MiB)
>
> vlan1     Link encap:Ethernet  HWaddr 00:0F:66:56:EC:A4
>           inet addr:192.168.254.2  Bcast:192.168.254.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:858365 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:591616 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:901635910 (859.8 MiB)  TX bytes:80612284 (76.8 MiB)
>
> That's all for the moment, sorry, I know the most useful are the
> wifidog logs.
>
> If you try with a fresh install you should have the same
> information :]
>
> To be sure I repeat what the problem is:
> all requests to the net (vlan1) from the wlan (br0) not on port 80
> are not caught by wifidog.
>
> and the solution:
> just comment these two lines in /etc/init.d/S45firewall:
>
> iptables -A FORWARD -i br0 -o br0 -j ACCEPT
> iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>
> Thanks :]
>
> kaouete
>
> On Wed, Oct 19, 2005 at 11:10:36AM -0400, Philippe April wrote:
>
>> :)
>>
>> I don't mind fixing the bug properly, but I never got the output of
>> everything:
>>
>> ifconfig -a
>> brctl show
>> wifidog -f -d 7
>>
>> On a router that's not working...
>>
>> I don't know where the bug comes from at all.
>>
>> I'll re-read the whole thing but if you could provide more
>> information, it would be awesome. I'll flash a brand new router, not
>> un-bridge the stuff and try it.
>>
>> Philippe April
>> GnuPG http://key.philippeapril.com
>>
>> On 19-Oct-05, at 10:12 AM, kaouete wrote:
>>
>>
>>> I think the same.
>>>
>>> The bug is present in rc3 and the bugfix provided in the
>>> bug report is ok (but I don't know if there are side effects)
>>>
>>> The problem is that everyone has their own config, so for some
>>> there are no problems and for others there are; maybe that is why you
>>> don't have it, Philippe.
>>>
>>> kaouete
>>>
>>> On Wed, Oct 19, 2005 at 03:50:32PM +0200, Max Horváth wrote:
>>>
>>>
>>>> Well, no ... actually this Whiterussian IS OpenWRT Experimental ...
>>>> and this problem still exists ... even on the newest CVS checkout of
>>>> whiterussian.
>>>>
>>>> BUT we got a solution for how to fix it ... so we should close this bug
>>>> as long as we would either include the description for the fix in the
>>>> README or if we'd provide our own S45firewall script.
>>>>
>>>> IF we would provide our own firewall script we COULD then of course
>>>> think about whether we should provide a few basic scripts - let's say one
>>>> like it is right now or for example one with some light restrictions
>>>> and one with heavier restrictions ...
>>>>
>>>> So ... what should we do?
>>>>
>>>> Cheers from rainy Germany, Max!
>>>>
>>>> On 19.10.2005 at 13:54, Philippe April wrote:
>>>>
>>>>>
>>>>> On 19-Oct-05, at 2:54 AM, Max Horváth wrote:
>>>>>
>>>>>> This I'd like to talk about firewalling OpenWRT.
>>>>>>
>>>>>> First we got a bug in the bugtracker:
>>>>>> http://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
>>>>>>
>>>>>> I think this bug could be closed as long as we would include a
>>>>>> note in the gateway's README about how to change the default
>>>>>> S45firewall script. Or we should provide our own version of the
>>>>>> S45firewall script in the gateway package.
>>>>>
>>>>> The bug is on OpenWRT experimental, which is old and buggy.
>>>>>
>>>>> Whiterussian RC3 is out, and I can't replicate the issue. Have you
>>>>> tried it on it?
>>>>>
>>>>> If you can replicate using RC3, I'll leave the bug open, otherwise
>>>>> I'll close it if you don't mind.
>>>>>
>>>>> Let me know!
>>>>>
>>>>> _______________________________________________
>>>>> WiFiDog mailing list
>>>>> WiFiDog at listes.ilesansfil.org
>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>
>>>> -- 
>>>> Max Horváth
>>>> Chief Technology Officer
>>>>
>>>> maxspot GmbH
>>>> Seestr. 73a
>>>> 15711 Zeesen
>>>>
>>>> Tel: 03375 / 922 79 24
>>>> Fax: 03375 / 922 79 27
>>>>
>>>> E-Mail: max.horvath at maxspot.de
>>>> Homepage: http://www.maxspot.de/
>>>>
>>>>


-- 
Max Horváth
Chief Technology Officer

maxspot GmbH
Seestr. 73a
15711 Zeesen

Tel: 03375 / 922 79 24
Fax: 03375 / 922 79 27

E-Mail: max.horvath at maxspot.de
Homepage: http://www.maxspot.de/
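The thread's fix (commenting out the two blanket FORWARD ACCEPTs in S45firewall) works because those rules match before wifidog's own FORWARD rules ever see the packet. The check below is an added example, not code from the thread or from the WiFiDog project: it scans an `iptables-save`-style dump for ACCEPT rules on the LAN interface that precede the first jump into a WiFiDog chain. The dumps are constructed, `$LAN`/`$WAN` are assumed to resolve to br0/vlan1 as in kaouete's setup, and the `WiFiDog_WIFI2Internet` chain name is an assumption.

```shell
# Constructed excerpt of `iptables-save -t filter` on an affected router:
# S45firewall's two ACCEPTs (with $LAN=br0, $WAN=vlan1) sit ahead of the
# jump wifidog appends. The WiFiDog_ chain name is an assumption.
BROKEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT
-A FORWARD -i br0 -j WiFiDog_WIFI2Internet
COMMIT'

# Same constructed dump after the two S45firewall lines are commented out.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -j WiFiDog_WIFI2Internet
COMMIT'

# check_forward_bypass DUMP LAN_IF
# Prints every FORWARD rule that ACCEPTs traffic arriving on LAN_IF before
# the first jump into a WiFiDog_* chain. Such a rule lets unauthenticated
# clients past the portal for everything wifidog would otherwise handle
# (non-port-80 traffic, as described in the thread).
# Returns 1 if a bypass rule was found, 0 if the ordering is clean.
check_forward_bypass() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^-A FORWARD / && /-j WiFiDog_/ { seen_dog = 1 }
        /^-A FORWARD / && !seen_dog && $0 ~ ("-i " lan " ") && /-j ACCEPT$/ {
            print "bypass before WiFiDog jump: " $0
            found = 1
        }
        END { if (found) exit 1 }'
}

check_forward_bypass "$BROKEN_RULES" br0 || echo "S45firewall still pre-empts wifidog"
check_forward_bypass "$FIXED_RULES" br0 && echo "FORWARD ordering is clean"
```

On a live router, replace the constructed dumps with `iptables-save -t filter` output; the function only inspects rule order and never changes the ruleset.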



