[isf-wifidog] RE: Lot WiFiDog, Vol 8, Parution 22

Loďc DEVAUX loic.devaux99 at laposte.net
Ven 16 Sep 18:33:08 EDT 2005


So I tried to install wifidog after the other packages
(libpthread,iptables-extra,kmod-iptables) with the advice of Mario.

The wifidog configuration was: 

FirewallRuleSet global {
    FirewallRule allow udp to 69.90.89.192/27
    FirewallRule allow udp to 69.90.85.0/27
    FirewallRule allow tcp port 80 to 69.90.89.205
}

# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
    FirewallRule block tcp port 25
    FirewallRule allow to 0.0.0.0/0
}

# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}

# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}

# Rule Set: locked-users
#
# Used for users that have been locked out.
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}

And the iptables rules after launching of Wifidog :

root at OpenWrt:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
input_rule  all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp option=!2
flags:SYN,RST,ACK/SYN
REJECT     tcp  --  anywhere             anywhere            reject-with
tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
forwarding_rule  all  --  anywhere             anywhere
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with
tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain WiFiDog_AuthServers (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             81.185.144.61

Chain WiFiDog_Global (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             69.90.89.192/27
ACCEPT     udp  --  anywhere             69.90.85.0/27
ACCEPT     tcp  --  anywhere             69.90.89.205        tcp dpt:80

Chain WiFiDog_Known (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_Locked (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain WiFiDog_Unknown (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:53
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:53
ACCEPT     udp  --  anywhere             anywhere            udp dpt:67
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:67
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain WiFiDog_Validate (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:25
reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_WIFI2Internet (1 references)
target     prot opt source               destination
WiFiDog_AuthServers  all  --  anywhere             anywhere
WiFiDog_Locked  all  --  anywhere             anywhere            MARK match
0x254
WiFiDog_Global  all  --  anywhere             anywhere
WiFiDog_Validate  all  --  anywhere             anywhere            MARK
match 0x1
WiFiDog_Known  all  --  anywhere             anywhere            MARK match
0x2
WiFiDog_Unknown  all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination
root at OpenWrt:~#

But after reboot the router have the same problems: it doesn't distribute
any IP address and is inaccessible and this with only one bridge.

Theses rules are perhaps applied too much early in the launching of
openwrt...


Loďc 
 
-----Message d'origine-----
De : wifidog-bounces at listes.ilesansfil.org
[mailto:wifidog-bounces at listes.ilesansfil.org] De la part de
wifidog-request at listes.ilesansfil.org
Envoyé : vendredi 16 septembre 2005 18:00
Ŕ : wifidog at listes.ilesansfil.org
Objet : Lot WiFiDog, Vol 8, Parution 22

Send WiFiDog mailing list submissions to
	wifidog at listes.ilesansfil.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
or, via email, send a message with subject or body 'help' to
	wifidog-request at listes.ilesansfil.org

You can reach the person managing the list at
	wifidog-owner at listes.ilesansfil.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of WiFiDog digest..."


Thčmes du jour :

   1. Re: RE: Lot WiFiDog, Vol 8, Parution 17 (Max Horváth)
   2. Re: RE: Lot WiFiDog, Vol 8, Parution 17 (Philippe April)
   3. Re: RE: Lot WiFiDog, Vol 8, Parution 17 (Max Horváth)


----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Sep 2005 12:47:33 +0200
From: Max Horváth <max.horvath at freenet.de>
Subject: Re: [isf-wifidog] RE: Lot WiFiDog, Vol 8, Parution 17
To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
Message-ID: <AEBCB58D-7950-4215-A01E-2A913E46268E at freenet.de>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Well, I can confirm that I had the same problems when having two  
bridges ...

That's why I undid to split the LAN from the WLAN ...

Cheers, Max!

Am 16.09.2005 um 07:58 schrieb Philippe April:

> So I'm thinking, maybe it's the custom configuration that I use  
> (split the LAN from the WLAN, basically I have two bridges... which  
> only have one interface in each. If you're asking why, it's to be  
> able to do stuff in a more modular way for wds and such).
>
> br0 = lan
> br1 = wifi
>
> So maybe that's what's causing the problem? I can't imagine that  
> the default script would not work on a regular router...
>



------------------------------

Message: 2
Date: Fri, 16 Sep 2005 08:25:11 -0400
From: Philippe April <isf_lists at philippeapril.com>
Subject: Re: [isf-wifidog] RE: Lot WiFiDog, Vol 8, Parution 17
To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
Message-ID: <4367C9C0-5702-46FE-B513-D8EE6F77EB84 at philippeapril.com>
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed

It worked after you undid the split?

Philippe April
GnuPG http://key.philippeapril.com

On 16-Sep-05, at 6:47 AM, Max Horváth wrote:

> Well, I can confirm that I had the same problems when having two  
> bridges ...
>
> That's why I undid to split the LAN from the WLAN ...



------------------------------

Message: 3
Date: Fri, 16 Sep 2005 15:57:36 +0200
From: Max Horváth <max.horvath at freenet.de>
Subject: Re: [isf-wifidog] RE: Lot WiFiDog, Vol 8, Parution 17
To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
Message-ID: <157DAA4F-C737-4B5E-945D-A09B678E1864 at freenet.de>
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed

Well, yes it did ;) ...

Am 16.09.2005 um 14:25 schrieb Philippe April:

> It worked after you undid the split?
>
> Philippe April
> GnuPG http://key.philippeapril.com
>
> On 16-Sep-05, at 6:47 AM, Max Horváth wrote:
>
>
>> Well, I can confirm that I had the same problems when having two  
>> bridges ...
>>
>> That's why I undid to split the LAN from the WLAN ...
>>
>
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>



------------------------------

_______________________________________________
WiFiDog mailing list
WiFiDog at listes.ilesansfil.org
http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog

Fin de Lot WiFiDog, Vol 8, Parution 22
**************************************



More information about the WiFiDog mailing list