[isf-wifidog] RE: WiFiDog Digest, Vol 8, Issue 22
Loïc DEVAUX
loic.devaux99 at laposte.net
Fri 16 Sep 18:33:08 EDT 2005
So I tried to install wifidog after the other packages
(libpthread, iptables-extra, kmod-iptables) on the advice of Mario.
The wifidog configuration was:
FirewallRuleSet global {
FirewallRule allow udp to 69.90.89.192/27
FirewallRule allow udp to 69.90.85.0/27
FirewallRule allow tcp port 80 to 69.90.89.205
}
# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
FirewallRule block tcp port 25
FirewallRule allow to 0.0.0.0/0
}
# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
FirewallRule allow to 0.0.0.0/0
}
# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
# Rule Set: locked-users
#
# Used for users that have been locked out.
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}
And the iptables rules after launching WiFiDog:
root@OpenWrt:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT gre -- anywhere anywhere
input_rule all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN,RST,ACK/SYN
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
forwarding_rule all -- anywhere anywhere
WiFiDog_WIFI2Internet all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain WiFiDog_AuthServers (1 references)
target prot opt source destination
ACCEPT all -- anywhere 81.185.144.61

Chain WiFiDog_Global (1 references)
target prot opt source destination
ACCEPT udp -- anywhere 69.90.89.192/27
ACCEPT udp -- anywhere 69.90.85.0/27
ACCEPT tcp -- anywhere 69.90.89.205 tcp dpt:80

Chain WiFiDog_Known (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain WiFiDog_Locked (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain WiFiDog_Unknown (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:53
ACCEPT tcp -- anywhere anywhere tcp dpt:53
ACCEPT udp -- anywhere anywhere udp dpt:67
ACCEPT tcp -- anywhere anywhere tcp dpt:67
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain WiFiDog_Validate (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:25 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere

Chain WiFiDog_WIFI2Internet (1 references)
target prot opt source destination
WiFiDog_AuthServers all -- anywhere anywhere
WiFiDog_Locked all -- anywhere anywhere MARK match 0x254
WiFiDog_Global all -- anywhere anywhere
WiFiDog_Validate all -- anywhere anywhere MARK match 0x1
WiFiDog_Known all -- anywhere anywhere MARK match 0x2
WiFiDog_Unknown all -- anywhere anywhere

Chain forwarding_rule (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination

Chain output_rule (1 references)
target prot opt source destination
root@OpenWrt:~#
But after reboot the router has the same problems: it doesn't distribute
any IP address and is inaccessible, and this with only one bridge.
These rules are perhaps applied too early in the launching of
OpenWrt...
Loïc
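To see how the FirewallRuleSet blocks above turn into the WiFiDog_* chains in the dump, here is a small added parser (my own example, not WiFiDog's code). The ruleset-to-chain mapping is assumed from the dump, `block` is rendered as REJECT because that is what the dump shows, and the sample config is a constructed excerpt; `dhcp_allowed` checks the one thing a client needs before it can even get an address, udp/67 in the unknown-users set.

```python
import re
# Ruleset name -> iptables chain, as the dump above shows (assumed mapping).
CHAIN_FOR = {"global": "WiFiDog_Global", "validating-users": "WiFiDog_Validate",
             "known-users": "WiFiDog_Known", "unknown-users": "WiFiDog_Unknown",
             "locked-users": "WiFiDog_Locked"}
# Constructed excerpt modelled on the thread's config, not the real file.
SAMPLE = """FirewallRuleSet global {
FirewallRule allow tcp port 80 to 69.90.89.205
}
FirewallRuleSet unknown-users {   # WiFiDog appends the default drop here
FirewallRule allow udp port 53
FirewallRule allow udp port 67
}
"""
RULE_RE = re.compile(r"FirewallRule\s+(allow|block)(?:\s+(tcp|udp))?"
                     r"(?:\s+port\s+(\d+))?(?:\s+to\s+(\S+))?$")

def parse_rulesets(text):
    # Returns {ruleset: [(action, proto, port, dest)]}; '#' comments are ignored.
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("FirewallRuleSet"):
            sets[(current := line.split()[1])] = []
        elif line == "}":
            current = None
        elif line:  # must be a FirewallRule inside an open ruleset
            m = RULE_RE.match(line)
            if not m or current is None:
                raise ValueError(f"unparsable line: {raw!r}")
            sets[current].append((m[1], m[2] or "all", m[3] or "", m[4] or "0.0.0.0/0"))
    return sets

def to_iptables(sets):
    # Renders rulesets as iptables commands; 'block' becomes REJECT as in the dump.
    cmds = []
    for name, rules in sets.items():
        for action, proto, port, dest in rules:
            cmd = (f"iptables -A {CHAIN_FOR[name]} -p {proto}" + (f" --dport {port}" if port else "")
                   + (f" -d {dest}" if dest != "0.0.0.0/0" else ""))
            cmds.append(cmd + (" -j ACCEPT" if action == "allow" else " -j REJECT"))
        if name == "unknown-users":  # the redirect code adds the default drop
            cmds.append(f"iptables -A {CHAIN_FOR[name]} -j REJECT")
    return cmds

def dhcp_allowed(sets):
    # The first unknown-users rule covering udp/67 (DHCP) decides; none means denied.
    hits = [a for a, p, port, d in sets.get("unknown-users", [])
            if p in ("udp", "all") and port in ("67", "") and d == "0.0.0.0/0"]
    return bool(hits) and hits[0] == "allow"
```

Running `to_iptables(parse_rulesets(SAMPLE))` reproduces the WiFiDog_Global and WiFiDog_Unknown chains of the dump, which confirms the config itself lets unvalidated clients reach DHCP and DNS; a router that still hands out no addresses after reboot is therefore more likely a boot-order problem than a ruleset problem.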
-----Original Message-----
From: wifidog-bounces at listes.ilesansfil.org
[mailto:wifidog-bounces at listes.ilesansfil.org] On behalf of
wifidog-request at listes.ilesansfil.org
Sent: Friday 16 September 2005 18:00
To: wifidog at listes.ilesansfil.org
Subject: WiFiDog Digest, Vol 8, Issue 22
Today's Topics:
1. Re: RE: WiFiDog Digest, Vol 8, Issue 17 (Max Horváth)
2. Re: RE: WiFiDog Digest, Vol 8, Issue 17 (Philippe April)
3. Re: RE: WiFiDog Digest, Vol 8, Issue 17 (Max Horváth)
----------------------------------------------------------------------
Message: 1
Date: Fri, 16 Sep 2005 12:47:33 +0200
From: Max Horváth <max.horvath at freenet.de>
Subject: Re: [isf-wifidog] RE: WiFiDog Digest, Vol 8, Issue 17
To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
Message-ID: <AEBCB58D-7950-4215-A01E-2A913E46268E at freenet.de>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Well, I can confirm that I had the same problems when having two
bridges ...
That's why I undid the split of the LAN from the WLAN ...
Cheers, Max!
On 16.09.2005 at 07:58, Philippe April wrote:
> So I'm thinking, maybe it's the custom configuration that I use
> (splitting the LAN from the WLAN; basically I have two bridges, which
> only have one interface each. If you're asking why, it's to be
> able to do stuff in a more modular way for WDS and such).
>
> br0 = lan
> br1 = wifi
>
> So maybe that's what's causing the problem? I can't imagine that
> the default script would not work on a regular router...
>
------------------------------
Message: 2
Date: Fri, 16 Sep 2005 08:25:11 -0400
From: Philippe April <isf_lists at philippeapril.com>
Subject: Re: [isf-wifidog] RE: WiFiDog Digest, Vol 8, Issue 17
To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
Message-ID: <4367C9C0-5702-46FE-B513-D8EE6F77EB84 at philippeapril.com>
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed
It worked after you undid the split?
Philippe April
GnuPG http://key.philippeapril.com
On 16-Sep-05, at 6:47 AM, Max Horváth wrote:
> Well, I can confirm that I had the same problems when having two
> bridges ...
>
> That's why I undid the split of the LAN from the WLAN ...
------------------------------
Message: 3
Date: Fri, 16 Sep 2005 15:57:36 +0200
From: Max Horváth <max.horvath at freenet.de>
Subject: Re: [isf-wifidog] RE: WiFiDog Digest, Vol 8, Issue 17
To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
Message-ID: <157DAA4F-C737-4B5E-945D-A09B678E1864 at freenet.de>
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed
Well, yes it did ;) ...
On 16.09.2005 at 14:25, Philippe April wrote:
> It worked after you undid the split?
>
> Philippe April
> GnuPG http://key.philippeapril.com
>
> On 16-Sep-05, at 6:47 AM, Max Horváth wrote:
>
>
>> Well, I can confirm that I had the same problems when having two
>> bridges ...
>>
>> That's why I undid the split of the LAN from the WLAN ...
>>
>
------------------------------