Ticket #868 (new enhancement)

Opened 3 months ago

Last modified 3 weeks ago

Easier AICCU setup

Reported by: M66B Owned by:
Priority: normal Milestone: freetz-1.2
Component: packages Version: devel
Severity: normal Keywords:
Cc: Product ID:
Firmware Version:

Description

Since the wiki contains a lot of steps, my proposal is to make setting up AICCU easier (we can!):

  • Auto select radvd
  • Auto select ip6tables + needed modules
  • Setup basic firewall at startup

I am not sure if all needed modules/libraries are included/modprobe'd and if all dependencies are met (I did my best figuring it out).

Is it somehow possible to check in rc.aiccu if FREETZ_PACKAGE_AICCU_FIREWALL is selected?

Attachments

aiccu_firewall.patch Download (1.7 KB) - added by M66B 3 months ago.

Change History

Changed 3 months ago by M66B

Changed 3 months ago by cuma (follow-ups: 2, 3)

Hello, I happen to be playing around with IPv6 a bit at the moment too :-)
-ip6tables "-m state" only works from kernel 2.6.20 onwards (see the comments in aiccu); Oliver wanted to have a look at whether he can backport it
-I think it would be best if everyone could edit the firewall rules themselves, e.g. I don't like 'ip6tables -t filter -P FORWARD ACCEPT' at all
-Radvd should only be optional, perhaps as a sub-option of Aiccu? (I don't use it, I have assigned static IPs :-)))
-FREETZ_PACKAGE_AICCU_FIREWALL cannot be queried. The only thing that comes to mind is a "flag file" under make/PKG/files/root/…

on the rules
-"ip6t_rt"/"RH0 filters" should be included too: http://www.sixxs.net/faq/connectivity/?faq=filters
-"ip6tables -F" and "ip6tables -X" would be good too, otherwise the rules keep piling up
-fe80::/10 (local) and ff00::/8 (multicast) should also be allowed

Changed 3 months ago by M66B (in reply to: 1)

Replying to cuma:

Hello, I happen to be playing around with IPv6 a bit at the moment too :-)

You like to play too! ;-)

-ip6tables "-m state" only works from kernel 2.6.20 onwards (see the comments in aiccu); Oliver wanted to have a look at whether he can backport it

Good to know, never realized that. (however iptables is in unstable)

-I think it would be best if everyone could edit the firewall rules themselves, e.g. I don't like 'ip6tables -t filter -P FORWARD ACCEPT' at all

Of course the firewall rules should be an option, the default is intended for less experienced users, better than an open connection.

-Radvd should only be optional, perhaps as a sub-option of Aiccu? (I don't use it, I have assigned static IPs :-)))

I guess you have enough addresses ;-) I will make it an option.

-FREETZ_PACKAGE_AICCU_FIREWALL cannot be queried. The only thing that comes to mind is a "flag file" under make/PKG/files/root/…

on the rules
-"ip6t_rt"/"RH0 filters" should be included too: http://www.sixxs.net/faq/connectivity/?faq=filters
-"ip6tables -F" and "ip6tables -X" would be good too, otherwise the rules keep piling up
-fe80::/10 (local) and ff00::/8 (multicast) should also be allowed

Okay, I will change that. If you have suggestions for basic rules, let me know.

Thanks for the feedback.

Changed 3 months ago by M66B (in reply to: 1)

What is your opinion about the firewall rules described here?

I could add a checkbox, so that the firewall rules can be toggled on and off from the Freetz interface, so more experienced users can do their own thing. And/or a big box where the firewall rules can be manipulated, with a reasonable default for novice users.

Changed 3 months ago by cuma (follow-up: 5)

The rules at http://www.sixxs.net/wiki/IPv6_Firewalling look quite good, and I also like the idea of one big input box. But it would be best to wait a little with it, maybe someone manages to patch "state".
Also regarding "FREETZ_PACKAGE_AICCU_FIREWALL": the modules have different names in the kernels of the 7170 and the 7270.

Changed 3 months ago by M66B (in reply to: 4)

Replying to cuma:

But it would be best to wait a little with it, maybe someone manages to patch "state".

I hope so, because that would be the best solution.

Also regarding "FREETZ_PACKAGE_AICCU_FIREWALL": the modules have different names in the kernels of the 7170 and the 7270.

What are they called on the 7170? (or better, where is that information available?)

Changed 3 months ago by cuma

Have a look at make/iptables/Config.in or, depending on the hardware, "make kernel-menuconfig"

Changed 4 weeks ago by oliver

@M66B Did you proceed here? Or do you need help?

Changed 4 weeks ago by M66B

I was hoping that somebody could patch the state module, but we could use the firewall rules suggested in 5 as default. I am happy to update this patch with the suggested checkbox and/or big editbox and correct module names.

Changed 4 weeks ago by cuma

Seems nobody is able to backport state into our old kernel. :-( Perhaps the labor-firmware has some hacks to use it?

Changed 4 weeks ago by oliver

I don't think that we can catch any hints from AVM because of their userspace binaries…

Changed 4 weeks ago by M66B

I am still not sure which modules for the 7170 should be modprobe'd and I am also not sure which firewall rules should be applied. My suggestion is to use stateless rules in any case, so that this can work for all or at least most boxes. It could be the earlier mentioned rules from the SixXS example or maybe the rules suggested by mike in the wiki. Any thoughts on this?

Changed 4 weeks ago by cuma

Sixxs's version ACCEPTs and then REJECTs, so I think mike's is better

Changed 3 weeks ago by oliver

I would vote for a switch. "Enable basic firewall rules"

I would guess that you need:

ip_tables
ipt_state
ip6_tables
ip6table_filter

on a 2.6.13.1 kernel box.

What about ip_conntrack?

Changed 3 weeks ago by cuma

You no longer need NAT for IPv6. The problem here is STATE. Or do you mean IPv4?
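The flag-file check and a stateless ip6tables ruleset along the lines discussed above (no "-m state", flush first, allow link-local and multicast, drop RH0, modules that may be missing), as an added example that is neither the attached aiccu_firewall.patch nor Freetz's own rc.aiccu; the flag-file path, the interface names and the module list are assumptions:

```shell
#!/bin/sh
# Added example for rc.aiccu (not the ticket's attached patch): stateless IPv6 rules,
# since "-m state" needs kernel >= 2.6.20. Flag-file path, interface names, module list: assumptions.
AICCU_FW_FLAG="${AICCU_FW_FLAG:-/etc/aiccu_firewall}"  # installed via files/root/ at build time (assumed path)
AICCU_IFACE="${AICCU_IFACE:-sixxs}"                    # tunnel device set up by aiccu (assumed name)
LAN_IFACE="${LAN_IFACE:-lan}"                          # inner interface radvd would announce on (assumed)

# FREETZ_PACKAGE_AICCU_FIREWALL is a build-time symbol and cannot be queried on
# the box, so the package installs a flag file and rc.aiccu tests for that instead.
aiccu_fw_enabled() {
    [ -f "$AICCU_FW_FLAG" ]
}

# Print the ruleset one command per line; nothing is executed here, so the output
# can be reviewed, or replaced by the contents of a web-interface text box.
# Stateless trade-off: TCP replies are let in by "! --syn", but UDP replies
# (e.g. DNS answers to the box itself) cannot be matched without conntrack.
aiccu_fw_rules() {
    cat <<EOF
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -i $LAN_IFACE -j ACCEPT
ip6tables -A INPUT -i $AICCU_IFACE -p tcp ! --syn -j ACCEPT
ip6tables -A FORWARD -i $LAN_IFACE -o $AICCU_IFACE -j ACCEPT
ip6tables -A FORWARD -i $AICCU_IFACE -o $LAN_IFACE -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -i $AICCU_IFACE -o $LAN_IFACE -p tcp ! --syn -j ACCEPT
EOF
}

# Load the modules the ruleset needs, then apply it. Module names differ between
# the 7170 and 7270 kernels, so a missing module is skipped rather than fatal.
aiccu_fw_apply() {
    for m in ip6_tables ip6table_filter ip6t_rt; do
        modprobe "$m" 2>/dev/null || true
    done
    aiccu_fw_rules | sh -e
}

case "${1:-}" in
    start) aiccu_fw_enabled && aiccu_fw_apply ;;
esac
```

Running it as "rc.aiccu start" applies the rules only when the flag file exists; calling aiccu_fw_rules on its own just lists what would be applied.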
