Stop deprecating OpenWrt's firewall package #139
Conversation
Every time I have tested building with the OpenWrt firewall bundled in, and flashed it in real-world networks, I ended up with a hurdle of problems, and debugging them rapidly ended up in some weird interaction between the OpenWrt firewall, which is designed around a home gateway setup, and how the packets flow in a mesh. So I am against stopping suggesting to remove the firewall package, and for keeping compatibility as much as possible both with plain iptables and the OpenWrt firewall.
Which are the problematic rules? https://github.com/openwrt/openwrt/blob/master/package/network/config/firewall/files/firewall.config
@G10h4ck hint for answering: none is problematic.
Update on this: since OpenWrt 22.03, firewall4 is now the default choice, and the default rules are these: https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/etc/config/firewall;hb=HEAD
I went through the rules; they can be summarized as:
So I hold my opinion also for firewall4: it should be OK with LibreMesh.
We could document how to easily enable the SSH port on the WAN, or enable it by default and document how to disable it; see the discussion on libremesh/lime-packages#280.

Another reason for blocking ports 80 and 443 is that when FirstBootWizard is used, it spreads the hash of the root password via a file accessible over HTTP at http://thisnode.info/cgi-bin/lime/lime-community

There are reports of people using WAN-WAN connections for limiting the broadcast traffic going across this link, @nicopace, for example if they use this link for connecting two clouds. At first sight this seems a very bad idea (see my comments on libremesh/lime-packages#280), but actually the LAN-LAN connections can carry more broadcast (supposing that WAN and LAN are not in the same bridge, something I don't remember), even if the batman-adv clouds are on different VLANs. If we don't find a better way to do the same, we could support and document the usage of WAN-WAN connections.
Answering to @G10h4ck here: libremesh/lime-packages#959 (comment)
The people who need the WAN-WAN mesh connections should just add one line of configuration for allowing the connections on that port, configuring the firewall, as suggested in the discussion above. Obviously, we need to document that.
This specific thing is commented on in more detail here:
I added the documentation in ab7491f. I specified both how to connect via SSH from the WAN port (opening port 22) and how to open it completely for WAN-WAN connections. Please, people using WAN-WAN connections, can you confirm that the documentation is correct? In the meantime, for the rest of the users I am sure it is better to have the firewall up (see the conversation above). Can we merge this?
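As an added illustration of the two cases discussed in this thread (SSH from the WAN port, and a WAN-WAN mesh link), and not the text of the documentation in ab7491f nor LibreMesh's own configuration, here is what such entries look like in OpenWrt's UCI firewall syntax in /etc/config/firewall; the zone name `wan` matches the default OpenWrt config, while `<mesh-port>` and `<peer-ip>` are placeholders for values this thread does not specify.

```uci
# Case 1: allow SSH on the WAN port only, nothing else.
# Restricting to the peer's address keeps the exposure minimal.
config rule
	option name 'Allow-SSH-from-WAN'
	option src 'wan'
	option src_ip '<peer-ip>'      # placeholder; drop this line to accept any source
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Case 2a: a WAN-WAN mesh link that needs one protocol port open.
# Preferable to opening the zone: only the mesh port is reachable from the WAN side.
config rule
	option name 'Allow-mesh-from-WAN'
	option src 'wan'
	option src_ip '<peer-ip>'      # placeholder; the other router of the WAN-WAN link
	option proto 'udp'
	option dest_port '<mesh-port>' # placeholder; port used by the mesh protocol on this link
	option target 'ACCEPT'

# Case 2b: opening the WAN zone completely, as discussed for WAN-WAN connections.
# This is the stock OpenWrt wan zone with 'input' changed from REJECT to ACCEPT:
# every service listening on the router becomes reachable from the WAN side,
# including the HTTP endpoints mentioned above, so case 2a is the safer choice.
config zone
	option name 'wan'
	list network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
```

After editing the file, `/etc/init.d/firewall reload` applies the change; `fw4 print` (firewall4, OpenWrt 22.03+) shows the resulting nftables ruleset so the opened ports can be verified.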
See discussion on libremesh/lime-packages#280