Discussion:
Query about OpenWRT-specific firewall settings preferred for SmartGateway
Ben West
2013-10-21 17:07:33 UTC
Hello,

I happened upon this 2-year-old page on the Freifunk wiki listing (in
German) preferred firewall settings to use with the SmartGateway plugin:

http://wiki.freifunk.net/index.php?title=OLSR/SmartGateway

Are these suggested firewall settings still valid for OpenWRT?

The info provided in README-Olsr-Extensions is a bit more vague about
suggested firewall / iptables setup for SmartGateway, i.e. to accommodate
diverse linux distros.
--
Ben West
http://gowasabi.net
***@gowasabi.net
314-246-9434
Teco Boot
2013-10-22 05:02:13 UTC
The firewall filter could be needed if a catch-all DROP rule in the forward chain exists.
I don't understand the masquerade. Maybe something with rp_filter.
Don't forget TCPMSS.

Teco


This could have to do with rpfilter.
--
Olsr-users mailing list
Olsr-***@lists.olsr.org
https://lists.olsr.org/mailman/listinfo/olsr-users
Ben West
2013-10-22 17:19:15 UTC
Hi Teco,

Thank you for the response. I have indeed been looking for examples of
current iptables syntax for TCPMSS appropriate to the default chains set up
by OpenWRT (of which there are many).

Besides the chain named "FORWARD," as suggested in README-Olsr-Extensions,
OpenWRT also has the chains "forward," and "forwarding_wan,"
"zone_wan_forward," et al. If anyone else on this list has such an
iptables rule working on OpenWRT AA, do certainly feel free to chime in.

Also, I believe I was able to answer my own question. The olsrd.init file
presently packaged with OpenWRT does now include the two iptables rules
listed on the Freifunk wiki page for use with the SmartGateway option.

https://github.com/openwrt-routing/packages/blob/master/olsrd/files/olsrd.init
Teco Boot
2013-10-22 19:02:59 UTC
I use:
iptables -t mangle -A POSTROUTING -o tnl_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

This applies to the output chain also.

Teco
Ben West
2013-10-22 20:29:44 UTC
Hi Teco,

Thank you very much for sharing that.

Why MTU=1440? README-Olsr-Extensions suggests MTU=1480. Does the MTU
preferred by SmartGateway decrease with increasing mesh hops? E.g. 1 hop
would require maximum MTU=1480, 2 hops -> MTU=1440?
Teco Boot
2013-10-23 14:13:08 UTC
The 1440 must be my work_on_most_tunnels default.

Tunneled traffic via sgw shall use a lower value, <= mtu - (sgw ipip overhead) - (other tunnel overhead). Usually I configure a lower TCPMSS than the allowed maximum, to be adaptive to something I am not aware of. At the cost of a little overhead.

Teco
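A worked version of the MSS arithmetic in Teco's last two replies, added here as an example. It is not code from the thread, from olsrd, or from the OpenWrt olsrd package. It assumes IPv4 with no TCP options (20-byte IP and TCP headers) and 20 bytes for the extra IPv4 header the SmartGateway IPIP tunnel adds, takes the tnl_+ interface glob from Teco's rule, and only prints the iptables commands instead of running them, so it works without root. Any further overhead (another tunnel under the uplink, or a deliberate safety margin as Teco describes) is passed as additional arguments. The PREROUTING rule for SYNs arriving from the tunnel is an assumption of mine, not something the thread states is required.

```shell
#!/bin/sh
# Added example, not from the thread or from olsrd/OpenWrt.
# Derive the TCP MSS to clamp on the SmartGateway IPIP tunnel from the link
# MTU and the tunnel overheads, then print the iptables rules that apply it.

IPV4_HDR=20        # IPv4 header, no options
TCP_HDR=20         # TCP header, no options
IPIP_OVERHEAD=20   # one extra IPv4 header per packet for the SGW IPIP tunnel

# tunnel_mtu LINK_MTU [EXTRA_OVERHEAD ...]
# MTU usable inside the SGW tunnel: link MTU minus the IPIP header and any
# further overheads stacked under it (another tunnel, or a safety margin).
tunnel_mtu() {
    mtu=$(($1 - IPIP_OVERHEAD)); shift
    for o in "$@"; do
        mtu=$((mtu - o))
    done
    echo "$mtu"
}

# mss_for_mtu MTU
# Largest TCP payload that fits in one packet of that MTU (no TCP options).
mss_for_mtu() {
    echo $(($1 - IPV4_HDR - TCP_HDR))
}

# sgw_mss LINK_MTU [EXTRA_OVERHEAD ...]
# A plain 1500-byte uplink gives tunnel MTU 1480 and MSS 1440 (Teco's value).
sgw_mss() {
    mss_for_mtu "$(tunnel_mtu "$@")"
}

# print_rules MSS
# Emit the clamping rules instead of executing them (no root needed here).
# mangle/POSTROUTING sees forwarded mesh traffic and the gateway's own
# traffic alike, so one rule covers both FORWARD and OUTPUT; tnl_+ matches
# the tunnel interfaces as in Teco's rule.
print_rules() {
    mss=$1
    echo "iptables -t mangle -A POSTROUTING -o tnl_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    # Assumption (not from the thread): also clamp SYNs arriving from the tunnel.
    echo "iptables -t mangle -A PREROUTING -i tnl_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Usage: sh sgw-mss.sh --print [LINK_MTU [EXTRA_OVERHEAD ...]]
if [ "${1:-}" = "--print" ]; then
    shift
    [ $# -gt 0 ] || set -- 1500
    print_rules "$(sgw_mss "$@")"
fi
```

Running it with --print and no further arguments reproduces Teco's 1440: the 1480 tunnel MTU from README-Olsr-Extensions minus 40 bytes of IP and TCP headers. Because the script only prints, the emitted lines can be pasted into whatever hook the firewall on the box provides (on OpenWrt of that era, /etc/firewall.user) after checking with iptables -t mangle -L -n that no earlier rule already handles the tunnel interfaces.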