[Berlin-wireless] FF wizard pberg-221: WAN gateway restriction does not work

Arne Zachlod arne
Sun Apr 27 21:47:09 CEST 2014


It has been 2-3 weeks since I flashed the firmware, and to be honest I
no longer know it for 100% certain, but I am fairly sure that
I flashed the VPN firmware. In any case I did not have to install OpenVPN
afterwards, and Luci with the FF wizard was already included as well.

Which version did you install?

[x] attitude_adjustment
[ ] barrier_breaker

[ ] freifunk
[ ] minimal
[?] vpn

Here are the outputs as well:
=================================================================================
# opkg list_installed
6relayd - 2013-07-26-2ed520c500b0fbb484cfad5687eb39a0da43dcf7
auto-ipv6-node - 0.0.4-1
base-files - 118.2-r38286
busybox - 1.19.4-6
community-profiles - 2
dnsmasq - 2.66-2
dropbear - 2011.54-2
firewall - 2013-06-29
freifunk-common - 1
freifunk-firewall - 3
freifunk-gwcheck - 3
freifunk-policyrouting - 5
freifunk-watchdog - 8
horst - 3.0-1
hotplug2 - 1.0-beta-4
ip - 3.3.0-2
iw - 3.6-1
iwinfo - 44
jshn - 2013-08-01-04f194aa8a04926fe7f2e42bbf9ba6c62d49339e
kernel - 3.3.8-1-25191d38effb1f07e820f322ac2a1607
kmod-ath - 3.3.8+2013-06-27-1
kmod-ath9k - 3.3.8+2013-06-27-1
kmod-ath9k-common - 3.3.8+2013-06-27-1
kmod-cfg80211 - 3.3.8+2013-06-27-1
kmod-crypto-aes - 3.3.8-1
kmod-crypto-arc4 - 3.3.8-1
kmod-crypto-core - 3.3.8-1
kmod-gpio-button-hotplug - 3.3.8-1
kmod-ipip - 3.3.8-1
kmod-ipt-conntrack - 3.3.8-1
kmod-ipt-core - 3.3.8-1
kmod-ipt-nat - 3.3.8-1
kmod-iptunnel4 - 3.3.8-1
kmod-ipv6 - 3.3.8-1
kmod-leds-gpio - 3.3.8-1
kmod-ledtrig-default-on - 3.3.8-1
kmod-ledtrig-netdev - 3.3.8-1
kmod-ledtrig-timer - 3.3.8-1
kmod-mac80211 - 3.3.8+2013-06-27-1
kmod-tun - 3.3.8-1
kmod-wdt-ath79 - 3.3.8-1
libblobmsg-json - 2013-08-01-04f194aa8a04926fe7f2e42bbf9ba6c62d49339e
libc - 0.9.33.2-1
libgcc - 4.6-linaro-1
libip4tc - 1.4.10-5
libip6tc - 1.4.10-5
libiwinfo - 44
libiwinfo-lua - 44
libjson-c - 0.11-2
liblua - 5.1.4-8
liblzo - 2.06-1
libncurses - 5.7-5
libnl-tiny - 0.1-3
libpolarssl - 1.2.5-1
libpthread - 0.9.33.2-1
librpc - 0.9.32-rc2-0a2179bbc0844928f2a0ec01dba93d9b5d6d41a7
libubox - 2013-08-01-04f194aa8a04926fe7f2e42bbf9ba6c62d49339e
libubus - 2013-08-08-b20a8a01c7faea5bcc9d34d10dcf7736589021b8
libubus-lua - 2013-08-08-b20a8a01c7faea5bcc9d34d10dcf7736589021b8
libuci - 2013-06-11.1-1
libuci-lua - 2013-06-11.1-1
libxtables - 1.4.10-5
lua - 5.1.4-8
luci-app-ffwizard-pberg - 0.0.2-9
luci-app-freifunk-policyrouting - svn-r9913-1
luci-app-olsr - svn-r9913-1
luci-app-olsr-services - svn-r9913-1
luci-app-owm - 0.4.9
luci-app-owm-ant - 0.4.9
luci-app-owm-cmd - 0.4.9
luci-app-owm-gui - 0.4.9
luci-i18n-german - svn-r9913-1
luci-lib-core - svn-r9913-1
luci-lib-httpclient - svn-r9913-1
luci-lib-ipkg - svn-r9913-1
luci-lib-json - svn-r9913-1
luci-lib-luaneightbl - svn-r9913-1
luci-lib-nixio - svn-r9913-1
luci-lib-sys - svn-r9913-1
luci-lib-web - svn-r9913-1
luci-mod-admin-core - svn-r9913-1
luci-mod-admin-full - svn-r9913-1
luci-mod-admin-mini - svn-r9913-1
luci-mod-freifunk - svn-r9913-1
luci-proto-core - svn-r9913-1
luci-sgi-cgi - svn-r9913-1
luci-theme-base - svn-r9913-1
luci-theme-bootstrap - svn-r9913-1
mtd - 18.1
netifd - 2013-07-16-2674941b06c1ec67f1aff1bff9212e1372106641
olsrd - 0.6.6-2
olsrd-mod-arprefresh - 0.6.6-2
olsrd-mod-dyn-gw-plain - 0.6.6-2
olsrd-mod-jsoninfo - 0.6.6-2
olsrd-mod-nameservice - 0.6.6-2
olsrd-mod-p2pd - 0.6.6-2
olsrd-mod-txtinfo - 0.6.6-2
olsrd-mod-watchdog - 0.6.6-2
openvpn-polarssl - 2.3.0-1
opkg - 618-3
swconfig - 10
terminfo - 5.7-5
uboot-envtools - 2012.04.01-1
ubus - 2013-08-08-b20a8a01c7faea5bcc9d34d10dcf7736589021b8
ubusd - 2013-08-08-b20a8a01c7faea5bcc9d34d10dcf7736589021b8
uci - 2013-06-11.1-1
uhttpd - 2012-10-30-e57bf6d8bfa465a50eea2c30269acdfe751a46fd
uhttpd-mod-ubus - 2012-10-30-e57bf6d8bfa465a50eea2c30269acdfe751a46fd
wpad-mini - 20130405-1
=================================================================================
# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@defaults[0].drop_invalid=0
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@include[1]=include
firewall.@include[1].path=/etc/firewall.freifunk
firewall.@advanced[0]=advanced
firewall.@advanced[0].tcp_westwood=1
firewall.@advanced[0].tcp_ecn=0
firewall.@advanced[0].ip_conntrack_max=8192
firewall.zone_freifunk=zone
firewall.zone_freifunk.masq=1
firewall.zone_freifunk.input=ACCEPT
firewall.zone_freifunk.forward=REJECT
firewall.zone_freifunk.name=freifunk
firewall.zone_freifunk.output=ACCEPT
firewall.zone_freifunk.masq_src=255.255.255.255/32 192.168.178.2/24
firewall.zone_freifunk.network=tunl0 wireless0 wireless0dhcp lan ffvpn
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=freifunk
firewall.@forwarding[0].src=freifunk
firewall.@rule[5]=rule
firewall.@rule[5].proto=icmp
firewall.@rule[5].target=ACCEPT
firewall.@rule[5].src=freifunk
firewall.@rule[6]=rule
firewall.@rule[6].dest_port=80
firewall.@rule[6].proto=tcp
firewall.@rule[6].target=ACCEPT
firewall.@rule[6].src=freifunk
firewall.@rule[7]=rule
firewall.@rule[7].dest_port=443
firewall.@rule[7].proto=tcp
firewall.@rule[7].target=ACCEPT
firewall.@rule[7].src=freifunk
firewall.@rule[8]=rule
firewall.@rule[8].dest_port=22
firewall.@rule[8].proto=tcp
firewall.@rule[8].target=ACCEPT
firewall.@rule[8].src=freifunk
firewall.@rule[9]=rule
firewall.@rule[9].dest_port=698
firewall.@rule[9].proto=udp
firewall.@rule[9].target=ACCEPT
firewall.@rule[9].src=freifunk
firewall.@rule[10]=rule
firewall.@rule[10].dest_port=17990
firewall.@rule[10].proto=tcp
firewall.@rule[10].target=ACCEPT
firewall.@rule[10].src=freifunk
firewall.@rule[11]=rule
firewall.@rule[11].dest_port=53
firewall.@rule[11].src=freifunk
firewall.@rule[11].target=ACCEPT
firewall.@rule[11].proto=udp
firewall.@rule[12]=rule
firewall.@rule[12].src_port=68
firewall.@rule[12].src=freifunk
firewall.@rule[12].target=ACCEPT
firewall.@rule[12].dest_port=67
firewall.@rule[12].proto=udp
firewall.@rule[13]=rule
firewall.@rule[13].dest_port=8082
firewall.@rule[13].src=freifunk
firewall.@rule[13].target=ACCEPT
firewall.@rule[13].proto=tcp
firewall.@zone[0]=zone
firewall.@zone[0].masq=1
firewall.@zone[0].network=wan
firewall.@zone[0].forward=REJECT
firewall.@zone[0].name=wan
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].local_restrict=1
firewall.@zone[0].input=ACCEPT
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=wan
firewall.@forwarding[1].src=freifunk
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest=freifunk
firewall.@forwarding[2].src=wan
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest=wan
firewall.@forwarding[3].src=lan
firewall.@rule[14]=rule
firewall.@rule[14].dest_port=1194
firewall.@rule[14].proto=udp
firewall.@rule[14].name=Reject-VPN-over-ff
firewall.@rule[14].dest=freifunk
firewall.@rule[14].dest_ip=77.87.48.10
firewall.@rule[14].target=REJECT
firewall.@rule[14].family=ipv4
=================================================================================
# uci show freifunk
freifunk.contact=public
freifunk.contact.mail=freifunk-node at arne.nerdkeller.org
freifunk.community=public
freifunk.community.ssid=olsr.freifunk.net
freifunk.community.mapserver=http://map.pberg.freifunk.net/
freifunk.community.longitude=13.40948
freifunk.community.splash_network=10.104.0.0/16
freifunk.community.homepage=http://berlin.freifunk.net
freifunk.community.mesh_network=104.0.0.0/8
freifunk.community.latitude=52.52075
freifunk.community.splash_prefix=27
freifunk.community.owm_api=http://api.openwifimap.net http://owmapi.pberg.freifunk.net
freifunk.community.name=berlin
freifunk.zone_freifunk=fw_zone
freifunk.zone_freifunk.name=freifunk
freifunk.zone_freifunk.input=REJECT
freifunk.zone_freifunk.forward=REJECT
freifunk.zone_freifunk.output=ACCEPT
freifunk.fficmp=fw_rule
freifunk.fficmp.src=freifunk
freifunk.fficmp.target=ACCEPT
freifunk.fficmp.proto=icmp
freifunk.ffhttp=fw_rule
freifunk.ffhttp.src=freifunk
freifunk.ffhttp.target=ACCEPT
freifunk.ffhttp.proto=tcp
freifunk.ffhttp.dest_port=80
freifunk.ffhttps=fw_rule
freifunk.ffhttps.src=freifunk
freifunk.ffhttps.target=ACCEPT
freifunk.ffhttps.proto=tcp
freifunk.ffhttps.dest_port=443
freifunk.ffssh=fw_rule
freifunk.ffssh.src=freifunk
freifunk.ffssh.target=ACCEPT
freifunk.ffssh.proto=tcp
freifunk.ffssh.dest_port=22
freifunk.ffolsr=fw_rule
freifunk.ffolsr.src=freifunk
freifunk.ffolsr.target=ACCEPT
freifunk.ffolsr.proto=udp
freifunk.ffolsr.dest_port=698
freifunk.ffwprobe=fw_rule
freifunk.ffwprobe.src=freifunk
freifunk.ffwprobe.target=ACCEPT
freifunk.ffwprobe.proto=tcp
freifunk.ffwprobe.dest_port=17990
freifunk.ffdns=fw_rule
freifunk.ffdns.dest_port=53
freifunk.ffdns.src=freifunk
freifunk.ffdns.target=ACCEPT
freifunk.ffdns.proto=udp
freifunk.ffdhcp=fw_rule
freifunk.ffdhcp.src_port=68
freifunk.ffdhcp.src=freifunk
freifunk.ffdhcp.target=ACCEPT
freifunk.ffdhcp.dest_port=67
freifunk.ffdhcp.proto=udp
freifunk.ffdhcp.leasetime=30m
freifunk.ffsplash=fw_rule
freifunk.ffsplash.dest_port=8082
freifunk.ffsplash.src=freifunk
freifunk.ffsplash.target=ACCEPT
freifunk.ffsplash.proto=tcp
freifunk.lanfffwd=fw_forwarding
freifunk.lanfffwd.src=lan
freifunk.lanfffwd.dest=freifunk
freifunk.ffwanfwd=fw_forwarding
freifunk.ffwanfwd.src=freifunk
freifunk.ffwanfwd.dest=wan
freifunk.fffwd=fw_forwarding
freifunk.fffwd.src=freifunk
freifunk.fffwd.dest=freifunk
freifunk.freifunk=include
freifunk.freifunk.path=/etc/firewall.freifunk
freifunk.system=defaults
freifunk.system.zonename=Europe/Berlin
freifunk.system.timezone=CET-1CEST,M3.5.0,M10.5.0/3
freifunk.wifi_device=defaults
freifunk.wifi_device.channel=1
freifunk.wifi_device.diversity=1
freifunk.wifi_device.disabled=0
freifunk.wifi_device.country=DE
freifunk.wifi_device.hwmode=11g
freifunk.wifi_device.distance=1000
freifunk.wifi_iface=defaults
freifunk.wifi_iface.mode=adhoc
freifunk.wifi_iface.encryption=none
freifunk.wifi_iface.bgscan=0
freifunk.wifi_iface.bssid=12:CA:FF:EE:BA:BE
freifunk.wifi_iface.sw_merge=1
freifunk.wifi_iface.mcast_rate=5500
freifunk.wifi_iface.probereq=1
freifunk.interface=defaults
freifunk.interface.netmask=255.255.0.0
freifunk.interface.dns=2002:d596:2a92:1:71:53:: 2002:5968:c28e::53 88.198.178.18 141.54.1.1 212.204.49.83 8.8.8.8 8.8.4.4
freifunk.alias=defaults
freifunk.alias.netmask=255.255.255.0
freifunk.dhcp=defaults
freifunk.dhcp.leasetime=30m
freifunk.dhcp.start=2
freifunk.dhcp.force=1
freifunk.olsr_interfacedefaults=defaults
freifunk.olsr_interfacedefaults.Ip4Broadcast=255.255.255.255
freifunk.wizard=settings
freifunk.wizard.device_radio0=1
freifunk.wizard.meship_radio0=104.129.3.23
freifunk.wizard.client_radio0=1
freifunk.wizard.dhcpmesh_radio0=104.129.3.80/28
freifunk.wizard.vap_radio0=1
freifunk.wizard.device_wan=0
freifunk.wizard.latitude=52.517160965251946
freifunk.wizard.longitude=13.434531832198655
freifunk.wizard.wan_security=1
freifunk.wizard.wan_input_accept=1
freifunk.wizard.advanced_radio0=1
freifunk.wizard.distance_radio0=2000
freifunk.wizard.device_lan=1
freifunk.wizard.meship_lan=104.129.3.48
freifunk.wizard.client_lan=0
freifunk.wizard.vapssid_radio0=ap10.freifunk.net
freifunk.wizard.chan_radio0=default
freifunk.wizard.txpower_radio0=12
freifunk.wizard.share_value=1
freifunk.wizard.hostname=104-129-3-48
freifunk.wizard.shareconfig=1
freifunk.wizard.sharenet=1
=================================================================================


On 27.04.2014 21:14, Patrick wrote:
> Hi Arne
> 
> Could you please enter, on the router console,
> opkg list_installed
> uci show firewall
> uci show freifunk
> 
> and send the outputs.
> 
> Which version did you install?
> 
> [ ] attitude_adjustment
> [ ] barrier_breaker
> 
> [ ] freifunk
> [ ] minimal
> [ ] vpn
> 
> 
> Regards
>            Patrick
> 
> 
> On 27.04.14 20:54, Arne Zachlod wrote:
>> Hello!
> 
>> I am tinkering around a bit at the moment and have noticed that the
>> function "Restrict WAN access to gateway" ("WAN-Zugriff auf Gateway
>> beschränken") does nothing. At least I can still reach all my devices
>> in the LAN when I am logged into the FF network. That is of course a
>> bit unfortunate, because this way I cannot share my Internet
>> connection (I have now cut the cable into my own network). Does anyone
>> perhaps have a workaround at hand and can tell me the necessary
>> settings for the firewall?
> 
>> Bye Arne

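Added example, not part of the original post or of the Freifunk firmware: a small shell/awk audit that reads `uci show firewall` text and lists each zone, every zone-to-zone forwarding the configuration permits, and any forwarding that names a zone no `zone` section defines. The function names `sample_config` and `fw_audit` are made up for this example; the sample input is an excerpt of the output posted above, written in uci's `@section[index]` notation.

```shell
# Excerpt of the `uci show firewall` output from this message (zones, forwardings).
sample_config() {
cat <<'EOF'
firewall.zone_freifunk=zone
firewall.zone_freifunk.input=ACCEPT
firewall.zone_freifunk.name=freifunk
firewall.zone_freifunk.network=tunl0 wireless0 wireless0dhcp lan ffvpn
firewall.@zone[0]=zone
firewall.@zone[0].network=wan
firewall.@zone[0].name=wan
firewall.@zone[0].input=ACCEPT
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=wan
firewall.@forwarding[1].src=freifunk
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest=freifunk
firewall.@forwarding[2].src=wan
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest=wan
firewall.@forwarding[3].src=lan
EOF
}

# Reads `uci show firewall` text on stdin; prints zones, permitted forwardings,
# and forwardings whose src or dest is not the name of any defined zone.
fw_audit() {
awk -v q="'" '
{ eq = index($0, "="); if (!eq) next
  key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
  gsub(q, "", val)                      # newer uci releases quote values
  n = split(key, p, "[.]")              # config . section [. option]
  if (n == 2) { type[p[2]] = val; order[++cnt] = p[2] }
  else if (n == 3) opt[p[2], p[3]] = val }
END {
  for (i = 1; i <= cnt; i++) { s = order[i]; if (type[s] != "zone") continue
    z = opt[s, "name"]; zone[z] = 1
    m = split(opt[s, "network"], nets, " ")
    for (j = 1; j <= m; j++) owner[nets[j]] = z   # network -> owning zone
    printf "zone %s input=%s networks=%s\n", z, opt[s, "input"], opt[s, "network"] }
  for (i = 1; i <= cnt; i++) { s = order[i]; if (type[s] != "forwarding") continue
    a = opt[s, "src"]; b = opt[s, "dest"]; bad = ""
    if (!(a in zone)) bad = a; else if (!(b in zone)) bad = b
    if (bad == "") printf "allow %s -> %s\n", a, b
    else printf "undefined zone %s in %s -> %s (network %s is in zone %s)\n",
                bad, a, b, bad, (bad in owner) ? owner[bad] : "none" }
}'
}

sample_config | fw_audit
```

On a router the same function can be fed directly with `uci show firewall | fw_audit`.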