Opened 7 years ago

Closed 7 years ago

Last modified 6 years ago

#983 closed bug (fixed)

Private network accessible from public one when in bridge mode.

Reported by: Paul <paul@…>
Owned by:
Priority: high
Milestone: Firmware 2.3.7.0
Component: fon-network
Version: 2.3.6.1 (Gari jr.)
Severity: normal
Cc:
Hardware: 2.0n (FON2300)

Description

When the router is set to bridge mode people connected to the public signal (Fon_Free_Internet) are able to access devices in the private network after they've signed in to the fon webpage and been given internet access.

Attachments (2)

bridge-firewall.patch (2.7 KB) - added by matthijs 7 years ago.
hotfix-bridge-firewall.tar.gz (1.2 KB) - added by matthijs 7 years ago.
Hotfix for this problem. Install at the "Applications" page on the dashboard.

Change History (8)

comment:1 Changed 7 years ago by matthijs

  • Component changed from unknown to fon-network
  • Milestone set to Firmware 2.3.7.0
  • Priority changed from normal to high
  • Status changed from new to confirmed

I've confirmed this bug with latest SVN, I'll try to look at it later this week.

comment:2 Changed 7 years ago by matthijs

  • Severity changed from unknown to normal

I've had a look at the bug and created an initial fix. It's still a bit ugly, but it works. I'll probably revisit the entire firewall stuff again later. I'm attaching the fix here for anyone that would like to test it. The fix should work, but I haven't done more than casual testing myself.

I'll do some more testing and prepare a hotfix with this change next monday.

Changed 7 years ago by matthijs

Changed 7 years ago by matthijs

Hotfix for this problem. Install at the "Applications" page on the dashboard.

comment:3 Changed 7 years ago by matthijs

I've just attached a hotfix for this problem, which can be installed from the "Applications" page on the Fonera dashboard. This fix is still unsigned, so right now it only works with DEV firmwares. Next step is getting the firmware signed and uploaded to download.fonosfera.org so people can install it with just a single click.

comment:4 Changed 7 years ago by matthijs

  • Resolution set to fixed
  • Status changed from confirmed to closed

(In [1807]) fonbase: Fix the firewall in bridge mode.

On a Fonera, there are some special firewalling rules to ensure that the public network ("hotspot" zone) cannot access the wan and lan networks, but can access the internet. This is achieved by allowing traffic from the hotspot zone to the wan zone (or the lan zone in bridge mode), but denying traffic to the wan and lan IP subnets. This works because the zone forwarding rules allow traffic going out through the wan (or lan) interface, while the second set of rules deny based on destination address.

When bridge mode was enabled, two problems occurred:

  • The firewall.fon script didn't include the 40-interzone script, since the wan interface wasn't marked as being up. This causes problems only when reloading the firewall after a config change.
  • The 40-interzone script used the (non-existing) wan IP address for blocking traffic instead of the lan IP address.

This commit fixes both of the above. In addition, it makes sure that 40-interzone actually uses the wan netmask when appropriate (instead of the lan network as it used to do) and it cleans up the 40-interzone script a bit.

Even so, this is just a short-term solution that should fix the problem at hand. On the longer term, the networking configuration as well as the firewalling should probably be rewritten to support bridge mode in a more elegant way.

Closes: #983
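The rule layout the commit message describes (forward by outgoing interface, deny by destination subnet, and pick lan instead of the non-existent wan address in bridge mode), as an added example that is not the Fonera's own 40-interzone script. Interface names, the chain name and the sample addresses are constructed; the rules are printed rather than applied so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not the Fonera's 40-interzone script: generate the
# hotspot-zone rules described in the commit message.  The deny rules
# match on destination subnet; the accept rule matches on the outgoing
# interface.  Rules are printed, not applied, so this runs anywhere.

# net_of IP NETMASK: print the network address (IP AND NETMASK).
net_of() {
    oldifs=$IFS; IFS=.; set -- $1 $2; IFS=$oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# mask_bits NETMASK: print the prefix length (number of 1 bits).
mask_bits() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    bits=0
    for o in "$@"; do
        while [ "$o" -gt 0 ]; do
            bits=$((bits + (o & 1)))
            o=$((o >> 1))
        done
    done
    echo "$bits"
}

# interzone_rules MODE LAN_IP LAN_MASK [WAN_IP WAN_MASK]
# In router mode the hotspot may go out through wan but never reach the
# lan or wan subnets.  In bridge mode there is no wan address (the bug
# fixed in r1807 blocked a non-existent one), so the lan address and
# netmask are used and the forwarding target is the lan interface.
# Interface and chain names below are hypothetical.
interzone_rules() {
    mode=$1 lan_ip=$2 lan_mask=$3 wan_ip=$4 wan_mask=$5
    deny_nets="$(net_of "$lan_ip" "$lan_mask")/$(mask_bits "$lan_mask")"
    if [ "$mode" = bridge ]; then
        out_if=br-lan
    else
        out_if=eth0.1
        # Use the wan netmask for the wan subnet, not the lan one.
        deny_nets="$deny_nets $(net_of "$wan_ip" "$wan_mask")/$(mask_bits "$wan_mask")"
    fi
    # Deny rules must precede the interface-based accept rule.
    for net in $deny_nets; do
        echo "iptables -A forwarding_hotspot -d $net -j DROP"
    done
    echo "iptables -A forwarding_hotspot -o $out_if -j ACCEPT"
}

interzone_rules bridge 192.168.10.1 255.255.255.0
```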

comment:5 Changed 7 years ago by matthijs

(In [1809]) fonbase: In firewall.fon, use a subshell for the 40-interzone script.

Previously, this script would be sourced. However, the script does some checking and uses "exit 0" if it doesn't need to do any work, causing the calling script (which is the /lib/firewall/uci_firewall.sh script) to stop executing before the full firewall is loaded.

This issue could only occur when for some reason the wan network was marked as being up when the Fonera was in bridge mode, so this shouldn't really occur unless a user has been messing with network settings manually. However, we'll fix this just to be sure.

References: #983
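The failure mode in r1809 (a helper that calls "exit 0" ending the firewall script that sourced it) and the subshell fix, as an added example with a constructed stand-in for 40-interzone rather than the Fonera's own firewall.fon.

```shell
#!/bin/sh
# Added example, not the Fonera's firewall.fon: a constructed stand-in
# for a helper script that calls "exit 0" when it has nothing to do,
# run first in the caller's shell (as sourcing with "." does) and then
# in a subshell, which is the r1809 fix.

# Stand-in for 40-interzone: bail out with exit 0 unless wan is up.
interzone_script() {
    [ "$1" = up ] || exit 0
    echo "interzone rules loaded"
}

# Same-shell call: the helper's "exit 0" ends this shell as well, so
# "rest of firewall loaded" is never reached when wan is down.
load_firewall_sourced() {
    interzone_script "$1"
    echo "rest of firewall loaded"
}

# Subshell call: the helper's exit only ends the subshell, and the
# remaining firewall rules are still loaded.
load_firewall_subshell() {
    ( interzone_script "$1" )
    echo "rest of firewall loaded"
}

( load_firewall_sourced down )   # prints nothing
load_firewall_subshell down      # prints "rest of firewall loaded"
```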

comment:6 Changed 7 years ago by matthijs

(In [1947]) Backport r1807: fonbase: Fix the firewall in bridge mode.

On a Fonera, there are some special firewalling rules to ensure that the public network ("hotspot" zone) cannot access the wan and lan networks, but can access the internet. This is achieved by allowing traffic from the hotspot zone to the wan zone (or the lan zone in bridge mode), but denying traffic to the wan and lan IP subnets. This works because the zone forwarding rules allow traffic going out through the wan (or lan) interface, while the second set of rules deny based on destination address.

When bridge mode was enabled, two problems occurred:

  • The firewall.fon script didn't include the 40-interzone script, since the wan interface wasn't marked as being up. This causes problems only when reloading the firewall after a config change.
  • The 40-interzone script used the (non-existing) wan IP address for blocking traffic instead of the lan IP address.

This commit fixes both of the above. In addition, it makes sure that 40-interzone actually uses the wan netmask when appropriate (instead of the lan network as it used to do) and it cleans up the 40-interzone script a bit.

Even so, this is just a short-term solution that should fix the problem at hand. On the longer term, the networking configuration as well as the firewalling should probably be rewritten to support bridge mode in a more elegant way.

References: #983
