Hi,

On Tue, 2015-09-15 at 15:40 +1000, Craig McQueen wrote:
> I'd like to use ConnMan in a device that connects to an Ethernet
> network, and also (optionally) can operate Wi-Fi in access point mode
> to provide technician type access to itself.
> 
> So it looks like "tethering" is the way to do a Wi-Fi access point.
> But in this use case, I don't want Wi-Fi tethering to permit access to
> upstream connections (the wired Ethernet). I can easily achieve that
> by adding a firewall with FORWARD rule set to DROP.

By default ConnMan does not touch /proc/sys/net/ipv4/conf/*/forwarding,
so whatever is the system default forwarding/routing policy will be
followed. Whether this is a good or bad idea depends on the use case,
but happens to be the current status quo.

> However, I also want to lock down DNS. Even with forwarding stopped, a
> Wi-Fi client can still do DNS look-ups through the upstream
> connection, thus providing a back channel of communication.

The sane default is to provide the tethered networks with DNS services,
so blocking the DNS port in your case sounds like applying an extra
iptables rule.

> Secondly, I'd also like Wi-Fi clients to be able to access the device
> via a DNS name, such as my-serial-number.lan. I'm not sure how to
> configure a DNS server for the tether interface.

That is currently not implemented. Patches for reading e.g. /etc/hosts
or some other (symlinked) file like /var/lib/connman/hosts can be
considered.

> Related to this: maybe I could run a DNS server, getting the tether
> interface's IP address updates through D-Bus. But as I've seen with
> connmanctl monitor, tether IP address doesn't seem to be notified on
> D-Bus.

As a hackish solution one can always disable dns proxying in ConnMan,
but that usually creates more problems than it solves. So a patch for
reading a file of host names looks like a more attractive option here.

> In summary, these questions:
> 
> 1) How could the tether interface's DNS look-ups through upstream be
> restricted?
> 2) How could a DNS server be provided for the tether interface, which
> responds to my-serial-number.lan with the tether interface's current IP
> address?

It won't be easy to do selective DNS lookups in ConnMan, but some file
could be read to provide local DNS services. But before doing that, it
should be investigated how or if systemd-resolved can be exploited to
handle name lookups in the future, especially if it gains a D-Bus API.

> 3) How can notifications of tether interface's IP address changes be
> obtained via D-Bus?

As tethering is considered to happen automatically without needing any
user intervention, there hasn't been any real need to expose tethered IP
address information either. Although ConnMan is light-weight, it's still
not a generic embedded routing platform.

Cheers,

        Patrik

_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman