On 12.08.2009 14:56, Matthias Buecher / Germany wrote:
> On 12.08.2009 10:50, Ferenc Wagner wrote:
>> Matthias Buecher / Germany <[email protected]> writes:
>
>>> When compiling a kernel prepared for all packages, then bridge
>>> firewalling is enabled inside the kernel.
>> Rather, I think you get the "problem" when you start the firewall.
>
>>> This leads to "unexpected" behaviour for newbies and normal users: they
>>> can not access other devices on the LAN.
>> Well, I'd expect a firewall to filter traffic, actually. It's more
>> alarming that a couple of packets can slip through, as the Trac ticket
>> #5640 shows.
>
>>> Therefore disable bridge firewalling in sysctl.conf to avoid newbie
>>> problems.
>> I'm not sure that less security by default is a good idea. Especially
>> via changing a long time Linux default. If you don't want a firewall,
>> why install and start it?
>
> I agree that in general "less security by default" is not a good idea,
> but in this special case it makes sense.
>
> * Bridge firewalling is not on by default (see [1]). It just gets
> activated when compiling the OpenWrt kernel from trunk with all packages.
>
> * The kernel mostly is compiled from trunk with all packages (seems also
> true for the official snapshot), to be prepared for future uses (e.g.
> kmod-tun for VPN) and to be able to use the official OpenWrt package
> repository.
> If a kernel is used that wasn't compiled with all packages, then this
> causes errors/crashes with several packages from the OpenWrt repository
> (see #5341 for OpenVPN).
>
> * Bridge firewalling is an additional kernel firewall for bridges. When
> disabled, this doesn't mean that iptables is not working.
>
> * The typical bridge in OpenWrt is the LAN switch of a router, so it's
> mainly additional security against internal threats, not external threats.
>
> * The typical default behaviour of a router/switch is: allow all LAN
> traffic and all outgoing WAN traffic, block all incoming WAN traffic.
>
>
> The other "but" is the user side:
> * Although I have some Linux experience and work as a programmer, it took
> me over 3 mandays to find the solution. A normal user will be totally lost.
> * Someone who wants "bridge firewalling" will find it within some
> minutes, as he knows what he is looking for.
>
>
> So in my eyes "bridge firewalling" is an extra security option for
> experts that have/want to protect the LAN ports against each other.
> Therefore I would add these settings to the trunk, just like the already
> existing more "insecure" settings (e.g. "net.ipv4.ip_forward=1" for VPN).
>
>
> About the slip-through packets:
> This only happens when starting the kernel; the bridge firewalling (not
> iptables) seems to be enabled after the network.
> So for some seconds some packets may not be "bridge firewalled" on startup.
>
>
> [1] Linux bridge firewalling:
> http://www.linuxfoundation.org/en/Net:Bridge#Kernel_Configuration

Another solution would be to compile it as a separate module (BRIDGE=m).
Then the user can decide if he wants to install it or not.

Maddes

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
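A small check script to go with the thread above (added here as an illustration, not code from the list or from OpenWrt): it reports whether the kernel's bridge-netfilter hooks, the "bridge firewalling" discussed, are currently passing bridged LAN frames through iptables, and prints the sysctl.conf lines that would persist the disabled state. The sysctl key names are the real Linux ones (net.bridge.bridge-nf-call-*); the function names and the optional root-directory parameter are assumptions made so the check can be pointed at a test tree instead of /proc/sys.

```shell
#!/bin/sh
# bridge_nf_status [SYSCTL_ROOT]
# Returns 0 when bridge-netfilter is active (bridged LAN traffic is run through
# the iptables/ip6tables/arptables chains), 1 when it is off or the bridge
# module is not loaded. SYSCTL_ROOT defaults to /proc/sys; passing another
# directory is an assumed convenience for offline testing.
bridge_nf_status() {
    root="${1:-/proc/sys}"
    dir="$root/net/bridge"
    if [ ! -d "$dir" ]; then
        # No bridge code loaded (e.g. BRIDGE=m and the module not inserted):
        # there are no bridge-nf hooks at all, so nothing is filtered there.
        echo "bridge-nf: bridge module not loaded"
        return 1
    fi
    enabled=0
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        f="$dir/$key"
        [ -r "$f" ] || continue          # key absent on this kernel, skip it
        val=$(cat "$f")
        echo "net.bridge.$key = $val"
        [ "$val" = "1" ] && enabled=1
    done
    if [ "$enabled" = 1 ]; then
        echo "bridge-nf: ENABLED - frames between LAN ports hit the iptables chains"
        return 0
    fi
    echo "bridge-nf: disabled - bridge forwards LAN frames without iptables"
    return 1
}

# The three lines that persist the thread's proposed default in /etc/sysctl.conf.
# Note this only turns off the bridge-level hooks; iptables on routed traffic
# (LAN<->WAN) keeps working exactly as before.
sysctl_conf_disable() {
    cat <<'EOF'
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-arptables=0
EOF
}

bridge_nf_status || :
```

Run it on the router before and after changing sysctl.conf to confirm the hooks are really off; on a box where the check prints "ENABLED" the LAN-to-LAN blocking described in the thread is to be expected.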
