Posts tagged ‘firewall’

Since none of the dd-wrt releases include ip6tables support, I added it myself. The standard kernel does support module loading, so you can simply add additional kernel features without reflashing the device. You do need some writable storage. I use the remaining 4MB of flash using JFFS, but using external storage (USB, network, …) is also possible.

Since you can’t run a complete build environment on the router itself, you’ll have to set up a cross-compiling environment on your own machine. As I found out, this isn’t always very easy to do…
Continue reading ‘Compiling custom dd-wrt kernel modules’ »

I bought myself a new WiFi router. When in the shop, I specifically searched for a router that is supported by dd-wrt, and has (at least) 8MB of flash. I settled for the Linksys WRT320N: it has a dual band (switchable between 2.4GHz and 5GHz, not simultaneous) 802.11a/b/g/n radio, a 4 port GbE switch, and a WAN port. It houses a Broadcom BC4717 processor running at 354MHz, 8MB of flash and 32MB of RAM.

The default Linksys firmware is actually not bad, but dd-wrt just offers a ton more features: Multiple SSIDs, IPv6 support (including Sixxs tunneling), WAN volume monitoring, custom firewalling, traffic shaping, … So I decided to void my warranty and put my router on steroids! Mandatory note: this may very well turn your router into a very expensive brick.

Continue reading ‘Converting a WRT320N to dd-wrt’ »

I just read this message by Mark Andrews on the BIND mailing list. It explains the possible issues with DNSSEC and over-protective firewalls, giving test commands to verify your setup. This post is also interesting for regular DNS traffic, since a firewall doesn’t know the difference.

Continue reading ‘DNS(SEC) – Firewall issues’ »

In Belgium, there are 2 major ISPs: Telenet and Belgacom (Skynet). Neither of them allows you to run servers on your home DSL connection, but only Telenet enforced this by simply blocking all incoming TCP requests on the low ports.

I regularly connect to my home server over SSH from all over the world to access my files, mail, photos, … Since not every network I encounter allows outgoing 22/TCP connections, I also listen on 80/TCP and 443/TCP for SSH connections. This setting allowed me to connect home from pretty much every network.

However, since sometime this weekend, Belgacom started to filter incoming connections. My last successful attempt was around 2009-10-31T00:10+0100. When trying this again today around 16:00+0100, the connection was filtered. Contrary to Telenet, Belgacom has the decency to reply with an “ICMP Administratively Prohibited” message. A quick port-scan showed that the following ports are being filtered:

  • 23/tcp (telnet)
  • 80/tcp (http)
  • 443/tcp (https)
  • 992/tcp (telnets)
  • 8023/tcp (unknown)
  • 8085/tcp (unknown)
  • 8443/tcp (https-alt)
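The three outcomes mentioned above (Telenet silently dropping the SYN, Belgacom answering with ICMP Administratively Prohibited, and a port that is simply not listening) look different to a connecting client, and telling them apart is how you verify from an outside network which of your own listeners are still reachable. The following added example (my own code, not from the original post) classifies a single connection attempt by the error it produces; the errno mapping is the Linux one, where an ICMP unreachable or prohibited reply surfaces on connect() as EHOSTUNREACH or ENETUNREACH, and the hostname in the usage comment is a placeholder.

```python
import errno
import socet if False else None  # placeholder removed below
```
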

Connecting to home has just become more difficult… Guess I’ll start using IP over DNS

Update 2009-11-03

Found another blog describing this issue (in Dutch). Rumor has it that Belgacom will offer an opt-out of this filtering.

Update 2009-11-11

The filtering of ports 23, 80 and 443 can be disabled by surfing to the Belgacom e-service site and opting for “Basic Security” under “mijn internet – mijn opties”.

When doing some research on the different tables in iptables, I was trying to figure out in what order the tables are traversed. Obviously PREROUTING happens before POSTROUTING, but it is harder to work out whether mangle happens before or after nat.

I found a post which links to this overview (local copy):

[packetflow diagram]

Recent tests on kernel 3.13.0 (Ubuntu Trusty 14.04) show that tcpdump captures before mangle-PREROUTING and after nat-POSTROUTING.
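The empirical way to settle the traversal-order question on a real box is the iptables TRACE target: mark the packets you care about in the raw table (for example `iptables -t raw -A PREROUTING -p tcp --dport 22 -j TRACE`, with the LOG backend loaded) and the kernel log then records every table:chain the packet passes through. The following added example is my own code, not from the original post or the packetflow overview: it parses such TRACE lines and recovers the order in which the table/chain hooks were hit. The two log samples are constructed to look like TRACE output for a locally delivered and a forwarded packet; they are not captures from a real host.

```python
import re

# TRACE lines have the shape "TRACE: <table>:<chain>:<policy|rule|return>:<n> IN=... OUT=..."
TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>\w+):(?P<kind>policy|rule|return):(?P<num>\d+)"
)

# Constructed sample (not real data): packet arriving on eth0, delivered to a local socket.
SAMPLE_INPUT_PATH = """\
TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
"""

# Constructed sample (not real data): packet arriving on eth0 and forwarded out of eth1.
SAMPLE_FORWARD_PATH = """\
TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
"""


def traversal_order(log_text):
    """Return [(table, chain, kind, rulenum), ...] in the order the packet hit them.

    Lines that are not TRACE lines (ordinary dmesg noise) are ignored.
    """
    hops = []
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            hops.append((m["table"], m["chain"], m["kind"], int(m["num"])))
    return hops


def hook_sequence(hops):
    """Collapse the trace to (table, chain) pairs, keeping first-seen order."""
    seen = []
    for table, chain, _, _ in hops:
        if (table, chain) not in seen:
            seen.append((table, chain))
    return seen


def table_before(hops, first, second, chain):
    """True if table `first` was traversed before table `second` within `chain`."""
    seq = hook_sequence(hops)
    try:
        return seq.index((first, chain)) < seq.index((second, chain))
    except ValueError:  # one of the two tables never appeared in that chain
        return False


def final_verdict(hops):
    """The last table:chain:rule entry, i.e. where the packet's fate was decided."""
    return hops[-1] if hops else None


if __name__ == "__main__":
    for name, sample in (("input", SAMPLE_INPUT_PATH), ("forward", SAMPLE_FORWARD_PATH)):
        hops = traversal_order(sample)
        print(name, " -> ".join(f"{t}:{c}" for t, c in hook_sequence(hops)))
        print("  mangle before nat in PREROUTING: ", table_before(hops, "mangle", "nat", "PREROUTING"))
        print("  mangle before nat in POSTROUTING:", table_before(hops, "mangle", "nat", "POSTROUTING"))
        print("  decided at:", final_verdict(hops))
```

Two things to keep in mind when reading real TRACE output: the nat table is consulted only for the first packet of a connection (conntrack remembers the decision for the rest), so later packets of the same flow show no nat entries at all; and tcpdump hooks in at the network device, outside netfilter entirely, which is consistent with the observation above that it sees packets before mangle-PREROUTING and after nat-POSTROUTING.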