FireWall


Firewalling
Firewalling issue

QUES:

> I need to be able to plug-in a MeshAP (it will be the uplink node or
> gateway for the mesh) into an available CAT5 port on a switch or
> router that will be either static IP or hand out DHCP IP address
> (needs to work for both methods) of a private business network to
> get its Internet access. BUT, this is the tricky part, the wireless
> users using this MeshAP gateway must NOT be able to see or access
> the private business network. See below-

ANS: Simple built in solution available:

Total block on incoming wired: This locks down a wired LAN that is connected via the mesh, to make a high security firewalled connection. http://live.locustworld.com/tracker/wiki?p=FireWalling Wireless connections can only connect to the gateway and out - they can't connect to devices on the LAN.

> there is a wiana setting radio button (yes or no option) for "same
> node clients firewalled" - see the "firewalling" section, last entry
> above "dialup settings"

This is a bit too broad - I only want to remove the firewall for a single wireless client. IIRC, this setting is processed by iptables. Qorvus have some info on the details on their website. I wonder if adding the client to the NoCat_Inbound chain will be enough?

SAME NODE CLIENTS FIREWALL
If you turn the SAME NODE CLIENTS FIREWALL to NO this should open up the firewall and allow the printer to be seen. This also opens up your network, so it is not recommended.

> I have a mesh AP connected to a router at home. My desktop computers are networked via workgroup and I share a printer among them. How can I access my shared printer on the workgroup side of the LAN via my wireless connected laptop that is going through the mesh ap.
>
> laptop <--(wireless connection) ap<--router<--(cat5 cable)<---desktop--shared printer.
>
> Can I get the ultra simplified version??

StormWarning
> 192.168.1.100 is connected wirelessly to the gateway radio.

> 192.168.2.100 is connected through a router and feeds the local mesh.

> meshbox kernel: STORMWARNING: IN=eth0 OUT= MAC=00:40:63:d4:b6:a7:00:0e:2e:05:3e:be:08:00 SRC=192.168.1.100 DST=192.168.2.100 LEN=99 TOS=0x00 PREC=0xC0 TTL=63 ID=2446 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.100 DST=192.168.1.100 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=31218 DF PROTO=UDP SPT=1030 DPT=53 LEN=51 ]

It's an iptables rule that limits icmp packets.

It:

 * is not applied on the internals of the mesh (172.16/16)
 * limits icmp to 30/s from your clients (192.168/16)
 * limits icmp to 5/min and adds an entry in the syslog with the prefix STORMWARNING if it comes from another IP than the previous ones.

It's strange that you get such a message with 2 192.168/16 IPs. I thought you would fall into case 2.

Any idea ?

You can comment the rules in /etc/rc.d/rc.firewall if it annoys you.
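As an added example (not from the thread and not the rc.firewall script itself), the following Python parses the STORMWARNING kernel line quoted above, places its source address into one of the three cases just described, and flags entries that were logged even though the rule as described should not log that source. The 10.9.8.7 line is constructed.

```python
import ipaddress
import re

# Address ranges named in the reply above: mesh internals and the client side.
MESH_INTERNAL = ipaddress.ip_network("172.16.0.0/16")
CLIENTS = ipaddress.ip_network("192.168.0.0/16")

# iptables LOG output puts the outer header first; the [...] part repeats the
# fields of the packet embedded in the ICMP error, so only the first SRC=/DST=
# occurrence describes the packet that hit the rule.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|TYPE|CODE)=(\S*)")

def parse_stormwarning(line):
    """Return the outer packet's fields from a STORMWARNING log line, or None."""
    if "STORMWARNING:" not in line:
        return None
    outer = line.split("[", 1)[0]
    fields = {}
    for key, value in FIELD_RE.findall(outer):
        fields.setdefault(key, value)   # keep the first (outer) occurrence only
    return fields

def classify_source(fields):
    """Map the source address onto the three cases of the rule described above."""
    src = ipaddress.ip_address(fields["SRC"])
    if src in MESH_INTERNAL:
        return "mesh-internal"   # case 1: rule not applied at all
    if src in CLIENTS:
        return "client"          # case 2: rate-limited to 30/s, no log entry
    return "other"               # case 3: 5/min and logged with the STORMWARNING prefix

def audit(lines):
    """List (src, case) for every STORMWARNING line whose source should not have been logged."""
    unexpected = []
    for line in lines:
        fields = parse_stormwarning(line)
        if fields is None or "SRC" not in fields:
            continue
        case = classify_source(fields)
        if case != "other":
            unexpected.append((fields["SRC"], case))
    return unexpected

# Sample input: the kernel line quoted above (quote markers removed) plus one
# constructed line from a source outside both ranges.
SAMPLE_LINES = [
    "meshbox kernel: STORMWARNING: IN=eth0 OUT= MAC=00:40:63:d4:b6:a7:00:0e:2e:05:3e:be:08:00 SRC=192.168.1.100 DST=192.168.2.100 LEN=99 TOS=0x00 PREC=0xC0 TTL=63 ID=2446 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.100 DST=192.168.1.100 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=31218 DF PROTO=UDP SPT=1030 DPT=53 LEN=51 ]",
    "meshbox kernel: STORMWARNING: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.2.100 LEN=84 PROTO=ICMP TYPE=8 CODE=0",  # constructed
]

if __name__ == "__main__":
    for src, case in audit(SAMPLE_LINES):
        print(f"logged although source {src} is in the '{case}' case; check rule order in rc.firewall")
```

A hit reported by audit() means the log entry contradicts the rule order described above, which is exactly the oddity raised in the reply.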

Dave,

That's a PacketStorm. It is similar to the issue that Kyle just saw on his network - although it was with clients, while this appears to be between nodes. Looking at this below, here's what I see. It is on a bridged interface (br0) - so it's likely an issue from node to node only. If it were on wlan0, it would be node to client. SRC is one of your nodes - 1.110.146.200. DST is another node - 1.155.80.161. If you look on down, you will see another DST 1.24.71.99. I would assume that one of the DSTs is the gateway, likely the 1.24.71.99 address.

If you are running dev74 on this node, the "threshold" for stormwarnings was set too low, and that was supposedly fixed in dev76. If you are dev76 or later, it likely really is a stormwarning. Packetstorms can really mess up a mesh network.

I'd suspect that maybe there is a weak link from one node to the other? Or possibly some interference. I think that this indicates that a number of packets were stored, then forwarded all at once.

Maybe someone else will build more on this.

Kb

Links
See HjDetectMode