FS#2446 - booting with qemu, firewall fails to protect router services (ssh) from wan interface over ipv6 #8283

Closed
openwrt-bot opened this issue Aug 16, 2019 · 1 comment
@openwrt-bot

amk:

Started latest malta snapshot with qemu, did not change any configuration.
IPv6 wan interface gets its link-local address.
Firewall allows connections to this address from wan.
Firewall restart helps.

tunctl
brctl addbr testbr
brctl addif testbr tap0
ip link set dev tap0 up
ip link set dev testbr up

qemu-system-mips -kernel openwrt-malta-be-vmlinux.elf \
    -hda openwrt-malta-be-rootfs-ext4.img \
    -append "root=/dev/sda console=ttyS0" \
    -nographic -m 64 \
    -net nic,model=pcnet \
    -net tap,ifname=tap0,script=no,downscript=no

root@OpenWrt:/# ip6tables -nvL INPUT
Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target          prot opt in     out     source    destination
    0     0 ACCEPT          all      lo     *       ::/0      ::/0         /* !fw3 */
    4   208 input_rule      all      *      *       ::/0      ::/0         /* !fw3: Custom input rule chain */
    0     0 ACCEPT          all      *      *       ::/0      ::/0         ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood       tcp      *      *       ::/0      ::/0         tcp flags:0x17/0x02 /* !fw3 */

After firewall restart (counters are different due to different runs)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target          prot opt in     out     source    destination
    0     0 ACCEPT          all      lo     *       ::/0      ::/0         /* !fw3 */
    1    80 input_rule      all      *      *       ::/0      ::/0         /* !fw3: Custom input rule chain */
    0     0 ACCEPT          all      *      *       ::/0      ::/0         ctstate RELATED,ESTABLISHED /* !fw3 */
    1    80 syn_flood       tcp      *      *       ::/0      ::/0         tcp flags:0x17/0x02 /* !fw3 */
    1    80 zone_wan_input  all      eth0   *       ::/0      ::/0         /* !fw3 */

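
A check for the condition visible in the two listings above, as an added example that is not part of the original report or of OpenWrt's code: it parses `ip6tables -nvL INPUT` output and flags a missing jump to the WAN zone chain while the chain policy is ACCEPT. The function name `wan_input_status` and its result strings are assumptions; `eth0` and `zone_wan_input` are taken from the report.

```shell
#!/bin/sh
# Added example, not OpenWrt project code. Reads `ip6tables -nvL INPUT` output
# on stdin and reports whether INPUT jumps to CHAIN for traffic arriving on IFACE.
# Usage: wan_input_status IFACE CHAIN
# Prints: ok | missing-open (policy ACCEPT) | missing-filtered (other policy)
wan_input_status() {
    awk -v ifc="$1" -v chain="$2" '
        $1 == "Chain" && $2 == "INPUT" { policy = $4; sub(/\)/, "", policy) }
        # Rule rows: pkts bytes target prot [opt] in out source destination.
        # The opt column is blank in the report, so "in" is field 5;
        # it is field 6 when an opt value such as "--" is printed.
        $1 ~ /^[0-9]+[KMG]?$/ && $3 == chain && ($5 == ifc || $6 == ifc) { found = 1 }
        END {
            if (found) print "ok"
            else if (policy == "ACCEPT") print "missing-open"
            else print "missing-filtered"
        }'
}

# Sample input: the two listings from the report (after boot, after restart).
boot_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 ACCEPT     all      lo     *       ::/0        ::/0        /* !fw3 */
    4   208 input_rule all      *      *       ::/0        ::/0        /* !fw3: Custom input rule chain */
    0     0 ACCEPT     all      *      *       ::/0        ::/0        ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood  tcp      *      *       ::/0        ::/0        tcp flags:0x17/0x02 /* !fw3 */
EOF
}
restart_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 ACCEPT     all      lo     *       ::/0        ::/0        /* !fw3 */
    1    80 input_rule all      *      *       ::/0        ::/0        /* !fw3: Custom input rule chain */
    0     0 ACCEPT     all      *      *       ::/0        ::/0        ctstate RELATED,ESTABLISHED /* !fw3 */
    1    80 syn_flood  tcp      *      *       ::/0        ::/0        tcp flags:0x17/0x02 /* !fw3 */
    1    80 zone_wan_input all  eth0   *       ::/0        ::/0        /* !fw3 */
EOF
}

echo "boot:    $(boot_listing | wan_input_status eth0 zone_wan_input)"
echo "restart: $(restart_listing | wan_input_status eth0 zone_wan_input)"
```

On a live system the same function can be fed directly: `ip6tables -nvL INPUT | wan_input_status eth0 zone_wan_input`.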
@openwrt-bot

yousong:

Cannot reproduce it with current master. I see the zone_wan_input chain after wan is up.

By the way, ./scripts/qemustart can be used to start a malta/be qemu machine

./scripts/qemustart malta be -n --kernel bin/targets/malta/be/openwrt-malta-be-vmlinux.elf --rootfs bin/targets/malta/be/openwrt-malta-be-rootfs-ext4.img
