OpenWrt/LEDE Project

  • Status: Unconfirmed
  • Percent Complete: 0%
  • Task Type: Bug Report
  • Category: Base system
  • Assigned To: No-one
  • Operating System: All
  • Severity: Low
  • Priority: Very Low
  • Reported Version: Trunk
  • Due in Version: Undecided
  • Due Date: Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by amk - 16.08.2019

FS#2446 - booting with qemu, firewall fails to protect router services (ssh) from wan interface over ipv6

Started latest malta snapshot with qemu, did not change any configuration.
IPv6 wan interface gets its link-local address.
Firewall allows connections to this address from wan.
Firewall restart helps.

 
tunctl
brctl addbr testbr
brctl addif testbr tap0
ip link set dev tap0 up
ip link set dev testbr up

qemu-system-mips -kernel openwrt-malta-be-vmlinux.elf \
  -hda openwrt-malta-be-rootfs-ext4.img \
  -append "root=/dev/sda console=ttyS0" \
  -nographic -m 64 \
  -net nic,model=pcnet \
  -net tap,ifname=tap0,script=no,downscript=no

root@OpenWrt:/# ip6tables -nvL INPUT
Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination         
	0     0 ACCEPT     all      lo     *       ::/0                 ::/0                 /* !fw3 */
	4   208 input_rule  all      *      *       ::/0                 ::/0                 /* !fw3: Custom input rule chain */
	0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED /* !fw3 */
	0     0 syn_flood  tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 /* !fw3 */
 

After firewall restart (counters are different due to different runs)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
	0     0 ACCEPT     all      lo     *       ::/0                 ::/0                 /* !fw3 */
	1    80 input_rule  all      *      *       ::/0                 ::/0                 /* !fw3: Custom input rule chain */
	0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED /* !fw3 */
	1    80 syn_flood  tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 /* !fw3 */
	1    80 zone_wan_input  all      eth0   *       ::/0                 ::/0                 /* !fw3 */
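
Added example, not part of the original report or of OpenWrt's own code: a shell check that reads ip6tables -nvL INPUT output and tells whether the INPUT chain hands traffic arriving on eth0 to zone_wan_input, the rule missing from the first listing and present after the firewall restart. The function names are hypothetical, and the handling of a "--" opt column is an assumption.

```shell
#!/bin/sh
# Added example (not from the report): detect a missing fw3 zone jump in the
# IPv6 INPUT chain, the condition visible in the first listing of the report.

# has_zone_jump IFACE CHAIN: reads `ip6tables -nvL INPUT` output on stdin and
# returns 0 if some rule sends packets arriving on IFACE to CHAIN, else 1.
has_zone_jump() {
    awk -v ifc="$1" -v chain="$2" '
        $1 ~ /^[0-9]+[KMGT]?$/ {            # rule rows begin with the pkts counter
            # Layout on the page: pkts bytes target prot in out src dst (opt blank).
            # Assumption: builds that print "--" in the opt column shift "in" by one.
            inif = ($5 == "--") ? $6 : $5
            if ($3 == chain && inif == ifc) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# First listing from the report (state right after boot), whitespace normalised.
listing_at_boot() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                 /* !fw3 */
    4   208 input_rule  all      *      *       ::/0                 ::/0                 /* !fw3: Custom input rule chain */
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood  tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 /* !fw3 */
EOF
}

# Second listing differs in counters and in the final rule, appended here.
listing_after_restart() {
    listing_at_boot
    echo '    1    80 zone_wan_input  all      eth0   *       ::/0                 ::/0                 /* !fw3 */'
}

# Live check on the router. eth0 and zone_wan_input are the names from the
# report; pass other values for a different wan device or zone.
check_live() {
    ip6tables -nvL INPUT | has_zone_jump "${1:-eth0}" "${2:-zone_wan_input}" ||
        { echo "INPUT has no jump to ${2:-zone_wan_input} for ${1:-eth0}" >&2; return 1; }
}
```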
