Spelling: MWRPFirewall

still a work in progress - dna.
Be a few days before I get it all up

* Introduction [1]

* Netfilter? what\'s that? [2]
* iptables [3]

* The S45firewall script [4]
* What should the firewall do? [5]

* Router port and vlan configuration [6]

* Router ports [7]
* vlan tagging [8]

* Modified S45firewall script [9]

* Example router port configurations and firewall scripts [10]

* OpenWRT default configuration and firewall [11]

* Port configuration [12]
* Firewall configuration [13]

* Private WAN interface, public LAN interface [14]

* Port configuration [15]
* Firewall configuration [16]

* Individual ports [17]

* Port configuration [18]
* Firewall configuration [19]

* Node AP on WAN port [20]

* Port configuration [21]
* Firewall configuration [22]

* DMZ segment [23]

* Port configuration [24]
* Firewall configuration [25]

* The ultimate cheap bastard [26]

* Port configuration [27]
* Firewall configuration [28]

INTRODUCTION

The OpenWRT [29] Linux distribution used on the Linksys WRT54G(s) has
a basic firewall as part of the distribution. This firewall is
configured for typical home AP use. The firewall uses iptables to load
rules into the netfilter part of the Linux kernel. As a firewall this
is pretty neat, there is no running process, you can verify it is
configured how you want and you can log what is going on.
This Wiki page makes a brief introduction to netfilter and iptables
and details what a MW Node firewall should do. Examples are then given
for six different configurations. These examples should be able to be
used with only minor changes (such as the interfaces in your
particular router).

A future evolution will reduce these configurations to a single
script with a small number of input parameters (probably through
environment variables).

NETFILTER? WHAT\'S THAT?

Well, there is a lot of stuff written about netfilter. Probably the
best place to start is in the netfilter FAQ page [30].

In a nutshell there is a packet switch/filter built into the linux
kernel. As packets are received they pass through the netfilter and
may be acted upon at various points.

/ / -> NIC - PREROUTING - routing ---- FOREWARD ----------
POSTROUTING - NIC -> / | / | | | | | INPUT --- applications --- OUTPUT

There are two tables of interest, the filter table where the INPUT,
OUTPUT and FOREWARD chains are defined and the nat table where the
PREROUTING and POSTROUTING chains live.

The routing decission determines the path a packet takes through
netfilter. If IP forewarding is "on" then packets that are not
addressed to the router itself are passed through to the FORWARD
chain. Note, only packets for networks this router is configured for
are passed through here.

Well, if you want to get technical this is what it really looks like:
netfilter diagram [31]

At each of the chains in the path rules can be defined that tell
netfilter what to do with packets that match a rule. This could be as
simple as ACCEPTing the packet or it could send it to a different
chain for further processing.

IPTABLES

iptables is a tool that is used to manipulate the filtering rules. It
is very flexible and has lots of options. Check the man page for
details.

In our firewall scripts we use iptables to clear the netfilter tables
and create the rules we want to apply.

We use the following tables/chains:

* filter / INPUT for packets inbound to our router
* filter / OUTPUT for packets outbound from our router
* filter / FOREWARD for packets we are forwarding from one segment
to another
* nat / PREROUTING for SNAT from our private segment to public
segment
* nat / POSTROUTING for DNAT for port forwarding into our private
segment

THE S45FIREWALL SCRIPT

The default firewall script ( /etc/init.d/S45firewall ) serves as the
base for developing variations for the other described router
configurations. There are a couple of bad configuration examples and
it is a little more verbose than it needs to be ( for such a simple
use ) but nevertheless it is a good starting point.

This script is used when the WAN port is connected to the Internet (
unsecure side) and allows the following:

* ssh connection from WAN
* Port forwarding (bad example conflicts with ssh from WAN)
* forwarding to DMZ machine (again bad example)
* INPUT rules to allow access to the router from the LAN and allow
ICMP/GRE packets
* OUTPUT rules to allow anything out from the router
* FORWARD rules to allow LAN to LAN and LAN to WAN
* FORWARD rules to support the specified port forwarding and DMZ
configuration
* PREROUTING rules for port forwarding and DMZ DNAT address
conversion
* POSTROUTING rules for LAN to WAN SNAT (well, MASQ actually)
address conversion

annotated S45firewall script

#!/bin/sh . /etc/functions.sh WAN=$(nvram get wan_ifname) LAN=$(nvram
get lan_ifname)
clear the iptables and creates a new "user" chain for each
table/chain combination

## CLEAR TABLES for T in filter nat mangle; do iptables -t $T -F
iptables -t $T -X done
iptables -N input_rule iptables -N output_rule iptables -N
forwarding_rule
iptables -t nat -N prerouting_rule iptables -t nat -N
postrouting_rule
Optional things are added to the "user" chains

## Allow SSH from WAN # iptables -t nat -A prerouting_rule -i $WAN -p
tcp --dport 22 -j ACCEPT # iptables -A input_rule -i $WAN -p tcp
--dport 22 -j ACCEPT
This example conflicts with the above one. The rule entered first
will take precdence

## Port forwarding # iptables -t nat -A prerouting_rule -i $WAN -p
tcp --dport 22 -j DNAT --to 192.168.1.2 # iptables -A forwarding_rule
-i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
This example sends incoming ports to the 192.168.1.2 machine, it is
not a true DMZ which should be on a separate network segment

## DMZ (should be placed after port forwarding / accept rules) #
iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2 #
iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
The default tables/chains have the general policy set along with
actions to deal with junk

## INPUT ## (connections with the router as destination)
# base case iptables -P INPUT DROP iptables -A INPUT -m state --state
INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED
-j ACCEPT iptables -A INPUT -p tcp --syn --tcp-option ! 2 -j DROP
we alow packets from the private segment and ICMP(ping) and
GRE(router chatter) from anywhere

# allow iptables -A INPUT -i ! $WAN -j ACCEPT # allow from lan/wifi
interfaces iptables -A INPUT -p icmp -j ACCEPT # allow ICMP iptables
-A INPUT -p gre -j ACCEPT # allow GRE
The input_rule chain has one target (above) to allow ssh form the WAN
interface

# # insert accept rule or to jump to new accept-check table here #
iptables -A INPUT -j input_rule
# reject (what to do with anything not allowed earlier) iptables -A
INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j
REJECT --reject-with icmp-port-unreachable
## OUTPUT ## (connections with the router as source)
# base case iptables -P OUTPUT DROP iptables -A OUTPUT -m state
--state INVALID -j DROP iptables -A OUTPUT -m state --state
RELATED,ESTABLISHED -j ACCEPT
# allow iptables -A OUTPUT -j ACCEPT #allow everything out
everything after the above line is unreachable in this chain

# # insert accept rule or to jump to new accept-check table here #
iptables -A OUTPUT -j output_rule
# reject (what to do with anything not allowed earlier) iptables -A
OUTPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A OUTPUT -j
REJECT --reject-with icmp-port-unreachable
## FORWARDING ## (connections routed through the router)
# base case iptables -P FORWARD DROP iptables -A FORWARD -m state
--state INVALID -j DROP iptables -A FORWARD -m state --state
RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags
SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# allow iptables -A FORWARD -i br0 -o br0 -j ACCEPT iptables -A
FORWARD -i $LAN -o $WAN -j ACCEPT
The forwarding_rule chain is where all the exciting things are
happening

# # insert accept rule or to jump to new accept-check table here #
iptables -A FORWARD -j forwarding_rule
# reject (what to do with anything not allowed earlier) # uses the
default -P DROP
In this case postrouting SNAT is performed using the MASQ target
makes all packets from the private segment look like they come from
the router

## MASQ iptables -t nat -A PREROUTING -j prerouting_rule iptables -t
nat -A POSTROUTING -j postrouting_rule iptables -t nat -A POSTROUTING
-o $WAN -j MASQUERADE

WHAT SHOULD THE FIREWALL DO?

The firewall has to do a couple of things to be usefull in a MW node:

* Allow unrestricted access from your private segment into the MW
segment.
* NAT the addresses from your private segment to an address in your
node segment.
* Allow you to access your private segment from the MW network (only
you, or your machines).
* Allow administrative access (ssh) to the router from both the
private and public segments.

In addition you may want to allow some services to be accessible:

* DNS lookup
* ssh to a server on the Internet
* POP3 email from an email server
* SMTP to an email server
* HTTP to selected web sites
* forward ports from the MW segment to a machine in either the
private or DMZ segment

Note: By exposing these services clients connected to your Node will
be "tunneling" through your private network to reach the Internet via
your broadband connection. You may want to think about what you expose
if you have a capped connection.

ROUTER PORT AND VLAN CONFIGURATION

The firewall configuration chosen needs to match the router port
configuration. Currently you will need to do this by hand, later it
can be incorporated into a setup script that will allow you to choose
the configuration you want and will set up the bridges etc. and
configure the firewall script.
The port configuration only needs to be done once.

There are two sets of NVRAM variables that need to be set correctly
for the configuration required. These are the Router ports and the
vlan tagging.

ROUTER PORTS

On the v2.0 and later the ports are as follows:

* eth0 internal switch MI2 interface
* eth1 internal radio interface
* vlan0 LAN vlan
* vlan1 WAN vlan
* br0 The bridge used for vlan0 and eth1

The router port configuration is stored in NVRAM variables. For each
interface there are _ifname and _ifnames variables.

These are used in the S40network script to set up the ports. If the
_ifname is a bridge ( br0-9 [32] ) then the _ifnames variable is
checked for the list of ports that belong to the bridge and the brodge
is created and the ports added to the bridge.

Default case:

wan_ifname = vlan1 wan_ifnames = vlan1 lan_ifname = br0 lan_ifnames =
vlan0 eth1 eth2

VLAN TAGGING

The switch in the WRT54G(S) uses vlan tagging to determine where
packets should be sent. Two variables are needed per vlan; vlanports
and vlanhwname. vlanhwname is always et0.
The switch ports are 0 WAN, 1-4 LAN and 5 Internal. Port 5 is a
special case and is included in all defined vlans. The LAN ports are
assigned to vlan0 and the WAN port is assigned to vlan1.

Default case:

vlan0ports = "1 2 3 4 5*" vlan0hwname = et0 vlan1ports = "0 5"
vlan1hwname = et0

MODIFIED S45FIREWALL SCRIPT

We modify the firewall script to allow it to be configured through
setting a number of environment variables. These can be set in the
script itselfand will be overridden if they are set in the shell prior
to calling the script.

Modified S45firewall script

#!/bin/sh . /etc/functions.sh
# Firewall rules to set up the following configuration # # MELW is a
community radio network - it is public and untrusted # PRIV is a
private network that needs to NAT when going out to MELW # Some
connections and traffic from MELW will be aceepted and passed inside #
PRIV, NAT is not needed.
I use the WAN port to cascade my node from my private LAN

PRIV=$(nvram get wan_ifname)
and use the br0 side of the router as the Node LAN segment

MELW=$(nvram get lan_ifname)
insmod ipt_mac.o
## CLEAR TABLES for T in filter nat mangle; do iptables -t $T -F
iptables -t $T -X done iptables -N input_rule #iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule #iptables -t nat -N
postrouting_rule
### Allow everything from my machines connecting to the Node ## he
he, you can tell what brand machines I have iptables -A
forwarding_rule -i $MELW -m mac --mac-source 00:30:65:xx:xx:xx -j
ACCEPT iptables -A forwarding_rule -i $MELW -m mac --mac-source
00:30:65:xx:xx:xx -j ACCEPT ### Allow SSH and DNS from MELW iptables
-A input_rule -i $MELW -p tcp --dport 22 -j ACCEPT iptables -A
input_rule -i $MELW -p udp --dport 53 -j ACCEPT
### Port passthrough # ssh iptables -A forwarding_rule -i $MELW -p
tcp --dport 22 -j ACCEPT # smtp iptables -A forwarding_rule -i $MELW
-p tcp --dport 25 -j ACCEPT # POP3 iptables -A forwarding_rule -i
$MELW -p tcp --dport 110 -j ACCEPT # google iptables -A
forwarding_rule -i $MELW -p tcp --dport 80 -d 216.239.32.0/19 -j
ACCEPT iptables -A forwarding_rule -i $MELW -p tcp --dport 80 -d
66.102.0.0/20 -j ACCEPT # the age iptables -A forwarding_rule -i $MELW
-p tcp --dport 80 -d 203.26.51.0/24 -j ACC EPT # hotmail
# yahoo messenger
### Use DNAT to flip DNS requests to the router iptables -t nat -A
prerouting_rule -i $MELW -p udp --dport 53 -j DNAT --to 10.10.1.65
### INPUT ### (connections with the router as destination)
# base case iptables -P INPUT DROP iptables -A INPUT -m state --state
INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED
-j ACCEPT iptables -A INPUT -p tcp --syn --tcp-option ! 2 -j DROP
# allow iptables -A INPUT -i $PRIV -j ACCEPT # allow from PRIV
interfaces iptables -A INPUT -p icmp -j ACCEPT # allow ICMP iptables
-A INPUT -p gre -j ACCEPT # allow GRE # # insert accept rule or to
jump to new accept-check table here # iptables -A INPUT -j input_rule
# reject (what to do with anything not allowed earlier) iptables -A
INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j
REJECT --reject-with icmp-port-unreachable
### OUTPUT ### (connections with the router as source)
# base case iptables -P OUTPUT DROP iptables -A OUTPUT -m state
--state INVALID -j DROP iptables -A OUTPUT -m state --state
RELATED,ESTABLISHED -j ACCEPT
# allow iptables -A OUTPUT -j ACCEPT #allow everything out # # insert
accept rule or to jump to new accept-check table here # # iptables -A
OUTPUT -j output_rule
# reject (what to do with anything not allowed earlier) # iptables -A
OUTPUT -p tcp -j REJECT --reject-with tcp-reset # iptables -A OUTPUT
-j REJECT --reject-with icmp-port-unreachable
### FORWARDING ### (connections routed through the router)
# base case iptables -P FORWARD DROP iptables -A FORWARD -m state
--state INVALID -j DROP iptables -A FORWARD -m state --state
RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags
SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# allow iptables -A FORWARD -i br0 -o br0 -j ACCEPT # don't think
this is needed iptables -A FORWARD -i $PRIV -o $MELW -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT # allow ICMP # # insert accept
rule or to jump to new accept-check table here # iptables -A FORWARD
-j forwarding_rule

# reject (what to do with anything not allowed earlier) # uses the
default -P DROP

### MASQ iptables -t nat -A PREROUTING -j prerouting_rule # iptables
-t nat -A POSTROUTING -j postrouting_rule iptables -t nat -A
POSTROUTING -o $MELW -j SNAT --to 10.10.1.65

EXAMPLE ROUTER PORT CONFIGURATIONS AND FIREWALL SCRIPTS

OPENWRT DEFAULT CONFIGURATION AND FIREWALL

This configuration is useful for setting up a private wireless
network but should be used carefully a MW Node. Any machine connected
to the LAN ports would be bridged with the Node and thereofre on a
public network.

Public WAN WRT PORT Private LAN +-------+ ------------ vlan1 | WAN |
+-------+ +------------- +-------+ | eth1 | WLAN |----------< Antenna
(radio used as AP) | +-------+ | +----- +-------+ ports bridges | |
LAN 1 |---------- together br0 | vlan0 +-------+ | | +-------+ | | |
LAN 2 |---------- | | +-------+ | | +-------+ | | | LAN 3 |----------
| | +-------+ | | +-------+ | | | LAN 4 |---------- +------ +-----
+-------+

PORT CONFIGURATION

No changes required.

FIREWALL CONFIGURATION

MELW = br0 PRIV = (NULL) WAN = vlan1 DMZ = (NULL)

PRIVATE WAN INTERFACE, PUBLIC LAN INTERFACE

This is the simplest useful node configuration. It does not require
any changes to the OpenWRT [33] port assignment. In this configuration
there is a single WAN port and a bridged LAN ( bridge the remaining 4
switch ports and the wirless port ).

Private LAN WRT PORT Public LAN ( i.e. Melbourne wireless space )

+-------+ --------- vlan1 | WAN | +-------+ +------------- +-------+
| eth1 | WLAN |----------< radio used as Node AP | +-------+ | +-----
+-------+ ports bridges | | LAN 1 |---------- to link radio together
br0 | vlan0 +-------+ | | +-------+ | | | LAN 2 |---------- to node
server | | +-------+ | | +-------+ | | | LAN 3 |---------- | |
+-------+ | | +-------+ | | | LAN 4 |---------- +------ +-----
+-------+
In this configuration the router is using the WAN port to give you a
connection from your private LAN space into the MW node. The firewall
needs to be set up differently to the case where the LAN is the
private side and the WAN is the public (Internet) side.

PORT CONFIGURATION

No changes in NVRAM required.

FIREWALL CONFIGURATION

MELW = br0 PRIV = vlan1 WAN = (NULL) DMZ = (NULL)

INDIVIDUAL PORTS

Another common use of the WRT is as a dedicated router. This is the
case, for example at NodeGHO [34] where there are three AP each
serving different address ranges and the WRT is used to route traffic
between them.

WRT PORT Public LAN ( i.e. Melbourne wireless space ) +-------+ |
WAN |---------- +-------+ +-------+ | WLAN |----------< may be turned
off when used as a router only +-------+ +-------+ | LAN 1 |----------
to AP Northern +-------+ +-------+ | LAN 2 |---------- to AP Southern
+-------+ +-------+ | LAN 3 |---------- to AP Mobile +-------+
+-------+ | LAN 4 |---------- +-------+
In this case because each of the connected AP's service a different
address range, the LAN ports are not in bridge mode. Each port
consumes one address from the AP's range. NodeGHO [35] does not have a
private segment ( I don't think ) so there is no need for any firewall
between the segments, traffic will be routed from segment to segment
as required.

If one of the unused ports was connected to a private segment then
the firewall configuration would be similar to the above case but
where there is refernce to PUBLIC it would be replaced with !PRIV to
apply the rules across all of the public segments.
The S40network init script will need to be changed also to remove the
ifup wan and ifup lan lines and replace then with ifup lan0, ifup lan1
etc.

PORT CONFIGURATION

NVRAM variables

wan_ifname = (NULL) wan_ifnames = (NULL) lan0_ifname = vlan0
lan0_ifnames = vlan0 lan1_ifname = vlan1 lan1_ifnames = vlan1
lan2_ifname = vlan2 lan2_ifnames = vlan2 lan3_ifname = vlan3
lan3_ifnames = vlan3 lan4_ifname = vlan4 lan4_ifnames = vlan4
lan5_ifname = vlan5 lan5_ifnames = vlan5 vlan0ports = "1 5*"
vlan0hwname = et0 vlan1ports = "0 5" vlan1hwname = et0 vlan2ports = "2
5" vlan2hwname = et0 vlan3ports = "3 5" vlan3hwname = et0 vlan4ports =
"4 5" vlan4hwname = et0 vlan5ports = "5 5" vlan5hwname = et0

FIREWALL CONFIGURATION

For this example there is no need for a firewall. There is no private
segment, no Internet connection and no DMZ. If you were using an _All
ports_ routed configuration with any of these additional segments then
the appropriate vlan would be assigned to the segment variable.

MELW = vlan0,vlan1,vlan2,vlan3,vlan4 PRIV = (NULL) WAN = (NULL) DMZ =
(NULL)

NODE AP ON WAN PORT

This is a simple change, involving only the removal of the bridge
between the WLAN and LAN and is the configuration used in the MWRP
examples. The AP is connected to the router through the WAN port to
avoid conflicts with the boot default addresses of both devices being
the same.

WRT PORT Public LAN ( i.e. Melbourne wireless space )

+-------+ vlan1 | WAN |---------- to AP ( Senao ) +-------+
+-------+ eth1 | WLAN |----------< radio used as link +-------+ +-----
+-------+ | | LAN 1 |---------- | vlan0 +-------+ | +-------+ | | LAN
2 |---------- | +-------+ | +-------+ | | LAN 3 |---------- |
+-------+ | +-------+ | | LAN 4 |---------- +----- +-------+

PORT CONFIGURATION

NVRAM variables:

lan_ifname = vlan0 lan_ifnames = vlan0 wlan_ifname = eth1
wlan_ifnames = eth1

FIREWALL CONFIGURATION

In this case the vlan0 interface is the PRIV segment and the vlan1
and eth1 devices are PUBLIC segments. vlan1 will reeive an address
from the APs address range and eth1 will use an address allocated when
the link is set up.

MELW = vlan1,eth1 PRIV = vlan0 WAN = (NULL) DMZ = (NULL)

DMZ SEGMENT

If you want to provide services to the network but don't want to have
them exposed in the node itself or forward ports into your private
space then you may want to configure a DMZ segment. Remove the br0
bridge, leave one or two ports to connect the node to your private
space and create a new vlan with the remaining ports. The WAN port
could be used for an AP or link as could the WLAN port.
In this way you can expose only those ports on the DMZ server
machines you want to and can avoid having to spend too much effort
hardening the machines.

WRT PORT +-------+ vlan1 | WAN |---------- Could use WAN port for
link radio Public LAN +-------+ i.e. Melb W +-------+ | WLAN
|----------< Antenna (radio used as AP) +-------+ +----- +-------+ | |
LAN 1 |---------- to private network segment Priavte LAN | vlan0
+-------+ | +-------+ | | LAN 2 |---------- to private network segment
+----- +-------+ +----- +-------+ | | LAN 3 |---------- to DMZ server
DMZ LAN | vlan2 +-------+ | +-------+ | | LAN 4 |---------- to DMZ
server +----- +-------+

PORT CONFIGURATION

wan_ifname=(NULL) wan_ifnames= (NULL) lan_ifname=vlan0
lan-ifnames=vlan0 dmz_ifname=vlan2 dmz_ifnames=vlan2

vlan0ports = "1 2 5*" vlan0hwname = et0 vlan1ports = "0 5"
vlan1hwname = et0 vlan2ports = "3 4 5" vlan2hwname = et0

FIREWALL CONFIGURATION

MELW=vlan1,eth1 PRIV=vlan0 WAN= (NULL) DMZ=vlan2

THE ULTIMATE CHEAP BASTARD

This is my favorite configuration. It is the one to use if you are
too cheap to buy more than one router/AP and you want to do
everything. This is really getting your money's worth from the router.
Use the WAN port to make your broadband connection, use the wired LAN
ports internally within your house and use the radio as your MW Node
AP. If you have wireless devices you can configure the firewall to
allow them to work from "outside". Feeling cheaper still, try to
convince the next Node to connect to you to using WDS and you have a
built in link as well.

Public Internet WRT PORT Public LAN ( i.e. Melbourne wireless space
) +-------+ ------------ vlan1 | WAN | +-------+ +-------+ | WLAN
|----------< Antenna (radio used as Node AP) +-------+ +-----
+-------+ | | LAN 1 |---------- | vlan0 +-------+ | +-------+ Private
LAN | | LAN 2 |---------- | +-------+ | +-------+ | | LAN 3
|---------- | +-------+ | +-------+ | | LAN 4 |---------- +-----
+-------+
Here you have two firewall configurations collapsed into one box. The
Internet to LAN and the MW segment to LAN. Also because the two
firewalls are collapsed onto the one box there is the MW segment to
Internet configuration as well

PORT CONFIGURATION

Sweet, all you have to do is break the bridge by changing lan_ifname
to vlan0 and create the wlan_ifname and wlan_ifnames variables. Don't
forget to add _ifup wlan_ to S40network
NVRAM variables:

lan_ifname = vlan0 lan_ifnames = vlan0 wlan_ifname = eth1
wlan_ifnames = eth1

FIREWALL CONFIGURATION



Links:
------
[1] http://www.melbournewireless.org.au/#introduction
[2] http://www.melbournewireless.org.au/#netfilter__what_s_that_
[3] http://www.melbournewireless.org.au/#iptables
[4] http://www.melbournewireless.org.au/#the_s45firewall_script
[5] http://www.melbournewireless.org.au/#what_should_the_firewall_do_
[6]
http://www.melbournewireless.org.au/#router_port_and_vlan_configuration
[7] http://www.melbournewireless.org.au/#router_ports
[8] http://www.melbournewireless.org.au/#vlan_tagging
[9] http://www.melbournewireless.org.au/#modified_s45firewall_script
[10]
http://www.melbournewireless.org.au/#example_router_port_configurations_and_firewall_scripts
[11]
http://www.melbournewireless.org.au/#openwrt_default_configuration_and_firewall
[12] http://www.melbournewireless.org.au/#port_configuration
[13] http://www.melbournewireless.org.au/#firewall_configuration
[14]
http://www.melbournewireless.org.au/#private_wan_interface__public_lan_interface
[15] http://www.melbournewireless.org.au/#port_configuration
[16] http://www.melbournewireless.org.au/#firewall_configuration
[17] http://www.melbournewireless.org.au/#individual_ports
[18] http://www.melbournewireless.org.au/#port_configuration
[19] http://www.melbournewireless.org.au/#firewall_configuration
[20] http://www.melbournewireless.org.au/#node_ap_on_wan_port
[21] http://www.melbournewireless.org.au/#port_configuration
[22] http://www.melbournewireless.org.au/#firewall_configuration
[23] http://www.melbournewireless.org.au/#dmz_segment
[24] http://www.melbournewireless.org.au/#port_configuration
[25] http://www.melbournewireless.org.au/#firewall_configuration
[26] http://www.melbournewireless.org.au/#the_ultimate_cheap_bastard
[27] http://www.melbournewireless.org.au/#port_configuration
[28] http://www.melbournewireless.org.au/#firewall_configuration
[29] http://www.melbournewireless.org.au/?OpenWRT
[30]
http://www.netfilter.org/documentation/index.html#documentation-faq
[31]
http://www.melbournewireless.org.au/files/Misc/Minitar/PacketFlow.png
[32] http://www.melbournewireless.org.au/?0-9
[33] http://www.melbournewireless.org.au/?OpenWRT
[34] http://www.melbournewireless.org.au/?NodeGHO
[35] http://www.melbournewireless.org.au/?NodeGHO
[EditText] [Spelling] [Current] [Raw] [Code] [Diff] [Subscribe] [VersionHistory] [Revert] [Delete] [RecentChanges]
Node Statistics
building	132
gathering	192
interested	515
operational	242
testing	216
Spelling: MWRPFirewall

Username

Password

Search
