DrChair:
If you still have problems with the firewall, could you show the output of
Code:
iptables-save | grep INPUT
I also have some problems with SVN-version 140.
I flashed the firmware successfully.
Next I noticed the new option to enable SSH in the web interface, so I enabled that option.
After that, my clients didn't get any IP address from DHCP and I was unable to ping the router.
After several attempts to flash the old firmware, I accidentally discovered that via a static IP address I was able to log in to SSH (but still no ping).
It seems that enabling SSH from the web interface breaks some of the firewall rules, because if I disable the firewall with "iptables -D INPUT -j DROP" everything is working again...
However, this also leaves me unprotected.
(I'm building r144 atm, to see if that solves the problem)
Edit:
Further tests show that it has nothing to do with enabling SSH.
I went back to factory defaults and configured the basics -> everything is fine
Next I do a flashfs enable && reboot -> at first everything seems fine, but after a while I get 'firewalled'
I'll see tomorrow if I can find the exact moment where the firewall is enabled.
Last edited by DrChair; 03-03-2009 at 01:09.
DrChair:
If you still have problems with the firewall, could you show the output of
Code:
iptables-save | grep INPUT
No, this behavior shouldn't be changed.
Please describe in more detail. My assumption: when I tried reflashing an old flashfs file, the router wouldn't start its dhcp server anymore... or something else went wrong.
1. You flashed new firmware. Successful?
2. reboot. router up ok? what about dhcp-server(dnsmasq)?
3. Did you try to execute "flashfs enable" & reboot?
4. Router itself starts? What is in syslog?
1. yes, successful (tried with webpage upload and asus restoration tool)
2. First reboot is good, and after applying the settings to the router it's also rebooting fine. Only after saving something in the flashfs memory it stops working properly.
3. I did, I always execute "flashfs save && flashfs commit && flashfs enable && reboot", I actually have it under a macro on my G15 keyboard
4. The router doesn't respond to anything anymore when something is in the flashfs, not even the reset button; I need to unplug the PSU to make it run again.
I do want to note that sometimes the firmware is flashed, but the original memory of the old firmware is still there, even after a factory default.
I just noticed that the stable release has a tar.gz compression and it seems like the beta(or alpha, I dunno) has tar.bz2 compression.
Also I saw that the paths in the flashfs file are different in the older beta release, than the newer one.
If I have no post-firewall script, everything is working fine, and the output is:
:INPUT ACCEPT [288:57716]
:INPUT ACCEPT [288:57716]
If I have the following post-firewall in place:
Code:
#!/bin/sh
## FIREWALL

## Set default policy: remove the firmware's final DROP so the rules below
## can be appended ahead of a new one at the end of this script
iptables -D INPUT -j DROP

## Allow access to webserver from WAN
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

## Allow access to SSH (port 24) from WAN
iptables -A INPUT -p tcp --dport 24 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 24 -j DNAT --to-destination 192.168.2.1:24

## Allow access to PROFTPD (ports 20 and 21) from WAN
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 20 -j DNAT --to-destination 192.168.2.1:20
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination 192.168.2.1:21

## High port range 65530-65535 from WAN
iptables -A INPUT -p tcp --dport 65530:65535 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 65530:65535 -j DNAT --to-destination 192.168.2.1

## Re-add the final DROP
iptables -A INPUT -j DROP

I have a problem and the output of iptables-save | grep INPUT is:
:INPUT ACCEPT [695:224835]
:INPUT ACCEPT [36:11691]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65530:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65530:65535 -j ACCEPT
-A INPUT -j DROP
With firmware around r100 this post-firewall was still working.
I guess it has something to do with all the SNAT changes
One thing I have to mention is the successful connection of my old printer.
I have a quite old HP Deskjet 720C, which I couldn't use on my notebook running Windows Vista because of the lack of a parallel port.
This printer is a so-called GDI printer, which needs a direct connection and doesn't have its own image processing unit.
An HP JetDirect I tried didn't work; it produced only a few lines and then stopped printing, even when trying to print the Windows test page.
Now I bought a cheap (1€) parallel-to-USB adapter, which didn't work as expected with my notebook (approx. 2/3 of the Windows test page was printed).
But when connected to the WL500GP's USB port and used as a TCP/IP printer, this works perfectly! Even complex pages are printed without any problems.
I am running one of the latest firmwares from googlecode and I am really glad to have this functionality. What a great piece of software on this nice router! Thanks for your work, it keeps my printer working even after 12 years!
I use my WL-500GP mainly as a printer and file server (samba). I had stability issues with Oleg's firmware and had to reboot the router 6-7 times a day, because samba stopped working.
With this firmware the router is now up and running for 4 days and samba is still working. Thank you very much for this firmware, great work!
Bug discovered. A temporary fix could be done in several ways before flashing the firmware:
1. add "insmod ipt_recent.o" in your /usr/local/sbin/post-boot script
2. set nvram recent_ftp_enable to 1 if you've enabled ftp server via web interface, commit nvram after
3. set both ssh_enable and nvram recent_ssh_enable to 1, commit nvram after. it will cause dropbear to start on boot time without any additional post-boot scripts
sorry for the inconvenience, folks
ASUS WL5xx: FW 1.9.2.7-d-rXXXX / firmware discussion [RU] / firmware discussion [EN] | bip irc proxy
ASUS RT-N1x: FW 1.9.2.7-rtn-rXXXX / firmware discussion [RU] / firmware discussion [EN] | fake ident daemon
np man
just a question... does this mean dropbear will be integrated in the firmware?
yes, it already does (including autogeneration and storing of the keys in flashfs when needed, functioning of ssh server even if flashfs is disabled, and brute force attack protection for ssh and ftp servers based on ipt_recent). See System Setup->Services and Internet Firewall->Basic Config
At the moment r156 is committed which (I hope) solves this issue. Reports are welcome.
use r160 build from http://wl500g.googlecode.com/
now, even with bruteforce protection off, the firmware should boot as usual
Last edited by theMIROn; 05-03-2009 at 18:41.
I need the wl-500W version
Sounds interesting, since I couldn't get that old denyhosts working on mine. Eventually I switched to a different port.

yes, it already does (including autogeneration and storing of the keys in flashfs when needed, functioning of ssh server even if flashfs is disabled, and brute force attack protection for ssh and ftp servers based on ipt_recent). See System Setup->Services and Internet Firewall->Basic Config
At the moment r156 is committed which (I hope) solves this issue. Reports are welcome.
Would that ipt_recent also work on openssh or different server-like apps?
Would that ipt_recent also work on openssh or different server-like apps?

yes, it is done as a separate chain through which you can pass whatever you wish
grab r160 builds from http://wl500g.googlecode.com/
if bruteforce protection is enabled, you can use the same chain:
Code:
iptables -A INPUT -m tcp -p tcp -i <IFACE> -s <SOURCE> --syn -j BRUTE
it means that any new tcp connections from the SOURCE ip addr on the IFACE interface (ppp0, etc) will be counted and denied once the limit is exceeded
Last edited by theMIROn; 05-03-2009 at 18:41.
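The two firewall topics in this thread, the post-firewall script whose iptables-save listing shows every ACCEPT rule twice, and the BRUTE chain that counts new connections per source, are illustrated together by the following added example. It is not code from the thread or from the wl500g firmware: the chain here is called SSH_BRUTE and is built with the stock iptables "recent" match to show how such protection works, not how the firmware's own BRUTE chain is implemented. The WAN interface vlan1 and SSH port 24 are taken from the thread; the limit of 5 new connections per 60 seconds and the variable and function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread or the wl500g firmware.
# A post-firewall fragment that (1) can be run any number of times without
# duplicating rules, and (2) rate-limits WAN-side SSH SYNs with an
# ipt_recent ("recent" match) chain. Assumptions: WAN is vlan1, SSH is on
# TCP/24 (both from the thread); 5 SYNs per 60 s and the name SSH_BRUTE are
# chosen for this example. When no iptables binary is present, or when
# IPT="echo iptables" is set, the commands are printed instead of applied.

IPT="${IPT:-$(command -v iptables || echo 'echo iptables')}"
WAN_IF="${WAN_IF:-vlan1}"
SSH_PORT="${SSH_PORT:-24}"
HITS="${HITS:-5}"        # new connections allowed ...
WINDOW="${WINDOW:-60}"   # ... per this many seconds
CHAIN=SSH_BRUTE

# Remove whatever a previous run of this script added, so appending below
# never produces the doubled rules seen in the thread's iptables-save output.
# On the first run there is nothing to delete, so failures are ignored.
reset_rules() {
    $IPT -D INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" --syn -j "$CHAIN" 2>/dev/null || true
    $IPT -D INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT 2>/dev/null || true
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -X "$CHAIN" 2>/dev/null || true
}

# Build the rate-limit chain and hook WAN-side SSH SYNs into it.
build_rules() {
    $IPT -N "$CHAIN"
    # A source already seen HITS times within WINDOW seconds: refresh its
    # timestamp (so it stays blocked while it keeps hammering) and drop.
    $IPT -A "$CHAIN" -m recent --name "$CHAIN" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Anyone else: record the source and hand the packet back to INPUT.
    $IPT -A "$CHAIN" -m recent --name "$CHAIN" --set -j RETURN
    # Order in INPUT matters: the jump into the chain must come before the
    # ACCEPT, and both before the firmware's final DROP, so insert at the top
    # (the ACCEPT first, then the jump above it).
    $IPT -I INPUT 1 -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT
    $IPT -I INPUT 1 -i "$WAN_IF" -p tcp --dport "$SSH_PORT" --syn -j "$CHAIN"
}

# Entry point: idempotent reset followed by a fresh build.
apply_rules() {
    reset_rules
    build_rules
}

apply_rules
```

Saved as the post-firewall script it applies the rules on every run; executed on a machine without iptables, or with IPT="echo iptables", it only prints the iptables commands, which is a convenient way to review the resulting order before deploying.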
great work
I'm going to test it somewhere in the weekend, and I'll let you know what I think
btw... are there any simple programming jobs?
maybe it is a nice opportunity for me to learn some Linux programming; I'm already familiar with C# and some ANSI C for an embedded USB board.