
View the full version : enhancement to rc.diff



majx
10-02-2005, 23:55
To get an IP on the WAN (added the interface name, so we won't get an IP on the internal net) you also have to send out a UDP packet; to be "faster", place it before the DHCP reply,
somewhere at lines 95-108


95 --- router/rc/firewall_ex.c 2004-11-11 10:32:05.000000000 +0300
96 +++ gateway/rc/firewall_ex.c 2004-12-31 19:24:41.000000000 +0300
97 @@ -778,6 +778,14 @@
98 ,logdrop, logaccept, "ACCEPT", lan_if, "ACCEPT");
99 }
100
101+ /* enable incoming packets from broken dhcp servers, which are sending replies
102+ * from addresses other than used for query, this could lead to lower level
103+ * of security, but it does not work otherwise (conntrack does not work) :-(
104 + */
105 + if (nvram_match("wan0_proto", "dhcp") || nvram_match("wan0_proto", "bigpond"))
106+ {
107+ fprintf(fp, "-A INPUT -p udp --sport 67 --dport 68 -j %s\n", logaccept);
108 + }
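Review bot: the INPUT rule on line 107 has no input-interface match, so it accepts any UDP packet with source port 67 and destination port 68 arriving on every interface, LAN included, and the comment on lines 101-103 already concedes that the rule bypasses conntrack; bind it to the WAN interface, e.g. `fprintf(fp, "-A INPUT -i %s -p udp --sport 67 --dport 68 -j %s\n", wan_if, logaccept);`, making sure `wan_if` is in scope at this point the way `lan_if` is on line 98, and add a one-line note in the comment block saying why the interface match is the only remaining restriction.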

Add line BEFORE existing line 107

fprintf(fp, "-A OUTPUT -o %s -p udp --sport 68 --dport 67 -j %s\n", wan_if, logaccept);
change line 107 to (now it's line 108)
fprintf(fp, "-A INPUT -i %s -p udp --sport 67 --dport 68 -j %s\n", wan_if, logaccept);
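As an added example (not code from the firmware's firewall_ex.c or from the patch in this thread), the following C program writes both variants of the DHCP rules into a buffer the way firewall_ex.c writes them into the restore file, and then audits the result for INPUT accept rules that are not bound to an interface, which is the weakness the interface match above removes. The interface name eth1 and the target name logaccept are assumed stand-ins for wan_if and the logaccept target, which differ between builds.

```c
#include <stdio.h>
#include <string.h>

#define RULEBUF 1024

/* Write the DHCP-client rules in the style of firewall_ex.c, but into a
 * string buffer instead of the iptables-restore file. restrict_if == 0
 * emits the hunk's rule as posted (no interface match); restrict_if != 0
 * emits the WAN-bound INPUT rule plus the explicit OUTPUT rule from the
 * follow-up post. Returns the number of rules written. */
static int gen_dhcp_rules(char *buf, size_t len, const char *wan_if,
                          const char *logaccept, int restrict_if)
{
    size_t used = 0;

    if (!restrict_if) {
        snprintf(buf, len, "-A INPUT -p udp --sport 67 --dport 68 -j %s\n",
                 logaccept);
        return 1;
    }
    used += (size_t)snprintf(buf + used, len - used,
                             "-A OUTPUT -o %s -p udp --sport 68 --dport 67 -j %s\n",
                             wan_if, logaccept);
    snprintf(buf + used, len - used,
             "-A INPUT -i %s -p udp --sport 67 --dport 68 -j %s\n",
             wan_if, logaccept);
    return 2;
}

/* Audit a newline-separated rule list: count "-A INPUT" rules whose target is
 * accept_target (or the built-in ACCEPT) and that carry no "-i <iface>" match.
 * Such rules admit matching packets arriving on any interface, LAN included. */
static int count_unbound_input_accepts(const char *rules, const char *accept_target)
{
    int bad = 0;
    const char *p = rules;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t l = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        char target[64] = "";
        const char *j;

        if (l >= sizeof line)
            l = sizeof line - 1;
        memcpy(line, p, l);
        line[l] = '\0';

        if (strncmp(line, "-A INPUT", 8) == 0) {
            j = strstr(line, "-j ");
            if (j)
                sscanf(j + 3, "%63s", target);
            if ((strcmp(target, accept_target) == 0 || strcmp(target, "ACCEPT") == 0)
                && strstr(line, " -i ") == NULL)
                bad++;
        }
        p = nl ? nl + 1 : p + l;
    }
    return bad;
}

/* Convenience wrapper: generate one variant and return how many of its INPUT
 * accept rules are not bound to an interface. "eth1" and "logaccept" are
 * assumed values standing in for wan_if and the logaccept target. */
static int audit_dhcp_variant(int restrict_if)
{
    char buf[RULEBUF];

    gen_dhcp_rules(buf, sizeof buf, "eth1", "logaccept", restrict_if);
    return count_unbound_input_accepts(buf, "logaccept");
}

int main(void)
{
    char buf[RULEBUF];
    int variant;

    for (variant = 0; variant <= 1; variant++) {
        int n = gen_dhcp_rules(buf, sizeof buf, "eth1", "logaccept", variant);
        printf("--- %s (%d rule%s)\n%s", variant ? "WAN-bound" : "as in hunk",
               n, n == 1 ? "" : "s", buf);
        printf("INPUT accepts without -i: %d\n",
               count_unbound_input_accepts(buf, "logaccept"));
    }
    return 0;
}
```

The audit only looks at the generated DHCP rules here, but it accepts any newline-separated rule list, so the same function can be pointed at a full `iptables-save` dump to find every INPUT accept rule that lacks an interface match.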

Oleg
11-02-2005, 09:30
So what? The OUTPUT chain always accepts any packets coming from the device, so why do you want to add an explicit rule?

majx
11-02-2005, 10:18
I'm not an expert on programming, but I am preparing some lines for firewall_ex.c:
I want to add lines which make the default policy DROP (something like a patch?)

These lines will be commented out like:

/* If you want to make it more secure uncomment the following lines
...
*/

and in the existing policy/code, before every insecure piece of code:
/* If you want to make it more secure uncomment the following lines with "/* .... */" */

The code will be bigger, but the resulting file will not really increase in size.
What do you think about that?

mctiew
12-02-2005, 09:21
I'm not an expert on programming, but I am preparing some lines for firewall_ex.c ....


I am wondering why rc has to be C programs; it would be better if they could all be scripts ..... much easier to change and understand.

Cheers

majx
12-02-2005, 11:33
I already mentioned it... it would be good to look for existing config files and use them if they are there (forum link: hardcoded-config (http://wl500g.info/showthread.php?t=1669)).

But I'm not a programmer, I have just started to understand :o C, so I can only change "small" pieces of code but not everything.

About these config files: I think we need something called "pointers" :confused:,
are any programmers out there interested in changing/adding that? :)