
Thread: Firmware v1.8.1.7 CR2 [Oleg] - updated ( CR2a )

  1. #16
    Quote Originally Posted by Styno
    Thanks Oldudu. Will adding users to passwd file work with Samba?
    Hi, I don't know if it should work, but that's a good idea, I will try it later, and tell you the results later.

    Oldudu

  2. #17
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Quote Originally Posted by Styno
    Thanks Oldudu. Will adding users to passwd file work with Samba?
    If you mean adding root - yes, it should work.

  3. #18

    iptables / logfiles

    Quote Originally Posted by Oleg
    This seems to be a bug in the original firmware... Could you please post entire /tmp/filter_rules?
    here it is:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m state --state INVALID -j logdrop
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp -d 84.128.179.237 --dport 21 -j ACCEPT
    -A INPUT -p icmp -d 84.128.179.237 -j ACCEPT
    -A INPUT -j logdrop
    -A FORWARD -m state --state INVALID -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
    -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.252.1 -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -p udp -s 192.168.252.1 -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.252.115 -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -p udp -s 192.168.252.115 -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.252.116 -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -p udp -s 192.168.252.116 -j ACCEPT
    -A FORWARD -i br0 -o ppp0 -j logdrop
    -A FORWARD -i ppp0 -o br0 -p tcp --sport 20:130 -d 192.168.252.1 -j ACCEPT
    -A FORWARD -i ppp0 -o br0 -p tcp -d 192.168.252.1 --dport 20:130 -j ACCEPT
    -A FORWARD -i ppp0 -o br0 -j logdrop
    -A FORWARD -p udp -m udp -d 255.255.255.255 --dport 47624 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 20:21 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 80 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 443 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 5900 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 2506 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 3389 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 30660 -j ACCEPT
    -A FORWARD -p udp --dport 6112 -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT

    Without the added rules for ports 20:130 the logdrop lines will receive all traffic and I couldn't get a connection. All rules after the logdrop are added by the virtual server web page, but will never be executed because of
    -A FORWARD -i ppp0 -o br0 -j logdrop
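
Added example, not part of the original post or of the firmware: a small Python check that reads rules in the format of the /tmp/filter_rules dump above and lists the rules that traffic for one interface pair can never reach, because an earlier interface-only rule already ends processing. The function names and the shortened rule excerpt are assumptions made for the illustration; `!` negation and nested user chains are not handled.

```python
import shlex

# Shortened excerpt of the /tmp/filter_rules dump posted above (constructed sample).
SAMPLE = """\
*filter
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j logdrop
-A FORWARD -i ppp0 -o br0 -p tcp -d 192.168.252.1 --dport 20:130 -j ACCEPT
-A FORWARD -i ppp0 -o br0 -j logdrop
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 3389 -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP"
-A logdrop -j DROP
COMMIT
"""

def parse_rules(text):
    """Map chain name -> [(rule text, target, {option: [values]})]."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue                      # table header, policy line, COMMIT
        opts, key = {}, None
        for t in tok[2:]:
            if t.startswith("-"):
                key = t
                opts[key] = []
            elif key:
                opts[key].append(t)
        target = (opts.pop("-j", None) or [None])[0]
        chains.setdefault(tok[1], []).append((line.strip(), target, opts))
    return chains

def shadowed(chains, chain, in_if, out_if):
    """Return (blocking rule, rules after it that in_if -> out_if never reaches)."""
    term = {"ACCEPT", "DROP", "REJECT"}
    # A user chain with an unconditional ACCEPT/DROP (e.g. logdrop) is terminal too.
    term |= {n for n, rs in chains.items()
             if any(not o and t in term for _, t, o in rs)}
    flow = {"-i": [in_if], "-o": [out_if]}
    blocker, dead = None, []
    for text, target, opts in chains.get(chain, []):
        if any(opts.get(k, v) != v for k, v in flow.items()):
            continue                      # rule is for another interface pair
        if blocker:
            dead.append(text)
        elif target in term and set(opts) <= set(flow):
            blocker = text                # matches on interfaces only, then stops
    return blocker, dead

if __name__ == "__main__":
    blocker, dead = shadowed(parse_rules(SAMPLE), "FORWARD", "ppp0", "br0")
    print("blocked by:", blocker)
    print("\n".join("unreachable: " + r for r in dead))
```

Run against a saved copy of the full dump, the same call reports every virtual-server rule that follows the `-i ppp0 -o br0` catch-all.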

  4. #19
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Well, firewall between WAN & LAN is broken... Don't know why ASUS has done this in this way...
    Do you need it at all?

    Edit: fixed.
    Last edited by Oleg; 20-10-2004 at 18:23.

  5. #20
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    I have some problems understanding the new layout of flashfs partition and how the boot script handles it:

    As an example I will use /etc/smb.conf. On your wl500g.dyndns.org page you state:
    once you've made the changes to the ramfs system (/usr/local/ is now also mapped to ramfs), you need to launch a special command to store modified files permanently in the flash. During the next boot wl500g will extract these files for you. So, you can store whatever you need just like in a real non-volatile file system. Consider using /usr/local/etc for files which normally reside in /etc, /usr/local/sbin for "ASUS style" init scripts and /usr/local/sbin for executable files/scripts
    As I understand it, any file in /usr/local/etc will be placed in /etc at boottime. This was working fine and dandy in firmware 1.7.5.9 CR5.

    Now comes the confusing part:
    I've copied /etc/smb.conf to /usr/local/etc/smb.conf, edited the file and saved it using 'flashfs save' and 'flashfs commit'. After reboot the /etc/smb.conf appears unchanged, but if I view the /usr/local/etc/smb.conf file I can clearly see the changes.

    What am I doing wrong here?

  6. #21
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    Quote Originally Posted by Oleg
    Not yet. Try redirecting the output using something like this:

    Code:
    busybox_httpd ... > /tmp/log 2>&1
    and check it after boot-up. Also, be sure you've #!/bin/sh at the top.
    I did the test and the result is:
    Code:
    cat log
    busybox_httpd: can`t chdir to /tmp/harddisk/wwwroot: No such file or directory
    It appears that the USB HDD is not mounted yet when running 'post-boot'...I think it should be.

  7. #22
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Quote Originally Posted by Styno
    As an example I will use /etc/smb.conf. On your wl500g.dyndns.org page you state:

    As I understand it, any file in /usr/local/etc will be placed in /etc at boottime. This was working fine and dandy in firmware 1.7.5.9 CR5.
    No, this never works this way. You just need to add /etc/smb.conf to the list of files (i.e. /usr/local/.files). You may want to check /sbin/flashfs - it's a shell script, and it's called as "flashfs start" on boot.

  8. #23
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Quote Originally Posted by Styno
    I did the test and the result is:
    Code:
    cat log
    busybox_httpd: can`t chdir to /tmp/harddisk/wwwroot: No such file or directory
    It appears that the USB HDD is not mounted yet when running 'post-boot'...I think it should be.
    Ok, I knew the answer. This is new asus know-how. They're mounting disks from the watchdog which runs once per second or so... Mount it manually or add sleep.

  9. #24
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    Quote Originally Posted by Oleg
    No, this never works this way. You just need to add /etc/smb.conf to the list of files (i.e. /usr/local/.files). You may want to check /sbin/flashfs - it's a shell script, and it's called as "flashfs start" on boot.
    Oh yes, I was being really dumb there. Thanks for pointing it out. I'm back on track with this now.

    Quote Originally Posted by Oleg
    Ok, I knew the answer. This is new asus know-how. They're mounting disks from the watchdog which runs once per second or so... Mount it manually or add sleep.
    OMG, that's a weird decision Asus made there. That makes the boot scripts not very reliable when USB HDD is involved...

    I'll try to add some lines to post-boot script to let it wait for the disk to come online for a maximum of one minute or so. If not, the boot script will continue.
    Last edited by Styno; 20-10-2004 at 22:03.

  10. #25

    iptables

    Hi!

    trying to add:

    iptables -t nat -I PREROUTING -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080

    via telnet, here's the output I received:

    iptables v1.2.7a: host/network `' not found
    Try `iptables -h' or 'iptables --help' for more information.

    Could someone explain to me what's wrong?

  11. #26
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308

    Let post-boot script wait for HDD to become mounted

    The following code can be put in the post-boot script. This will delay further booting (up to 30 seconds) in order to let the watchdog mount your HDD. Once the script detects the HDD, it will resume booting. Enjoy!
    Code:
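    # Wait for the watchdog to mount the USB HDD before continuing.
    i=0
    while [ $i -le 30 ]; do
    	# This directory only exists once the disk is mounted.
    	if [ -d /tmp/harddisk/ftp_pub ] ; then
    		break
    	fi
    	sleep 1
    	i=$(($i + 1))
    done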
    BTW. this is my first shell script for Linux ever! It took me 2 hours but, boy, am I proud...

    My tests show that the HDD is mounted approximately 10 seconds after the post-boot script is called.

  12. #27
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Quote Originally Posted by Styno
    BTW. this is my first shell script for Linux ever! It took me 2 hours but, boy, am I proud...
    Congratulations to you.

  13. #28
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    Quote Originally Posted by Spot
    Hi!

    trying to add:

    iptables -t nat -I PREROUTING -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080

    via telnet, here's the output I received:

    iptables v1.2.7a: host/network `' not found
    Try `iptables -h' or 'iptables --help' for more information.

    Could someone explain to me what's wrong?
    The "$2" parameters are only valid when using it in post-firewall script. When running from command-line you should use the ethernet device instead, e.g. 'eth1'.

  14. #29
    Join Date
    Jun 2004
    Location
    Germany / NRW
    Posts
    42
    Is it possible to config a separate Firewall for W-LAN and LAN?

  15. #30
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    Quote Originally Posted by Holli
    Is it possible to config a separate Firewall for W-LAN and LAN?
    If you've read this thread you would have found:
    Quote Originally Posted by Oleg
    Well, firewall between WAN & LAN is broken... Don't know why ASUS has done this in this way...
