If you mean adding root - yes, it should work.
Hi, I don't know if it should work, but that's a good idea, I will try it later, and tell you the results later.
Oldudu
here it is:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -d 84.128.179.237 --dport 21 -j ACCEPT
-A INPUT -p icmp -d 84.128.179.237 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.252.1 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -p udp -s 192.168.252.1 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.252.115 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -p udp -s 192.168.252.115 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -p tcp -s 192.168.252.116 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -p udp -s 192.168.252.116 -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j logdrop
-A FORWARD -i ppp0 -o br0 -p tcp --sport 20:130 -d 192.168.252.1 -j ACCEPT
-A FORWARD -i ppp0 -o br0 -p tcp -d 192.168.252.1 --dport 20:130 -j ACCEPT
-A FORWARD -i ppp0 -o br0 -j logdrop
-A FORWARD -p udp -m udp -d 255.255.255.255 --dport 47624 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 20:21 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 5900 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 2506 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 3389 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 30660 -j ACCEPT
-A FORWARD -p udp --dport 6112 -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
Without the added rules for ports 20:130 the logdrop lines will receive all traffic and I couldn't get a connection. All rules after the logdrop are added by the virtual server web page, but will never be executed because of
-A FORWARD -i ppp0 -o br0 -j logdrop
Well, firewall between WAN & LAN is broken... Don't know why ASUS has done this in this way...
Do you need it at all?
Edit: fixed.
Last edited by Oleg; 20-10-2004 at 18:23.
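As an added example (not code from the thread or from the firmware): a small POSIX shell audit that reads an iptables-save style dump and reports the FORWARD rules placed after the unconditional "-i ppp0 -o br0 -j logdrop", together with the position at which a post-firewall script would have to insert an ACCEPT for it to be evaluated before the catch-all. The ruleset below is a constructed excerpt modelled on the one posted above; the chain and interface names are taken from it.

```shell
#!/bin/sh
# Added example: find FORWARD rules shadowed by the WAN->LAN catch-all drop.
# RULESET is a constructed excerpt in iptables-save format, modelled on the
# ruleset posted in the thread (same chain, interface and address names).
RULESET='*filter
:FORWARD ACCEPT [0:0]
:logdrop - [0:0]
-A FORWARD -i br0 -o ppp0 -j logdrop
-A FORWARD -i ppp0 -o br0 -p tcp -d 192.168.252.1 --dport 20:130 -j ACCEPT
-A FORWARD -i ppp0 -o br0 -j logdrop
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.252.1 --dport 443 -j ACCEPT
-A logdrop -j DROP
COMMIT'

# shadowed_rules RULESET
# Prints every FORWARD rule that appears after the unconditional
# "-i ppp0 -o br0 -j logdrop" line: inbound WAN traffic is dropped before
# those rules are ever consulted.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD -i ppp0 -o br0 -j logdrop$/ { seen = 1; next }
        seen && /^-A FORWARD / { print }
    '
}

# catchall_position RULESET
# Prints the 1-based index of the catch-all within the FORWARD chain. That
# is the rule number to give "iptables -I FORWARD <n> ..." so that an added
# port-forward ACCEPT is evaluated ahead of the drop.
catchall_position() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / { n++ }
        /^-A FORWARD -i ppp0 -o br0 -j logdrop$/ { print n; exit }
    '
}

main() {
    echo "FORWARD rules shadowed by the catch-all logdrop:"
    shadowed_rules "$RULESET"
    pos=$(catchall_position "$RULESET")
    echo "Catch-all is FORWARD rule #$pos; a post-firewall script would insert ahead of it with:"
    echo "  iptables -I FORWARD $pos -p tcp -d 192.168.252.1 --dport 80 -j ACCEPT"
}
main
```

Run against a real dump with `iptables-save` piped into the functions instead of the constructed string; any rule the audit lists is dead weight on the router and a sign that the web page's virtual-server entries are not doing what the user expects.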
I have some problems understanding the new layout of the flashfs partition and how the boot script handles it:
As an example I will use /etc/smb.conf. On your wl500g.dyndns.org page you state:
Once you've made the changes to the ramfs system (/usr/local/ now also mapped to ramfs), you need to launch a special command to store modified files permanently in the flash. During the next boot wl500g will extract these files for you. So, you can store whatever you need just like in a real non-volatile file system. Consider using /usr/local/etc for files which normally reside in /etc, /usr/local/sbin for "ASUS style" init scripts and /usr/local/sbin for executable files/scripts.

As I understand it, any file in /usr/local/etc will be placed in /etc at boot time. This was working fine and dandy in firmware 1.7.5.9 CR5.
Now comes the confusing part:
I've copied /etc/smb.conf to /usr/local/etc/smb.conf, edited the file and saved it using 'flashfs save' and 'flashfs commit'. After reboot the /etc/smb.conf appears unchanged, but if I view the /usr/local/etc/smb.conf file I can clearly see the changes.
What am I doing wrong here?
I did the test and the result is:
It appears that the USB HDD is not mounted yet when running 'post-boot'... I think it should be.
Code:
cat log
busybox_httpd: can`t chdir to /tmp/harddisk/wwwroot: No such file or directory
No, this never works this way. You just need to add /etc/smb.conf to the list of files (i.e. /usr/local/.files). You may want to check /sbin/flashfs - it's a shell script, and it's called as "flashfs start" on boot.
Ok, I knew the answer. This is new asus know-how. They're mounting disks from the watchdog which runs once per second or so... Mount it manually or add sleep.
Oh yes, I was being really dumb there. Thanks for pointing it out. I'm back on track with this now.
OMG, that's a weird decision Asus made there. That makes the boot scripts not very reliable when a USB HDD is involved...
I'll try to add some lines to post-boot script to let it wait for the disk to come online for a maximum of one minute or so. If not, the boot script will continue.
Last edited by Styno; 20-10-2004 at 22:03.
Hi!
trying to add:
iptables -t nat -I PREROUTING -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
via telnet, here's the output I received:
iptables v1.2.7a: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
Could someone explain to me what's wrong?
The following code can be put in the post-boot script. This will delay further booting (up to 30 seconds) in order to let the watchdog mount your HDD. Once the script detects the HDD, it will resume booting. Enjoy!
BTW, this is my first shell script for Linux ever! It took me 2 hours but, boy, am I proud...
Code:
# wait up to 30 seconds for the watchdog to mount the USB disk
i=0
while [ $i -le 30 ]; do
    if [ -d /tmp/harddisk/ftp_pub ]; then
        break
    fi
    sleep 1
    i=$((i + 1))
done
My tests show that the HDD is mounted approximately 10 seconds after the post-boot script is called.
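An added example (not the post's own script, and not firmware code) of the same wait written as reusable functions for a post-boot script in /usr/local/sbin. It checks /proc/mounts for the mount point instead of testing for a directory, since the mount-point directory can exist on the ramfs before the watchdog has mounted the disk, and it returns a status so the caller can decide whether to start disk-dependent services. The mount point /tmp/harddisk and the 30 second limit are taken from the thread; the file-name guard at the bottom is an assumption of this example.

```shell
#!/bin/sh
# Added example: wait for the watchdog-mounted USB disk before starting
# services that live on it. Not the post's own script.

MOUNT_POINT=/tmp/harddisk   # mount point used in the thread
MAX_WAIT=30                 # seconds, same limit as the posted script

# is_mounted MOUNT_POINT [MOUNTS_FILE]
# Returns 0 when some line of the mounts table has MOUNT_POINT as its
# second field. MOUNTS_FILE defaults to /proc/mounts; a constructed
# table can be passed for testing.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# wait_for_mount MOUNT_POINT MAX_SECONDS [MOUNTS_FILE]
# Polls once per second. Returns 0 as soon as the mount appears and 1 on
# timeout, so boot continues either way but the caller knows the outcome.
wait_for_mount() {
    i=0
    while [ "$i" -lt "$2" ]; do
        if is_mounted "$1" "$3"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

main() {
    if wait_for_mount "$MOUNT_POINT" "$MAX_WAIT"; then
        echo "$MOUNT_POINT is mounted, starting disk-dependent services"
        # e.g. busybox httpd -h "$MOUNT_POINT/wwwroot"   (assumed service)
    else
        echo "$MOUNT_POINT not mounted after ${MAX_WAIT}s, continuing boot without it" >&2
    fi
}

# Assumption of this example: the wait only runs when the file is installed
# as the post-boot script; sourcing it elsewhere just defines the functions.
case "${0##*/}" in
    post-boot) main ;;
esac
```

The directory test in the posted script works because ftp_pub lives on the disk itself; the /proc/mounts check gives the same answer without depending on a particular directory existing, and logging the timeout to stderr leaves a trace in the boot log when the disk never shows up.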
Congratulations to you.
The "$2" parameters are only valid when using it in the post-firewall script. When running from the command line you should use the ethernet device instead, e.g. 'eth1'.
Is it possible to config a separate Firewall for W-LAN and LAN?
If you've read this thread you would have found: