home-assistant / addons

:heavy_plus_sign: Docker add-ons for Home Assistant
https://home-assistant.io/hassio/
Apache License 2.0

OTBR Firewall issue #3179

Closed ninowd closed 11 months ago

ninowd commented 1 year ago

Describe the issue you are experiencing

This is the original from "/usr/share/hassio/addons/core/openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run" which does not work!

ip6tables -N $otbr_forward_ingress_chain
ip6tables -I FORWARD 1 -o $thread_if -j $otbr_forward_ingress_chain

ip6tables -A $otbr_forward_ingress_chain -m pkttype --pkt-type unicast -i ${thread_if} -j DROP
ip6tables -A $otbr_forward_ingress_chain -m set --match-set otbr-ingress-deny-src src -j DROP
ip6tables -A $otbr_forward_ingress_chain -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
ip6tables -A $otbr_forward_ingress_chain -m pkttype --pkt-type unicast -j DROP
ip6tables -A $otbr_forward_ingress_chain -j ACCEPT

ip6tables -N $otbr_forward_egress_chain
ip6tables -I FORWARD 2 -i $thread_if -j $otbr_forward_egress_chain
ip6tables -A $otbr_forward_egress_chain -j ACCEPT

This is the original from the "OpenThread website" which works:

ip6tables -N $OTBR_FORWARD_INGRESS_CHAIN
ip6tables -I FORWARD 1 -o $THREAD_IF -j $OTBR_FORWARD_INGRESS_CHAIN

ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m pkttype --pkt-type unicast -i $THREAD_IF -j DROP
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m set --match-set otbr-ingress-deny-src src -j DROP
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m pkttype --pkt-type unicast -j DROP
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -j ACCEPT

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Almond

What is the version of the add-on?

Current version: 2.3.1

Steps to reproduce the issue

  1. Changed it, then it works.
  2. Changed it back and it was not working again.
  3. ...

System Health information

System Information

version core-2023.8.2
installation_type Home Assistant Supervised
dev false
hassio true
docker true
user root
virtualenv false
python_version 3.11.4
os_name Linux
os_version 5.10.160-rk35xx
arch aarch64
timezone Europe/Berlin
config_dir /config
Home Assistant Cloud
logged_in false
can_reach_cert_server ok
can_reach_cloud_auth ok
can_reach_cloud ok

Home Assistant Supervisor
host_os Armbian 23.08.0-trunk bookworm
update_channel beta
supervisor_version supervisor-2023.08.1
agent_version 1.5.1
docker_version 24.0.5
disk_total 907.9 GB
disk_used 8.0 GB
healthy true
supported failed to load: Unsupported
supervisor_api ok
version_api ok
installed_addons Studio Code Server (5.10.0), Portainer (2.18.4), Matter Server (4.9.0), OpenThread Border Router (2.3.1)

Dashboards
dashboards 1
resources 0
mode auto-gen

Recorder
oldest_recorder_run 12. August 2023 um 08:54
current_recorder_run 16. August 2023 um 20:28
estimated_db_size 4.09 MiB
database_engine sqlite
database_version 3.41.2

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response

agners commented 1 year ago

This is the original from "/usr/share/hassio/addons/core/openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run" which does not work!

Can you elaborate? What does not work?

The additional egress lines just accept forwarding everything from the Thread network to the outside world. This shouldn't prevent any packet flow, if anything, it should allow packets to flow from the Thread interface in all cases.
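To make the difference between the two quoted rule sets concrete, here is an added model (not code from the add-on, the OpenThread project or either commenter) that walks a forwarded packet through the chains rule by rule; the interface name `wpan0`, the set contents and the addresses are constructed for the example.

```python
# Added example: a minimal model of the ip6tables FORWARD chains quoted in this
# issue. "Ingress" here follows OTBR's naming: traffic entering the Thread
# network (-o thread_if); "egress" is traffic leaving it (-i thread_if).
from dataclasses import dataclass, field

THREAD_IF = "wpan0"  # assumed Thread interface name (constructed)


@dataclass
class Packet:
    in_if: str     # interface the packet arrived on
    out_if: str    # interface the packet will be forwarded out of
    pkttype: str   # "unicast", "multicast" or "broadcast" (ip6tables -m pkttype)
    src: str
    dst: str


@dataclass
class IpSets:
    deny_src: set = field(default_factory=set)   # ipset otbr-ingress-deny-src
    allow_dst: set = field(default_factory=set)  # ipset otbr-ingress-allow-dst


def ingress_chain(p: Packet, s: IpSets) -> tuple:
    """Evaluate the ingress chain in rule order; return (verdict, matched rule)."""
    if p.pkttype == "unicast" and p.in_if == THREAD_IF:
        return "DROP", "unicast looping Thread -> Thread"
    if p.src in s.deny_src:
        return "DROP", "src in otbr-ingress-deny-src"
    if p.dst in s.allow_dst:
        return "ACCEPT", "dst in otbr-ingress-allow-dst"
    if p.pkttype == "unicast":
        return "DROP", "unicast to Thread, dst not on allow list"
    return "ACCEPT", "non-unicast (multicast/broadcast) catch-all"


def egress_chain(p: Packet, s: IpSets) -> tuple:
    """The add-on's egress chain is a single unconditional ACCEPT."""
    return "ACCEPT", "egress chain accepts everything leaving Thread"


def forward(p: Packet, s: IpSets, with_egress_chain: bool = True) -> tuple:
    """FORWARD rule 1 jumps on the out-interface, rule 2 on the in-interface."""
    if p.out_if == THREAD_IF:
        return ingress_chain(p, s)
    if with_egress_chain and p.in_if == THREAD_IF:
        return egress_chain(p, s)
    return "POLICY", "no chain matched; FORWARD default policy applies"
```

Running a LAN-to-Thread unicast whose destination is not in `otbr-ingress-allow-dst` through `forward()` shows that the ingress chain drops it, while any Thread-to-LAN packet is accepted by the egress chain and only falls through to the FORWARD policy when that chain is absent.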

ninowd commented 1 year ago

I was able to connect to the Thread network, but I can't connect to the Matter server via the "Android Home Assistant APK" with an ESP32-C6.

Then I set the "OTBR firewall" to off and it works without needing a "Matter hub".

agners commented 1 year ago

And when you used the original firewall configuration it worked?

What hardware/host system are you on?

Also, I had sporadic onboarding troubles with Espressif devices before. Did you try multiple times with both configurations?

github-actions[bot] commented 12 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.