libremesh / libremesh.github.io

LibreMesh web site using Jekyll
http://libremesh.org/

Stop deprecating OpenWrt's firewall package #139

Closed ilario closed 1 year ago

ilario commented 3 years ago

See discussion on https://github.com/libremesh/lime-packages/issues/280

G10h4ck commented 3 years ago

Every time I have tested building with OpenWrt firewall bundled in, and flashed it in real-world networks, I ended up with a hurdle of problems, and debugging them rapidly ended up in some weird interaction between OpenWrt firewall, which is designed around a home gateway setup, and how the packets flow in a mesh. So I am against stopping suggesting to remove the firewall package, and for keeping compatibility as much as possible both with plain iptables and OpenWrt firewall.

ilario commented 3 years ago

Which are the problematic rules? https://github.com/openwrt/openwrt/blob/master/package/network/config/firewall/files/firewall.config

ilario commented 3 years ago

@G10h4ck hint for answering: none is problematic.

ilario commented 1 year ago

Update on this: since OpenWrt 22.03, firewall4 is now the default choice, and the default rules are these:

https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/etc/config/firewall;hb=HEAD

I went through the rules; they can be summarized as:

- Allow everything out
- Allow everything in forwarding
- Block everything incoming from the WAN port
- Create a lot of exceptions for the previous rule

So I hold my opinion also for firewall4: it should be ok with LibreMesh.

ilario commented 1 year ago

We could document how to easily enable the SSH port on the WAN, or enable it by default and document how to disable it, see discussion on libremesh/lime-packages#280

Another reason for blocking the 80 and 443 ports is that when FirstBootWizard is used, it spreads the hash of the root password via a file accessible via HTTP on http://thisnode.info/cgi-bin/lime/lime-community

https://github.com/libremesh/lime-packages/blob/8b54080ff47554028eec6aa9325e70ab064128af/packages/lime-system/files/usr/lib/lua/lime/utils.lua#L360

https://github.com/libremesh/lime-packages/blob/2289487914b9488669acd5b62a51bde5f4700abc/packages/first-boot-wizard/files/www/cgi-bin/lime/lime-community

There are reports of people using WAN-WAN connections for limiting the broadcast traffic going across this link @nicopace, for example if they use this link for connecting two clouds. This at first sight seems a very bad idea (see my comments on libremesh/lime-packages#280), but actually the LAN-LAN connections can carry more broadcast (supposing that WAN and LAN are not in the same bridge, something that I don't remember) even if the batman-adv clouds are on different VLANs. If we don't find a better way to do the same, we could support and document the usage of WAN-WAN connections. Which rules would be needed in this case?

ilario commented 1 year ago

Answering @G10h4ck here: https://github.com/libremesh/lime-packages/pull/959#issuecomment-1429783892

Ilario: why was the WAN interface added to bat0? With the current code, there are interfaces like eth0-2_29 (a VLAN created on top of the WAN) being added to bat0, but this sounds useless and unsafe to me. So I did not add the WAN interface to bat0, but only LAN ones.

G10h4ck: It is not useless, and not dangerous, please keep this behaviour unchanged, so keep the wan interface used for mesh too by default

Ilario: Ok, anyway the firewall will block it, so ok.

G10h4ck: Also because of that it should not be installed :-p

The people who need the WAN-WAN mesh connections should just add one line of configuration for allowing the connections on that port, configuring the firewall, as suggested in the discussion above. Obviously, we need to document that.

ilario commented 1 year ago

> Another reason for blocking the 80 and 443 ports is that when FirstBootWizard is used, it spreads the hash of the root password via a file accessible via HTTP on http://thisnode.info/cgi-bin/lime/lime-community

This specific thing is commented more in detail here: https://github.com/libremesh/lime-packages/issues/849

ilario commented 1 year ago

I added the documentation in https://github.com/libremesh/libremesh.github.io/commit/ab7491f3cb055b371ead17b7cf573f812843a17e

I specified both how to connect via SSH from the WAN port (opening port 22) and how to open it completely for WAN-WAN connections.

Please, people using WAN-WAN connections, can you confirm that the documentation is correct? Maybe @nicopace @nicoechaniz @altergui @G10h4ck @spiccinini ?

In the meantime, for the rest of the users I am sure it is better to have the firewall up (see the conversation above), can we merge this?
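Added example for this thread (Python, not code from the LibreMesh or OpenWrt projects), serving both the rule summary earlier in the thread and the two documented options (a rule opening port 22 on the WAN, or opening the WAN zone input completely for WAN-WAN links). It parses a constructed, trimmed firewall4-style `/etc/config/firewall` in UCI syntax and reports what the WAN zone accepts on input, flagging in particular whether ports 80/443, and with them the `lime-community` file, are reachable from the WAN. The sample config, the rule semantics assumed in the comments (a `rule` with `src` and no `dest` is an input rule; only an enabled rule with an explicit `target 'ACCEPT'` opens anything), and all function names are this example's own.

```python
# Added example, not LibreMesh/OpenWrt code. Audits a UCI firewall config for WAN exposure.
# Assumed rule semantics: 'src' without 'dest' is an input rule; only enabled ACCEPT rules open ports.
import copy
import re

# Constructed sample modelled on the summarized firewall4 defaults, plus the documented SSH-on-WAN rule.
SAMPLE_FIREWALL = """
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option dest_port '68'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTP-WAN'
    option src 'wan'
    option dest_port '80 443'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
"""

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def _unquote(value):
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"" else value


def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'options'}; 'list' keys become Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m or (m.group(1) != "config" and not sections):
            raise ValueError("unparseable UCI line: %r" % raw)
        kind, key, rest = m.group(1), m.group(2), _unquote(m.group(3) or "")
        if kind == "config":
            sections.append({"type": key, "name": rest or None, "options": {}})
        elif kind == "option":
            sections[-1]["options"][key] = rest
        else:
            sections[-1]["options"].setdefault(key, []).append(rest)
    return sections


def _ports(spec):
    """Expand a dest_port value ('22', '80 443', '5000-5002', or a list) into a set of ints."""
    if spec is None:
        return set()
    ports = set()
    for item in (spec if isinstance(spec, list) else spec.split()):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), (int(hi) if hi else int(lo)) + 1))
    return ports


def wan_exposure(sections, wan_zone="wan"):
    """Report the WAN zone's input policy and every enabled ACCEPT input rule coming from it."""
    zones = [s for s in sections if s["type"] == "zone" and s["options"].get("name") == wan_zone]
    if not zones:
        raise ValueError("no zone named %r" % wan_zone)
    defaults = next((s["options"] for s in sections if s["type"] == "defaults"), {})
    policy = zones[0]["options"].get("input", defaults.get("input", "REJECT")).upper()
    rules, ports = [], set()
    for s in sections:
        o = s["options"]
        if (s["type"] != "rule" or o.get("src") != wan_zone or "dest" in o
                or o.get("enabled", "1") == "0" or o.get("target", "").upper() != "ACCEPT"):
            continue
        rules.append(o.get("name", "<unnamed>"))
        ports |= _ports(o.get("dest_port"))
    # If 80/443 are reachable from the WAN, the lime-community file (root password hash) is too.
    return {"wan_input_policy": policy, "wan_accept_rules": rules, "wan_open_ports": sorted(ports),
            "web_reachable_from_wan": policy == "ACCEPT" or bool({80, 443} & ports)}


def set_zone_input(sections, zone_name, policy):
    """Copy of the sections with one zone's input policy changed (the 'open it completely' WAN-WAN variant)."""
    out = copy.deepcopy(sections)
    for s in out:
        if s["type"] == "zone" and s["options"].get("name") == zone_name:
            s["options"]["input"] = policy
    return out
```

Run `wan_exposure(parse_uci(SAMPLE_FIREWALL))` to see the SSH-on-WAN variant (input policy REJECT, ports 22 and 68 open, web not reachable; the disabled HTTP rule is ignored), and `wan_exposure(set_zone_input(parse_uci(SAMPLE_FIREWALL), "wan", "ACCEPT"))` for the WAN-WAN variant, where everything, port 80 included, is reachable from the WAN, which is the trade-off the documentation has to spell out.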