[ale] Firewall convo
Derek Atkins
derek at ihtfp.com
Fri Apr 10 16:33:08 EDT 2020
Hi,
On Fri, April 10, 2020 4:25 pm, Robert Story wrote:
[snip]
> Sorry, I wasn't clear. Using their GUI or CLI tools are fine. I mean
> that if you edit files yourself (eg /etc/network/interfaces) or make
> local modifications (maybe iptables rules), those changes will likely
> be overwritten on reboot or when their GUI/CLI tools are used to modify
> something that will regenerate those files..
Ah, yes, that's definitely true. Any changes you make outside the /config
directory will not last beyond a reboot. Having said that, you CAN write
a shell script that will re-introduce your changes upon reboot, and I've
used that method myself to deal with certain shortcomings of the Unifi
firmware.
For example, unifi does not handle IPv6 source-based routing for IPv6
through its default configuration, but you can configure it through the
Linux interfaces. So I wrote a script that is stored in
/config/scripts/post-config.d/ that edits /etc/iproute2/rt_tables and then
runs a bunch of "ip -6" commands to set up my route and routes. Works
great for me, but it does make it a tad harder to manage vs using the GUI
interface.
> My point was that if you prefer shell access over GUI, with the ER-X
> (and openWRT too) you have to learn what you can safely modify just
> like any other Linux system and what you need to modify using
> non-standard commands for that system.
Yes, I agree with that. But once you learn what you can modify safely and
the tricks for how to modify everything else, you can script it all up
just fine! :)
> Robert
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
More information about the Ale
mailing list