[ale] Firewall convo

Derek Atkins derek at ihtfp.com
Fri Apr 10 16:33:08 EDT 2020


Hi,

On Fri, April 10, 2020 4:25 pm, Robert Story wrote:
[snip]
> Sorry, I wasn't clear. Using their GUI or CLI tools is fine. I mean
> that if you edit files yourself (e.g. /etc/network/interfaces) or make
> local modifications (maybe iptables rules), those changes will likely
> be overwritten on reboot or when their GUI/CLI tools are used to modify
> something that will regenerate those files.

Ah, yes, that's definitely true.  Any changes you make outside the /config
directory will not last beyond a reboot.  Having said that, you CAN write
a shell script that will re-introduce your changes upon reboot, and I've
used that method myself to deal with certain shortcomings of the Unifi
firmware.

For example, unifi does not handle IPv6 source-based routing for IPv6
through its default configuration, but you can configure it through the
Linux interfaces.  So I wrote a script that is stored in
/config/scripts/post-config.d/ that edits /etc/iproute2/rt_tables and then
runs a bunch of "ip -6" commands to set up my route and routes.  Works
great for me, but it does make it a tad harder to manage vs using the GUI
interface.

> My point was that if you prefer shell access over GUI, with the ER-X
> (and openWRT too) you have to learn what you can safely modify just
> like any other Linux system and what you need to modify using
> non-standard commands for that system.

Yes, I agree with that.  But once you learn what you can modify safely and
the tricks for how to modify everything else, you can script it all up
just fine!  :)

> Robert

-derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
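A boot-time script of the kind described in the message above, written here as an added example (not Derek's script and not Ubiquiti's code); the /config/scripts/post-config.d/ location and the /etc/iproute2/rt_tables edit are the ones named in the thread, while the table name and id, source prefix, next hop and interface are placeholder assumptions. Because EdgeOS re-runs such a script after every boot and every commit, the example makes each step idempotent so repeated runs do not accumulate duplicate table entries, rules or routes.

```shell
#!/bin/sh
# Added example, not the script from the thread. Lives in
# /config/scripts/post-config.d/ so EdgeOS re-runs it after every boot and
# every GUI/CLI commit that regenerates /etc files; every step is idempotent.
# Placeholder assumptions: table wan2v6/200, prefix 2001:db8:2::/48,
# next hop fe80::1 on eth1. Adjust for your own setup.
set -eu

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
TABLE_ID=${TABLE_ID:-200}
TABLE_NAME=${TABLE_NAME:-wan2v6}
SRC_PREFIX=${SRC_PREFIX:-2001:db8:2::/48}
GATEWAY=${GATEWAY:-fe80::1}
DEV=${DEV:-eth1}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the ip commands instead of running them

# Append "<id> <name>" to an rt_tables file only if that exact entry is absent.
ensure_rt_table() {
    if grep -Eq "^[[:space:]]*${2}[[:space:]]+${3}([[:space:]]|\$)" "$1"; then
        return 0
    fi
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# Number of matching entries; a correct run leaves exactly one.
count_rt_table() {
    grep -Ec "^[[:space:]]*${2}[[:space:]]+${3}([[:space:]]|\$)" "$1" || true
}

run_ip() {
    if [ "$DRY_RUN" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# Policy routing: packets sourced from SRC_PREFIX consult TABLE_NAME, whose
# default route points at GATEWAY on DEV. "del ... || true" then "add", and
# "route replace", keep the rule and route single even on repeated runs.
apply_v6_policy_routing() {
    run_ip -6 rule del from "$SRC_PREFIX" lookup "$TABLE_NAME" 2>/dev/null || true
    run_ip -6 rule add from "$SRC_PREFIX" lookup "$TABLE_NAME" priority 1000
    run_ip -6 route replace default via "$GATEWAY" dev "$DEV" table "$TABLE_NAME"
}

main() {
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME"
    apply_v6_policy_routing
}

# Apply only on the router itself (where the EdgeOS /config tree exists); on
# any other host the functions can be exercised against a scratch rt_tables.
if [ -d /config/scripts/post-config.d ]; then main; fi
```

Running it with DRY_RUN=1 prints the three ip commands instead of executing them, which is a convenient way to review what the script would change before installing it.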


