Ticket #74 (closed Bug report: fixed)

Opened 14 years ago

Last modified 12 years ago

Gateway doesn't properly firewall off ports other than 80

Reported by: benoitg Owned by:
Priority: blocker Milestone: Gateway 1.1.3
Component: Gateway Version: Gateway SVN
Keywords: Cc:

Description (last modified by benoitg)

Test case: access https://sf.net without authenticating.

This bug is NOT caused by the fix to #65

The problem is either that wifidog doesn't explicitly drop packets that do not match any of its allow conditions, or that it inserts its rules in the wrong order.

If you have a default policy of accept, everything will go through (except port 80). This is not what is supposed to happen.

The default configuration of OpenWRT is susceptible to this problem. See FAQ for a workaround.
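The two failure modes named in the description (no explicit catch-all drop, and a drop inserted ahead of the allow rules) are easiest to see against a model of netfilter's first-match evaluation. The following is an added example, not wifidog's own firewall code: a tiny chain walker with a constructed FORWARD -> Known -> Unknown layout, constructed addresses (192.0.2.10 for the auth server, 198.51.100.7 standing in for sf.net), and four rulesets: the reported bug (default policy ACCEPT, allow rules only), an appended DROP, the default-policy DROP workaround, and a DROP inserted in the wrong position. The port-80 nat REDIRECT is deliberately left out because it diverts traffic before FORWARD; the point is every other port.

```python
"""Added example (not wifidog code): a minimal first-match model of iptables
filter chains, used to show why an unauthenticated client can reach port 443
when the gateway only diverts port 80 and the built-in chain's default policy
is ACCEPT. Chain names, addresses and the rule layout are constructed for the
illustration and are not copied from wifidog."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses for the example.
AUTH_SERVER = "192.0.2.10"        # the captive-portal auth server
KNOWN_CLIENTS = {"10.0.0.5"}      # clients that have already authenticated

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, or the name of a user chain to jump to
    dport: Optional[int] = None   # None matches any destination port
    src: Optional[str] = None     # None matches any source address
    dst: Optional[str] = None     # None matches any destination address

@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)
    policy: Optional[str] = None  # built-in chains have a policy; user chains do not

def evaluate(chains, name, pkt):
    """Walk a chain as netfilter does: the first matching rule decides.
    A jump into a user chain returns to the caller if nothing there matched."""
    chain = chains[name]
    for r in chain.rules:
        if r.dport is not None and r.dport != pkt["dport"]:
            continue
        if r.src is not None and r.src != pkt["src"]:
            continue
        if r.dst is not None and r.dst != pkt["dst"]:
            continue
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        verdict = evaluate(chains, r.target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    return chain.policy           # None for a user chain: fall back to the caller

def ruleset(forward_policy, tail):
    """FORWARD -> Known (authenticated clients) -> Unknown (everyone else).
    Port 80 from unknown clients is diverted to the portal by a nat REDIRECT
    rule before it reaches FORWARD, so it is not modelled here. 'tail' is the
    list of rules placed after the allow rules in Unknown (empty == the bug)."""
    known = Chain("Known", [Rule("ACCEPT", src=c) for c in sorted(KNOWN_CLIENTS)])
    unknown = Chain("Unknown", [Rule("ACCEPT", dst=AUTH_SERVER)] + tail)
    forward = Chain("FORWARD", [Rule("Known"), Rule("Unknown")], policy=forward_policy)
    return {c.name: c for c in (forward, known, unknown)}

def misordered():
    """The other failure mode from the ticket: a DROP exists but was inserted
    (iptables -I) ahead of the allow rule, so even the auth server is cut off."""
    chains = ruleset("ACCEPT", [])
    chains["Unknown"].rules.insert(0, Rule("DROP"))
    return chains

BUGGY  = ruleset("ACCEPT", [])              # allow rules only, policy ACCEPT
FIXED  = ruleset("ACCEPT", [Rule("DROP")])  # explicit catch-all DROP appended
POLICY = ruleset("DROP", [])                # workaround: default policy DROP
WRONG  = misordered()                       # DROP in front of the allow rule

def verdict(chains, src, dst, dport):
    """Verdict FORWARD gives a packet from src to dst:dport under this ruleset."""
    return evaluate(chains, "FORWARD", {"src": src, "dst": dst, "dport": dport})

if __name__ == "__main__":
    sfnet = "198.51.100.7"   # constructed stand-in for https://sf.net
    for label, chains in (("buggy", BUGGY), ("fixed", FIXED),
                          ("policy", POLICY), ("wrong", WRONG)):
        print(label,
              "unauth->sf.net:443", verdict(chains, "10.0.0.9", sfnet, 443),
              "unauth->auth:443", verdict(chains, "10.0.0.9", AUTH_SERVER, 443),
              "auth'd->sf.net:443", verdict(chains, "10.0.0.5", sfnet, 443))
```

Running it shows the buggy layout accepting an unauthenticated client's connection to 198.51.100.7:443, both the appended DROP and the policy-DROP workaround dropping it while still allowing the auth server, and the misordered layout dropping the auth server traffic too, which is why the catch-all has to be appended with -A after the allow rules rather than inserted with -I.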

Change History

Changed 14 years ago by max-horvath

This is what we've been talking about in bug #2 all the time ...

Changed 14 years ago by max-horvath

Bug #2 is something different, but it hasn't been fixed either ...

Because when bug #2 happens (which happens to a lot of people) it would go directly to https://sf.net/ ...

If bug #2 is not in effect (because of no bridging) nothing happens at all ...

Suggestion for a bugfix from ankh: iptables -t nat -A WiFiDog_Unknow -p tcp --dport 443 -j REDIRECT --to-ports 2060

Changed 14 years ago by Alexandre Carmel-Veilleux

If we redirect port 443, we have to have SSL handled on the redirection port. stunnel has a mode where it can be used as SSL-ifying proxy for web sites.

Changed 14 years ago by benoitg

  • version changed from Auth Server SVN to Gateway SVN

Changed 13 years ago by benoitg

  • description modified
  • summary changed from Gateway doesn't proeprly firewall off ports other than 80 to Gateway doesn't properly firewall off ports other than 80

Changed 13 years ago by anonymous

All ports should be blocked until the user auths. This way you can limit his access so he doesn't sit and use a P2P on another port without auth.

Changed 13 years ago by benoitg

  • status changed from new to closed
  • resolution set to fixed

All right, this bug must have been the most ill-defined bug in the history of wifidog. However, I could no longer reproduce it once I upgraded to 1.1.3beta6. So unless someone can reproduce, this is finally closed.
