OpenWrt

openwrt.org - in case of spam, ping mods (type modhelp). https://matrix.org/legal/code-of-conduct Please check if a relevant bug report already exists before you ask: openwrt.org/bugs forum.openwrt.org Unofficial community, #meshes:matrix.org mesh networking, quick start: openwrt.org/docs/guide-quick-start Free space propagation, open source, Linux routers, communication hardware, acceleration, bufferbloat, gigabit wifi, wireless radio propagation simulation, unlicensed spectrum management, WISP, see also: Freifunk, FunkFeuer, Althea, Yggdrasil, Tomesh, WireShark, dd-wrt, BattleMesh, IRC: openwrt.org/contact

26 May 2024
@mhnoyes:matrix.org mhnoyes
https://forum.openwrt.org/t/missing-package-bridger-linksys-e8450-belkin-rt3200/159957
WED and bridger are post-22.03 developments, you'd need snapshots for that.
15:39:34
@christophe:envs.net christophe

Celmor: I've been exploring nftables recently. Check out this basic config (from Ubuntu):

cat >/etc/nftables.conf <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif lo counter accept;
    ct state established,related counter accept;
    ct state new tcp dport == { 22, 80, 443 } counter accept;
    meta l4proto icmp counter accept;
    meta l4proto ipv6-icmp counter accept;
  }
  chain forward {
    type filter hook forward priority filter;
  }
  chain output {
    type filter hook output priority filter;
  }
}
EOF

Running nft -o list table inet filter will print stats similar to what we're used to in the iptables world. Keyword counter is what creates the stats; drop and accept are doing the filtering.

16:18:08
@Celmor:matrix.org Celmor
wouldn't that override my existing rules though?
17:03:17
@christophe:envs.net christophe
In reply to @Celmor:matrix.org
> wouldn't that override my existing rules though?
yes! I wanted to show an example for counter
17:42:46
27 May 2024
@iconoclasthero:matrix.org iconoclasthero
I have been trying to get crowdsec installed.
01:08:04
@iconoclasthero:matrix.org iconoclasthero
I found out that it can be installed on openwrt
01:08:20
@iconoclasthero:matrix.org iconoclasthero
but openwrt is saying no....not that there's not enough memory or anything, just no:
01:09:16
@iconoclasthero:matrix.org iconoclasthero
root@OpenWrt:~# opkg install crowdsec-firewall-bouncer
Unknown package 'crowdsec-firewall-bouncer'.
Collected errors:
 * opkg_install_cmd: Cannot install package crowdsec-firewall-bouncer.
01:11:45
@iconoclasthero:matrix.org iconoclasthero
https://openwrt.org/docs/guide-user/services/crowdsec
01:12:38
@iconoclasthero:matrix.org iconoclasthero
there's nowhere it says to add a repo...and I'll run the api on my server inside the network if I can get router-level blocking
01:13:13
@iconoclasthero:matrix.org iconoclasthero
I want to run it on a cudy x6
01:13:32
@iconoclasthero:matrix.org iconoclasthero
[attachment: Screenshot from 2024-05-26 21-14-13.png]
01:14:37
@iconoclasthero:matrix.org iconoclasthero
  1. Can I get the firewall bouncer only on that machine? Do I need to plug in e.g., a usb stick f/extra space?
  2. Do I need to add a repo? (the crowdsec script didn't work)
  3. Do I need to get the package somewhere else and put it on the router?
01:19:14
@iconoclasthero:matrix.org iconoclasthero
thanks!
01:19:42
@iconoclasthero:matrix.org iconoclasthero
oh, it's a risc processor. :(
01:24:03
@bartvanzoest:matrix.org Bart van Zoest
In reply to @iconoclasthero:matrix.org
> root@OpenWrt:~# opkg install crowdsec-firewall-bouncer
> Unknown package 'crowdsec-firewall-bouncer'.
> Collected errors:
>  * opkg_install_cmd: Cannot install package crowdsec-firewall-bouncer.
Did you try opkg update before trying to install?
04:53:01
@es78o9:matrix.org es78o9
It should be available as https://downloads.openwrt.org/releases/23.05.3/packages/mipsel_24kc/packages/crowdsec-firewall-bouncer_0.0.28-2_mipsel_24kc.ipk Also, check for the bouncer LuCI package, it will install the bouncer as a dependency.
10:07:51
@es78o9:matrix.org es78o9
'Unknown package' is a hint to do an 'opkg update' first.
10:09:10
@es78o9:matrix.org es78o9
As you have a UI, just search for the package in the software page, do a refresh first.
10:10:25
@es78o9:matrix.org es78o9
The bouncer LuCI UI will show up in the firewall section.
10:11:21