[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
howtos:network_services:running_an_access_point_from_a_slackware_box [2023/01/20 09:43 (UTC)] – [4.3 DNS and DHCP Servers] fix typos timhowtos:network_services:running_an_access_point_from_a_slackware_box [2023/01/20 09:57 (UTC)] (current) – [4.4 Firewalling] fix typos tim
Line 262: Line 262:
   COMMIT   COMMIT
  
-NOTE *: Clamping MSS to PMTU can get internet browsing from your LAN working but can brake VPN packets. The proposed workaround has been made necessary by the increasing tendency of failing to find PMTU. It is not always necessary for you to activate the workaround but be warned that it can equally inadvertently stop working leaving you with an intermittent  problem that is difficult to debug. It can be intermittent because the path your packets take to arrive to any destination on internet is not always the same dew to the necessity of fault tolerance. This note could become a whole article on it's own so [[https://blog.cloudflare.com/path-mtu-discovery-in-practice/|here's]] an intresting read on the issue. +NOTE *: Clamping MSS to PMTU can get internet browsing from your LAN working but can break VPN packets. The proposed workaround has been made necessary by the increasing tendency of failing to find PMTU. It is not always necessary for you to activate the workaround but be warned that it can equally inadvertently stop working leaving you with an intermittent  problem that is difficult to debug. It can be intermittent because the path your packets take to arrive to any destination on internet is not always the same due to the necessity of fault tolerance. This note could become a whole article on it's own so [[https://blog.cloudflare.com/path-mtu-discovery-in-practice/|here's]] an intresting read on the issue. 
  
 I generally put the content above in /ect/firewall.cf and add "/usr/sbin/iptables-restore < /etc/firewall.cf" to rc.local. I generally put the content above in /ect/firewall.cf and add "/usr/sbin/iptables-restore < /etc/firewall.cf" to rc.local.
Line 269: Line 269:
   /etc/rc.d/rc.sshd restart   /etc/rc.d/rc.sshd restart
 If you're going to share internet connection you might want to stop ssh access from internet by adding a firewall rule to regulate it or making sshd bind only to the address assigned to br0. The config shown above will not allow incoming ssh traffic from the internet link (by the connection tracking rule) but you may want to back that up with further safety. If you're going to share internet connection you might want to stop ssh access from internet by adding a firewall rule to regulate it or making sshd bind only to the address assigned to br0. The config shown above will not allow incoming ssh traffic from the internet link (by the connection tracking rule) but you may want to back that up with further safety.
-Longer iptabls chains generally have bad impact on firewall performance so you might want to add something like this to /etc/ssh/sshd_config:+Longer iptables chains generally have bad impact on firewall performance so you might want to add something like this to /etc/ssh/sshd_config:
   ListenAddress 192.168.0.1   ListenAddress 192.168.0.1
  
 At this point you should be able to associate clients to the AP. At this point you should be able to associate clients to the AP.
 With the above iptables rules client with MAC 0a:0b:0c:0d:0e:0f can associate and access the AP itself but not route trough the AP (with the exception of dns querys that get forwarded by dnsmasq), With the above iptables rules client with MAC 0a:0b:0c:0d:0e:0f can associate and access the AP itself but not route trough the AP (with the exception of dns querys that get forwarded by dnsmasq),
-client with MAC 00:01:02:03:04:05 can route thought the AP but not access the AP itself. The example was just to show clearly the difference of having packets go into the box and routing packets trough the box as this behavior was radically different in the ip_chains.  +client with MAC 00:01:02:03:04:05 can route thought the AP but not access the AP itself. The example was just to show clearly the difference of having packets go into the box and routing packets through the box as this behavior was radically different in the ip_chains.  
-An other way to implement even more complex MAC ACL to decide who manages AP, who can only route trough and who can do both can be done by using ebtables (nee to add that to the software list not present in Slackware) and fiddle with the broute chain. In all cases you might find interesting the [[http://en.wikipedia.org/wiki/Iptables#mediaviewer/File:Netfilter-packet-flow.svg | netfilter flow diagram]].+Another way to implement even more complex MAC ACL to decide who manages AP, who can only route through and who can do both can be done by using ebtables (need to add that to the software list not present in Slackware) and fiddle with the broute chain. In all cases you might find interesting the [[http://en.wikipedia.org/wiki/Iptables#mediaviewer/File:Netfilter-packet-flow.svg | netfilter flow diagram]].
  
  
Line 308: Line 308:
 If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning net.ipv4.tcp_sack off. If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning net.ipv4.tcp_sack off.
  
-If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall configuration. You may fully understand the consequences of streaming on your ISP quota but maybe the rest of the family may not: giving them a quota might save you a fit when you need to do an urgent job that requires internet connection. There a re various ways you could go about putting quotas on specific clients on your LAN just keep in mind a few things:+If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall configuration. You may fully understand the consequences of streaming on your ISP quota but maybe the rest of the family may not: giving them a quota might save you a fit when you need to do an urgent job that requires internet connection. There are various ways you could go about putting quotas on specific clients on your LAN just keep in mind a few things:
   * rules with quotas stop matching once quota is exceeded    * rules with quotas stop matching once quota is exceeded 
   * flushing your tables will reset all quota counters   * flushing your tables will reset all quota counters
 howtos:network_services:running_an_access_point_from_a_slackware_box ()