Voxel Custom firmware build for Orbi LBR20 v. 9.2.5.2.44SF-HW

[Voxel]

Continuation of:

https://www.snbforums.com/threads/c...bi-lbr20-v-9-2-5-2-24sf-hw.73983/#post-708327
. . .
https://www.snbforums.com/threads/custom-firmware-build-for-orbi-lbr20-v-9-2-5-2-42sf-hw.88721/
https://www.snbforums.com/threads/custom-firmware-build-for-orbi-lbr20-v-9-2-5-2-43sf-hw.89645/

New version of my custom firmware build: 9.2.5.2.44SF-HW.

Changes (vs 9.2.5.2.43SF-HW):

1. Toolchain: Go is upgraded 1.22.2->1.22.3.
2. unbound package (used in stubby) is upgraded 1.19.3->1.20.0 (fixing CVE-2024-33655).

https://access.redhat.com/security/cve/CVE-2024-33655​

(score 3.7, Low)​

3. lighttpd package is upgraded 1.4.75->1.4.76 (to avoid CVE-2024-3094 xz supply chain attack).

https://nvd.nist.gov/vuln/detail/CVE-2024-3094​

(score 10.0, Critical, but most likely does not apply to this ORBI firmware version)​

4. OpenSSL v. 1.1.1 package is upgraded to OpenSSL v. 3.0.x 1.1.1w->3.0.13.
5. dropbear package is upgraded 2024.84->2024.85.
6. e2fsprogs package is upgraded 1.47.0->1.47.1.
7. bind package is upgraded 9.18.25->9.18.27.
8. nghttp2 package is upgraded 1.61.0->1.62.1.
9. curl package is upgraded 8.7.1->8.8.0.
10. nano package is upgraded 7.2->8.0.
11. iperf3 package is upgraded 3.16->3.17.1.
12. Upgrade pcre 8.45 to pcre2 10.43 8.45->10.43.
13. ngrep: disable pcre.
14. wget: replace dependence on pcre with dependence on pcre2.
15. samba36: add patch to undef 'mkdir' macro.
16. hotplug2: fix hotplug2.mount script (minor missprint).
17. OpenVPN: add NG/DNI patches for system logs.
18. Host tools: upgrade e2fsprogs to 1.47.1.
19. Host tools: upgrade UPX to 4.2.4.

NOTE:
The most important change in this release is an update of OpenSSL v. 1.1.1 to OpenSSL v. 3.0.x.

The link is:

https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).

Voxel.

 

[nordicboy]

@Voxel Thank You!!!!

 

[RainofTerra]

Thanks for the updates! Just found the GitHub and started poking around

One thing I’m confused about:
The default rules I get when I boot up have ICMPv6 filtering:

# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       ipv6-icmp    anywhere             localhost           
DROP       ipv6-icmp    anywhere             localhost           
DROP       tcp      anywhere             anywhere             tcp dpt:www
DROP       tcp      anywhere             anywhere             tcp dpt:domain
DROP       tcp      anywhere             anywhere             tcp dpt:https
IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all     !2600:1010:b18d:1234::/64  anywhere           
DROP       tcp      localhost            ::2                  tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
ACCEPT     udp      ::3                  ::4                  udp spt:3333
DROP       ipv6-icmp    ::5                  ::6                  ipv6-icmp echo-reply limit: avg 5/sec burst 5
ACCEPT     ipv6-icmp    ::5                  ::6                  ipv6-icmp echo-reply
DROP       all      ::7                  anywhere           
IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And I wanted to disable the ICMPv6 filtering so I tried this:

ip6tables -I INPUT -p ipv6-icmp -j ACCEPT
ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -I OUTPUT -p ipv6-icmp -j ACCEPT

But instead of adding those rules to the existing rules, I ended up with all of the rules wiped. What’s the right way for me to enable ICMPv6 fully?

 

[Voxel]

But instead of adding those rules to the existing rules, I ended up with all of the rules wiped. What’s the right way for me to enable ICMPv6 fully?

You need to read QuickStart.txt of the firmware archive carefully. It describes how to set your own iptables rules to make them work. Quote:

. . .
Additionally you can use your own custom scripts to add your own iptables rules. These
scripts should be named firewall-start.sh (IPv4), /opt/scripts/firewall6-start.sh (IPv6)
and be placed in the:

/mnt/circle/overlay/opt/scripts/

directory, i.e.

/mnt/circle/overlay/opt/scripts/firewall-start.sh
/mnt/circle/overlay/opt/scripts/firewall6-start.sh

with 755 permission attributes (i.e. executable).
. . .

Test this first.

Voxel.

 

[RainofTerra]

I’ve read it, and have used both files for years. I just didn’t read that as “this is the only way to add rules” but rather “this is how to make rules permanent”, I assumed I could still test rules with the standard ip6tables commands (so that if the rules broke something, I could just reboot the router to fix it). If I enter a new rule from the CLI and it breaks everything, I’d assume the same rule would also break everything if added to one of the scripts. I’ll give it a shot next time I’m there.

Do the rules in the scripts only get applied on boot?

 

[Voxel]

I’ve read it, and have used both files for years. I just didn’t read that as “this is the only way to add rules” but rather “this is how to make rules permanent”, I assumed I could still test rules with the standard ip6tables commands (so that if the rules broke something, I could just reboot the router to fix it). If I enter a new rule from the CLI and it breaks everything, I’d assume the same rule would also break everything if added to one of the scripts. I’ll give it a shot next time I’m there.

Here's the situation. NETGEAR uses its own firewall (binary file) which is called quite randomly. You are correct that the rules added to firewall-start.sh/firewall6-start.sh will ensure that your rules will be set every time the NETGEAR firewall is executed.

If you install the rules from the command line, there is no guarantee that they won't be corrupted by the NETGEAR firewall a second later. Maybe yes, maybe no.

Do the rules in the scripts only get applied on boot?

No. As I explained above.

Voxel.

 

[RainofTerra]

Ah ok, that makes sense - Netgear running their own binary to update the rules randomly explains what I was seeing, that was the piece I was missing. Can I just run that binary myself to test changes to the firewall scripts right away then?

 

[Voxel]

Ah ok, that makes sense - Netgear running their own binary to update the rules randomly explains what I was seeing, that was the piece I was missing. Can I just run that binary myself to test changes to the firewall scripts right away then?

Yes, of course. For IPv6, you pretty much only need three commands:

/usr/sbin/net-wall -6 restart

or

/usr/sbin/net-wall -6 rule
/usr/sbin/net-wall -6 start

P.S.
I'm sorry, can't help much with iptables for IPv6, my mobile ISP doesn't support IPv6.

Voxel.