Custom firmware build for R7800 v. 1.0.2.72SF

[Voxel]

@Voxel

When I change a firewall setting in the GUI (example; respond to ping or NAT Type to Open/Close), it seems that my custom rules in /root/firewall-start.sh are not applied. The script is executable and I have to run it each time I change some setting.

Any idea how to make it start automatically?

Well. I have similar necessity. I have to block a lot of IPs from China, Netherlands, Korea, German, Ukraine and Russia (of course) who are trying to hack my R7800… Also time-to-time changes in my Parental Control rules (e.g. blocking youtube). I do use iptables rules for that. So I need these rules are applied immediately.

Unfortunately I cannot control the firewall made by NG forcing it to apply my iptabes rules immediately and automatically after changing my script. But what I do:

1. (optional) Hint for you: change your /root/firewall-start.sh to /opt/scripts/firewall-start.sh. The same script but other location. More natural and /opt is existing, used by ReadyCLOUD.

2. When you change this script just run the following commands from telnet/ssh console:

net-wall rule
net-wall start

These commands will force this firewall from NG to apply your rules immediately. Check it if you want:

iptables –L –n | more

Or for example

iptables –L –n –t nas | more

3. If you are using USB dongle it is possible to start these rules immediately and automatically after reboot, w/o necessity in manual startup.
Script in /mnt/sda1/autorun/scripts/post-mount.sh:

#!/bin/sh

# Start firewall rules after boot if optional script exists
if [ -x /opt/scripts/firewall-start.sh ] || [ -x /root/firewall-start.sh ]; then
    /usr/sbin/net-wall rule
    /usr/sbin/net-wall start
fi

Voxel.

 

[Voxel]

P.S. to post above.

After that no any manual movements are needed of course.

Voxel.

 

[microchip]

Actually, this only works for IPv4 rules. I have IPv6 rules that I want to add to the existing ones. If you call net-wall -6 start, the rules are not applied. If you call net-wall start they are applied but the existing default IPv6 rules from NETGEAR are completely wiped out

So it seems something in the system is calling "net-wall -6 start" so my IPv6 rules are not applied

 

[microchip]

Ok, so I had to modify the following file

/etc/scripts/firewall.sh

and at the bottom, the case statement that starts/stops, I added /root/firewall-start.sh

and it works when doing "net-wall -6 start". My rules are added and the original NETGEAR IPv6 rules are there too

Also, changing stuff in the GUI that affects FW rules works as well (my IPv6 rules are applied). So maybe you'd want to take a look and improve it

 

[Voxel]

I use the trick with replacement of /usr/sbin/net-wall binary by my own script. I am not sure if /etc/scripts/firewall.sh will cover the all possible problems.

In general it you check this script /usr/sbin/net-wall you can see how it works now (IPv4). Unfortunately my ISP does not support IPv6 (so I cannot test myself)

In general if you change the line

. . .
elif [ "$1" = "start" ] || [ "$1" = "restart" ]; then
. . .

by something related to additional "-6" options you should get what you need i.e. call of your own script.

i.e. logic should be if ("$1" == "start" or "$1" == "restart") or ("$1" == "-6" and if "$2" == "start" or "$2" == "restart") then etc.

Usually net-wall for IPv4 calls look as:

net-wall restart

or

net-wall rule
net-wall start

for IPv6

net-wall -6 restart

or

net-wall -6 rule
net-wall -6 start

Voxel.

 

[Voxel]

I am not sure if /etc/scripts/firewall.sh will cover the all possible problems.

I mean that the script /etc/scripts/firewall.sh was introduced by NG only recently. After they added their own ( a bit strange for me) OpenVPN client.

This script is called from net-wall (stock firmware an thus my version too), but I cannot see its logic...

Voxel.

 

[microchip]

Thanks, I had a similar thought. Maybe you can add this logic to your net-wall script so I don't have to modify it each time I upgrade firmware. For now, /etc/scripts/firewall.sh is reliable as I took a look at net-wall-bin (the original) and at the bottom it calls /etc/scripts/firewall.sh (see below)

net-wall-bin is binary but if you "cat" it, you can see through the binary "garbage output" at the bottom that it calls the mentioned script

Firewall configuration util v2.0 (Delta Networks Inc.)
Usage: net-wall [OPTIONS] [ start | restart | stop | rule ]
Options:
-w --wan-interface WAN interface name
-l --lan-interface LAN interface name
-6 --ipv6 no_argument
IPv6 Done!Failed to stop the IPv6 firewall!Done!Failed to stop the firewall!w:l:6restartstartStarting Firewall...
/etc/scripts/firewall.sh startstopStopping Firewall...
/etc/scripts/firewall.sh stopruleGenerating Rules...

 

[Voxel]

Maybe you can add this logic to your net-wall script so I don't have to modify it each time I upgrade firmware.

Yes sure. I just have to do that. Especially if somebody was able to test this. Thanks for your research.

net-wall-bin is binary but if you "cat" it, you can see through the binary "garbage output" at the bottom that it calls the mentioned script

More easy is to call e.g.

net-wall --help

/usr/sbin/net-wall-bin: unrecognized option `--help'
Firewall configuration util v2.0 (Delta Networks Inc.)
Usage: net-wall [OPTIONS] [ start | restart | stop | rule ]
Options:
        -w  --wan-interface     WAN interface name
        -l  --lan-interface     LAN interface name
        -6  --ipv6     no_argument

I had to perform a lot of investigations with this net-wall in the past... To understand when it generated its /tmp/netwall-rules file and how to overcome the restrictions... So I am aware of net-wall logic. A bit

Voxel.

 

[microchip]

Yes i know you can call --help. But that doesn't tell you it calls /etc/scripts/firewall.sh. I had to "cat" the bin and only then I saw it calls that script

 

[Voxel]

Yes i know you can call --help. But that doesn't tell you it calls /etc/scripts/firewall.sh. I had to "cat" the bin and only then I saw it calls that script

Well. But I can check where from and how (arguments) any script or binary is called. Anyway thanks for letting me know.

((I’ll say you my top secret but please do not share it . I do not use ALL the binaries from the latest stock firmware. For example I did not use net-wall binary from 1.0.2.62 (stock) nor from 1.0.2.63 (“hot-fix” stock). And as it happens this was useful for Pi-Hole owners… ))

So maybe this call of /etc/scripts/firewall.sh will be removed in the future. I am not sure...

OK. Now w/o joking. I appreciate your investigations with IPv6 firewall/own script. Added into my 2do list for a next release. Thank you.


Voxel.

 

[kamoj]

Good technical discussion!
Thank you very much for your community contributions.

@Voxel I have this script (/usr/sbin/net-wall) changed this way since "long" time ago,
while doing some ipv6 tests:

#elif [ "$1" = "start" ] || [ "$1" = "restart" ]; then
else
   [ "$1" = "-6" ] && shift
fi
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then

https://www.snbforums.com/threads/doubts-about-r7800-firmware-ipv6-support.55215/#post-468410

@microchip
instead of:

cat /usr/sbin/net-wall-bin

you can use:

strings /usr/sbin/net-wall-bin

PS
I also have "secret" fix to net-wall...

 

[Voxel]

@Voxel I have this script (/usr/sbin/net-wall) changed this way since "long" time ago,
while doing some ipv6 tests:

Good point. Sorry I am not always attentive... Thank you.

Voxel.

 

[Wigster]

There is such an option (OpenVPN server config):

push "dhcp-option DNS 192.168.xx.xx"

Great. I've managed to get it to work by forcing it on the client side. Now I'll just follow your instructions for server side!

 

[microchip]

@kamoj

I wasn't aware strings was included so I did a cat as I often use it

 

[NoMoreFudgicles]

I personally know quite a few ppl who use your FW, and more importantly I recommend it to a TON of ppl..... Trust me, what WE see is your work validated, every time. Thank you!

Continuation of
. . .
https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-69sf.58293/
https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-70sf.59009/

New version of my custom firmware build: 1.0.2.72SF.

 

[kokishin]

@Voxel

I just made a donation to your PP account. It's not going to put you in another tax bracket although it may help fund a few Bulgarian beers .

I'm not a power user like some of the folks here. I just use the 7800 as a router; no DNS Crypt nor VPN. (I do have a paid VPN app on my desktop computer).

You impress me because you're constantly improving the firmware and you take the time to help and answer the questions of your constituents on SNB forums.

Thanks and all the best!

 

[microchip]

@kamoj

would it be possible to add a link in the GUI to debug.htm in Advanced -> Advanced Setup when your add-on is installed?

thanks

 

[kamoj]

Yes of course, but just now it's added to the Advanced menu tab.
At the moment it looks like this:

PS
"Debug info" is the new add-on info view,
"Netgear Debug Info" is the stock untouched page.

 

[Wigster]

Hi

My router's R7800 with Voxel's 1.0.2.72. I also run pihole with DHCP on my LAN to block tracking.

I would like to set up stubby on the router to CloudFlare and then manually point the pihole at the router for DNS. The other clients would connect to the router, and get sent for DNS/DHCP to pihole as they do currently.

I have just tried using the router as DNS using nslookup and it looks like it forwards the query to the pihole. Can stubby override this for DNS queries sent directly to the router, but still allow the router to register the pihole as the DNS for the clients?

 

[Killhippie]

@kamoj

Are you aware of the issues with Nord VPN this year? Its made some people question them a bit. Seems as bad actors had access to remote management on in a server in Finland for a while.. and kept very quite about it.
https://www.theregister.co.uk/2019/10/21/nordvpn_security_issue/

"Here's what we know: miscreants were able to exploit a poorly secured remote-management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. They were able to gain access to the LXC containers running on the machine, and its OpenVPN software files and cryptography keys, it is claimed. The TLS certificate, since expired, for the nordvpn.com website was also stolen from the system."