Menu
What's new
By:
Filters Better Search

Recent content by ml70

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

  1. M

    Tutorial Script: Dynamically block Asus open ports (security holes...)

    Are these not open to every interface? tcp 0 0 0.0.0.0:18017 tcp 0 0 0.0.0.0:9518 udp 0 0 0.0.0.0:9999 udp 0 0 0.0.0.0:67 udp 0 0 0.0.0.0:18018 udp 0 0 0.0.0.0:1900 9518 is the dynamic port. How many of these are opened by...
  2. M

    Syslog demuxer for detailed iptables logging

    It's very useful to create a CURRENT match /kernel: CURRENT / {print $0 >> "/tmp/mnt/usb/log/current.log" ; next} it enables one to very quickly check for current issues by -j LOG --log-prefix "CURRENT " --log-tcp-sequence --log-tcp-options --log-ip-option and tail -f current.log
  3. M

    Tutorial Script: Dynamically block Asus open ports (security holes...)

    You can run it hourly cru a BlockAsusPorts "0 * * * * /jffs/scripts/blockasusports.sh" add it to wan-start , or would init-start be a better choice.
  4. M

    Tutorial Script: Dynamically block Asus open ports (security holes...)

    Asus opens plenty of listening ports, some of which have been used to hack the device in the past ("Asusgate" etc). If you're not using any Asus services from the internet, maybe it'd be smarter to block them to avoid security holes. The problem is some of the ports are dynamic, a fixed script...
  5. M

    Syslog demuxer for detailed iptables logging

    CHANGE: logdemux.sh line 5: the fifo is best read from as cat<>/jffs/fifo/syslogfifo | awk ' /kernel: IPT ICMP/ .... Delete /jffs/fifo/syslogfifo from end of last awk line. CHANGE: syslog-fifo.sh line 12: the fifo is no longer needed to kept open, comment the line out # nohup sleep...
  6. M

    tc syntax for dropping packet (ingress/egress filtering)

    Just want to learn more tc, especially for filtering. As far as I understand it can also be used for layer 2 packets so it's more versatile than netfilter. And dropping resets is about the least intrusive example, nothing's going to break badly. Unfortunately the version on Asus is like...
  7. M

    tc syntax for dropping packet (ingress/egress filtering)

    According to this https://blog.cloudflare.com/how-to-drop-10-million-packets/ dropping ingress packets with tc should be easy peasy, but I just can't figure out the proper syntax for Asus (AC-66 2.6.22.19 #1 Mon Sep 12 19:17:46 MST 2016 mips GNU/Linux) version of tc. As a test I'm trying to...
    • ml70
    • Thread
    • dropping filtering packets syntax traffic control
    • Replies: 3
    • Forum: Asuswrt-Merlin
  8. M

    Syslog demuxer for detailed iptables logging

    Fed up with the misery of logging iptables to syslog I made a log demuxer which makes it possible to demux the syslog feed into any number of separate log files. All that is needed is to change syslog to output to a named pipe, and an awk script which does the demuxing. The purpose is to demux...
  9. M

    ac86u seems to be stuck in boot loop after firmware update

    Btw if you have trouble with Asus firmware restoration utility, just use tftp it's available on Linux and Windows (install from Control Panel>Programs and Features>Turn Windows features on or off>TFTP Client). This does it all tftp -i 192.168.1.1 PUT WhateverFirmware.trx Remember to let it...
  10. M

    Reroute dropped packets

    Seems mangle table -j ROUTE could do this, just need to move all firewalling onto mangle table and s/DROP/ROUTE --options/ . Any insights or experiences on this welcome. Addition: this will cause the kernel to log the reason why the packets are invalid echo 255 >...
  11. M

    Reroute dropped packets

    To partially answer my own question, unwanted incoming connections can be redirected at the NAT table after UPNP chain has been checked. But it's still a mystery how to redirect packets which are deemed to be DROPped at the firewall (filter forward mostly). Even a modification of the firewall...
  12. M

    Limited but effective QoS for Asus routers with CTF/hardware acceleration

    Either I've misunderstood something very badly, or then I've actually found out the truth about Asus' TOS implementation: This is the generic Linux TOS/Priomap TOS Bits Means Linux Priority Band ------------------------------------------------------------ 0x0 0...
  13. M

    Limited but effective QoS for Asus routers with CTF/hardware acceleration

    Some necromancy on this old thread, the original solution is missing the tc traffic classifier part it'd need to function properly, I might've had some remains of tc filters created by Asus stock qos solution running which made it work, without it'll only work for bands 1-3. Sorry. But to have...
  14. M

    Reroute dropped packets

    Packets to be dropped seem to end in filter INPUT to be discarded by the default drop rule, how to redirect them to a LAN ip to act as a catchall? Could save some trouble every time a service changes ports, it's an outwards facing box anyway so receiving unwanted traffic is no problem, or to run...
  15. M

    [Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

    I've been hunting for days for this weird wifi connectivity bug on AC66, now on 27E5 but this happens across releases, and think finally figured out what's going on: When there are guest networks with Set AP Isolated Enabled, and Enable JFFS custom scripts and configs is set to No, everything...
See more
Top