Buggy Parental Control against firewall Network Services Filter

Mistermoonlight

OK, I am using the latest Merlin firmware, 3.0.0.4.270.24.

There is a big problem with the parental control logic.

1- Create a rule in the firewall Network Services Filter while parental control is OFF: for example, block TCP dest port 80 to dest 179.*.*.* (a Google server) for any source IP on the LAN (e.g. 192.168.1.*). The filtering works correctly when the rule is active.

2- Create a parental control setup for a specific MAC address on your network, with a time schedule during which this MAC address has internet access. The parental control for this MAC appears to follow the defined schedule correctly and blocks access according to the schedule (when there is no rule defined at step 1).

3- While the parental control from step 2 above is active, the previous firewall filtering rule (from step 1) no longer works for the other MAC devices on the network.

By looking, through a telnet session, at the iptables rules generated before step 2 above and after step 2, we can see that the filtering rule from step 1 has been moved from the FORWARD chain to the PControls chain.

I guess this bug is also present in the original ASUS firmware, but I did not try it.
This makes using both features at the same time problematic :(
 
I ran into this as well with the stock firmware. I like to block port 25 on my router. I worked around it by:

1) telnet into router
2) cd /tmp
3) iptables-save -t filter > foo
4) vi foo

Added the following line:
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 25 -j DROP

just before this line:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Technically the PControls chain jumps back to the FORWARD chain when done, so the MAC-filtered machines will run that rule twice (if I understand things correctly).

5) iptables-restore < foo

Things work as expected. I realize this won't survive reboots. I've forked Merlin's code base to play with and provide patches. However, I'd really just like to duplicate this but use x86 and VMware/VirtualBox somehow, as I don't want to mess up my home router during the day. Anybody got any suggestions?
 
If you insert your rules through firewall-start or nat-start, it should automatically reinsert the rule at the correct location and survive service restarts.
 
Rmerlin:
If you insert your rules through firewall-start or nat-start, it should automatically reinsert the rule at the correct location and survive service restarts.

Yes, I have tried a rule added with "firewall-start" and it worked very well and survives a reboot perfectly well. Thank you for this nice firmware customization.

This is a workaround until the ASUS firmware is corrected to remove this bug.
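The manual edit in step 4 of the port-25 workaround above, scripted as an added example (not code from the thread or from the Merlin firmware): it takes an `iptables-save -t filter` dump on stdin and emits it with the DROP rule placed just before the RELATED,ESTABLISHED rule in FORWARD, skipping the insert when the rule is already there, which is the property a firewall-start hook needs since it runs on every firewall restart. The dump below is a constructed sample modelled on the thread's description, not a capture from a real router, and the chain contents and PControls rule are assumptions.

```shell
#!/bin/sh
# Constructed excerpt of an `iptables-save -t filter` dump (not a real capture):
# a PControls chain hooked from FORWARD, followed by the RELATED,ESTABLISHED
# rule that the DROP rule must precede.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PControls - [0:0]
-A FORWARD -j PControls
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A PControls -m mac --mac-source 00:11:22:33:44:55 -m time --timestart 08:00 --timestop 20:00 -j ACCEPT
COMMIT'

# The rule from the post (block LAN -> WAN SMTP) and the line it must precede.
SMTP_DROP='-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 25 -j DROP'
ANCHOR='-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# patch_filter_dump RULE ANCHOR
# Reads a filter-table dump on stdin and prints it with RULE inserted
# directly before the first line equal to ANCHOR. If RULE is already
# present anywhere in the dump, the input is passed through unchanged,
# so running it on every firewall restart never duplicates the rule.
patch_filter_dump() {
    awk -v rule="$1" -v anchor="$2" '
        $0 == rule { seen = 1 }
        { lines[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!seen && !done && lines[i] == anchor) { print rule; done = 1 }
                print lines[i]
            }
        }'
}

# count_rule DUMP RULE: how many times RULE appears in DUMP (0 if absent).
count_rule() {
    printf '%s\n' "$1" | grep -c -F -- "$2" || true
}

# Offline demonstration on the constructed dump; on the router the same
# function would sit between `iptables-save -t filter` and
# `iptables-restore`, or be replaced by the live equivalent in firewall-start
# (assumed modern iptables with -C):
#   iptables -C FORWARD -i br0 -o eth0 -p tcp --dport 25 -j DROP 2>/dev/null ||
#   iptables -I FORWARD 2 -i br0 -o eth0 -p tcp --dport 25 -j DROP
printf '%s\n' "$SAMPLE_DUMP" | patch_filter_dump "$SMTP_DROP" "$ANCHOR"
```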