
Cheesy Musings

Why it is important to know what is in your Fonera

The Fonera router (or the Linksys, for that matter) is basically a computer. It runs a proper Linux operating system, it is always on, and it sits on a high-bandwidth connection. All the Fon routers connect to Fon central on a regular basis (the heartbeat connection) to see if there are any updates or changes for them to install. This works by downloading and then running a script as root. If the Fon central server were compromised for more than an hour, it would probably be possible to tell every Fon router in the world to connect somewhere else for its heartbeat information. This would be bad. The central server could then be fixed, but it would be too late: the entire network would be under someone else’s control, an enormous and very well connected botnet. I don’t want to do this, and I don’t want anyone else to be able to do this, so it is important that the source code is open, so that everyone connecting a Fonera to their network can see how secure it is. I am mildly disappointed that there is a binary-only Atheros module in there; however, I don’t think this is critical for the security of the device, or indeed of the network as a whole.

Open Source does matter, and it is inherently more trustable than closed source because you can verify it yourself, and so can lots and lots of other people. The current distribution method for the source is a large .tar.gz file. With this series of posts I am trying to make the critical bits of the source code more open and accessible to more people; this makes it more trustable, and potentially more secure (if issues are found and fixed).

What’s in your Fonera - Part 2

One important part of any routing device is its firewall settings. For La Fonera these can be found in ./package/iptables/files/firewall.fon. The settings are pretty well commented and I am not really an iptables expert, so I will let the file speak for itself.

# Firewall script, specific for OpenWrt: permits traffic from chilli clients to
# the Internet, restricts inter-interface traffic
. /etc/functions.sh
. /tmp/network-config

config_load fon

WL="$wifi_ifname"
WAN="$wan_ifname"
LAN="$lan_ifname"

# NET_ACCESS holds the rules applied to traffic entering or leaving the
# chilli tunnel (tun0); create it if missing, then start from an empty chain
iptables -N NET_ACCESS 2>&- >&-
iptables -F NET_ACCESS

# WAN_HOOK will contain rules to restrict traffic to the wan network
iptables -N WAN_HOOK 2>&- >&-

# ChilliSpot
iptables -A NET_ACCESS -p tcp --dport 3990 -j ACCEPT

# DNS is always allowed from the tunnel
iptables -A NET_ACCESS -p udp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -p tcp --dport 53 -j ACCEPT

# Access control for the hotspot
config_get wan access hotspot_wan
enabled "$wan" 0 || iptables -A NET_ACCESS -j WAN_HOOK

config_get lan access hotspot_lan
if enabled "$lan" 0; then
iptables -t nat -A POSTROUTING -o "$LAN" -j MASQUERADE
else
iptables -A NET_ACCESS -o "$lan_ifname" -j DROP
fi

config_get wan access lan_wan
enabled "$wan" 1 || iptables -I FORWARD 1 -i "$LAN" -o "$WAN" -j WAN_HOOK

# allow regular wan traffic
[ -z "$WAN" ] || {
iptables -A NET_ACCESS -o "$WAN" -j ACCEPT
iptables -A NET_ACCESS -i "$WAN" -j ACCEPT
}

iptables -A NET_ACCESS -o "$LAN" -j ACCEPT
iptables -A NET_ACCESS -i "$LAN" -j ACCEPT

# drop everything that we haven't explicitly allowed
iptables -A NET_ACCESS -j DROP

# -- INPUT PART --
iptables -N INPUT_CFG 2>&- >&-
iptables -F INPUT_CFG 2>&- >&-
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j DROP
iptables -I INPUT 2 -i "$LAN" -j INPUT_CFG
iptables -I INPUT 3 -i tun0 -j NET_ACCESS

# -- FORWARD PART --
iptables -I forwarding_rule 1 -i "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 2 -o "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 3 -i tun0 -j NET_ACCESS
iptables -I forwarding_rule 4 -o tun0 -j NET_ACCESS

# Drop all unmanaged traffic from the public interface
iptables -t nat -A PREROUTING -i "$WL" -j DROP

# Run the OpenWrt interface firewall hook as if the WAN had just come up
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/20-firewall
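Since the point of publishing the script is that anyone can check it, here is a small Python checker, added for this post and not part of Fon's code, that reads the iptables invocations out of a firewall.fon-style script and confirms the properties the rules above are meant to give: an unconditional DROP at the end of NET_ACCESS, DNS and ChilliSpot (tcp/3990) reachable from the tunnel, and the public wireless interface dropped in nat PREROUTING. FIREWALL_EXCERPT is a constructed subset of the rules above with the shell variables left unexpanded; nothing touches a live firewall.

```python
# Added example, not Fon's code: statically lint the iptables rules of a firewall.fon-style
# script. FIREWALL_EXCERPT is a constructed subset of the rules above, shell variables unexpanded.
import shlex

FIREWALL_EXCERPT = r'''
iptables -A NET_ACCESS -p tcp --dport 3990 -j ACCEPT
iptables -A NET_ACCESS -p udp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -p tcp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -o "$WAN" -j ACCEPT
iptables -A NET_ACCESS -i "$WAN" -j ACCEPT
iptables -A NET_ACCESS -j DROP
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j DROP
iptables -t nat -A PREROUTING -i "$WL" -j DROP
'''

def parse_rules(script):
    """Yield one dict per 'iptables -A/-I' line: table, chain, matches and target."""
    for line in script.splitlines():
        argv = shlex.split(line)            # drops the shell quoting around "$WAN"
        if argv[:1] != ["iptables"] or not {"-A", "-I"} & set(argv):
            continue                        # blank lines, -N/-F chain setup, etc.
        rule, i = {"table": "filter", "matches": {}}, 1
        while i < len(argv):
            opt, arg = argv[i], argv[i + 1] if i + 1 < len(argv) else ""
            if opt == "-t":
                rule["table"] = arg
            elif opt in ("-A", "-I"):
                rule["chain"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt in ("-i", "-o", "-p", "--dport"):
                rule["matches"][opt] = arg
            i += 1 if opt.isdigit() else 2  # "-I CHAIN 1": the bare position takes one token
        yield rule

def check_policy(rules):
    """Properties the script is meant to enforce; each value is True when satisfied."""
    rules = list(rules)
    net = [r for r in rules if r["chain"] == "NET_ACCESS"]
    def allows(proto, port):
        return any(r.get("target") == "ACCEPT" and r["matches"].get("-p") == proto
                   and r["matches"].get("--dport") == port for r in net)
    return {
        "net_access_default_deny": bool(net) and net[-1].get("target") == "DROP" and not net[-1]["matches"],
        "dns_allowed": allows("udp", "53") and allows("tcp", "53"),
        "chillispot_allowed": allows("tcp", "3990"),
        "wifi_dropped_in_nat": any(r["table"] == "nat" and r["chain"] == "PREROUTING" and
                                   r["matches"].get("-i") == "$WL" and r.get("target") == "DROP" for r in rules),
    }
```

Feeding it the full firewall.fon (after the variable lines) instead of the excerpt works the same way, and a check that comes back False is exactly the kind of thing worth raising before trusting a new firmware.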

What’s in your Fonera? Part 1

A new version of the firmware that runs in La Fonera routers has been released. You can get it from the Fon website, http://en.fon.com/downloads; it comes as a 1.9MB file called fonera_0.7.1.1.fon, which you can upload to your router to install it.

I wanted to see exactly what is in this .fon file, so I downloaded the source code. You can get this from here. This is an 88.7MB file called fonera.tar.bz2. (The .tar.bz2 extension means it is a compressed archive for Linux known as a tarball, a bit like a .zip file.) I uncompressed this and had a look inside.

The first thing I noticed is that the file dates are mostly October 4th 2006, so I don’t think this is the source for version 7.1.1. I couldn’t find any indication of what version it actually is, which is a bit of a shame. I used the “find” command to produce this List of files in fonera.tar.bz2 so you can see the structure of it without downloading the whole thing yourself.

One thing I was a bit surprised to find was ./binary-only-modules/ar531x-wdt.o; this is a binary driver for the Atheros AR531x chip, which provides the wireless functionality. The initial release of the source code for the Fonera was delayed for a while because Fon were working on GPL compliance with Atheros; I guess they were hoping to get the source code to this module released, but failed in the end. Binary kernel modules are fairly common and I think are within the letter of the GPL, if not its full spirit.

