
Cheesy Musings

Lotusphere 2007

I have just come back from an enormous conference in Orlando, Florida. It was the IBM Lotus Lotusphere conference, the third one I have been to, and for the first time I was a speaker! The conference was attended by about 7,000 people; yes, you heard correctly, a full 7 kilogeeks. I was presenting session BP204, Integrating Lotus Notes and OpenOffice.org, and we filled the room. I don’t know the numbers yet, but it looked like a couple of hundred people to me. There was a big free wireless cloud for all the attendees. It was creaking a bit, but that isn’t surprising given the vast numbers of people using it, many of whom were checking out the virtual Second Life conference that was running in parallel with the real thing.

Request for signatures regarding the Novell/M$oft pact

I’m not going to implicate myself in any way other than to say read this: http://techp.org/petition/show/1, and if you think it makes sense you should probably register your opinion…

What’s in your Fonera - Part 2

One important part of any routing device is the firewall settings. For La Fonera these can be found in ./package/iptables/files/firewall.fon. The settings are pretty well commented and I am not really an iptables expert, so I will let the file speak for itself.

# Firewall script, specific for OpenWrt:
# permits traffic from chilli clients to Internet
# restricts inter-interfaces traffic
. /etc/functions.sh
. /tmp/network-config

config_load fon

WL="$wifi_ifname"
WAN="$wan_ifname"
LAN="$lan_ifname"

iptables -N NET_ACCESS 2>&- >&-
iptables -F NET_ACCESS

# WAN_HOOK will contain rules to restrict traffic to the wan network
iptables -N WAN_HOOK 2>&- >&-

# ChilliSpot
iptables -A NET_ACCESS -p tcp --dport 3990 -j ACCEPT

# DNS is always allowed from the tunnel
iptables -A NET_ACCESS -p udp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -p tcp --dport 53 -j ACCEPT

# Access control for the hotspot
config_get wan access hotspot_wan
enabled "$wan" 0 || iptables -A NET_ACCESS -j WAN_HOOK

config_get lan access hotspot_lan
if enabled "$lan" 0; then
    iptables -t nat -A POSTROUTING -o "$LAN" -j MASQUERADE
else
    iptables -A NET_ACCESS -o "$lan_ifname" -j DROP
fi

config_get wan access lan_wan
enabled "$wan" 1 || iptables -I FORWARD 1 -i "$LAN" -o "$WAN" -j WAN_HOOK

# allow regular wan traffic
[ -z "$WAN" ] || {
    iptables -A NET_ACCESS -o "$WAN" -j ACCEPT
    iptables -A NET_ACCESS -i "$WAN" -j ACCEPT
}

iptables -A NET_ACCESS -o "$LAN" -j ACCEPT
iptables -A NET_ACCESS -i "$LAN" -j ACCEPT

# drop everything that we haven't explicitly allowed
iptables -A NET_ACCESS -j DROP

# --- INPUT PART --
iptables -N INPUT_CFG 2>&- >&-
iptables -F INPUT_CFG 2>&- >&-
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j DROP
iptables -I INPUT 2 -i "$LAN" -j INPUT_CFG
iptables -I INPUT 3 -i tun0 -j NET_ACCESS

# --- FORWARD PART --
iptables -I forwarding_rule 1 -i "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 2 -o "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 3 -i tun0 -j NET_ACCESS
iptables -I forwarding_rule 4 -o tun0 -j NET_ACCESS

# Drop all unmanaged traffic from the public interface
iptables -t nat -A PREROUTING -i "$WL" -j DROP

ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/20-firewall
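
To see what the rule order in NET_ACCESS means for a hotspot client, here is a small first-match model of that one chain. It is an added example, not part of the Fon source; the interface names (lan0, wan0), the sample packets and the behaviour of the `enabled` helper are assumptions, and WAN_HOOK is treated as empty unless rules are passed in, because its contents are not in this file.

```python
# Added example: first-match walk of the NET_ACCESS chain as firewall.fon builds it.
# Interface names and packets are constructed; WAN_HOOK contents are not on the page.

def enabled(value, default):
    # Assumption: mirrors the script's `enabled` helper (1 = on, unset = default).
    return (default if value is None else value) == 1

def build_net_access(hotspot_wan=None, hotspot_lan=None, lan="lan0", wan="wan0"):
    """Return NET_ACCESS rules in append order as (match, target) pairs."""
    rules = [
        ({"proto": "tcp", "dport": 3990}, "ACCEPT"),  # ChilliSpot
        ({"proto": "udp", "dport": 53}, "ACCEPT"),    # DNS
        ({"proto": "tcp", "dport": 53}, "ACCEPT"),
    ]
    if not enabled(hotspot_wan, 0):
        rules.append(({}, "WAN_HOOK"))
    if not enabled(hotspot_lan, 0):
        rules.append(({"out": lan}, "DROP"))
    if wan:  # [ -z "$WAN" ] || { ... }
        rules += [({"out": wan}, "ACCEPT"), ({"in": wan}, "ACCEPT")]
    rules += [({"out": lan}, "ACCEPT"), ({"in": lan}, "ACCEPT")]
    rules.append(({}, "DROP"))  # drop everything not explicitly allowed
    return rules

def verdict(packet, rules, wan_hook=()):
    """First matching rule wins; a user chain with no match returns to its caller."""
    for match, target in rules:
        if any(packet.get(key) != value for key, value in match.items()):
            continue
        if target == "WAN_HOOK":
            target = verdict(packet, wan_hook)
            if target is None:
                continue
        return target
    return None

# Constructed packets from a hotspot client arriving on tun0.
WEB = {"in": "tun0", "out": "wan0", "proto": "tcp", "dport": 443}
SMB_TO_LAN = {"in": "tun0", "out": "lan0", "proto": "tcp", "dport": 445}
DNS_TO_LAN = {"in": "tun0", "out": "lan0", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    default = build_net_access()
    for name, pkt in [("web", WEB), ("smb->lan", SMB_TO_LAN), ("dns->lan", DNS_TO_LAN)]:
        print(f"{name:9} {verdict(pkt, default)}")
```

In this model the port 53 and 3990 rules carry no interface match, so they accept before the LAN DROP is reached. That holds for NET_ACCESS alone: on the forward path INPUT_CFG is consulted first, and it is filled in elsewhere.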

What’s in your Fonera? Part 1

A new version of the firmware that runs in La Fonera routers has been released. You can get this from the Fon website, http://en.fon.com/downloads. It comes as a 1.9MB file called fonera_0.7.1.1.fon, which you can upload to your router to install it.

I wanted to see what exactly is in this .fon file so I downloaded the source code. You can get this from here. This is an 88.7MB file called fonera.tar.bz2. (The .tar.bz2 extension means it is a compressed file for Linux known as a tarball, a bit like a .zip file). I uncompressed this and had a look inside.

The first thing I noticed is that the file dates are mostly October 4th 2006; I don’t think this is the source for version 7.1.1. I couldn’t find any indication of what version it actually is, which is a bit of a shame. I used the “find” command to produce this List of files in fonera.tar.bz2 so you can see the structure of it without downloading the whole thing yourself.

One part I was a bit surprised at was finding ./binary-only-modules/ar531x-wdt.o. This is a binary driver for the Atheros AR531x chip which provides the wireless functionality. The initial release of the source code for the Fonera was delayed for a while because Fon were working on GPL compliance with Atheros. I guess they were hoping to get the source code to this module released, but failed in the end. Binary kernel modules are fairly common and I think are within the letter of the GPL if not the full spirit of the GPL.

