Locked out from Conduit after firewall change


  • #12231
    Chris Friedel
    Participant

    Hi everyone,

    By default, the conduit allows access to its cellular WAN to everything on the Ethernet LAN. This was starting to get expensive when one of our developers accidentally downloaded a large toolset from the internet thinking they were on their wireless, but instead went through the conduit.

    To try and solve the issue, we added a firewall rule on the conduit to block INSIDE ANY to OUTSIDE ANY (though limited the target adapter to cellular).

    After (several) restarts, we can no longer communicate with the conduit via SSH, web console, etc. The device still offers DHCP services to the Ethernet-connected laptop, and responds to ICMP from the Ethernet LAN, but we cannot connect to it from the Ethernet LAN.

    It also seems to have stopped transmitting its outgoing data generated internally from its node-red workflows (assuming they are still running…).

    To me it almost seems like the firewall rule has included the conduit itself in its policies. So the LAN is no longer allowed to talk to the conduit (treating the conduit as if it was inside the WAN), and the conduit is not allowed to talk to the WAN (in this case treating the conduit as if it was inside the LAN).

    Is it possible that this could be happening?

    If so, I’d really appreciate any ideas on how this could be rescued 🙂

    Thanks all!

    Chris

    #12232
    Chris Friedel
    Participant

    I should add that I do have access to the Linux console via the USB debug port.

    #12233
    Chris Friedel
    Participant

    Alright, solved my own issue here.

    Looks like the firewall exposed by the web console is just iptables.

    A quick
    iptables -F                       # flush every rule in every chain
    iptables --policy INPUT ACCEPT    # reset the default policies to ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT

    got me back in no problem.

    I would still be interested in knowing if there is a better (safer?) way of blocking the conduit’s cellular WAN from being used by members of the Ethernet LAN, if anyone knows what is best for this.

    Thanks,
    Chris
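
A ruleset for what Chris asks above, added here as an example and not code from the thread or from MultiTech: it confines the block to the FORWARD chain, so LAN hosts cannot use the cellular link while the Conduit itself stays reachable over SSH/web and can still send its own Node-RED data, and it lints and applies the rules with a timed rollback. The interface names eth0 and ppp0 are assumptions; confirm yours before applying.

```shell
#!/bin/sh
# Added example, not from the thread or MultiTech. Blocks LAN hosts from
# reaching the cellular WAN *through* the gateway (FORWARD chain) while
# leaving management of the device (INPUT) and its own uploads (OUTPUT)
# untouched. Interface names are ASSUMED; confirm them with `ip link`.
LAN_IF="${LAN_IF:-eth0}"   # assumed Ethernet LAN interface name
WAN_IF="${WAN_IF:-ppp0}"   # assumed cellular WAN interface name

# Emit the rules instead of running them, so they can be reviewed first.
conduit_fw_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
}

# Lint a rule set read from stdin. Succeeds only if nothing in it could
# cut the gateway itself off: no DROP/REJECT rule and no DROP policy in
# the INPUT or OUTPUT chain, which is the lockout described in the thread.
is_safe_ruleset() {
    ! grep -Eq -- \
      '(-P|--policy) +(INPUT|OUTPUT) +(DROP|REJECT)|-A +(INPUT|OUTPUT) .*-j +(DROP|REJECT)'
}

# Apply with a safety net: a background flush fires after ROLLBACK_SECS,
# the same recovery used in the thread, unless you kill it once you have
# confirmed SSH and the web console still answer from the LAN.
apply_with_rollback() {
    ROLLBACK_SECS="${1:-120}"
    if ! conduit_fw_rules | is_safe_ruleset; then
        echo "refusing: rule set would touch INPUT/OUTPUT" >&2
        return 1
    fi
    ( sleep "$ROLLBACK_SECS" && iptables -F && iptables -P FORWARD ACCEPT ) &
    ROLLBACK_PID=$!
    conduit_fw_rules | sh
    echo "applied; run 'kill $ROLLBACK_PID' within ${ROLLBACK_SECS}s to keep the rules"
}
```

Rules applied this way are not persistent across a reboot; since the original lockout only appeared after restarts, test with a reboot before relying on them.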

    #12237
    Jeff Hatch
    Keymaster

    Chris,

    Do you have an “iptables -L” from when the issue was still occurring? If I have time I could take a look into what you did and find a way to do what you really want to do.

    Jeff

    #12255
    Chris Friedel
    Participant

    Thanks for the offer Jeff! I’ll try with one of our Linux guys first and see if they can’t solve the issue for us. You guys have better things to worry about 🙂

    If they do come up with a clean solution to implement this I’ll make sure to post it here for others.

    Cheers,
    Chris
