On 01/02/2016 05:39 AM, Per Jessen wrote:
> We had a couple of friends over for New Year's and discovered that their fairly new or upgraded iPhones and iPads somehow didn't work on the wifi. That is, IPv6 websites worked fine, but IPv4 did not.
> I've finally tracked it down to be due to iOS 8 and newer not accepting ICMP redirects. (The ICMP redirect is caused by my transparent squid cache.) Other systems with this fault are e.g. Windows 8 and Nintendo, and generally I have just added a bypass rule in the firewall for those specific devices.
> However, we have too many people with iPhones traipsing around, so it would be nice for the firewall to automagically identify iPhones and add them to a separate chain for bypassing/dealing with this issue. Obviously those devices are on DHCP, I could possibly detect it there and amend the firewall, but it would be a bit kludgy.
> Basically, I need a rule such as the below added to the firewall whenever a new iPhone device appears:
> iptables -A PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s <ip>
> I guess looking at the MAC address might work, but I have at least 6 different ones of those too: 44:00:10, 4c:7c:5f, d0:4f:7e, 64:b9:e8, 84:b1:53. (Seems like there are at least 451 OUIs registered to "Apple, Inc".)
> Any better ideas?
Unless you have a really tight data allotment, why not just shut down the squid cache? After all, unless all your users are hitting the same exact sites as you are, the cache saves you nothing that wouldn't get saved by on-device caching. Squid solves a lot of problems not seen since dial-up days in my humble opinion.
--
After all is said and done, more is said than done.
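Added example, not part of the original thread: a sketch of the DHCP-based approach described in the quoted question, matching lease MACs against the five OUIs listed there and printing an idempotent form of the quoted rule. The dnsmasq-style lease format, the function names and the sample leases are assumptions constructed for illustration; the script prints the commands and does not run iptables.

```sh
#!/bin/sh
# OUIs are the five prefixes quoted in the post. The lease line format
# ("expiry mac ip hostname client-id", as dnsmasq writes it) is an assumption.
APPLE_OUIS="44:00:10 4c:7c:5f d0:4f:7e 64:b9:e8 84:b1:53"

# is_apple_mac MAC: succeeds if MAC is well formed and its OUI is listed.
is_apple_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$m" in *[!0-9a-f:]*) return 1 ;; esac
    case "$m" in ??:??:??:??:??:??) ;; *) return 1 ;; esac
    oui=${m%:??:??:??}
    for known in $APPLE_OUIS; do
        [ "$oui" = "$known" ] && return 0
    done
    return 1
}

# is_ipv4 ADDR: reject anything but a dotted quad, so that lease-file
# content never reaches the generated command line unchecked.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_bypass_rules: leases on stdin, one "check, else append" command per match.
emit_bypass_rules() {
    while read -r _expiry mac ip _rest; do
        is_apple_mac "$mac" || continue
        is_ipv4 "$ip" || continue
        rule="PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s $ip"
        printf 'iptables -C %s 2>/dev/null || iptables -A %s\n' "$rule" "$rule"
    done
}

# Constructed sample leases: two listed OUIs, one other vendor, one bad address.
sample_leases() {
cat <<'EOF'
1451740000 4C:7C:5F:12:34:56 192.168.1.50 Annas-iPhone 01:4c:7c:5f:12:34:56
1451740100 00:11:22:33:44:55 192.168.1.51 laptop *
1451740200 d0:4f:7e:ab:cd:ef 192.168.1.52 * *
1451740300 64:b9:e8:00:00:01 192.168.1.999 bogus *
EOF
}

sample_leases | emit_bypass_rules
```

The MAC address is chosen by the client, so an OUI match identifies a device only loosely and the bypass should not grant anything beyond skipping the proxy. Rules added this way also need removing when the lease expires.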