Mailinglist Archive: opensuse (1047 mails)

Re: [opensuse] automatically identifying and handling apple iphones in firewall ?
On 01/02/2016 05:39 AM, Per Jessen wrote:
> We had a couple of friends over for New Year's and discovered that their
> fairly new or upgraded iphones and ipads somehow didn't work on the
> wifi. That is, ipv6 websites worked fine, but ipv4 did not.
>
> I've finally tracked it down to be due to iOS8 and newer not accepting
> icmp redirects. (the icmp redirect is caused by my transparent squid
> Other systems with this fault are e.g. Windows8 and Nintendo, and
> generally I have just added a bypass rule in the firewall for those
> specific devices.
>
> However, we have too many people with iphones traipsing around, so it
> would be nice for the firewall to automagically identify iphones and
> add them to a separate chain for bypassing/dealing with this issue.
> Obviously those devices are on dhcp, I could possibly detect it there
> and amend the firewall, but it would be a bit kludgy.
>
> Basically, I need a rule such as the below added to the firewall
> whenever a new iphone device appears:
>
> iptables -A PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s <ip>
>
> I guess looking at the mac address might work, but I have at least 6
> different ones of those too: 44:00:10, 4c:7c:5f, d0:4f:7e, 64:b9:e8,
> 84:b1:53. (seems like there are at least 451 OUIs registered to "Apple,
>
> Any better ideas?

Unless you have a really tight data allotment, why not just shut down
the squid cache? After all, unless all your users are hitting the same exact
sites as you are, the cache saves you nothing that wouldn't get saved by
caching. Squid solves a lot of problems not seen since dial-up days in my
humble opinion.

After all is said and done, more is said than done.
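
The DHCP-plus-OUI detection considered in the quoted post, as an added example that is not part of the original thread: it assumes dnsmasq-style lease lines (expiry, MAC, IP, hostname, client-id), uses only the OUI prefixes quoted in the post, and its function names are hypothetical. A MAC address is chosen by the client, so an OUI match is a vendor claim rather than proof of device type.

```shell
#!/bin/sh
# OUI prefixes quoted in the post (incomplete by the poster's own account).
APPLE_OUIS="44:00:10 4c:7c:5f d0:4f:7e 64:b9:e8 84:b1:53"

# Return 0 if the MAC's first three octets match one of the listed OUIs.
is_listed_oui() {
    prefix=$(printf '%s' "$1" | tr 'A-F' 'a-f' | cut -c1-8)
    for oui in $APPLE_OUIS; do
        [ "$prefix" = "$oui" ] && return 0
    done
    return 1
}

# Accept only a dotted-quad IPv4 string, so lease-file content can never
# inject extra options or shell syntax into the generated command.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read leases on stdin (assumed format: "expiry mac ip hostname client-id")
# and print the post's bypass rule for each matching device.
bypass_rules() {
    while read -r _expiry mac ip _rest; do
        is_listed_oui "$mac" || continue
        is_ipv4 "$ip" || continue
        echo "iptables -A PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s $ip"
    done
}

# Constructed sample leases (not real data); the last entry has a listed
# OUI but a non-IPv4 address and must be skipped.
sample_leases() {
    cat <<'EOF'
1451700000 4C:7C:5F:12:34:56 192.168.1.50 Annas-iPhone 01:4c:7c:5f:12:34:56
1451700100 00:1a:2b:3c:4d:5e 192.168.1.51 laptop *
1451700200 84:b1:53:aa:bb:cc 192.168.1.52 * *
1451700300 d0:4f:7e:00:00:01 fe80::1 ipad *
EOF
}

sample_leases | bypass_rules
```

The rules are printed rather than executed so they can be reviewed first; because they use `-A`, rerunning the script appends duplicates unless the earlier rules are removed.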