[opensuse] automatically identifying and handling apple iphones in firewall?

We had a couple of friends over for New Year's and discovered that their fairly new or upgraded iphones and ipads somehow didn't work on the wifi. That is, ipv6 websites worked fine, but ipv4 did not.

I've finally tracked it down to be due to iOS8 and newer not accepting icmp redirects (the icmp redirect is caused by my transparent squid cache). Other systems with this fault are e.g. Windows8 and Nintendo, and generally I have just added a bypass rule in the firewall for those specific devices.

However, we have too many people with iphones traipsing around, so it would be nice for the firewall to automagically identify iphones and add them to a separate chain for bypassing/dealing with this issue. Obviously those devices are on dhcp; I could possibly detect it there and amend the firewall, but it would be a bit kludgy.

Basically, I need a rule such as the below added to the firewall whenever a new iphone device appears:

iptables -A PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s <ip>

I guess looking at the mac address might work, but I have at least 6 different ones of those too: 44:00:10, 4c:7c:5f, d0:4f:7e, 64:b9:e8, 84:b1:53. (Seems like there are at least 451 OUIs registered to "Apple, Inc".)

Any better ideas?

--
Per Jessen, Zürich (5.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
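As an added example (not code from the thread or from Per's setup), here is a POSIX shell sketch of the "detect it from the network and amend the firewall" approach considered above: it reads `ip neigh` output, compares the first three octets of each MAC against the five OUIs listed in the message, and prints (or, with APPLY=1, installs) the bypass rule above for each match. The neighbour lines are a constructed sample, and the OUI list is only the prefixes from the thread, not a complete list of Apple prefixes.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `ip neigh` output format
# ("IP dev IF lladdr MAC STATE") and uses only the five OUIs Per listed
# (a constructed subset, nowhere near the full set of Apple prefixes).
APPLE_OUIS="44:00:10 4c:7c:5f d0:4f:7e 64:b9:e8 84:b1:53"

# Constructed sample of `ip neigh` output used for the offline demo below.
SAMPLE_NEIGH='192.168.1.23 dev wlan0 lladdr 44:00:10:aa:bb:cc REACHABLE
192.168.1.24 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.1.25 dev wlan0 lladdr D0:4F:7E:01:02:03 STALE
192.168.1.26 dev wlan0 FAILED
fe80::1 dev wlan0 lladdr 64:b9:e8:00:00:01 router REACHABLE'

# apple_hosts: read neighbour lines on stdin, print "IP MAC" for every IPv4
# neighbour with a resolved MAC whose OUI (first three octets) is in APPLE_OUIS.
apple_hosts() {
    while read -r ip _kw dev _kw2 mac state; do
        case "$ip" in *:*) continue ;; esac          # skip IPv6 entries
        case "$state" in
            REACHABLE|STALE|DELAY|PROBE|PERMANENT) ;; # usable entries only
            *) continue ;;                            # FAILED/INCOMPLETE/empty
        esac
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # normalise case
        oui=${mac%:*:*:*}                             # 44:00:10:aa:bb:cc -> 44:00:10
        case " $APPLE_OUIS " in
            *" $oui "*) printf '%s %s\n' "$ip" "$mac" ;;
        esac
    done
}

# bypass_rule: print (or, with APPLY=1, install) the rule from the message for
# one IP. `iptables -C` tests for an existing copy so reruns don't duplicate it.
bypass_rule() {
    rule="PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s $1"
    if [ "${APPLY:-0}" = 1 ]; then
        # $rule is deliberately unquoted: it must split into separate arguments
        iptables -C $rule 2>/dev/null || iptables -A $rule
    else
        printf 'iptables -A %s\n' "$rule"
    fi
}

# bypass_from_neigh: neighbour lines on stdin -> one bypass rule per Apple host.
bypass_from_neigh() {
    apple_hosts | while read -r ip _mac; do bypass_rule "$ip"; done
}

# Offline demo on the constructed sample; live use: ip -4 neigh show | bypass_from_neigh
printf '%s\n' "$SAMPLE_NEIGH" | bypass_from_neigh
```

Run it from cron or a DHCP/neighbour hook with `ip -4 neigh show | bypass_from_neigh`. A MAC prefix is trivially changed and a missing OUI just means a guest gets cached, so this is fine for a convenience bypass but should not gate anything that matters.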

On 01/02/2016 05:39 AM, Per Jessen wrote:
> We had a couple of friends over for New Year's and discovered that their fairly new or upgraded iphones and ipads somehow didn't work on the wifi. That is, ipv6 websites worked fine, but ipv4 did not.
> I've finally tracked it down to be due to iOS8 and newer not accepting icmp redirects (the icmp redirect is caused by my transparent squid cache). Other systems with this fault are e.g. Windows8 and Nintendo, and generally I have just added a bypass rule in the firewall for those specific devices.
> However, we have too many people with iphones traipsing around, so it would be nice for the firewall to automagically identify iphones and add them to a separate chain for bypassing/dealing with this issue. Obviously those devices are on dhcp; I could possibly detect it there and amend the firewall, but it would be a bit kludgy.
> Basically, I need a rule such as the below added to the firewall whenever a new iphone device appears:
> iptables -A PREROUTING -t mangle -j ACCEPT -p tcp --dport http -s <ip>
> I guess looking at the mac address might work, but I have at least 6 different ones of those too: 44:00:10, 4c:7c:5f, d0:4f:7e, 64:b9:e8, 84:b1:53. (Seems like there are at least 451 OUIs registered to "Apple, Inc".)
> Any better ideas?

Unless you have a really tight data allotment, why not just shut down the squid cache? After all, unless all your users are hitting the same exact sites as you are, the cache saves you nothing that wouldn't get saved by on-device caching. Squid solves a lot of problems not seen since dial-up days, in my humble opinion.

--
After all is said and done, more is said than done.

John Andersen wrote:
> Unless you have a really tight data allotment, why not just shut down the squid cache? After all, unless all your users are hitting the same exact sites as you are, the cache saves you nothing that wouldn't get saved by on-device caching. Squid solves a lot of problems not seen since dial-up days, in my humble opinion.

Yeah, I agree - mostly. It's definitely not about data allotment anymore. We're piggy-backing on the office squid setup, which is primarily for caching the opensuse repos. It helps with caching all kinds of web content too, though, and surfing at wirespeed is a lot faster. I've only measured the caching of the repos; I wonder how much it actually does for other web content, but the redirect to squid is for anyone accessing port 80.

I haven't found an easy way of identifying an iPhone; instead we'll keep track of our own phones, and any guest will just not be cached.

--
Per Jessen, Zürich (6.0°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
participants (2)
- John Andersen
- Per Jessen