UCI Defaults & Security

I figured the dev forum was the best place for this, but please feel free to let me know if that is not the case.

I've started building all my own firmware images. As per the docs, I use UCI defaults scripts to apply the desired settings. However, there is a problem here: while the scripts are being executed, it is possible that untrusted network devices can see trusted devices. This occurs due to the scripts that are already included in the image, which apply the factory OpenWrt config; firewall, interface and VLAN settings can be incorrect for a short period.

I have dealt with this problem by having "xx_block_all_traffic" scripts run at various points. Those scripts do things like stop the network service, put every switch port on a separate VLAN, etc. However, it is not a very clean solution, and there are still a few seconds where the network is left in a vulnerable state.

Does anyone have any smart solutions for this? Thanks!
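A uci-defaults style script of the kind described in the first post, as an added example (not the poster's own script): it generates a `uci batch` that places each switch port in a VLAN of its own together with only the CPU port, so no two user ports forward to each other until the real configuration is applied. The switch name `switch0`, CPU port `0` and user ports `1 2 3 4 5` are assumptions to check against `swconfig dev switch0 show`; note that the hardware switch keeps whatever forwarding state it already has until netifd re-applies the VLANs, which is the window the thread is about.

```shell
#!/bin/sh
# Example for /etc/uci-defaults/00_isolate_ports (added example, not from the thread).
# Assumed, constructed values; verify with `swconfig dev switch0 show` on the device.
SWITCH="${SWITCH:-switch0}"
CPU_PORT="${CPU_PORT:-0}"
PORTS="${PORTS:-1 2 3 4 5}"

# Emit uci batch commands: one switch_vlan section per port, each containing
# only that port (untagged) and the CPU port (tagged). Ports in different VLANs
# cannot reach each other through the switch fabric.
gen_isolation_batch() {
    sw="$1"; cpu="$2"; shift 2
    vid=1
    for p in "$@"; do
        printf 'add network switch_vlan\n'
        printf "set network.@switch_vlan[-1].device='%s'\n" "$sw"
        printf "set network.@switch_vlan[-1].vlan='%s'\n" "$vid"
        printf "set network.@switch_vlan[-1].ports='%s %st'\n" "$p" "$cpu"
        vid=$((vid + 1))
    done
    printf 'commit network\n'
}

# Replace the factory VLANs with the isolated ones and make netifd push them
# to the switch. Only meaningful on the router itself (needs uci and netifd).
apply_isolation() {
    command -v uci >/dev/null 2>&1 || { echo "uci not available" >&2; return 1; }
    # Drop every existing switch_vlan section (factory LAN/WAN VLANs).
    while uci -q delete network.@switch_vlan[0]; do :; done
    # shellcheck disable=SC2086  # PORTS is intentionally word-split.
    gen_isolation_batch "$SWITCH" "$CPU_PORT" $PORTS | uci batch
    # Until this reload runs, the switch hardware still forwards per its old state.
    /etc/init.d/network reload
}

# Run only when invoked as a script with "apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
    apply_isolation
fi
```

Run `sh 00_isolate_ports apply` (or let uci-defaults run it at first boot) to apply, or call `gen_isolation_batch switch0 0 1 2 3` to inspect the generated commands first.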

Ship preconfigured images. Also some things (like switch port isolation) simply cannot be done before OpenWrt is booted as the initial configuration state is subject to the boot loader.


Thanks for your input!

When using the image builder, how do you wipe out all the default UCI defaults scripts? I couldn't see any way to do this.

You raise a good point regarding the initial switch state. I have no idea where to begin to verify that behavior. Do you know where or how I could find an answer? I am using Archer C7 devices, specifically.

If the initial switch state is forwarding all traffic, on all ports, that is a major problem; OpenWrt takes a long time to boot up, during which the network would be wide open.

The only way to guarantee the security output you desire during initial setup is to pull the cables from the router including internet and only have the setup computer connected until the installation and setup is done.

Or have everything connected to an external switch with trunked data from the router; then the data flow will be terminated until the router setup is done and trunked data starts to flow again.

Thanks for the suggestion! I considered that, during flashing etc. I've concluded that it will be a lot easier to just have untrusted devices on WiFi, rather than run around disconnecting stuff. The leaky switch problem is the main blocker to that, though; I may not even be able to use the inbuilt switch at all.

My network consists of a NanoPi R4S as the gateway, one C7 as the central switch and three other C7s as switches/APs. If all the switches leak during boot, tagged guest VLAN data can probably reach the wired clients. If the packets remain tagged, that is probably OK. If the switch does something really wacky, like merge all tags, the switches are basically useless.