Re: n900 eats my money
For the moment I've adapted the firewall from this site:
http://meego.de/forum/netzwerk/8227-...-firewall.html to this text:

#!/bin/bash
###################################################################################################
## NAME
##   firewall - n900 firewall
##
## SYNTAX
##   firewall [-?] <start|stop|restart>
##
## ARGUMENTS
##   -? ................. Show this help
##   start .............. Start the firewall on all interfaces
##   stop ............... Stop the firewall on all interfaces
##   restart ............ Restart the firewall on all interfaces (stop & start)
##
## DESCRIPTION
##   This script activates the whole firewall of the n900 (by default).
##
## AUTHOR
##   Duffman, Germany
##
###################################################################################################

#--------------------------------------------------------------------------------------------------
# Static variables
#--------------------------------------------------------------------------------------------------
# Interfaces
INET_IFACE=wlan0    # Internet interface (external, WLAN)
INET_GPRS=gprs0     # Internet interface over the cellular network

# Commands
ECHO=$(which echo)
IPTABLES=$(which iptables)
MODPROBE=$(which modprobe)
RMMOD=$(which rmmod)

#--------------------------------------------------------------------------------------------------
# Functions
#--------------------------------------------------------------------------------------------------
# Automatic logging (disabled by default; called from the "start" case)
#logging () {
#    # Log incoming packets
#    $IPTABLES -A INPUT -i $INET_IFACE -j LOG --log-prefix "INPUT($INET_IFACE): "
#    # Log forwarded packets
#    $IPTABLES -A FORWARD -i $INET_IFACE -j LOG --log-prefix "FORWARD($INET_IFACE): "
#    # Log outgoing packets
#    $IPTABLES -A OUTPUT -o $INET_IFACE -j LOG --log-prefix "OUTPUT($INET_IFACE): "
#}

# Flush the chains
flush_chains () {
    $IPTABLES -F
    $IPTABLES -X    # delete user-defined chains
}

# Start the whole firewall
start_firewall () {
    # Load modules (names differ between kernel versions, so a missing module is not an error)
    $MODPROBE xt_state 2>/dev/null           # needed for -m state (connection tracking state)
    $MODPROBE nf_conntrack_ipv4 2>/dev/null  # part of nf_conntrack, formerly ip_conntrack
    $MODPROBE ip_conntrack 2>/dev/null       # per-connection byte counts are in /proc/net/ip_conntrack
    $MODPROBE xt_hashlimit 2>/dev/null       # needed for -m hashlimit (SSH rate limit below)
    $MODPROBE ipt_LOG 2>/dev/null            # for logging and its output in the log file
    #$MODPROBE ipt_recent                    # stores information in /proc/net/ipt_recent/*

    # Start from empty chains so that running "start" twice does not duplicate rules
    flush_chains

    # Drop everything first
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Kernel parameter for IP forwarding (only matters if the device routes for other hosts;
    # with the FORWARD policy set to DROP above nothing is forwarded anyway)
    $ECHO "1" > /proc/sys/net/ipv4/ip_forward

    # Accept all packets that belong to an established connection
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow loopback
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Allow new SSH connections on port 22, rate-limited per source address
    # (connections over the limit fall through to the INPUT DROP policy)
    $IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 22 -m hashlimit --hashlimit 1/min --hashlimit-mode srcip \
        --hashlimit-name SSH -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i $INET_GPRS -p tcp --dport 22 -m hashlimit --hashlimit 1/min --hashlimit-mode srcip \
        --hashlimit-name SSH -m state --state NEW -j ACCEPT

    # Allow all new outgoing TCP connections on both interfaces
    # (this already covers HTTP, so the port 80 rule further down never adds anything)
    $IPTABLES -A OUTPUT -o $INET_IFACE -p tcp -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o $INET_GPRS -p tcp -m state --state NEW -j ACCEPT

    # Allow incoming ping on the Internet interfaces
    $IPTABLES -A INPUT -i $INET_IFACE -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i $INET_GPRS -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

    # Allow outgoing ping on the Internet interfaces
    $IPTABLES -A OUTPUT -o $INET_IFACE -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o $INET_GPRS -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

    # Allow updates from the sources.list over HTTP
    $IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Allow new DNS queries
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Allow ICMP destination-unreachable messages
    $IPTABLES -A INPUT -i $INET_IFACE -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $INET_GPRS -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
}

# Remove all iptables rules (switch the firewall off)
stop_firewall () {
    # Delete all existing rules
    flush_chains

    # Restore the default policy and allow all packets
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    # Disable forwarding
    $ECHO "0" > /proc/sys/net/ipv4/ip_forward
}

#--------------------------------------------------------------------------------------------------
# Main
#--------------------------------------------------------------------------------------------------
case "$1" in
    start)
        start_firewall
        # logging
        ;;
    stop)
        stop_firewall
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        # Print the usage (see the top of the script)
        awk '/^##($|[^#])+/ {print substr($0,4)}' $0
        exit 0
        ;;
esac

If somebody is interested I can tell the result in one week. I don't know much about iptables. Perhaps some expert can tell us if that makes sense?
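The poster asks whether the rule set makes sense. One way to answer that without a device is to replay the rules against a few packets and check what a first-match evaluation decides. The following is an added example, not code from the post or from the linked meego.de script: it parses a constructed rule dump (written in iptables command syntax and modelled on the posted INPUT and OUTPUT chains, with a rate-limited SSH rule followed by an unconditional one for the same port, a pattern worth checking in copied firewall scripts) and evaluates constructed packets against it. Only -i/-o, -p, --dport, --icmp-type and -m state are matched; a rate limit (-m hashlimit or -m limit) is treated as "under the limit", so this reads rule sets, it does not filter packets.

```python
"""Static first-match evaluation of a small iptables subset.

Added example, not code from the forum post or the linked firewall script.
Matches -i/-o, -p, --dport, --icmp-type and -m state; a rate limit counts
as "under the limit".  A rule-set reading aid, not a packet filter.
"""
import shlex
from collections import namedtuple

# Constructed dump in iptables command syntax, modelled on the posted script's
# INPUT and OUTPUT chains: policies first, then rules in chain order.
SAMPLE_RULES = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -p tcp --dport 22 -m hashlimit --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name SSH -m state --state NEW -j ACCEPT
-A INPUT -i wlan0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m state --state NEW -j ACCEPT
-A OUTPUT -o gprs0 -p tcp -m state --state NEW -j ACCEPT
-A OUTPUT -o wlan0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
"""

MATCH_FIELDS = ("iface", "proto", "dport", "icmp_type")
SIMPLE_OPTS = {"-i": "iface", "-o": "iface", "-p": "proto", "--icmp-type": "icmp_type", "-j": "target"}
SKIP_WITH_ARG = {"--hashlimit", "--hashlimit-mode", "--hashlimit-name", "--limit", "--limit-burst"}
# Match fields are None for "any"; iface is -i or -o (the chain fixes the direction);
# limited marks -m hashlimit / -m limit, which does not match every packet it could.
Rule = namedtuple("Rule", "chain line target iface proto dport icmp_type states limited",
                  defaults=(None,) * 6 + (False,))
Packet = namedtuple("Packet", "chain iface proto dport icmp_type state", defaults=(None, None, "NEW"))

def parse_rules(text):
    """Return (policies, rules) from iptables command lines; unknown options raise."""
    policies, rules = {}, []
    for raw in text.strip().splitlines():
        toks = shlex.split(raw)
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {raw}")
        kw, it = {"chain": toks[1], "line": raw.strip()}, iter(toks[2:])
        for opt in it:
            if opt in SKIP_WITH_ARG:
                next(it)
            elif opt in SIMPLE_OPTS:
                kw[SIMPLE_OPTS[opt]] = next(it)
            elif opt == "-m":
                kw["limited"] = next(it) in ("hashlimit", "limit") or kw.get("limited", False)
            elif opt == "--dport":
                kw["dport"] = int(next(it))
            elif opt == "--state":
                kw["states"] = frozenset(next(it).split(","))
            else:
                raise ValueError(f"unsupported option {opt!r} in: {raw}")
        if "target" not in kw:
            raise ValueError(f"rule without -j target: {raw}")
        rules.append(Rule(**kw))
    return policies, rules

def _fields_cover(a, b):
    return all(getattr(a, f) in (None, getattr(b, f)) for f in MATCH_FIELDS)

def matches(rule, pkt):
    """Does the rule match the packet?  A rate limit is assumed not to be exceeded."""
    return (rule.chain == pkt.chain and _fields_cover(rule, pkt)
            and (rule.states is None or pkt.state in rule.states))

def covers(a, b):
    """Does rule a match every packet rule b matches?  A limited rule never covers."""
    return (a.chain == b.chain and not a.limited and _fields_cover(a, b)
            and (a.states is None or (b.states is not None and b.states <= a.states)))

def verdict(text, pkt):
    """First match wins: returns (target, line of the deciding rule or 'policy')."""
    policies, rules = parse_rules(text)
    for r in rules:
        if matches(r, pkt):
            return r.target, r.line
    return policies.get(pkt.chain, "ACCEPT"), "policy"

def shadowed(text):
    """Rules that can never fire because an earlier rule in the chain covers them."""
    _, rules = parse_rules(text)
    return [(r.line, a.line) for i, r in enumerate(rules) for a in rules[:i] if covers(a, r)]

def ineffective_limits(text):
    """Rate-limited rules whose excess traffic hits a later covering rule with the same target."""
    _, rules = parse_rules(text)
    found = []
    for i, r in enumerate(rules):
        later = next((b for b in rules[i + 1:] if covers(b, r)), None) if r.limited else None
        if later is not None and later.target == r.target:
            found.append((r.line, later.line))
    return found
```

Run against the constructed dump, verdict(SAMPLE_RULES, Packet("OUTPUT", "gprs0", "tcp", 80)) returns ACCEPT from the blanket "-o gprs0 -p tcp" rule: a rule set of this shape lets any new outgoing HTTP connection through, on GPRS as well as WLAN, which is why it cannot stop a repository check that the device starts itself. An inbound new connection to port 80 falls to the INPUT DROP policy, and outbound UDP to anything but port 53 is dropped. The two lints make the structural problems visible: shadowed() reports the wlan0 port 80 rule as unreachable behind the blanket TCP rule, and ineffective_limits() reports that an unconditional accept placed after a hashlimit rule for the same port receives exactly the connections the limit rejected, so the limit changes nothing.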
Re: n900 eats my money
I support disabling all repositories; that should do the trick.
Re: n900 eats my money
I thought HAM was an essential system component.
Re: n900 eats my money
Run this command in a terminal:

    gconftool -s --type int /apps/hildon/update-notifier/check_interval 2147483647

You don't need to be root. This command will definitively disable auto-updating until you update/reflash, so remember to re-run it after you do that ;) And I think also that you should use Faster Application Manager, it is way better than the default application manager :)
Re: n900 eats my money
Quote:
Telling people off just because they cannot/won't afford a flatrate... not nice!
Quote:
"Always ask" prevents the device from connecting itself to the network but not from updating if already connected by hand. The idea of turning off repositories is the key if it does not work for you with the gconf settings. But I doubt it does not work! Check your other stuff which might update when connected.
Re: n900 eats my money
I have the same issue. I'm on a flatrate, though, but it is still equally annoying when apt-worker decides to do its magic and hog both 100% CPU and bandwidth when I need to check something online real fast.
I've used gconftool to change the value to the max possible (can't remember it) but it still checks occasionally. This is just another of many things that unfortunately are unfinished/unpolished in Maemo.
Re: n900 eats my money
I'm just guessing here, but perhaps the people changing the interval have been doing so as root, when it's the user account settings they should be changing?
Re: n900 eats my money
Quote:
e: the firewall script doesn't seem to help at all
Re: n900 eats my money
Maybe you can rename apt-worker. It'll break application manager but should stop it from running update checks, I would think. You can rename it back if you desire to use HAM at some point again (for example, to install something from Ovi). Otherwise I think FAPMAN should work normally without it.