#Router methods

Using router object returned from get_router locally, allow adjustment of firewall rules. [requires LAN to have access to 8080]

Firewalls are quite powerful and can add more layers of security to networks, but sadly they do not seem to be utilized by players as much as they could be.

The main 2 reasons I assume players do not make better use of firewalls is disables & lack of way to programmatically adjust firewall rules.

Currently, the only way to access firewall configuration is with a shell on the network that can launch browser.exe. My proposed change would leverage these existing mechanics to facilitate usage of methods like get_router.add_rule(...) .

In order for an attacker to change the rules, they would need to be able to launch a program on a computer with a LAN that is allowed to connect to the router via port 8080. This can be circumvented by the server owner by ensuring file permissions are restrictive and maintaining best practices. This is the current case with Browser.exe.

The end result of this change is a new way for white hats to protect their networks, enforce global ban lists etc, & also as an attack vector for malicious programs.

add_rule

// add_rule(ACTION: string, PORT: number, SOURCE: string, DESTINATION: string) : 1 on success, string on failure
// usage
Router = get_router
Router.add_rule("ALLOW", 22, "ANY", "192.168.0.2")

remove_rule

// remove_rule(ACTION: string, PORT: number, SOURCE: string, DESTINATION: string) : 1 on success, string on failure
// usage 
Router = get_router
Router.remove_rule("ALLOW", 22, "ANY", "192.168.0.2")

For changing rules on specific router/switch on a network, specificy the LAN of the device

specific_router = get_router("10.0.21.1") // must be a LAN
specific_router.add_rule("ALLOW", 22, "192.168.1.4", "10.0.21.2")

Good feature. We can see it soon because it's not so complicated.

Like it was with computer.get_name

I currently enforce a global banlist across 3 domains, its a pain to add new entries

With it you can just ban [ip] 🙂

exactly

Don't ban me please

🙏

Might be easier to implement by calling it on a computer object instead. Would make it easier to enforce that the user acquired root permissions on the device in some way.

a router is not a computer though

Yeah but they have computer objects associated with them

itd be tied in like any general method based on who launched the script

like active_user

ah yeah that could work, but would likely limit it to only being usable via a program on the router itself

no

it would be tied into the runtime, so if you use get_shell, and you are root, thats a root shell, if you use get_router, and you are root, you can perform get_router.set_firewall if that makes sense

it would not be used remotely

root on which device tho? get_router would evaluate against the location of the script it's being called in. That call currently isn't attached to anything but the runtime so it wouldn't work it the runtime is outside the router

oh yeah then like i said, limited to only using it via a program on the router

root on the device your invoking on, root is the same on any machine on a network, including router

and as it is currently, any level can access a router at port 8080 via the browser, however to do so programmatically i suggested root for balance, but theoretically it doesnt have to be limited to a cetain scope

ah so the check would be, make sure the script is running as root and that it's on a device inside the network?

yes

would not work on a remote router

must use get_router

which easily can be worked with remotely launching a script on the network

or sorta like "ufw enable"

And thinking for more complicated networks with multiple routers + switches, perhaps using the lan as a parameter can allow the adjustment of firewall rules for that specific router/switch. Whereas using get_router will return the network gateway.

all the people who havent liked this, i can only assume you are on my firewall 😉

/s

Hey tuna

Can you send us your filewall list?

you can scanrouter on my domains

OK

These ips are bad players?

its a mix of bans, and rules for the network

denying firewall edit to specific machines

1-way connection

i think this is a bit redundant with the existing deny 22 any any but

some examples

@covert ledge are you on there or what? 😆

Gimme a second to get my public ip

No. I'm not

Router methods

Router methods - firewall

Would that just need a root check to be able to change rules? Then it should be from with get_shell for userlevel access. Or he would have to build userlevel access into all Router objects

Right now you don't need to be root to change firewall rules. I don't think so.

But ya need a guest shell to be able to send the 8080 web

Get_router(noobieIP).rem_rule(all) lol

At least only allow rule add\rem from within subnet.

tbh, this just doesnt make sense

add_rule & remove_rule, pretty straightforward

the requirement doesnt make sense, should either add a password for router configuration, or need to have a root computer object of the router

tbh now ive thought it over, only requirement IMO should be that the LAN you are trying to access the router from, cannot be blocked by firewall at port 8080

what else stops one from accessing firewall config on a terminal?
File permissions - this is why i originally recommended root as a requirement, because it may be too easy to have simply the ability to alter firewall without having some kind of balance for the user making the action. Where currently if x is removed from Browser.exe, guest cannot edit firewall on that machine

The password for "router configuration" is the root password for the network. The mechanics are already built in for a root check on a machine, otherwise features like sudo would be impossible. So extending this to allow change to a local router would make sense

It wouldn't change any permissions if the router object had a method .firewall rules or something.
(Only accessible on LAN)

Computer object doesnt make any sense for this.

I mean you can't do shell.get_router so you already need to execute code on the target computer. If you can do that you could also upload a new browser.exe.

why would you need to execute anything on the router itself, when connection can be established via port 8080?

Routers are not 'computers', so we are in agreement there

So again the idea is something like get_router.add_rule, not get_shell.get_router

I know. I mean the firewall rules only work when you have access to a computer in the network and can run Browser.exe

We should somewhat keep these permissions the same because they're here for a reason

get_router with LAN restrictions does exactly that. You need to be able to upload a custom script to the computer (not the router).

ok im following you now, yes exactly

I just meant adding root or passwords etc as a requirement is not necessary because if we have get_router we already need access to a custom script on one of the lan computers. If we can upload a custom script we could also upload Browser.exe so the permissions stay the same

Root/ a password aren't necessary at all

agreed, file permissions alone should be sufficient

Port forwarding will be too op because with it you can install rshell services and forward it automatically
Imagine just typing save in your script an voila! Now you saved this shell for later.

Port forwarding was not a part of my suggestion @covert ledge however with the same reasoning, it would be pretty balanced if using the existing file permissions

As for installing services, where npc networks? Good chance they will be restored

We can create more generalized feature suggestion for router methods

If you already know how it will work, then why not?

I assume port forwarding would be a higher priority than firewall, so why not

Router methods

Using router object returned from get_router locally, allow adjustment of forward ports. requires LAN to have access to 8080

add_forward

add_forward(EXTERNAL_PORT: number, INTERNAL_PORT: number, LAN: string) : 1 on success, string on failure

usage: add a forwarded port

Router = get_router
Router.add_forward(1222, 1222, "192.168.0.2") // add the forwarded port

remove_forward

remove_forward(EXTERNAL_PORT: number, INTERNAL_PORT: number, LAN: string) : 1 on success, string on failure

usage: remove a forwarded port

Router = get_router
Router.remove_forward(1222, 1222, "192.168.0.2", true) // remove the forwarded port

In order for an attacker to change the rules, they would need to be able to launch a program on a computer with a LAN that is allowed to connect to the router via port 8080. This can be circumvented by the server owner by ensuring file permissions are restrictive and maintaining best practices. This is the current case with Browser.exe.

The end result for these changes can benefit the server owner, as well as potential attackers.

I suggest adding two methods - forward_port/forward and unforward_port/unforward instead of using switches

What is the inaccessible firewall button in settings.exe for

bump

imo router.forward(1222, 1222, "192.168.0.2", true/false) would be better

where true false is to either forward or close the port

Just why?

The game API is already horrible

How is that horrible?

I mean if you want to use if statements instead of passing it directly into the function be my guest

What if statements?

Just router.forward(80, 80, "ip")

And if you want to do a check?

Then you need an if statement which you dont need with my function

Because you can pass in the boolean directly

And we need to make the entire api more complicated because of your function?

That's rare cases and if you faced it then there are problems in your program

Complicated?

It's more clear and obvious adding two methods instead of one with switch

What?

What I said

I think that the code in which you have to make such conditions is not correct and not very good

There is a problem in my program when I want to any check before port forwarding or closing a port?

Have you ever programmed professionally?

If router.port info blah blah is opened then router.unforward blah blah

^^

Yeah

That is an if statement which would not be needed with my function

That's a bit unrelated btw

And you are still employed?

If you wanna dm me

Sure

suggestion 1/2

suggestion 2/2

Yeah tuna is already agreed with me

bump

up

bump