02-09-2013, 01:40 PM | #16 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Today's release
Today's release adds something new - a log file of any errors during the BBB filter removal.
Release at: https://www.mobileread.com/forums/sho...1&postcount=13 |
02-09-2013, 03:05 PM | #17 |
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
|
Did you update the zips?
|
02-09-2013, 03:25 PM | #18 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Yup.
Although the Amazon network document wasn't updated today. Files now have a public home: http://hg.minimodding.com/repos/sys/kBBB.hg/ Public browse, download, and 'hg clone' |
02-09-2013, 03:31 PM | #19 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Found it!
Comment at top of rule-set was not changed today. Fixed and pushed. That really is the correct file - I downloaded it from MobileRead: https://www.mobileread.com/forums/sho...1&postcount=13 to create the repo. Aren't public repos just great? Last edited by knc1; 02-09-2013 at 03:35 PM. |
02-10-2013, 01:37 AM | #20 |
A garbling groftpot
Posts: 974
Karma: 9234667
Join Date: Feb 2012
Location: France
Device: Oasis, Voyage, Kobo mini, Samsung tablet, phones, whatever.
|
Greetings kind sirs
Would this work in Europe? I'm supposing Amazon are using local servers but I have no idea which, no idea about much really, but I would love to stop my paperwhite phoning home. I need a simple package, though, being somewhat technologically challenged. Maybe you will have time at some point? |
02-10-2013, 07:38 AM | #21 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
But because of the geographic load balancing used by large networks, it is unlikely I have seen all of the EU address ranges. Still - better than nothing and that will improve once I get some EU volunteers (or ssh access to EU machines). My next step in this little project, will be to add Buttons for the KUAL launcher (Add, Remove, Report). Since everything about this BBB filter exists only in the user's USB storage mode area, next to the documents directory for books (as does everything about KUAL) - - - If you can copy a book over USB to the Kindle, you can copy this BBB stuff. Or, at least you will be able to when done. Thank you for your interest. You are the first one to comment other than my Kindle Koding partner, twobob. Last edited by knc1; 02-10-2013 at 07:42 AM. |
|
02-10-2013, 10:11 AM | #22 |
A garbling groftpot
Posts: 974
Karma: 9234667
Join Date: Feb 2012
Location: France
Device: Oasis, Voyage, Kobo mini, Samsung tablet, phones, whatever.
|
Marvellous! Thank you for the work you are doing on this. I dearly love my kindles, but I don't love the lack of privacy and the forced updates. I did manage the jailbreak and the launcher, but that stretched my electron moving skills to the limit.
|
02-11-2013, 10:11 AM | #23 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
BBB-Next
The point raised (on another thread) here that NOT making the user wait for filtered connection attempts to time out was a good one.
It was also a valid point about the firewall design, it **should** be using the proper "reset" and "reject" targets rather than "drop". Unfortunately, not even the most recent stock firmware supports the "REJECT" target ("reset" is a special case of "reject"). Since it is an objective to not introduce binary additions to the stock firmware with BBB ; The BBB project will have to continue making the user sit and wait for the "store" to time out (and everything else that is filtered). The next change will be to split up our monolithic firewall into interface specific chains in the filter table. Finally! The "Store" feature finally timed-out with: Quote:
Now, where was I in typing this post? Oh, yeah . . . . The new per-interface rule tables. Code:
Chain ppp-in (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ppp-out (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain usb-in (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain usb-out (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wlan-in (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wlan-out (0 references)
 pkts bytes target     prot opt in     out     source               destination
Control **PER INTERFACE** device. This change will actually make the firewall more efficient with less packet latency. Plus - KUAL buttons - RSN
Last edited by knc1; 02-11-2013 at 10:16 AM.
|
02-11-2013, 07:40 PM | #24 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
BBB-13042
Our usual 'manual' installation process (still):
Spoiler:
Reload the kernel's firewall rules: Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13042.txt"
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL INPUT"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   21  4059 usb-in     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  185 94842 wlan-in    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp-in     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL wlan-in"
Chain wlan-in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  233  121K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    4  1216 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    56 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
This structure allows for the easy automation of adding and removing services **PER INTERFACE**. I.e.: It is unlikely that anyone will want to run rsync on anything other than the USB cable. And other services only make sense on interfaces other than the USB cable. It also allows modification **PER INTERFACE** of the BBB filter. Exactly how that might be useful is yet to be known, but it is there to help the automation also. After today's field test (minus one counter): Spoiler:
Now delete the BBB filter from all three output interface chains: Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13042.sh" Spoiler:
Next - work on some buttons - RSN. |
02-11-2013, 08:27 PM | #25 |
Zealot
Posts: 121
Karma: 82565
Join Date: Aug 2010
Location: Maryland, USA
Device: dxg, k3w,k4nt,kpw
|
Great job! Thank you for the work you do!
Sometimes I think that it could be easier to maintain the list of _trusted_ URLs than the list of BB-related ones. I'd even agree to limit access to my local wireless network, denying all attempts to get outside. In order to try this, I arranged an extra WiFi router with its WAN side turned Off. I quickly learned that the last kindle firmware catches these situations, and doesn't even connect to such wireless networks, keeping the airplane mode always On. I suspect the kindle version of wpa_supplicant, but, unfortunately, no chance to get deeper on that.. Is this a known problem? Any workaround for that? Am I missing something? Thanks.
02-11-2013, 08:40 PM | #26 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
The first step is to block everything that can be found ; And then identify the "safe" ones (perhaps the 'sync' services, or things that are safe to access by 3G (which never downloads updates) ) ; And of course, there will be as many ideas of what is 'safe' as there are users. This is a very flexible structure now. Many of those things can now be turned into 'button presses'.
|
02-12-2013, 01:55 AM | #27 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
An untested example of putting a hole in the filter
This target address is totally untested! Allowing it may smoke your Kindle or eat your Kat!
Looking at this entry in the Amazon-Network reference:
Kpw: 54.240.0.0/12
Kpw: 54.240.128.0/18 ** If wanting to screen the sub-net **
Amazon Technologies Inc. AMAZON-2011L (NET-54-240-0-0-1) 54.240.0.0 - 54.255.255.255
Amazon Web Services, LLC AWSEMAIL-Z (NET-54-240-0-0-2) 54.240.0.0 - 54.240.63.255
Looking at the rule-set, you will find: Code:
# Packets leaving by Wifi
:wlan-out - [0:0]
-A wlan-out -d 23.0.0.0/12 -j DROP
-A wlan-out -d 23.20.0.0/14 -j DROP
-A wlan-out -d 50.16.0.0/14 -j DROP
# Count and drop the sub-net first.
-A wlan-out -d 54.240.128.0/18 -j DROP
-A wlan-out -d 54.240.0.0/12 -j DROP
Then if you (or a KUAL button) want to make an exception to the provided filter rule-set ; Insert as RULE #1 (all exceptions, all device chains, are added as RULE #1): Code:
iptables -t filter -I wlan-out -d 54.240.128.0/18 -j ACCEPT
When you're done with the 'mail-to Kindle' function, take it out again with: Code:
iptables -t filter -D wlan-out -d 54.240.128.0/18 -j ACCEPT
If wanting to enable this for 3G (also or only) - use the above rules with the substitution of ppp-out for wlan-out (Wifi). If someone wants to try this out, and report back here - would be nice to know if that is really the 'mail-to Kindle' service. WARNING: If you keep reading my posts, you will learn more than you probably ever cared to know about Linux network firewalls.
Last edited by knc1; 02-12-2013 at 02:04 AM.
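A generator for the per-interface fragment described in the BBB-Next and BBB-13042 posts, with the rule #1 exception from the post above placed ahead of the DROP rules; this is an added example, not knc1's or the BBB project's own script. It assumes the out-chains are dispatched from OUTPUT by interface name (wlan0, ppp0, usb0) and uses constructed address lists taken from the nets quoted above.

```shell
#!/bin/sh
# Added example, not the BBB project's script: build an iptables-restore
# fragment with the per-interface output chains described in the thread.
# Assumed: the out-chains hang off OUTPUT by interface name (wlan0/ppp0/usb0);
# the address lists at the bottom are constructed from nets quoted in the thread.

# Sanity-check a CIDR so a typo cannot silently open or close the wrong net.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    [ "${1#*/}" -le 32 ]
}

# bbb_chain IFACE "BLOCKED_NETS" "ALLOWED_NETS"
# Prints chain IFACE-out: exceptions first (the runtime "-I ... -j ACCEPT" rule
# #1 position), then DROPs with the most specific prefix first so the sub-net
# counter is hit before the wider /12 swallows the packet.
bbb_chain() {
    iface=$1; blocked=$2; allowed=$3
    for n in $blocked $allowed; do
        valid_cidr "$n" || { echo "bad CIDR: $n" >&2; return 1; }
    done
    echo ":${iface}-out - [0:0]"
    for n in $allowed; do
        echo "-A ${iface}-out -d $n -j ACCEPT"
    done
    for n in $(printf '%s\n' $blocked | sort -t/ -k2,2 -rn); do
        echo "-A ${iface}-out -d $n -j DROP"
    done
}

# bbb_frag "BLOCKED_NETS" "WIFI_EXCEPTIONS" "3G_EXCEPTIONS"
# Whole fragment: the filter goes into all three out-chains (the thread's
# del script removes it from all three), USB just gets no exceptions.
bbb_frag() {
    echo "*filter"
    bbb_chain wlan "$1" "$2" || return 1
    bbb_chain ppp  "$1" "$3" || return 1
    bbb_chain usb  "$1" ""   || return 1
    echo "-A OUTPUT -o wlan0 -j wlan-out"
    echo "-A OUTPUT -o ppp0 -j ppp-out"
    echo "-A OUTPUT -o usb0 -j usb-out"
    echo "COMMIT"
}

# Constructed sample: the nets quoted in the thread, with the suspected
# mail-to-Kindle sub-net opened on Wifi only; feed to "iptables-restore -n".
BLOCKED="23.0.0.0/12 23.20.0.0/14 50.16.0.0/14 54.240.0.0/12 54.240.128.0/18"
bbb_frag "$BLOCKED" "54.240.128.0/18" ""
```

Pass the output to iptables-restore with -n (--noflush) so the INPUT rules already on the Kindle survive the reload.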
02-12-2013, 03:27 AM | #28 |
A garbling groftpot
Posts: 974
Karma: 9234667
Join Date: Feb 2012
Location: France
Device: Oasis, Voyage, Kobo mini, Samsung tablet, phones, whatever.
|
Now I don't even begin to understand the "how" of this, but if it would be possible to allow access to the "email to kindle" and the store without Amazon getting a report on everything I do or "upgrading", by allowing only 3g access, that sounds interesting. Can it be done? A switch to turn wifi off and leave 3g on? Would it block big brother or just slow him down?
Please ignore me if I am being an ignorant pest...... |
02-12-2013, 07:32 AM | #29 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
That is the point of the structure I designed. It will take research to learn what Internet addresses Amazon uses for which purpose. But your/my example (If my guess based on name of registered owner is correct) - - 'e-mail to Kindle' works over either Wifi or 3G. Over 3G there is a charge, over Wifi is free (at least in the USA). So now the user can choose to block or accept either type (with the default of being blocked). Just add that 'ACCEPT' exception to the filter rule for either 3G or Wifi or both or neither (neither is the default). And to your other (implied) question, also mentioned by another poster* - - - This, at the moment, does not prevent you from using your Kindle on your OWN home Wifi - it is only blocking the public Wifi use. Even when using your OWN home Wifi, it blocks access to Amazon. It just requires more research to learn just what to 'ACCEPT' to allow the (commercial) 'Free Wifi' public services. Of course, that will have to be the end-user's decision - since Amazon will get a report of which Hot Spot you are using. So today, I have to go learn how to make 'Buttons' for it. Once that is done, the end-user will not require USBnetworking to use the 'Block Big Brother' (BBB) add-in. - - - - * TWO INTERESTED USERS - Durn but this project is getting a lot of interest now! |
|
02-12-2013, 07:33 AM | #30 |
Fanatic
Posts: 568
Karma: 2170348
Join Date: Apr 2011
Device: 2x Sony PRS-350; PRS-300 (†), Paperwhite (†), Voyage
|
HI
Is there a more or less easy way to use WIKIPEDIA without being logged into my Amazon account? Or better: Use Wikipedia without being logged into my account AND block everything else. In and out. I just want to use Wikipedia without big brother watching me and nothing else. No mail, no buying books, ... What am I able to do? I am able to copy files over SSH to the reader (finally managed that point...). What I'm not able to do? Managing this job with the help of general explanations. I'm no Linux man. For this task I've set up a virtual OpenSuse in VirtualBox. Thanks