Message ID | 1458023493-29584-5-git-send-email-tim@tn-x.org |
---|---|
State | Superseded, archived |
diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
deleted file mode 100644
index ed57672..0000000
--- a/bsp/default/root_file_system/etc/config/firewall
+++ /dev/null
@@ -1,103 +0,0 @@
-config defaults
- option syn_flood 1
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-
-config zone
- option name lan
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-
-config zone
- option name wan
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
-
-config forwarding
- option src lan
- option dest wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
-
-#Allow ping
-config rule
- option src wan
- option proto icmp
- option icmp_type echo-request
- option target ACCEPT
-
-#Allow SSH on WAN
-config rule
- option src wan
- option dest_port 22
- option target ACCEPT
- option proto tcp
-
-# include a file with users custom iptables rules
-config include
- option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option dest wan
-# option proto tcp
-# option target REJECT
-
-# block a specific mac on wan
-#config rule
-# option dest wan
-# option src_mac 00:11:22:33:44:66
-# option target REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-# option src lan
-# option proto ICMP
-# option target DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.16.235
-# option dest_port 80
-# option proto tcp
-
-
-### FULL CONFIG SECTIONS
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 80
-# option dest wan
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
-# option target REJECT
-
-#config redirect
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 1024
-# option src_dport 80
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
\ No newline at end of file
diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
deleted file mode 100755
index 8ae48dc..0000000
--- a/bsp/default/root_file_system/etc/firewall.user
+++ /dev/null
@@ -1,120 +0,0 @@
-#!/bin/sh
-
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
-# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
-# Das wirkt bei kleinen Geräten wie ein DOS
-WAN=$(uci get network.wan.ifname)
-iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $WAN -j REJECT
-
-# Limit ssh to 3 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
-
-
-# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
-
-######## CLEAN UP ############
-ebtables -F
-ebtables -X
-
-######## IN_ONLY ############
-ebtables -N IN_ONLY -P RETURN
-
-# Daten aus dem BATMAN werden erlaubt
-# Alles außer Daten von BATMAN werden DROP'ed
-ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
-
-######## OUT_ONLY ############
-ebtables -N OUT_ONLY -P RETURN
-
-# Daten ins BATMAN werden erlaubt
-# Alles außer Daten ins BATMAN werden DROP'ed
-ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
-
-######## MULTICAST_OUT ############
-ebtables -N MULTICAST_OUT -P DROP
-
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
-# Erlaube DHCP Requests
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
-# Erlaube DHCPv6 Requests
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
-
-######## INPUT ############
-ebtables -P INPUT ACCEPT
-
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
-
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Verbiete Router-Solicitation von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
-
-######## FORWARD ############
-ebtables -P FORWARD ACCEPT
-
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
-ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
-
-######## OUTPUT ############
-ebtables -P OUTPUT ACCEPT
-
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Verbiete Router-Advertisment von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
-ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
index ddf208d..d6384d8 100755
--- a/bsp/default/root_file_system/etc/rc.local.tpl
+++ b/bsp/default/root_file_system/etc/rc.local.tpl
@@ -56,8 +56,6 @@ fi
 # Starting NTP-Client Daemon after 30s to ensure that the interface is up
 ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
 
-. /etc/firewall.user
-
 /etc/init.d/qos disable
 /etc/init.d/qos stop
 
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
new file mode 100644
index 0000000..e2a3b19
--- /dev/null
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -0,0 +1,43 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-firewall
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-firewall
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken firewall
+ URL:=http://www.freifunk-franken.de
+ DEPENDS:=+arptables \
+ +ebtables +ebtables-utils \
+ +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
+ +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
+endef
+
+define Package/fff-batman-adv-legacy/description
+ This is the firewall for the Freifunk Franken Firmware
+ It is used to configure firewall.
+endef
+
+define Build/Prepare
+ echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+ # nothing
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-firewall/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-firewall))
diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
new file mode 100755
index 0000000..f681646
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
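Review bot: The description block is attached to the wrong package: the file defines `Package/fff-firewall` but the description is declared as `define Package/fff-batman-adv-legacy/description`, so fff-firewall ends up without a description and the text is bound to a package name that does not belong in this Makefile. Change it to `define Package/fff-firewall/description`. Separately, 20-filter-ssh (later in this series) calls `/usr/sbin/ip6tables`, but DEPENDS lists only iptables extension packages and the ebtables/arptables tools; unless ip6tables is guaranteed by the base image, add it to DEPENDS so the IPv6 rate-limit rules do not fail silently on an image that lacks it.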
@@ -0,0 +1,27 @@
+#!/bin/sh /etc/rc.common
+
+START=50
+
+USE_PROCD=1
+
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+
+FIREWALL_DIR=/usr/lib/firewall.d
+
+service_triggers()
+{
+ procd_add_reload_trigger "fff-firewall"
+}
+
+start_service() {
+ local file
+
+ IF_WAN=$(uci get network.wan.ifname)
+
+ for file in /usr/lib/firewall.d/*; do
+ if [ -f "$file" ]; then
+ . $file
+ fi
+ done
+}
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
new file mode 100755
index 0000000..4807e61
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
@@ -0,0 +1,6 @@
+######## CLEAN UP ############
+ebtables -F
+ebtables -X
+
+iptables -F
+iptables -X
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
new file mode 100755
index 0000000..94d8d61
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
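Review bot: start_service never checks the result of `uci get network.wan.ifname`; when that option is missing `IF_WAN` is empty, the unquoted expansion in 20-filter-ssh turns `iptables -A INPUT -i $IF_WAN -j REJECT` into a command with no interface argument, iptables rejects it, and the node comes up without its WAN input filter while nothing is logged or aborted. Read it with `IF_WAN=$(uci -q get network.wan.ifname)` and stop before sourcing any fragment when it is empty, e.g. `[ -n "$IF_WAN" ] || { logger -t fff-firewall "network.wan.ifname not set, firewall not applied"; return 1; }`. The exit status of every ebtables/iptables call in the sourced fragments is likewise discarded, so a half-applied ruleset is invisible; at minimum log a failing fragment by name. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` appear to be leftovers from the pre-procd service helpers and have no effect with `USE_PROCD=1`, so they can go.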
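Review bot: The clean-up flushes ebtables and iptables but not ip6tables, yet 20-filter-ssh appends two ip6tables INPUT rules every time start_service runs; because the procd reload trigger re-runs start_service, those two rules are duplicated on each reload while the ebtables and iptables rules are rebuilt from scratch. Add `ip6tables -F` and `ip6tables -X` next to the iptables lines. Note also that `iptables -F` / `iptables -X` without `-t` only touch the filter table; that covers every rule in this series, but it is worth a comment such as `# only the filter table is reset here; mangle/nat rules from other packages are left alone` so the next fragment author does not assume a clean slate elsewhere.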
@@ -0,0 +1,34 @@
+######## IN_ONLY ############
+ebtables -N IN_ONLY -P RETURN
+
+# Daten aus dem BATMAN werden erlaubt
+# Alles außer Daten von BATMAN werden DROP'ed
+ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
+
+######## OUT_ONLY ############
+ebtables -N OUT_ONLY -P RETURN
+
+# Daten ins BATMAN werden erlaubt
+# Alles außer Daten ins BATMAN werden DROP'ed
+ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
+
+######## MULTICAST_OUT ############
+ebtables -N MULTICAST_OUT -P DROP
+
+######## INPUT ############
+ebtables -P INPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+######## FORWARD ############
+ebtables -P FORWARD ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
+ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
+
+######## OUTPUT ############
+ebtables -P OUTPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
+ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
new file mode 100755
index 0000000..f2ee439
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
@@ -0,0 +1,2 @@
+#solves MTU problem with bad ISPs
+iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
new file mode 100755
index 0000000..b8bf541
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
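Review bot: The comment above the INPUT rule says multicast/broadcast from CLIENT -> KNOTEN is handled by MULTICAST_OUT, but the rule itself is `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT` — it accepts unconditionally and never enters MULTICAST_OUT; the old firewall.user carried this rule without a comment, so the mismatch is introduced here. Either the target or the comment is wrong; if ACCEPT is what is meant, replace the comment with something like `# Multicast/Broadcast CLIENT -> KNOTEN is accepted as-is; MULTICAST_OUT only filters what leaves towards BATMAN`. It would also help to state at the top of this file that the IN_ONLY, OUT_ONLY and MULTICAST_OUT chains created here are appended to by the 30-/35-/40- fragments, which is why this file must sort before them.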
@@ -0,0 +1,8 @@
+# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
+# Das wirkt bei kleinen Geräten wie ein DOS
+iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i $IF_WAN -j REJECT
+
+# Limit ssh to 3 new connections per 60 seconds
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
new file mode 100755
index 0000000..a50c799
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
@@ -0,0 +1,8 @@
+# Erlaube DHCP Requests
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+
+# Erlaube nur DHCP Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+
+# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
new file mode 100755
index 0000000..068ef06
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
@@ -0,0 +1,8 @@
+# Erlaube DHCPv6 Requests
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+
+# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+
+# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
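Review bot: 20-filter-ssh depends on `IF_WAN` being set by the init script that sources it, but nothing in the file records that contract and both expansions are unquoted; write `-i "$IF_WAN"` and open the file with `# sourced by /etc/init.d/fff-firewall; expects IF_WAN (WAN interface name) to be set`. The two ip6tables lines use `-m state --state NEW` while the iptables line two lines above uses `-m conntrack --ctstate`; `state` is the legacy alias of the conntrack match, so `-m conntrack --ctstate NEW` in both keeps the file consistent and avoids depending on the alias being built. The rate limit exists only for IPv6, since over IPv4 the preceding `-j REJECT` drops every new WAN connection; if that asymmetry is intended, say so in the comment rather than leaving "Limit ssh" to imply both families.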
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
new file mode 100755
index 0000000..29562de
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
@@ -0,0 +1,5 @@
+# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
new file mode 100755
index 0000000..9280a91
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
@@ -0,0 +1,5 @@
+# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+
+# Erlaube nur DHCP Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
new file mode 100755
index 0000000..97c3df3
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
@@ -0,0 +1,5 @@
+# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+
+# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
new file mode 100755
index 0000000..e619201
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
@@ -0,0 +1,11 @@
+# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+
+# Verbiete Router-Solicitation von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+
+# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Verbiete Router-Advertisment von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
new file mode 100755
index 0000000..50cc31f
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
@@ -0,0 +1,6 @@
+# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
+
+# Erlaube Organisation der Multicast Gruppen
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
new file mode 100755
index 0000000..50e0191
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
@@ -0,0 +1,8 @@
+# Verbiete ARP Antworten an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+
+# Verbiete ARP Requests an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+
+# Erlaube alle anderen ARP's
+ebtables -A MULTICAST_OUT -p ARP -j RETURN
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
new file mode 100755
index 0000000..877b027
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
@@ -0,0 +1,6 @@
+# Erlaube PING
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
+
+# Erlaube PINGv6
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
new file mode 100755
index 0000000..cce7231
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
@@ -0,0 +1,11 @@
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
new file mode 100755
index 0000000..ae2dba2
--- /dev/null
+++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
@@ -0,0 +1,5 @@
+# Erlaube router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+
+# Erlaube router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
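Review bot: 32-local-ra is placed under src/packages/fff/fff-uradvd, but the series does not touch that package's Makefile, so it cannot be seen from the diff whether fff-uradvd's install recipe copies files/ into the image or whether fff-uradvd depends on fff-firewall, which owns both the init script that sources this fragment and the INPUT/OUTPUT rules it sits between; both should be made explicit in fff-uradvd's Makefile. The fragment's effect also depends on its 32- prefix sorting after 31-node-ra, which appends the `-i bat0` and `-o bat0` DROP rules for the same ICMPv6 types; the two sets are disjoint on interface, but that is not obvious to a reader of this file alone. A header such as `# installed by fff-uradvd; sourced by /etc/init.d/fff-firewall after 31-node-ra` would make the cross-package coupling visible.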
On Tue, 15 Mar 2016 07:31:28 +0100 Tim Niemeyer <tim@tn-x.org> wrote: Hi Tim Anmerkungen 'inline'. > - moves the node<-->client ra rules to package fff-uradvd 
> > Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> ---
>
> bsp/default/root_file_system/etc/config/firewall | 103 ------------------
> bsp/default/root_file_system/etc/firewall.user | 120 ---------------------
> bsp/default/root_file_system/etc/rc.local.tpl | 2 -
> src/packages/fff/fff-firewall/Makefile | 43 ++++++++
> .../fff/fff-firewall/files/etc/init.d/fff-firewall | 27 +++++
> .../files/usr/lib/firewall.d/00-prepare | 6 ++
> .../files/usr/lib/firewall.d/05-setup-chains | 34 ++++++
> .../files/usr/lib/firewall.d/20-clamp-mss | 2 +
> .../files/usr/lib/firewall.d/20-filter-ssh | 8 ++
> .../files/usr/lib/firewall.d/30-client-dhcp | 8 ++
> .../files/usr/lib/firewall.d/30-client-dhcpv6 | 8 ++
> .../files/usr/lib/firewall.d/30-client-ra | 5 +
> .../files/usr/lib/firewall.d/31-node-dhcp | 5 +
> .../files/usr/lib/firewall.d/31-node-dhcpv6 | 5 +
> .../files/usr/lib/firewall.d/31-node-ra | 11 ++
> .../fff-firewall/files/usr/lib/firewall.d/35-mc | 6 ++
> .../files/usr/lib/firewall.d/35-mc-arp | 8 ++
> .../files/usr/lib/firewall.d/35-mc-ping | 6 ++
> .../files/usr/lib/firewall.d/40-local-node | 11 ++
> .../files/usr/lib/firewall.d/32-local-ra | 5 +
> 20 files changed, 198 insertions(+), 225 deletions(-)
> delete mode 100644 bsp/default/root_file_system/etc/config/firewall
> delete mode 100755 bsp/default/root_file_system/etc/firewall.user
> create mode 100644 src/packages/fff/fff-firewall/Makefile
> create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
>
> diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
> deleted file mode 100644
> index ed57672..0000000
> --- a/bsp/default/root_file_system/etc/config/firewall
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -config defaults
> - option syn_flood 1
> - option input ACCEPT
> - option output ACCEPT
> - option forward REJECT
> -
> -config zone
> - option name lan
> - option input ACCEPT
> - option output ACCEPT
> - option forward REJECT
> -
> -config zone
> - option name wan
> - option input REJECT
> - option output ACCEPT
> - option forward REJECT
> - option masq 1
> - option mtu_fix 1
> -
> -config forwarding
> - option src lan
> - option dest wan
> -
> -# We need to accept udp packets on port 68,
> -# see https://dev.openwrt.org/ticket/4108
> -config rule
> - option src wan
> - option proto udp
> - option dest_port 68
> - option target ACCEPT
> -
> -#Allow ping
> -config rule
> - option src wan
> - option proto icmp
> - option icmp_type echo-request
> - option target ACCEPT
> -
> -#Allow SSH on WAN
> -config rule
> - option src wan
> - option dest_port 22
> - option target ACCEPT
> - option proto tcp
> -
> -# include a file with users custom iptables rules
> -config include
> - option path /etc/firewall.user
> -
> -
> -### EXAMPLE CONFIG SECTIONS
> -# do not allow a specific ip to access wan
> -#config rule
> -# option src lan
> -# option src_ip 192.168.45.2
> -# option dest wan
> -# option proto tcp
> -# option target REJECT
> -
> -# block a specific mac on wan
> -#config rule
> -# option dest wan
> -# option src_mac 00:11:22:33:44:66
> -# option target REJECT
> -
> -# block incoming ICMP traffic on a zone
> -#config rule
> -# option src lan
> -# option proto ICMP
> -# option target DROP
> -
> -# port redirect port coming in on wan to lan
> -#config redirect
> -# option src wan
> -# option src_dport 80
> -# option dest lan
> -# option dest_ip 192.168.16.235
> -# option dest_port 80
> -# option proto tcp
> -
> -
> -### FULL CONFIG SECTIONS
> -#config rule
> -# option src lan
> -# option src_ip 192.168.45.2
> -# option src_mac 00:11:22:33:44:55
> -# option src_port 80
> -# option dest wan
> -# option dest_ip 194.25.2.129
> -# option dest_port 120
> -# option proto tcp
> -# option target REJECT
> -
> -#config redirect
> -# option src lan
> -# option src_ip 192.168.45.2
> -# option src_mac 00:11:22:33:44:55
> -# option src_port 1024
> -# option src_dport 80
> -# option dest_ip 194.25.2.129
> -# option dest_port 120
> -# option proto tcp
> \ No newline at end of file
> diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
> deleted file mode 100755
> index 8ae48dc..0000000
> --- a/bsp/default/root_file_system/etc/firewall.user
> +++ /dev/null
> @@ -1,120 +0,0 @@
> -#!/bin/sh
> -
> -#solves MTU problem with bad ISPs
> -iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -
> -# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
> -# Das wirkt bei kleinen Geräten wie ein DOS
> -WAN=$(uci get network.wan.ifname)
> -iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -iptables -A INPUT -i $WAN -j REJECT
> -
> -# Limit ssh to 3 new connections per 60 seconds
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
> -
> -
> -# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
> -
> -######## CLEAN UP ############
> -ebtables -F
> -ebtables -X
> -
> -######## IN_ONLY ############
> -ebtables -N IN_ONLY -P RETURN
> -
> -# Daten aus dem BATMAN werden erlaubt
> -# Alles außer Daten von BATMAN werden DROP'ed
> -ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> -
> -######## OUT_ONLY ############
> -ebtables -N OUT_ONLY -P RETURN
> -
> -# Daten ins BATMAN werden erlaubt
> -# Alles außer Daten ins BATMAN werden DROP'ed
> -ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> -
> -######## MULTICAST_OUT ############
> -ebtables -N MULTICAST_OUT -P DROP
> -
> -# Verbiete ARP Antworten an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
> -# Verbiete ARP Requests an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
> -# Erlaube alle anderen ARP's
> -ebtables -A MULTICAST_OUT -p ARP -j RETURN
> -# Erlaube DHCP Requests
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> -# Erlaube DHCPv6 Requests
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> -# Erlaube PING
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> -# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> -# Erlaube PINGv6
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> -# Erlaube Organisation der Multicast Gruppen
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> -
> -######## INPUT ############
> -ebtables -P INPUT ACCEPT
> -
> -# Erlaube router solicitation von client zu knoten
> -ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
> -ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
> -
> -# No input from/to local node ip from batman
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> -# Verbiete Router-Solicitation von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
> -
> -######## FORWARD ############
> -ebtables -P FORWARD ACCEPT
> -
> -# Do not forward local node ip
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> -# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> -
> -######## OUTPUT ############
> -ebtables -P OUTPUT ACCEPT
> -
> -# Erlaube router advertisment von knoten zu client
> -ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
> -
> -# Do not output local node ip to batman
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> -# Verbiete Router-Advertisment von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
> -# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
> index ddf208d..d6384d8 100755
> --- a/bsp/default/root_file_system/etc/rc.local.tpl
> +++ b/bsp/default/root_file_system/etc/rc.local.tpl
> @@ -56,8 +56,6 @@ fi
> # Starting NTP-Client Daemon after 30s to ensure that the interface is up
> ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
>
> -. /etc/firewall.user
> -
> /etc/init.d/qos disable
> /etc/init.d/qos stop
>
> diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
> new file mode 100644
> index 0000000..e2a3b19
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -0,0 +1,43 @@
> +include $(TOPDIR)/rules.mk
> +
> +PKG_NAME:=fff-firewall
> +PKG_VERSION:=1
> +PKG_RELEASE:=1
> +
> +PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
> +
> +include $(INCLUDE_DIR)/package.mk
> +
> +define Package/fff-firewall
> + SECTION:=base
> + CATEGORY:=Freifunk
> + TITLE:=Freifunk-Franken firewall
> + URL:=http://www.freifunk-franken.de
> + DEPENDS:=+arptables \
> + +ebtables +ebtables-utils \
> + +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
> + +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
> +endef
> +
> +define Package/fff-batman-adv-legacy/description
> + This is the firewall for the Freifunk Franken Firmware
> + It is used to configure firewall.
> +endef
> +
> +define Build/Prepare
> + echo "all: " > $(PKG_BUILD_DIR)/Makefile
> +endef
> +
> +define Build/Configure
> + # nothing
> +endef
> +
> +define Build/Compile
> + # nothing
> +endef
> +
> +define Package/fff-firewall/install
> + $(CP) ./files/* $(1)/
> +endef
> +
> +$(eval $(call BuildPackage,fff-firewall))
> diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> new file mode 100755
> index 0000000..f681646
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
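Review bot: The description block is registered as `Package/fff-batman-adv-legacy/description`, a name copied from another package, so fff-firewall itself ends up without a description; it should read `define Package/fff-firewall/description`. The DEPENDS list also carries no `+ip6tables` although 20-filter-ssh further down in this patch calls `/usr/sbin/ip6tables` for the ssh rate limit, so unless the image pulls ip6tables in elsewhere those two rules are skipped silently and the IPv6 ssh limit does not exist on the node. Both points apply equally to the copy of this hunk quoted later in the thread.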
> @@ -0,0 +1,27 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=50
> +
> +USE_PROCD=1
> +
> +SERVICE_WRITE_PID=1
> +SERVICE_DAEMONIZE=1
> +
> +FIREWALL_DIR=/usr/lib/firewall.d
> +
> +service_triggers()
> +{
> + procd_add_reload_trigger "fff-firewall"
> +}
> +
Die Einrueckung sieht komisch aus. Die Coding-Style ist insgesamt auch nicht konsistent. Mal kommt die oeffnende Klammer in der naechsten Zeile und dann mal direkt dahinter.
> +start_service() {
> + local file
> +
> + IF_WAN=$(uci get network.wan.ifname)
> +
> + for file in /usr/lib/firewall.d/*; do
Wieso verwendest du nicht FIREWALL_DIR? Oder wieso braucht es FIREWALL_DIR? Entweder so oder so :)
> + if [ -f "$file" ]; then
> + . $file
$file besser "double quoten".
> + fi
> + done
> +}
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> new file mode 100755
> index 0000000..4807e61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> @@ -0,0 +1,6 @@
> +######## CLEAN UP ############
> +ebtables -F
> +ebtables -X
> +
> +iptables -F
> +iptables -X
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> new file mode 100755
> index 0000000..94d8d61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
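Review bot: start_service stores `IF_WAN=$(uci get network.wan.ifname)` without checking the result, and 20-filter-ssh in this patch expands it unquoted into `iptables -A INPUT -i $IF_WAN -j REJECT`; on a node without a `wan` section the variable is empty, iptables refuses both commands, and the WAN side comes up unfiltered while the service still reports success. A guard such as `IF_WAN=$(uci -q get network.wan.ifname) || IF_WAN=` here, with the consumer skipping its rules and logging to stderr when the value is empty, would make that failure visible instead of silent. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` belong to the pre-procd service helpers and have no effect under `USE_PROCD=1`, so they can be dropped. Since every snippet is sourced into this shell in glob order, a header comment stating that the two-digit prefix fixes rule order and that later files may only append to chains created in 05-setup-chains would keep the next contributor from breaking the ordering. The same remarks apply to the copy of this hunk in the second quote below.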
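Review bot: The clean-up flushes ebtables and the IPv4 filter table but never touches ip6tables, while 20-filter-ssh appends two ip6tables rules on every start; as far as I can tell a procd reload re-runs start_service, so each reload leaves another copy of the `-m recent` pair in the IPv6 INPUT chain and the rule set is not idempotent. Adding `ip6tables -F` and `ip6tables -X` here (guarded with `command -v ip6tables >/dev/null` if the binary is optional) fixes that. Note also that `iptables -F` / `iptables -X` only reach the filter table and remove rules other packages installed there as well, which is presumably intended but deserves a one-line comment. Same for the copy of this hunk quoted later in the thread.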
> @@ -0,0 +1,34 @@
> +######## IN_ONLY ############
> +ebtables -N IN_ONLY -P RETURN
> +
> +# Daten aus dem BATMAN werden erlaubt
> +# Alles außer Daten von BATMAN werden DROP'ed
> +ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> +
> +######## OUT_ONLY ############
> +ebtables -N OUT_ONLY -P RETURN
> +
> +# Daten ins BATMAN werden erlaubt
> +# Alles außer Daten ins BATMAN werden DROP'ed
> +ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> +
> +######## MULTICAST_OUT ############
> +ebtables -N MULTICAST_OUT -P DROP
> +
> +######## INPUT ############
> +ebtables -P INPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
> +ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
> +
> +######## FORWARD ############
> +ebtables -P FORWARD ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
> +ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> +
> +######## OUTPUT ############
> +ebtables -P OUTPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
> +ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> new file mode 100755
> index 0000000..f2ee439
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> @@ -0,0 +1,2 @@
> +#solves MTU problem with bad ISPs
> +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> new file mode 100755
> index 0000000..b8bf541
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
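Review bot: The comment above the INPUT rule says multicast/broadcast from CLIENT to KNOTEN is handled by MULTICAST_OUT, but the rule it describes is `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT`, so that traffic is accepted unfiltered and the MULTICAST_OUT rules never see it; either the comment or the target is wrong, and if the target is intended the comment should say so, e.g. `# Multicast/Broadcast from CLIENT -> NODE is accepted without passing MULTICAST_OUT`. A short header comment would also help: the 3x files depend on IN_ONLY, OUT_ONLY and MULTICAST_OUT existing, and MULTICAST_OUT has policy DROP, so every multicast type a 35-* file does not explicitly RETURN is silently discarded. The same hunk appears again in the second quote below.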
> @@ -0,0 +1,8 @@
> +# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
> +# Das wirkt bei kleinen Geräten wie ein DOS
> +iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> +iptables -A INPUT -i $IF_WAN -j REJECT
> +
> +# Limit ssh to 3 new connections per 60 seconds
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> new file mode 100755
> index 0000000..a50c799
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> @@ -0,0 +1,8 @@
> +# Erlaube DHCP Requests
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> +
> +# Erlaube nur DHCP Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> +
> +# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> new file mode 100755
> index 0000000..068ef06
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
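Review bot: The rate-limit pair runs `--set` before `--update --hitcount 3`, so the SYN being evaluated is already in the recent list when the hit count is checked; as far as I can tell that drops the third new connection within 60 s, i.e. only two get through, which does not match the "3 new connections" comment — either put the `--update ... -j DROP` rule first and `--set` second, or correct the comment. `-i $IF_WAN` should be quoted as `-i "$IF_WAN"` on both iptables lines. The ip6tables lines use the legacy `-m state --state NEW` while the iptables line above uses `-m conntrack --ctstate`; `-m conntrack --ctstate NEW` on all of them keeps the file consistent. The same hunk is quoted again later in the thread.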
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra > new file mode 100755 > index 0000000..29562de > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra > @@ -0,0 +1,5 @@ > +# Erlaube nur Router-Solicitation von CLIENT -> BATMAN > +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY > + > +# Erlaube nur Router-Advertisment von BATMAN -> CLIENT > +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp > new file mode 100755 > index 0000000..9280a91 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp > @@ -0,0 +1,5 @@ > +# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY > + > +# Erlaube nur DHCP Request von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 > new file mode 100755 > index 0000000..97c3df3 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 > @@ -0,0 +1,5 @@ > +# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY > + > +# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra > new file mode 100755 > index 0000000..e619201 > --- /dev/null 
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra > @@ -0,0 +1,11 @@ > +# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY > + > +# Verbiete Router-Solicitation von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP > + > +# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY > + > +# Verbiete Router-Advertisment von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc > new file mode 100755 > index 0000000..50cc31f > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc > @@ -0,0 +1,6 @@ > +# Erlaube alles was nicht IP ?? ist " hop-by-hop " ?? > +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN > + > +# Erlaube Organisation der Multicast Gruppen > +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN > + > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp > new file mode 100755 > index 0000000..50e0191 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp > @@ -0,0 +1,8 @@ > +# Verbiete ARP Antworten an alle > +ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP > + > +# Verbiete ARP Requests an alle > +ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP > + > +# Erlaube alle anderen ARP's > +ebtables -A MULTICAST_OUT -p ARP -j RETURN 
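Review bot: The comment on the `--ip6-proto 0` rule in 35-mc (`# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??`) records that the rule's purpose is unknown, and moving it into its own file was the moment to settle that. Next-header 0 is the IPv6 Hop-by-Hop Options header, which MLD listener reports and queries carry (Router Alert option), so the probable intent is "allow IPv6 multicast group management", the counterpart of the IGMP rule below it; whether ebtables' ip6 match compares against that header or against the upper-layer protocol after skipping extension headers should be verified on a node (`ebtables -L MULTICAST_OUT --Lc` shows which rule MLD traffic actually hits). Once confirmed, replace the comment with something like `# Hop-by-Hop (next header 0): carried by MLD, allow IPv6 multicast group management`. Same for the copy of this hunk in the second quote.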
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping > new file mode 100755 > index 0000000..877b027 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping > @@ -0,0 +1,6 @@ > +# Erlaube PING > +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN > + > +# Erlaube PINGv6 > +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN > + > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node > new file mode 100755 > index 0000000..cce7231 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node > @@ -0,0 +1,11 @@ > +# No input from/to local node ip from batman > +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP > +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP > + > +# Do not forward local node ip > +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP > +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP > + > +# Do not output local node ip to batman > +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP > +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP > diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra > new file mode 100755 > index 0000000..ae2dba2 > --- /dev/null > +++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra 
> @@ -0,0 +1,5 @@ > +# Erlaube router solicitation von client zu knoten > +ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT > + > +# Erlaube router advertisment von knoten zu client > +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT > -- > 2.1.4 Gruss -Steffen
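Review bot: This file lands in the fff-uradvd package but appends to ebtables INPUT/OUTPUT as set up by 05-setup-chains of fff-firewall, and it only runs because fff-firewall's init script sources `/usr/lib/firewall.d/*`; the fff-uradvd Makefile is not part of this patch, so I cannot see whether it gains a `+fff-firewall` dependency — without one, installing fff-uradvd alone leaves the file dormant. A header comment stating the coupling would help, e.g. `# sourced by /etc/init.d/fff-firewall after 31-node-ra; requires the chains from 05-setup-chains`. The two ACCEPT rules match `-i ! bat0` / `-o ! bat0` without the `--logical-in/--logical-out br-mesh` qualifier the other files use, so they apply to every bridged interface rather than the mesh bridge only; fine if intended, but worth saying in the comment.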
Hey Tim, sehr cool, dass du dir die Mühe gemacht hast, das so feingranular auseinander zu dividieren! Zumindest bei mir werden hier einige Dateien als ISO-8859 angelegt: file src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains: ISO-8859 text file src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh: ISO-8859 text Grüße Tobias On Dienstag, 15. März 2016 07:31:28 CET Tim Niemeyer wrote: > - moves the node<-->client ra rules to package fff-uradvd 
> > Signed-off-by: Tim Niemeyer <tim@tn-x.org> > --- > > bsp/default/root_file_system/etc/config/firewall | 103 ------------------ > bsp/default/root_file_system/etc/firewall.user | 120 > --------------------- bsp/default/root_file_system/etc/rc.local.tpl | > 2 - > src/packages/fff/fff-firewall/Makefile | 43 ++++++++ > .../fff/fff-firewall/files/etc/init.d/fff-firewall | 27 +++++ > .../files/usr/lib/firewall.d/00-prepare | 6 ++ > .../files/usr/lib/firewall.d/05-setup-chains | 34 ++++++ > .../files/usr/lib/firewall.d/20-clamp-mss | 2 + > .../files/usr/lib/firewall.d/20-filter-ssh | 8 ++ > .../files/usr/lib/firewall.d/30-client-dhcp | 8 ++ > .../files/usr/lib/firewall.d/30-client-dhcpv6 | 8 ++ > .../files/usr/lib/firewall.d/30-client-ra | 5 + > .../files/usr/lib/firewall.d/31-node-dhcp | 5 + > .../files/usr/lib/firewall.d/31-node-dhcpv6 | 5 + > .../files/usr/lib/firewall.d/31-node-ra | 11 ++ > .../fff-firewall/files/usr/lib/firewall.d/35-mc | 6 ++ > .../files/usr/lib/firewall.d/35-mc-arp | 8 ++ > .../files/usr/lib/firewall.d/35-mc-ping | 6 ++ > .../files/usr/lib/firewall.d/40-local-node | 11 ++ > .../files/usr/lib/firewall.d/32-local-ra | 5 + > 20 files changed, 198 insertions(+), 225 deletions(-) > delete mode 100644 bsp/default/root_file_system/etc/config/firewall > delete mode 100755 bsp/default/root_file_system/etc/firewall.user > create mode 100644 src/packages/fff/fff-firewall/Makefile > create mode 100755 > src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall create mode > 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare > create mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains > create mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss create > mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh create > mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp > create mode 100755 > 
src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 > create mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra create > mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp create > mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 > create mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra create > mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc > create mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp create > mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping create > mode 100755 > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node create > mode 100755 > src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra > > diff --git a/bsp/default/root_file_system/etc/config/firewall > b/bsp/default/root_file_system/etc/config/firewall deleted file mode 100644 > index ed57672..0000000 > --- a/bsp/default/root_file_system/etc/config/firewall > +++ /dev/null 
> @@ -1,103 +0,0 @@ > -config defaults > - option syn_flood 1 > - option input ACCEPT > - option output ACCEPT > - option forward REJECT > - > -config zone > - option name lan > - option input ACCEPT > - option output ACCEPT > - option forward REJECT > - > -config zone > - option name wan > - option input REJECT > - option output ACCEPT > - option forward REJECT > - option masq 1 > - option mtu_fix 1 > - > -config forwarding > - option src lan > - option dest wan > - > -# We need to accept udp packets on port 68, > -# see https://dev.openwrt.org/ticket/4108 > -config rule > - option src wan > - option proto udp > - option dest_port 68 > - option target ACCEPT > - > -#Allow ping > -config rule > - option src wan > - option proto icmp > - option icmp_type echo-request > - option target ACCEPT > - > -#Allow SSH on WAN > -config rule > - option src wan > - option dest_port 22 > - option target ACCEPT > - option proto tcp > - > -# include a file with users custom iptables rules > -config include > - option path /etc/firewall.user > - > - > -### EXAMPLE CONFIG SECTIONS > -# do not allow a specific ip to access wan > -#config rule > -# option src lan > -# option src_ip 192.168.45.2 > -# option dest wan > -# option proto tcp > -# option target REJECT > - > -# block a specific mac on wan > -#config rule > -# option dest wan > -# option src_mac 00:11:22:33:44:66 > -# option target REJECT > - > -# block incoming ICMP traffic on a zone > -#config rule > -# option src lan > -# option proto ICMP > -# option target DROP > - > -# port redirect port coming in on wan to lan > -#config redirect > -# option src wan > -# option src_dport 80 > -# option dest lan > -# option dest_ip 192.168.16.235 > -# option dest_port 80 > -# option proto tcp > - > - > -### FULL CONFIG SECTIONS > -#config rule > -# option src lan > -# option src_ip 192.168.45.2 > -# option src_mac 00:11:22:33:44:55 > -# option src_port 80 > -# option dest wan > -# option dest_ip 194.25.2.129 > -# option dest_port 120 > 
-# option proto tcp > -# option target REJECT > - > -#config redirect > -# option src lan > -# option src_ip 192.168.45.2 > -# option src_mac 00:11:22:33:44:55 > -# option src_port 1024 > -# option src_dport 80 > -# option dest_ip 194.25.2.129 > -# option dest_port 120 > -# option proto tcp > \ No newline at end of file > diff --git a/bsp/default/root_file_system/etc/firewall.user > b/bsp/default/root_file_system/etc/firewall.user deleted file mode 100755 > index 8ae48dc..0000000 > --- a/bsp/default/root_file_system/etc/firewall.user > +++ /dev/null 
> @@ -1,120 +0,0 @@ > -#!/bin/sh > - > -#solves MTU problem with bad ISPs > -iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS > --clamp-mss-to-pmtu - > -# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen > ausgesetzt. -# Das wirkt bei kleinen Geräten wie ein DOS > -WAN=$(uci get network.wan.ifname) > -iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j > ACCEPT -iptables -A INPUT -i $WAN -j REJECT > - > -# Limit ssh to 3 new connections per 60 seconds > -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m > recent --set --name dropbear -/usr/sbin/ip6tables -A INPUT -p tcp --dport > 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl > --name dropbear -j DROP - > - > -# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren > sollen: - > -######## CLEAN UP ############ > -ebtables -F > -ebtables -X > - > -######## IN_ONLY ############ > -ebtables -N IN_ONLY -P RETURN > - > -# Daten aus dem BATMAN werden erlaubt > -# Alles außer Daten von BATMAN werden DROP'ed > -ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP > - > -######## OUT_ONLY ############ > -ebtables -N OUT_ONLY -P RETURN > - > -# Daten ins BATMAN werden erlaubt > -# Alles außer Daten ins BATMAN werden DROP'ed > -ebtables -A OUT_ONLY --logical-out br-mesh -o ! 
bat0 -j DROP > - > -######## MULTICAST_OUT ############ > -ebtables -N MULTICAST_OUT -P DROP > - > -# Verbiete ARP Antworten an alle > -ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j > DROP -# Verbiete ARP Requests an alle > -ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j > DROP -# Erlaube alle anderen ARP's > -ebtables -A MULTICAST_OUT -p ARP -j RETURN > -# Erlaube DHCP Requests > -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN > -# Erlaube DHCPv6 Requests > -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN > -# Erlaube PING > -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN > -# Erlaube alles was nicht IP ?? ist " hop-by-hop " ?? > -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN > -# Erlaube PINGv6 > -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN > -# Erlaube Organisation der Multicast Gruppen > -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN > - > -######## INPUT ############ > -ebtables -P INPUT ACCEPT > - > -# Erlaube router solicitation von client zu knoten > -ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j ACCEPT -ebtables -A INPUT -d Multicast --logical-in > br-mesh -i ! 
bat0 -j ACCEPT - > -# No input from/to local node ip from batman > -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source > fdff::1/128 -j DROP -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 > --ip6-destination fdff::1/128 -j DROP - > -# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN > -ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY > -# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN > -ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY > -# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN > -ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j IN_ONLY -# Verbiete Router-Solicitation von BATMAN > -> KNOTEN > -ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j DROP - > -######## FORWARD ############ > -ebtables -P FORWARD ACCEPT > - > -# Do not forward local node ip > -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination > fdff::1/128 -j DROP -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p > IPv6 --ip6-source fdff::1/128 -j DROP - > -# Erlaube nur DHCP Request von CLIENT -> BATMAN > -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY > -# Erlaube nur DHCP Antworten von BATMAN -> CLIENT > -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY > -# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN > -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY > -# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT > -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY > -# Erlaube nur Router-Solicitation von CLIENT -> BATMAN > -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j OUT_ONLY -# Erlaube nur Router-Advertisment von > BATMAN -> CLIENT > -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j IN_ONLY -# Regelt alles was an Multicast/Broadcast > von 
CLIENT -> BATMAN geht bei MULTICAST_OUT -ebtables -A FORWARD -d > Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT - > -######## OUTPUT ############ > -ebtables -P OUTPUT ACCEPT > - > -# Erlaube router advertisment von knoten zu client > -ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j ACCEPT - > -# Do not output local node ip to batman > -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination > fdff::1/128 -j DROP -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p > IPv6 --ip6-source fdff::1/128 -j DROP - > -# Erlaube nur DHCP Request von KNOTEN -> BATMAN > -ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY > -# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN > -ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY > -# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN > -ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j OUT_ONLY -# Verbiete Router-Advertisment von KNOTEN > -> BATMAN > -ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j DROP -# Regelt alles was an Multicast/Broadcast von > KNOTEN -> BATMAN geht bei MULTICAST_OUT -ebtables -A OUTPUT -d Multicast > --logical-out br-mesh -o bat0 -j MULTICAST_OUT diff --git > a/bsp/default/root_file_system/etc/rc.local.tpl > b/bsp/default/root_file_system/etc/rc.local.tpl index ddf208d..d6384d8 > 100755 > --- a/bsp/default/root_file_system/etc/rc.local.tpl > +++ b/bsp/default/root_file_system/etc/rc.local.tpl > @@ -56,8 +56,6 @@ fi > # Starting NTP-Client Daemon after 30s to ensure that the interface is up > ( sleep 30 ; ntpd -p ${NTPD_IP} ) & > > -. /etc/firewall.user > - > /etc/init.d/qos disable > /etc/init.d/qos stop > > diff --git a/src/packages/fff/fff-firewall/Makefile > b/src/packages/fff/fff-firewall/Makefile new file mode 100644 > index 0000000..e2a3b19 > --- /dev/null 
> +++ b/src/packages/fff/fff-firewall/Makefile > @@ -0,0 +1,43 @@ > +include $(TOPDIR)/rules.mk > + > +PKG_NAME:=fff-firewall > +PKG_VERSION:=1 > +PKG_RELEASE:=1 > + > +PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall > + > +include $(INCLUDE_DIR)/package.mk > + > +define Package/fff-firewall > + SECTION:=base > + CATEGORY:=Freifunk > + TITLE:=Freifunk-Franken firewall > + URL:=http://www.freifunk-franken.de > + DEPENDS:=+arptables \ > + +ebtables +ebtables-utils \ > + +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \ > + +iptables-mod-filter +iptables-mod-ipopt > +iptables-mod-conntrack-extra +endef > + > +define Package/fff-batman-adv-legacy/description > + This is the firewall for the Freifunk Franken Firmware > + It is used to configure firewall. > +endef > + > +define Build/Prepare > + echo "all: " > $(PKG_BUILD_DIR)/Makefile > +endef > + > +define Build/Configure > + # nothing > +endef > + > +define Build/Compile > + # nothing > +endef > + > +define Package/fff-firewall/install > + $(CP) ./files/* $(1)/ > +endef > + > +$(eval $(call BuildPackage,fff-firewall)) > diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall > b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall new file mode > 100755 > index 0000000..f681646 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall > @@ -0,0 +1,27 @@ > +#!/bin/sh /etc/rc.common > + > +START=50 > + > +USE_PROCD=1 > + > +SERVICE_WRITE_PID=1 > +SERVICE_DAEMONIZE=1 > + > +FIREWALL_DIR=/usr/lib/firewall.d > + > +service_triggers() > +{ > + procd_add_reload_trigger "fff-firewall" > +} > + > +start_service() { > + local file > + > + IF_WAN=$(uci get network.wan.ifname) > + > + for file in /usr/lib/firewall.d/*; do > + if [ -f "$file" ]; then > + . $file > + fi > + done > +} > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare new > file mode 100755 > index 0000000..4807e61 > --- /dev/null 
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare > @@ -0,0 +1,6 @@ > +######## CLEAN UP ############ > +ebtables -F > +ebtables -X > + > +iptables -F > +iptables -X > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains > new file mode 100755 > index 0000000..94d8d61 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains > @@ -0,0 +1,34 @@ > +######## IN_ONLY ############ > +ebtables -N IN_ONLY -P RETURN > + > +# Daten aus dem BATMAN werden erlaubt > +# Alles außer Daten von BATMAN werden DROP'ed > +ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP > + > +######## OUT_ONLY ############ > +ebtables -N OUT_ONLY -P RETURN > + > +# Daten ins BATMAN werden erlaubt > +# Alles außer Daten ins BATMAN werden DROP'ed > +ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP > + > +######## MULTICAST_OUT ############ > +ebtables -N MULTICAST_OUT -P DROP > + > +######## INPUT ############ > +ebtables -P INPUT ACCEPT > + > +# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei > MULTICAST_OUT +ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! > bat0 -j ACCEPT + > +######## FORWARD ############ > +ebtables -P FORWARD ACCEPT > + > +# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei > MULTICAST_OUT +ebtables -A FORWARD -d Multicast --logical-out br-mesh -o > bat0 -j MULTICAST_OUT + > +######## OUTPUT ############ > +ebtables -P OUTPUT ACCEPT > + > +# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei > MULTICAST_OUT +ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o > bat0 -j MULTICAST_OUT diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss new > file mode 100755 > index 0000000..f2ee439 > --- /dev/null 
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss > @@ -0,0 +1,2 @@ > +#solves MTU problem with bad ISPs > +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS > --clamp-mss-to-pmtu diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh new > file mode 100755 > index 0000000..b8bf541 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > @@ -0,0 +1,8 @@ > +# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen > ausgesetzt. +# Das wirkt bei kleinen Geräten wie ein DOS > +iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j > ACCEPT +iptables -A INPUT -i $IF_WAN -j REJECT > + > +# Limit ssh to 3 new connections per 60 seconds > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m > recent --set --name dropbear +/usr/sbin/ip6tables -A INPUT -p tcp --dport > 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl > --name dropbear -j DROP diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp new > file mode 100755 > index 0000000..a50c799 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp > @@ -0,0 +1,8 @@ > +# Erlaube DHCP Requests > +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN > + > +# Erlaube nur DHCP Request von CLIENT -> BATMAN > +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY > + > +# Erlaube nur DHCP Antworten von BATMAN -> CLIENT > +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 > new file mode 100755 > index 0000000..068ef06 
> --- /dev/null > +++ > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 > @@ -0,0 +1,8 @@ > +# Erlaube DHCPv6 Requests > +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN > + > +# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN > +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY > + > +# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT > +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra new > file mode 100755 > index 0000000..29562de > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra > @@ -0,0 +1,5 @@ > +# Erlaube nur Router-Solicitation von CLIENT -> BATMAN > +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j OUT_ONLY + > +# Erlaube nur Router-Advertisment von BATMAN -> CLIENT > +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j IN_ONLY diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp new > file mode 100755 > index 0000000..9280a91 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp > @@ -0,0 +1,5 @@ > +# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY > + > +# Erlaube nur DHCP Request von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 new > file mode 100755 > index 0000000..97c3df3 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 
> @@ -0,0 +1,5 @@ > +# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY > + > +# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra new > file mode 100755 > index 0000000..e619201 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra > @@ -0,0 +1,11 @@ > +# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j IN_ONLY + > +# Verbiete Router-Solicitation von BATMAN -> KNOTEN > +ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j DROP + > +# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j OUT_ONLY + > +# Verbiete Router-Advertisment von KNOTEN -> BATMAN > +ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j DROP diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc new file > mode 100755 > index 0000000..50cc31f > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc > @@ -0,0 +1,6 @@ > +# Erlaube alles was nicht IP ?? ist " hop-by-hop " ?? > +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN > + > +# Erlaube Organisation der Multicast Gruppen > +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN > + > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp new file > mode 100755 > index 0000000..50e0191 > --- /dev/null 
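Review bot: The comment on the `--ip6-proto 0` rule in 35-mc ends in question marks, and the rule itself probably does not do what the author hopes: ebtables' ip6 match compares the upper-layer protocol after skipping IPv6 extension headers, so a packet carrying a Hop-by-Hop Options header (next header 0), as MLD reports do, is seen as ICMPv6 (58), not 0, and this rule would not match it. If that is the case on the target kernel the rule is dead and the ICMPv6 RETURN in 35-mc-ping is what actually lets MLD out; if the kernel instead matched the raw next-header field the two would overlap — either way, checking counters with `ebtables -L MULTICAST_OUT --Lc` on a device that emits MLD would settle it. Whichever holds, the comment should become definite, e.g. `# Allow IPv6 multicast group management: MLD is ICMPv6 carried behind a Hop-by-Hop Options header (proto 0)`, and the IGMP rule's comment would read better as `# Allow IPv4 multicast group management (IGMP)`. Relatedly, 35-mc-ping's `--ip6-proto ipv6-icmp` rule has no `--ip6-icmp-type`, so it matches every ICMPv6 type (Neighbor Discovery and MLD included), not just echo, and its `# Erlaube PINGv6` comment understates what it permits.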
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp > @@ -0,0 +1,8 @@ > +# Verbiete ARP Antworten an alle > +ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j > DROP + > +# Verbiete ARP Requests an alle > +ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j > DROP + > +# Erlaube alle anderen ARP's > +ebtables -A MULTICAST_OUT -p ARP -j RETURN > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping new > file mode 100755 > index 0000000..877b027 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping > @@ -0,0 +1,6 @@ > +# Erlaube PING > +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN > + > +# Erlaube PINGv6 > +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN > + > diff --git > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node new > file mode 100755 > index 0000000..cce7231 > --- /dev/null > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node > @@ -0,0 +1,11 @@ > +# No input from/to local node ip from batman > +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source > fdff::1/128 -j DROP +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 > --ip6-destination fdff::1/128 -j DROP + > +# Do not forward local node ip > +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination > fdff::1/128 -j DROP +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p > IPv6 --ip6-source fdff::1/128 -j DROP + > +# Do not output local node ip to batman > +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination > fdff::1/128 -j DROP +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p > IPv6 --ip6-source fdff::1/128 -j DROP 
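Review bot: The comments in 35-mc-arp ("Antworten an alle", "Requests an alle") describe broadcast, but the rules actually match the unspecified address 0.0.0.0 in specific ARP fields — the sender IP of a Reply and the target IP of a Request — so they drop malformed ARP, not broadcast ARP as such. If the intent was to suppress ARP probes (RFC 5227), those are Requests carrying 0.0.0.0 as the sender address, which neither rule matches; please record the intent in the comments, e.g. `# Drop ARP replies claiming the unspecified source 0.0.0.0` and `# Drop ARP requests for the unspecified target 0.0.0.0`, so a later reader can tell whether the field choice is deliberate.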
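Review bot: 40-local-node repeats the literal `fdff::1/128` in all six ebtables rules; a single `local_node_ip6=fdff::1/128` at the top of the fragment, referenced as `"$local_node_ip6"`, would keep the address in one place and make it obvious that every rule protects the same prefix. The fragment covers IPv6 only; if the local node also carries an IPv4 address, the equivalent `--ip-source`/`--ip-destination` rules are missing here, and if it does not, a one-line comment saying so would stop the next reader from wondering.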
diff --git > a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra > b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra new file > mode 100755 > index 0000000..ae2dba2 > --- /dev/null > +++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra > @@ -0,0 +1,5 @@ > +# Erlaube router solicitation von client zu knoten > +ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-solicitation -j ACCEPT + > +# Erlaube router advertisment von knoten zu client > +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type > router-advertisement -j ACCEPT
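Review bot: 32-local-ra only works in combination with the DROP rules in 31-node-ra — it ACCEPTs router solicitations arriving on any interface other than bat0 and router advertisements leaving on any interface other than bat0, while 31-node-ra, in a different package (fff-firewall), is what drops the bat0 directions — and nothing in the file says so. Since all rules are appended with `-A`, the numeric prefix is the only thing that guarantees the order; a header comment such as `# Runs after 31-node-ra (fff-firewall), which drops RS from bat0 and RA to bat0; this accepts the client-facing directions needed by uradvd` would record the dependency for whoever next renumbers or splits these fragments.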
- moves the node<-->client ra rules to package fff-uradvd Signed-off-by: Tim Niemeyer <tim@tn-x.org> --- bsp/default/root_file_system/etc/config/firewall | 103 ------------------ bsp/default/root_file_system/etc/firewall.user | 120 --------------------- bsp/default/root_file_system/etc/rc.local.tpl | 2 - src/packages/fff/fff-firewall/Makefile | 43 ++++++++ .../fff/fff-firewall/files/etc/init.d/fff-firewall | 27 +++++ .../files/usr/lib/firewall.d/00-prepare | 6 ++ .../files/usr/lib/firewall.d/05-setup-chains | 34 ++++++ .../files/usr/lib/firewall.d/20-clamp-mss | 2 + .../files/usr/lib/firewall.d/20-filter-ssh | 8 ++ .../files/usr/lib/firewall.d/30-client-dhcp | 8 ++ .../files/usr/lib/firewall.d/30-client-dhcpv6 | 8 ++ .../files/usr/lib/firewall.d/30-client-ra | 5 + .../files/usr/lib/firewall.d/31-node-dhcp | 5 + .../files/usr/lib/firewall.d/31-node-dhcpv6 | 5 + .../files/usr/lib/firewall.d/31-node-ra | 11 ++ .../fff-firewall/files/usr/lib/firewall.d/35-mc | 6 ++ .../files/usr/lib/firewall.d/35-mc-arp | 8 ++ .../files/usr/lib/firewall.d/35-mc-ping | 6 ++ .../files/usr/lib/firewall.d/40-local-node | 11 ++ .../files/usr/lib/firewall.d/32-local-ra | 5 + 20 files changed, 198 insertions(+), 225 deletions(-) delete mode 100644 bsp/default/root_file_system/etc/config/firewall delete mode 100755 bsp/default/root_file_system/etc/firewall.user create mode 100644 src/packages/fff/fff-firewall/Makefile create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp create mode 100755 
src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra