[4/9] fff-firewall: new package

Submitted by Tim Niemeyer on March 15, 2016, 6:31 a.m.


Message ID 1458023493-29584-5-git-send-email-tim@tn-x.org
State Superseded, archived

Commit Message

Tim Niemeyer March 15, 2016, 6:31 a.m.
- moves the node<-->client RA rules to the fff-uradvd package

Signed-off-by: Tim Niemeyer <tim@tn-x.org>
---

 bsp/default/root_file_system/etc/config/firewall   | 103 ------------------
 bsp/default/root_file_system/etc/firewall.user     | 120 ---------------------
 bsp/default/root_file_system/etc/rc.local.tpl      |   2 -
 src/packages/fff/fff-firewall/Makefile             |  43 ++++++++
 .../fff/fff-firewall/files/etc/init.d/fff-firewall |  27 +++++
 .../files/usr/lib/firewall.d/00-prepare            |   6 ++
 .../files/usr/lib/firewall.d/05-setup-chains       |  34 ++++++
 .../files/usr/lib/firewall.d/20-clamp-mss          |   2 +
 .../files/usr/lib/firewall.d/20-filter-ssh         |   8 ++
 .../files/usr/lib/firewall.d/30-client-dhcp        |   8 ++
 .../files/usr/lib/firewall.d/30-client-dhcpv6      |   8 ++
 .../files/usr/lib/firewall.d/30-client-ra          |   5 +
 .../files/usr/lib/firewall.d/31-node-dhcp          |   5 +
 .../files/usr/lib/firewall.d/31-node-dhcpv6        |   5 +
 .../files/usr/lib/firewall.d/31-node-ra            |  11 ++
 .../fff-firewall/files/usr/lib/firewall.d/35-mc    |   6 ++
 .../files/usr/lib/firewall.d/35-mc-arp             |   8 ++
 .../files/usr/lib/firewall.d/35-mc-ping            |   6 ++
 .../files/usr/lib/firewall.d/40-local-node         |  11 ++
 .../files/usr/lib/firewall.d/32-local-ra           |   5 +
 20 files changed, 198 insertions(+), 225 deletions(-)
 delete mode 100644 bsp/default/root_file_system/etc/config/firewall
 delete mode 100755 bsp/default/root_file_system/etc/firewall.user
 create mode 100644 src/packages/fff/fff-firewall/Makefile
 create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
 create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra


diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
deleted file mode 100644
index ed57672..0000000
--- a/bsp/default/root_file_system/etc/config/firewall
+++ /dev/null
@@ -1,103 +0,0 @@ 
-config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT 
-	option forward		REJECT
-
-config zone
-	option name		lan
-	option input	ACCEPT 
-	option output	ACCEPT 
-	option forward	REJECT
-
-config zone
-	option name		wan
-	option input	REJECT
-	option output	ACCEPT 
-	option forward	REJECT
-	option masq		1 
-	option mtu_fix	1
-
-config forwarding 
-	option src      lan
-	option dest     wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-
-#Allow ping
-config rule
-	option src wan
-	option proto icmp
-	option icmp_type echo-request
-	option target ACCEPT
-
-#Allow SSH on WAN
-config rule               
-        option src              wan
-        option dest_port        22
-        option target           ACCEPT    
-        option proto            tcp  
-
-# include a file with users custom iptables rules
-config include
-	option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option dest		wan
-#	option proto	tcp
-#	option target	REJECT 
-
-# block a specific mac on wan
-#config rule
-#	option dest		wan
-#	option src_mac	00:11:22:33:44:66
-#	option target	REJECT 
-
-# block incoming ICMP traffic on a zone
-#config rule
-#	option src		lan
-#	option proto	ICMP
-#	option target	DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#	option src			wan
-#	option src_dport	80
-#	option dest			lan
-#	option dest_ip		192.168.16.235
-#	option dest_port	80 
-#	option proto		tcp
-
-
-### FULL CONFIG SECTIONS
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port	80
-#	option dest		wan
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
-#	option target	REJECT 
-
-#config redirect
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port		1024
-#	option src_dport	80
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
\ No newline at end of file
diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
deleted file mode 100755
index 8ae48dc..0000000
--- a/bsp/default/root_file_system/etc/firewall.user
+++ /dev/null
@@ -1,120 +0,0 @@ 
-#!/bin/sh
-
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
-# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
-# Das wirkt bei kleinen Geräten wie ein DOS
-WAN=$(uci get network.wan.ifname)
-iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $WAN -j REJECT
-
-# Limit ssh to 3 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
-
-
-# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
-
-######## CLEAN UP ############
-ebtables -F
-ebtables -X
-
-######## IN_ONLY ############
-ebtables -N IN_ONLY -P RETURN
-
-# Daten aus dem BATMAN werden erlaubt
-# Alles außer Daten von BATMAN werden DROP'ed
-ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
-
-######## OUT_ONLY ############
-ebtables -N OUT_ONLY -P RETURN
-
-# Daten ins BATMAN werden erlaubt
-# Alles außer Daten ins BATMAN werden DROP'ed
-ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
-
-######## MULTICAST_OUT ############
-ebtables -N MULTICAST_OUT -P DROP
-
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
-# Erlaube DHCP Requests
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
-# Erlaube DHCPv6 Requests
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
-
-######## INPUT ############
-ebtables -P INPUT ACCEPT
-
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
-
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Verbiete Router-Solicitation von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
-
-######## FORWARD ############
-ebtables -P FORWARD ACCEPT
-
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
-ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
-
-######## OUTPUT ############
-ebtables -P OUTPUT ACCEPT
-
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Verbiete Router-Advertisment von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
-ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
index ddf208d..d6384d8 100755
--- a/bsp/default/root_file_system/etc/rc.local.tpl
+++ b/bsp/default/root_file_system/etc/rc.local.tpl
@@ -56,8 +56,6 @@  fi
 # Starting NTP-Client Daemon after 30s to ensure that the interface is up
 ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
 
-. /etc/firewall.user
-
 /etc/init.d/qos disable
 /etc/init.d/qos stop
 
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
new file mode 100644
index 0000000..e2a3b19
--- /dev/null
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -0,0 +1,43 @@ 
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-firewall
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-firewall
+    SECTION:=base
+    CATEGORY:=Freifunk
+    TITLE:=Freifunk-Franken firewall
+    URL:=http://www.freifunk-franken.de
+    DEPENDS:=+arptables \
+             +ebtables +ebtables-utils \
+             +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
+             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
+endef
+
+define Package/fff-batman-adv-legacy/description
+    This is the firewall for the Freifunk Franken Firmware
+    It is used to configure firewall.
+endef
+
+define Build/Prepare
+	echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+	# nothing
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-firewall/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-firewall))
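Review bot: The description block is defined under the wrong name, `define Package/fff-batman-adv-legacy/description`, so fff-firewall ends up without a description and the stray definition may shadow the real one of that other package; it should be `define Package/fff-firewall/description`. The text itself reads awkwardly ("It is used to configure firewall.") and could say `It installs the ebtables/iptables rule fragments from /usr/lib/firewall.d.`. The DEPENDS list does not appear to name ip6tables, although 20-filter-ssh invokes /usr/sbin/ip6tables; confirm it is pulled in elsewhere or add `+ip6tables` to the list.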
diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
new file mode 100755
index 0000000..f681646
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
@@ -0,0 +1,27 @@ 
+#!/bin/sh /etc/rc.common
+
+START=50
+
+USE_PROCD=1
+
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+
+FIREWALL_DIR=/usr/lib/firewall.d
+
+service_triggers()
+{
+        procd_add_reload_trigger "fff-firewall"
+}
+
+start_service() {
+    local file
+
+    IF_WAN=$(uci get network.wan.ifname)
+
+    for file in /usr/lib/firewall.d/*; do
+        if [ -f "$file" ]; then
+            . $file
+        fi
+    done
+}
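Review bot: `IF_WAN=$(uci get network.wan.ifname)` is never checked, so on a node without a WAN ifname the variable is empty, the `iptables -A INPUT -i $IF_WAN ...` rules in 20-filter-ssh fail to parse and are simply not installed, and the service still starts successfully — the WAN reject fails open. Resolve it once here, e.g. `IF_WAN=$(uci -q get network.wan.ifname)` followed by `[ -n "$IF_WAN" ] || logger -t fff-firewall "network.wan.ifname unset; WAN rules skipped"`, and have the fragment test `[ -n "$IF_WAN" ]` before using it. `FIREWALL_DIR` is declared but the loop globs the literal path; use `for file in "$FIREWALL_DIR"/*; do` and quote the source as `. "$file"`. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` look like pre-procd rc.common settings that have no effect once `USE_PROCD=1` is set and no instance is started, so they can presumably be dropped.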
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
new file mode 100755
index 0000000..4807e61
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
@@ -0,0 +1,6 @@ 
+######## CLEAN UP ############
+ebtables -F
+ebtables -X
+
+iptables -F
+iptables -X
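Review bot: Only ebtables and the IPv4 filter table are flushed, yet 20-filter-ssh appends ip6tables rules, so every restart or procd reload trigger stacks another copy of the `recent` rate-limit rules instead of replacing them; add `ip6tables -F` and `ip6tables -X` beside the iptables lines. `iptables -F` without `-t` touches only the filter table and no `-P` is issued here, so chain policies and any nat/mangle entries from earlier runs persist; if that is intended, state it with a comment such as `# Only the filter table and ebtables are owned by this package; policies are not reset here`.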
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
new file mode 100755
index 0000000..94d8d61
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
@@ -0,0 +1,34 @@ 
+######## IN_ONLY ############
+ebtables -N IN_ONLY -P RETURN
+
+# Daten aus dem BATMAN werden erlaubt
+# Alles außer Daten von BATMAN werden DROP'ed
+ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
+
+######## OUT_ONLY ############
+ebtables -N OUT_ONLY -P RETURN
+
+# Daten ins BATMAN werden erlaubt
+# Alles außer Daten ins BATMAN werden DROP'ed
+ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
+
+######## MULTICAST_OUT ############
+ebtables -N MULTICAST_OUT -P DROP
+
+######## INPUT ############
+ebtables -P INPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+######## FORWARD ############
+ebtables -P FORWARD ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
+ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
+
+######## OUTPUT ############
+ebtables -P OUTPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
+ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
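Review bot: The comment above `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT` claims the traffic is handled by MULTICAST_OUT, but the rule accepts it outright; it was evidently copied from the FORWARD/OUTPUT rules and should read `# Accept all multicast/broadcast from CLIENT -> KNOTEN; only traffic towards batman goes through MULTICAST_OUT`. Because that ACCEPT is terminal and is appended before the 31-node-* fragments run, client-side broadcast never reaches the later IN_ONLY checks in INPUT (that was also the case in the old firewall.user, but worth confirming it is intended). A header comment listing the chains this fragment creates (IN_ONLY, OUT_ONLY, MULTICAST_OUT) and noting that later fragments only append to them would make the filename sort-order dependency explicit.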
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
new file mode 100755
index 0000000..f2ee439
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
@@ -0,0 +1,2 @@ 
+#solves MTU problem with bad ISPs
+iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
new file mode 100755
index 0000000..b8bf541
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -0,0 +1,8 @@ 
+# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
+# Das wirkt bei kleinen Geräten wie ein DOS
+iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i $IF_WAN -j REJECT
+
+# Limit ssh to 3 new connections per 60 seconds
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
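Review bot: The two ip6tables lines use the deprecated `-m state --state NEW` while the iptables line above uses `-m conntrack --ctstate`; the rules behave the same, but the file should settle on `-m conntrack --ctstate NEW` so a single match module and spelling are needed. Likewise `/usr/sbin/ip6tables` is called by absolute path while `iptables` relies on PATH; pick one. The rate limit applies to IPv6 only — IPv4 from the WAN side is rejected wholesale by the rule above, and IPv4 SSH on other interfaces is not limited at all — which the comment should state, e.g. `# IPv4 WAN input is rejected above; rate-limit SSH over IPv6 to 3 new connections per 60 s`, and confirm the IPv4 gap is intended.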
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
new file mode 100755
index 0000000..a50c799
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
@@ -0,0 +1,8 @@ 
+# Erlaube DHCP Requests
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+
+# Erlaube nur DHCP Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+
+# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
new file mode 100755
index 0000000..068ef06
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
@@ -0,0 +1,8 @@ 
+# Erlaube DHCPv6 Requests
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+
+# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+
+# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
new file mode 100755
index 0000000..29562de
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
@@ -0,0 +1,5 @@ 
+# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
new file mode 100755
index 0000000..9280a91
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
@@ -0,0 +1,5 @@ 
+# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+
+# Erlaube nur DHCP Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
new file mode 100755
index 0000000..97c3df3
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
@@ -0,0 +1,5 @@ 
+# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+
+# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
new file mode 100755
index 0000000..e619201
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
@@ -0,0 +1,11 @@ 
+# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+
+# Verbiete Router-Solicitation von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+
+# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Verbiete Router-Advertisment von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
new file mode 100755
index 0000000..50cc31f
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
@@ -0,0 +1,6 @@ 
+# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
+
+# Erlaube Organisation der Multicast Gruppen
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+
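Review bot: The comment `# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??` carries over the original author's uncertainty rather than saying what the rule matches: `--ip6-proto 0` matches IPv6 packets whose next header is the Hop-by-Hop Options header (protocol 0), which MLD queries and listener reports carry (Router Alert option), so it is presumably what keeps IPv6 multicast group management working across the bridge. Replace it with `# Allow IPv6 packets carrying a Hop-by-Hop Options header (next header 0); MLD queries/reports use it for Router Alert`. Matching on the extension header alone is broader than MLD, which the comment should admit. The file also ends with a stray blank line.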
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
new file mode 100755
index 0000000..50e0191
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
@@ -0,0 +1,8 @@ 
+# Verbiete ARP Antworten an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+
+# Verbiete ARP Requests an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+
+# Erlaube alle anderen ARP's
+ebtables -A MULTICAST_OUT -p ARP -j RETURN
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
new file mode 100755
index 0000000..877b027
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
@@ -0,0 +1,6 @@ 
+# Erlaube PING
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
+
+# Erlaube PINGv6
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
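Review bot: `# Erlaube PINGv6` undersells the second rule: `--ip6-proto ipv6-icmp` without `--ip6-icmp-type` returns every ICMPv6 packet to multicast — neighbour and router solicitations, MLD, not just echo — and since MULTICAST_OUT has policy DROP, that breadth is what lets neighbour discovery work. Say so: `# Allow all ICMPv6 to multicast (echo, NDP, MLD); narrowing this to echo-request would break neighbour discovery`. The IPv4 rule has the same shape (all ICMP, not only echo), so `# Erlaube PING` should likewise read `# Allow all ICMPv4 to multicast/broadcast`. The trailing blank line at the end of the file can go.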
+
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
new file mode 100755
index 0000000..cce7231
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
@@ -0,0 +1,11 @@ 
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
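Review bot: `fdff::1/128` is repeated six times; if the local node address ever changes, all six lines must be edited in step, and missing one would silently leave that direction open. Hoist it to a variable at the top of the fragment, `LOCAL_NODE_IP6=fdff::1/128`, and use `--ip6-source "$LOCAL_NODE_IP6"` / `--ip6-destination "$LOCAL_NODE_IP6"` in each rule. A header comment should also give the reason these exist — presumably that the node-local address is shared by every node and must neither leak into nor be spoofed from the batman mesh — confirm and word accordingly.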
diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
new file mode 100755
index 0000000..ae2dba2
--- /dev/null
+++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
@@ -0,0 +1,5 @@ 
+# Erlaube router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+
+# Erlaube router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
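Review bot: This fragment is shipped by fff-uradvd but is dropped into fff-firewall's /usr/lib/firewall.d and relies on its `32-` prefix sorting after `31-node-ra`; today the two are independent because these ACCEPTs are restricted to `! bat0` while 31-node-ra only drops `-i bat0` solicitations and `-o bat0` advertisements, but a future fragment matching RS/RA more broadly before 32 would change what uradvd sees. Add a header comment `# Installed by fff-uradvd; accepts RS from and RA to client ports (! bat0) only. Sorts after fff-firewall's 31-node-ra on purpose.` so the cross-package ordering is visible. Whether fff-uradvd's Makefile installs files/* is not part of this patch; confirm it does, otherwise the fragment is never deployed.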

Comments

Steffen Pankratz March 16, 2016, 9:02 p.m.
On Tue, 15 Mar 2016 07:31:28 +0100
Tim Niemeyer <tim@tn-x.org> wrote:

Hi Tim

Anmerkungen 'inline'.


> - moves the node<-->client ra rules to package fff-uradvd
> 
> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> ---
> 
>  bsp/default/root_file_system/etc/config/firewall   | 103 ------------------
>  bsp/default/root_file_system/etc/firewall.user     | 120 ---------------------
>  bsp/default/root_file_system/etc/rc.local.tpl      |   2 -
>  src/packages/fff/fff-firewall/Makefile             |  43 ++++++++
>  .../fff/fff-firewall/files/etc/init.d/fff-firewall |  27 +++++
>  .../files/usr/lib/firewall.d/00-prepare            |   6 ++
>  .../files/usr/lib/firewall.d/05-setup-chains       |  34 ++++++
>  .../files/usr/lib/firewall.d/20-clamp-mss          |   2 +
>  .../files/usr/lib/firewall.d/20-filter-ssh         |   8 ++
>  .../files/usr/lib/firewall.d/30-client-dhcp        |   8 ++
>  .../files/usr/lib/firewall.d/30-client-dhcpv6      |   8 ++
>  .../files/usr/lib/firewall.d/30-client-ra          |   5 +
>  .../files/usr/lib/firewall.d/31-node-dhcp          |   5 +
>  .../files/usr/lib/firewall.d/31-node-dhcpv6        |   5 +
>  .../files/usr/lib/firewall.d/31-node-ra            |  11 ++
>  .../fff-firewall/files/usr/lib/firewall.d/35-mc    |   6 ++
>  .../files/usr/lib/firewall.d/35-mc-arp             |   8 ++
>  .../files/usr/lib/firewall.d/35-mc-ping            |   6 ++
>  .../files/usr/lib/firewall.d/40-local-node         |  11 ++
>  .../files/usr/lib/firewall.d/32-local-ra           |   5 +
>  20 files changed, 198 insertions(+), 225 deletions(-)
>  delete mode 100644 bsp/default/root_file_system/etc/config/firewall
>  delete mode 100755 bsp/default/root_file_system/etc/firewall.user
>  create mode 100644 src/packages/fff/fff-firewall/Makefile
>  create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
>  create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
>  create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> 
> diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
> deleted file mode 100644
> index ed57672..0000000
> --- a/bsp/default/root_file_system/etc/config/firewall
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -config defaults
> -	option syn_flood	1
> -	option input		ACCEPT
> -	option output		ACCEPT 
> -	option forward		REJECT
> -
> -config zone
> -	option name		lan
> -	option input	ACCEPT 
> -	option output	ACCEPT 
> -	option forward	REJECT
> -
> -config zone
> -	option name		wan
> -	option input	REJECT
> -	option output	ACCEPT 
> -	option forward	REJECT
> -	option masq		1 
> -	option mtu_fix	1
> -
> -config forwarding 
> -	option src      lan
> -	option dest     wan
> -
> -# We need to accept udp packets on port 68,
> -# see https://dev.openwrt.org/ticket/4108
> -config rule
> -	option src		wan
> -	option proto		udp
> -	option dest_port	68
> -	option target		ACCEPT
> -
> -#Allow ping
> -config rule
> -	option src wan
> -	option proto icmp
> -	option icmp_type echo-request
> -	option target ACCEPT
> -
> -#Allow SSH on WAN
> -config rule               
> -        option src              wan
> -        option dest_port        22
> -        option target           ACCEPT    
> -        option proto            tcp  
> -
> -# include a file with users custom iptables rules
> -config include
> -	option path /etc/firewall.user
> -
> -
> -### EXAMPLE CONFIG SECTIONS
> -# do not allow a specific ip to access wan
> -#config rule
> -#	option src		lan
> -#	option src_ip	192.168.45.2
> -#	option dest		wan
> -#	option proto	tcp
> -#	option target	REJECT 
> -
> -# block a specific mac on wan
> -#config rule
> -#	option dest		wan
> -#	option src_mac	00:11:22:33:44:66
> -#	option target	REJECT 
> -
> -# block incoming ICMP traffic on a zone
> -#config rule
> -#	option src		lan
> -#	option proto	ICMP
> -#	option target	DROP
> -
> -# port redirect port coming in on wan to lan
> -#config redirect
> -#	option src			wan
> -#	option src_dport	80
> -#	option dest			lan
> -#	option dest_ip		192.168.16.235
> -#	option dest_port	80 
> -#	option proto		tcp
> -
> -
> -### FULL CONFIG SECTIONS
> -#config rule
> -#	option src		lan
> -#	option src_ip	192.168.45.2
> -#	option src_mac	00:11:22:33:44:55
> -#	option src_port	80
> -#	option dest		wan
> -#	option dest_ip	194.25.2.129
> -#	option dest_port	120
> -#	option proto	tcp
> -#	option target	REJECT 
> -
> -#config redirect
> -#	option src		lan
> -#	option src_ip	192.168.45.2
> -#	option src_mac	00:11:22:33:44:55
> -#	option src_port		1024
> -#	option src_dport	80
> -#	option dest_ip	194.25.2.129
> -#	option dest_port	120
> -#	option proto	tcp
> \ No newline at end of file
> diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
> deleted file mode 100755
> index 8ae48dc..0000000
> --- a/bsp/default/root_file_system/etc/firewall.user
> +++ /dev/null
> @@ -1,120 +0,0 @@
> -#!/bin/sh
> -
> -#solves MTU problem with bad ISPs
> -iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -
> -# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
> -# Das wirkt bei kleinen Geräten wie ein DOS
> -WAN=$(uci get network.wan.ifname)
> -iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -iptables -A INPUT -i $WAN -j REJECT
> -
> -# Limit ssh to 3 new connections per 60 seconds
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
> -
> -
> -# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
> -
> -######## CLEAN UP ############
> -ebtables -F
> -ebtables -X
> -
> -######## IN_ONLY ############
> -ebtables -N IN_ONLY -P RETURN
> -
> -# Daten aus dem BATMAN werden erlaubt
> -# Alles außer Daten von BATMAN werden DROP'ed
> -ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> -
> -######## OUT_ONLY ############
> -ebtables -N OUT_ONLY -P RETURN
> -
> -# Daten ins BATMAN werden erlaubt
> -# Alles außer Daten ins BATMAN werden DROP'ed
> -ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> -
> -######## MULTICAST_OUT ############
> -ebtables -N MULTICAST_OUT -P DROP
> -
> -# Verbiete ARP Antworten an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
> -# Verbiete ARP Requests an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
> -# Erlaube alle anderen ARP's
> -ebtables -A MULTICAST_OUT -p ARP -j RETURN
> -# Erlaube DHCP Requests
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> -# Erlaube DHCPv6 Requests
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> -# Erlaube PING
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> -# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> -# Erlaube PINGv6
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> -# Erlaube Organisation der Multicast Gruppen
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> -
> -######## INPUT ############
> -ebtables -P INPUT ACCEPT
> -
> -# Erlaube router solicitation von client zu knoten
> -ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
> -ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
> -
> -# No input from/to local node ip from batman
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> -# Verbiete Router-Solicitation von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
> -
> -######## FORWARD ############
> -ebtables -P FORWARD ACCEPT
> -
> -# Do not forward local node ip
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> -# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> -
> -######## OUTPUT ############
> -ebtables -P OUTPUT ACCEPT
> -
> -# Erlaube router advertisment von knoten zu client
> -ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
> -
> -# Do not output local node ip to batman
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> -# Verbiete Router-Advertisment von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
> -# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
> index ddf208d..d6384d8 100755
> --- a/bsp/default/root_file_system/etc/rc.local.tpl
> +++ b/bsp/default/root_file_system/etc/rc.local.tpl
> @@ -56,8 +56,6 @@ fi
>  # Starting NTP-Client Daemon after 30s to ensure that the interface is up
>  ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
>  
> -. /etc/firewall.user
> -
>  /etc/init.d/qos disable
>  /etc/init.d/qos stop
>  
> diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
> new file mode 100644
> index 0000000..e2a3b19
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -0,0 +1,43 @@
> +include $(TOPDIR)/rules.mk
> +
> +PKG_NAME:=fff-firewall
> +PKG_VERSION:=1
> +PKG_RELEASE:=1
> +
> +PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
> +
> +include $(INCLUDE_DIR)/package.mk
> +
> +define Package/fff-firewall
> +    SECTION:=base
> +    CATEGORY:=Freifunk
> +    TITLE:=Freifunk-Franken firewall
> +    URL:=http://www.freifunk-franken.de
> +    DEPENDS:=+arptables \
> +             +ebtables +ebtables-utils \
> +             +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
> +             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
> +endef
> +
> +define Package/fff-batman-adv-legacy/description
> +    This is the firewall for the Freifunk Franken Firmware
> +    It is used to configure firewall.
> +endef
> +
> +define Build/Prepare
> +	echo "all: " > $(PKG_BUILD_DIR)/Makefile
> +endef
> +
> +define Build/Configure
> +	# nothing
> +endef
> +
> +define Build/Compile
> +	# nothing
> +endef
> +
> +define Package/fff-firewall/install
> +	$(CP) ./files/* $(1)/
> +endef
> +
> +$(eval $(call BuildPackage,fff-firewall))
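Review bot: The description block at `define Package/fff-batman-adv-legacy/description` names a different package, so this text is never attached to fff-firewall; it should read `define Package/fff-firewall/description`. The DEPENDS list also omits `ip6tables` although the new 20-filter-ssh script calls `/usr/sbin/ip6tables`, so on an image that does not pull it in through another package the ssh rate-limit rules simply fail at start. Both lines are inside this hunk.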
> diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> new file mode 100755
> index 0000000..f681646
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> @@ -0,0 +1,27 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=50
> +
> +USE_PROCD=1
> +
> +SERVICE_WRITE_PID=1
> +SERVICE_DAEMONIZE=1
> +
> +FIREWALL_DIR=/usr/lib/firewall.d
> +
> +service_triggers()
> +{
> +        procd_add_reload_trigger "fff-firewall"
> +}
> +

Die Einrueckung sieht komisch aus.
Die Coding-Style ist insgesamt auch nicht konsistent.
Mal kommt die oeffnende Klammer in der naechsten Zeile und dann mal direkt dahinter.


> +start_service() {
> +    local file
> +
> +    IF_WAN=$(uci get network.wan.ifname)
> +
> +    for file in /usr/lib/firewall.d/*; do

Wieso verwendest du nicht FIREWALL_DIR?
Oder wieso braucht es FIREWALL_DIR?
Entweder so oder so :)


> +        if [ -f "$file" ]; then
> +            . $file

$file besser "double quoten".


> +        fi
> +    done
> +}
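Review bot: `IF_WAN=$(uci get network.wan.ifname)` is used unchecked; when the wan section is absent the variable is empty, the `-i $IF_WAN` rules in 20-filter-ssh then reach iptables without an interface argument and are refused, and the WAN REJECT rule is silently missing while the remaining scripts keep running. A guard right after the assignment, `[ -n "$IF_WAN" ] || { logger -t fff-firewall "network.wan.ifname unset"; return 1; }`, makes that failure visible. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` appear to belong to the pre-procd service helpers and, as far as I can tell, have no effect once `USE_PROCD=1` is set, so they should go; the script also opens no procd instance, so a reload trigger merely re-runs start_service and relies on 00-prepare to tear the previous rule set down. start_service is complete within this hunk.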
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> new file mode 100755
> index 0000000..4807e61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> @@ -0,0 +1,6 @@
> +######## CLEAN UP ############
> +ebtables -F
> +ebtables -X
> +
> +iptables -F
> +iptables -X
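Review bot: The clean-up flushes iptables and ebtables but not ip6tables, while 20-filter-ssh appends two ip6tables rules; every restart or reload therefore adds another copy of the `dropbear` rule pair. Add `ip6tables -F` and `ip6tables -X` next to the iptables lines. Note also that `-F`/`-X` only touch the filter table and leave chain policies as they are, and because the later scripts are sourced without any error checking, a failing rule in one of them leaves the node with a flushed rule set and whatever policies were in place; a short comment here stating that the scripts must not fail would help the next maintainer.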
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> new file mode 100755
> index 0000000..94d8d61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> @@ -0,0 +1,34 @@
> +######## IN_ONLY ############
> +ebtables -N IN_ONLY -P RETURN
> +
> +# Daten aus dem BATMAN werden erlaubt
> +# Alles außer Daten von BATMAN werden DROP'ed
> +ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> +
> +######## OUT_ONLY ############
> +ebtables -N OUT_ONLY -P RETURN
> +
> +# Daten ins BATMAN werden erlaubt
> +# Alles außer Daten ins BATMAN werden DROP'ed
> +ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> +
> +######## MULTICAST_OUT ############
> +ebtables -N MULTICAST_OUT -P DROP
> +
> +######## INPUT ############
> +ebtables -P INPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
> +ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
> +
> +######## FORWARD ############
> +ebtables -P FORWARD ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
> +ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> +
> +######## OUTPUT ############
> +ebtables -P OUTPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
> +ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
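Review bot: The comment above the INPUT rule, `# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT`, does not match the rule under it, which jumps to ACCEPT and not to MULTICAST_OUT; the old firewall.user carried no such comment, so this was introduced by the split. Something like `# Multicast/Broadcast from CLIENT -> KNOTEN is accepted unconditionally` describes what the line does. It would also help to state here that MULTICAST_OUT is created with policy DROP and only gains its RETURN exceptions from the later 30-*/35-* scripts, since the FORWARD and OUTPUT jumps to it are installed before any of those exceptions exist.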
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> new file mode 100755
> index 0000000..f2ee439
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> @@ -0,0 +1,2 @@
> +#solves MTU problem with bad ISPs
> +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> new file mode 100755
> index 0000000..b8bf541
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> @@ -0,0 +1,8 @@
> +# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
> +# Das wirkt bei kleinen Geräten wie ein DOS
> +iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> +iptables -A INPUT -i $IF_WAN -j REJECT
> +
> +# Limit ssh to 3 new connections per 60 seconds
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
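Review bot: The port-22 rate limit is installed with ip6tables only, while the WAN REJECT above it is iptables only: IPv6 ssh from the WAN side is reachable subject only to the 3-per-60s throttle, and IPv4 ssh from the mesh/lan side is not throttled at all. If that asymmetry is intended it deserves a comment; otherwise the two `-m recent` lines should be mirrored for iptables. The file also mixes `-m conntrack --ctstate` in the RELATED,ESTABLISHED rule with `-m state --state` in the ssh rules, which do the same job; unifying on `-m conntrack --ctstate NEW` keeps one matcher. The deleted /etc/config/firewall additionally accepted udp/68 on wan with a reference to ticket 4108 and nothing in the new set replaces it, so please confirm the WAN DHCP client still receives its replies past the REJECT.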
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> new file mode 100755
> index 0000000..a50c799
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> @@ -0,0 +1,8 @@
> +# Erlaube DHCP Requests
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> +
> +# Erlaube nur DHCP Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> +
> +# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> new file mode 100755
> index 0000000..068ef06
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> @@ -0,0 +1,8 @@
> +# Erlaube DHCPv6 Requests
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> +
> +# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> +
> +# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> new file mode 100755
> index 0000000..29562de
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> @@ -0,0 +1,5 @@
> +# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> +
> +# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> new file mode 100755
> index 0000000..9280a91
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> @@ -0,0 +1,5 @@
> +# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> +
> +# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> new file mode 100755
> index 0000000..97c3df3
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> @@ -0,0 +1,5 @@
> +# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> +
> +# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> new file mode 100755
> index 0000000..e619201
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> @@ -0,0 +1,11 @@
> +# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> +
> +# Verbiete Router-Solicitation von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
> +
> +# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> +
> +# Verbiete Router-Advertisment von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> new file mode 100755
> index 0000000..50cc31f
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> @@ -0,0 +1,6 @@
> +# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> +
> +# Erlaube Organisation der Multicast Gruppen
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> +
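Review bot: The comment `# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??` records the author's own uncertainty and should say what the rule does: `--ip6-proto 0` matches packets whose IPv6 next-header is Hop-by-Hop Options (protocol number 0), which is how MLD listener reports and queries, which carry a Router Alert option in that header, get past the MULTICAST_OUT DROP policy. A comment such as `# Allow IPv6 packets with a Hop-by-Hop header (next-header 0); needed for MLD reports/queries` would do. The file also ends with a stray blank line after the last rule.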
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> new file mode 100755
> index 0000000..50e0191
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> @@ -0,0 +1,8 @@
> +# Verbiete ARP Antworten an alle
> +ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
> +
> +# Verbiete ARP Requests an alle
> +ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
> +
> +# Erlaube alle anderen ARP's
> +ebtables -A MULTICAST_OUT -p ARP -j RETURN
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> new file mode 100755
> index 0000000..877b027
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> @@ -0,0 +1,6 @@
> +# Erlaube PING
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> +
> +# Erlaube PINGv6
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> +
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> new file mode 100755
> index 0000000..cce7231
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> @@ -0,0 +1,11 @@
> +# No input from/to local node ip from batman
> +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> +
> +# Do not forward local node ip
> +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> +
> +# Do not output local node ip to batman
> +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
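Review bot: The node address `fdff::1/128` is repeated six times here, and `br-mesh`/`bat0` appear throughout the series; since start_service already sets `IF_WAN` for the sourced scripts, the same place could set e.g. `NODE_IP6=fdff::1/128` and these rules use `$NODE_IP6`, so a change of the local node address becomes a single edit. This is a style point only; the moved rules themselves are unchanged from firewall.user.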
> diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> new file mode 100755
> index 0000000..ae2dba2
> --- /dev/null
> +++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> @@ -0,0 +1,5 @@
> +# Erlaube router solicitation von client zu knoten
> +ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
> +
> +# Erlaube router advertisment von knoten zu client
> +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
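Review bot: This file lands under src/packages/fff/fff-uradvd/files/, but the patch does not touch fff-uradvd's Makefile; unless that Makefile already installs `./files/*` the way the new fff-firewall Makefile does, the rule never reaches the image, which the commit message should state either way. The ordering is also load-bearing: with the 32- prefix the INPUT ACCEPT for router solicitations runs after 31-node-ra's `-i bat0 ... router-solicitation -j DROP`, which is the intended order, but nothing in the file says so; a first line `# must sort after 31-node-ra` would protect it.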
> -- 
> 2.1.4


Gruss
-Steffen
Tobias Klaus March 20, 2016, 10:53 p.m.
Hey Tim, 

sehr cool, dass du dir die Mühe gemacht hast, das so feingranular auseinander 
zu dividieren!

Zumindest bei mir werden hier einige Dateien als ISO-8859 angelegt:

file src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains: ISO-8859 
text

file src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh: ISO-8859 
text

Grüße
Tobias

On Dienstag, 15. März 2016 07:31:28 CET Tim Niemeyer wrote:
> - moves the node<-->client ra rules to package fff-uradvd
> 
> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> ---
> 
>  bsp/default/root_file_system/etc/config/firewall   | 103 ------------------
> bsp/default/root_file_system/etc/firewall.user     | 120
> --------------------- bsp/default/root_file_system/etc/rc.local.tpl      | 
>  2 -
>  src/packages/fff/fff-firewall/Makefile             |  43 ++++++++
>  .../fff/fff-firewall/files/etc/init.d/fff-firewall |  27 +++++
>  .../files/usr/lib/firewall.d/00-prepare            |   6 ++
>  .../files/usr/lib/firewall.d/05-setup-chains       |  34 ++++++
>  .../files/usr/lib/firewall.d/20-clamp-mss          |   2 +
>  .../files/usr/lib/firewall.d/20-filter-ssh         |   8 ++
>  .../files/usr/lib/firewall.d/30-client-dhcp        |   8 ++
>  .../files/usr/lib/firewall.d/30-client-dhcpv6      |   8 ++
>  .../files/usr/lib/firewall.d/30-client-ra          |   5 +
>  .../files/usr/lib/firewall.d/31-node-dhcp          |   5 +
>  .../files/usr/lib/firewall.d/31-node-dhcpv6        |   5 +
>  .../files/usr/lib/firewall.d/31-node-ra            |  11 ++
>  .../fff-firewall/files/usr/lib/firewall.d/35-mc    |   6 ++
>  .../files/usr/lib/firewall.d/35-mc-arp             |   8 ++
>  .../files/usr/lib/firewall.d/35-mc-ping            |   6 ++
>  .../files/usr/lib/firewall.d/40-local-node         |  11 ++
>  .../files/usr/lib/firewall.d/32-local-ra           |   5 +
>  20 files changed, 198 insertions(+), 225 deletions(-)
>  delete mode 100644 bsp/default/root_file_system/etc/config/firewall
>  delete mode 100755 bsp/default/root_file_system/etc/firewall.user
>  create mode 100644 src/packages/fff/fff-firewall/Makefile
>  create mode 100755
> src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall create mode
> 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> create mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> create mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss create
> mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh create
> mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> create mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> create mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra create
> mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp create
> mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> create mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra create
> mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> create mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp create
> mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping create
> mode 100755
> src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node create
> mode 100755
> src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> 
> diff --git a/bsp/default/root_file_system/etc/config/firewall
> b/bsp/default/root_file_system/etc/config/firewall
> deleted file mode 100644
> index ed57672..0000000
> --- a/bsp/default/root_file_system/etc/config/firewall
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -config defaults
> -	option syn_flood	1
> -	option input		ACCEPT
> -	option output		ACCEPT
> -	option forward		REJECT
> -
> -config zone
> -	option name		lan
> -	option input	ACCEPT
> -	option output	ACCEPT
> -	option forward	REJECT
> -
> -config zone
> -	option name		wan
> -	option input	REJECT
> -	option output	ACCEPT
> -	option forward	REJECT
> -	option masq		1
> -	option mtu_fix	1
> -
> -config forwarding
> -	option src      lan
> -	option dest     wan
> -
> -# We need to accept udp packets on port 68,
> -# see https://dev.openwrt.org/ticket/4108
> -config rule
> -	option src		wan
> -	option proto		udp
> -	option dest_port	68
> -	option target		ACCEPT
> -
> -#Allow ping
> -config rule
> -	option src wan
> -	option proto icmp
> -	option icmp_type echo-request
> -	option target ACCEPT
> -
> -#Allow SSH on WAN
> -config rule
> -        option src              wan
> -        option dest_port        22
> -        option target           ACCEPT
> -        option proto            tcp
> -
> -# include a file with users custom iptables rules
> -config include
> -	option path /etc/firewall.user
> -
> -
> -### EXAMPLE CONFIG SECTIONS
> -# do not allow a specific ip to access wan
> -#config rule
> -#	option src		lan
> -#	option src_ip	192.168.45.2
> -#	option dest		wan
> -#	option proto	tcp
> -#	option target	REJECT
> -
> -# block a specific mac on wan
> -#config rule
> -#	option dest		wan
> -#	option src_mac	00:11:22:33:44:66
> -#	option target	REJECT
> -
> -# block incoming ICMP traffic on a zone
> -#config rule
> -#	option src		lan
> -#	option proto	ICMP
> -#	option target	DROP
> -
> -# port redirect port coming in on wan to lan
> -#config redirect
> -#	option src			wan
> -#	option src_dport	80
> -#	option dest			lan
> -#	option dest_ip		192.168.16.235
> -#	option dest_port	80
> -#	option proto		tcp
> -
> -
> -### FULL CONFIG SECTIONS
> -#config rule
> -#	option src		lan
> -#	option src_ip	192.168.45.2
> -#	option src_mac	00:11:22:33:44:55
> -#	option src_port	80
> -#	option dest		wan
> -#	option dest_ip	194.25.2.129
> -#	option dest_port	120
> -#	option proto	tcp
> -#	option target	REJECT
> -
> -#config redirect
> -#	option src		lan
> -#	option src_ip	192.168.45.2
> -#	option src_mac	00:11:22:33:44:55
> -#	option src_port		1024
> -#	option src_dport	80
> -#	option dest_ip	194.25.2.129
> -#	option dest_port	120
> -#	option proto	tcp
> \ No newline at end of file
> diff --git a/bsp/default/root_file_system/etc/firewall.user
> b/bsp/default/root_file_system/etc/firewall.user
> deleted file mode 100755
> index 8ae48dc..0000000
> --- a/bsp/default/root_file_system/etc/firewall.user
> +++ /dev/null
> @@ -1,120 +0,0 @@
> -#!/bin/sh
> -
> -#solves MTU problem with bad ISPs
> -iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
> -
> -# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen
> ausgesetzt.
> -# Das wirkt bei kleinen Geräten wie ein DOS
> -WAN=$(uci get network.wan.ifname)
> -iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j
> ACCEPT
> -iptables -A INPUT -i $WAN -j REJECT
> -
> -# Limit ssh to 3 new connections per 60 seconds
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m
> recent --set --name dropbear
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport
> 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl
> --name dropbear -j DROP
> -
> -
> -# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren
> sollen:
> -
> -######## CLEAN UP ############
> -ebtables -F
> -ebtables -X
> -
> -######## IN_ONLY ############
> -ebtables -N IN_ONLY -P RETURN
> -
> -# Daten aus dem BATMAN werden erlaubt
> -# Alles außer Daten von BATMAN werden DROP'ed
> -ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> -
> -######## OUT_ONLY ############
> -ebtables -N OUT_ONLY -P RETURN
> -
> -# Daten ins BATMAN werden erlaubt
> -# Alles außer Daten ins BATMAN werden DROP'ed
> -ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> -
> -######## MULTICAST_OUT ############
> -ebtables -N MULTICAST_OUT -P DROP
> -
> -# Verbiete ARP Antworten an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j
> DROP
> -# Verbiete ARP Requests an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j
> DROP
> -# Erlaube alle anderen ARP's
> -ebtables -A MULTICAST_OUT -p ARP -j RETURN
> -# Erlaube DHCP Requests
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> -# Erlaube DHCPv6 Requests
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> -# Erlaube PING
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> -# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> -# Erlaube PINGv6
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> -# Erlaube Organisation der Multicast Gruppen
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> -
> -######## INPUT ############
> -ebtables -P INPUT ACCEPT
> -
> -# Erlaube router solicitation von client zu knoten
> -ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j ACCEPT
> -ebtables -A INPUT -d Multicast --logical-in
> br-mesh -i ! bat0 -j ACCEPT
> -
> -# No input from/to local node ip from batman
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source
> fdff::1/128 -j DROP
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6
> --ip6-destination fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j IN_ONLY
> -# Verbiete Router-Solicitation von BATMAN
> -> KNOTEN
> -ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j DROP
> -
> -######## FORWARD ############
> -ebtables -P FORWARD ACCEPT
> -
> -# Do not forward local node ip
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination
> fdff::1/128 -j DROP
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p
> IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j OUT_ONLY
> -# Erlaube nur Router-Advertisment von
> BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j IN_ONLY
> -# Regelt alles was an Multicast/Broadcast
> von CLIENT -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A FORWARD -d
> Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> -
> -######## OUTPUT ############
> -ebtables -P OUTPUT ACCEPT
> -
> -# Erlaube router advertisment von knoten zu client
> -ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j ACCEPT
> -
> -# Do not output local node ip to batman
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination
> fdff::1/128 -j DROP
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p
> IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j OUT_ONLY
> -# Verbiete Router-Advertisment von KNOTEN
> -> BATMAN
> -ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j DROP
> -# Regelt alles was an Multicast/Broadcast von
> KNOTEN -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A OUTPUT -d Multicast
> --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> diff --git
> a/bsp/default/root_file_system/etc/rc.local.tpl
> b/bsp/default/root_file_system/etc/rc.local.tpl
> index ddf208d..d6384d8
> 100755
> --- a/bsp/default/root_file_system/etc/rc.local.tpl
> +++ b/bsp/default/root_file_system/etc/rc.local.tpl
> @@ -56,8 +56,6 @@ fi
>  # Starting NTP-Client Daemon after 30s to ensure that the interface is up
>  ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
> 
> -. /etc/firewall.user
> -
>  /etc/init.d/qos disable
>  /etc/init.d/qos stop
> 
> diff --git a/src/packages/fff/fff-firewall/Makefile
> b/src/packages/fff/fff-firewall/Makefile
> new file mode 100644
> index 0000000..e2a3b19
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -0,0 +1,43 @@
> +include $(TOPDIR)/rules.mk
> +
> +PKG_NAME:=fff-firewall
> +PKG_VERSION:=1
> +PKG_RELEASE:=1
> +
> +PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
> +
> +include $(INCLUDE_DIR)/package.mk
> +
> +define Package/fff-firewall
> +    SECTION:=base
> +    CATEGORY:=Freifunk
> +    TITLE:=Freifunk-Franken firewall
> +    URL:=http://www.freifunk-franken.de
> +    DEPENDS:=+arptables \
> +             +ebtables +ebtables-utils \
> +             +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
> +             +iptables-mod-filter +iptables-mod-ipopt
> +iptables-mod-conntrack-extra
> +endef
> +
> +define Package/fff-batman-adv-legacy/description
> +    This is the firewall for the Freifunk Franken Firmware
> +    It is used to configure firewall.
> +endef
> +
> +define Build/Prepare
> +	echo "all: " > $(PKG_BUILD_DIR)/Makefile
> +endef
> +
> +define Build/Configure
> +	# nothing
> +endef
> +
> +define Build/Compile
> +	# nothing
> +endef
> +
> +define Package/fff-firewall/install
> +	$(CP) ./files/* $(1)/
> +endef
> +
> +$(eval $(call BuildPackage,fff-firewall))
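Review bot: The description block is named for a different package on the line `define Package/fff-batman-adv-legacy/description`, so fff-firewall ends up with no description and the stray define is silently ignored; it should read `define Package/fff-firewall/description`. DEPENDS also omits `+ip6tables`, which `20-filter-ssh` in this same series invokes as `/usr/sbin/ip6tables`; unless another package already pulls it into the image, the IPv6 rate-limit rules would fail to install and the failure goes unreported. The description text could also say what the package does, e.g. `It installs the ebtables/iptables rule set from /usr/lib/firewall.d.`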
> diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall new file mode
> 100755
> index 0000000..f681646
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> @@ -0,0 +1,27 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=50
> +
> +USE_PROCD=1
> +
> +SERVICE_WRITE_PID=1
> +SERVICE_DAEMONIZE=1
> +
> +FIREWALL_DIR=/usr/lib/firewall.d
> +
> +service_triggers()
> +{
> +        procd_add_reload_trigger "fff-firewall"
> +}
> +
> +start_service() {
> +    local file
> +
> +    IF_WAN=$(uci get network.wan.ifname)
> +
> +    for file in /usr/lib/firewall.d/*; do
> +        if [ -f "$file" ]; then
> +            . $file
> +        fi
> +    done
> +}
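Review bot: `FIREWALL_DIR=/usr/lib/firewall.d` is defined but the loop still hard-codes `/usr/lib/firewall.d/*`, and `. $file` is unquoted; use `for file in "$FIREWALL_DIR"/*; do` and `. "$file"`. More important for a firewall, nothing checks whether the sourced rule scripts succeed: because 05-setup-chains sets every ebtables chain policy to ACCEPT, any ebtables/iptables command that fails (missing module, empty `$IF_WAN`) leaves the node running a partial, fail-open rule set with no log entry. At minimum report it, e.g. `. "$file" || logger -t fff-firewall "error applying $file"`, bearing in mind that a sourced file's status is only that of its last command, so a per-command check inside the scripts would be more reliable. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` look like variables of the legacy non-procd helpers and appear unused with `USE_PROCD=1`; confirm and drop them if so. Since other packages drop files into this directory (`32-local-ra` comes from fff-uradvd), a comment stating that files are applied in lexical order would help maintainers pick prefixes.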
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare new
> file mode 100755
> index 0000000..4807e61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> @@ -0,0 +1,6 @@
> +######## CLEAN UP ############
> +ebtables -F
> +ebtables -X
> +
> +iptables -F
> +iptables -X
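Review bot: Only ebtables and the iptables filter table are flushed here, but `20-filter-ssh` installs ip6tables INPUT rules; since `procd_add_reload_trigger` re-runs `start_service` on every reload, those rules are appended again each time and accumulate duplicates. Add `ip6tables -F` and `ip6tables -X` next to the iptables lines. Note that `iptables -F` without `-t` only touches the filter table, which is fine as long as no script in this directory adds nat or mangle rules — worth a comment so that assumption is visible. The window between this flush and the re-install of the rules is fail-open (policies stay ACCEPT), which is acceptable for a reload but should be understood.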
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> new file mode 100755
> index 0000000..94d8d61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> @@ -0,0 +1,34 @@
> +######## IN_ONLY ############
> +ebtables -N IN_ONLY -P RETURN
> +
> +# Daten aus dem BATMAN werden erlaubt
> +# Alles außer Daten von BATMAN werden DROP'ed
> +ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> +
> +######## OUT_ONLY ############
> +ebtables -N OUT_ONLY -P RETURN
> +
> +# Daten ins BATMAN werden erlaubt
> +# Alles außer Daten ins BATMAN werden DROP'ed
> +ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> +
> +######## MULTICAST_OUT ############
> +ebtables -N MULTICAST_OUT -P DROP
> +
> +######## INPUT ############
> +ebtables -P INPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei
> MULTICAST_OUT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i !
> bat0 -j ACCEPT
+
> +######## FORWARD ############
> +ebtables -P FORWARD ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei
> MULTICAST_OUT
+ebtables -A FORWARD -d Multicast --logical-out br-mesh -o
> bat0 -j MULTICAST_OUT
+
> +######## OUTPUT ############
> +ebtables -P OUTPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei
> MULTICAST_OUT
+ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o
> bat0 -j MULTICAST_OUT
diff --git
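Review bot: The INPUT rule under the comment `Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT` jumps to ACCEPT, not to MULTICAST_OUT, so the comment and the rule disagree. Because this ACCEPT is appended before the rules of `31-node-ra`, a multicast router advertisement arriving from a client port is accepted here and never reaches the `INPUT ... router-advertisement -j IN_ONLY` check in that file, so the node's own rogue-RA protection does not apply to multicast RAs; the same bypass holds for any later INPUT check on multicast/broadcast frames from clients. If the node is meant to receive all client multicast, keep the ACCEPT but move it to a file sorting after the `31-node-*` checks; otherwise `-j MULTICAST_OUT`, matching the FORWARD and OUTPUT rules below, would keep the per-protocol checks in play. All three built-in chains are set to policy ACCEPT, so filtering rests entirely on the explicit DROP rules that follow — worth stating in a header comment.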
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss new
> file mode 100755
> index 0000000..f2ee439
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> @@ -0,0 +1,2 @@
> +#solves MTU problem with bad ISPs
> +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
diff --git
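Review bot: Only IPv4 SYNs are clamped; if IPv6 is routed through the node (the package does install ip6tables rules and the node carries an IPv6 address), PMTU blackholes affect it just the same, so an `ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` counterpart is worth considering, provided ip6tables is a declared dependency. The comment could also name the mechanism: `# Clamp TCP MSS to PMTU on forwarded SYNs; works around ISPs that drop ICMP fragmentation-needed`.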
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh new
> file mode 100755
> index 0000000..b8bf541
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> @@ -0,0 +1,8 @@
> +# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen
> ausgesetzt.
+# Das wirkt bei kleinen Geräten wie ein DOS
> +iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j
> ACCEPT
+iptables -A INPUT -i $IF_WAN -j REJECT
> +
> +# Limit ssh to 3 new connections per 60 seconds
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m
> recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport
> 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl
> --name dropbear -j DROP
diff --git
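Review bot: If `uci get network.wan.ifname` returns nothing, `$IF_WAN` expands to an empty word and both `iptables -A INPUT -i $IF_WAN ...` lines fail to parse, which silently leaves the IPv4 WAN side without any input filtering (this package never sets an iptables INPUT policy, and `00-prepare` has just flushed whatever was there); guard the two rules with `[ -n "$IF_WAN" ] || return` at the top of the file and quote the expansion as `-i "$IF_WAN"`. The header comment talks about SSH, but the IPv4 rules reject every new inbound connection on WAN while the IPv6 rules only throttle port 22 on all interfaces — two different policies, which the comment should spell out. The ip6tables lines also use the deprecated `-m state` whereas the line above uses `-m conntrack`; use `-m conntrack --ctstate NEW` for both.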
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp new
> file mode 100755
> index 0000000..a50c799
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> @@ -0,0 +1,8 @@
> +# Erlaube DHCP Requests
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> +
> +# Erlaube nur DHCP Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> +
> +# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> new file mode 100755
> index 0000000..068ef06
> --- /dev/null
> +++
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> @@ -0,0 +1,8 @@
> +# Erlaube DHCPv6 Requests
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> +
> +# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> +
> +# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra new
> file mode 100755
> index 0000000..29562de
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> @@ -0,0 +1,5 @@
> +# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j OUT_ONLY
+
> +# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j IN_ONLY
diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp new
> file mode 100755
> index 0000000..9280a91
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> @@ -0,0 +1,5 @@
> +# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> +
> +# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 new
> file mode 100755
> index 0000000..97c3df3
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> @@ -0,0 +1,5 @@
> +# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> +
> +# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra new
> file mode 100755
> index 0000000..e619201
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> @@ -0,0 +1,11 @@
> +# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j IN_ONLY
+
> +# Verbiete Router-Solicitation von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j DROP
+
> +# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j OUT_ONLY
+
> +# Verbiete Router-Advertisment von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j DROP
diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc new file
> mode 100755
> index 0000000..50cc31f
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> @@ -0,0 +1,6 @@
> +# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> +
> +# Erlaube Organisation der Multicast Gruppen
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> +
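Review bot: The comment `# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??` records the author's uncertainty rather than the rule's purpose. `--ip6-proto 0` matches packets whose IPv6 next-header field is 0, i.e. packets carrying a Hop-by-Hop options header; MLD reports and queries carry one (Router Alert), which is presumably why multicast group management needs this exception. The match is broader than MLD, though: any multicast packet with a Hop-by-Hop header is returned regardless of what follows the extension header. Suggest replacing the comment with `# Allow IPv6 packets with a Hop-by-Hop options header (next-header 0): MLD reports/queries carry one (Router Alert); matches more than MLD`.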
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp new file
> mode 100755
> index 0000000..50e0191
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> @@ -0,0 +1,8 @@
> +# Verbiete ARP Antworten an alle
> +ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j
> DROP
+
> +# Verbiete ARP Requests an alle
> +ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j
> DROP
+
> +# Erlaube alle anderen ARP's
> +ebtables -A MULTICAST_OUT -p ARP -j RETURN
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping new
> file mode 100755
> index 0000000..877b027
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> @@ -0,0 +1,6 @@
> +# Erlaube PING
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> +
> +# Erlaube PINGv6
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> +
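Review bot: The rule `-p IPv6 --ip6-proto ipv6-icmp -j RETURN` matches every ICMPv6 message to a multicast address — RS, RA, NS/NA and MLD included — so the name `PINGv6` understates what it admits. This is only safe because MULTICAST_OUT is entered with `-j MULTICAST_OUT` from FORWARD/OUTPUT and its rules RETURN rather than ACCEPT, which lets the later `router-advertisement -j IN_ONLY` and `-j DROP` rules in `30-client-ra` and `31-node-ra` still run on the returned frame. That invariant is written nowhere; suggest a comment here or in `05-setup-chains`: `# Rules in MULTICAST_OUT must RETURN, never ACCEPT: protocol checks in the calling chain run afterwards`.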
> diff --git
> a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node new
> file mode 100755
> index 0000000..cce7231
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> @@ -0,0 +1,11 @@
> +# No input from/to local node ip from batman
> +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source
> fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6
> --ip6-destination fdff::1/128 -j DROP
+
> +# Do not forward local node ip
> +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination
> fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p
> IPv6 --ip6-source fdff::1/128 -j DROP
+
> +# Do not output local node ip to batman
> +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination
> fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p
> IPv6 --ip6-source fdff::1/128 -j DROP
diff --git
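Review bot: The FORWARD rules only cover the client-to-mesh direction (`--logical-out br-mesh -o bat0`); a frame entering from bat0 with source fdff::1 that is bridged on to a client port (for example when the destination MAC is not in the FDB and the frame is flooded) is not dropped, so a remote mesh participant could still present itself to local clients under the node's own address. If fdff::1 is meant to be strictly local, add the mirror rules `ebtables -A FORWARD --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP` and `ebtables -A FORWARD --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP`. The address literal appears six times; a `LOCAL_NODE_IP6=fdff::1/128` variable at the top of the file would keep it in one place.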
> a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra new file
> mode 100755
> index 0000000..ae2dba2
> --- /dev/null
> +++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> @@ -0,0 +1,5 @@
> +# Erlaube router solicitation von client zu knoten
> +ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-solicitation -j ACCEPT
+
> +# Erlaube router advertisment von knoten zu client
> +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-advertisement -j ACCEPT
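Review bot: Both ACCEPT rules are no-ops with the rule set as it stands: `05-setup-chains` sets the INPUT and OUTPUT policies to ACCEPT, and the only RS/RA drops appended before this file (`31-node-ra`) match `-i bat0` / `-o bat0`, so solicitations from clients and advertisements to clients already pass. They do document intent and become load-bearing if the chain policies are ever tightened, so keep them but say so, e.g. `# Explicit ACCEPT so node<->client RS/RA survive a future DROP policy; currently redundant`. Since this file is shipped by fff-uradvd but executed by the fff-firewall init script, the `32` prefix is the only thing placing it between `31-node-ra` and `40-local-node`; that ordering contract deserves a comment in one of the two packages.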