[3/3] Move node-specific firewall rules to fff-node

Submitted by Fabian Blaese on Sept. 8, 2019, 1:08 p.m.

Details

Message ID 20190908130818.17706-3-fabian@blaese.de
State Superseded

Commit Message

Fabian Blaese Sept. 8, 2019, 1:08 p.m.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
---
 .../files/usr/lib/firewall.d/06-disable-forwarding                | 0
 .../files/usr/lib/firewall.d/30-client-dhcp                       | 0
 .../files/usr/lib/firewall.d/30-client-dhcpv6                     | 0
 .../files/usr/lib/firewall.d/30-client-ra                         | 0
 .../files/usr/lib/firewall.d/31-node-dhcp                         | 0
 .../files/usr/lib/firewall.d/31-node-dhcpv6                       | 0
 .../files/usr/lib/firewall.d/31-node-ra                           | 0
 .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc | 0
 .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp | 0
 .../files/usr/lib/firewall.d/35-mc-ping                           | 0
 .../files/usr/lib/firewall.d/40-local-node                        | 0
 11 files changed, 0 insertions(+), 0 deletions(-)
 rename src/packages/fff/{fff-network => fff-node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-ra (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-ra (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-ping (100%)
 rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/40-local-node (100%)

Patch

diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
similarity index 100%
rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
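Review bot: the source package in this hunk is fff-network, while the other ten renames come from fff-firewall, and the commit message has no body explaining either move. With 11 files changed and 0 insertions, no package Makefile or dependency is touched, so please state in the commit message that images built without fff-node are meant to lose 06-disable-forwarding, and confirm that fff-node already installs files/usr/lib/firewall.d.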
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
similarity index 100%
rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
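Review bot: 40-local-node and the other moved rule files keep their numeric prefixes but now ship in a different package from whatever remains in fff-firewall's firewall.d, and nothing in the patch records that split. Since all 11 renames are 100% similarity with no accompanying change, please add a commit-message line naming which rule files stay in fff-firewall and why they are not node-specific, so the load order across the two packages can be reviewed.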

Comments

Tim Niemeyer Sept. 8, 2019, 2:59 p.m.
Hmm.. There are also things from fdff::1 in there.. Those are also in
configurenetwork. I'm not sure, but I have the feeling it's not that
simple.

Tim

On Sunday, 08.09.2019, 15:08 +0200, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de>
> ---
>  .../files/usr/lib/firewall.d/06-disable-forwarding                |
> 0
>  .../files/usr/lib/firewall.d/30-client-dhcp                       |
> 0
>  .../files/usr/lib/firewall.d/30-client-dhcpv6                     |
> 0
>  .../files/usr/lib/firewall.d/30-client-ra                         |
> 0
>  .../files/usr/lib/firewall.d/31-node-dhcp                         |
> 0
>  .../files/usr/lib/firewall.d/31-node-dhcpv6                       |
> 0
>  .../files/usr/lib/firewall.d/31-node-ra                           |
> 0
>  .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc |
> 0
>  .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp |
> 0
>  .../files/usr/lib/firewall.d/35-mc-ping                           |
> 0
>  .../files/usr/lib/firewall.d/40-local-node                        |
> 0
>  11 files changed, 0 insertions(+), 0 deletions(-)
>  rename src/packages/fff/{fff-network => fff-
> node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/30-client-ra (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/31-node-ra (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/35-mc (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/35-mc-arp (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/35-mc-ping (100%)
>  rename src/packages/fff/{fff-firewall => fff-
> node}/files/usr/lib/firewall.d/40-local-node (100%)
> 
> diff --git a/src/packages/fff/fff-
> network/files/usr/lib/firewall.d/06-disable-forwarding
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-
> forwarding
> similarity index 100%
> rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-
> disable-forwarding
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-
> disable-forwarding
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/30-client-dhcp
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/30-client-dhcp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
> client-dhcp
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
> client-dhcpv6
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/30-client-ra
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/30-client-ra
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
> client-ra
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/31-node-dhcp
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/31-node-dhcp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
> dhcp
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
> dhcpv6
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-
> node/files/usr/lib/firewall.d/31-node-ra
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/31-node-ra
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
> ra
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-
> node/files/usr/lib/firewall.d/35-mc
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/35-mc
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-
> node/files/usr/lib/firewall.d/35-mc-arp
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/35-mc-arp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-
> arp
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-
> node/files/usr/lib/firewall.d/35-mc-ping
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/35-mc-ping
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-
> ping
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/40-local-node
> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
> similarity index 100%
> rename from src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/40-local-node
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-
> local-node
Fabian Blaese Sept. 8, 2019, 6:34 p.m.
Right, but all these rules only filter things against bat0, which as of today does not exist at all in the gateway firmware.

In general there is also only little to firewall in the gateway firmware. The fdff things do not need to be filtered (without batman), since the layer 2 network is not tunneled anyway.
The only thing that could be interesting is a

  iptables -A FORWARD -o <WANIF> -j REJECT --reject-with icmp-net-unreachable
  ip6tables -A FORWARD -o <WANIF> -j REJECT --reject-with no-route

to prevent non-tunnel packets from ever leaking out on the WAN interface.

Regards
Fabian

On 08.09.19 16:59, Tim Niemeyer wrote:
> Hmm.. There are also things from fdff::1 in there.. Those are also in
> configurenetwork. I'm not sure, but I have the feeling it's not that
> simple.
> 
> Tim
> 
> On Sunday, 08.09.2019, 15:08 +0200, Fabian Bläse wrote:
>> Signed-off-by: Fabian Bläse <fabian@blaese.de>
>> ---
>>  .../files/usr/lib/firewall.d/06-disable-forwarding                |
>> 0
>>  .../files/usr/lib/firewall.d/30-client-dhcp                       |
>> 0
>>  .../files/usr/lib/firewall.d/30-client-dhcpv6                     |
>> 0
>>  .../files/usr/lib/firewall.d/30-client-ra                         |
>> 0
>>  .../files/usr/lib/firewall.d/31-node-dhcp                         |
>> 0
>>  .../files/usr/lib/firewall.d/31-node-dhcpv6                       |
>> 0
>>  .../files/usr/lib/firewall.d/31-node-ra                           |
>> 0
>>  .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc |
>> 0
>>  .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp |
>> 0
>>  .../files/usr/lib/firewall.d/35-mc-ping                           |
>> 0
>>  .../files/usr/lib/firewall.d/40-local-node                        |
>> 0
>>  11 files changed, 0 insertions(+), 0 deletions(-)
>>  rename src/packages/fff/{fff-network => fff-
>> node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/30-client-ra (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/31-node-ra (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/35-mc (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/35-mc-arp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/35-mc-ping (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/40-local-node (100%)
>>
>> diff --git a/src/packages/fff/fff-
>> network/files/usr/lib/firewall.d/06-disable-forwarding
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-
>> forwarding
>> similarity index 100%
>> rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-
>> disable-forwarding
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-
>> disable-forwarding
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcp
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
>> client-dhcp
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcpv6
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcpv6
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
>> client-dhcpv6
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-ra
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-ra
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
>> client-ra
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcp
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
>> dhcp
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcpv6
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcpv6
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
>> dhcpv6
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/31-node-ra
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-ra
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
>> ra
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/35-mc
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/35-mc-arp
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-arp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-
>> arp
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/35-mc-ping
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-ping
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-
>> ping
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/40-local-node
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/40-local-node
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-
>> local-node
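A check for the WAN leak guard proposed in the message above, as an added example that is not part of the thread or of the fff firmware. It generalises slightly: because the rule is appended with `-A`, it also reports when an earlier ACCEPT in FORWARD would let packets out of the WAN interface before the REJECT is reached. The interface name `eth0.2`, the function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an `iptables -S FORWARD` listing for the WAN leak guard.
# Tunnel traffic is generated locally and traverses OUTPUT, so a blanket
# REJECT on FORWARD -o <WANIF> only affects forwarded (non-tunnel) packets.

# Constructed listings; eth0.2 is an assumed WAN interface name.
SAMPLE_GUARDED='-P FORWARD ACCEPT
-A FORWARD ! -o eth0.2 -j ACCEPT
-A FORWARD -o eth0.2 -j REJECT --reject-with icmp-net-unreachable'

SAMPLE_SHADOWED='-P FORWARD ACCEPT
-A FORWARD -i br-client -j ACCEPT
-A FORWARD -o eth0.2 -j REJECT --reject-with icmp-net-unreachable'

SAMPLE_MISSING='-P FORWARD ACCEPT
-A FORWARD -o br-client -j ACCEPT'

# Print the two rules from the message for a validated interface name.
wan_guard_rules() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;   # refuse anything that is not a plain ifname
    esac
    printf 'iptables -A FORWARD -o %s -j REJECT --reject-with icmp-net-unreachable\n' "$1"
    printf 'ip6tables -A FORWARD -o %s -j REJECT --reject-with no-route\n' "$1"
}

# wan_guard_status LISTING WANIF -> guarded | shadowed | missing
# Conservative: any earlier ACCEPT that can match packets leaving WANIF counts
# as shadowing. Jumps into user-defined chains are not followed.
wan_guard_status() {
    rules=$1
    wanif=$2
    status=missing
    while IFS= read -r line; do
        case $line in
            "-A FORWARD "*) ;;
            *) continue ;;              # skip policy lines and other chains
        esac
        out_ok=yes; exact_o=no; narrowed=no; neg=no; target=
        set -f; set -- $line; set +f    # split the rule into tokens
        shift 2                         # drop "-A FORWARD"
        while [ $# -gt 0 ]; do
            case $1 in
                '!') neg=yes; shift; continue ;;
                -o)
                    if [ "$2" = "$wanif" ]; then
                        if [ "$neg" = yes ]; then out_ok=no; else exact_o=yes; fi
                    elif [ "$neg" = no ]; then
                        out_ok=no       # rule is bound to a different out interface
                    fi
                    shift ;;
                -j) target=$2; break ;; # target options such as --reject-with follow
                -*) narrowed=yes ;;     # any other match (-i, -s, -p, -m ...)
            esac
            neg=no
            shift
        done
        if [ "$target" = ACCEPT ] && [ "$out_ok" = yes ]; then
            status=shadowed
            break
        fi
        if [ "$target" = REJECT ] || [ "$target" = DROP ]; then
            if [ "$exact_o" = yes ] && [ "$narrowed" = no ]; then
                status=guarded
                break
            fi
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$status"
}

for sample in "$SAMPLE_GUARDED" "$SAMPLE_SHADOWED" "$SAMPLE_MISSING"; do
    wan_guard_status "$sample" eth0.2
done
```

The same function can be fed an `ip6tables -S FORWARD` listing, since it ignores everything after the `-j` target.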
Robert Langhammer Sept. 8, 2019, 8:52 p.m.
Hi Fabian,

if I see this correctly, nothing is left in the l3 variant.
The ssh limit, dos etc. should then be built in there again.

For the move here:

Reviewed-by: Robert Langhammer <rlanghammer@web.de>

On 08.09.19 at 15:08, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de>
> ---
>  .../files/usr/lib/firewall.d/06-disable-forwarding                | 0
>  .../files/usr/lib/firewall.d/30-client-dhcp                       | 0
>  .../files/usr/lib/firewall.d/30-client-dhcpv6                     | 0
>  .../files/usr/lib/firewall.d/30-client-ra                         | 0
>  .../files/usr/lib/firewall.d/31-node-dhcp                         | 0
>  .../files/usr/lib/firewall.d/31-node-dhcpv6                       | 0
>  .../files/usr/lib/firewall.d/31-node-ra                           | 0
>  .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc | 0
>  .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp | 0
>  .../files/usr/lib/firewall.d/35-mc-ping                           | 0
>  .../files/usr/lib/firewall.d/40-local-node                        | 0
>  11 files changed, 0 insertions(+), 0 deletions(-)
>  rename src/packages/fff/{fff-network => fff-node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-ra (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-ra (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-ping (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/40-local-node (100%)
>
> diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
> similarity index 100%
> rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
Fabian Blaese Sept. 8, 2019, 8:53 p.m.
Hello Robert,

On 08.09.19 22:52, robert wrote:
> Hi Fabian,
> 
> if I see this correctly, nothing is left in the l3 variant.
> The ssh limit, dos etc. should then be built in there again.
that is still housed in the fff-firewall package and is therefore also active on the layer3 variant.

Regards
Fabian
Christian Dresel Oct. 4, 2019, 10:39 a.m.
hi

in

[...]/fff-firewall/files/usr/lib/firewall.d/05-setup-chains

there is still a bunch of Batman stuff in there, and that stays active in
the Layer3 FW as well. What about that? Various multicast magic is done
there too? I'm missing a bit of the overall context.

The rest looks logical to me so far.

Regards

Christian

On 08.09.19 15:08, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de>
> ---
>  .../files/usr/lib/firewall.d/06-disable-forwarding                | 0
>  .../files/usr/lib/firewall.d/30-client-dhcp                       | 0
>  .../files/usr/lib/firewall.d/30-client-dhcpv6                     | 0
>  .../files/usr/lib/firewall.d/30-client-ra                         | 0
>  .../files/usr/lib/firewall.d/31-node-dhcp                         | 0
>  .../files/usr/lib/firewall.d/31-node-dhcpv6                       | 0
>  .../files/usr/lib/firewall.d/31-node-ra                           | 0
>  .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc | 0
>  .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp | 0
>  .../files/usr/lib/firewall.d/35-mc-ping                           | 0
>  .../files/usr/lib/firewall.d/40-local-node                        | 0
>  11 files changed, 0 insertions(+), 0 deletions(-)
>  rename src/packages/fff/{fff-network => fff-node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-ra (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-ra (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-ping (100%)
>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/40-local-node (100%)
> 
> diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
> similarity index 100%
> rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
> similarity index 100%
> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
>
Fabian Blaese Nov. 10, 2019, 12:33 a.m.
That's right, those are layer 2 rules that do nothing at all in the gateway firmware.
They will go to fff-node -> v2

Regards
Fabian

On 04.10.19 12:39, Christian Dresel wrote:
> hi
> 
> in
> 
> [...]/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> 
> there is still a bunch of Batman stuff in there, and that stays active in
> the Layer3 FW as well. What about that? Various multicast magic is done
> there too? I'm missing a bit of the overall context.
> 
> The rest looks logical to me so far.
> 
> Regards
> 
> Christian
> 
> On 08.09.19 15:08, Fabian Bläse wrote:
>> Signed-off-by: Fabian Bläse <fabian@blaese.de>
>> ---
>>  .../files/usr/lib/firewall.d/06-disable-forwarding                | 0
>>  .../files/usr/lib/firewall.d/30-client-dhcp                       | 0
>>  .../files/usr/lib/firewall.d/30-client-dhcpv6                     | 0
>>  .../files/usr/lib/firewall.d/30-client-ra                         | 0
>>  .../files/usr/lib/firewall.d/31-node-dhcp                         | 0
>>  .../files/usr/lib/firewall.d/31-node-dhcpv6                       | 0
>>  .../files/usr/lib/firewall.d/31-node-ra                           | 0
>>  .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc | 0
>>  .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp | 0
>>  .../files/usr/lib/firewall.d/35-mc-ping                           | 0
>>  .../files/usr/lib/firewall.d/40-local-node                        | 0
>>  11 files changed, 0 insertions(+), 0 deletions(-)
>>  rename src/packages/fff/{fff-network => fff-node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/30-client-ra (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/31-node-ra (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-ping (100%)
>>  rename src/packages/fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/40-local-node (100%)
>>
>> diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
>> similarity index 100%
>> rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding
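Review bot: 06-disable-forwarding is renamed from fff-network, while the other ten files come from fff-firewall, and the commit message consists only of the Signed-off-by line. A short body stating why this file belongs with the node-specific firewall rules, and that fff-network stops shipping it, would make the move reviewable without opening the file.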
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
>> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
>> similarity index 100%
>> rename from src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
>>