[v2] fff-gateway: Add firewall rules to ensure nothing is forwarded onto WAN

Submitted by Fabian Blaese on Sept. 10, 2019, 8:09 p.m.

Details

Message ID 20190910200901.31225-1-fabian@blaese.de
State Accepted

Commit Message

Fabian Blaese Sept. 10, 2019, 8:09 p.m.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
---
Changes in v2:
- Fix redundant --reject-with parameter
---
 .../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan

Patch

diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
new file mode 100644
index 0000000..f989d6b
--- /dev/null
+++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
@@ -0,0 +1,3 @@ 
+# Ensure nothing is forwarded onto WAN interface
+iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
+ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
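Review bot: the commit message body carries only the Signed-off-by line, so the reason for the two rules survives only in the subject; one sentence saying that a gateway must never forward client traffic out of $IF_WAN and that this is a safety net against a routing misconfiguration would document the intent for later readers. Both rules use `-A`, so they are appended after whatever already sits in FORWARD and only take effect if no earlier ACCEPT matching `-o $IF_WAN` (or a blanket ACCEPT) comes first; the `10-` prefix in firewall.d is what the rule relies on for that ordering, and a comment in the file noting that dependency would help. `$IF_WAN` is also expanded unquoted; if it is ever empty the command becomes `iptables -A FORWARD -o -j REJECT ...`, which fails and leaves the chain without the rule, so a guard such as `[ -n "$IF_WAN" ] || exit 1` before the two lines would make that condition visible instead of silent.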

Comments

Christian Dresel Sept. 11, 2019, 9:40 a.m.
Reviewed-by: Christian Dresel <fff@chrisi01.de>

On 10.09.19 22:09, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de>
> ---
> Changes in v2:
> - Fix redundant --reject-with parameter
> ---
>  .../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++
>  1 file changed, 3 insertions(+)
>  create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> 
> diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> new file mode 100644
> index 0000000..f989d6b
> --- /dev/null
> +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> @@ -0,0 +1,3 @@
> +# Ensure nothing is forwarded onto WAN interface
> +iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
> +ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
>
Robert Langhammer Sept. 11, 2019, 7:12 p.m.
Hi Fabian,

that can be done. It should not be necessary with correct routing,
but better safe than sorry.

Reviewed-by: Robert Langhammer <rlanghammer@web.de>

On 10.09.19 at 22:09, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de>
> ---
> Changes in v2:
> - Fix redundant --reject-with parameter
> ---
>  .../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++
>  1 file changed, 3 insertions(+)
>  create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
>
> diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> new file mode 100644
> index 0000000..f989d6b
> --- /dev/null
> +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> @@ -0,0 +1,3 @@
> +# Ensure nothing is forwarded onto WAN interface
> +iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
> +ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
Fabian Blaese Sept. 29, 2019, 8:17 p.m.
applied.