Message ID | 20190910200901.31225-1-fabian@blaese.de |
---|---|
State | Accepted |
diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan new file mode 100644 index 0000000..f989d6b --- /dev/null +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan @@ -0,0 +1,3 @@ +# Ensure nothing is forwarded onto WAN interface +iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable +ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
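Review bot: both added rules expand `$IF_WAN` unquoted and nothing checks that it is set; with an empty value `-o` has no interface name, the commands are malformed, and FORWARD is left without the intended block. Guard the two lines with a test for a non-empty `$IF_WAN` and quote the variable, so a missing value is noticed instead of silently skipping the rules. Separately, `-A` appends, so any ACCEPT rule placed earlier in FORWARD still matches first; if the intent is that nothing is ever forwarded onto WAN, note in the comment that this depends on rule order, or insert the rules at the head of the chain.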
Reviewed-by: Christian Dresel <fff@chrisi01.de>

On 10.09.19 22:09, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de> > --- > Changes in v2: > - Fix redundant --reject-with parameter > --- > .../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++ > 1 file changed, 3 insertions(+) > create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan > > diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan > new file mode 100644 > index 0000000..f989d6b > --- /dev/null > +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan > @@ -0,0 +1,3 @@ > +# Ensure nothing is forwarded onto WAN interface > +iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable > +ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route >
Hi Fabian,

this can be done. It shouldn't be necessary with correct routing, but better safe than sorry.

Reviewed-by: Robert Langhammer <rlanghammer@web.de>

On 10.09.19 at 22:09, Fabian Bläse wrote:
> Signed-off-by: Fabian Bläse <fabian@blaese.de> > --- > Changes in v2: > - Fix redundant --reject-with parameter > --- > .../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++ > 1 file changed, 3 insertions(+) > create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan > > diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan > new file mode 100644 > index 0000000..f989d6b > --- /dev/null > +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan > @@ -0,0 +1,3 @@ > +# Ensure nothing is forwarded onto WAN interface > +iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable > +ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
applied.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
---
Changes in v2:
- Fix redundant --reject-with parameter
---
.../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan