firewall.d: Check for unset IF_WAN

Submitted by Adrian Schmutzler on Oct. 9, 2019, 4:27 p.m.


Message ID 20191009162705.58991-1-freifunk@adrianschmutzler.de
State Accepted

Commit Message

Adrian Schmutzler Oct. 9, 2019, 4:27 p.m.
In some cases (mostly for one-port devices) IF_WAN was used
although not set, resulting in non-obvious iptables error
messages like

- Bad argument `conntrack'

- Bad argument `REJECT'

Thus, check whether IF_WAN is set to something before using it.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
---
 src/packages/fff/fff-firewall/Makefile                      | 2 +-
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ++++--
 src/packages/fff/fff-gateway/Makefile                       | 2 +-
 .../fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan  | 6 ++++--
 4 files changed, 10 insertions(+), 6 deletions(-)


diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 7bb82b17..56543331 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
index 50fa087b..aa04ce93 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -1,6 +1,8 @@ 
 # If an router has a direct internet connection simple attack act as DOS attack
-iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $IF_WAN -j REJECT
+if [ -n "$IF_WAN" ]; then
+	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+	iptables -A INPUT -i $IF_WAN -j REJECT
+fi
 
 # Limit ssh to 6 new connections per 60 seconds
 /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
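Review bot: The guard on the added `if [ -n "$IF_WAN" ]` line makes an empty IF_WAN silently skip the two INPUT rules that reject unsolicited traffic from the WAN side, so a device that does have a WAN but lost its IF_WAN setting ends up without that filter and without any trace of it — the old code at least failed loudly with the `Bad argument` errors the commit message cites. An `else` branch that records the skip, e.g. `else logger -t fff-firewall "IF_WAN unset, skipping WAN INPUT rules"` before the `fi`, would keep the condition visible (assuming `logger` is present on the target image). The two iptables lines should also quote the expansion, `-i "$IF_WAN"`, so word splitting cannot turn the interface argument into several. This is a flat firewall.d script, so there is no enclosing function cut by the hunk.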
diff --git a/src/packages/fff/fff-gateway/Makefile b/src/packages/fff/fff-gateway/Makefile
index 7a10544c..71075858 100644
--- a/src/packages/fff/fff-gateway/Makefile
+++ b/src/packages/fff/fff-gateway/Makefile
@@ -1,7 +1,7 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-gateway
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
 
diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
index f989d6be..2d4ee926 100644
--- a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
+++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
@@ -1,3 +1,5 @@ 
 # Ensure nothing is forwarded onto WAN interface
-iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
-ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+if [ -n "$IF_WAN" ]; then
+	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
+	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+fi
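Review bot: In the gateway package an empty IF_WAN at the new `if [ -n "$IF_WAN" ]` line silently skips the two FORWARD REJECT rules that implement the "nothing is forwarded onto WAN" comment, which is fail-open on the very interface this script exists to protect; on a gateway an unset IF_WAN looks more like a misconfiguration than a device without WAN, so the skip deserves a visible trace. Suggest `else logger -t fff-gateway "IF_WAN unset, skipping WAN forward block"` before the `fi` — the old code at least surfaced the problem through the `Bad argument` errors. Also quote the expansion in both rules, `-o "$IF_WAN"`. Whether another firewall.d script sets a FORWARD default policy that would still cover this case is not visible from this hunk.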

Comments

Robert Langhammer Oct. 19, 2019, 7:03 p.m.
Hi Adrian,

Fehler abfangen ist immer gut!

Reviewed-by: Robert Langhammer <rlanghammer@web.de>

Am 09.10.19 um 18:27 schrieb Adrian Schmutzler:
> In some cases (mostly for one-port devices) IF_WAN was used
> although not set, resulting in not obviously iptables error
> messages like
>
> - Bad argument `conntrack'
>
> - Bad argument `REJECT'
>
> Thus, check whether IF_WAN is set to something before using it.
>
> Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
> ---
>  src/packages/fff/fff-firewall/Makefile                      | 2 +-
>  .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ++++--
>  src/packages/fff/fff-gateway/Makefile                       | 2 +-
>  .../fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan  | 6 ++++--
>  4 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
> index 7bb82b17..56543331 100644
> --- a/src/packages/fff/fff-firewall/Makefile
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -1,7 +1,7 @@
>  include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=fff-firewall
> -PKG_RELEASE:=3
> +PKG_RELEASE:=4
>
>  PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
>
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> index 50fa087b..aa04ce93 100644
> --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> @@ -1,6 +1,8 @@
>  # If an router has a direct internet connection simple attack act as DOS attack
> -iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -iptables -A INPUT -i $IF_WAN -j REJECT
> +if [ -n "$IF_WAN" ]; then
> +	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> +	iptables -A INPUT -i $IF_WAN -j REJECT
> +fi
>
>  # Limit ssh to 6 new connections per 60 seconds
>  /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
> diff --git a/src/packages/fff/fff-gateway/Makefile b/src/packages/fff/fff-gateway/Makefile
> index 7a10544c..71075858 100644
> --- a/src/packages/fff/fff-gateway/Makefile
> +++ b/src/packages/fff/fff-gateway/Makefile
> @@ -1,7 +1,7 @@
>  include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=fff-gateway
> -PKG_RELEASE:=2
> +PKG_RELEASE:=3
>
>  PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
>
> diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> index f989d6be..2d4ee926 100644
> --- a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> @@ -1,3 +1,5 @@
>  # Ensure nothing is forwarded onto WAN interface
> -iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
> -ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
> +if [ -n "$IF_WAN" ]; then
> +	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
> +	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
> +fi
Adrian Schmutzler Nov. 17, 2019, 3:09 p.m.
Applied.

> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf
> Of robert
> Sent: Samstag, 19. Oktober 2019 21:03
> To: franken-dev@freifunk.net
> Subject: Re: [PATCH] firewall.d: Check for unset IF_WAN
> 
> Hi Adrian,
> 
> Fehler abfangen ist immer gut!
> 
> Reviewed-by: Robert Langhammer <rlanghammer@web.de>
> 
> Am 09.10.19 um 18:27 schrieb Adrian Schmutzler:
> > In some cases (mostly for one-port devices) IF_WAN was used although
> > not set, resulting in not obviously iptables error messages like
> >
> > - Bad argument `conntrack'
> >
> > - Bad argument `REJECT'
> >
> > Thus, check whether IF_WAN is set to something before using it.
> >
> > Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
> > ---
> >  src/packages/fff/fff-firewall/Makefile                      | 2 +-
> >  .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ++++--
> >  src/packages/fff/fff-gateway/Makefile                       | 2 +-
> >  .../fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan  | 6
> > ++++--
> >  4 files changed, 10 insertions(+), 6 deletions(-)
> >
> > diff --git a/src/packages/fff/fff-firewall/Makefile
> > b/src/packages/fff/fff-firewall/Makefile
> > index 7bb82b17..56543331 100644
> > --- a/src/packages/fff/fff-firewall/Makefile
> > +++ b/src/packages/fff/fff-firewall/Makefile
> > @@ -1,7 +1,7 @@
> >  include $(TOPDIR)/rules.mk
> >
> >  PKG_NAME:=fff-firewall
> > -PKG_RELEASE:=3
> > +PKG_RELEASE:=4
> >
> >  PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
> >
> > diff --git
> > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> > index 50fa087b..aa04ce93 100644
> > ---
> > a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter
> > +++ -ssh
> > @@ -1,6 +1,8 @@
> >  # If an router has a direct internet connection simple attack act as
> > DOS attack -iptables -A INPUT -i $IF_WAN -m conntrack --ctstate
> > RELATED,ESTABLISHED -j ACCEPT -iptables -A INPUT -i $IF_WAN -j REJECT
> > +if [ -n "$IF_WAN" ]; then
> > +	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> > +	iptables -A INPUT -i $IF_WAN -j REJECT fi
> >
> >  # Limit ssh to 6 new connections per 60 seconds  /usr/sbin/ip6tables
> > -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
> > --name dropbear diff --git a/src/packages/fff/fff-gateway/Makefile
> > b/src/packages/fff/fff-gateway/Makefile
> > index 7a10544c..71075858 100644
> > --- a/src/packages/fff/fff-gateway/Makefile
> > +++ b/src/packages/fff/fff-gateway/Makefile
> > @@ -1,7 +1,7 @@
> >  include $(TOPDIR)/rules.mk
> >
> >  PKG_NAME:=fff-gateway
> > -PKG_RELEASE:=2
> > +PKG_RELEASE:=3
> >
> >  PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
> >
> > diff --git
> > a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-
> > wan
> > b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-
> > wan
> > index f989d6be..2d4ee926 100644
> > ---
> > a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-
> > wan
> > +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forw
> > +++ ard-wan
> > @@ -1,3 +1,5 @@
> >  # Ensure nothing is forwarded onto WAN interface -iptables -A FORWARD
> > -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable -ip6tables -A
> > FORWARD -o $IF_WAN -j REJECT --reject-with no-route
> > +if [ -n "$IF_WAN" ]; then
> > +	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-
> unreachable
> > +	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route fi