From patchwork Tue Apr 5 05:29:19 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [v3,4/9] fff-firewall: new package From: Tim Niemeyer X-Patchwork-Id: 59 Message-Id: <1459834164-6815-5-git-send-email-tim@tn-x.org> To: franken-dev@freifunk.net Cc: Tim Niemeyer Date: Tue, 5 Apr 2016 07:29:19 +0200 - moves the node<-->client ra rules to package fff-uradvd 
Signed-off-by: Tim Niemeyer
---
Changes in v2:
- fix indention and code styles
- fix variable usage
- fix utf8
bsp/default/root_file_system/etc/config/firewall | 103 ------------------
bsp/default/root_file_system/etc/firewall.user | 120 ---------------------
bsp/default/root_file_system/etc/rc.local.tpl | 2 -
src/packages/fff/fff-firewall/Makefile | 43 ++++++++
.../fff/fff-firewall/files/etc/init.d/fff-firewall | 28 +++++
.../files/usr/lib/firewall.d/00-prepare | 6 ++
.../files/usr/lib/firewall.d/05-setup-chains | 34 ++++++
.../files/usr/lib/firewall.d/20-clamp-mss | 2 +
.../files/usr/lib/firewall.d/20-filter-ssh | 7 ++
.../files/usr/lib/firewall.d/30-client-dhcp | 8 ++
.../files/usr/lib/firewall.d/30-client-dhcpv6 | 8 ++
.../files/usr/lib/firewall.d/30-client-ra | 5 +
.../files/usr/lib/firewall.d/31-node-dhcp | 5 +
.../files/usr/lib/firewall.d/31-node-dhcpv6 | 5 +
.../files/usr/lib/firewall.d/31-node-ra | 11 ++
.../fff-firewall/files/usr/lib/firewall.d/35-mc | 6 ++
.../files/usr/lib/firewall.d/35-mc-arp | 8 ++
.../files/usr/lib/firewall.d/35-mc-ping | 6 ++
.../files/usr/lib/firewall.d/40-local-node | 11 ++
.../files/usr/lib/firewall.d/32-local-ra | 5 +
20 files changed, 198 insertions(+), 225 deletions(-)
delete mode 100644 bsp/default/root_file_system/etc/config/firewall
delete mode 100755 bsp/default/root_file_system/etc/firewall.user
create mode 100644 src/packages/fff/fff-firewall/Makefile
create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
deleted file mode 100644
index ed57672..0000000
--- a/bsp/default/root_file_system/etc/config/firewall
+++ /dev/null
@@ -1,103 +0,0 @@
-config defaults
- option syn_flood 1
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-
-config zone
- option name lan
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-
-config zone
- option name wan
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
-
-config forwarding
- option src lan
- option dest wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
-
-#Allow ping
-config rule
- option src wan
- option proto icmp
- option icmp_type echo-request
- option target ACCEPT
-
-#Allow SSH on WAN
-config rule
- option src wan
- option dest_port 22
- option target ACCEPT
- option proto tcp
-
-# include a file with users custom iptables rules
-config include
- option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option dest wan
-# option proto tcp
-# option target REJECT
-
-# block a specific mac on wan
-#config rule
-# option dest wan
-# option src_mac 00:11:22:33:44:66
-# option target REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-# option src lan
-# option proto ICMP
-# option target DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.16.235
-# option dest_port 80
-# option proto tcp
-
-
-### FULL CONFIG SECTIONS
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 80
-# option dest wan
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
-# option target REJECT
-
-#config redirect
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 1024
-# option src_dport 80
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
\ No newline at end of file
diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
deleted file mode 100755
index 8ae48dc..0000000
--- a/bsp/default/root_file_system/etc/firewall.user
+++ /dev/null
@@ -1,120 +0,0 @@
-#!/bin/sh
-
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
-# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
-# Das wirkt bei kleinen Geräten wie ein DOS
-WAN=$(uci get network.wan.ifname)
-iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $WAN -j REJECT
-
-# Limit ssh to 3 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
-
-
-# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
-
-######## CLEAN UP ############
-ebtables -F
-ebtables -X
-
-######## IN_ONLY ############
-ebtables -N IN_ONLY -P RETURN
-
-# Daten aus dem BATMAN werden erlaubt
-# Alles außer Daten von BATMAN werden DROP'ed
-ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
-
-######## OUT_ONLY ############
-ebtables -N OUT_ONLY -P RETURN
-
-# Daten ins BATMAN werden erlaubt
-# Alles außer Daten ins BATMAN werden DROP'ed
-ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
-
-######## MULTICAST_OUT ############
-ebtables -N MULTICAST_OUT -P DROP
-
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
-# Erlaube DHCP Requests
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
-# Erlaube DHCPv6 Requests
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
-
-######## INPUT ############
-ebtables -P INPUT ACCEPT
-
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
-
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Verbiete Router-Solicitation von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
-
-######## FORWARD ############
-ebtables -P FORWARD ACCEPT
-
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
-ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
-
-######## OUTPUT ############
-ebtables -P OUTPUT ACCEPT
-
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Verbiete Router-Advertisment von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
-ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
index ddf208d..d6384d8 100755
--- a/bsp/default/root_file_system/etc/rc.local.tpl
+++ b/bsp/default/root_file_system/etc/rc.local.tpl
@@ -56,8 +56,6 @@ fi
 # Starting NTP-Client Daemon after 30s to ensure that the interface is up
 ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
-. /etc/firewall.user
-
 /etc/init.d/qos disable
 /etc/init.d/qos stop
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
new file mode 100644
index 0000000..e2a3b19
--- /dev/null
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -0,0 +1,43 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-firewall
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-firewall
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken firewall
+ URL:=http://www.freifunk-franken.de
+ DEPENDS:=+arptables \
+ +ebtables +ebtables-utils \
+ +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
+ +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
+endef
+
+define Package/fff-batman-adv-legacy/description
+ This is the firewall for the Freifunk Franken Firmware
+ It is used to configure firewall.
+endef
+
+define Build/Prepare
+ echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+ # nothing
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-firewall/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-firewall))
diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
new file mode 100755
index 0000000..d460222
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
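Review bot: The description block in the new Makefile is defined as `define Package/fff-batman-adv-legacy/description`, which looks copied from another package; OpenWrt keys the description on the package name, so this text is never attached to fff-firewall. It should read `define Package/fff-firewall/description`. While touching it, the text could say what the package actually does, e.g. `Installs the ebtables/iptables rule fragments under /usr/lib/firewall.d and the init script that applies them in filename order.`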
@@ -0,0 +1,28 @@
+#!/bin/sh /etc/rc.common
+
+START=50
+
+USE_PROCD=1
+
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+
+FIREWALL_DIR=/usr/lib/firewall.d
+
+service_triggers()
+{
+ procd_add_reload_trigger "fff-firewall"
+}
+
+start_service()
+{
+ local file
+
+ IF_WAN=$(uci get network.wan.ifname)
+
+ for file in ${FIREWALL_DIR}/*; do
+ if [ -f "$file" ]; then
+ . "$file"
+ fi
+ done
+}
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
new file mode 100755
index 0000000..4807e61
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
@@ -0,0 +1,6 @@
+######## CLEAN UP ############
+ebtables -F
+ebtables -X
+
+iptables -F
+iptables -X
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
new file mode 100755
index 0000000..3d2069f
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
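Review bot: `IF_WAN=$(uci get network.wan.ifname)` in start_service is never checked, and 20-filter-ssh later expands it unquoted as `-i $IF_WAN`; if the uci key is missing the variable is empty, iptables rejects the malformed rule, the sourced fragment carries on, and the WAN REJECT rule that fragment relies on is simply absent with nothing logged. Failing loudly is the safer default, e.g. `IF_WAN=$(uci -q get network.wan.ifname)` followed by `[ -n "$IF_WAN" ] || { logger -t fff-firewall "network.wan.ifname not set, WAN rules skipped"; return 1; }`. The same applies to the loop: every fragment is sourced with `.` and each command's exit status is ignored, so one failing rule leaves a partially applied policy; at minimum log when a fragment ends with a non-zero status. As far as I know `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` are only read by the legacy service helpers and have no effect once `USE_PROCD=1` is set, so they can go.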
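Review bot: 00-prepare flushes ebtables and iptables but never ip6tables, yet 20-filter-ssh appends two ip6tables rules; because start_service is re-run on every restart and on each reload fired by `procd_add_reload_trigger`, the IPv6 INPUT chain accumulates duplicate `-m recent` rules over time. Add `ip6tables -F` and `ip6tables -X` next to the iptables lines. Worth a comment as well: `iptables -F`/`-X` without `-t` only touches the filter table, and flushing it discards any filter rules other packages may have installed there, which is presumably intended for this firmware but not obvious to a reader.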
@@ -0,0 +1,34 @@
+######## IN_ONLY ############
+ebtables -N IN_ONLY -P RETURN
+
+# Daten aus dem BATMAN werden erlaubt
+# Alles ausser Daten von BATMAN werden DROP'ed
+ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
+
+######## OUT_ONLY ############
+ebtables -N OUT_ONLY -P RETURN
+
+# Daten ins BATMAN werden erlaubt
+# Alles ausser Daten ins BATMAN werden DROP'ed
+ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
+
+######## MULTICAST_OUT ############
+ebtables -N MULTICAST_OUT -P DROP
+
+######## INPUT ############
+ebtables -P INPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+######## FORWARD ############
+ebtables -P FORWARD ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
+ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
+
+######## OUTPUT ############
+ebtables -P OUTPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
+ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
new file mode 100755
index 0000000..f2ee439
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
@@ -0,0 +1,2 @@
+#solves MTU problem with bad ISPs
+iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
new file mode 100755
index 0000000..7fd4e30
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
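Review bot: The comment above the INPUT rule in 05-setup-chains, `# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT`, does not describe the rule under it, which jumps straight to ACCEPT and never passes through MULTICAST_OUT; it appears to have been copied from the FORWARD/OUTPUT rules. Suggest `# Multicast/Broadcast von CLIENT -> KNOTEN wird direkt akzeptiert (nicht ueber MULTICAST_OUT)`. Since the chains created here are filled by the 2x-/3x- fragments and the only thing ordering them is the glob over /usr/lib/firewall.d, a header line such as `# Muss vor allen anderen Fragmenten laufen: legt IN_ONLY, OUT_ONLY und MULTICAST_OUT an` would make that dependency explicit.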
@@ -0,0 +1,7 @@
+# If an router has a direct internet connection simple attack act as DOS attack
+iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i $IF_WAN -j REJECT
+
+# Limit ssh to 3 new connections per 60 seconds
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
new file mode 100755
index 0000000..a50c799
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
@@ -0,0 +1,8 @@
+# Erlaube DHCP Requests
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+
+# Erlaube nur DHCP Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+
+# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
new file mode 100755
index 0000000..068ef06
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
@@ -0,0 +1,8 @@
+# Erlaube DHCPv6 Requests
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+
+# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+
+# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
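Review bot: The two WAN rules in 20-filter-ssh are IPv4 only — there is no ip6tables counterpart to `-i $IF_WAN -j REJECT` — so if the WAN interface ever carries a routable IPv6 address every listening service stays reachable over IPv6 and only SSH is rate-limited; if that is intended, say so in a comment, otherwise mirror them with `ip6tables -A INPUT -i "$IF_WAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `ip6tables -A INPUT -i "$IF_WAN" -j REJECT`. The file also mixes `-m conntrack --ctstate` with the older `-m state --state`, and bare `iptables` with `/usr/sbin/ip6tables`; one form of each would be easier to maintain. The opening comment is hard to parse; suggest `# A router with a direct WAN link is exposed to SSH brute force, which acts as a DoS on small devices: only reply traffic is allowed in from WAN`. The unchecked/empty `$IF_WAN` case is raised on the init script hunk.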
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
new file mode 100755
index 0000000..29562de
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
@@ -0,0 +1,5 @@
+# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
new file mode 100755
index 0000000..9280a91
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
@@ -0,0 +1,5 @@
+# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+
+# Erlaube nur DHCP Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
new file mode 100755
index 0000000..97c3df3
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
@@ -0,0 +1,5 @@
+# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+
+# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
new file mode 100755
index 0000000..e619201
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
@@ -0,0 +1,11 @@
+# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+
+# Verbiete Router-Solicitation von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+
+# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Verbiete Router-Advertisment von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
new file mode 100755
index 0000000..50cc31f
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
@@ -0,0 +1,6 @@
+# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
+
+# Erlaube Organisation der Multicast Gruppen
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
new file mode 100755
index 0000000..50e0191
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
@@ -0,0 +1,8 @@
+# Verbiete ARP Antworten an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+
+# Verbiete ARP Requests an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+
+# Erlaube alle anderen ARP's
+ebtables -A MULTICAST_OUT -p ARP -j RETURN
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
new file mode 100755
index 0000000..877b027
--- /dev/null
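Review bot: The comment `# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??` in 35-mc carries an open question over from the old firewall.user; `--ip6-proto 0` matches IPv6 packets whose Next Header is the Hop-by-Hop Options extension header, which is where MLD reports and queries carry their Router Alert option, so this rule is the IPv6 counterpart of the IGMP rule right below it. Suggest replacing it with `# Erlaube IPv6 mit Hop-by-Hop-Header (Next Header 0): MLD (Multicast-Gruppenverwaltung) traegt dort die Router-Alert-Option`. The match is broader than MLD — anything with a Hop-by-Hop header returns from MULTICAST_OUT — which is worth stating in the same comment. The trailing empty line at the end of the file is harmless but inconsistent with the other fragments.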
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
@@ -0,0 +1,6 @@
+# Erlaube PING
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
+
+# Erlaube PINGv6
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
new file mode 100755
index 0000000..cce7231
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
@@ -0,0 +1,11 @@
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
new file mode 100755
index 0000000..ae2dba2
--- /dev/null
+++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
@@ -0,0 +1,5 @@
+# Erlaube router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+
+# Erlaube router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
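Review bot: Both comments in 35-mc-ping say PING but the rules match every ICMP/ICMPv6 packet, not only echo requests: `--ip6-proto ipv6-icmp -j RETURN` lets all multicast ICMPv6 from clients into the mesh, including neighbour and router solicitations, which is presumably needed for IPv6 to work at all, so the rules are likely right and the comments misleading. Suggest `# Erlaube ICMPv4 (u.a. Ping)` and `# Erlaube ICMPv6 (nicht nur Ping: auch Neighbour Discovery laeuft ueber Multicast)`. If echo-only really is the intent, ebtables can narrow it with `--ip6-icmp-type echo-request`, the same match this patch already uses for router-solicitation elsewhere.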
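Review bot: 32-local-ra is created under src/packages/fff/fff-uradvd while every other fragment belongs to fff-firewall, and nothing in this patch shows fff-uradvd's Makefile installing files/usr/lib/firewall.d, so please confirm that package's install recipe copies it. As far as the rules in this patch go, the two ACCEPTs also appear to be no-ops: INPUT and OUTPUT policy is ACCEPT, and the only RS/RA drops (31-node-ra) match `-i bat0` / `-o bat0`, disjoint from the `! bat0` matched here. If they are kept as a guard against later fragments, a comment should say so, e.g. `# Explizite ACCEPTs, damit spaetere Fragmente RS/RA zwischen Client und Knoten nicht versehentlich sperren`.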