[RFC,5/5] fff-network: enable forwarding; filter forwarding

Submitted by Tim Niemeyer on Feb. 13, 2018, 8:40 p.m.


Message ID 20180213204041.17528-5-tim@tn-x.org
State Superseded

Commit Message

Tim Niemeyer Feb. 13, 2018, 8:40 p.m.
Fixes #83
Signed-off-by: Tim Niemeyer <tim@tn-x.org>
---

 src/packages/fff/fff-network/Makefile                                | 2 +-
 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf  | 5 ++++-
 .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding   | 2 ++
 src/packages/fff/fff-network/files/usr/sbin/configurenetwork         | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding


diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index 348897d..980800a 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -13,7 +13,7 @@  define Package/$(PKG_NAME)
     CATEGORY:=Freifunk
     TITLE:= Freifunk-Franken network configuration
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-uradvd +fff-boardname
+    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index 7fe4725..4f1c24f 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -26,7 +26,6 @@  net.ipv4.conf.default.accept_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
-# net.ipv6.conf.all.forwarding=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
@@ -68,3 +67,7 @@  net.ipv6.conf.all.dad_transmits = 3
 # How many global unicast IPv6 addresses can be assigned to each interface?
 net.ipv6.conf.default.max_addresses = 0
 net.ipv6.conf.all.max_addresses = 0
+
+# Enable forwarding, otherwise not all local route are examined
+net.ipv6.conf.default.forwarding=0
+net.ipv6.conf.all.forwarding=1
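Review bot: The comment on the added lines gives the motivation ("not all local route are examined") but not why turning on `net.ipv6.conf.all.forwarding` is acceptable on a node that is not supposed to route; the only thing in this series that stops transit traffic once forwarding is on is the FORWARD DROP policy in 06-disable-forwarding, and that dependency is invisible from this file. Suggest `# Enable IPv6 forwarding so the kernel examines all local routes (#83); transit traffic is blocked by the FORWARD DROP policy in firewall.d/06-disable-forwarding, and forwarding is disabled again per interface where the node must act as a host.` Whether the firewall script is applied before this sysctl file at boot is not visible here; if it is not, there is a window with forwarding on and an ACCEPT policy, which is worth confirming. Note also that `net.ipv4.ip_forward=0` stays off, so IPv4 and IPv6 now differ and the comment should state that this is intentional.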
diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
new file mode 100644
index 0000000..793b0d8
--- /dev/null
+++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
@@ -0,0 +1,2 @@ 
+/sbin/iptables -P FORWARD DROP
+/sbin/ip6tables -P FORWARD DROP
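Review bot: The two policy commands in the new file have no failure handling, so if `ip6tables` is missing or the IPv6 filter table cannot be loaded the command fails silently while `net.ipv6.conf.all.forwarding=1` from 50-fff-network.conf stays in effect, which is the opposite of the intent. A chain policy is also only the fall-through default: any ACCEPT rule another firewall.d script appends to FORWARD bypasses it, so the file should say that it is a backstop rather than a filter. Suggest a header `# Backstop for net.ipv6.conf.all.forwarding=1: drop everything not explicitly allowed in FORWARD` and reporting failure, e.g. `/sbin/ip6tables -P FORWARD DROP || logger -t fff-firewall "failed to set ip6tables FORWARD policy"`. How fff-firewall runs the files in firewall.d (sourced or executed, before or after sysctl) is not visible here.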
diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
index 38d7413..e0f2ba4 100755
--- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
+++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
@@ -40,6 +40,7 @@  setAutoConf() {
     echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
     echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
     echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
+    echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf
 
     /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
 }
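Review bot: The added `forwarding = 0` line, unlike its neighbours, ignores `$on` and carries no comment, so a reader cannot tell why the WAN interface is the one place forwarding is forced off again after `net.ipv6.conf.all.forwarding=1`. The reason matters for the lines right above it: the kernel only honours `accept_ra=1` on an interface whose own forwarding flag is off (with forwarding on, `accept_ra` must be 2), so without this line the WAN autoconf settings written here would be dead. Suggest `# WAN stays a host: with forwarding on, accept_ra=1 would be ignored (needs 2) and the node would announce itself as a router`. setAutoConf's body starts before this hunk; also, if `$iface` can be a VLAN sub-interface such as eth0.2, the `net.ipv6.conf.$iface.…` key form is ambiguous to sysctl (dots are path separators), though whether that can happen here is not visible.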

Comments

Robert Langhammer Feb. 14, 2018, 10:31 a.m.
Hallo Tim, s.u.


Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
> Fixes #83
> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> ---
>
>  src/packages/fff/fff-network/Makefile                                | 2 +-
>  src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf  | 5 ++++-
>  .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding   | 2 ++
>  src/packages/fff/fff-network/files/usr/sbin/configurenetwork         | 1 +
>  4 files changed, 8 insertions(+), 2 deletions(-)
>  create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>
> diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
> index 348897d..980800a 100644
> --- a/src/packages/fff/fff-network/Makefile
> +++ b/src/packages/fff/fff-network/Makefile
> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
>      CATEGORY:=Freifunk
>      TITLE:= Freifunk-Franken network configuration
>      URL:=http://www.freifunk-franken.de
> -    DEPENDS:=+fff-uradvd +fff-boardname
> +    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
>  endef
>  
>  define Package/$(PKG_NAME)/description
> diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> index 7fe4725..4f1c24f 100644
> --- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
>  net.ipv4.icmp_echo_ignore_broadcasts=1
>  net.ipv4.icmp_ignore_bogus_error_responses=1
>  net.ipv4.ip_forward=0
> -# net.ipv6.conf.all.forwarding=1
>  
>  # disable bridge firewalling by default
>  net.bridge.bridge-nf-call-arptables=0
> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
>  # How many global unicast IPv6 addresses can be assigned to each interface?
>  net.ipv6.conf.default.max_addresses = 0
>  net.ipv6.conf.all.max_addresses = 0
Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0 ist
ja unbegrenzt.
> +
> +# Enable forwarding, otherwise not all local route are examined
> +net.ipv6.conf.default.forwarding=0
> +net.ipv6.conf.all.forwarding=1
Das muss man umdrehen. conf.all ueberschreibt auch conf.default und dann
ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein.
Damitdas IsRouter Flag nicht gesetzt wird.

Robert
> diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> new file mode 100644
> index 0000000..793b0d8
> --- /dev/null
> +++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> @@ -0,0 +1,2 @@
> +/sbin/iptables -P FORWARD DROP
> +/sbin/ip6tables -P FORWARD DROP
> diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> index 38d7413..e0f2ba4 100755
> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> @@ -40,6 +40,7 @@ setAutoConf() {
>      echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
>      echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
>      echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
> +    echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf
>  
>      /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
>  }
Tim Niemeyer Feb. 14, 2018, 10:37 a.m.
Hi

Am 14. Februar 2018 11:05:36 MEZ schrieb robert <rlanghammer@web.de>:
>Hi Tim,
>
>Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
>> Fixes #83
>> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
>> ---
>>
>>  src/packages/fff/fff-network/Makefile                               
>| 2 +-
>>  src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf 
>| 5 ++++-
>>  .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding  
>| 2 ++
>>  src/packages/fff/fff-network/files/usr/sbin/configurenetwork        
>| 1 +
>>  4 files changed, 8 insertions(+), 2 deletions(-)
>>  create mode 100644
>src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>>
>> diff --git a/src/packages/fff/fff-network/Makefile
>b/src/packages/fff/fff-network/Makefile
>> index 348897d..980800a 100644
>> --- a/src/packages/fff/fff-network/Makefile
>> +++ b/src/packages/fff/fff-network/Makefile
>> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
>>      CATEGORY:=Freifunk
>>      TITLE:= Freifunk-Franken network configuration
>>      URL:=http://www.freifunk-franken.de
>> -    DEPENDS:=+fff-uradvd +fff-boardname
>> +    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
>>  endef
>>  
>>  define Package/$(PKG_NAME)/description
>> diff --git
>a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> index 7fe4725..4f1c24f 100644
>> ---
>a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> +++
>b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
>>  net.ipv4.icmp_echo_ignore_broadcasts=1
>>  net.ipv4.icmp_ignore_bogus_error_responses=1
>>  net.ipv4.ip_forward=0
>> -# net.ipv6.conf.all.forwarding=1
>>  
>>  # disable bridge firewalling by default
>>  net.bridge.bridge-nf-call-arptables=0
>> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
>>  # How many global unicast IPv6 addresses can be assigned to each
>interface?
>>  net.ipv6.conf.default.max_addresses = 0
>>  net.ipv6.conf.all.max_addresses = 0
>Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0
>ist
>ja unbegrenzt.

Also default lassen.. Denke ich auch.


>> +
>> +# Enable forwarding, otherwise not all local route are examined
>> +net.ipv6.conf.default.forwarding=0
>> +net.ipv6.conf.all.forwarding=1
>Das muss man umdrehen. conf.all ueberschreibt auch conf.default und
>dann
>ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein. Damit
>das IsRouter Flag nicht gesetzt wird.

Ich wollte es am liebsten auf allen interfaces abschalten, aber das hab ich gestern nicht mehr hinbekommen. Deswegen is das hier auch nur RFC.

Meinst du br-mesh zu nehmen reicht?

Tim


>Robert
>> diff --git
>a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>> new file mode 100644
>> index 0000000..793b0d8
>> --- /dev/null
>> +++
>b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>> @@ -0,0 +1,2 @@
>> +/sbin/iptables -P FORWARD DROP
>> +/sbin/ip6tables -P FORWARD DROP
>> diff --git
>a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> index 38d7413..e0f2ba4 100755
>> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> @@ -40,6 +40,7 @@ setAutoConf() {
>>      echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>>      echo "net.ipv6.conf.$iface.autoconf = $on" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>>      echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>> +    echo "net.ipv6.conf.$iface.forwarding = 0" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>>  
>>      /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
>>  }
Robert Langhammer Feb. 14, 2018, 10:57 a.m.
Am 14.02.2018 um 11:37 schrieb Tim Niemeyer:
> Hi
>
> Am 14. Februar 2018 11:05:36 MEZ schrieb robert <rlanghammer@web.de>:
>> Hi Tim,
>>
>> Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
>>> Fixes #83
>>> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
>>> ---
>>>
>>>  src/packages/fff/fff-network/Makefile                               
>> | 2 +-
>>>  src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf 
>> | 5 ++++-
>>>  .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding  
>> | 2 ++
>>>  src/packages/fff/fff-network/files/usr/sbin/configurenetwork        
>> | 1 +
>>>  4 files changed, 8 insertions(+), 2 deletions(-)
>>>  create mode 100644
>> src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>>> diff --git a/src/packages/fff/fff-network/Makefile
>> b/src/packages/fff/fff-network/Makefile
>>> index 348897d..980800a 100644
>>> --- a/src/packages/fff/fff-network/Makefile
>>> +++ b/src/packages/fff/fff-network/Makefile
>>> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
>>>      CATEGORY:=Freifunk
>>>      TITLE:= Freifunk-Franken network configuration
>>>      URL:=http://www.freifunk-franken.de
>>> -    DEPENDS:=+fff-uradvd +fff-boardname
>>> +    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
>>>  endef
>>>  
>>>  define Package/$(PKG_NAME)/description
>>> diff --git
>> a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>>> index 7fe4725..4f1c24f 100644
>>> ---
>> a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>>> +++
>> b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>>> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
>>>  net.ipv4.icmp_echo_ignore_broadcasts=1
>>>  net.ipv4.icmp_ignore_bogus_error_responses=1
>>>  net.ipv4.ip_forward=0
>>> -# net.ipv6.conf.all.forwarding=1
>>>  
>>>  # disable bridge firewalling by default
>>>  net.bridge.bridge-nf-call-arptables=0
>>> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
>>>  # How many global unicast IPv6 addresses can be assigned to each
>> interface?
>>>  net.ipv6.conf.default.max_addresses = 0
>>>  net.ipv6.conf.all.max_addresses = 0
>> Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0
>> ist
>> ja unbegrenzt.
> Also default lassen.. Denke ich auch.
>
>
>>> +
>>> +# Enable forwarding, otherwise not all local route are examined
>>> +net.ipv6.conf.default.forwarding=0
>>> +net.ipv6.conf.all.forwarding=1
>> Das muss man umdrehen. conf.all ueberschreibt auch conf.default und
>> dann
>> ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein. Damit
>> das IsRouter Flag nicht gesetzt wird.
> Ich wollte es am liebsten auf allen interfaces abschalten, aber das hab ich gestern nicht mehr hinbekommen. Deswegen is das hier auch nur RFC.
>
> Meinst du br-mesh zu nehmen reicht?
Ich habs ausprobiert, wenn man die 2 Zeilen umdreht, steht default auf 0
und alle dazukommenden Interfaces, also auch br-mesh haben die 0. So
sieht es dann mit umgedrehten Zeilen aus (1043v4)

sysctl -a 2>/dev/null | grep ipv6.*\\.forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.bat0.forwarding = 0
net.ipv6.conf.br-mesh.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.1.forwarding = 0
net.ipv6.conf.eth0.2.forwarding = 0
net.ipv6.conf.eth0.3.forwarding = 0
net.ipv6.conf.fffVPN.forwarding = 0
net.ipv6.conf.ifb0.forwarding = 1
net.ipv6.conf.ifb1.forwarding = 1
net.ipv6.conf.l2tp0.forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.teql0.forwarding = 1
net.ipv6.conf.w2ap.forwarding = 0
net.ipv6.conf.w2configap.forwarding = 0
net.ipv6.conf.w2mesh.forwarding = 0

bei allen wichtigen nach aussen 0.

Oder/und um sicher zu gehen, koennte man ja in configurenetwork br-mesh
nochmal extra setzen.

Um alle ab zu schalten sehe ich keine sysctl Moeglichkeit, da muesste
man scripten, und das waere dann doch zu doof.
Robert
>
> Tim
>
>
>> Robert
>>> diff --git
>> a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>> b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>>> new file mode 100644
>>> index 0000000..793b0d8
>>> --- /dev/null
>>> +++
>> b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>>> @@ -0,0 +1,2 @@
>>> +/sbin/iptables -P FORWARD DROP
>>> +/sbin/ip6tables -P FORWARD DROP
>>> diff --git
>> a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>>> index 38d7413..e0f2ba4 100755
>>> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>>> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>>> @@ -40,6 +40,7 @@ setAutoConf() {
>>>      echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >>
>> /etc/sysctl.d/51-fff-network-wan.conf
>>>      echo "net.ipv6.conf.$iface.autoconf = $on" >>
>> /etc/sysctl.d/51-fff-network-wan.conf
>>>      echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >>
>> /etc/sysctl.d/51-fff-network-wan.conf
>>> +    echo "net.ipv6.conf.$iface.forwarding = 0" >>
>> /etc/sysctl.d/51-fff-network-wan.conf
>>>  
>>>      /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
>>>  }