Message ID | 20180213204041.17528-5-tim@tn-x.org |
---|---|
State | Superseded |
diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index 348897d..980800a 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
 CATEGORY:=Freifunk
 TITLE:= Freifunk-Franken network configuration
 URL:=http://www.freifunk-franken.de
- DEPENDS:=+fff-uradvd +fff-boardname
+ DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index 7fe4725..4f1c24f 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
-# net.ipv6.conf.all.forwarding=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
@@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
 # How many global unicast IPv6 addresses can be assigned to each interface?
 net.ipv6.conf.default.max_addresses = 0
 net.ipv6.conf.all.max_addresses = 0
+
+# Enable forwarding, otherwise not all local route are examined
+net.ipv6.conf.default.forwarding=0
+net.ipv6.conf.all.forwarding=1
diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
new file mode 100644
index 0000000..793b0d8
--- /dev/null
+++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
@@ -0,0 +1,2 @@
+/sbin/iptables -P FORWARD DROP
+/sbin/ip6tables -P FORWARD DROP
diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
index 38d7413..e0f2ba4 100755
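Review bot: The comment above `net.ipv6.conf.all.forwarding=1` names the effect but not the compensating control, so a maintainer who sees IPv6 forwarding enabled next to `net.ipv4.ip_forward=0` will read it as a mistake; it also has a typo ("route" should be "routes"). Since the firewall policy added in the same patch is the only thing that keeps this setting from turning the node into a router between its interfaces, the comment should make that dependency explicit. I would replace it with `# IPv6 forwarding is enabled on "all" only so that the kernel consults every local route (#83); nothing is actually forwarded because /usr/lib/firewall.d/06-disable-forwarding sets the FORWARD policy to DROP.`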
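Review bot: Both policy commands in the new 06-disable-forwarding hook run unchecked, so if ip6tables is missing or fails the node is left with IPv6 forwarding enabled by 50-fff-network.conf and a FORWARD policy of ACCEPT, silently routing between WAN and mesh; the failure should at least be logged, e.g. `/sbin/ip6tables -P FORWARD DROP || logger -t fff-firewall "could not set ip6tables FORWARD policy to DROP"`. There is presumably also a window between the sysctl being applied at boot and the firewall hooks running during which forwarding is unrestricted — worth confirming the ordering of the two. The file also carries no explanation of why a DROP policy is set on a node that deliberately enables forwarding; I would add `# Forwarding is switched on in sysctl only for route lookup (#83); this node must never forward anything.` as its first line.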
--- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
+++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
@@ -40,6 +40,7 @@ setAutoConf() {
 echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
 echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
 echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
+ echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf
 
 /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
 }
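Review bot: The new `forwarding = 0` line has no comment although its reason is not obvious from the code: per the kernel's ip-sysctl documentation an interface with `forwarding=1` ignores Router Advertisements unless `accept_ra` is 2, so once 50-fff-network.conf enables `conf.all.forwarding` the WAN interface would stop autoconfiguring without this line. I would add `# with forwarding=1 the kernel ignores RAs unless accept_ra=2; keep the WAN interface a plain host` above it. Unlike the three settings before it this value is a constant rather than `$on`, so forwarding stays off on the WAN interface even when autoconf is disabled — that looks intended but deserves a word in the same comment. Note also that any later re-application of 50-fff-network.conf writes `all.forwarding=1` through to this interface again and only a subsequent run of the 51 file restores 0, which is fine if the sysctl.d files are always applied together in name order but is worth confirming. setAutoConf begins before this hunk.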
Hallo Tim, s.u. Am 13.02.2018 um 21:40 schrieb Tim Niemeyer: > Fixes #83 > Signed-off-by: Tim Niemeyer <tim@tn-x.org> > --- > > src/packages/fff/fff-network/Makefile | 2 +- > src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf | 5 ++++- > .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding | 2 ++ > src/packages/fff/fff-network/files/usr/sbin/configurenetwork | 1 + > 4 files changed, 8 insertions(+), 2 deletions(-) > create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding > > diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile > index 348897d..980800a 100644 > --- a/src/packages/fff/fff-network/Makefile > +++ b/src/packages/fff/fff-network/Makefile > @@ -13,7 +13,7 @@ define Package/$(PKG_NAME) > CATEGORY:=Freifunk > TITLE:= Freifunk-Franken network configuration > URL:=http://www.freifunk-franken.de > - DEPENDS:=+fff-uradvd +fff-boardname > + DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall > endef > > define Package/$(PKG_NAME)/description > diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf > index 7fe4725..4f1c24f 100644 > --- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf > +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf > @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0 > net.ipv4.icmp_echo_ignore_broadcasts=1 > net.ipv4.icmp_ignore_bogus_error_responses=1 > net.ipv4.ip_forward=0 > -# net.ipv6.conf.all.forwarding=1 > > # disable bridge firewalling by default > net.bridge.bridge-nf-call-arptables=0 
> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3 > # How many global unicast IPv6 addresses can be assigned to each interface? > net.ipv6.conf.default.max_addresses = 0 > net.ipv6.conf.all.max_addresses = 0 Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0 ist ja unbegrenzt. > + > +# Enable forwarding, otherwise not all local route are examined > +net.ipv6.conf.default.forwarding=0 > +net.ipv6.conf.all.forwarding=1 Das muss man umdrehen. conf.all ueberschreibt auch conf.default und dann ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein. Damitdas IsRouter Flag nicht gesetzt wird. Robert > diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding > new file mode 100644 > index 0000000..793b0d8 > --- /dev/null > +++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding > @@ -0,0 +1,2 @@ > +/sbin/iptables -P FORWARD DROP > +/sbin/ip6tables -P FORWARD DROP > diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork > index 38d7413..e0f2ba4 100755 > --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork > +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork > @@ -40,6 +40,7 @@ setAutoConf() { > echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf > echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf > echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf > + echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf > > /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf > }
Hi Am 14. Februar 2018 11:05:36 MEZ schrieb robert <rlanghammer@web.de>: >Hi Tim, > >Am 13.02.2018 um 21:40 schrieb Tim Niemeyer: >> Fixes #83 >> Signed-off-by: Tim Niemeyer <tim@tn-x.org> >> --- >> >> src/packages/fff/fff-network/Makefile >| 2 +- >> src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >| 5 ++++- >> .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >| 2 ++ >> src/packages/fff/fff-network/files/usr/sbin/configurenetwork >| 1 + >> 4 files changed, 8 insertions(+), 2 deletions(-) >> create mode 100644 >src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >> >> diff --git a/src/packages/fff/fff-network/Makefile >b/src/packages/fff/fff-network/Makefile >> index 348897d..980800a 100644 >> --- a/src/packages/fff/fff-network/Makefile >> +++ b/src/packages/fff/fff-network/Makefile >> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME) >> CATEGORY:=Freifunk >> TITLE:= Freifunk-Franken network configuration >> URL:=http://www.freifunk-franken.de >> - DEPENDS:=+fff-uradvd +fff-boardname >> + DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall >> endef >> >> define Package/$(PKG_NAME)/description >> diff --git >a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >> index 7fe4725..4f1c24f 100644 >> --- >a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >> +++ >b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0 >> net.ipv4.icmp_echo_ignore_broadcasts=1 >> net.ipv4.icmp_ignore_bogus_error_responses=1 >> net.ipv4.ip_forward=0 >> -# net.ipv6.conf.all.forwarding=1 >> >> # disable bridge firewalling by default >> net.bridge.bridge-nf-call-arptables=0 
>> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3 >> # How many global unicast IPv6 addresses can be assigned to each >interface? >> net.ipv6.conf.default.max_addresses = 0 >> net.ipv6.conf.all.max_addresses = 0 >Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0 >ist >ja unbegrenzt. Also default lassen.. Denke ich auch. >> + >> +# Enable forwarding, otherwise not all local route are examined >> +net.ipv6.conf.default.forwarding=0 >> +net.ipv6.conf.all.forwarding=1 >Das muss man umdrehen. conf.all ueberschreibt auch conf.default und >dann >ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein. Damit >das IsRouter Flag nicht gesetzt wird. Ich wollte es am liebsten auf allen interfaces abschalten, aber das hab ich gestern nicht mehr hinbekommen. Deswegen is das hier auch nur RFC. Meinst du br-mesh zu nehmen reicht? Tim >Robert >> diff --git >a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >> new file mode 100644 >> index 0000000..793b0d8 >> --- /dev/null >> +++ >b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >> @@ -0,0 +1,2 @@ >> +/sbin/iptables -P FORWARD DROP >> +/sbin/ip6tables -P FORWARD DROP >> diff --git >a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >> index 38d7413..e0f2ba4 100755 >> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork 
>> @@ -40,6 +40,7 @@ setAutoConf() { >> echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> >/etc/sysctl.d/51-fff-network-wan.conf >> echo "net.ipv6.conf.$iface.autoconf = $on" >> >/etc/sysctl.d/51-fff-network-wan.conf >> echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> >/etc/sysctl.d/51-fff-network-wan.conf >> + echo "net.ipv6.conf.$iface.forwarding = 0" >> >/etc/sysctl.d/51-fff-network-wan.conf >> >> /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf >> }
Am 14.02.2018 um 11:37 schrieb Tim Niemeyer: > Hi > > Am 14. Februar 2018 11:05:36 MEZ schrieb robert <rlanghammer@web.de>: >> Hi Tim, >> >> Am 13.02.2018 um 21:40 schrieb Tim Niemeyer: >>> Fixes #83 >>> Signed-off-by: Tim Niemeyer <tim@tn-x.org> >>> --- >>> >>> src/packages/fff/fff-network/Makefile >> | 2 +- >>> src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >> | 5 ++++- >>> .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >> | 2 ++ >>> src/packages/fff/fff-network/files/usr/sbin/configurenetwork >> | 1 + >>> 4 files changed, 8 insertions(+), 2 deletions(-) >>> create mode 100644 >> src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >>> diff --git a/src/packages/fff/fff-network/Makefile >> b/src/packages/fff/fff-network/Makefile >>> index 348897d..980800a 100644 >>> --- a/src/packages/fff/fff-network/Makefile >>> +++ b/src/packages/fff/fff-network/Makefile >>> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME) >>> CATEGORY:=Freifunk >>> TITLE:= Freifunk-Franken network configuration >>> URL:=http://www.freifunk-franken.de >>> - DEPENDS:=+fff-uradvd +fff-boardname >>> + DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall >>> endef >>> >>> define Package/$(PKG_NAME)/description >>> diff --git >> a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >> b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >>> index 7fe4725..4f1c24f 100644 >>> --- >> a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >>> +++ >> b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf >>> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0 >>> net.ipv4.icmp_echo_ignore_broadcasts=1 >>> net.ipv4.icmp_ignore_bogus_error_responses=1 >>> net.ipv4.ip_forward=0 >>> -# net.ipv6.conf.all.forwarding=1 >>> >>> # disable bridge firewalling by default >>> net.bridge.bridge-nf-call-arptables=0 
>>> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3 >>> # How many global unicast IPv6 addresses can be assigned to each >> interface? >>> net.ipv6.conf.default.max_addresses = 0 >>> net.ipv6.conf.all.max_addresses = 0 >> Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0 >> ist >> ja unbegrenzt. > Also default lassen.. Denke ich auch. > > >>> + >>> +# Enable forwarding, otherwise not all local route are examined >>> +net.ipv6.conf.default.forwarding=0 >>> +net.ipv6.conf.all.forwarding=1 >> Das muss man umdrehen. conf.all ueberschreibt auch conf.default und >> dann >> ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein. Damit >> das IsRouter Flag nicht gesetzt wird. > Ich wollte es am liebsten auf allen interfaces abschalten, aber das hab ich gestern nicht mehr hinbekommen. Deswegen is das hier auch nur RFC. > > Meinst du br-mesh zu nehmen reicht? Ich habs ausprobiert, wenn man die 2 Zeilen umdreht, steht default auf 0 und alle dazukommenden Interfaces, also auch br-mesh haben die 0. So sieht es dann mit umgedrehten Zeilen aus (1043v4) sysctl -a 2>/dev/null | grep ipv6.*\\.forwarding net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.bat0.forwarding = 0 net.ipv6.conf.br-mesh.forwarding = 0 net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.eth0.forwarding = 1 net.ipv6.conf.eth0.1.forwarding = 0 net.ipv6.conf.eth0.2.forwarding = 0 net.ipv6.conf.eth0.3.forwarding = 0 net.ipv6.conf.fffVPN.forwarding = 0 net.ipv6.conf.ifb0.forwarding = 1 net.ipv6.conf.ifb1.forwarding = 1 net.ipv6.conf.l2tp0.forwarding = 0 net.ipv6.conf.lo.forwarding = 1 net.ipv6.conf.teql0.forwarding = 1 net.ipv6.conf.w2ap.forwarding = 0 net.ipv6.conf.w2configap.forwarding = 0 net.ipv6.conf.w2mesh.forwarding = 0 bei allen wichtigen nach aussen 0. Oder/und um sicher zu gehen, koennte man ja in configurenetwork br-mesh nochmal extra setzen. Um alle ab zu schalten sehe ich keine sysctl Moeglichkeit, da muesste man scripten, und das waere dann doch zu doof. 
Robert > > Tim > > >> Robert >>> diff --git >> a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >> b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >>> new file mode 100644 >>> index 0000000..793b0d8 >>> --- /dev/null >>> +++ >> b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding >>> @@ -0,0 +1,2 @@ >>> +/sbin/iptables -P FORWARD DROP >>> +/sbin/ip6tables -P FORWARD DROP >>> diff --git >> a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >> b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >>> index 38d7413..e0f2ba4 100755 >>> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >>> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork >>> @@ -40,6 +40,7 @@ setAutoConf() { >>> echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> >> /etc/sysctl.d/51-fff-network-wan.conf >>> echo "net.ipv6.conf.$iface.autoconf = $on" >> >> /etc/sysctl.d/51-fff-network-wan.conf >>> echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> >> /etc/sysctl.d/51-fff-network-wan.conf >>> + echo "net.ipv6.conf.$iface.forwarding = 0" >> >> /etc/sysctl.d/51-fff-network-wan.conf >>> >>> /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf >>> }
Fixes #83 Signed-off-by: Tim Niemeyer <tim@tn-x.org> --- src/packages/fff/fff-network/Makefile | 2 +- src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf | 5 ++++- .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding | 2 ++ src/packages/fff/fff-network/files/usr/sbin/configurenetwork | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding