[PATCH 4/9] fff-firewall: new package
Steffen Pankratz
kratz00 at gmx.de
Mi Mär 16 22:02:44 CET 2016
On Tue, 15 Mar 2016 07:31:28 +0100
Tim Niemeyer <tim at tn-x.org> wrote:
Hi Tim
Anmerkungen 'inline'.
> - moves the node<-->client ra rules to package fff-uradvd
>
> Signed-off-by: Tim Niemeyer <tim at tn-x.org>
> ---
>
> bsp/default/root_file_system/etc/config/firewall | 103 ------------------
> bsp/default/root_file_system/etc/firewall.user | 120 ---------------------
> bsp/default/root_file_system/etc/rc.local.tpl | 2 -
> src/packages/fff/fff-firewall/Makefile | 43 ++++++++
> .../fff/fff-firewall/files/etc/init.d/fff-firewall | 27 +++++
> .../files/usr/lib/firewall.d/00-prepare | 6 ++
> .../files/usr/lib/firewall.d/05-setup-chains | 34 ++++++
> .../files/usr/lib/firewall.d/20-clamp-mss | 2 +
> .../files/usr/lib/firewall.d/20-filter-ssh | 8 ++
> .../files/usr/lib/firewall.d/30-client-dhcp | 8 ++
> .../files/usr/lib/firewall.d/30-client-dhcpv6 | 8 ++
> .../files/usr/lib/firewall.d/30-client-ra | 5 +
> .../files/usr/lib/firewall.d/31-node-dhcp | 5 +
> .../files/usr/lib/firewall.d/31-node-dhcpv6 | 5 +
> .../files/usr/lib/firewall.d/31-node-ra | 11 ++
> .../fff-firewall/files/usr/lib/firewall.d/35-mc | 6 ++
> .../files/usr/lib/firewall.d/35-mc-arp | 8 ++
> .../files/usr/lib/firewall.d/35-mc-ping | 6 ++
> .../files/usr/lib/firewall.d/40-local-node | 11 ++
> .../files/usr/lib/firewall.d/32-local-ra | 5 +
> 20 files changed, 198 insertions(+), 225 deletions(-)
> delete mode 100644 bsp/default/root_file_system/etc/config/firewall
> delete mode 100755 bsp/default/root_file_system/etc/firewall.user
> create mode 100644 src/packages/fff/fff-firewall/Makefile
> create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
>
> diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
> deleted file mode 100644
> index ed57672..0000000
> --- a/bsp/default/root_file_system/etc/config/firewall
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -config defaults
> - option syn_flood 1
> - option input ACCEPT
> - option output ACCEPT
> - option forward REJECT
> -
> -config zone
> - option name lan
> - option input ACCEPT
> - option output ACCEPT
> - option forward REJECT
> -
> -config zone
> - option name wan
> - option input REJECT
> - option output ACCEPT
> - option forward REJECT
> - option masq 1
> - option mtu_fix 1
> -
> -config forwarding
> - option src lan
> - option dest wan
> -
> -# We need to accept udp packets on port 68,
> -# see https://dev.openwrt.org/ticket/4108
> -config rule
> - option src wan
> - option proto udp
> - option dest_port 68
> - option target ACCEPT
> -
> -#Allow ping
> -config rule
> - option src wan
> - option proto icmp
> - option icmp_type echo-request
> - option target ACCEPT
> -
> -#Allow SSH on WAN
> -config rule
> - option src wan
> - option dest_port 22
> - option target ACCEPT
> - option proto tcp
> -
> -# include a file with users custom iptables rules
> -config include
> - option path /etc/firewall.user
> -
> -
> -### EXAMPLE CONFIG SECTIONS
> -# do not allow a specific ip to access wan
> -#config rule
> -# option src lan
> -# option src_ip 192.168.45.2
> -# option dest wan
> -# option proto tcp
> -# option target REJECT
> -
> -# block a specific mac on wan
> -#config rule
> -# option dest wan
> -# option src_mac 00:11:22:33:44:66
> -# option target REJECT
> -
> -# block incoming ICMP traffic on a zone
> -#config rule
> -# option src lan
> -# option proto ICMP
> -# option target DROP
> -
> -# port redirect port coming in on wan to lan
> -#config redirect
> -# option src wan
> -# option src_dport 80
> -# option dest lan
> -# option dest_ip 192.168.16.235
> -# option dest_port 80
> -# option proto tcp
> -
> -
> -### FULL CONFIG SECTIONS
> -#config rule
> -# option src lan
> -# option src_ip 192.168.45.2
> -# option src_mac 00:11:22:33:44:55
> -# option src_port 80
> -# option dest wan
> -# option dest_ip 194.25.2.129
> -# option dest_port 120
> -# option proto tcp
> -# option target REJECT
> -
> -#config redirect
> -# option src lan
> -# option src_ip 192.168.45.2
> -# option src_mac 00:11:22:33:44:55
> -# option src_port 1024
> -# option src_dport 80
> -# option dest_ip 194.25.2.129
> -# option dest_port 120
> -# option proto tcp
> \ No newline at end of file
> diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
> deleted file mode 100755
> index 8ae48dc..0000000
> --- a/bsp/default/root_file_system/etc/firewall.user
> +++ /dev/null
> @@ -1,120 +0,0 @@
> -#!/bin/sh
> -
> -#solves MTU problem with bad ISPs
> -iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -
> -# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
> -# Das wirkt bei kleinen Geräten wie ein DOS
> -WAN=$(uci get network.wan.ifname)
> -iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -iptables -A INPUT -i $WAN -j REJECT
> -
> -# Limit ssh to 3 new connections per 60 seconds
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
> -
> -
> -# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
> -
> -######## CLEAN UP ############
> -ebtables -F
> -ebtables -X
> -
> -######## IN_ONLY ############
> -ebtables -N IN_ONLY -P RETURN
> -
> -# Daten aus dem BATMAN werden erlaubt
> -# Alles außer Daten von BATMAN werden DROP'ed
> -ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> -
> -######## OUT_ONLY ############
> -ebtables -N OUT_ONLY -P RETURN
> -
> -# Daten ins BATMAN werden erlaubt
> -# Alles außer Daten ins BATMAN werden DROP'ed
> -ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> -
> -######## MULTICAST_OUT ############
> -ebtables -N MULTICAST_OUT -P DROP
> -
> -# Verbiete ARP Antworten an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
> -# Verbiete ARP Requests an alle
> -ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
> -# Erlaube alle anderen ARP's
> -ebtables -A MULTICAST_OUT -p ARP -j RETURN
> -# Erlaube DHCP Requests
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> -# Erlaube DHCPv6 Requests
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> -# Erlaube PING
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> -# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> -# Erlaube PINGv6
> -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> -# Erlaube Organisation der Multicast Gruppen
> -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> -
> -######## INPUT ############
> -ebtables -P INPUT ACCEPT
> -
> -# Erlaube router solicitation von client zu knoten
> -ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
> -ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
> -
> -# No input from/to local node ip from batman
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> -# Verbiete Router-Solicitation von BATMAN -> KNOTEN
> -ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
> -
> -######## FORWARD ############
> -ebtables -P FORWARD ACCEPT
> -
> -# Do not forward local node ip
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> -# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> -# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> -# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
> -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> -# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> -
> -######## OUTPUT ############
> -ebtables -P OUTPUT ACCEPT
> -
> -# Erlaube router advertisment von knoten zu client
> -ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
> -
> -# Do not output local node ip to batman
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> -ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> -
> -# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> -# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> -# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> -# Verbiete Router-Advertisment von KNOTEN -> BATMAN
> -ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
> -# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
> -ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
> index ddf208d..d6384d8 100755
> --- a/bsp/default/root_file_system/etc/rc.local.tpl
> +++ b/bsp/default/root_file_system/etc/rc.local.tpl
> @@ -56,8 +56,6 @@ fi
> # Starting NTP-Client Daemon after 30s to ensure that the interface is up
> ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
>
> -. /etc/firewall.user
> -
> /etc/init.d/qos disable
> /etc/init.d/qos stop
>
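Review bot: With `. /etc/firewall.user` gone from rc.local, the rules are installed only if /etc/init.d/fff-firewall is enabled at boot, and the patch adds no explicit enable step; this presumably relies on the package's default postinst enabling init scripts shipped under etc/init.d, which is worth confirming for this build system. rc.local ran after the network was up, whereas the new script starts at `START=50`; since the script only reads `network.wan.ifname` from uci and never touches a live interface, the earlier start looks harmless, but the assumption should be written down in the init script's header, e.g. `# Only reads uci config; no interface needs to be up yet.`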
> diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
> new file mode 100644
> index 0000000..e2a3b19
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -0,0 +1,43 @@
> +include $(TOPDIR)/rules.mk
> +
> +PKG_NAME:=fff-firewall
> +PKG_VERSION:=1
> +PKG_RELEASE:=1
> +
> +PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
> +
> +include $(INCLUDE_DIR)/package.mk
> +
> +define Package/fff-firewall
> + SECTION:=base
> + CATEGORY:=Freifunk
> + TITLE:=Freifunk-Franken firewall
> + URL:=http://www.freifunk-franken.de
> + DEPENDS:=+arptables \
> + +ebtables +ebtables-utils \
> + +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
> + +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
> +endef
> +
> +define Package/fff-batman-adv-legacy/description
> + This is the firewall for the Freifunk Franken Firmware
> + It is used to configure firewall.
> +endef
> +
> +define Build/Prepare
> + echo "all: " > $(PKG_BUILD_DIR)/Makefile
> +endef
> +
> +define Build/Configure
> + # nothing
> +endef
> +
> +define Build/Compile
> + # nothing
> +endef
> +
> +define Package/fff-firewall/install
> + $(CP) ./files/* $(1)/
> +endef
> +
> +$(eval $(call BuildPackage,fff-firewall))
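Review bot: The description block is defined as `Package/fff-batman-adv-legacy/description` while the package defined above is `fff-firewall`, so the text is attached to the wrong (or no) package; it should read `define Package/fff-firewall/description`. 20-filter-ssh calls `/usr/sbin/ip6tables`, but DEPENDS only lists `iptables-mod-*` packages; unless ip6tables is pulled into the image elsewhere, add `+ip6tables` so the package is self-contained. The description text could also say what is installed, e.g. `It installs the ebtables/iptables rule fragments under /usr/lib/firewall.d and the init script that applies them in lexical order.`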
> diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> new file mode 100755
> index 0000000..f681646
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
> @@ -0,0 +1,27 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=50
> +
> +USE_PROCD=1
> +
> +SERVICE_WRITE_PID=1
> +SERVICE_DAEMONIZE=1
> +
> +FIREWALL_DIR=/usr/lib/firewall.d
> +
> +service_triggers()
> +{
> + procd_add_reload_trigger "fff-firewall"
> +}
> +
Die Einrueckung sieht komisch aus.
Die Coding-Style ist insgesamt auch nicht konsistent.
Mal kommt die oeffnende Klammer in der naechsten Zeile und dann mal direkt dahinter.
> +start_service() {
> + local file
> +
> + IF_WAN=$(uci get network.wan.ifname)
> +
> + for file in /usr/lib/firewall.d/*; do
Wieso verwendest du nicht FIREWALL_DIR?
Oder wieso braucht es FIREWALL_DIR?
Entweder so oder so :)
> + if [ -f "$file" ]; then
> + . $file
$file besser "double quoten".
> + fi
> + done
> +}
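Review bot: `IF_WAN=$(uci get network.wan.ifname)` is never checked, and because every fragment is sourced with its errors ignored, an empty value makes the `iptables -A INPUT -i $IF_WAN -j REJECT` rule in 20-filter-ssh fail to load while all other rules go in, leaving WAN input open (00-prepare flushes but never sets a policy) with no diagnostic; guard it with `IF_WAN=$(uci -q get network.wan.ifname)` and `[ -n "$IF_WAN" ] || logger -t fff-firewall "network.wan.ifname unset; WAN input filter not applied"`. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` are knobs of the legacy service helpers and have no effect once `USE_PROCD=1` is set, so they can be dropped. Since fragments from other packages (32-local-ra from fff-uradvd) now share the directory, the ordering contract deserves a comment above the loop: `# Fragments are sourced in lexical order: 00 flush, 05 chains, 20-40 rules; later files only append.`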
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> new file mode 100755
> index 0000000..4807e61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
> @@ -0,0 +1,6 @@
> +######## CLEAN UP ############
> +ebtables -F
> +ebtables -X
> +
> +iptables -F
> +iptables -X
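Review bot: The cleanup flushes ebtables and iptables but not ip6tables, while 20-filter-ssh appends two rules to the ip6tables INPUT chain; every restart or reload (the init script registers a reload trigger) therefore adds another copy of the rate-limit rules. Add `ip6tables -F` and `ip6tables -X` here. `-F` also leaves the built-in chain policies untouched; if an earlier run or another firewall on the image set a policy other than ACCEPT nothing here resets it, so either set them explicitly (`iptables -P INPUT ACCEPT` etc.) or state in a comment that the policies are intentionally inherited. Note that only the filter table is flushed; the `masq 1` on wan from the deleted /etc/config/firewall is not reproduced anywhere in this patch, which may be intended but is worth a sentence in the commit message.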
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> new file mode 100755
> index 0000000..94d8d61
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
> @@ -0,0 +1,34 @@
> +######## IN_ONLY ############
> +ebtables -N IN_ONLY -P RETURN
> +
> +# Daten aus dem BATMAN werden erlaubt
> +# Alles außer Daten von BATMAN werden DROP'ed
> +ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
> +
> +######## OUT_ONLY ############
> +ebtables -N OUT_ONLY -P RETURN
> +
> +# Daten ins BATMAN werden erlaubt
> +# Alles außer Daten ins BATMAN werden DROP'ed
> +ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
> +
> +######## MULTICAST_OUT ############
> +ebtables -N MULTICAST_OUT -P DROP
> +
> +######## INPUT ############
> +ebtables -P INPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
> +ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
> +
> +######## FORWARD ############
> +ebtables -P FORWARD ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
> +ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
> +
> +######## OUTPUT ############
> +ebtables -P OUTPUT ACCEPT
> +
> +# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
> +ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
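Review bot: The comment above the INPUT rule says multicast/broadcast from CLIENT -> KNOTEN is handled in MULTICAST_OUT, but the rule's target is `-j ACCEPT`, so such frames are accepted unconditionally and, being appended first, cannot be restricted by anything the later 31-node-* fragments add to INPUT. Either the comment or the target is wrong; if the unconditional accept is intended, say so: `# Multicast/broadcast from clients to the node is accepted unconditionally (not subject to MULTICAST_OUT)`. The FORWARD and OUTPUT jumps to MULTICAST_OUT are now appended before the protocol rules from the 30-/31- files, the reverse of the old firewall.user; since IN_ONLY/OUT_ONLY end in RETURN the result is the same, but this relies on every later fragment only appending, which belongs in a comment at the top of this file.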
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> new file mode 100755
> index 0000000..f2ee439
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
> @@ -0,0 +1,2 @@
> +#solves MTU problem with bad ISPs
> +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> new file mode 100755
> index 0000000..b8bf541
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> @@ -0,0 +1,8 @@
> +# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
> +# Das wirkt bei kleinen Geräten wie ein DOS
> +iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> +iptables -A INPUT -i $IF_WAN -j REJECT
> +
> +# Limit ssh to 3 new connections per 60 seconds
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
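Review bot: The WAN input filter is IPv4-only: `iptables -A INPUT -i $IF_WAN -j REJECT` has no ip6tables counterpart, so if the WAN interface carries IPv6, every listening service on the node is reachable from the WAN over IPv6 and ssh is merely rate-limited. If that is intentional it should be documented; otherwise mirror the two rules with ip6tables, keeping ICMPv6 accepted since neighbour discovery needs it. The IPv4 rule uses `-m conntrack --ctstate` while the IPv6 rules use the older `-m state --state`; use `-m conntrack --ctstate NEW` in both. `$IF_WAN` is set by the init script rather than here and should be quoted; a header line such as `# IF_WAN is provided by /etc/init.d/fff-firewall` would help anyone applying this fragment by hand.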
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> new file mode 100755
> index 0000000..a50c799
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
> @@ -0,0 +1,8 @@
> +# Erlaube DHCP Requests
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
> +
> +# Erlaube nur DHCP Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> +
> +# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> new file mode 100755
> index 0000000..068ef06
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
> @@ -0,0 +1,8 @@
> +# Erlaube DHCPv6 Requests
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
> +
> +# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> +
> +# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> new file mode 100755
> index 0000000..29562de
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
> @@ -0,0 +1,5 @@
> +# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
> +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> +
> +# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
> +ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> new file mode 100755
> index 0000000..9280a91
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
> @@ -0,0 +1,5 @@
> +# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
> +
> +# Erlaube nur DHCP Request von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> new file mode 100755
> index 0000000..97c3df3
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
> @@ -0,0 +1,5 @@
> +# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
> +
> +# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> new file mode 100755
> index 0000000..e619201
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
> @@ -0,0 +1,11 @@
> +# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
> +
> +# Verbiete Router-Solicitation von BATMAN -> KNOTEN
> +ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
> +
> +# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
> +
> +# Verbiete Router-Advertisment von KNOTEN -> BATMAN
> +ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> new file mode 100755
> index 0000000..50cc31f
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
> @@ -0,0 +1,6 @@
> +# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
> +
> +# Erlaube Organisation der Multicast Gruppen
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
> +
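Review bot: The comment on the first rule is a question rather than an explanation. `--ip6-proto 0` matches IPv6 packets whose next header is the Hop-by-Hop Options header (protocol number 0); MLD queries and reports carry that header with the Router Alert option, so this rule is what lets IPv6 multicast group management reach the mesh, the IPv6 counterpart of the IGMP rule below. Suggested comment: `# Next-header 0 = Hop-by-Hop Options; MLD (IPv6 multicast group management) uses it, so pass it like IGMP below`. Note the match is only on the next-header value, so any IPv6 multicast packet carrying a hop-by-hop header passes, not just MLD.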
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> new file mode 100755
> index 0000000..50e0191
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
> @@ -0,0 +1,8 @@
> +# Verbiete ARP Antworten an alle
> +ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
> +
> +# Verbiete ARP Requests an alle
> +ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
> +
> +# Erlaube alle anderen ARP's
> +ebtables -A MULTICAST_OUT -p ARP -j RETURN
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> new file mode 100755
> index 0000000..877b027
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
> @@ -0,0 +1,6 @@
> +# Erlaube PING
> +ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
> +
> +# Erlaube PINGv6
> +ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
> +
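Review bot: The rule commented `# Erlaube PINGv6` matches `--ip6-proto ipv6-icmp` with no type restriction, so it lets every ICMPv6 multicast frame out to bat0 (neighbour/router solicitations and advertisements, MLD, ...), not only echo requests; the IPv4 rule with `--ip-proto icmp` likewise passes all ICMP. That is presumably intended, since neighbour discovery over multicast is required for IPv6 to work at all, but the comment should say so: `# Allow all ICMPv6 multicast (echo, NDP, MLD) - needed for IPv6 neighbour discovery`. Because the RETURN happens before any type check, a client's router advertisement also passes MULTICAST_OUT and is only stopped later by the RA -> IN_ONLY rule in FORWARD from 30-client-ra, which is worth a cross-reference here.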
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> new file mode 100755
> index 0000000..cce7231
> --- /dev/null
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
> @@ -0,0 +1,11 @@
> +# No input from/to local node ip from batman
> +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> +
> +# Do not forward local node ip
> +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> +
> +# Do not output local node ip to batman
> +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
> +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
> diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> new file mode 100755
> index 0000000..ae2dba2
> --- /dev/null
> +++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
> @@ -0,0 +1,5 @@
> +# Erlaube router solicitation von client zu knoten
> +ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
> +
> +# Erlaube router advertisment von knoten zu client
> +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
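Review bot: Both rules are ACCEPTs appended after the 31-node-ra restrictions, whereas in the old firewall.user they came first in INPUT and OUTPUT, and as placed they look like no-ops: a client's router solicitation is normally multicast to ff02::2 and is already accepted by the `-d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT` rule from 05-setup-chains, and nothing in OUTPUT drops a router advertisement leaving on a non-bat0 port (31-node-ra only drops `-o bat0`), so the chain's ACCEPT policy lets it through anyway. If the intent is to guarantee uradvd's traffic regardless of what later fragments add, a lower prefix (e.g. 10-) would restore the old precedence, and a comment should state that. Either way the file should carry a header noting that it is only applied when fff-firewall's init script sources /usr/lib/firewall.d, since it ships in a different package.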
> --
> 2.1.4
Gruss
-Steffen