[PATCH v2 4/9] fff-firewall: new package

Tim Niemeyer tim at tn-x.org
So Mär 27 10:42:31 CEST 2016


- moves the node<-->client ra rules to package fff-uradvd

Signed-off-by: Tim Niemeyer <tim at tn-x.org>
---

Changes in v2:
- fix indentation and code style
- fix variable usage
- fix utf8

 bsp/default/root_file_system/etc/config/firewall   | 103 ------------------
 bsp/default/root_file_system/etc/firewall.user     | 120 ---------------------
 bsp/default/root_file_system/etc/rc.local.tpl      |   2 -
 src/packages/fff/fff-firewall/Makefile             |  43 ++++++++
 .../fff/fff-firewall/files/etc/init.d/fff-firewall |  28 +++++
 .../files/usr/lib/firewall.d/00-prepare            |   6 ++
 .../files/usr/lib/firewall.d/05-setup-chains       |  34 ++++++
 .../files/usr/lib/firewall.d/20-clamp-mss          |   2 +
 .../files/usr/lib/firewall.d/20-filter-ssh         |   7 ++
 .../files/usr/lib/firewall.d/30-client-dhcp        |   8 ++
 .../files/usr/lib/firewall.d/30-client-dhcpv6      |   8 ++
 .../files/usr/lib/firewall.d/30-client-ra          |   5 +
 .../files/usr/lib/firewall.d/31-node-dhcp          |   5 +
 .../files/usr/lib/firewall.d/31-node-dhcpv6        |   5 +
 .../files/usr/lib/firewall.d/31-node-ra            |  11 ++
 .../fff-firewall/files/usr/lib/firewall.d/35-mc    |   6 ++
 .../files/usr/lib/firewall.d/35-mc-arp             |   8 ++
 .../files/usr/lib/firewall.d/35-mc-ping            |   6 ++
 .../files/usr/lib/firewall.d/40-local-node         |  11 ++
 .../files/usr/lib/firewall.d/32-local-ra           |   5 +
 20 files changed, 198 insertions(+), 225 deletions(-)
 delete mode 100644 bsp/default/root_file_system/etc/config/firewall
 delete mode 100755 bsp/default/root_file_system/etc/firewall.user
 create mode 100644 src/packages/fff/fff-firewall/Makefile
 create mode 100755 src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
 create mode 100755 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
 create mode 100755 src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra

diff --git a/bsp/default/root_file_system/etc/config/firewall b/bsp/default/root_file_system/etc/config/firewall
deleted file mode 100644
index ed57672..0000000
--- a/bsp/default/root_file_system/etc/config/firewall
+++ /dev/null
@@ -1,103 +0,0 @@
-config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT 
-	option forward		REJECT
-
-config zone
-	option name		lan
-	option input	ACCEPT 
-	option output	ACCEPT 
-	option forward	REJECT
-
-config zone
-	option name		wan
-	option input	REJECT
-	option output	ACCEPT 
-	option forward	REJECT
-	option masq		1 
-	option mtu_fix	1
-
-config forwarding 
-	option src      lan
-	option dest     wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-
-#Allow ping
-config rule
-	option src wan
-	option proto icmp
-	option icmp_type echo-request
-	option target ACCEPT
-
-#Allow SSH on WAN
-config rule               
-        option src              wan
-        option dest_port        22
-        option target           ACCEPT    
-        option proto            tcp  
-
-# include a file with users custom iptables rules
-config include
-	option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option dest		wan
-#	option proto	tcp
-#	option target	REJECT 
-
-# block a specific mac on wan
-#config rule
-#	option dest		wan
-#	option src_mac	00:11:22:33:44:66
-#	option target	REJECT 
-
-# block incoming ICMP traffic on a zone
-#config rule
-#	option src		lan
-#	option proto	ICMP
-#	option target	DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#	option src			wan
-#	option src_dport	80
-#	option dest			lan
-#	option dest_ip		192.168.16.235
-#	option dest_port	80 
-#	option proto		tcp
-
-
-### FULL CONFIG SECTIONS
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port	80
-#	option dest		wan
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
-#	option target	REJECT 
-
-#config redirect
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port		1024
-#	option src_dport	80
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
\ No newline at end of file
diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
deleted file mode 100755
index 8ae48dc..0000000
--- a/bsp/default/root_file_system/etc/firewall.user
+++ /dev/null
@@ -1,120 +0,0 @@
-#!/bin/sh
-
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
-# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
-# Das wirkt bei kleinen Geräten wie ein DOS
-WAN=$(uci get network.wan.ifname)
-iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $WAN -j REJECT
-
-# Limit ssh to 3 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
-
-
-# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
-
-######## CLEAN UP ############
-ebtables -F
-ebtables -X
-
-######## IN_ONLY ############
-ebtables -N IN_ONLY -P RETURN
-
-# Daten aus dem BATMAN werden erlaubt
-# Alles außer Daten von BATMAN werden DROP'ed
-ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
-
-######## OUT_ONLY ############
-ebtables -N OUT_ONLY -P RETURN
-
-# Daten ins BATMAN werden erlaubt
-# Alles außer Daten ins BATMAN werden DROP'ed
-ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
-
-######## MULTICAST_OUT ############
-ebtables -N MULTICAST_OUT -P DROP
-
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
-# Erlaube DHCP Requests
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
-# Erlaube DHCPv6 Requests
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
-
-######## INPUT ############
-ebtables -P INPUT ACCEPT
-
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
-
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Verbiete Router-Solicitation von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
-
-######## FORWARD ############
-ebtables -P FORWARD ACCEPT
-
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
-# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
-# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
-ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
-
-######## OUTPUT ############
-ebtables -P OUTPUT ACCEPT
-
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-
-# Erlaube nur DHCP Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
-# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
-# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-# Verbiete Router-Advertisment von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
-ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
diff --git a/bsp/default/root_file_system/etc/rc.local.tpl b/bsp/default/root_file_system/etc/rc.local.tpl
index ddf208d..d6384d8 100755
--- a/bsp/default/root_file_system/etc/rc.local.tpl
+++ b/bsp/default/root_file_system/etc/rc.local.tpl
@@ -56,8 +56,6 @@ fi
 # Starting NTP-Client Daemon after 30s to ensure that the interface is up
 ( sleep 30 ; ntpd -p ${NTPD_IP} ) &
 
-. /etc/firewall.user
-
 /etc/init.d/qos disable
 /etc/init.d/qos stop
 
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
new file mode 100644
index 0000000..e2a3b19
--- /dev/null
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -0,0 +1,43 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-firewall
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-firewall
+    SECTION:=base
+    CATEGORY:=Freifunk
+    TITLE:=Freifunk-Franken firewall
+    URL:=http://www.freifunk-franken.de
+    DEPENDS:=+arptables \
+             +ebtables +ebtables-utils \
+             +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
+             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
+endef
+
+define Package/fff-batman-adv-legacy/description
+    This is the firewall for the Freifunk Franken Firmware
+    It is used to configure firewall.
+endef
+
+define Build/Prepare
+	echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+	# nothing
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-firewall/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-firewall))
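Review bot: The description block is declared as `define Package/fff-batman-adv-legacy/description`, a different package name from the one this Makefile builds, so `fff-firewall` ships without a description and the text is silently ignored (or, if a package of that name exists in the same build, overrides its description). It should read `define Package/fff-firewall/description`. While there, `It is used to configure firewall.` could be made concrete: `It installs the ebtables/iptables rule snippets in /usr/lib/firewall.d, which the fff-firewall init script applies in name order.`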
diff --git a/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
new file mode 100755
index 0000000..d460222
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall
@@ -0,0 +1,28 @@
+#!/bin/sh /etc/rc.common
+
+START=50
+
+USE_PROCD=1
+
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+
+FIREWALL_DIR=/usr/lib/firewall.d
+
+service_triggers()
+{
+    procd_add_reload_trigger "fff-firewall"
+}
+
+start_service()
+{
+    local file
+
+    IF_WAN=$(uci get network.wan.ifname)
+
+    for file in ${FIREWALL_DIR}/*; do
+        if [ -f "$file" ]; then
+            . "$file"
+        fi
+    done
+}
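Review bot: `SERVICE_WRITE_PID=1` and `SERVICE_DAEMONIZE=1` are read only by the legacy `service_start` helpers in rc.common and have no effect once `USE_PROCD=1` is set, so they can be dropped. Because `start_service` opens no procd instance, `stop` is a no-op and the rules stay loaded, while `restart`/`reload` simply re-source every snippet and rely on `00-prepare` to flush first; that deserves a comment such as `# Rules are applied directly, no daemon: stop leaves them in place, restart re-applies them after 00-prepare has flushed the tables`. `procd_add_reload_trigger "fff-firewall"` fires on changes to a UCI config named `fff-firewall`, which nothing on this page ships; if none is planned the trigger can go as well. `IF_WAN` is deliberately not `local` so the sourced snippets can see it; a `# shared with the sourced snippets (20-filter-ssh)` comment would make that intent explicit.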
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
new file mode 100755
index 0000000..4807e61
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
@@ -0,0 +1,6 @@
+######## CLEAN UP ############
+ebtables -F
+ebtables -X
+
+iptables -F
+iptables -X
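Review bot: The clean-up flushes ebtables and iptables but not ip6tables, yet `20-filter-ssh` appends two rules to the ip6tables INPUT chain; every restart or reload of the service therefore adds another copy of those rules. Add `ip6tables -F` and `ip6tables -X` next to the iptables lines. Note also that `-F`/`-X` without `-t` touch only the filter table, which covers every rule in this series but is worth a one-line comment, e.g. `# filter table only; nat/mangle are not managed here`.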
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
new file mode 100755
index 0000000..3d2069f
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/05-setup-chains
@@ -0,0 +1,34 @@
+######## IN_ONLY ############
+ebtables -N IN_ONLY -P RETURN
+
+# Daten aus dem BATMAN werden erlaubt
+# Alles ausser Daten von BATMAN werden DROP'ed
+ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
+
+######## OUT_ONLY ############
+ebtables -N OUT_ONLY -P RETURN
+
+# Daten ins BATMAN werden erlaubt
+# Alles ausser Daten ins BATMAN werden DROP'ed
+ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
+
+######## MULTICAST_OUT ############
+ebtables -N MULTICAST_OUT -P DROP
+
+######## INPUT ############
+ebtables -P INPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+######## FORWARD ############
+ebtables -P FORWARD ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
+ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
+
+######## OUTPUT ############
+ebtables -P OUTPUT ACCEPT
+
+# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
+ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
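Review bot: The comment above `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT` says this traffic is handled by MULTICAST_OUT, but the rule's target is ACCEPT, and the original firewall.user carried the same rule without that comment. Suggest `# Accept Multicast/Broadcast from CLIENT -> NODE directly; it is not passed through MULTICAST_OUT`. The two MULTICAST_OUT comments for FORWARD and OUTPUT match their rules.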
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
new file mode 100755
index 0000000..f2ee439
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
@@ -0,0 +1,2 @@
+#solves MTU problem with bad ISPs
+iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
new file mode 100755
index 0000000..7fd4e30
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -0,0 +1,7 @@
+# If an router has a direct internet connection simple attack act as DOS attack
+iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i $IF_WAN -j REJECT
+
+# Limit ssh to 3 new connections per 60 seconds
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
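Review bot: `$IF_WAN` is expanded unquoted and unchecked; when `uci get network.wan.ifname` returns nothing (no wan section), `-i $IF_WAN` collapses and both iptables invocations fail because the following flag is consumed as the interface name, so WAN INPUT is left unfiltered with no indication beyond stderr. Wrap the two rules in `if [ -n "$IF_WAN" ]; then` … `fi` and write the match as `-i "$IF_WAN"`. The comment `# If an router has a direct internet connection simple attack act as DOS attack` is hard to parse; suggest `# A node with a direct WAN uplink is exposed to SSH brute-force attempts, which act like a DoS on small devices: on WAN only accept replies to established connections`. The two rate-limit rules use `-m state` while the first rule uses `-m conntrack --ctstate`; using `-m conntrack --ctstate NEW` throughout would be consistent.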
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
new file mode 100755
index 0000000..a50c799
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcp
@@ -0,0 +1,8 @@
+# Erlaube DHCP Requests
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+
+# Erlaube nur DHCP Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+
+# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
new file mode 100755
index 0000000..068ef06
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-dhcpv6
@@ -0,0 +1,8 @@
+# Erlaube DHCPv6 Requests
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+
+# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+
+# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
new file mode 100755
index 0000000..29562de
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/30-client-ra
@@ -0,0 +1,5 @@
+# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
new file mode 100755
index 0000000..9280a91
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcp
@@ -0,0 +1,5 @@
+# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+
+# Erlaube nur DHCP Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
new file mode 100755
index 0000000..97c3df3
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-dhcpv6
@@ -0,0 +1,5 @@
+# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+
+# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
new file mode 100755
index 0000000..e619201
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/31-node-ra
@@ -0,0 +1,11 @@
+# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+
+# Verbiete Router-Solicitation von BATMAN -> KNOTEN
+ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+
+# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+# Verbiete Router-Advertisment von KNOTEN -> BATMAN
+ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
new file mode 100755
index 0000000..50cc31f
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc
@@ -0,0 +1,6 @@
+# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
+
+# Erlaube Organisation der Multicast Gruppen
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+
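Review bot: The comment `# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??` carries the author's own question marks; `--ip6-proto 0` matches IPv6 packets whose next header is the Hop-by-Hop Options header (protocol number 0), which MLD queries and reports carry for the Router Alert option, so this rule is what keeps IPv6 multicast group management working towards the mesh. Suggest `# Allow IPv6 Hop-by-Hop Options (next header 0): MLD queries/reports carry it for Router Alert`. The file also ends with a stray empty `+` line.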
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
new file mode 100755
index 0000000..50e0191
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-arp
@@ -0,0 +1,8 @@
+# Verbiete ARP Antworten an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+
+# Verbiete ARP Requests an alle
+ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+
+# Erlaube alle anderen ARP's
+ebtables -A MULTICAST_OUT -p ARP -j RETURN
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
new file mode 100755
index 0000000..877b027
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/35-mc-ping
@@ -0,0 +1,6 @@
+# Erlaube PING
+ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
+
+# Erlaube PINGv6
+ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+
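Review bot: The comments `# Erlaube PING` and `# Erlaube PINGv6` understate the rules: `--ip-proto icmp` and `--ip6-proto ipv6-icmp` match every ICMP/ICMPv6 type sent to a broadcast or multicast address, not only echo requests; on the IPv6 side that includes neighbour discovery, which is presumably intended since those messages are multicast. Suggest `# Allow all ICMPv4 to broadcast/multicast (ping, but also every other type)` and `# Allow all ICMPv6 to multicast (ping, neighbour discovery, router solicitation/advertisement)`. If only ping is meant on the IPv4 side, the match can be narrowed with `--ip-icmp-type echo-request`, which should be available given that `--ip6-icmp-type` is already used in this series. The file also ends with a stray empty `+` line.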
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
new file mode 100755
index 0000000..cce7231
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/40-local-node
@@ -0,0 +1,11 @@
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
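Review bot: The address `fdff::1/128` is hard-coded six times in this snippet; a single `LOCAL_NODE_IP6=fdff::1/128` at the top of the file, used as `--ip6-source $LOCAL_NODE_IP6` / `--ip6-destination $LOCAL_NODE_IP6`, keeps the six rules aligned if the address ever changes. A header comment would also help a reader understand why every rule is a DROP, e.g. `# fdff::1 is the node-local address (presumably identical on every node - confirm); it must never be received from or sent towards the mesh (bat0)`.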
diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
new file mode 100755
index 0000000..ae2dba2
--- /dev/null
+++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
@@ -0,0 +1,5 @@
+# Erlaube router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+
+# Erlaube router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-- 
2.1.4



