[PATCH] fff-hoods: firewall fe80::1 from Client to Batman and Node

Christian Dresel fff at chrisi01.de
Do Dez 6 14:47:01 CET 2018


This firewall blocks all communication with fe80::1 from a
client to Batman and to the node.

We need this because some crap devices (e.g. some wrongly
connected router on a client port) have fe80::1 as their address
and break our setup.

This is an alternative Patch to
https://pw.freifunk-franken.de/patch/967/

Signed-off-by: Christian Dresel <fff at chrisi01.de>
---
 src/packages/fff/fff-hoods/Makefile                                 | 2 +-
 .../fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801         | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801

diff --git a/src/packages/fff/fff-hoods/Makefile b/src/packages/fff/fff-hoods/Makefile
index 264d28a..fb1ae18 100644
--- a/src/packages/fff/fff-hoods/Makefile
+++ b/src/packages/fff/fff-hoods/Makefile
@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
     CATEGORY:=Freifunk
     TITLE:= Freifunk-Franken hoods
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select
+    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
new file mode 100644
index 0000000..754e070
--- /dev/null
+++ b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
@@ -0,0 +1,6 @@
+# Erlaube nur fe80::1 von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+
+# Erlaube nur fe80::1 von KNOTEN -> CLIENT
+ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+
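Review bot: The comment on the INPUT rule (`# Erlaube nur fe80::1 von KNOTEN -> CLIENT`) describes node-to-client traffic, but the INPUT chain only sees frames addressed to the node itself. Going by the commit message it should read something like `# Accept frames with source fe80::1 addressed to the node only when they arrive via BATMAN, never from a client port`. What both rules actually enforce depends on the `IN_ONLY` chain, which is not defined in this file and presumably comes from the newly added fff-firewall dependency; a one-line comment saying where it is defined and what it accepts would make the file readable on its own. Both rules match only the IPv6 header source, so neighbour-discovery messages that name fe80::1 in their target field but carry a different source address are probably not covered. The file should say that this is a guard against misconfigured client devices rather than complete protection of the gateway address.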
-- 
2.11.0


