[RFC PATCH 5/5] fff-network: enable forwarding; filter forwarding

Tim Niemeyer tim at tn-x.org
Di Feb 13 21:40:41 CET 2018


Fixes #83
Signed-off-by: Tim Niemeyer <tim at tn-x.org>
---

 src/packages/fff/fff-network/Makefile                                | 2 +-
 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf  | 5 ++++-
 .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding   | 2 ++
 src/packages/fff/fff-network/files/usr/sbin/configurenetwork         | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding

diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index 348897d..980800a 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
     CATEGORY:=Freifunk
     TITLE:= Freifunk-Franken network configuration
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-uradvd +fff-boardname
+    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index 7fe4725..4f1c24f 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
-# net.ipv6.conf.all.forwarding=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
@@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
 # How many global unicast IPv6 addresses can be assigned to each interface?
 net.ipv6.conf.default.max_addresses = 0
 net.ipv6.conf.all.max_addresses = 0
+
+# Enable forwarding, otherwise not all local route are examined
+net.ipv6.conf.default.forwarding=0
+net.ipv6.conf.all.forwarding=1
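Review bot: `net.ipv6.conf.all.forwarding=1` turns the node into an IPv6 router on every interface that exists when the file is applied, and the comment above it ("otherwise not all local route are examined") does not say that this is the intended side effect or how it is contained. As far as I recall the kernel semantics, writing conf.all.forwarding also overrides the per-interface value on existing interfaces, and an interface with forwarding enabled stops honouring router advertisements unless accept_ra=2, so the per-interface `forwarding = 0` that configurenetwork writes later is what keeps WAN autoconf working, and the `default.forwarding=0` on the line above only covers interfaces created afterwards. The containment therefore rests on the FORWARD DROP policy added in 06-disable-forwarding and on configurenetwork running after this file; the comment should state that, for example `# Enable IPv6 forwarding globally so all local routes are examined. Forwarding between interfaces is denied by the firewall (FORWARD policy DROP in firewall.d/06-disable-forwarding) and switched off per WAN interface by configurenetwork.`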
diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
new file mode 100644
index 0000000..793b0d8
--- /dev/null
+++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
@@ -0,0 +1,2 @@
+/sbin/iptables -P FORWARD DROP
+/sbin/ip6tables -P FORWARD DROP
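Review bot: Nothing in the commit establishes that this firewall.d script runs before the sysctl in 50-fff-network.conf takes effect, so if the firewall directory is processed after sysctl.d is applied there is a boot-time window in which IPv6 forwarding is enabled while the FORWARD chain still has the default ACCEPT policy; if fff-firewall is known to apply its scripts before the interfaces come up, the file should say so rather than leave the reader to check. The file also has no comment explaining that the policy alone forwards nothing and that every permitted path between interfaces must be opened by a later rule, which is the property the rest of the series depends on. Suggest a header line such as `# Default-deny forwarding: IPv6 forwarding is enabled globally via sysctl (50-fff-network.conf), so any traffic allowed to cross interfaces must be opened explicitly by a later firewall.d rule.`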
diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
index 38d7413..e0f2ba4 100755
--- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
+++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
@@ -40,6 +40,7 @@ setAutoConf() {
     echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
     echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
     echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
+    echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf
 
     /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
 }
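Review bot: The new line writes `forwarding = 0` unconditionally while the neighbouring accept_ra_pinfo, autoconf and accept_ra_rtr_pref lines follow `$on`, so a caller that invokes setAutoConf with `$on` set to 0 also turns off forwarding on that interface; if that is intended (the WAN interface should never forward, regardless of the autoconf state) a comment should say so, because a reader will otherwise take it for a typo and "fix" it to `$on`. The likely reason for forcing it off is that the kernel ignores router advertisements on an interface with forwarding enabled unless accept_ra is 2, so autoconf on the WAN depends on forwarding being off there; something like `# keep forwarding off on the WAN interface: with forwarding=1 the kernel ignores RAs (accept_ra=1), which would break autoconf, and the WAN must never forward anyway` would capture it. setAutoConf starts before this hunk, so the origin of `$iface` and `$on` is not visible here.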
-- 
2.11.0


