[RFC PATCH 5/5] fff-network: enable forwarding; filter forwarding

Tim Niemeyer tim at tn-x.org
Mi Feb 14 11:37:25 CET 2018


Hi

Am 14. Februar 2018 11:05:36 MEZ schrieb robert <rlanghammer at web.de>:
>Hi Tim,
>
>Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
>> Fixes #83
>> Signed-off-by: Tim Niemeyer <tim at tn-x.org>
>> ---
>>
>>  src/packages/fff/fff-network/Makefile                               
>| 2 +-
>>  src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf 
>| 5 ++++-
>>  .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding  
>| 2 ++
>>  src/packages/fff/fff-network/files/usr/sbin/configurenetwork        
>| 1 +
>>  4 files changed, 8 insertions(+), 2 deletions(-)
>>  create mode 100644
>src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>>
>> diff --git a/src/packages/fff/fff-network/Makefile
>b/src/packages/fff/fff-network/Makefile
>> index 348897d..980800a 100644
>> --- a/src/packages/fff/fff-network/Makefile
>> +++ b/src/packages/fff/fff-network/Makefile
>> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
>>      CATEGORY:=Freifunk
>>      TITLE:= Freifunk-Franken network configuration
>>      URL:=http://www.freifunk-franken.de
>> -    DEPENDS:=+fff-uradvd +fff-boardname
>> +    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
>>  endef
>>  
>>  define Package/$(PKG_NAME)/description
>> diff --git
>a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> index 7fe4725..4f1c24f 100644
>> ---
>a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> +++
>b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
>>  net.ipv4.icmp_echo_ignore_broadcasts=1
>>  net.ipv4.icmp_ignore_bogus_error_responses=1
>>  net.ipv4.ip_forward=0
>> -# net.ipv6.conf.all.forwarding=1
>>  
>>  # disable bridge firewalling by default
>>  net.bridge.bridge-nf-call-arptables=0
>> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
>>  # How many global unicast IPv6 addresses can be assigned to each
>interface?
>>  net.ipv6.conf.default.max_addresses = 0
>>  net.ipv6.conf.all.max_addresses = 0
>Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0
>ist
>ja unbegrenzt.

Also default lassen.. Denke ich auch.


>> +
>> +# Enable forwarding, otherwise not all local route are examined
>> +net.ipv6.conf.default.forwarding=0
>> +net.ipv6.conf.all.forwarding=1
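Review bot: The comment on the `+# Enable forwarding, otherwise not all local route are examined` line does not say what actually keeps the node from acting as a router once `net.ipv6.conf.all.forwarding=1` is in effect, which is the one thing a reader of this file needs to know; the drop policy lives in a different package file. I would make the comment carry that link: `# IPv6 forwarding is switched on only so the kernel consults all local routes; anything that would really be forwarded is dropped by the FORWARD policy in firewall.d/06-disable-forwarding`. The IPv4 side is asymmetric, `net.ipv4.ip_forward=0` stays in place a few lines above, so it may be worth one sentence in the comment stating that the route-lookup issue is IPv6-only, if that is indeed the case.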
>Das muss man umdrehen. conf.all ueberschreibt auch conf.default und
>dann
>ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein. Damit
>das IsRouter Flag nicht gesetzt wird.

Ich wollte es am liebsten auf allen Interfaces abschalten, aber das habe ich gestern nicht mehr hinbekommen. Deswegen ist das hier auch nur RFC.

Meinst du br-mesh zu nehmen reicht?

Tim


>Robert
>> diff --git
>a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>> new file mode 100644
>> index 0000000..793b0d8
>> --- /dev/null
>> +++
>b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>> @@ -0,0 +1,2 @@
>> +/sbin/iptables -P FORWARD DROP
>> +/sbin/ip6tables -P FORWARD DROP
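Review bot: The new file sets both FORWARD policies to DROP without a comment, although it is the only safeguard between `net.ipv6.conf.all.forwarding=1` in 50-fff-network.conf and real transit of IPv6 packets; a header such as `# Forwarding is enabled in sysctl (50-fff-network.conf) only so that all local routes are examined; drop anything that would actually be forwarded. The IPv4 line is defence in depth, ip_forward stays 0.` would record that. Nothing in the patch shows how fff-firewall runs the files in firewall.d, so whether a shebang or exec bit is needed, and whether a failing `ip6tables` call (e.g. module not loaded) aborts the firewall setup or is silently ignored, cannot be told from the hunk and is worth confirming. A DROP policy is also only as good as the rules any later firewall.d script appends to the FORWARD chain; if other scripts add ACCEPT rules there, this intent should be stated where they can see it.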
>> diff --git
>a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> index 38d7413..e0f2ba4 100755
>> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>> @@ -40,6 +40,7 @@ setAutoConf() {
>>      echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>>      echo "net.ipv6.conf.$iface.autoconf = $on" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>>      echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>> +    echo "net.ipv6.conf.$iface.forwarding = 0" >>
>/etc/sysctl.d/51-fff-network-wan.conf
>>  
>>      /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
>>  }
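Review bot: The added `echo "net.ipv6.conf.$iface.forwarding = 0"` hard-codes the value while the three echoes above it write `$on`, so forwarding is kept off on `$iface` whether autoconf is being switched on or off; that is presumably deliberate but deserves a comment, e.g. `# forwarding stays off on $iface regardless of $on: with forwarding=1 an interface only honours RAs when accept_ra=2`. The accept_ra relation is the usual kernel behaviour for the default accept_ra=1 and I have not checked what this script sets for accept_ra, so please confirm it applies here. The ordering also depends on 51-fff-network-wan.conf being applied after 50-fff-network.conf, since `conf.all.forwarding=1` resets every interface when it is written; if 50- is ever re-applied later, the per-interface 0 is lost. setAutoConf starts before the hunk, so where `$iface` and `$on` come from is not visible here.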

