[PATCH 3/3] Move node-specific firewall rules to fff-node

Fabian Bläse fabian at blaese.de
Sun Sep 8 20:34:43 CEST 2019


Right, but all of those rules only filter things against bat0, which does not exist in the gateway firmware at all as of today.

In general there is very little to firewall in the gateway firmware anyway. The whole fdff stuff does not need to be filtered (without batman), since the layer 2 network is not tunnelled in any case.
The only thing that might be interesting is a

  iptables -A FORWARD -o <WANIF> -j REJECT --reject-with icmp-net-unreachable
  ip6tables -A FORWARD -o <WANIF> -j REJECT --reject-with no-route

to prevent non-tunnel packets from ever leaking out of the WAN interface.

Regards
Fabian
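The two reject rules above, as an added example that is not part of this mail or of the fff firmware: a POSIX sh snippet that emits the rules for a given WAN interface, applies them idempotently (check with -C before appending), and verifies an iptables-save dump for their presence. The interface name eth0.2 and the dump text are constructed sample values, not taken from a real node.

```shell
#!/bin/sh
# Added example, not code from the patch or the fff firmware.

# Print the two FORWARD reject rules (IPv4 and IPv6) for a WAN interface.
fff_wan_reject_rules() {
    wanif="$1"
    printf 'iptables -A FORWARD -o %s -j REJECT --reject-with icmp-net-unreachable\n' "$wanif"
    printf 'ip6tables -A FORWARD -o %s -j REJECT --reject-with no-route\n' "$wanif"
}

# Idempotent apply: append each rule only if -C reports it is missing,
# so re-running the script (e.g. from a firewall.d hook) does not duplicate it.
fff_wan_reject_apply() {
    wanif="$1"
    iptables  -C FORWARD -o "$wanif" -j REJECT --reject-with icmp-net-unreachable 2>/dev/null ||
    iptables  -A FORWARD -o "$wanif" -j REJECT --reject-with icmp-net-unreachable
    ip6tables -C FORWARD -o "$wanif" -j REJECT --reject-with no-route 2>/dev/null ||
    ip6tables -A FORWARD -o "$wanif" -j REJECT --reject-with no-route
}

# Compliance check: read an iptables-save dump on stdin and return 0 if the
# FORWARD chain rejects traffic leaving via the WAN interface, 1 otherwise.
fff_wan_reject_present() {
    wanif="$1"
    grep -q -- "^-A FORWARD -o $wanif -j REJECT --reject-with"
}

# Constructed sample dumps (not captured from a real node).
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0.2 -j REJECT --reject-with icmp-net-unreachable
COMMIT'
SAMPLE_MISSING='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0.2 -j ACCEPT
COMMIT'
```

Run fff_wan_reject_apply as root on the node, and feed `iptables-save` to fff_wan_reject_present to audit a node without changing anything.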

On 08.09.19 16:59, Tim Niemeyer wrote:
> Hmm.. There are also things with fdff::1 in there.. Those are also in
> configurenetwork. I'm not sure, but I have the feeling it is not that
> simple.
> 
> Tim
> 
> On Sunday, 08.09.2019, 15:08 +0200, Fabian Bläse wrote:
>> Signed-off-by: Fabian Bläse <fabian at blaese.de>
>> ---
>>  .../files/usr/lib/firewall.d/06-disable-forwarding                |
>> 0
>>  .../files/usr/lib/firewall.d/30-client-dhcp                       |
>> 0
>>  .../files/usr/lib/firewall.d/30-client-dhcpv6                     |
>> 0
>>  .../files/usr/lib/firewall.d/30-client-ra                         |
>> 0
>>  .../files/usr/lib/firewall.d/31-node-dhcp                         |
>> 0
>>  .../files/usr/lib/firewall.d/31-node-dhcpv6                       |
>> 0
>>  .../files/usr/lib/firewall.d/31-node-ra                           |
>> 0
>>  .../fff/{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc |
>> 0
>>  .../{fff-firewall => fff-node}/files/usr/lib/firewall.d/35-mc-arp |
>> 0
>>  .../files/usr/lib/firewall.d/35-mc-ping                           |
>> 0
>>  .../files/usr/lib/firewall.d/40-local-node                        |
>> 0
>>  11 files changed, 0 insertions(+), 0 deletions(-)
>>  rename src/packages/fff/{fff-network => fff-
>> node}/files/usr/lib/firewall.d/06-disable-forwarding (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/30-client-dhcp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/30-client-dhcpv6 (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/30-client-ra (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/31-node-dhcp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/31-node-dhcpv6 (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/31-node-ra (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/35-mc (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/35-mc-arp (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/35-mc-ping (100%)
>>  rename src/packages/fff/{fff-firewall => fff-
>> node}/files/usr/lib/firewall.d/40-local-node (100%)
>>
>> diff --git a/src/packages/fff/fff-
>> network/files/usr/lib/firewall.d/06-disable-forwarding
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-
>> forwarding
>> similarity index 100%
>> rename from src/packages/fff/fff-network/files/usr/lib/firewall.d/06-
>> disable-forwarding
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/06-
>> disable-forwarding
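Review bot: this rename takes 06-disable-forwarding out of fff-network while the other ten files come from fff-firewall, and the commit message consists of a Signed-off-by line only; it should state why that rule lived in fff-network, whether fff-network still needs forwarding disabled once the file moves to fff-node, and why all eleven rules are node-specific. Tim's point above that the fdff::1 rules also appear in configurenetwork means a pure rename may leave duplicated rules in one place and orphaned ones in the other, so the message should say how the two are reconciled.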
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcp
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
>> client-dhcp
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcpv6
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-dhcpv6
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
>> client-dhcpv6
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-ra
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/30-client-ra
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/30-
>> client-ra
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcp
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
>> dhcp
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcpv6
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-dhcpv6
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
>> dhcpv6
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/31-node-ra
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/31-node-ra
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-
>> ra
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/35-mc
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/35-mc-arp
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-arp
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-
>> arp
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-
>> node/files/usr/lib/firewall.d/35-mc-ping
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/35-mc-ping
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-
>> ping
>> diff --git a/src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/40-local-node
>> b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
>> similarity index 100%
>> rename from src/packages/fff/fff-
>> firewall/files/usr/lib/firewall.d/40-local-node
>> rename to src/packages/fff/fff-node/files/usr/lib/firewall.d/40-
>> local-node
