-
Notifications
You must be signed in to change notification settings - Fork 5
/
firewall.uci
152 lines (128 loc) · 3.69 KB
/
firewall.uci
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
package firewall
# The firewall seperates the mesh from other networkss such es wan or lan.
# Mind, that this configuration is not trusted
# your mesh router can still be compromies i.e. by exploiting babeld.
# This allows unfiltered access to your wan network.
# Allow: fastd from wan (roaming, meshing using vpn)
config rule
option name 'fastd'
option src 'wan'
option dest_port '10000'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# Freifunk zone definition
# It has all the interfaces used for mesh routing (babel) and the central freifunk brdige.
config zone 'freifunk'
option forward 'ACCEPT'
option output 'ACCEPT'
option input 'REJECT'
option name 'freifunk'
list network 'freifunk'
list network 'babel_mesh'
list network 'babel_mesh5'
list network 'fastd'
option mtu_fix '1'
# In the freifunk zone, the router can be access by
# 1st Babel
config rule
option name 'Babel'
option src 'freifunk'
option proto 'udp'
option dest_port '6696'
option limit '1000/sec'
option target 'ACCEPT'
# 2nd IGMP
config rule
option name 'Allow IGMP (Freifunk)'
option src 'freifunk'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# 3rd ICMP
config rule
option name 'Allow ICMP (Freifunk)'
option src 'freifunk'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
# 4th DHCP
config rule
option name 'Allow DHCP request (Freifunk)'
option src 'freifunk'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# 5th ICMP v6
config rule
option name 'Allow-ICMPv6-Input (Freifunk)'
option src 'freifunk'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# 6th SSH (Mind setting a password)
config rule
option name 'Allow SSH (Freifunk)'
option src 'freifunk'
option dest_port '22'
option proto 'tcp'
option target 'ACCEPT'
# Internet exit through VPNs need another zone, since it has to by masquerade
config zone
option forward 'ACCEPT'
option output 'ACCEPT'
option input 'REJECT'
option name 'vpn'
option network 'vpn vpn6 vpn_pptp vpn_pptp6'
option masq '1'
option mtu_fix '1'
# In the VPN zone, some incoming traffic is allowed
# 1st ICMPv6 incoming
config rule
option name 'Allow-ICMPv6-Input (VPN)'
option src 'vpn'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# 1st ICMPv6 outgoing
config rule
option name 'Allow-ICMPv6-Output (VPN)'
option dest 'vpn'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# This allows accessing the internet to a vpn tunnel
config forwarding 'freifunk_internet'
option dest 'vpn'
option src 'freifunk'
# To allow direct access, change it to:
# config forwarding 'freifunk_internet'
# option dest 'wan'
# option src 'freifunk'
# Mind handling abuse
# To prevent direct exit traffic accessing your uplink network,
# RFC1918 and ULA addresses are blocked.
# Please mind, that accessing public IP addresses is allowed, still.
config rule
option name 'Do not forward freifunk traffic to RFC1918 address in WAN zone'
option src 'freifunk'
option dest 'wan'
list dest_ip '10.0.0.0/8'
list dest_ip '192.168.0.0/16'
list dest_ip '172.16.0.0/12'
option family 'ipv4'
option target 'REJECT'
option proto 'all'
config rule
option name 'Do not forward freifunk traffic to local ipv6-addresses in WAN zone'
option src 'freifunk'
option dest 'wan'
list dest_ip 'fc00::/7'
list dest_ip 'fec0::/10'
option family 'ipv6'
option target 'REJECT'
option proto 'all'