[Freifunk-Bonn] /etc/config/firewall

edgar.soldin at web.de edgar.soldin at web.de
Do Mai 25 19:08:31 CEST 2023


hab mal ohne Firewall-Ersetzen gebaut, dann ohne Übernahme der Einstellungen geflasht.

die Default-Gluon-Firewall-Config unterscheidet sich schon etwas (siehe Anhang)

fahr jetzt erstmal über Pfingsten hinaus was durchs Land. danach werd ich dann mit den neuen Erkenntnissen versuchen, ne Beta2 zusammenzukleben, die auf Gluon v2022.1.4 basiert.

sowas.. sonnige ede
-------------- nächster Teil --------------

# /etc/config/firewall — OpenWrt UCI firewall configuration, attachment 1 of 2
# in this mail (the build flashed without the firewall-replacement step).
# Comment lines are review annotations; every config/option/list line is
# the original. Sections are assumed to be applied in file order, with
# explicit rules checked before a zone's default policy — confirm against
# the firewall implementation (fw3 or the nftables-based fw4) in the image.

# UDP 4789 (VXLAN) from the wan zone, limited to IPv6 link-local sources.
config rule 'wan_vxlan'
	option dest_port '4789'
	option src 'wan'
	option name 'wan_vxlan'
	option src_ip 'fe80::/64'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'udp'

# Same VXLAN rule for the wired_mesh zone (its network is listed further down).
config rule 'wired_mesh_vxlan'
	option dest_port '4789'
	option src 'wired_mesh'
	option name 'wired_mesh_vxlan'
	option src_ip 'fe80::/64'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'udp'

# Global defaults for traffic that no zone or rule matches: unsolicited
# input and forwarding are rejected, output is allowed, SYN-flood
# protection is switched on.
config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# 'lan' zone is fully open: anything on the 'lan' network may reach the
# node (input ACCEPT) and is forwarded (forward ACCEPT; the only
# forwarding entry below is lan -> wan).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream zone: input and forward rejected unless a rule below accepts
# them; masquerading (NAT), MSS clamping (mtu_fix) and conntrack enabled.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option conntrack '1'

# The only explicit forwarding path in this file.
config forwarding
	option src 'lan'
	option dest 'wan'

# The anonymous rules from here down to the /etc/firewall.user include
# look like the stock OpenWrt wan rule set (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6, IPsec).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 echo-request from wan, unlimited.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Duplicated verbatim by the named rule 'wan_igmp' below.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client traffic (UDP 546) from wan, here restricted to fc00::/6
# on both ends. The second attachment's copy of this rule carries no
# src_ip/dest_ip restriction at all.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD (ICMPv6 types 130-132 and 143) from link-local sources.
# Duplicated verbatim by the named rule 'wan_mld' below.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the node itself (echo, errors, ND), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded ICMPv6 (echo and error types only, no ND) from wan to any
# zone ('*'), same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec ESP and ISAKMP (UDP 500) forwarded from wan into the lan zone.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Script include: /etc/firewall.user is run as a shell script on every
# firewall reload, outside of UCI's view, so it deserves the same review
# as this file. NOTE(review): the nftables-based fw4 does not execute
# legacy script includes — confirm which firewall the image ships.
config include
	option path '/etc/firewall.user'

# Named duplicate of the anonymous Allow-IGMP rule above (identical
# match and target); harmless, but two copies to keep in sync.
config rule 'wan_igmp'
	option src 'wan'
	option name 'Allow-IGMP'
	option family 'ipv4'
	option target 'ACCEPT'
	option proto 'igmp'

# Named duplicate of the anonymous Allow-MLD rule above.
config rule 'wan_mld'
	option src 'wan'
	option name 'Allow-MLD'
	option src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# Zone 'mesh' holds only the 'client' network and has input ACCEPT:
# every listening service on the node is reachable from clients unless
# something else blocks it. The mesh_* ACCEPT rules below therefore
# appear to add nothing on top of the zone policy — presumably kept for
# symmetry with the other zones; verify before relying on them.
config zone 'mesh'
	option name 'mesh'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'client'
	option input 'ACCEPT'

# ICMPv6 from clients (echo, errors, ND and MLD types), rate-limited.
config rule 'mesh_ICMPv6_in'
	option src 'mesh'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# wired_mesh: network 'mesh_lan' in this attachment (the second one lists
# 'mesh_other'). Default-reject; only wired_mesh_vxlan and the ICMPv6
# rule below open it.
config zone 'wired_mesh'
	option name 'wired_mesh'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'mesh_lan'

config rule 'wired_mesh_ICMPv6_in'
	option src 'wired_mesh'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# SSH (TCP 22) accepted from the wan zone for both address families with
# no source restriction — unlike wan_vxlan/wan_respondd, which are
# limited to fe80::/64. This exposes the node's SSH service to the
# upstream network; if that is unintended, restrict src_ip or drop it.
config rule 'wan_ssh'
	option dest_port '22'
	option src 'wan'
	option name 'wan_ssh'
	option target 'ACCEPT'
	option proto 'tcp'

# SSH from clients; redundant under the mesh zone's input ACCEPT.
config rule 'mesh_ssh'
	option dest_port '22'
	option src 'mesh'
	option name 'mesh_ssh'
	option target 'ACCEPT'
	option proto 'tcp'

# Catch-all zone dropping every direction; no network is attached to it
# anywhere in this file.
config zone 'drop'
	option name 'drop'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

# respondd replies: UDP from source port 1001 and a link-local source
# into the ephemeral range 32768:61000. No family option is set, but the
# fe80::/64 src_ip presumably confines the rule to IPv6 — verify.
config rule 'wan_respondd_reply'
	option src_port '1001'
	option src 'wan'
	option name 'wan_respondd_reply'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '32768:61000'

config rule 'mesh_respondd_reply'
	option src_port '1001'
	option src 'mesh'
	option name 'mesh_respondd_reply'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '32768:61000'

# respondd requests (UDP 1001) on wan, link-local sources only.
config rule 'wan_respondd'
	option dest_port '1001'
	option src 'wan'
	option name 'wan_respondd'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'

# respondd requests from the loc_client zone, link-local sources only.
config rule 'client_respondd'
	option dest_port '1001'
	option name 'client_respondd'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'loc_client'

# respondd requests from clients: link-local sources, and separately
# the fdff::/64 prefix.
config rule 'mesh_respondd_ll'
	option dest_port '1001'
	option src 'mesh'
	option name 'mesh_respondd_ll'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'

config rule 'mesh_respondd_siteprefix'
	option dest_port '1001'
	option src 'mesh'
	option name 'mesh_respondd_siteprefix'
	option src_ip 'fdff::/64'
	option target 'ACCEPT'
	option proto 'udp'

# iptables-restore style include (IPv4) from the mesh-vpn directory.
# NOTE(review): fw4 does not process 'restore' includes; on an fw4
# image the rules in that file would silently not be installed.
config include 'mesh_vpn_dns'
	option family 'ipv4'
	option type 'restore'
	option path '/lib/gluon/mesh-vpn/iptables.rules'

# HTTP (TCP 80) from clients; no 'name' option, unlike the ssh rules.
config rule 'mesh_http'
	option dest_port '80'
	option src 'mesh'
	option target 'ACCEPT'
	option proto 'tcp'

# loc_client: network 'local_node', default-reject; only the
# loc_client_* rules and client_respondd above open it.
config zone 'loc_client'
	option name 'loc_client'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'local_node'

config rule 'loc_client_ICMPv6_in'
	option src 'loc_client'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# IPv4 ICMP: echo-request only, no rate limit.
config rule 'loc_client_ICMPv4_in'
	option src 'loc_client'
	option family 'ipv4'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'

# SSH and HTTP from the local_node network.
config rule 'loc_client_ssh'
	option dest_port '22'
	option src 'loc_client'
	option name 'loc_client_ssh'
	option target 'ACCEPT'
	option proto 'tcp'

config rule 'loc_client_http'
	option dest_port '80'
	option src 'loc_client'
	option target 'ACCEPT'
	option proto 'tcp'

-------------- nächster Teil --------------

# /etc/config/firewall — OpenWrt UCI firewall configuration, attachment 2 of 2
# in this mail (the default Gluon firewall config referred to in the
# message). Comment lines are review annotations; every config/option/
# list line is the original. Differences from attachment 1 worth noting:
# Allow-DHCPv6 has no address restriction, a disabled
# Support-UDP-Traceroute rule is present, wired_mesh lists 'mesh_other'
# instead of 'mesh_lan', and the section order differs. Sections are
# assumed to be applied in file order, with explicit rules checked before
# a zone's default policy — confirm against the firewall implementation
# (fw3 or the nftables-based fw4) in the image.

# UDP 4789 (VXLAN) from the wan zone, limited to IPv6 link-local sources.
config rule 'wan_vxlan'
	option dest_port '4789'
	option src 'wan'
	option name 'wan_vxlan'
	option src_ip 'fe80::/64'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'udp'

# Same VXLAN rule for the wired_mesh zone (its network is listed further down).
config rule 'wired_mesh_vxlan'
	option dest_port '4789'
	option src 'wired_mesh'
	option name 'wired_mesh_vxlan'
	option src_ip 'fe80::/64'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'udp'

# Global defaults for traffic that no zone or rule matches: unsolicited
# input and forwarding are rejected, output is allowed, SYN-flood
# protection is switched on.
config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# 'lan' zone is fully open: anything on the 'lan' network may reach the
# node (input ACCEPT) and is forwarded (forward ACCEPT; the only
# forwarding entry below is lan -> wan).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream zone: input and forward rejected unless a rule below accepts
# them; masquerading (NAT), MSS clamping (mtu_fix) and conntrack enabled.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option conntrack '1'

# The only explicit forwarding path in this file.
config forwarding
	option src 'lan'
	option dest 'wan'

# The anonymous rules from here down to the /etc/firewall.user include
# look like the stock OpenWrt wan rule set (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6, IPsec, traceroute).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 echo-request from wan, unlimited.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Duplicated verbatim by the named rule 'wan_igmp' below.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client traffic (UDP 546) from wan, accepted from any IPv6
# source — attachment 1 restricts both ends to fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD (ICMPv6 types 130-132 and 143) from link-local sources.
# Duplicated verbatim by the named rule 'wan_mld' below.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the node itself (echo, errors, ND), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded ICMPv6 (echo and error types only, no ND) from wan to any
# zone ('*'), same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec ESP and ISAKMP (UDP 500) forwarded from wan into the lan zone.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Present but switched off (enabled 'false'): would answer UDP
# traceroute probes on 33434:33689 with a REJECT instead of silently
# dropping them. Not in attachment 1.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Script include: /etc/firewall.user is run as a shell script on every
# firewall reload, outside of UCI's view, so it deserves the same review
# as this file. NOTE(review): the nftables-based fw4 does not execute
# legacy script includes — confirm which firewall the image ships.
config include
	option path '/etc/firewall.user'

# Named duplicate of the anonymous Allow-IGMP rule above (identical
# match and target); harmless, but two copies to keep in sync.
config rule 'wan_igmp'
	option src 'wan'
	option name 'Allow-IGMP'
	option family 'ipv4'
	option target 'ACCEPT'
	option proto 'igmp'

# Named duplicate of the anonymous Allow-MLD rule above.
config rule 'wan_mld'
	option src 'wan'
	option name 'Allow-MLD'
	option src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# Zone 'mesh' holds only the 'client' network and has input ACCEPT:
# every listening service on the node is reachable from clients unless
# something else blocks it. The mesh_* ACCEPT rules below therefore
# appear to add nothing on top of the zone policy — presumably kept for
# symmetry with the other zones; verify before relying on them.
config zone 'mesh'
	option name 'mesh'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'client'
	option input 'ACCEPT'

# ICMPv6 from clients (echo, errors, ND and MLD types), rate-limited.
config rule 'mesh_ICMPv6_in'
	option src 'mesh'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# loc_client: network 'local_node', default-reject; only the
# loc_client_* rules and client_respondd below open it.
config zone 'loc_client'
	option name 'loc_client'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'local_node'

config rule 'loc_client_ICMPv6_in'
	option src 'loc_client'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# wired_mesh: network 'mesh_other' in this attachment (attachment 1
# lists 'mesh_lan'). Default-reject; only wired_mesh_vxlan and the
# ICMPv6 rule below open it.
config zone 'wired_mesh'
	option name 'wired_mesh'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'mesh_other'

config rule 'wired_mesh_ICMPv6_in'
	option src 'wired_mesh'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# IPv4 ICMP: echo-request only, no rate limit.
config rule 'loc_client_ICMPv4_in'
	option src 'loc_client'
	option family 'ipv4'
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'

# SSH (TCP 22) accepted from the wan zone for both address families with
# no source restriction — unlike wan_vxlan/wan_respondd, which are
# limited to fe80::/64. This exposes the node's SSH service to the
# upstream network; if that is unintended, restrict src_ip or drop it.
config rule 'wan_ssh'
	option dest_port '22'
	option src 'wan'
	option name 'wan_ssh'
	option target 'ACCEPT'
	option proto 'tcp'

# SSH from the local_node network.
config rule 'loc_client_ssh'
	option dest_port '22'
	option src 'loc_client'
	option name 'loc_client_ssh'
	option target 'ACCEPT'
	option proto 'tcp'

# SSH from clients; redundant under the mesh zone's input ACCEPT.
config rule 'mesh_ssh'
	option dest_port '22'
	option src 'mesh'
	option name 'mesh_ssh'
	option target 'ACCEPT'
	option proto 'tcp'

# Catch-all zone dropping every direction; no network is attached to it
# anywhere in this file.
config zone 'drop'
	option name 'drop'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

# respondd replies: UDP from source port 1001 and a link-local source
# into the ephemeral range 32768:61000. No family option is set, but the
# fe80::/64 src_ip presumably confines the rule to IPv6 — verify.
config rule 'wan_respondd_reply'
	option src_port '1001'
	option src 'wan'
	option name 'wan_respondd_reply'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '32768:61000'

config rule 'mesh_respondd_reply'
	option src_port '1001'
	option src 'mesh'
	option name 'mesh_respondd_reply'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '32768:61000'

# respondd requests (UDP 1001) on wan, link-local sources only.
config rule 'wan_respondd'
	option dest_port '1001'
	option src 'wan'
	option name 'wan_respondd'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'

# respondd requests from the loc_client zone, link-local sources only.
config rule 'client_respondd'
	option dest_port '1001'
	option src 'loc_client'
	option name 'client_respondd'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'

# respondd requests from clients: link-local sources, and separately
# the fdff::/64 prefix.
config rule 'mesh_respondd_ll'
	option dest_port '1001'
	option src 'mesh'
	option name 'mesh_respondd_ll'
	option src_ip 'fe80::/64'
	option target 'ACCEPT'
	option proto 'udp'

config rule 'mesh_respondd_siteprefix'
	option dest_port '1001'
	option src 'mesh'
	option name 'mesh_respondd_siteprefix'
	option src_ip 'fdff::/64'
	option target 'ACCEPT'
	option proto 'udp'

# iptables-restore style include (IPv4) from the mesh-vpn directory.
# NOTE(review): fw4 does not process 'restore' includes; on an fw4
# image the rules in that file would silently not be installed.
config include 'mesh_vpn_dns'
	option family 'ipv4'
	option type 'restore'
	option path '/lib/gluon/mesh-vpn/iptables.rules'

# HTTP (TCP 80) from clients; no 'name' option, unlike the ssh rules.
config rule 'mesh_http'
	option dest_port '80'
	option src 'mesh'
	option target 'ACCEPT'
	option proto 'tcp'

# HTTP from the local_node network.
config rule 'loc_client_http'
	option dest_port '80'
	option src 'loc_client'
	option target 'ACCEPT'
	option proto 'tcp'


