1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 |
- #!/usr/bin/lua
- local uci = require('simple-uci').cursor()
- local function reject_input_on_wan(zone)
- if zone.name == 'wan' then
- uci:set('firewall', zone['.name'], 'input', 'REJECT')
- uci:set('firewall', zone['.name'], 'conntrack', true)
- end
- return true
- end
- uci:foreach('firewall', 'zone', reject_input_on_wan)
- -- the client zone is set up by gluon-client-bridge
- --
- uci:section('firewall', 'zone', 'mesh', {
- name = 'mesh',
- network = {},
- input = 'REJECT',
- output = 'ACCEPT',
- forward = 'REJECT',
- })
- -- allow inbound ssh from anywhere
- for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
- uci:section('firewall', 'rule', zone .. '_ssh', {
- name = zone .. '_ssh',
- src = zone,
- dest_port = '22',
- proto = 'tcp',
- target = 'ACCEPT',
- })
- end
- -- allow icmp in/out on all relevant zones
- uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
- src = 'local_client',
- proto = 'icmp',
- icmp_type = {
- 'echo-request',
- },
- family = 'ipv4',
- target = 'ACCEPT',
- })
- for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
- uci:section('firewall', 'rule', zone .. '_ICMPv6_in', {
- src = zone,
- proto = 'icmp',
- icmp_type = {
- 'echo-request',
- 'echo-reply',
- 'destination-unreachable',
- 'packet-too-big',
- 'time-exceeded',
- 'bad-header',
- 'unknown-header-type',
- 'router-solicitation',
- 'neighbour-solicitation',
- 'router-advertisement',
- 'neighbour-advertisement',
- '130/0', -- Multicast Listener Query
- '131/0', -- Multicast Listener Report
- '132/0', -- Multicast Listener Done
- '143/0', -- MLDv2
- },
- limit = '1000/sec',
- family = 'ipv6',
- target = 'ACCEPT',
- })
- -- Can be removed soon: was never in a release
- uci:delete('firewall', zone .. '_ICMPv6_out')
- end
- uci:save('firewall')