openmptcprouter-feeds/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall

#!/bin/sh

if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then
	uci -q batch <<-EOF >/dev/null
		del firewall.@zone[2]
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then
    uci -q batch <<-EOF >/dev/null
    set firewall.zone_vpn=zone
    set firewall.zone_vpn.name=vpn
    set firewall.zone_vpn.network=glorytun
    set firewall.zone_vpn.masq=1
    set firewall.zone_vpn.input=REJECT
    set firewall.zone_vpn.forward=ACCEPT
    set firewall.zone_vpn.output=ACCEPT
    commit firewall
    EOF
fi

if [ "$(uci -q show firewall | grep Allow-All-Ping)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-All-Ping'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].dest='*'
		set firewall.@rule[-1].src='*'
		set firewall.@rule[-1].icmp_type='echo-request'
		commit firewall
	EOF
fi
if [ "$(uci -q show firewall | grep Allow-VPN-ICMP)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-VPN-ICMP'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].src='vpn'
		commit firewall
	EOF
fi
if [ "$(uci -q show firewall | grep Allow-Lan-to-Wan)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-Lan-to-Wan'
		set firewall.@rule[-1].dest='wan'
		set firewall.@rule[-1].src='lan'
		commit firewall
	EOF
fi

if [ "$(uci -q show firewall | grep ICMPv6-Lan-to-OMR)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR'
		set firewall.@rule[-1].src='lan'
		set firewall.@rule[-1].family='ipv6'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].limit='1000/sec'
		set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
		commit firewall
	EOF
fi
uci -q batch <<-EOF >/dev/null
	del_list firewall.wan.masq_dest='!10.0.0.0/8'
	del_list firewall.wan.masq_dest='!172.16.0.0/12'
	del_list firewall.wan.masq_dest='!192.168.0.0/16'
	add_list firewall.wan.masq_dest='!10.0.0.0/8'
	add_list firewall.wan.masq_dest='!172.16.0.0/12'
	add_list firewall.wan.masq_dest='!192.168.0.0/16'
EOF
if [ "$(ubus call system board | jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] || [ "$(ubus call system board | jsonfilter -e '@.board_name' | grep -i wrt)" != "" ]; then
	uci -q batch <<-EOF >/dev/null
	set firewall.@defaults[0].flow_offloading='1'
	set firewall.@defaults[0].flow_offloading_hw='1'
	EOF
fi

uci -q batch <<-EOF >/dev/null
	set firewall.@zone[0].mtu_fix='1'
	set firewall.zone_vpn.mtu_fix='1'
EOF

rm -f /tmp/luci-indexcache

exit 0
Allow ping from anywhere by default 2018-03-21 10:04:29 +00:00			`#!/bin/sh`

Use firewall zone name 2018-06-07 14:53:32 +00:00			`if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`del firewall.@zone[2]`
			`commit firewall`
			`EOF`
			`fi`

			`if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.zone_vpn=zone`
			`set firewall.zone_vpn.name=vpn`
			`set firewall.zone_vpn.network=glorytun`
			`set firewall.zone_vpn.masq=1`
			`set firewall.zone_vpn.input=REJECT`
			`set firewall.zone_vpn.forward=ACCEPT`
			`set firewall.zone_vpn.output=ACCEPT`
			`commit firewall`
			`EOF`
			`fi`

Fix for packages updates and versions updates 2018-05-23 08:56:23 +00:00			`if [ "$(uci -q show firewall \| grep Allow-All-Ping)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='Allow-All-Ping'`
			`set firewall.@rule[-1].proto='icmp'`
			`set firewall.@rule[-1].dest='*'`
			`set firewall.@rule[-1].src='*'`
			`set firewall.@rule[-1].icmp_type='echo-request'`
			`commit firewall`
			`EOF`
			`fi`
Allow ICMP from VPN to OMR 2018-05-31 13:44:40 +00:00			`if [ "$(uci -q show firewall \| grep Allow-VPN-ICMP)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='Allow-VPN-ICMP'`
			`set firewall.@rule[-1].proto='icmp'`
			`set firewall.@rule[-1].src='vpn'`
			`commit firewall`
			`EOF`
			`fi`
Allow Lan to Wan 2018-05-28 15:27:14 +00:00			`if [ "$(uci -q show firewall \| grep Allow-Lan-to-Wan)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='Allow-Lan-to-Wan'`
			`set firewall.@rule[-1].dest='wan'`
			`set firewall.@rule[-1].src='lan'`
			`commit firewall`
			`EOF`
			`fi`
Accept ICMPv6 from LAN to router 2018-07-14 05:25:08 +00:00
			`if [ "$(uci -q show firewall \| grep ICMPv6-Lan-to-OMR)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR'`
			`set firewall.@rule[-1].src='lan'`
			`set firewall.@rule[-1].family='ipv6'`
			`set firewall.@rule[-1].proto='icmp'`
			`set firewall.@rule[-1].limit='1000/sec'`
			`set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'`
			`commit firewall`
			`EOF`
			`fi`
No masq for local IP 2018-08-16 14:57:53 +00:00			`uci -q batch <<-EOF >/dev/null`
			`del_list firewall.wan.masq_dest='!10.0.0.0/8'`
			`del_list firewall.wan.masq_dest='!172.16.0.0/12'`
			`del_list firewall.wan.masq_dest='!192.168.0.0/16'`
			`add_list firewall.wan.masq_dest='!10.0.0.0/8'`
			`add_list firewall.wan.masq_dest='!172.16.0.0/12'`
			`add_list firewall.wan.masq_dest='!192.168.0.0/16'`
			`EOF`
Force nat offload on wrt 2019-07-15 20:35:38 +00:00			`if [ "$(ubus call system board \| jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] \|\| [ "$(ubus call system board \| jsonfilter -e '@.board_name' \| grep -i wrt)" != "" ]; then`
Add HNAT by default for BPI-R2 2018-10-16 06:21:03 +00:00			`uci -q batch <<-EOF >/dev/null`
			`set firewall.@defaults[0].flow_offloading='1'`
			`set firewall.@defaults[0].flow_offloading_hw='1'`
			`EOF`
			`fi`
No masq for local IP 2018-08-16 14:57:53 +00:00
Set mtu fix by default 2019-05-21 19:37:45 +00:00			`uci -q batch <<-EOF >/dev/null`
			`set firewall.@zone[0].mtu_fix='1'`
			`set firewall.zone_vpn.mtu_fix='1'`
			`EOF`

Allow ping from anywhere by default 2018-03-21 10:04:29 +00:00			`rm -f /tmp/luci-indexcache`

			`exit 0`