#!/bin/sh # Set REJECT as default rule if an interface is not in a zone uci -q batch <<-EOF >/dev/null set firewall.@defaults[0].input='REJECT' set firewall.@defaults[0].output='REJECT' set firewall.@defaults[0].forward='REJECT' EOF if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then uci -q batch <<-EOF >/dev/null del firewall.@zone[2] commit firewall EOF fi if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.zone_vpn=zone set firewall.zone_vpn.name=vpn set firewall.zone_vpn.network=glorytun set firewall.zone_vpn.masq=1 set firewall.zone_vpn.input=REJECT set firewall.zone_vpn.forward=ACCEPT set firewall.zone_vpn.output=ACCEPT commit firewall EOF fi if [ "$(uci -q get firewall.@rule[5].name)" = "Allow-ICMPv6-Input" ]; then uci -q batch <<-EOF >/dev/null del firewall.@rule[5] commit firewall EOF fi if [ "$(uci -q get firewall.@rule[6].name)" = "Allow-ICMPv6-Forward" ]; then uci -q batch <<-EOF >/dev/null del firewall.@rule[6] commit firewall EOF fi if [ "$(uci -q show firewall | grep Allow-All-Ping)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='Allow-All-Ping' set firewall.@rule[-1].proto='icmp' set firewall.@rule[-1].dest='*' set firewall.@rule[-1].src='*' set firewall.@rule[-1].icmp_type='echo-request' commit firewall EOF fi if [ "$(uci -q show firewall | grep Allow-VPN-ICMP)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='Allow-VPN-ICMP' set firewall.@rule[-1].proto='icmp' set firewall.@rule[-1].src='vpn' commit firewall EOF fi if [ "$(uci -q show firewall | grep Allow-Lan-to-Wan)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='Allow-Lan-to-Wan' set firewall.@rule[-1].dest='wan' set firewall.@rule[-1].src='lan' commit firewall EOF fi if [ "$(uci -q show firewall | grep ICMPv6-Lan-to-OMR)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR' set firewall.@rule[-1].src='lan' set firewall.@rule[-1].family='ipv6' set firewall.@rule[-1].proto='icmp' set firewall.@rule[-1].limit='1000/sec' set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded' commit firewall EOF fi uci -q batch <<-EOF >/dev/null del_list firewall.wan.masq_dest='!10.0.0.0/8' del_list firewall.wan.masq_dest='!172.16.0.0/12' del_list firewall.wan.masq_dest='!192.168.0.0/16' add_list firewall.wan.masq_dest='!10.0.0.0/8' add_list firewall.wan.masq_dest='!172.16.0.0/12' add_list firewall.wan.masq_dest='!192.168.0.0/16' EOF if [ "$(ubus call system board | jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] || [ "$(ubus call system board | jsonfilter -e '@.board_name' | grep -i wrt)" != "" ]; then uci -q batch <<-EOF >/dev/null set firewall.@defaults[0].flow_offloading='1' set firewall.@defaults[0].flow_offloading_hw='1' EOF fi if [ "$(uci -q get firewall.omr_server)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.omr_server=include set firewall.omr_server.path=/etc/firewall.omr-server set firewall.omr_server.reload=1 commit firewall EOF fi if [ "$(uci -q get firewall.gre_tunnel)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.gre_tunnel=include set firewall.gre_tunnel.path=/etc/firewall.gre-tunnel set firewall.gre_tunnel.reload=1 commit firewall EOF fi uci -q batch <<-EOF >/dev/null set firewall.@zone[0].mtu_fix='1' set firewall.zone_vpn.mtu_fix='1' EOF rm -f /tmp/luci-indexcache exit 0