#!/bin/sh # Set REJECT as default rule if an interface is not in a zone uci -q batch <<-EOF >/dev/null set firewall.@defaults[0].input='REJECT' set firewall.@defaults[0].output='REJECT' set firewall.@defaults[0].forward='REJECT' EOF if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then uci -q batch <<-EOF >/dev/null del firewall.@zone[2] commit firewall EOF fi if [ "$(uci -q get firewall.@zone[1].name)" = "wan" ]; then uci -q batch <<-EOF >/dev/null rename firewall.@zone[1]="zone_wan" commit firewall EOF fi if [ "$(uci -q show firewall.zone_wan | grep wan6)" != "" ] && [ "$(uci -q get network.wan6)" = "" ]; then uci -q batch <<-EOF >/dev/null del_list firewall.zone_wan.network="wan6" commit firewall EOF fi if [ "$(uci -q show firewall.zone_wan | grep wan)" != "" ] && [ "$(uci -q get network.wan)" = "" ]; then uci -q batch <<-EOF >/dev/null del_list firewall.zone_wan.network="wan" commit firewall EOF fi if [ "$(uci -q get firewall.@zone[0].name)" = "lan" ]; then uci -q batch <<-EOF >/dev/null rename firewall.@zone[0]="zone_lan" commit firewall EOF fi if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.zone_vpn=zone set firewall.zone_vpn.name=vpn add_list firewall.zone_vpn.network=omrvpn add_list firewall.zone_vpn.network=omr6in4 set firewall.zone_vpn.masq=1 set firewall.zone_vpn.input=REJECT set firewall.zone_vpn.forward=ACCEPT set firewall.zone_vpn.output=ACCEPT commit firewall EOF fi if [ "$(uci -q get firewall.@rule[5].name)" = "Allow-ICMPv6-Input" ]; then uci -q batch <<-EOF >/dev/null del firewall.@rule[5] commit firewall EOF fi if [ "$(uci -q get firewall.@rule[6].name)" = "Allow-ICMPv6-Forward" ]; then uci -q batch <<-EOF >/dev/null del firewall.@rule[6] commit firewall EOF fi if [ "$(uci -q show firewall | grep Allow-All-Ping)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='Allow-All-Ping' set firewall.@rule[-1].proto='icmp' set firewall.@rule[-1].dest='*' set firewall.@rule[-1].src='*' set firewall.@rule[-1].icmp_type='echo-request' set firewall.@rule[-1].limit='1000/sec' commit firewall EOF fi if [ "$(uci -q show firewall | grep Allow-VPN-ICMP)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='Allow-VPN-ICMP' set firewall.@rule[-1].proto='icmp' set firewall.@rule[-1].src='vpn' commit firewall EOF fi if [ "$(uci -q show firewall | grep Allow-Lan-to-Wan)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='Allow-Lan-to-Wan' set firewall.@rule[-1].dest='wan' set firewall.@rule[-1].src='lan' set firewall.@rule[-1].proto='all' commit firewall EOF fi if [ "$(uci -q show firewall | grep ICMPv6-Lan-to-OMR)" = "" ]; then uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled='1' set firewall.@rule[-1].target='ACCEPT' set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR' set firewall.@rule[-1].src='lan' set firewall.@rule[-1].family='ipv6' set firewall.@rule[-1].proto='icmp' set firewall.@rule[-1].limit='1000/sec' set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded' commit firewall EOF fi #uci -q batch <<-EOF >/dev/null # del_list firewall.zone_wan.masq_dest='!10.0.0.0/8' # del_list firewall.zone_wan.masq_dest='!172.16.0.0/12' # del_list firewall.zone_wan.masq_dest='!192.168.0.0/16' # add_list firewall.zone_wan.masq_dest='!10.0.0.0/8' # add_list firewall.zone_wan.masq_dest='!172.16.0.0/12' # add_list firewall.zone_wan.masq_dest='!192.168.0.0/16' #EOF if [ "$(ubus call system board | jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] || [ "$(ubus call system board | jsonfilter -e '@.board_name' | grep -i wrt)" != "" ]; then uci -q batch <<-EOF >/dev/null set firewall.@defaults[0].flow_offloading='1' set firewall.@defaults[0].flow_offloading_hw='1' EOF fi if [ "$(uci -q get firewall.omr_server)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.omr_server=include set firewall.omr_server.path=/etc/firewall.omr-server set firewall.omr_server.reload=1 commit firewall EOF fi if [ "$(uci -q get firewall.gre_tunnel)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.gre_tunnel=include set firewall.gre_tunnel.path=/etc/firewall.gre-tunnel set firewall.gre_tunnel.reload=0 commit firewall EOF fi if [ "$(uci -q get firewall.ttl)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.ttl=include set firewall.ttl.path=/etc/firewall.ttl set firewall.ttl.reload=1 commit firewall EOF fi if [ "$(uci -q get firewall.fwlantovpn)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.zone_lan.auto_helper='0' set firewall.fwlantovpn=forwarding set firewall.fwlantovpn.src='lan' set firewall.fwlantovpn.dest='vpn' commit firewall EOF fi if [ "$(uci -q get firewall.blockquicproxy)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.blockquicproxy=rule set firewall.blockquicproxy.name='Block QUIC Proxy' set firewall.blockquicproxy.proto='udp' set firewall.blockquicproxy.dest_port='443' set firewall.blockquicproxy.target='DROP' set firewall.blockquicproxy.src='lan' set firewall.blockquicall=rule set firewall.blockquicall.name='Block QUIC All' set firewall.blockquicall.proto='udp' set firewall.blockquicall.src='*' set firewall.blockquicall.dest='*' set firewall.blockquicall.dest_port='443' set firewall.blockquicall.target='DROP' commit firewall EOF fi if [ "$(uci -q get firewall.allowicmpipv6)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.allowicmpipv6=rule set firewall.allowicmpipv6.proto='icmp' set firewall.allowicmpipv6.target='ACCEPT' set firewall.allowicmpipv6.src='wan' set firewall.allowicmpipv6.name='Allow IPv6 ICMP' set firewall.allowicmpipv6.family='ipv6' set firewall.@rule[-1].limit='1000/sec' set firewall.allowicmpipv6.icmp_type='neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation' commit firewall EOF fi if [ "$(uci -q get firewall.allowdhcpv6546)" = "" ]; then uci -q batch <<-EOF >/dev/null set firewall.allowdhcpv6546=rule set firewall.allowdhcpv6546.target='ACCEPT' set firewall.allowdhcpv6546.src='wan' set firewall.allowdhcpv6546.proto='udp' set firewall.allowdhcpv6546.dest_port='547' set firewall.allowdhcpv6546.name='Allow DHCPv6 (546-to-547)' set firewall.allowdhcpv6546.family='ipv6' set firewall.allowdhcpv6546.src_port='546' set firewall.allowdhcpv6547=rule set firewall.allowdhcpv6547.target='ACCEPT' set firewall.allowdhcpv6547.src='wan' set firewall.allowdhcpv6547.proto='udp' set firewall.allowdhcpv6547.dest_port='546' set firewall.allowdhcpv6547.name='Allow DHCPv6 (547-to-546)' set firewall.allowdhcpv6547.family='ipv6' set firewall.allowdhcpv6547.src_port='547' commit firewall EOF fi # Fix firewall config from some old config allintf=$(uci -q get firewall.zone_wan.network) uci -q del firewall.zone_wan.network for intf in $allintf; do uci -q add_list firewall.zone_wan.network="${intf}" done allintf=$(uci -q get firewall.zone_vpn.network) uci -q del firewall.zone_vpn.network for intf in $allintf; do uci -q add_list firewall.zone_vpn.network="${intf}" done uci -q batch <<-EOF >/dev/null set firewall.zone_lan.mtu_fix='1' set firewall.zone_vpn.mtu_fix='1' set firewall.@include[0].reload='1' commit firewall EOF if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "" ]; then uci -q batch <<-EOF >/dev/null set openmptcprouter.settings.sipalg='1' commit openmptcprouter EOF fi if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "0" ]; then uci -q batch <<-EOF >/dev/null set firewall.zone_lan.auto_helper='0' set firewall.zone_wan.auto_helper='0' set firewall.zone_vpn.auto_helper='0' commit firewall EOF rmmod nf_nat_sip 2>&1 >/dev/null rmmod nf_conntrack_sip 2>&1 >/dev/null fi rm -f /tmp/luci-indexcache exit 0