mptcp/openmptcprouter-feeds
1
0
Fork 0
mirror of https://github.com/Ysurac/openmptcprouter-feeds.git synced 2025-03-09 15:40:03 +00:00
Code Issues Releases Wiki Activity
openmptcprouter-feeds/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall
Ycarus (Yannick Chabanois) 284fda5ec7 Fix firewall from update
2020-11-27 18:13:36 +01:00

174 lines
5.2 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh
# Set REJECT as default rule if an interface is not in a zone
uci -q batch <<-EOF >/dev/null
set firewall.@defaults[0].input='REJECT'
set firewall.@defaults[0].output='REJECT'
set firewall.@defaults[0].forward='REJECT'
EOF
if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then
uci -q batch <<-EOF >/dev/null
del firewall.@zone[2]
commit firewall
EOF
fi
if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then
uci -q batch <<-EOF >/dev/null
set firewall.zone_vpn=zone
set firewall.zone_vpn.name=vpn
set firewall.zone_vpn.network=glorytun
set firewall.zone_vpn.masq=1
set firewall.zone_vpn.input=REJECT
set firewall.zone_vpn.forward=ACCEPT
set firewall.zone_vpn.output=ACCEPT
commit firewall
EOF
fi
if [ "$(uci -q get firewall.@rule[5].name)" = "Allow-ICMPv6-Input" ]; then
uci -q batch <<-EOF >/dev/null
del firewall.@rule[5]
commit firewall
EOF
fi
if [ "$(uci -q get firewall.@rule[6].name)" = "Allow-ICMPv6-Forward" ]; then
uci -q batch <<-EOF >/dev/null
del firewall.@rule[6]
commit firewall
EOF
fi
if [ "$(uci -q show firewall | grep Allow-All-Ping)" = "" ]; then
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled='1'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].name='Allow-All-Ping'
set firewall.@rule[-1].proto='icmp'
set firewall.@rule[-1].dest='*'
set firewall.@rule[-1].src='*'
set firewall.@rule[-1].icmp_type='echo-request'
commit firewall
EOF
fi
if [ "$(uci -q show firewall | grep Allow-VPN-ICMP)" = "" ]; then
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled='1'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].name='Allow-VPN-ICMP'
set firewall.@rule[-1].proto='icmp'
set firewall.@rule[-1].src='vpn'
commit firewall
EOF
fi
if [ "$(uci -q show firewall | grep Allow-Lan-to-Wan)" = "" ]; then
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled='1'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].name='Allow-Lan-to-Wan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].src='lan'
commit firewall
EOF
fi
if [ "$(uci -q show firewall | grep ICMPv6-Lan-to-OMR)" = "" ]; then
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled='1'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].family='ipv6'
set firewall.@rule[-1].proto='icmp'
set firewall.@rule[-1].limit='1000/sec'
set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
commit firewall
EOF
fi
uci -q batch <<-EOF >/dev/null
del_list firewall.wan.masq_dest='!10.0.0.0/8'
del_list firewall.wan.masq_dest='!172.16.0.0/12'
del_list firewall.wan.masq_dest='!192.168.0.0/16'
add_list firewall.wan.masq_dest='!10.0.0.0/8'
add_list firewall.wan.masq_dest='!172.16.0.0/12'
add_list firewall.wan.masq_dest='!192.168.0.0/16'
EOF
if [ "$(ubus call system board | jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] || [ "$(ubus call system board | jsonfilter -e '@.board_name' | grep -i wrt)" != "" ]; then
uci -q batch <<-EOF >/dev/null
set firewall.@defaults[0].flow_offloading='1'
set firewall.@defaults[0].flow_offloading_hw='1'
EOF
fi
if [ "$(uci -q get firewall.omr_server)" = "" ]; then
uci -q batch <<-EOF >/dev/null
set firewall.omr_server=include
set firewall.omr_server.path=/etc/firewall.omr-server
set firewall.omr_server.reload=1
commit firewall
EOF
fi
if [ "$(uci -q get firewall.gre_tunnel)" = "" ]; then
uci -q batch <<-EOF >/dev/null
set firewall.gre_tunnel=include
set firewall.gre_tunnel.path=/etc/firewall.gre-tunnel
set firewall.gre_tunnel.reload=1
commit firewall
EOF
fi
if [ "$(uci -q get firewall.fwlantovpn)" = "" ]; then
uci -q batch <<-EOF >/dev/null
set firewall.@zone[0].auto_helper='0'
set firewall.fwlantovpn=forwarding
set firewall.fwlantovpn.src='lan'
set firewall.fwlantovpn.dest='vpn'
commit firewall
EOF
fi
if [ "$(uci -q get firewall.blockquicproxy)" = "" ]; then
uci -q batch <<-EOF >/dev/null
set firewall.blockquicproxy=rule
set firewall.blockquicproxy.name='Block QUIC Proxy'
set firewall.blockquicproxy.proto='udp'
set firewall.blockquicproxy.dest_port='443'
set firewall.blockquicproxy.target='DROP'
set firewall.blockquicproxy.src='lan'
set firewall.blockquicall=rule
set firewall.blockquicall.name='Block QUIC All'
set firewall.blockquicall.proto='udp'
set firewall.blockquicall.src='*'
set firewall.blockquicall.dest='*'
set firewall.blockquicall.dest_port='443'
set firewall.blockquicall.target='DROP'
commit firewall
EOF
fi
# Fix firewall config from some old config
allintf=$(uci -q get firewall.@zone[1].network)
uci -q del firewall.@zone[1].network
for intf in $allintf; do
uci -q add_list firewall.@zone[1].network=$intf
done
allintf=$(uci -q get firewall.zone_vpn.network)
uci -q del firewall.zone_vpn.network
for intf in $allintf; do
uci -q add_list firewall.zone_vpn.network=$intf
done
uci -q batch <<-EOF >/dev/null
set firewall.@zone[0].mtu_fix='1'
set firewall.zone_vpn.mtu_fix='1'
commit firewall
EOF
rm -f /tmp/luci-indexcache
exit 0
Reference in a new issue View git blame Copy permalink