diff options
Diffstat (limited to 'package/firewall')
-rw-r--r-- | package/firewall/Makefile | 66 | ||||
-rw-r--r-- | package/firewall/files/firewall.config | 177 | ||||
-rw-r--r-- | package/firewall/files/firewall.hotplug | 10 | ||||
-rwxr-xr-x | package/firewall/files/firewall.init | 25 | ||||
-rw-r--r-- | package/firewall/files/firewall.user | 7 |
5 files changed, 285 insertions, 0 deletions
diff --git a/package/firewall/Makefile b/package/firewall/Makefile new file mode 100644 index 0000000000..18a86014cb --- /dev/null +++ b/package/firewall/Makefile @@ -0,0 +1,66 @@ +# +# Copyright (C) 2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall +PKG_VERSION:=2013-06-04 +PKG_RELEASE:=$(PKG_SOURCE_VERSION) + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=git://nbd.name/firewall3.git +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE_VERSION:=5ee2129eaa23a28bfef6d20c273cafc0be559b3d +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org> + + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/firewall + SECTION:=net + CATEGORY:=Base system + TITLE:=OpenWrt C Firewall + DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +endef + +define Package/firewall/description + This package provides a config-compatible C implementation of the UCI firewall. +endef + +define Package/firewall/conffiles +/etc/config/firewall +/etc/firewall.user +endef + +define Build/Configure + $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a) + $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a) + $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a) + $(call Build/Configure/Default) +endef + +TARGET_CFLAGS += -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections +CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1) + +define Package/firewall/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3 + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall + $(INSTALL_DIR) $(1)/etc/config/ + $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/ + $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user +endef + +$(eval $(call BuildPackage,firewall)) diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config new file mode 100644 index 0000000000..acfb5e5abd --- /dev/null +++ b/package/firewall/files/firewall.config @@ -0,0 +1,177 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + list network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + list network 'wan' + list network 'wan6' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/firewall/files/firewall.hotplug b/package/firewall/files/firewall.hotplug new file mode 100644 index 0000000000..34f3afec9b --- /dev/null +++ b/package/firewall/files/firewall.hotplug @@ -0,0 +1,10 @@ +#!/bin/sh + +[ "$ACTION" = ifup ] || exit 0 + +/etc/init.d/firewall enabled || exit 0 + +fw3 -q network "$INTERFACE" >/dev/null || exit 0 + +logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)" +fw3 -q reload diff --git a/package/firewall/files/firewall.init b/package/firewall/files/firewall.init new file mode 100755 index 0000000000..64e3a8c12b --- /dev/null +++ b/package/firewall/files/firewall.init @@ -0,0 +1,25 @@ +#!/bin/sh /etc/rc.common + +START=19 + +boot() { + # Be silent on boot, firewall might be started by hotplug already, + # so don't complain in syslog. + fw3 -q start +} + +start() { + fw3 start +} + +stop() { + fw3 flush +} + +restart() { + fw3 restart +} + +reload() { + fw3 reload +} diff --git a/package/firewall/files/firewall.user b/package/firewall/files/firewall.user new file mode 100644 index 0000000000..6f799063f5 --- /dev/null +++ b/package/firewall/files/firewall.user @@ -0,0 +1,7 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + +# Internal uci firewall chains are flushed and recreated on reload, so +# put custom rules into the root chains e.g. INPUT or FORWARD or into the +# special user chains, e.g. input_wan_rule or postrouting_lan_rule. |