packages/net/yggdrasil/files/yggdrasil.defaults
William Fleurant 2baab77b77 yggdrasil: uci firewall Section name and cover both IP versions
- rename the section instance to yggdrasil (feat. request)
- allow the zone to cover both the IPv4 and IPv6 families

Signed-off-by: William Fleurant <meshnet@protonmail.com>
2019-10-26 14:13:47 -04:00


#!/bin/sh
# Path of the yggdrasil node configuration this script generates on first boot.
yggConfig='/etc/yggdrasil.conf'
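#######################################
# Emit an initial yggdrasil.conf on stdout.
# Starts from `yggdrasil -genconf -json`, pins the interface name to ygg0 and
# fills NodeInfo with the board details reported by `ubus call system board`.
# NodeInfo is advertised to other Yggdrasil nodes, so the hostname, model and
# board name written here become visible to peers on the mesh.
# Globals:   kernel, hostname, system, model, board_name (written via json_get_var)
# Arguments: none
# Outputs:   the JSON configuration on stdout (nothing on failure)
# Returns:   1 when yggdrasil produced no configuration, else json_dump's status
#######################################
first_boot_genConfig()
{
	. /usr/share/libubox/jshn.sh
	# grep -v drops the generated NodeInfo line so it can be re-added below as an
	# object. NOTE(review): it also drops any other line containing "NodeInfo"
	# (e.g. a NodeInfoPrivacy entry, if present) — confirm that is intended.
	yggcfg=$(yggdrasil -genconf -json | grep -v NodeInfo)
	# Without a generated config there are no keys to write; bail out before
	# the caller redirects an empty/partial document into yggConfig.
	[ -n "$yggcfg" ] || return 1
	boardcfg=$(ubus call system board)
	json_load "$boardcfg"
	json_get_var kernel kernel
	json_get_var hostname hostname
	json_get_var system system
	json_get_var model model
	json_get_var board_name board_name
	json_load "$yggcfg"
	json_add_string "IfName" "ygg0"
	json_add_object "NodeInfo"
	json_add_string "kernel" "$kernel"
	json_add_string "hostname" "$hostname"
	json_add_string "system" "$system"
	json_add_string "model" "$model"
	json_add_string "board_name" "$board_name"
	json_close_object
	json_dump
}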
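# First-boot provisioning: only runs when no yggdrasil config exists yet.
if [ ! -e "${yggConfig}" ]; then
	echo "first_boot: adding system board details to NodeInfo[] in NEW config: ${yggConfig}" | logger -t yggdrasil
	# The generated config contains the node's private keys (yggdrasil -genconf
	# output), so create it owner-readable only. The umask change is confined to
	# the subshell so the uci calls below are unaffected.
	if ! ( umask 077; first_boot_genConfig > "${yggConfig}" ); then
		echo "first_boot: config generation failed, removing incomplete ${yggConfig}" | logger -t yggdrasil
		rm -f -- "${yggConfig}"
	fi
	# create the network interface; proto=none leaves addressing to yggdrasil
	uci -q batch <<-EOF >/dev/null
	set network.yggdrasil=interface
	set network.yggdrasil.ifname=ygg0
	set network.yggdrasil.proto=none
	EOF
	# create the firewall zone: no 'family' option, so it covers IPv4 and IPv6.
	# Inbound and forwarded traffic from the mesh is rejected by default; only
	# the explicit rules below open anything.
	uci -q batch <<-EOF >/dev/null
	set firewall.yggdrasil=zone
	set firewall.yggdrasil.name=yggdrasil
	add_list firewall.yggdrasil.network=yggdrasil
	set firewall.yggdrasil.input=REJECT
	set firewall.yggdrasil.output=ACCEPT
	set firewall.yggdrasil.forward=REJECT
	set firewall.yggdrasil.conntrack=1
	EOF
	# allow ICMPv6 from yggdrasil zone, e.g. ping6; rate-limited to 1000/sec
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
	set firewall.@rule[-1].src=yggdrasil
	set firewall.@rule[-1].proto=icmp
	add_list firewall.@rule[-1].icmp_type=echo-request
	add_list firewall.@rule[-1].icmp_type=echo-reply
	add_list firewall.@rule[-1].icmp_type=destination-unreachable
	add_list firewall.@rule[-1].icmp_type=packet-too-big
	add_list firewall.@rule[-1].icmp_type=time-exceeded
	add_list firewall.@rule[-1].icmp_type=bad-header
	add_list firewall.@rule[-1].icmp_type=unknown-header-type
	set firewall.@rule[-1].limit='1000/sec'
	set firewall.@rule[-1].family=ipv6
	set firewall.@rule[-1].target=ACCEPT
	EOF
	# allow SSH from yggdrasil zone; shipped disabled (enabled=0) because turning
	# it on exposes the router's SSH service to every node on the mesh
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
	set firewall.@rule[-1].src=yggdrasil
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=22
	set firewall.@rule[-1].target=ACCEPT
	EOF
	# allow LuCI access from yggdrasil zone; likewise disabled until explicitly
	# enabled, as it would expose the admin UI to the mesh
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
	set firewall.@rule[-1].src=yggdrasil
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=80
	set firewall.@rule[-1].target=ACCEPT
	EOF
	uci commit firewall
	uci commit network
fi
# Always 0 so the uci-defaults runner treats the script as applied.
exit 0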