packages/net/yggdrasil/files/yggdrasil.defaults
Paul Spooren aa4a59b715 routing-yggdrasil: add package
Yggdrasil builds end-to-end encrypted IPv6 networks. Beyond its
similarities with cjdns it uses a different routing algorithm: a
globally agreed spanning tree with greedy routing in a metric space.
Back-pressure routing techniques allow advanced link aggregation (bonding)
on a per-stream basis. In turn, a single stream can span multiple
network interfaces simultaneously, giving much greater throughput.

Authored by: William Fleurant <meshnet@protonmail.com>
Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-03-19 15:53:28 +01:00


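#!/bin/sh
# uci-defaults hook for the yggdrasil package.  The uci-defaults runner
# executes this once at boot, deletes it on a zero exit status and commits
# all pending uci changes afterwards, so this script must not 'uci commit'.
#
# Fresh install: generate /etc/yggdrasil.conf and add a 'yggdrasil' firewall
# zone that REJECTs input and forward by default, allows a rate-limited set
# of ICMPv6 types, and ships SSH/HTTP rules that are present but disabled.
# Config already present (e.g. preserved across a sysupgrade): do nothing.
#
# NOTE(review): the zone refers to a 'yggdrasil' network interface by name;
# that interface is expected to be defined elsewhere in the package.

yggConfig="/etc/yggdrasil.conf"

# Write a freshly generated config into place atomically.
# The generated file carries the node's private key material, so it is
# created 0600 (mktemp) and only renamed onto $yggConfig once yggdrasil has
# fully written it.  On failure no file is left behind: a stale empty config
# would satisfy the '-e' test below and silently skip the firewall setup on
# every later boot.  Assumes yggdrasil exits non-zero when it cannot
# generate a config (a missing binary also yields a non-zero status).
# Returns 0 on success, 1 if mktemp or yggdrasil fails.
generate_config() {
	tmp=$(mktemp "${yggConfig}.XXXXXX") || return 1
	if yggdrasil -genconf -json > "${tmp}"; then
		chmod 600 "${tmp}"
		mv -f "${tmp}" "${yggConfig}"
		return 0
	fi
	rm -f "${tmp}"
	return 1
}

# IPv6-only zone for the mesh interface.  Nothing from the mesh may reach
# the router or be forwarded unless one of the rules below allows it.
add_zone() {
	uci -q batch <<-EOF >/dev/null
add firewall zone
set firewall.@zone[-1].name=yggdrasil
add_list firewall.@zone[-1].network=yggdrasil
set firewall.@zone[-1].input=REJECT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
set firewall.@zone[-1].conntrack=1
set firewall.@zone[-1].family=ipv6
EOF
}

# Allow the ICMPv6 types needed for basic reachability and path MTU
# discovery (e.g. ping6), rate-limited to 1000/sec.  Neighbour/router
# discovery types are deliberately not included.
add_icmpv6_rule() {
	uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=icmp
add_list firewall.@rule[-1].icmp_type=echo-request
add_list firewall.@rule[-1].icmp_type=echo-reply
add_list firewall.@rule[-1].icmp_type=destination-unreachable
add_list firewall.@rule[-1].icmp_type=packet-too-big
add_list firewall.@rule[-1].icmp_type=time-exceeded
add_list firewall.@rule[-1].icmp_type=bad-header
add_list firewall.@rule[-1].icmp_type=unknown-header-type
set firewall.@rule[-1].limit='1000/sec'
set firewall.@rule[-1].family=ipv6
set firewall.@rule[-1].target=ACCEPT
EOF
}

# SSH from the mesh.  Shipped disabled (enabled=0): turning it on exposes
# the router's SSH service to every node that can reach it over yggdrasil,
# so it must be an explicit administrator decision.
add_ssh_rule() {
	uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=22
set firewall.@rule[-1].target=ACCEPT
EOF
}

# LuCI (plain HTTP, port 80) from the mesh.  Also shipped disabled; enabling
# it exposes the web UI to the whole mesh without TLS.
add_http_rule() {
	uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=80
set firewall.@rule[-1].target=ACCEPT
EOF
}

if [ -e "${yggConfig}" ]; then
	# Existing config (e.g. kept over a sysupgrade): leave everything alone.
	exit 0
fi

# Generate the config before touching uci so that a failure leaves no
# partial state.  A non-zero exit keeps this script in /etc/uci-defaults,
# so the next boot retries from a clean slate instead of the defaults being
# silently discarded.
generate_config || exit 1

add_zone
add_icmpv6_rule
add_ssh_rule
add_http_rule
exit 0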