aa4a59b715
Yggdrasil builds end-to-end encrypted networks with IPv6. Beyond the similarities with cjdns is a different routing algorithm. This globally-agreed spanning tree uses greedy routing in a metric space. Back-pressure routing techniques allow advanced link aggregation bonding on per-stream basis. In turn, a single stream will span across multiple network interfaces simultaneously with much greater throughput. Authored by: William Fleurant <meshnet@protonmail.com> Signed-off-by: Paul Spooren <mail@aparcar.org>
66 lines
2 KiB
Bash
66 lines
2 KiB
Bash
#!/bin/sh
|
|
|
|
yggConfig="/etc/yggdrasil.conf"
|
|
|
|
if [ ! -e ${yggConfig} ]; then
|
|
|
|
yggdrasil -genconf -json > ${yggConfig}
|
|
|
|
# create the firewall zone
|
|
uci -q batch <<-EOF >/dev/null
|
|
add firewall zone
|
|
set firewall.@zone[-1].name=yggdrasil
|
|
add_list firewall.@zone[-1].network=yggdrasil
|
|
set firewall.@zone[-1].input=REJECT
|
|
set firewall.@zone[-1].output=ACCEPT
|
|
set firewall.@zone[-1].forward=REJECT
|
|
set firewall.@zone[-1].conntrack=1
|
|
set firewall.@zone[-1].family=ipv6
|
|
EOF
|
|
|
|
# allow ICMP from yggdrasil zone, e.g. ping6
|
|
uci -q batch <<-EOF >/dev/null
|
|
add firewall rule
|
|
set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
|
|
set firewall.@rule[-1].src=yggdrasil
|
|
set firewall.@rule[-1].proto=icmp
|
|
add_list firewall.@rule[-1].icmp_type=echo-request
|
|
add_list firewall.@rule[-1].icmp_type=echo-reply
|
|
add_list firewall.@rule[-1].icmp_type=destination-unreachable
|
|
add_list firewall.@rule[-1].icmp_type=packet-too-big
|
|
add_list firewall.@rule[-1].icmp_type=time-exceeded
|
|
add_list firewall.@rule[-1].icmp_type=bad-header
|
|
add_list firewall.@rule[-1].icmp_type=unknown-header-type
|
|
set firewall.@rule[-1].limit='1000/sec'
|
|
set firewall.@rule[-1].family=ipv6
|
|
set firewall.@rule[-1].target=ACCEPT
|
|
EOF
|
|
|
|
# allow SSH from yggdrasil zone, needs to be explicitly enabled
|
|
uci -q batch <<-EOF >/dev/null
|
|
add firewall rule
|
|
set firewall.@rule[-1].enabled=0
|
|
set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
|
|
set firewall.@rule[-1].src=yggdrasil
|
|
set firewall.@rule[-1].proto=tcp
|
|
set firewall.@rule[-1].dest_port=22
|
|
set firewall.@rule[-1].target=ACCEPT
|
|
EOF
|
|
|
|
# allow LuCI access from yggdrasil zone, needs to be explicitly enabled
|
|
uci -q batch <<-EOF >/dev/null
|
|
add firewall rule
|
|
set firewall.@rule[-1].enabled=0
|
|
set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
|
|
set firewall.@rule[-1].src=yggdrasil
|
|
set firewall.@rule[-1].proto=tcp
|
|
set firewall.@rule[-1].dest_port=80
|
|
set firewall.@rule[-1].target=ACCEPT
|
|
EOF
|
|
|
|
|
|
else
|
|
:
|
|
fi
|
|
|
|
exit 0
|