fff-hoods: firewall fe80::1 from Client to Batman and Node

This firewall blocks all communication with fe80::1 from a Client to Batman and to the Node. We need this because some crap devices (e.g. a wrongly connected router on a clientport) have fe80::1 as address and break our setup. Signed-off-by: Christian Dresel <fff@chrisi01.de> Tested-by: Robert Langhammer <rlanghammer@web.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de> Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2018-12-06 14:47:01 +01:00 · 2018-12-06 14:47:01 +01:00 · f8269102a5
parent cb0420e2d3
commit f8269102a5
2 changed files with 6 additions and 1 deletions
--- a/src/packages/fff/fff-hoods/Makefile
+++ b/src/packages/fff/fff-hoods/Makefile
@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
    CATEGORY:=Freifunk
    TITLE:= Freifunk-Franken hoods
    URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select
+    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select +fff-firewall
 endef

 define Package/$(PKG_NAME)/description
--- a/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
+++ b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
@ -0,0 +1,5 @@
+# Erlaube nur fe80::1 von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+
+# Erlaube nur fe80::1 von KNOTEN -> CLIENT
+ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY