gluon-firewall: Accept common services.

Allow ssh on client and wan, additional allow http,dns and icmpv6
on client network. Also ensure that the client and wan interfaces reject
incoming connections as default.

gluon/gluon-firewall/Makefile

@@ -0,0 +1,38 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-firewall
+PKG_VERSION:=1
+PKG_RELEASE:=1.$(GLUON_CONFIG_VERSION)
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-firewall
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Restrictive firewall settings
+  DEPENDS:=+gluon-core
+endef
+
+define Package/gluon-firewall/description
+	Gluon community wifi mesh firmware framework:
+	Firewall rules blocking incoming connections on wan interfaces,
+	with an exception for ssh.
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-firewall/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-firewall))

gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/11-wan-firewall

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+config_load firewall
+reject_input_on_wan() {
+       config_get name "$1" name
+       [ "$name" = 'wan' ] && uci_set firewall "$1" input 'REJECT'
+}
+config_foreach reject_input_on_wan 'zone'
+
+uci_remove firewall wan_ssh
+uci_add firewall rule wan_ssh
+uci_set firewall wan_ssh name 'wan_ssh'
+uci_set firewall wan_ssh src 'wan'
+uci_set firewall wan_ssh dest_port '22'
+uci_set firewall wan_ssh proto 'tcp'
+uci_set firewall wan_ssh family 'ipv4'
+uci_set firewall wan_ssh target 'ACCEPT'
+
+uci_remove firewall wan_ssh6
+uci_add firewall rule wan_ssh6
+uci_set firewall wan_ssh6 name 'wan_ssh6'
+uci_set firewall wan_ssh6 src 'wan'
+uci_set firewall wan_ssh6 dest_port '22'
+uci_set firewall wan_ssh6 proto 'tcp'
+uci_set firewall wan_ssh6 family 'ipv6'
+uci_set firewall wan_ssh6 target 'ACCEPT'
+uci_commit firewall