diff --git a/gluon/gluon-firewall/Makefile b/gluon/gluon-firewall/Makefile new file mode 100644 index 0000000..cac1cf7 --- /dev/null +++ b/gluon/gluon-firewall/Makefile @@ -0,0 +1,38 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-firewall +PKG_VERSION:=1 +PKG_RELEASE:=1.$(GLUON_CONFIG_VERSION) + +PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME) + +include $(INCLUDE_DIR)/package.mk + +define Package/gluon-firewall + SECTION:=gluon + CATEGORY:=Gluon + TITLE:=Restrictive firewall settings + DEPENDS:=+gluon-core +endef + +define Package/gluon-firewall/description + Gluon community wifi mesh firmware framework: + Firewall rules blocking incoming connections on wan interfaces, + with an exception for ssh. +endef + +define Build/Prepare + mkdir -p $(PKG_BUILD_DIR) +endef + +define Build/Configure +endef + +define Build/Compile +endef + +define Package/gluon-firewall/install + $(CP) ./files/* $(1)/ +endef + +$(eval $(call BuildPackage,gluon-firewall)) diff --git a/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/11-wan-firewall b/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/11-wan-firewall new file mode 100755 index 0000000..2ba460b --- /dev/null +++ b/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/11-wan-firewall @@ -0,0 +1,29 @@ +#!/bin/sh + +. /lib/functions.sh + +config_load firewall +reject_input_on_wan() { + config_get name "$1" name + [ "$name" = 'wan' ] && uci_set firewall "$1" input 'REJECT' +} +config_foreach reject_input_on_wan 'zone' + +uci_remove firewall wan_ssh +uci_add firewall rule wan_ssh +uci_set firewall wan_ssh name 'wan_ssh' +uci_set firewall wan_ssh src 'wan' +uci_set firewall wan_ssh dest_port '22' +uci_set firewall wan_ssh proto 'tcp' +uci_set firewall wan_ssh family 'ipv4' +uci_set firewall wan_ssh target 'ACCEPT' + +uci_remove firewall wan_ssh6 +uci_add firewall rule wan_ssh6 +uci_set firewall wan_ssh6 name 'wan_ssh6' +uci_set firewall wan_ssh6 src 'wan' +uci_set firewall wan_ssh6 dest_port '22' +uci_set firewall wan_ssh6 proto 'tcp' +uci_set firewall wan_ssh6 family 'ipv6' +uci_set firewall wan_ssh6 target 'ACCEPT' +uci_commit firewall