fff-hoods: firewall fe80::1 from Client to Batman and Node

This firewall blocks all communication with fe80::1 from a Client to Batman and to the Node. We need this because some crap devices (e.g. a wrongly connected router on a clientport) have fe80::1 as address and break our setup. Signed-off-by: Christian Dresel <fff@chrisi01.de> Tested-by: Robert Langhammer <rlanghammer@web.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de> Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
FreifunkFranken · Dec 9, 2018 · f826910 · f826910
1 parent cb0420e
commit f826910
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/src/packages/fff/fff-hoods/Makefile b/src/packages/fff/fff-hoods/Makefile
@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
     CATEGORY:=Freifunk
     TITLE:= Freifunk-Franken hoods
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select
+    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description

diff --git a/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
@@ -0,0 +1,5 @@
+# Erlaube nur fe80::1 von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+
+# Erlaube nur fe80::1 von KNOTEN -> CLIENT
+ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY