From 76a26d12a537aeb2e331d3184f2d0e28fb9e809d Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Mon, 14 Jul 2014 17:53:41 +0200
Subject: [PATCH] Move essential firewall rules from gluon-firewall to gluon-core and gluon-mesh-batman-adv

The now empty gluon-firewall is removed.
---
 gluon/gluon-core/Makefile | 2 +-
 .../core/invariant/014-firewall-rules} | 11 ------
 gluon/gluon-firewall/Makefile | 37 -------------------
 .../mesh-batman-adv/invariant/011-mesh | 12 ++++++
 4 files changed, 13 insertions(+), 49 deletions(-)
 rename gluon/{gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules => gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules} (79%)
 delete mode 100644 gluon/gluon-firewall/Makefile

diff --git a/gluon/gluon-core/Makefile b/gluon/gluon-core/Makefile
index 27babd758..17cde4d4f 100644
--- a/gluon/gluon-core/Makefile
+++ b/gluon/gluon-core/Makefile
@@ -12,7 +12,7 @@ define Package/gluon-core
 SECTION:=gluon
 CATEGORY:=Gluon
 TITLE:=Base files of Gluon
- DEPENDS:=+gluon-config +lua-platform-info +luci-lib-core +odhcp6c
+ DEPENDS:=+gluon-config +lua-platform-info +luci-lib-core +odhcp6c +firewall
 endef
 define Package/gluon-core/description
diff --git a/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules b/gluon/gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules
similarity index 79%
rename from gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules
rename to gluon/gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules
index 1a422ca37..792e06a2c 100755
--- a/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules
+++ b/gluon/gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules
@@ -26,16 +26,5 @@ c:section('firewall', 'rule', 'wan_ssh',
 }
 )
-
-c:section('firewall', 'rule', 'client_dns',
- {
- name = 'client_dns',
- src = 'client',
- dest_port = '53',
- target = 'REJECT',
- }
-)
-
-
 c:save('firewall')
 c:commit('firewall')
diff --git a/gluon/gluon-firewall/Makefile b/gluon/gluon-firewall/Makefile
deleted file mode 100644
index ceb4820ce..000000000
--- a/gluon/gluon-firewall/Makefile
+++ /dev/null
@@ -1,37 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-firewall
-PKG_VERSION:=1
-
-PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/gluon-firewall
- SECTION:=gluon
- CATEGORY:=Gluon
- TITLE:=Restrictive firewall rules
- DEPENDS:=+gluon-core +firewall
-endef
-
-define Package/gluon-firewall/description
- Gluon community wifi mesh firmware framework:
- Firewall rules which try to ensure a node can't be abused
- (e.g. for DNS amplification attacks)
-endef
-
-define Build/Prepare
- mkdir -p $(PKG_BUILD_DIR)
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/gluon-firewall/install
- $(CP) ./files/* $(1)/
-endef
-
-$(eval $(call BuildPackage,gluon-firewall))
diff --git a/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh b/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh
index 565505d20..ab80bd3d2 100755
--- a/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh
+++ b/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh
@@ -31,6 +31,7 @@ uci:section('network', 'interface', 'bat0',
 uci:save('network')
 uci:commit('network')
+
 uci:delete('firewall', 'client')
 uci:section('firewall', 'zone', 'client',
 {
@@ -41,9 +42,20 @@ uci:section('firewall', 'zone', 'client',
 forward = 'REJECT',
 }
 )
+
+c:section('firewall', 'rule', 'client_dns',
+ {
+ name = 'client_dns',
+ src = 'client',
+ dest_port = '53',
+ target = 'REJECT',
+ }
+)
+
 uci:save('firewall')
 uci:commit('firewall')
+
 local dnsmasq = uci:get_first('dhcp', 'dnsmasq')
 uci:set('dhcp', dnsmasq, 'boguspriv', 0)
 uci:set('dhcp', dnsmasq, 'localise_queries', 0)
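Review bot: The added `client_dns` rule is created with `c:section(...)`, but every other call visible in 011-mesh uses the cursor named `uci` (`uci:section`, `uci:save`, `uci:commit`); `c` is the cursor name in the firewall-rules script this block was moved from. The top of 011-mesh is outside the hunk, so `c` may be defined there, but if it is not, the script presumably aborts on this line with an index-on-nil error. In that case `uci:save('firewall')` and `uci:commit('firewall')` never run, so neither the `client` zone nor the port-53 REJECT rule (the protection the removed package described as guarding against DNS amplification abuse) is written. The call should read `uci:section('firewall', 'rule', 'client_dns',`.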