
Opened 10 years ago

Closed 8 years ago

Last modified 2 years ago

#1327 closed enhancement (fixed)

updated default iptables configuration

Reported by: Kevin Cody Jr <kcody@…>
Owned by: nbd
Priority: normal
Milestone: Barrier Breaker 14.07
Component: base system
Version:
Keywords:
Cc:

Description

Vastly reworked firewall.init and firewall.user.

Highlights:

  • supports the bridged and routed wireless cases
  • fixes dynamic rules surviving firewall restarts
  • /etc/config/firewall moved to firewall.user
  • firewall.site added for host permissions rules
  • routing policy configurable in firewall.user
  • hooks for fine grained routing permissions
  • hooks for dynamic vpn tunnel rules

About the dynamic rule behavior: input_rule, output_rule, and forwarding_rule are set aside for programs to register their rules at runtime. Those rules are not, and should not be, manipulated in /etc/firewall.user - the '*_user' rules are provided for that.

In that way, a user can run "/etc/firewall.user" to reload /etc/config/firewall changes, or /etc/firewall.site host rules, without disturbing rules that were added by, for example, an ipsec or other vpn tunnel application; thus preventing a tunnel restart due to firewall rules.

Explanation of tables:

forwarding_lan - like forwarding_wan, but for lan interfaces only
forwarding_wap - like forwarding_wan, but for wireless only

forwarding_lan_wan - policy & permissions for lan->wan traffic
forwarding_wap_wan - policy & permissions for wap->wan traffic
forwarding_lan_wap - policy & permissions for lan->wap traffic
forwarding_wap_lan - policy & permissions for wap->lan traffic

input_user, output_user, forwarding_user, prerouting_user, postrouting_user
should be used in firewall.user the way the corresponding *_rule chains used to be

forwarding_vpn_in - policy & permissions for inbound traffic from vpn
forwarding_vpn_out - policy & permissions for outbound traffic to vpn

In the bridged case, "wap" traffic shows up as "lan" traffic.

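The reserved-chain layout described above, as an added example that is not part of the ticket and not the attached firewall.sh: the *_rule chains are hooked in for daemons to populate at runtime, the *_user chains belong to /etc/firewall.user, and a reload flushes only the latter. Chain names come from the ticket; the interface name br-lan, the IKE/ESP rules and the ssh rule are assumptions. IPT defaults to a recorder so the script runs without root or iptables.

```shell
#!/bin/sh
# Added example: a minimal version of the chain layout the ticket describes
# (reserved *_rule chains for daemons, *_user chains for /etc/firewall.user).
# Illustrative code, not the attached firewall.sh. Chain names come from the
# ticket; interface names and the sample rules are assumptions.
#
# IPT defaults to a recorder so the script runs without root or iptables.
# Run with IPT=iptables to apply the commands for real.
IPT="${IPT:-record_ipt}"
RECORDED=""
NL='
'
record_ipt() { RECORDED="${RECORDED}iptables $*${NL}"; }

# Chains set aside for programs (a vpn daemon, for example) to add rules
# to at runtime. A firewall.user reload must never flush these.
RUNTIME_CHAINS="input_rule output_rule forwarding_rule"
# Chains owned by /etc/firewall.user; safe to flush and rebuild any time.
USER_CHAINS="input_user output_user forwarding_user"
NAT_USER_CHAINS="prerouting_user postrouting_user"

# One-time setup at boot: create both chain families and hook them in.
# Runtime chains are consulted before user chains in each built-in chain.
fw_setup() {
    for c in $RUNTIME_CHAINS $USER_CHAINS; do $IPT -N "$c"; done
    for c in $NAT_USER_CHAINS; do $IPT -t nat -N "$c"; done
    $IPT -A INPUT -j input_rule
    $IPT -A INPUT -j input_user
    $IPT -A OUTPUT -j output_rule
    $IPT -A OUTPUT -j output_user
    $IPT -A FORWARD -j forwarding_rule
    $IPT -A FORWARD -j forwarding_user
    $IPT -t nat -A PREROUTING -j prerouting_user
    $IPT -t nat -A POSTROUTING -j postrouting_user
}

# What a tunnel daemon does when the tunnel comes up: register in *_rule
# only (assumed IPsec example: IKE on udp/500 plus ESP).
vpn_up() {
    $IPT -A input_rule -p udp --dport 500 -j ACCEPT
    $IPT -A input_rule -p esp -j ACCEPT
}

# Reload of the firewall.user content: flush only the *_user chains and
# re-add the user's rules. *_rule chains are untouched, so the tunnel
# keeps working and does not need to be restarted.
fw_reload_user() {
    for c in $USER_CHAINS; do $IPT -F "$c"; done
    for c in $NAT_USER_CHAINS; do $IPT -t nat -F "$c"; done
    # constructed user rule: ssh from the LAN bridge only ("br-lan" assumed)
    $IPT -A input_user -i br-lan -p tcp --dport 22 -j ACCEPT
}

# Number of recorded iptables invocations matching a grep pattern; lets a
# caller verify which chains a reload touched.
count_recorded() {
    printf '%s' "$RECORDED" | grep -c -- "$1" || true
}

if [ "${FW_DEMO:-}" = 1 ]; then
    fw_setup; vpn_up; fw_reload_user
    printf '%s' "$RECORDED"
fi
```

Running it with FW_DEMO=1 prints the recorded command sequence; the point to check is that after fw_reload_user there is an "-F input_user" but no "-F input_rule", so the two ESP/IKE rules registered by vpn_up are still in place.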
Attachments (9)

iptables.patch (11.1 KB) - added by Kevin Cody Jr <kcody@…> 10 years ago.
firewall.conf (921 bytes) - added by kcody@… 10 years ago.
new /etc/config/firewall
firewall.init (867 bytes) - added by kcody@… 10 years ago.
new /etc/init.d/firewall
firewall.sh (10.6 KB) - added by kcody@… 10 years ago.
new /usr/lib/firewall.sh
firewall.spec (658 bytes) - added by kcody@… 10 years ago.
new /lib/config/specs/firewall.spec
firewall.user (1.1 KB) - added by kcody@… 10 years ago.
new /etc/firewall.user
firewall.2.sh (11.7 KB) - added by kcody@… 10 years ago.
Better firewall.sh
firewall.2.user (1.6 KB) - added by kcody@… 10 years ago.
Better firewall.user
firewall.init-iptables-restore (4.4 KB) - added by matteo 9 years ago.


Change History (17)

Changed 10 years ago by Kevin Cody Jr <kcody@…>

comment:1 Changed 10 years ago by kcody@…

OK, take two. This time, based on a UCI /etc/config/firewall.

Gets rid of the old firewall.awk and old /etc/config/firewall entirely.

Should deal with as many or as few routed LAN interfaces as you like,
or a single bridged LAN interface.

All files are entirely new. Posting them straight-up, no patches.

Changed 10 years ago by kcody@…

new /etc/config/firewall

Changed 10 years ago by kcody@…

new /etc/init.d/firewall

Changed 10 years ago by kcody@…

new /usr/lib/firewall.sh

Changed 10 years ago by kcody@…

new /lib/config/specs/firewall.spec

Changed 10 years ago by kcody@…

new /etc/firewall.user

comment:2 Changed 10 years ago by kcody@…

OK, new firewall.sh and firewall.user coming.

These fix the major parser issues, completing the config interface.

I changed the 'src' parameter to 'from', because it seemed better at the time. There's no reason why aliased parameter names can't be supported, I simply haven't done it yet, but I should.

Requested 'iface' parameter is added, as well as the 'all' pseudo-interface.
Be careful setting forward rules for port 22 on 'all'!!!!!

Host specific rules are left out pending further debate, put them in firewall.site for now.

I have verified that it doesn't puke in a bridged wireless configuration, but I don't have enough hosts kicking around to actually put anything behind my development router. Let me know.

I'm also thinking, ignore the firewall.spec above, I'm not sure it's needed or useful.

Changed 10 years ago by kcody@…

Better firewall.sh

Changed 10 years ago by kcody@…

Better firewall.user

comment:3 Changed 9 years ago by nbd

  • Owner changed from developers to nbd
  • Status changed from new to assigned

comment:4 Changed 9 years ago by nbd

  • Milestone changed from Kamikaze to Kamikaze Milestone 1

comment:5 Changed 9 years ago by florian

  • Milestone changed from Kamikaze Milestone 1 to Kamikaze

comment:6 Changed 9 years ago by matteo

I'm trying to rewrite the init scripts so they generate all the rules, then load them with iptables-restore.
This is very, very fast; maybe you want to have a look at this.

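The generate-then-restore approach from the comment above, as an added example that is neither the ticket's code nor matteo's attached firewall.init-iptables-restore: the filter table is built as iptables-restore text for a wan interface plus any number of routed lan interfaces (using the chain names from the ticket), then handed to iptables-restore in a single call. Interface names, default policies and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not matteo's attached firewall.init-iptables-restore:
# build the filter table as iptables-restore text, then load it in one call.
# Interface names, the default policies and the sample rules are assumptions.

rule() { printf '%s\n' "$*"; }

# Emit an iptables-restore script for the filter table on stdout.
# $1 is the wan interface, the rest are routed lan interfaces (any number).
gen_filter_ruleset() {
    wan="$1"; shift
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    for c in input_rule input_user forwarding_rule forwarding_user \
             forwarding_wan forwarding_lan_wan; do
        rule ":$c - [0:0]"
    done
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -j input_rule'      # runtime (daemon) rules first
    rule '-A INPUT -j input_user'      # then firewall.user rules
    rule '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A FORWARD -j forwarding_rule'
    rule '-A FORWARD -j forwarding_user'
    for lan in "$@"; do                # one policy hook per routed lan
        rule "-A FORWARD -i $lan -o $wan -j forwarding_lan_wan"
    done
    rule "-A FORWARD -i $wan -j forwarding_wan"
    rule '-A forwarding_lan_wan -j ACCEPT'   # lan->wan allowed; wan->lan hits the DROP policy
    rule 'COMMIT'
}

# Line count of a generated ruleset; a cheap sanity check before loading.
ruleset_lines() { gen_filter_ruleset "$@" | wc -l | tr -d ' '; }

# Load atomically: the kernel sees either the old or the new ruleset,
# never a half-applied one. "--test" only parses, without committing.
fw_load() {
    mode="$1"; shift
    if [ "$mode" = "--test" ]; then
        gen_filter_ruleset "$@" | iptables-restore --test
    else
        gen_filter_ruleset "$@" | iptables-restore
    fi
}

# Example invocation (needs root and iptables): fw_load --apply eth0 eth1 eth2
```

One caveat for anyone combining this with the ticket's goal of keeping daemon rules across restarts: iptables-restore replaces every table named in its input unless it is run with --noflush (-n), so rules a vpn daemon placed in input_rule are gone after a plain restore. To reload only the firewall.user part with this method, use --noflush and put explicit "-F input_user" (and the other *_user chains) lines in the generated text instead of relying on the implicit flush.
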
Changed 9 years ago by matteo

comment:7 Changed 8 years ago by florian

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:8 Changed 2 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
