summaryrefslogtreecommitdiff
path: root/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'firewall')
-rw-r--r--firewall/Makefile62
-rw-r--r--firewall/files/firewall.config195
-rw-r--r--firewall/files/firewall.hotplug11
-rwxr-xr-xfirewall/files/firewall.init61
-rw-r--r--firewall/files/firewall.user7
-rw-r--r--firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch33
-rw-r--r--firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch38
-rw-r--r--firewall/patches/0003-Allow-NAT-for-IPv6.patch54
8 files changed, 461 insertions, 0 deletions
diff --git a/firewall/Makefile b/firewall/Makefile
new file mode 100644
index 0000000..012b289
--- /dev/null
+++ b/firewall/Makefile
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2013-2016 OpenWrt.org
+# Copyright (C) 2016 LEDE project
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall
+PKG_RELEASE:=4
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
+PKG_SOURCE_DATE:=2019-11-22
+PKG_SOURCE_VERSION:=8174814a507489ebbe8bb85c1004e1f02919ca82
+PKG_MIRROR_HASH:=84e0cca2d47470bdb1788a8ae044cc425be8ff650a1137474ba43a15040085da
+PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
+PKG_LICENSE:=ISC
+
+PKG_CONFIG_DEPENDS := CONFIG_IPV6
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/firewall
+ SECTION:=net
+ CATEGORY:=Base system
+ TITLE:=OpenWrt C Firewall
+ DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+endef
+
+define Package/firewall/description
+ This package provides a config-compatible C implementation of the UCI firewall.
+endef
+
+define Package/firewall/conffiles
+/etc/config/firewall
+/etc/firewall.user
+endef
+
+TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
+TARGET_LDFLAGS += -Wl,--gc-sections -flto
+CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
+
+define Package/firewall/install
+ $(INSTALL_DIR) $(1)/sbin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+ $(INSTALL_CONF) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
+ $(INSTALL_DIR) $(1)/etc/config/
+ $(INSTALL_CONF) ./files/firewall.config $(1)/etc/config/firewall
+ $(INSTALL_DIR) $(1)/etc/
+ $(INSTALL_CONF) ./files/firewall.user $(1)/etc/firewall.user
+ $(INSTALL_DIR) $(1)/usr/share/fw3
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/helpers.conf $(1)/usr/share/fw3
+endef
+
+$(eval $(call BuildPackage,firewall))
diff --git a/firewall/files/firewall.config b/firewall/files/firewall.config
new file mode 100644
index 0000000..8874e98
--- /dev/null
+++ b/firewall/files/firewall.config
@@ -0,0 +1,195 @@
+config defaults
+ option syn_flood 1
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+# Uncomment this line to disable ipv6 rules
+# option disable_ipv6 1
+
+config zone
+ option name lan
+ list network 'lan'
+ option input ACCEPT
+ option output ACCEPT
+ option forward ACCEPT
+
+config zone
+ option name wan
+ list network 'wan'
+ list network 'wan6'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+ option mtu_fix 1
+
+config forwarding
+ option src lan
+ option dest wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+ option name Allow-DHCP-Renew
+ option src wan
+ option proto udp
+ option dest_port 68
+ option target ACCEPT
+ option family ipv4
+
+# Allow IPv4 ping
+config rule
+ option name Allow-Ping
+ option src wan
+ option proto icmp
+ option icmp_type echo-request
+ option family ipv4
+ option target ACCEPT
+
+config rule
+ option name Allow-IGMP
+ option src wan
+ option proto igmp
+ option family ipv4
+ option target ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+ option name Allow-DHCPv6
+ option src wan
+ option proto udp
+ option src_ip fc00::/6
+ option dest_ip fc00::/6
+ option dest_port 546
+ option family ipv6
+ option target ACCEPT
+
+config rule
+ option name Allow-MLD
+ option src wan
+ option proto icmp
+ option src_ip fe80::/10
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Input
+ option src wan
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ list icmp_type router-solicitation
+ list icmp_type neighbour-solicitation
+ list icmp_type router-advertisement
+ list icmp_type neighbour-advertisement
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Forward
+ option src wan
+ option dest *
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+config rule
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
+
+config rule
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+
+# include a file with users custom iptables rules
+config include
+ option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option proto tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
diff --git a/firewall/files/firewall.hotplug b/firewall/files/firewall.hotplug
new file mode 100644
index 0000000..f1eab00
--- /dev/null
+++ b/firewall/files/firewall.hotplug
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
+fw3 -q reload
diff --git a/firewall/files/firewall.init b/firewall/files/firewall.init
new file mode 100755
index 0000000..ee3ed1a
--- /dev/null
+++ b/firewall/files/firewall.init
@@ -0,0 +1,61 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+USE_PROCD=1
+QUIET=""
+
+validate_firewall_redirect()
+{
+ uci_validate_section firewall redirect "${1}" \
+ 'proto:or(uinteger, string)' \
+ 'src:string' \
+ 'src_ip:cidr' \
+ 'src_dport:or(port, portrange)' \
+ 'dest:string' \
+ 'dest_ip:cidr' \
+ 'dest_port:or(port, portrange)' \
+ 'target:or("SNAT", "DNAT")'
+}
+
+validate_firewall_rule()
+{
+ uci_validate_section firewall rule "${1}" \
+ 'proto:or(uinteger, string)' \
+ 'src:string' \
+ 'dest:string' \
+ 'src_port:or(port, portrange)' \
+ 'dest_port:or(port, portrange)' \
+ 'target:string'
+}
+
+service_triggers() {
+ procd_add_reload_trigger firewall
+
+ procd_open_validate
+ validate_firewall_redirect
+ validate_firewall_rule
+ procd_close_validate
+}
+
+restart() {
+ fw3 restart
+}
+
+start_service() {
+ fw3 ${QUIET} start
+}
+
+stop_service() {
+ fw3 flush
+}
+
+reload_service() {
+ fw3 reload
+}
+
+boot() {
+ # Be silent on boot, firewall might be started by hotplug already,
+ # so don't complain in syslog.
+ QUIET=-q
+ start
+}
diff --git a/firewall/files/firewall.user b/firewall/files/firewall.user
new file mode 100644
index 0000000..6f79906
--- /dev/null
+++ b/firewall/files/firewall.user
@@ -0,0 +1,7 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
diff --git a/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
new file mode 100644
index 0000000..9e23dfd
--- /dev/null
+++ b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
@@ -0,0 +1,33 @@
+From 4a7df7d8c4e40fd2ce0d9f125755249dee17a8bd Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 24 Jul 2020 12:52:59 +0800
+Subject: [PATCH] zones: apply tcp mss clamping also on ingress path
+
+Fixes FS#3231
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+Acked-by: Jo-Philipp Wich <jo@mein.io>
+(cherry picked from commit e9b90dfac2225927c035f6a76277b850c282dc9a)
+---
+ zones.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zones.c b/zones.c
+index 01fb706..3d54a76 100644
+--- a/zones.c
++++ b/zones.c
+@@ -552,6 +552,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ fw3_ipt_rule_target(r, "TCPMSS");
+ fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
+ fw3_ipt_rule_replace(r, "FORWARD");
++
++ r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);
++ fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
++ fw3_ipt_rule_addarg(r, false, "SYN", NULL);
++ fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name);
++ fw3_ipt_rule_target(r, "TCPMSS");
++ fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
++ fw3_ipt_rule_replace(r, "FORWARD");
+ }
+ }
+ else if (handle->table == FW3_TABLE_RAW)
diff --git a/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
new file mode 100644
index 0000000..c7a4593
--- /dev/null
+++ b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
@@ -0,0 +1,38 @@
+From 78d52a28c66ad0fd2af250038fdcf4239ad37bf2 Mon Sep 17 00:00:00 2001
+From: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+Date: Sat, 15 Aug 2020 13:50:27 +0900
+Subject: [PATCH] options: fix parsing of boolean attributes
+
+Boolean attributes were parsed the same way as string attributes,
+so a value of { "bool_attr": "true" } would be parsed correctly, but
+{ "bool_attr": true } (without quotes) was parsed as false.
+
+Fixes FS#3284
+
+Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+---
+ options.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/options.c
++++ b/options.c
+@@ -1170,6 +1170,9 @@ fw3_parse_blob_options(void *s, const st
+ if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+ snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+ v = buf;
++ } else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++ snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++ v = buf;
+ } else {
+ v = blobmsg_get_string(e);
+ }
+@@ -1189,6 +1192,9 @@ fw3_parse_blob_options(void *s, const st
+ if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+ snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+ v = buf;
++ } else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++ snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++ v = buf;
+ } else {
+ v = blobmsg_get_string(o);
+ }
diff --git a/firewall/patches/0003-Allow-NAT-for-IPv6.patch b/firewall/patches/0003-Allow-NAT-for-IPv6.patch
new file mode 100644
index 0000000..71f50c8
--- /dev/null
+++ b/firewall/patches/0003-Allow-NAT-for-IPv6.patch
@@ -0,0 +1,54 @@
+From c0d53458a7d06e116b6ef8c95b5c0c7a0826a0dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
+Date: Sat, 15 May 2021 13:15:32 +0200
+Subject: [PATCH] Allow NAT for IPv6
+
+---
+ defaults.c | 4 ++--
+ zones.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/defaults.c b/defaults.c
+index 7ad4fba..b0b4698 100644
+--- a/defaults.c
++++ b/defaults.c
+@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = {
+ C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
+ C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
+
+- C(V4, NAT, CUSTOM_CHAINS, "prerouting_rule"),
+- C(V4, NAT, CUSTOM_CHAINS, "postrouting_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "prerouting_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "postrouting_rule"),
+
+ { }
+ };
+diff --git a/zones.c b/zones.c
+index 51a8fdf..545ced4 100644
+--- a/zones.c
++++ b/zones.c
+@@ -37,8 +37,8 @@ static const struct fw3_chain_spec zone_chains[] = {
+ C(ANY, FILTER, REJECT, "zone_?_dest_REJECT"),
+ C(ANY, FILTER, DROP, "zone_?_dest_DROP"),
+
+- C(V4, NAT, SNAT, "zone_?_postrouting"),
+- C(V4, NAT, DNAT, "zone_?_prerouting"),
++ C(ANY, NAT, SNAT, "zone_?_postrouting"),
++ C(ANY, NAT, DNAT, "zone_?_prerouting"),
+
+ C(ANY, RAW, HELPER, "zone_?_helper"),
+ C(ANY, RAW, NOTRACK, "zone_?_notrack"),
+@@ -47,8 +47,8 @@ static const struct fw3_chain_spec zone_chains[] = {
+ C(ANY, FILTER, CUSTOM_CHAINS, "output_?_rule"),
+ C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_?_rule"),
+
+- C(V4, NAT, CUSTOM_CHAINS, "prerouting_?_rule"),
+- C(V4, NAT, CUSTOM_CHAINS, "postrouting_?_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "prerouting_?_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "postrouting_?_rule"),
+
+ { }
+ };
+--
+2.31.1
+