Skip to content
Snippets Groups Projects
Unverified Commit 2b1ffb30 authored by Matthias Schiffer's avatar Matthias Schiffer
Browse files

gluon-core, gluon-client-bridge: create local_client zone in core

As core defines basic rules for this zone, it makes sense to create it
there.
parent 8ea5810b
Branches
Tags
No related merge requests found
......@@ -51,14 +51,9 @@ uci:section('firewall', 'zone', 'drop', {
forward = 'DROP',
})
uci:section('firewall', 'zone', 'local_client', {
name = 'local_client',
network = {'local_node'},
input = 'REJECT',
output = 'ACCEPT',
forward = 'REJECT',
})
local networks = uci:get_list('firewall', 'local_client', 'network')
util.add_to_set(networks, 'local_node')
uci:set_list('firewall', 'local_client', 'network', networks)
local dnsmasq = uci:get_first('dhcp', 'dnsmasq')
......
......@@ -14,40 +14,16 @@ end
uci:foreach('firewall', 'zone', reject_input_on_wan)
-- the client zone is set up by gluon-client-bridge
--
uci:section('firewall', 'zone', 'mesh', {
name = 'mesh',
network = {},
input = 'REJECT',
output = 'ACCEPT',
forward = 'REJECT',
})
-- allow inbound ssh from anywhere
for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
uci:section('firewall', 'rule', zone .. '_ssh', {
name = zone .. '_ssh',
src = zone,
dest_port = '22',
proto = 'tcp',
target = 'ACCEPT',
for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
-- Other packages assign interfaces to these zones
uci:section('firewall', 'zone', zone, {
name = zone,
network = {},
input = 'REJECT',
output = 'ACCEPT',
forward = 'REJECT',
})
end
-- allow icmp in/out on all relevant zones
uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
src = 'local_client',
proto = 'icmp',
icmp_type = {
'echo-request',
},
family = 'ipv4',
target = 'ACCEPT',
})
uci:section('firewall', 'rule', zone .. '_ICMPv6_in', {
src = zone,
proto = 'icmp',
......@@ -77,4 +53,27 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
uci:delete('firewall', zone .. '_ICMPv6_out')
end
uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
src = 'local_client',
proto = 'icmp',
icmp_type = {
'echo-request',
},
family = 'ipv4',
target = 'ACCEPT',
})
-- allow inbound SSH from anywhere
for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
uci:section('firewall', 'rule', zone .. '_ssh', {
name = zone .. '_ssh',
src = zone,
dest_port = '22',
proto = 'tcp',
target = 'ACCEPT',
})
end
uci:save('firewall')
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment