[Ninux-Calabria] Impostazione firewall ninux-casa su NS M5

Danilo Larizza dlarizza a tiscali.it
Mar 8 Apr 2014 19:33:47 UTC

Il 08/04/14 17:01, Vincenzo Pirrone ha scritto:
> Meglio ancora se posti
> /etc/config/network
> /etc/config/firewall
> Così ti spiego come configurare il firewall di OpenWrt che è più 
> semplice che mettersi a scrivere le regole di iptables

I file sono quelli standard di Scroorreggione....con i miei settaggi in 
base alla mappa.

cat /etc/config/network

# /etc/config/network as pasted: four logical interfaces (loopback, lan,
# wan, backbone). Every ipaddr/netmask/dns value is empty in this paste,
# so the addressing plan cannot be reviewed from here.
config interface 'loopback'
     option ifname 'lo'
     option proto 'static'
     option ipaddr ''
     option netmask ''

# Wired LAN side on eth0.
config interface 'lan'
     option ifname 'eth0'
     option proto 'static'
     option ipaddr ''
     option netmask ''
     option dns ''

# NOTE(review): 'wan' is declared static, but no ipaddr/netmask option
# appears for it in this paste.
config interface 'wan'
     option ifname 'eth1'
     option proto 'static'

# Radio link on wlan0.
# NOTE(review): the /etc/config/firewall pasted in the same message only
# lists 'lan' and 'wan' under "option network", so this interface is not
# a member of any firewall zone. Confirm which policy its traffic hits.
config interface 'backbone'
     option proto 'static'
     option ipaddr ''
     option netmask ''
     option dns ''
     option ifname 'wlan0'

cat /etc/config/firewall
# Global policies, applied to traffic that no zone below claims:
# input ACCEPT, output ACCEPT, forward REJECT. syn_flood 1 turns on the
# SYN-flood protection rules.
# NOTE(review): the 'backbone' interface (wlan0) from /etc/config/network
# is not listed in any zone here, so packets arriving on it presumably
# fall through to these defaults. With input ACCEPT, every service
# listening on the router would then be reachable from the radio side.
# Verify, and consider a dedicated zone for it with input REJECT plus
# explicit ACCEPT rules for what the link actually needs.
config defaults
     option syn_flood    1
     option input        ACCEPT
     option output        ACCEPT
     option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

# Zone 'lan': traffic to and from the router is accepted; forwarding
# out of the zone is rejected unless a "config forwarding" allows it.
config zone
     option name        lan
     option network        'lan'
     option input        ACCEPT
     option output        ACCEPT
     option forward        REJECT

# Zone 'wan': inbound traffic to the router is rejected except for the
# explicit rules further down. masq 1 enables masquerading (source NAT)
# for traffic leaving through this zone; mtu_fix 1 enables MSS clamping.
config zone
     option name        wan
     option network        'wan'
     option input        REJECT
     option output        ACCEPT
     option forward        REJECT
     option masq        1
     option mtu_fix        1

# The only inter-zone forwarding permitted: lan -> wan. There is no
# forwarding entry in the opposite direction or involving any other zone.
config forwarding
     option src        lan
     option dest        wan

# The rules below are exceptions to the wan zone's "input REJECT" and
# "forward REJECT" policies. All of them use "src wan"; a rule without
# "option dest" applies to traffic addressed to the router itself.

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
     option name        Allow-DHCP-Renew
     option src        wan
     option proto        udp
     option dest_port    68
     option target        ACCEPT
     option family        ipv4

# Allow IPv4 ping
# (echo-request only, from wan to the router; no rate limit is set on
# this rule, unlike the ICMPv6 rules below)
config rule
     option name        Allow-Ping
     option src        wan
     option proto        icmp
     option icmp_type    echo-request
     option family        ipv4
     option target        ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# Scoped to link-local source and destination (fe80::/10), source port
# 547 and destination port 546.
config rule
     option name        Allow-DHCPv6
     option src        wan
     option proto        udp
     option src_ip        fe80::/10
     option src_port        547
     option dest_ip        fe80::/10
     option dest_port    546
     option family        ipv6
     option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# Input to the router, rate-limited to 1000 packets per second. The list
# covers error messages, echo, and the router/neighbour discovery types.
config rule
     option name        Allow-ICMPv6-Input
     option src        wan
     option proto    icmp
     list icmp_type        echo-request
     list icmp_type        echo-reply
     list icmp_type        destination-unreachable
     list icmp_type        packet-too-big
     list icmp_type        time-exceeded
     list icmp_type        bad-header
     list icmp_type        unknown-header-type
     list icmp_type        router-solicitation
     list icmp_type        neighbour-solicitation
     list icmp_type        router-advertisement
     list icmp_type        neighbour-advertisement
     option limit        1000/sec
     option family        ipv6
     option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# Forwarded from wan to any zone ("dest *"), same rate limit. The
# router/neighbour discovery types are not in this list, only echo and
# error messages.
config rule
     option name        Allow-ICMPv6-Forward
     option src        wan
     option dest        *
     option proto        icmp
     list icmp_type        echo-request
     list icmp_type        echo-reply
     list icmp_type        destination-unreachable
     list icmp_type        packet-too-big
     list icmp_type        time-exceeded
     list icmp_type        bad-header
     list icmp_type        unknown-header-type
     option limit        1000/sec
     option family        ipv6
     option target        ACCEPT

# include a file with users custom iptables rules
# NOTE(review): the contents of /etc/firewall.user are not part of this
# paste. Rules added there change the effective ruleset, so the file
# must be read together with this one before judging what is exposed.
config include
     option path /etc/firewall.user
