11 files changed, 648 insertions, 0 deletions
diff --git a/package/network/config/firewall3/files/.svn/entries b/package/network/config/firewall3/files/.svn/entries
new file mode 100644
index 0000000..9baf8d9
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/entries
@@ -0,0 +1,164 @@
+10
+
+dir
+36060
+svn://svn.openwrt.org/openwrt/trunk/package/network/config/firewall3/files
+svn://svn.openwrt.org/openwrt
+
+
+
+2013-03-13T15:46:30.571192Z
+35998
+jow
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3c298f89-4303-0410-b956-a3cf2f4a3e73
+
+firewall.user
+file
+
+
+
+
+2013-03-17T12:13:19.000000Z
+f482960e5c24821f077e601d9a7f3068
+2013-03-11T20:52:20.179524Z
+35969
+jow
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+352
+
+firewall.hotplug
+file
+
+
+
+
+2013-03-17T12:13:19.000000Z
+8d17f1b0dbce5fe0f59a693af482f2c5
+2013-03-13T15:46:30.571192Z
+35998
+jow
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+223
+
+firewall.init
+file
+
+
+
+
+2013-03-17T12:13:19.000000Z
+2c5f74740c6b69a390dfaf075f2e72a6
+2013-03-13T15:46:30.571192Z
+35998
+jow
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+262
+
+firewall.config
+file
+
+
+
+
+2013-03-17T12:13:19.000000Z
+f952253dc6cb85d189857c3fead88362
+2013-03-05T13:45:09.488580Z
+35889
+jow
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+4244
+
diff --git a/package/network/config/firewall3/files/.svn/prop-base/firewall.config.svn-base b/package/network/config/firewall3/files/.svn/prop-base/firewall.config.svn-base
new file mode 100644
index 0000000..3160658
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/prop-base/firewall.config.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:mergeinfo
+V 0
+
+END
diff --git a/package/network/config/firewall3/files/.svn/prop-base/firewall.init.svn-base b/package/network/config/firewall3/files/.svn/prop-base/firewall.init.svn-base
new file mode 100644
index 0000000..869ac71
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/prop-base/firewall.init.svn-base
@@ -0,0 +1,5 @@
+K 14
+svn:executable
+V 1
+*
+END
diff --git a/package/network/config/firewall3/files/.svn/text-base/firewall.config.svn-base b/package/network/config/firewall3/files/.svn/text-base/firewall.config.svn-base
new file mode 100644
index 0000000..6acfe1e
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/text-base/firewall.config.svn-base
@@ -0,0 +1,195 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	option network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		wan
+	option network		'wan'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fe80::/10
+	option src_port		547
+	option dest_ip		fe80::/10
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Block ULA-traffic from leaking out
+config rule
+	option name		Enforce-ULA-Border-Src
+	option src		*
+	option dest		wan
+	option proto		all
+	option src_ip		fc00::/7
+	option family		ipv6
+	option target		REJECT
+
+config rule
+	option name		Enforce-ULA-Border-Dest
+	option src		*
+	option dest		wan
+	option proto		all
+	option dest_ip		fc00::/7
+	option family		ipv6
+	option target		REJECT
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option protocol		esp
+#	option target		ACCEPT
+
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option src_port		500
+#	option dest_port	500
+#	option proto		udp
+#	option target		ACCEPT
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
diff --git a/package/network/config/firewall3/files/.svn/text-base/firewall.hotplug.svn-base b/package/network/config/firewall3/files/.svn/text-base/firewall.hotplug.svn-base
new file mode 100644
index 0000000..34f3afe
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/text-base/firewall.hotplug.svn-base
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup ] || exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)"
+fw3 -q reload
diff --git a/package/network/config/firewall3/files/.svn/text-base/firewall.init.svn-base b/package/network/config/firewall3/files/.svn/text-base/firewall.init.svn-base
new file mode 100644
index 0000000..64e3a8c
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/text-base/firewall.init.svn-base
@@ -0,0 +1,25 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+
+boot() {
+	# Be silent on boot, firewall might be started by hotplug already,
+	# so don't complain in syslog.
+	fw3 -q start
+}
+
+start() {
+	fw3 start
+}
+
+stop() {
+	fw3 flush
+}
+
+restart() {
+	fw3 restart
+}
+
+reload() {
+	fw3 reload
+}
diff --git a/package/network/config/firewall3/files/.svn/text-base/firewall.user.svn-base b/package/network/config/firewall3/files/.svn/text-base/firewall.user.svn-base
new file mode 100644
index 0000000..6f79906
--- /dev/null
+++ b/package/network/config/firewall3/files/.svn/text-base/firewall.user.svn-base
@@ -0,0 +1,7 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
diff --git a/package/network/config/firewall3/files/firewall.config b/package/network/config/firewall3/files/firewall.config
new file mode 100644
index 0000000..6acfe1e
--- /dev/null
+++ b/package/network/config/firewall3/files/firewall.config
@@ -0,0 +1,195 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	option network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		wan
+	option network		'wan'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fe80::/10
+	option src_port		547
+	option dest_ip		fe80::/10
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Block ULA-traffic from leaking out
+config rule
+	option name		Enforce-ULA-Border-Src
+	option src		*
+	option dest		wan
+	option proto		all
+	option src_ip		fc00::/7
+	option family		ipv6
+	option target		REJECT
+
+config rule
+	option name		Enforce-ULA-Border-Dest
+	option src		*
+	option dest		wan
+	option proto		all
+	option dest_ip		fc00::/7
+	option family		ipv6
+	option target		REJECT
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option protocol		esp
+#	option target		ACCEPT
+
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option src_port		500
+#	option dest_port	500
+#	option proto		udp
+#	option target		ACCEPT
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
diff --git a/package/network/config/firewall3/files/firewall.hotplug b/package/network/config/firewall3/files/firewall.hotplug
new file mode 100644
index 0000000..34f3afe
--- /dev/null
+++ b/package/network/config/firewall3/files/firewall.hotplug
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup ] || exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)"
+fw3 -q reload
diff --git a/package/network/config/firewall3/files/firewall.init b/package/network/config/firewall3/files/firewall.init
new file mode 100755
index 0000000..64e3a8c
--- /dev/null
+++ b/package/network/config/firewall3/files/firewall.init
@@ -0,0 +1,25 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+
+boot() {
+	# Be silent on boot, firewall might be started by hotplug already,
+	# so don't complain in syslog.
+	fw3 -q start
+}
+
+start() {
+	fw3 start
+}
+
+stop() {
+	fw3 flush
+}
+
+restart() {
+	fw3 restart
+}
+
+reload() {
+	fw3 reload
+}
diff --git a/package/network/config/firewall3/files/firewall.user b/package/network/config/firewall3/files/firewall.user
new file mode 100644
index 0000000..6f79906
--- /dev/null
+++ b/package/network/config/firewall3/files/firewall.user
@@ -0,0 +1,7 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.