From db1097bdca9f4ac6f37f4ec28a63e6e89e4b9d26 Mon Sep 17 00:00:00 2001
From: Chris Fiege
Date: Sun, 20 Oct 2024 18:36:02 +0200
Subject: [PATCH] ffbs-parker-nodeconfig: firewall: Allow respondd from all internal addr

This firewall rules make sure, that respondd is only accessible from inside the Freifunk network (client network or VPN) - but not from other interfaces (e.g. `br-wan`). While we were only using it for Freifunk Braunschweig the `src_ip` limitation did not really matter: Per definition these are the only IPv6 addresses on these interfaces anyway. But while preparing this tooling for a wider use we should rethink this decision. There is no need to limit access to a specific IPv6 range, as long as the requests are still coming from the inside.
---
 .../files/lib/gluon/upgrade/904-parker-firewall | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ffbs-parker-nodeconfig/files/lib/gluon/upgrade/904-parker-firewall b/ffbs-parker-nodeconfig/files/lib/gluon/upgrade/904-parker-firewall
index 4f9afa06..90fa1715 100755
--- a/ffbs-parker-nodeconfig/files/lib/gluon/upgrade/904-parker-firewall
+++ b/ffbs-parker-nodeconfig/files/lib/gluon/upgrade/904-parker-firewall
@@ -52,11 +52,10 @@ uci set firewall.vpn_parker_mesh='forwarding'
 uci set firewall.vpn_parker_mesh.src='vpn_parker'
 uci set firewall.vpn_parker_mesh.dest='mesh'
-# allow respondd to be reached from mesh an vpn_parker
+# allow respondd to be reached from mesh and vpn_parker
 uci set firewall.respondd_mesh_parker=rule
 uci set firewall.respondd_mesh_parker.dest_port='1001'
 uci set firewall.respondd_mesh_parker.name='respondd_mesh_parker'
-uci set firewall.respondd_mesh_parker.src_ip='2001:bf7:381::/64'
 uci set firewall.respondd_mesh_parker.target='ACCEPT'
 uci set firewall.respondd_mesh_parker.proto='udp'
 uci set firewall.respondd_mesh_parker.src='mesh'
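Review bot: Removing the `uci set firewall.respondd_mesh_parker.src_ip=...` line only stops the option from being written on fresh installations; a node that already ran the previous version of this upgrade script keeps the stored `src_ip` value unless something else regenerates the firewall section, so those nodes would silently retain the `2001:bf7:381::/64` restriction this commit intends to lift. Pairing the remaining `uci set` lines with an explicit `uci -q delete firewall.respondd_mesh_parker.src_ip` makes the script converge to the same rule on every node; the `respondd_vpn_parker_mesh` rule in the second hunk has the same migration gap. Whether Gluon already resets this config section on upgrade is not visible from the hunk, so this may be moot if it does. The corrected comment could also state the new trust model explicitly, e.g. `# allow respondd to be reached from mesh and vpn_parker; zone membership is the only access control`.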
@@ -64,7 +63,6 @@ uci set firewall.respondd_mesh_parker.src='mesh'
 uci set firewall.respondd_vpn_parker_mesh=rule
 uci set firewall.respondd_vpn_parker_mesh.dest_port='1001'
 uci set firewall.respondd_vpn_parker_mesh.name='respondd_vpn_parker_mesh'
-uci set firewall.respondd_vpn_parker_mesh.src_ip='2001:bf7:381::/64'
 uci set firewall.respondd_vpn_parker_mesh.target='ACCEPT'
 uci set firewall.respondd_vpn_parker_mesh.proto='udp'
 uci set firewall.respondd_vpn_parker_mesh.src='vpn_parker'
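Review bot: With the IPv6 `src_ip` gone, nothing in `respondd_vpn_parker_mesh` pins the rule to one address family any more, so the OpenWrt firewall (which otherwise infers the family from the addresses given) will now accept UDP/1001 from IPv4 sources in the `vpn_parker` zone too — a wider change than the "any IPv6 range" the description argues for. If respondd is only meant to be queried over IPv6, `uci set firewall.respondd_vpn_parker_mesh.family='ipv6'` keeps the previous family scope while still allowing every internal address; the `respondd_mesh_parker` rule in the first hunk has the same property. If accepting IPv4 queries is intended, the commit message should say so.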