--- /dev/null
+#
+# Copyright (C) 2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall
+PKG_VERSION:=2013-06-04
+PKG_RELEASE:=$(PKG_SOURCE_VERSION)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=git://nbd.name/firewall3.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=5ee2129eaa23a28bfef6d20c273cafc0be559b3d
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org>
+
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/firewall
+ SECTION:=net
+ CATEGORY:=Base system
+ TITLE:=OpenWrt C Firewall
+ DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables
+endef
+
+define Package/firewall/description
+ This package provides a config-compatible C implementation of the UCI firewall.
+endef
+
+define Package/firewall/conffiles
+/etc/config/firewall
+/etc/firewall.user
+endef
+
+define Build/Configure
+ $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a)
+ $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a)
+ $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a)
+ $(call Build/Configure/Default)
+endef
+
+TARGET_CFLAGS += -ffunction-sections -fdata-sections
+TARGET_LDFLAGS += -Wl,--gc-sections
+CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
+
+define Package/firewall/install
+ $(INSTALL_DIR) $(1)/sbin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+ $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
+ $(INSTALL_DIR) $(1)/etc/config/
+ $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
+ $(INSTALL_DIR) $(1)/etc/
+ $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
+endef
+
+$(eval $(call BuildPackage,firewall))
--- /dev/null
+config defaults
+ option syn_flood 1
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+# Uncomment this line to disable ipv6 rules
+# option disable_ipv6 1
+
+config zone
+ option name lan
+ list network 'lan'
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+
+config zone
+ option name wan
+ list network 'wan'
+ list network 'wan6'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+ option mtu_fix 1
+
+config forwarding
+ option src lan
+ option dest wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+ option name Allow-DHCP-Renew
+ option src wan
+ option proto udp
+ option dest_port 68
+ option target ACCEPT
+ option family ipv4
+
+# Allow IPv4 ping
+config rule
+ option name Allow-Ping
+ option src wan
+ option proto icmp
+ option icmp_type echo-request
+ option family ipv4
+ option target ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+ option name Allow-DHCPv6
+ option src wan
+ option proto udp
+ option src_ip fe80::/10
+ option src_port 547
+ option dest_ip fe80::/10
+ option dest_port 546
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Input
+ option src wan
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ list icmp_type router-solicitation
+ list icmp_type neighbour-solicitation
+ list icmp_type router-advertisement
+ list icmp_type neighbour-advertisement
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Forward
+ option src wan
+ option dest *
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# include a file with users custom iptables rules
+config include
+ option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option proto tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+# option src wan
+# option dest lan
+# option protocol esp
+# option target ACCEPT
+
+#config rule
+# option src wan
+# option dest lan
+# option src_port 500
+# option dest_port 500
+# option proto udp
+# option target ACCEPT
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
--- /dev/null
+#!/bin/sh
+
+[ "$ACTION" = ifup ] || exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)"
+fw3 -q reload
--- /dev/null
+#!/bin/sh /etc/rc.common
+
+START=19
+
+boot() {
+ # Be silent on boot, firewall might be started by hotplug already,
+ # so don't complain in syslog.
+ fw3 -q start
+}
+
+start() {
+ fw3 start
+}
+
+stop() {
+ fw3 flush
+}
+
+restart() {
+ fw3 restart
+}
+
+reload() {
+ fw3 reload
+}
--- /dev/null
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
+++ /dev/null
-#
-# Copyright (C) 2013 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=firewall3
-PKG_VERSION:=2013-06-04
-PKG_RELEASE:=$(PKG_SOURCE_VERSION)
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=git://nbd.name/firewall3.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=182abe47ae4686944482580b42a972827a0e4b51
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org>
-
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/kernel.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-define Package/firewall3
- SECTION:=net
- CATEGORY:=Network
- TITLE:=UCI C Firewall
- DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables
-endef
-
-define Package/firewall3/description
- This package provides a config-compatible C implementation of the UCI firewall.
-endef
-
-define Package/firewall3/conffiles
-/etc/config/firewall
-/etc/firewall.user
-endef
-
-define Build/Configure
- $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a)
- $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a)
- $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a)
- $(call Build/Configure/Default)
-endef
-
-TARGET_CFLAGS += -ffunction-sections -fdata-sections
-TARGET_LDFLAGS += -Wl,--gc-sections
-CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
-
-define Package/firewall3/install
- $(INSTALL_DIR) $(1)/sbin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
- $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
- $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
- $(INSTALL_DIR) $(1)/etc/config/
- $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
- $(INSTALL_DIR) $(1)/etc/
- $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
-endef
-
-$(eval $(call BuildPackage,firewall3))
+++ /dev/null
-config defaults
- option syn_flood 1
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-# Uncomment this line to disable ipv6 rules
-# option disable_ipv6 1
-
-config zone
- option name lan
- list network 'lan'
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-
-config zone
- option name wan
- list network 'wan'
- list network 'wan6'
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
-
-config forwarding
- option src lan
- option dest wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
- option name Allow-DHCP-Renew
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
- option family ipv4
-
-# Allow IPv4 ping
-config rule
- option name Allow-Ping
- option src wan
- option proto icmp
- option icmp_type echo-request
- option family ipv4
- option target ACCEPT
-
-# Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
-config rule
- option name Allow-DHCPv6
- option src wan
- option proto udp
- option src_ip fe80::/10
- option src_port 547
- option dest_ip fe80::/10
- option dest_port 546
- option family ipv6
- option target ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
-config rule
- option name Allow-ICMPv6-Input
- option src wan
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- list icmp_type router-solicitation
- list icmp_type neighbour-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-advertisement
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
-config rule
- option name Allow-ICMPv6-Forward
- option src wan
- option dest *
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
-
-# include a file with users custom iptables rules
-config include
- option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option dest wan
-# option proto tcp
-# option target REJECT
-
-# block a specific mac on wan
-#config rule
-# option dest wan
-# option src_mac 00:11:22:33:44:66
-# option target REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-# option src lan
-# option proto ICMP
-# option target DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.16.235
-# option dest_port 80
-# option proto tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-# option src wan
-# option src_dport 22001
-# option dest lan
-# option dest_port 22
-# option proto tcp
-
-# allow IPsec/ESP and ISAKMP passthrough
-#config rule
-# option src wan
-# option dest lan
-# option protocol esp
-# option target ACCEPT
-
-#config rule
-# option src wan
-# option dest lan
-# option src_port 500
-# option dest_port 500
-# option proto udp
-# option target ACCEPT
-
-### FULL CONFIG SECTIONS
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 80
-# option dest wan
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
-# option target REJECT
-
-#config redirect
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 1024
-# option src_dport 80
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
+++ /dev/null
-#!/bin/sh
-
-[ "$ACTION" = ifup ] || exit 0
-
-/etc/init.d/firewall enabled || exit 0
-
-fw3 -q network "$INTERFACE" >/dev/null || exit 0
-
-logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)"
-fw3 -q reload
+++ /dev/null
-#!/bin/sh /etc/rc.common
-
-START=19
-
-boot() {
- # Be silent on boot, firewall might be started by hotplug already,
- # so don't complain in syslog.
- fw3 -q start
-}
-
-start() {
- fw3 start
-}
-
-stop() {
- fw3 flush
-}
-
-restart() {
- fw3 restart
-}
-
-reload() {
- fw3 reload
-}
+++ /dev/null
-# This file is interpreted as shell script.
-# Put your custom iptables rules here, they will
-# be executed with each firewall (re-)start.
-
-# Internal uci firewall chains are flushed and recreated on reload, so
-# put custom rules into the root chains e.g. INPUT or FORWARD or into the
-# special user chains, e.g. input_wan_rule or postrouting_lan_rule.