|
|
- #!/bin/sh
-
- yggConfig="/etc/yggdrasil.conf"
-
- if [ ! -e ${yggConfig} ]; then
-
- yggdrasil -genconf -json > ${yggConfig}
-
- # create the firewall zone
- uci -q batch <<-EOF >/dev/null
- add firewall zone
- set firewall.@zone[-1].name=yggdrasil
- add_list firewall.@zone[-1].network=yggdrasil
- set firewall.@zone[-1].input=REJECT
- set firewall.@zone[-1].output=ACCEPT
- set firewall.@zone[-1].forward=REJECT
- set firewall.@zone[-1].conntrack=1
- set firewall.@zone[-1].family=ipv6
- EOF
-
- # allow ICMP from yggdrasil zone, e.g. ping6
- uci -q batch <<-EOF >/dev/null
- add firewall rule
- set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
- set firewall.@rule[-1].src=yggdrasil
- set firewall.@rule[-1].proto=icmp
- add_list firewall.@rule[-1].icmp_type=echo-request
- add_list firewall.@rule[-1].icmp_type=echo-reply
- add_list firewall.@rule[-1].icmp_type=destination-unreachable
- add_list firewall.@rule[-1].icmp_type=packet-too-big
- add_list firewall.@rule[-1].icmp_type=time-exceeded
- add_list firewall.@rule[-1].icmp_type=bad-header
- add_list firewall.@rule[-1].icmp_type=unknown-header-type
- set firewall.@rule[-1].limit='1000/sec'
- set firewall.@rule[-1].family=ipv6
- set firewall.@rule[-1].target=ACCEPT
- EOF
-
- # allow SSH from yggdrasil zone, needs to be explicitly enabled
- uci -q batch <<-EOF >/dev/null
- add firewall rule
- set firewall.@rule[-1].enabled=0
- set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
- set firewall.@rule[-1].src=yggdrasil
- set firewall.@rule[-1].proto=tcp
- set firewall.@rule[-1].dest_port=22
- set firewall.@rule[-1].target=ACCEPT
- EOF
-
- # allow LuCI access from yggdrasil zone, needs to be explicitly enabled
- uci -q batch <<-EOF >/dev/null
- add firewall rule
- set firewall.@rule[-1].enabled=0
- set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
- set firewall.@rule[-1].src=yggdrasil
- set firewall.@rule[-1].proto=tcp
- set firewall.@rule[-1].dest_port=80
- set firewall.@rule[-1].target=ACCEPT
- EOF
-
-
- else
- :
- fi
-
- exit 0
|