

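#!/bin/sh
# uci-defaults script for yggdrasil on OpenWrt.
#
# On first boot it generates a node configuration and adds a dedicated,
# locked-down firewall zone for the yggdrasil interface plus a few rules.
# The config-file check makes it a one-shot: once the file exists nothing is
# touched again.  Exit status follows the uci-defaults contract: 0 means
# "done, delete me", anything else keeps the script around for the next boot.
# Committing the uci changes is left to the uci-defaults runner.
yggConfig="/etc/yggdrasil.conf"

if [ ! -e "${yggConfig}" ]; then
	# Generate into a temporary file and rename afterwards.  A plain
	# `> ${yggConfig}` creates the file before yggdrasil runs, so a failed or
	# interrupted run would leave an empty config behind that satisfies the
	# -e test above and silently disables generation on every later boot.
	# mktemp creates the file 0600; the generated config holds the node's
	# private key, so keep it that way (yggdrasil runs as root on OpenWrt).
	yggTmp=$(mktemp "${yggConfig}.XXXXXX") || exit 1
	if ! yggdrasil -genconf -json > "${yggTmp}"; then
		rm -f -- "${yggTmp}"
		printf '%s\n' "yggdrasil -genconf failed; ${yggConfig} not written" >&2
		exit 1
	fi
	mv -- "${yggTmp}" "${yggConfig}" || exit 1

	# create the firewall zone: the mesh is untrusted, so input and forward
	# are rejected by default and only the rules below open anything
	uci -q batch <<-EOF >/dev/null
	add firewall zone
	set firewall.@zone[-1].name=yggdrasil
	add_list firewall.@zone[-1].network=yggdrasil
	set firewall.@zone[-1].input=REJECT
	set firewall.@zone[-1].output=ACCEPT
	set firewall.@zone[-1].forward=REJECT
	set firewall.@zone[-1].conntrack=1
	set firewall.@zone[-1].family=ipv6
	EOF

	# allow ICMP from yggdrasil zone, e.g. ping6; rate-limited so the zone
	# cannot be used to flood the router
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
	set firewall.@rule[-1].src=yggdrasil
	set firewall.@rule[-1].proto=icmp
	add_list firewall.@rule[-1].icmp_type=echo-request
	add_list firewall.@rule[-1].icmp_type=echo-reply
	add_list firewall.@rule[-1].icmp_type=destination-unreachable
	add_list firewall.@rule[-1].icmp_type=packet-too-big
	add_list firewall.@rule[-1].icmp_type=time-exceeded
	add_list firewall.@rule[-1].icmp_type=bad-header
	add_list firewall.@rule[-1].icmp_type=unknown-header-type
	set firewall.@rule[-1].limit='1000/sec'
	set firewall.@rule[-1].family=ipv6
	set firewall.@rule[-1].target=ACCEPT
	EOF

	# allow SSH from yggdrasil zone; shipped disabled (enabled=0) and must be
	# explicitly turned on by the administrator
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
	set firewall.@rule[-1].src=yggdrasil
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=22
	set firewall.@rule[-1].target=ACCEPT
	EOF

	# allow LuCI access from yggdrasil zone; shipped disabled (enabled=0) and
	# must be explicitly turned on by the administrator
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
	set firewall.@rule[-1].src=yggdrasil
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=80
	set firewall.@rule[-1].target=ACCEPT
	EOF
fi

exit 0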