SeattleMeshnet / meshbox

The Hyperboria peering device
https://github.com/hyperboria/cjdns
GNU General Public License v3.0

Add cjdns firewall zone and rules #35

Closed ghost closed 9 years ago

ghost commented 9 years ago

Here come the firewall settings

WDYT?

ghost commented 9 years ago

With best regards from @dangowrt

dangowrt commented 9 years ago

Acked-by: Daniel Golle <daniel@makrotopia.org>

ghost commented 9 years ago

The only things I wasn't able to test yet are the rules for HTTP and SSH, because I'm getting bitten by the Hidden Peers bug right now...

wfleurant commented 9 years ago

For sure, I'll patch locally and build with the new interface... I am seeing the possibility of the tuncjdns interface losing its IP addr -- because it is not defined/managed (static). Let me double check this (hopefully soon).. I think this would happen when netifd reloads.. I think cjdns still routes even though it does not have an IPv6 addr, tho.. :)

dangowrt commented 9 years ago

proto 'none' tells netifd not to touch the interface configuration; the same is used e.g. for openvpn-managed tun devices and works well there. As the cjdns angel does the interface setup, there is no need for netifd to do anything about it.

ghost commented 9 years ago

> Only things I wasn't able to test yet are the rules for HTTP and SSH

Tested now :+1:

wfleurant commented 9 years ago

Daniel, I couldn't duplicate my issue/claim -- even with managed on/off, s'all hood here :)

We could use this, but rather finish #35 and discuss later... eh?

  # allow UDP peering from wan & wwan zone, if it exists
  # the cjdns UDP peering port is the same for every zone, so read it once
  peeringPort=$(uci get cjdns.@udp_interface[0].port)
  for zone in wan wwan; do
    # only add a rule when a network of that name is configured
    if uci -q show network.${zone} >/dev/null; then
      # <<- strips the leading tabs, so the batch lines and EOF may be indented
      uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-cjdns-${zone}'
	set firewall.@rule[-1].src=${zone}
	set firewall.@rule[-1].proto=udp
	set firewall.@rule[-1].dest_port=$peeringPort
	set firewall.@rule[-1].target=ACCEPT
	EOF
    fi
  done

dangowrt commented 9 years ago

btw: wwan rarely gets a firewall zone of its own. Usually, the wwan interface is added to the wan zone. Some people may use privacy-enhancing VPN default gateways which are usually put into a firewall zone of their own, and that we might need to think about. Maybe the best approach would be to figure out the firewall zone of the default gateway(s) as well as the zone(s) of any outgoing peering (might be for example a local wifi mesh living in its own firewall zone such as freifunk).
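
One way to do the zone lookup suggested above (find the firewall zone that holds a given logical network, then open the peering port in that zone only, whether it is called wan, wwan or a VPN zone). This is an added example, not code from this PR or from meshbox; the `uci show firewall` output below is constructed, and the logical network carrying the default route is assumed to be looked up separately (e.g. from netifd status) and passed in.

```shell
#!/bin/sh
# Resolve the firewall zone that contains a logical network by parsing
# `uci show firewall` output read from stdin. Handles both the quoted
# list style (network='wan' 'wwan') and the unquoted one (network=wan wwan).
# On a router:  zone=$(uci show firewall | zone_for_network wwan)
zone_for_network() {
  net="$1"
  awk -v net="$net" -v q="'" '
    {
      eq  = index($0, "=")
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)
      gsub(q, "", val)                        # drop uci quoting
    }
    key ~ /^firewall\.@zone\[[0-9]+\]\.name$/ {
      split(key, k, "."); name[k[2]] = val    # k[2] is "@zone[N]"
    }
    key ~ /^firewall\.@zone\[[0-9]+\]\.network$/ {
      split(key, k, "."); n = split(val, nets, " ")
      for (i = 1; i <= n; i++) if (nets[i] == net) found = k[2]
    }
    END { if (found != "") print name[found] }'
}

# Emit the uci batch that opens the cjdns UDP peering port for one zone.
# On a router:  peering_rule_batch "$zone" "$port" | uci -q batch
peering_rule_batch() {
  zone="$1"; port="$2"
  printf '%s\n' \
    "add firewall rule" \
    "set firewall.@rule[-1].name='Allow-cjdns-${zone}'" \
    "set firewall.@rule[-1].src='${zone}'" \
    "set firewall.@rule[-1].proto='udp'" \
    "set firewall.@rule[-1].dest_port='${port}'" \
    "set firewall.@rule[-1].target='ACCEPT'"
}

# Constructed sample (not from a real device): wwan shares the wan zone,
# and a VPN default gateway lives in a zone of its own.
SAMPLE_FIREWALL=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wwan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].network=vpn0
EOF
)
```

With the sample, `printf '%s\n' "$SAMPLE_FIREWALL" | zone_for_network wwan` prints `wan`, and `vpn0` resolves to `vpn`, so the rule is added to the zone that actually carries the traffic rather than to a hard-coded zone name.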

wfleurant commented 9 years ago

Thank you for correcting me here before I get too ahead of myself. I am trying to account for any wwan network interfaces. I see now that it is suggested that the new wan interface (not the firewall zone) is named 'wwan' when created. Then wifi as wan/client (ltedongle, etc...) is assigned to the 'wan' firewall zone.

I've reverted the wwan zone in [meshbox/firewall] eaf9fbecc0dc9cbae85a6f7c42fd8accebf08797