From 4b5f2b63d06cebc29194ec4d2e8f03462a7bc4bf Mon Sep 17 00:00:00 2001
From: William Petit
Date: Wed, 11 Oct 2023 08:57:33 +0200
Subject: [PATCH] feat(bpi-r3): add default firewall rules
---
 install/bananapi.mk | 4 ++
 misc/bpi-r3/uci-defaults/99-x86-uci-custom.sh | 37 +++++++++++++++++++
 targets/bananapi.mk | 2 +-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 misc/bpi-r3/uci-defaults/99-x86-uci-custom.sh
diff --git a/install/bananapi.mk b/install/bananapi.mk
index 32f596b..590f4f2 100644
--- a/install/bananapi.mk
+++ b/install/bananapi.mk
@@ -1,3 +1,7 @@
 install-bpi-r3-network-config:
 mkdir -p files/etc/config
 cp misc/bpi-r3/uci/network files/etc/config/network
+
+install-bpi-r3-uci-defaults:
+ mkdir -p files/etc/uci-defaults
+ cp misc/bpi-r3/uci-defaults/* files/etc/uci-defaults/
\ No newline at end of file
diff --git a/misc/bpi-r3/uci-defaults/99-x86-uci-custom.sh b/misc/bpi-r3/uci-defaults/99-x86-uci-custom.sh
new file mode 100644
index 0000000..ab96e76
--- /dev/null
+++ b/misc/bpi-r3/uci-defaults/99-x86-uci-custom.sh
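Review bot: The `cp misc/bpi-r3/uci-defaults/*` wildcard in the new `install-bpi-r3-uci-defaults` recipe copies every file in that directory into `files/etc/uci-defaults/`, and OpenWrt runs each file there as root on first boot, so a stray backup or test script would be executed on every flashed device. Listing the intended script explicitly, e.g. `cp misc/bpi-r3/uci-defaults/99-x86-uci-custom.sh files/etc/uci-defaults/`, keeps the image contents reviewable. The target is a command name rather than a file, so if no `.PHONY` declaration exists outside this hunk, add `.PHONY: install-bpi-r3-uci-defaults`.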
@@ -0,0 +1,37 @@
+#/bin/sh
+
+set -e
+
+main() {
+ # Update default firewall ruleset
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow SSH on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='22'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow HTTP on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='80'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow HTTPS on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='443'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci commit firewall
+
+ # Disable DNS-rebind protection
+ uci set dhcp.@dnsmasq[0].rebind_protection='0'
+ uci commit dhcp
+
+ reload_config
+}
+
+main
\ No newline at end of file
diff --git a/targets/bananapi.mk b/targets/bananapi.mk
index 747d501..3347c1c 100644
--- a/targets/bananapi.mk
+++ b/targets/bananapi.mk
@@ -4,7 +4,7 @@ bpi-r3:
 $(MAKE) \
 OPENWRT_VERSION="23.05.0-rc3" \
 IMAGEBUILDER_URL=https://downloads.openwrt.org/releases/23.05.0-rc3/targets/mediatek/filogic/openwrt-imagebuilder-23.05.0-rc3-mediatek-filogic.Linux-x86_64.tar.xz \
- ADDITIONAL_INSTALL="install-bpi-r3-network-config" \
+ ADDITIONAL_INSTALL="install-bpi-r3-network-config install-bpi-r3-uci-defaults" \
 ADDITIONAL_OPENWRT_PACKAGES="block-mount kmod-fs-ext4 kmod-usb-storage kmod-usb2" \
 OPENWRT_TARGET="mediatek/filogic" \
 EMISSARY_ARCH="arm64" \
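Review bot: The three added rules accept TCP 22, 80 and 443 from the whole `wan` zone with no source restriction, so every image built with this script exposes its SSH and web listeners to the upstream network from first boot; nothing in this diff shows a root password or key-only login being provisioned before that. Scope each rule to a management range, e.g. `uci set firewall.@rule[-1].src_ip='<MGMT_CIDR>'` (placeholder), or make the WAN rules opt-in at build time. The `rebind_protection='0'` line turns off dnsmasq's filtering of upstream answers that resolve to private addresses for all LAN clients, and the comment gives no reason; if one internal domain needs it, keep protection on and use `uci add_list dhcp.@dnsmasq[0].rebind_domain='<DOMAIN>'` instead. The first line reads `#/bin/sh` without the `!`. Because `uci add` is not idempotent and OpenWrt removes a uci-defaults script only after it exits successfully, a failure under `set -e` would leave the script in place to run again and append duplicate rules.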