nils/gluon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gluon-respondd: allow access to respondd from mesh-internal addresses

Browse Source
This commit is contained in:
Christof Schulze 2017-08-06 00:02:39 +02:00 committed by Matthias Schiffer
parent 1c1c9f8fc7
commit e5b4d25451
No known key found for this signature in database
GPG Key ID: 16EF3F64CB201D9C
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
View File

@ -1,6 +1,7 @@
#!/usr/bin/lua #!/usr/bin/lua
local uci = require('simple-uci').cursor() local uci = require('simple-uci').cursor()
local site = require('gluon.site')
uci:delete('firewall', 'wan_announced') uci:delete('firewall', 'wan_announced')
@ -14,7 +15,7 @@ uci:section('firewall', 'rule', 'wan_respondd', {
target = 'ACCEPT', target = 'ACCEPT',
}) })
-- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside -- Allow respondd-access on client_local
uci:section('firewall', 'rule', 'client_respondd', { uci:section('firewall', 'rule', 'client_respondd', {
name = 'client_respondd', name = 'client_respondd',
src = 'client_local', src = 'client_local',
@ -33,4 +34,13 @@ uci:section('firewall', 'rule', 'mesh_respondd_ll', {
target = 'ACCEPT', target = 'ACCEPT',
}) })
uci:section('firewall', 'rule', 'mesh_respondd_siteprefix', {
name = 'mesh_respondd_siteprefix',
src = 'mesh',
src_ip = site.prefix6(),
dest_port = '1001',
proto = 'udp',
target = 'ACCEPT',
})
uci:save('firewall') uci:save('firewall')