turret: update config files & improve derivation

author: seth <[email protected]> 2023-10-31 03:26:11 -0400
committer: seth <[email protected]> 2023-10-31 03:26:11 -0400
commit: 0a582b523fd1a53cb1f15b31d1b54a49e8d65f28 (patch)
tree: 73ecb01b0faa0861ad5d054d1d504c90a1f46b5b /systems/turret/files/etc/config/firewall
parent: 49021bd62a0e605c6d05518f428b6777ead61470 (diff)
1 files changed, 95 insertions, 163 deletions
diff --git a/systems/turret/files/etc/config/firewall b/systems/turret/files/etc/config/firewall
index b9a4647..c1e4f84 100644
--- a/systems/turret/files/etc/config/firewall
+++ b/systems/turret/files/etc/config/firewall
@@ -1,189 +1,121 @@
+
 config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT
-	option forward		REJECT
-# Uncomment this line to disable ipv6 rules
-#	option disable_ipv6	1
+	option syn_flood '1'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
 
 config zone
-	option name		lan
-	list   network		'lan'
-	option input		ACCEPT
-	option output		ACCEPT
-	option forward		ACCEPT
+	option name 'lan'
+	list network 'lan'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'ACCEPT'
 
 config zone
-	option name		wan
-	list   network		'wan'
-	list   network		'wan6'
-	option input		REJECT
-	option output		ACCEPT
-	option forward		REJECT
-	option masq		1
-	option mtu_fix		1
+	option name 'wan'
+	list network 'wan'
+	list network 'wan6'
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+	option masq '1'
+	option mtu_fix '1'
 
 config forwarding
-	option src		lan
-	option dest		wan
+	option src 'lan'
+	option dest 'wan'
 
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
 config rule
-	option name		Allow-DHCP-Renew
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-	option family		ipv4
+	option name 'Allow-DHCP-Renew'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '68'
+	option target 'ACCEPT'
+	option family 'ipv4'
 
-# Allow IPv4 ping
 config rule
-	option name		Allow-Ping
-	option src		wan
-	option proto		icmp
-	option icmp_type	echo-request
-	option family		ipv4
-	option target		ACCEPT
+	option name 'Allow-Ping'
+	option src 'wan'
+	option proto 'icmp'
+	option icmp_type 'echo-request'
+	option family 'ipv4'
+	option target 'ACCEPT'
 
 config rule
-	option name		Allow-IGMP
-	option src		wan
-	option proto		igmp
-	option family		ipv4
-	option target		ACCEPT
+	option name 'Allow-IGMP'
+	option src 'wan'
+	option proto 'igmp'
+	option family 'ipv4'
+	option target 'ACCEPT'
 
-# Allow DHCPv6 replies
-# see https://github.com/openwrt/openwrt/issues/5066
 config rule
-	option name		Allow-DHCPv6
-	option src		wan
-	option proto		udp
-	option dest_port	546
-	option family		ipv6
-	option target		ACCEPT
+	option name 'Allow-DHCPv6'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '546'
+	option family 'ipv6'
+	option target 'ACCEPT'
 
 config rule
-	option name		Allow-MLD
-	option src		wan
-	option proto		icmp
-	option src_ip		fe80::/10
-	list icmp_type		'130/0'
-	list icmp_type		'131/0'
-	list icmp_type		'132/0'
-	list icmp_type		'143/0'
-	option family		ipv6
-	option target		ACCEPT
+	option name 'Allow-MLD'
+	option src 'wan'
+	option proto 'icmp'
+	option src_ip 'fe80::/10'
+	list icmp_type '130/0'
+	list icmp_type '131/0'
+	list icmp_type '132/0'
+	list icmp_type '143/0'
+	option family 'ipv6'
+	option target 'ACCEPT'
 
-# Allow essential incoming IPv6 ICMP traffic
 config rule
-	option name		Allow-ICMPv6-Input
-	option src		wan
-	option proto	icmp
-	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	list icmp_type		router-solicitation
-	list icmp_type		neighbour-solicitation
-	list icmp_type		router-advertisement
-	list icmp_type		neighbour-advertisement
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
+	option name 'Allow-ICMPv6-Input'
+	option src 'wan'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	list icmp_type 'router-solicitation'
+	list icmp_type 'neighbour-solicitation'
+	list icmp_type 'router-advertisement'
+	list icmp_type 'neighbour-advertisement'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
 
-# Allow essential forwarded IPv6 ICMP traffic
 config rule
-	option name		Allow-ICMPv6-Forward
-	option src		wan
-	option dest		*
-	option proto		icmp
-	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
+	option name 'Allow-ICMPv6-Forward'
+	option src 'wan'
+	option dest '*'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
 
 config rule
-	option name		Allow-IPSec-ESP
-	option src		wan
-	option dest		lan
-	option proto		esp
-	option target		ACCEPT
+	option name 'Allow-IPSec-ESP'
+	option src 'wan'
+	option dest 'lan'
+	option proto 'esp'
+	option target 'ACCEPT'
 
 config rule
-	option name		Allow-ISAKMP
-	option src		wan
-	option dest		lan
-	option dest_port	500
-	option proto		udp
-	option target		ACCEPT
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option dest		wan
-#	option proto	tcp
-#	option target	REJECT
-
-# block a specific mac on wan
-#config rule
-#	option dest		wan
-#	option src_mac	00:11:22:33:44:66
-#	option target	REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-#	option src		lan
-#	option proto	ICMP
-#	option target	DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#	option src			wan
-#	option src_dport	80
-#	option dest			lan
-#	option dest_ip		192.168.16.235
-#	option dest_port	80
-#	option proto		tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-#	option src		wan
-#	option src_dport	22001
-#	option dest		lan
-#	option dest_port	22
-#	option proto		tcp
-
-### FULL CONFIG SECTIONS
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port	80
-#	option dest		wan
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
-#	option target	REJECT
+	option name 'Allow-ISAKMP'
+	option src 'wan'
+	option dest 'lan'
+	option dest_port '500'
+	option proto 'udp'
+	option target 'ACCEPT'
 
-#config redirect
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port		1024
-#	option src_dport	80
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
author	seth <[email protected]>	2023-10-31 03:26:11 -0400
committer	seth <[email protected]>	2023-10-31 03:26:11 -0400
commit	0a582b523fd1a53cb1f15b31d1b54a49e8d65f28 (patch)
tree	73ecb01b0faa0861ad5d054d1d504c90a1f46b5b /systems/turret/files/etc/config/firewall
parent	49021bd62a0e605c6d05518f428b6777ead61470 (diff)