Disable WAN access to node by default. (#854)

files/etc/config.mesh/firewall

@@ -88,24 +88,6 @@ config include
        option	path             /etc/firewall.user
        option	fw4_compatible   1
 
-config rule
-       option src              wan
-       option dest_port        2222
-       option proto    tcp
-       option target   ACCEPT
-
-config rule
-       option src              wan
-       option dest_port        8080
-       option proto    tcp
-       option target   ACCEPT
-
-config rule
-       option src              wan
-       option dest_port        80
-       option proto    tcp
-       option target   ACCEPT
-
 config rule
         option name             Allow-Ping
         option src              wan

files/etc/local/mesh-firewall/12-wan-services

@@ -0,0 +1,45 @@
+<<'LICENSE'
+  Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
+  Copyright (C) 2023 Tim Wilkinson
+   See Contributors file for additional contributors
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation version 3 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+  Additional Terms:
+
+  Additional use restrictions exist on the AREDN(TM) trademark and logo.
+    See AREDNLicense.txt for more info.
+
+  Attributions to the AREDN Project must be retained in the source code.
+  If importing this code into a new or existing project attribution
+  to the AREDN project must be added to the source code.
+
+  You must not misrepresent the origin of the material contained within.
+
+  Modified versions must be modified to attribute to the original source
+  and be marked in reasonable ways as differentiate it from the original
+  version.
+
+LICENSE
+
+MESHFW_WAN_WEB=$(/sbin/uci -q get aredn.@wan[0].web_access)
+MESHFW_WAN_SSH=$(/sbin/uci -q get aredn.@wan[0].ssh_access)
+
+if [ "${MESHFW_WAN_WEB}" = "1" ]; then
+    nft insert rule ip fw4 input_wan tcp dport 80 accept comment \"wan web access\" 2> /dev/null
+    nft insert rule ip fw4 input_wan tcp dport 8080 accept comment \"wan web access\" > /dev/null
+fi
+
+if [ "${MESHFW_WAN_SSH}" = "1" ]; then
+    nft insert rule ip fw4 input_wan tcp dport 2222 accept comment \"wan ssh access\" 2> /dev/null
+fi

files/www/cgi-bin/advancedconfig

@@ -194,6 +194,22 @@ local settings = {
         postcallback = "changeWANVLAN()",
         needreboot = true
     },
+    {
+        category = "WAN Settings",
+        key = "aredn.@wan[0].web_access",
+        type = "boolean",
+        desc = "<b>Enable web access</b> to the node from the WAN interface<br><br><small>aredn.@wan[0].web_access</small>",
+        default = "0",
+        needreboot = true
+    },
+    {
+        category = "WAN Settings",
+        key = "aredn.@wan[0].ssh_access",
+        type = "boolean",
+        desc = "<b>Enable SSH access</b> to the node from the WAN interface<br><br><small>aredn.@wan[0].ssh_access</small>",
+        default = "0",
+        needreboot = true
+    },
     {
         category = "Power Options",
         key = "aredn.@poe[0].passthrough",