Disable WAN access to node by default. (#854)

Tim Wilkinson 2023-05-29 09:22:09 -07:00 committed by GitHub
parent ab541c3d35
commit df77276075
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 61 additions and 18 deletions


@ -88,24 +88,6 @@ config include
option path /etc/firewall.user option path /etc/firewall.user
option fw4_compatible 1 option fw4_compatible 1
config rule
option src wan
option dest_port 2222
option proto tcp
option target ACCEPT
config rule
option src wan
option dest_port 8080
option proto tcp
option target ACCEPT
config rule
option src wan
option dest_port 80
option proto tcp
option target ACCEPT
config rule config rule
option name Allow-Ping option name Allow-Ping
option src wan option src wan


@ -0,0 +1,45 @@
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
Copyright (C) 2023 Tim Wilkinson
See Contributors file for additional contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Additional Terms:
Additional use restrictions exist on the AREDN(TM) trademark and logo.
See AREDNLicense.txt for more info.
Attributions to the AREDN Project must be retained in the source code.
If importing this code into a new or existing project attribution
to the AREDN project must be added to the source code.
You must not misrepresent the origin of the material contained within.
Modified versions must be modified to attribute to the original source
and be marked in reasonable ways as differentiate it from the original
version.
LICENSE
MESHFW_WAN_WEB=$(/sbin/uci -q get aredn.@wan[0].web_access)
MESHFW_WAN_SSH=$(/sbin/uci -q get aredn.@wan[0].ssh_access)
if [ "${MESHFW_WAN_WEB}" = "1" ]; then
nft insert rule ip fw4 input_wan tcp dport 80 accept comment \"wan web access\" 2> /dev/null
nft insert rule ip fw4 input_wan tcp dport 8080 accept comment \"wan web access\" > /dev/null
fi
if [ "${MESHFW_WAN_SSH}" = "1" ]; then
nft insert rule ip fw4 input_wan tcp dport 2222 accept comment \"wan ssh access\" 2> /dev/null
fi
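Review bot: The dport 8080 rule redirects stdout (`> /dev/null`) while the dport 80 and dport 2222 rules redirect stderr (`2> /dev/null`), so a failed insert for 8080 still prints an nft error whereas the other two are silent; for consistency it should read `nft insert rule ip fw4 input_wan tcp dport 8080 accept comment \"wan web access\" 2> /dev/null`. Because every insert discards its error output, a missing `input_wan` chain or a rejected rule leaves WAN web/SSH silently closed — fail-closed, which is the right direction, but hard to diagnose from the node; the script itself does not say when it runs or who invokes it, and there is no file header after the license explaining that. I would add a comment before the first `uci` call such as `# Firewall hook (presumably an fw4 include — confirm): opens WAN TCP 80/8080 and/or 2222 only when the matching aredn.@wan[0] option is exactly "1"; any other or missing value leaves them closed.` The equality test against the literal `"1"` is what makes an unset option stay closed, so that comparison should not be loosened to a truthiness check.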

View File

@ -194,6 +194,22 @@ local settings = {
postcallback = "changeWANVLAN()", postcallback = "changeWANVLAN()",
needreboot = true needreboot = true
}, },
{
category = "WAN Settings",
key = "aredn.@wan[0].web_access",
type = "boolean",
desc = "<b>Enable web access</b> to the node from the WAN interface<br><br><small>aredn.@wan[0].web_access</small>",
default = "0",
needreboot = true
},
{
category = "WAN Settings",
key = "aredn.@wan[0].ssh_access",
type = "boolean",
desc = "<b>Enable SSH access</b> to the node from the WAN interface<br><br><small>aredn.@wan[0].ssh_access</small>",
default = "0",
needreboot = true
},
{ {
category = "Power Options", category = "Power Options",
key = "aredn.@poe[0].passthrough", key = "aredn.@poe[0].passthrough",
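Review bot: Neither new settings entry records which WAN ports the option opens, so a maintainer reading this table has to locate the firewall include to learn that `web_access` admits TCP 80 and 8080 and `ssh_access` admits TCP 2222 from the WAN side. A one-line comment above each entry would close that gap, e.g. `-- opens TCP 80/8080 from the WAN via the firewall include; default off` and `-- opens TCP 2222 from the WAN via the firewall include; default off`. Both entries default to `"0"` and the include only acts on an exact `"1"`, so an absent or malformed value stays closed; that default should be kept in step with the include if either side changes. Whether `needreboot = true` is required or a firewall reload would be enough cannot be told from this page. The enclosing `local settings` table starts before this hunk.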