Setup network interfaces into external and internal zones

This replaces the /etc/init.d/(freedombox-)proxy script that enables masquerading traffic from internal interface using and external interface. It makes the same assumptions about the nature of network interfaces as the proxy script. FirewallD automatcially takes care of loading masquerading modules, enabling kernel parameter for forwarding and allowing masquerading using external interfaces.
2026-01-21 07:55:00 +00:00 · 2014-04-27 20:25:33 +05:30 · 2014-04-27 20:25:33 +05:30 · 51d1afbcb9
commit 51d1afbcb9
parent 3ef1ed83ce
1 changed files with 41 additions and 0 deletions
--- a/lib/freedombox/first-run.d/90_firewall
+++ b/lib/freedombox/first-run.d/90_firewall
@ -1,5 +1,46 @@
 #!/bin/sh

+# Enable tracing to see the commands in
+# /var/log/freedombox-first-run.log
+set -x
+
+# Setup interfaces into appropriate zones. XXX: This is ideally done
+# by network configuration as network configuration tool/scripts have
+# better idea of what the interfaces are. There should also be a UI in
+# Plinth to classify each interface as external or internal.
+
+# If more than one interfaces is available, assume eth0 is external
+# and rest are internal interfaces.
+INTERFACES=$(interface-detect | grep wired | grep -v lo | cut -f1 -d,)
+NO_OF_INTERFACES=$(echo $INTERFACES | wc --words)
+if [ $NO_OF_INTERFACES -gt '1' ]
+then
+    for INTERFACE in $INTERFACES
+    do
+        if [ $INTERFACE = 'eth0' ]
+        then
+            ZONE='external'
+        else
+            ZONE='internal'
+        fi
+
+        firewall-cmd --zone=$ZONE --permanent --add-interface=$INTERFACE
+    done
+fi
+
+# If only one interface is available, assume it to be internal so that
+# services are available on this only possible interface. This means
+# that all services which are meant to available only internally will
+# be available externally if the interface is publicly accessible.
+# XXX: To avoid this, FreedomBox should configure at least two
+# interfaces. If only one network hardware device is available, an
+# alias such as 'eth0:1' could be created and can act as internal
+# interface.
+if [ $NO_OF_INTERFACES -eq '1' ]
+then
+    firewall-cmd --zone=internal --permanent --add-interface="$INTERFACES"
+fi
+

 # Setup firewall rules for all the services enabled by default.
 # Ideally all non-essential services are enabled from Plinth which