From 51d1afbcb9987c5183bd437dae5b2631d1a992cf Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sun, 27 Apr 2014 20:25:33 +0530
Subject: [PATCH] Setup network interfaces into external and internal zones

This replaces the /etc/init.d/(freedombox-)proxy script that enables masquerading traffic from internal interface using and external interface. It makes the same assumptions about the nature of network interfaces as the proxy script. FirewallD automatcially takes care of loading masquerading modules, enabling kernel parameter for forwarding and allowing masquerading using external interfaces.
---
 lib/freedombox/first-run.d/90_firewall | 41 ++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/lib/freedombox/first-run.d/90_firewall b/lib/freedombox/first-run.d/90_firewall
index 9e53235b8..a71d52abc 100755
--- a/lib/freedombox/first-run.d/90_firewall
+++ b/lib/freedombox/first-run.d/90_firewall
@@ -1,5 +1,46 @@
 #!/bin/sh
+# Enable tracing to see the commands in
+# /var/log/freedombox-first-run.log
+set -x
+
+# Setup interfaces into appropriate zones. XXX: This is ideally done
+# by network configuration as network configuration tool/scripts have
+# better idea of what the interfaces are. There should also be a UI in
+# Plinth to classify each interface as external or internal.
+
+# If more than one interfaces is available, assume eth0 is external
+# and rest are internal interfaces.
+INTERFACES=$(interface-detect | grep wired | grep -v lo | cut -f1 -d,)
+NO_OF_INTERFACES=$(echo $INTERFACES | wc --words)
+if [ $NO_OF_INTERFACES -gt '1' ]
+then
+ for INTERFACE in $INTERFACES
+ do
+ if [ $INTERFACE = 'eth0' ]
+ then
+ ZONE='external'
+ else
+ ZONE='internal'
+ fi
+
+ firewall-cmd --zone=$ZONE --permanent --add-interface=$INTERFACE
+ done
+fi
+
+# If only one interface is available, assume it to be internal so that
+# services are available on this only possible interface. This means
+# that all services which are meant to available only internally will
+# be available externally if the interface is publicly accessible.
+# XXX: To avoid this, FreedomBox should configure at least two
+# interfaces. If only one network hardware device is available, an
+# alias such as 'eth0:1' could be created and can act as internal
+# interface.
+if [ $NO_OF_INTERFACES -eq '1' ]
+then
+ firewall-cmd --zone=internal --permanent --add-interface="$INTERFACES"
+fi
+
 # Setup firewall rules for all the services enabled by default.
 # Ideally all non-essential services are enabled from Plinth which