author | Himbeer <himbeer@disroot.org> | 2025-04-05 20:32:48 +0200 |
committer | Himbeer <himbeer@disroot.org> | 2025-04-05 20:32:48 +0200 |
commit | d450229089df736837490b024448d14605bc6433 (patch) | |
tree | 7b085a3e86af296f1d9b73b7c4943d4d623d8406 | |
parent | 9aaaf0c2fb2f3100fa613c92680f1da33ff05e8a (diff) |
This ensures that DS-Lite works correctly and reliably even if the exact
headers differ from what is expected. All bound ports are still blocked,
using a denylist instead of an allowlist.
-rw-r--r-- | src/main.rs | 93 |
1 files changed, 87 insertions, 6 deletions
diff --git a/src/main.rs b/src/main.rs
index 22c6f81..f74cd5c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -145,14 +145,95 @@ fn filter() -> Result<()> {
 let allow_any_exposed_vpn = Rule::new(&input)?.dport(51821, Protocol::UDP).accept();
 batch.add(&allow_any_exposed_vpn, MsgType::Add);
 
- let deny_wan = Rule::new(&input)?.iface("ppp0")?.drop();
- batch.add(&deny_wan, MsgType::Add);
+ let deny_wan_netdump = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(22, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_netdump, MsgType::Add);
+
+ let deny_wan_admin = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(8443, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_admin, MsgType::Add);
+
+ let deny_wan_diag = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(12808, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_diag, MsgType::Add);
+
+ let deny_wan_dns = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(53, Protocol::UDP)
+ .drop();
+ batch.add(&deny_wan_dns, MsgType::Add);
+
+ let deny_wan_dhcpv4 = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(67, Protocol::UDP)
+ .drop();
+ batch.add(&deny_wan_dhcpv4, MsgType::Add);
+
+ let deny_wan_dhcpv6 = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(547, Protocol::UDP)
+ .drop();
+ batch.add(&deny_wan_dhcpv6, MsgType::Add);
+
+ let deny_wan_dslite_netdump = Rule::new(&input)?
+ .iface("dslite0")?
+ .dport(22, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_dslite_netdump, MsgType::Add);
+
+ let deny_wan_dslite_admin = Rule::new(&input)?
+ .iface("dslite0")?
+ .dport(8443, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_dslite_admin, MsgType::Add);
+
+ let deny_wan_dslite_diag = Rule::new(&input)?
+ .iface("dslite0")?
+ .dport(12808, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_dslite_diag, MsgType::Add);
+
+ let deny_wan_dslite_dns = Rule::new(&input)?.dport(53, Protocol::UDP).drop();
+ batch.add(&deny_wan_dslite_dns, MsgType::Add);
+
+ let deny_wan_dslite_dhcpv4 = Rule::new(&input)?.dport(67, Protocol::UDP).drop();
+ batch.add(&deny_wan_dslite_dhcpv4, MsgType::Add);
+
+ let deny_wan_dslite_dhcpv6 = Rule::new(&input)?.dport(547, Protocol::UDP).drop();
+ batch.add(&deny_wan_dslite_dhcpv6, MsgType::Add);
+
+ let deny_wan6in4_netdump = Rule::new(&input)?
+ .iface("he6in4")?
+ .dport(22, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan6in4_netdump, MsgType::Add);
+
+ let deny_wan6in4_admin = Rule::new(&input)?
+ .iface("he6in4")?
+ .dport(8443, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan6in4_admin, MsgType::Add);
+
+ let deny_wan6in4_diag = Rule::new(&input)?
+ .iface("he6in4")?
+ .dport(12808, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan6in4_diag, MsgType::Add);
+
+ let deny_wan6in4_dns = Rule::new(&input)?.dport(53, Protocol::UDP).drop();
+ batch.add(&deny_wan6in4_dns, MsgType::Add);
 
- let deny_wan_dslite = Rule::new(&input)?.iface("dslite0")?.drop();
- batch.add(&deny_wan_dslite, MsgType::Add);
+ let deny_wan6in4_dhcpv4 = Rule::new(&input)?.dport(67, Protocol::UDP).drop();
+ batch.add(&deny_wan6in4_dhcpv4, MsgType::Add);
 
- let deny_wan6in4 = Rule::new(&input)?.iface("he6in4")?.drop();
- batch.add(&deny_wan6in4, MsgType::Add);
+ let deny_wan6in4_dhcpv6 = Rule::new(&input)?.dport(547, Protocol::UDP).drop();
+ batch.add(&deny_wan6in4_dhcpv6, MsgType::Add);
 
 let allow_isolated_dhcp = Rule::new(&input)?
 .iface("eth0.30")? |
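Review bot: The six UDP drops for the DS-Lite and 6in4 paths (`deny_wan_dslite_dns` through `deny_wan6in4_dhcpv6`) carry no `.iface()` match, unlike their TCP siblings and the whole ppp0 set, so each one drops UDP 53/67/547 arriving on every input interface, and the dslite/6in4 dns, dhcpv4 and dhcpv6 rules are identical duplicates of each other. If the chain is evaluated in order and nothing above the hunk accepts LAN DHCP, the interface-less port-67 drop sits ahead of `allow_isolated_dhcp` for eth0.30 and that accept is never reached; if leaving the interface off is deliberate, it needs a comment saying so, because these are then global rules rather than WAN rules. With the per-interface catch-all drops removed, what this host exposes toward the WAN is now bounded only by this list staying in step with every bound port, as the commit message acknowledges; generating the rules from one interface × port table, as below, keeps the three interface sets consistent and makes an omission visible in review. `filter()` begins and ends outside the hunk.

```rust
    // Ports bound on this host that must not be reachable from a WAN-facing
    // interface. Since the interface-wide drops were removed, anything that
    // listens and is not in this table is exposed: keep it in step with the
    // services that are started.
    for wan_iface in ["ppp0", "dslite0", "he6in4"] {
        for (port, proto) in [
            (22, Protocol::TCP),
            (8443, Protocol::TCP),
            (12808, Protocol::TCP),
            (53, Protocol::UDP),
            (67, Protocol::UDP),
            (547, Protocol::UDP),
        ] {
            let deny_wan = Rule::new(&input)?.iface(wan_iface)?.dport(port, proto).drop();
            batch.add(&deny_wan, MsgType::Add);
        }
    }
    // … unchanged: allow_isolated_dhcp and the rules that follow …
```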