From d450229089df736837490b024448d14605bc6433 Mon Sep 17 00:00:00 2001
From: Himbeer
Date: Sat, 5 Apr 2025 20:32:48 +0200
Subject: Relax WAN input rules
This has the purpose of ensuring that DS-Lite works correctly and reliably, even if the exact headers differ from the expectations. All ports that are bound to are still blocked, using a denylist instead of an allowlist.
---
 src/main.rs | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 87 insertions(+), 6 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 22c6f81..f74cd5c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -145,14 +145,95 @@ fn filter() -> Result<()> {
 let allow_any_exposed_vpn = Rule::new(&input)?.dport(51821, Protocol::UDP).accept();
 batch.add(&allow_any_exposed_vpn, MsgType::Add);
- let deny_wan = Rule::new(&input)?.iface("ppp0")?.drop();
- batch.add(&deny_wan, MsgType::Add);
+ let deny_wan_netdump = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(22, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_netdump, MsgType::Add);
+
+ let deny_wan_admin = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(8443, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_admin, MsgType::Add);
+
+ let deny_wan_diag = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(12808, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_diag, MsgType::Add);
+
+ let deny_wan_dns = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(53, Protocol::UDP)
+ .drop();
+ batch.add(&deny_wan_dns, MsgType::Add);
+
+ let deny_wan_dhcpv4 = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(67, Protocol::UDP)
+ .drop();
+ batch.add(&deny_wan_dhcpv4, MsgType::Add);
+
+ let deny_wan_dhcpv6 = Rule::new(&input)?
+ .iface("ppp0")?
+ .dport(547, Protocol::UDP)
+ .drop();
+ batch.add(&deny_wan_dhcpv6, MsgType::Add);
+
+ let deny_wan_dslite_netdump = Rule::new(&input)?
+ .iface("dslite0")?
+ .dport(22, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_dslite_netdump, MsgType::Add);
+
+ let deny_wan_dslite_admin = Rule::new(&input)?
+ .iface("dslite0")?
+ .dport(8443, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_dslite_admin, MsgType::Add);
+
+ let deny_wan_dslite_diag = Rule::new(&input)?
+ .iface("dslite0")?
+ .dport(12808, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan_dslite_diag, MsgType::Add);
+
+ let deny_wan_dslite_dns = Rule::new(&input)?.dport(53, Protocol::UDP).drop();
+ batch.add(&deny_wan_dslite_dns, MsgType::Add);
+
+ let deny_wan_dslite_dhcpv4 = Rule::new(&input)?.dport(67, Protocol::UDP).drop();
+ batch.add(&deny_wan_dslite_dhcpv4, MsgType::Add);
+
+ let deny_wan_dslite_dhcpv6 = Rule::new(&input)?.dport(547, Protocol::UDP).drop();
+ batch.add(&deny_wan_dslite_dhcpv6, MsgType::Add);
+
+ let deny_wan6in4_netdump = Rule::new(&input)?
+ .iface("he6in4")?
+ .dport(22, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan6in4_netdump, MsgType::Add);
+
+ let deny_wan6in4_admin = Rule::new(&input)?
+ .iface("he6in4")?
+ .dport(8443, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan6in4_admin, MsgType::Add);
+
+ let deny_wan6in4_diag = Rule::new(&input)?
+ .iface("he6in4")?
+ .dport(12808, Protocol::TCP)
+ .drop();
+ batch.add(&deny_wan6in4_diag, MsgType::Add);
+
+ let deny_wan6in4_dns = Rule::new(&input)?.dport(53, Protocol::UDP).drop();
+ batch.add(&deny_wan6in4_dns, MsgType::Add);
- let deny_wan_dslite = Rule::new(&input)?.iface("dslite0")?.drop();
- batch.add(&deny_wan_dslite, MsgType::Add);
+ let deny_wan6in4_dhcpv4 = Rule::new(&input)?.dport(67, Protocol::UDP).drop();
+ batch.add(&deny_wan6in4_dhcpv4, MsgType::Add);
- let deny_wan6in4 = Rule::new(&input)?.iface("he6in4")?.drop();
- batch.add(&deny_wan6in4, MsgType::Add);
+ let deny_wan6in4_dhcpv6 = Rule::new(&input)?.dport(547, Protocol::UDP).drop();
+ batch.add(&deny_wan6in4_dhcpv6, MsgType::Add);
 let allow_isolated_dhcp = Rule::new(&input)?
 .iface("eth0.30")?
-- cgit v1.2.3
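Review bot: The six DNS/DHCP drops written without `.iface(...)` — `deny_wan_dslite_dns`, `deny_wan_dslite_dhcpv4`, `deny_wan_dslite_dhcpv6`, `deny_wan6in4_dns`, `deny_wan6in4_dhcpv4`, `deny_wan6in4_dhcpv6` — match UDP 53/67/547 on every interface rather than the WAN interface their names suggest, so depending on what precedes them in the `input` chain they can drop LAN DNS and DHCP requests and would shadow the `allow_isolated_dhcp` rule that follows; if omitting the interface is deliberate for DS-Lite packets arriving on an unexpected interface, each of those three rules only needs to exist once and the LAN impact should be confirmed. The replaced rules were interface-scoped default drops; with a per-port denylist, any port a local service binds in the future is reachable from the WAN interfaces until this list is updated (or the chain policy catches it, which is outside the hunk), so the block deserves a comment such as `// WAN denylist: every port a local service binds must be listed here; unlisted ports fall through to the rest of the chain`. Generating the rules from one interface list and one port list removes the duplication and makes the interface scope impossible to forget; the sketch below assumes `Protocol` is `Copy` (clone it otherwise). `filter` continues past the hunk.
```rust
    // … unchanged: allow_any_exposed_vpn …
    // WAN denylist: every port a local service binds must be listed here;
    // unlisted ports fall through to the rest of the chain and its policy.
    let wan_ifaces = ["ppp0", "dslite0", "he6in4"];
    let bound_ports = [
        (22, Protocol::TCP),
        (8443, Protocol::TCP),
        (12808, Protocol::TCP),
        (53, Protocol::UDP),
        (67, Protocol::UDP),
        (547, Protocol::UDP),
    ];
    for &iface in &wan_ifaces {
        for &(port, proto) in &bound_ports {
            let deny_wan = Rule::new(&input)?.iface(iface)?.dport(port, proto).drop();
            batch.add(&deny_wan, MsgType::Add);
        }
    }
    // … unchanged: allow_isolated_dhcp …
```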