mirror of
https://github.com/EFForg/rayhunter.git
synced 2026-06-03 19:53:33 -07:00
Remove firewall feature (#996)
https://github.com/EFForg/rayhunter/pull/888 contained an entire set of iptables rules to ensure that no traffic leaked. We know that many of these devices are fairly insecure, that's how we get rayhunter installed on most of them. But if an attacker already is able to run commands on this device, they are most likely going to be able to run iptables -F too. We should discuss real threatmodels before adding stuff like this, because messing with iptables also just makes accidental bricking more likely (see the moxee disk space fiasco)
This commit is contained in:
Markus Unterwaditzer
committed by
GitHub
GitHub
parent
3c1a164361
commit
54de3b3a38
Vendored
-12
@@ -43,18 +43,6 @@ wifi_enabled = false
|
||||
# Defaults to ["9.9.9.9", "149.112.112.112"] (Quad9) if not specified.
|
||||
# dns_servers = ["9.9.9.9", "149.112.112.112"]
|
||||
|
||||
# Device Security
|
||||
# Restrict outbound traffic to essential services only (DHCP, DNS,
|
||||
# HTTPS, and replies to inbound connections). Applies to all outbound
|
||||
# interfaces (WiFi and cellular). Loopback and hotspot bridge traffic
|
||||
# are always allowed. Defaults to true (recommended).
|
||||
firewall_restrict_outbound = true
|
||||
|
||||
# Additional TCP ports to allow outbound when the firewall is active.
|
||||
# DHCP (67-68), DNS (53), and HTTPS (443) are always allowed.
|
||||
# Example: allow HTTP (80) and SSH (22).
|
||||
# firewall_allowed_ports = [80, 22]
|
||||
|
||||
# WebDAV Upload
|
||||
# If a [webdav] section is present, finished recordings (both the raw .qmdl file
|
||||
# and its .ndjson analysis output) are uploaded in the background to a WebDAV
|
||||
|
||||
Vendored
-24
@@ -1,24 +0,0 @@
|
||||
#!/bin/sh
|
||||
CONFIG="/data/rayhunter/config.toml"
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
if grep -q '^firewall_restrict_outbound = true' "$CONFIG" 2>/dev/null; then
|
||||
iptables -F OUTPUT
|
||||
iptables -A OUTPUT -o lo -j ACCEPT
|
||||
for br in bridge0 br0; do
|
||||
[ -d "/sys/class/net/$br" ] && iptables -A OUTPUT -o "$br" -j ACCEPT
|
||||
done
|
||||
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
|
||||
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
|
||||
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
|
||||
iptables -A OUTPUT -j DROP
|
||||
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
iptables -F OUTPUT
|
||||
iptables -P OUTPUT ACCEPT
|
||||
;;
|
||||
esac
|
||||
Reference in New Issue
Block a user