Remove firewall feature (#996)

https://github.com/EFForg/rayhunter/pull/888 contained an entire set of iptables rules to ensure that no traffic leaked. We know that many of these devices are fairly insecure, that's how we get rayhunter installed on most of them. But if an attacker already is able to run commands on this device, they are most likely going to be able to run iptables -F too. We should discuss real threatmodels before adding stuff like this, because messing with iptables also just makes accidental bricking more likely (see the moxee disk space fiasco)
2026-06-01 02:33:35 -07:00 · 2026-05-02 13:42:22 +02:00
parent 3c1a164361
commit 54de3b3a38
11 changed files with 0 additions and 221 deletions
@@ -1,24 +0,0 @@
-#!/bin/sh
-CONFIG="/data/rayhunter/config.toml"
-
-case "$1" in
-  start)
-    if grep -q '^firewall_restrict_outbound = true' "$CONFIG" 2>/dev/null; then
-        iptables -F OUTPUT
-        iptables -A OUTPUT -o lo -j ACCEPT
-        for br in bridge0 br0; do
-            [ -d "/sys/class/net/$br" ] && iptables -A OUTPUT -o "$br" -j ACCEPT
-        done
-        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-        iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
-        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-        iptables -A OUTPUT -j DROP
-        echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null
-    fi
-    ;;
-  stop)
-    iptables -F OUTPUT
-    iptables -P OUTPUT ACCEPT
-    ;;
-esac