diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index fc38ea3..e20e099 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -714,21 +714,52 @@ remote_console_port=5900 # - Ubiquiti Unifi # ====== -# - Notice: -# - The Accesspoint IP is not needed (i think so), because the -# - AP uses port 8080 for cummunication with the controller, and -# - this port will be configured with the rules concerning the -# - controllers. +# - By default, the UniFi controller will operate on the following ports: # - -# - again: setting unifi_ap_local_ips is not needed -#unifi_ap_local_ips="192.168.64.50" +# - unifi_http_port=8080 (port for UAP to inform controller) +# - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser) +# - unifi_portal_http_port=8880 (port for HTTP portal redirect) +# - unifi_portal_https_port=8843 (port for HTTPS portal redirect) +# - unifi_http_port=6789 (port used for throughput measurement) +# - unifi_db_port=27117 (local-bound port for DB server) +# - +# - +# - In version 4.5.2 and later, users can also define the port assigned to STUN services, +# - for scenarios where two or more separate UniFi instances are desired on the +# - same controller machine. +# - +# - unifi_stun_port=3478 # UDP port used for STUN +# - +# - +# - Ubiquity Networks uses port 10001/UDP for its AirControl +# - management discovery protocol +# - +# - unifi_aircontroll_port=10001 +# - +# - +# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. +# - There is no need to open firewall for these ports on controller. However, on +# - controller, avoid to use these ports: +# - +# - port 8881 for redirector port for wireless clients +# - port 8882 for redirector port for wired clients +# - +# - +# - For AP-EDU Broadcasts: +# - +# - UDP ports 5656-5699 +# - +unify_tcp_ports="8080,8443,8880,8843,6789,27117" +unify_udp_ports="3478" +unify_broadcast_udp_ports="10001,5656:5699" -unifi_controller_gateway_ips="" +# - Unifi Controller at gateway? 
+# - +local_unifi_controller_service=false + +# - UniFi Controllers on local network (other than this machine) +# - unify_controller_local_net_ips="" -unify_controller_ports="8080,8443" - -provide_hotspot=true -hotspot_ports="8880,8843" # ====== diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 9ee7a86..5dfb10f 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample 
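Review bot: The new `unify_tcp_ports` list includes 27117 although the comment block a few lines above describes it as the "local-bound port for DB server", and the gateway scripts in this commit feed `unify_tcp_ports` straight into INPUT and FORWARD ACCEPT rules, so the controller database ends up reachable through the firewall — the opposite of what the 8881/8882 redirector note advises. I would use `unify_tcp_ports="8080,8443,8880,8843,6789"` and list 27117 next to 8881/8882 under the "do not open" remark. The 6789 entry also reuses the `unifi_http_port` label already given to 8080, which reads as a copy-paste slip; the throughput-measurement port deserves its own label. Minor: "Ubiquity" and "aircontroll" in the comments are misspellings of Ubiquiti and AirControl.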
@@ -697,21 +697,52 @@ remote_console_port=5900 # - Ubiquiti Unifi # ====== -# - Notice: -# - The Accesspoint IP is not needed (i think so), because the -# - AP uses port 8080 for cummunication with the controller, and -# - this port will be configured with the rules concerning the -# - controllers. +# - By default, the UniFi controller will operate on the following ports: # - -# - again: setting unifi_ap_local_ips is not needed -#unifi_ap_local_ips="2001:6f8:107e:64::50" +# - unifi_http_port=8080 (port for UAP to inform controller) +# - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser) +# - unifi_portal_http_port=8880 (port for HTTP portal redirect) +# - unifi_portal_https_port=8843 (port for HTTPS portal redirect) +# - unifi_http_port=6789 (port used for throughput measurement) +# - unifi_db_port=27117 (local-bound port for DB server) +# - +# - +# - In version 4.5.2 and later, users can also define the port assigned to STUN services, +# - for scenarios where two or more separate UniFi instances are desired on the +# - same controller machine. +# - +# - unifi_stun_port=3478 # UDP port used for STUN +# - +# - +# - Ubiquity Networks uses port 10001/UDP for its AirControl +# - management discovery protocol +# - +# - unifi_aircontroll_port=10001 +# - +# - +# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. +# - There is no need to open firewall for these ports on controller. However, on +# - controller, avoid to use these ports: +# - +# - port 8881 for redirector port for wireless clients +# - port 8882 for redirector port for wired clients +# - +# - +# - For AP-EDU Broadcasts: +# - +# - UDP ports 5656-5699 +# - +unify_tcp_ports="8080,8443,8880,8843,6789,27117" +unify_udp_ports="3478" +unify_broadcast_udp_ports="10001,5656:5699" -unifi_controller_gateway_ips="" +# - Unifi Controller at gateway? 
+# - +local_unifi_controller_service=false + +# - UniFi Controllers on local network (other than this machine) +# - unify_controller_local_net_ips="" -unify_controller_ports="8080,8443" - -provide_hotspot=true -hotspot_ports="8880,8843" # ====== diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index b7844e1..5886d98 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -798,7 +798,8 @@ fi echononl "\tAllow these local networks any access to the internet" if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ - && $kernel_forward_between_interfaces ; then + && $kernel_forward_between_interfaces \ + && ! $permit_local_net_to_inet ; then for _net in ${any_access_to_inet_network_arr[@]}; do for _dev in ${ext_if_arr[@]} ; do @@ -817,12 +818,9 @@ fi # --- echononl "\tAllow local services from given local networks" - -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ - && $kernel_forward_between_interfaces ; then + && $kernel_forward_between_interfaces \ + && ! $permit_local_net_to_inet ; then for _val in "${allow_local_net_to_local_service_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" @@ -853,11 +851,9 @@ fi echononl "\tAllow all traffic from local network to local ip-address" -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \ - && $kernel_forward_between_interfaces ; then + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then for _val in ${allow_local_net_to_local_ip_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" 
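Review bot: In this IPv6 sample `unify_tcp_ports` also carries 27117, which the same comment block documents as the local-bound DB server port, while the ip6t script in this commit opens every port in `unify_tcp_ports` on INPUT when `local_unifi_controller_service` is set; `unify_tcp_ports="8080,8443,8880,8843,6789"` keeps the database off the firewall. The 6789 line reuses the `unifi_http_port` label from the 8080 line and should get a label of its own. "Ubiquity" and "aircontroll" are misspellings in the new comments.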
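Review bot: The gate `&& ! $permit_local_net_to_inet` added to the "Allow local services from given local networks" block looks like the wrong flag: these rules cover traffic from local networks to local services, and the blocks that follow (local network to local ip-address, and onward) are gated on `! $permit_between_local_networks` instead. With `permit_local_net_to_inet=true` and `permit_between_local_networks=false` the allow_local_net_to_local_service rules are no longer installed even though nothing else permits that traffic. Unless the global internet permit is intended to cover these services, the line should read `&& ! $permit_between_local_networks ; then`. The if-block continues past the end of the hunk.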
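Review bot: Skipping the allow_local_net_to_local_ip rules when `permit_between_local_networks` is set assumes that the global permit is added to the same chain and ahead of the "Separate local networks" / "Separate local interfaces" DROP rules, which this commit leaves unconditional; if the global ACCEPT is appended after those DROPs, a network that used to be explicitly allowed here is now separated instead. I cannot see the global rule from this hunk, so at minimum the condition deserves a comment stating the assumption, e.g. `# - skipped when permit_between_local_networks is set: the global FORWARD accept already covers this`, and the rule order should be verified. The same gate is applied to the three blocks after this one, so whatever is decided applies there too.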
@@ -885,11 +881,9 @@ fi echononl "\tAllow all traffic from local ip-address to local network" -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \ - && $kernel_forward_between_interfaces ; then + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then for _val in ${allow_local_ip_to_local_net_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" @@ -917,11 +911,9 @@ fi echononl "\tAllow all traffic from local network to (another) local network" -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \ - && $kernel_forward_between_interfaces ; then + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then for _val in ${allow_local_net_to_local_net_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" @@ -949,11 +941,9 @@ fi echononl "\tAllow local ip address from given local interface" -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \ - && $kernel_forward_between_interfaces ; then + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then for _val in ${allow_local_if_to_local_ip_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" @@ -980,10 +970,6 @@ fi # --- echononl "\tSeparate local networks.." - -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _net in ${separate_local_network_arr[@]}; do for _dev in ${local_if_arr[@]} ; do 
@@ -1002,10 +988,6 @@ fi # --- echononl "\tSeparate local interfaces.." - -# - !! Note: -# - does NOT depend on settings 'permit_between_local_networks' !! -# - if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _dev_1 in ${separate_local_if_arr[@]}; do for _dev_2 in ${local_if_arr[@]} ; do 
@@ -2724,27 +2706,23 @@ fi # --- echononl "\t\tUbiquiti Unifi Accesspoints" -if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then - if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then +if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + if $local_unifi_controller_service ; then - for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do - for _dev in ${local_if_arr[@]} ; do - $ip6t -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT - if $provide_hotspot ; then - $ip6t -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT - fi - done + $ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + $ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT - done fi if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT - if $provide_hotspot ; then - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT - fi + $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT done # - Note: 
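Review bot: The rewritten INPUT rules for `local_unifi_controller_service` drop both the `-i $_dev` loop over `local_if_arr` and the `-d $_ip_ctl` match that the replaced code had, so once the flag is set every port in `unify_tcp_ports` (8443 GUI/API and 27117 DB among them) and the UDP lists is accepted as a NEW connection on every interface, external ones included. The rules should be bound to the local interfaces again, as below. A second risk: `if $local_unifi_controller_service` with the variable unset expands to an empty command, which bash treats as success, so a configuration written before this change would enable these rules unless a default is assigned elsewhere in the script; `if ${local_unifi_controller_service:-false} ; then` avoids that, and the outer `||` condition needs the same treatment.
```shell
if ${local_unifi_controller_service:-false} ; then
    for _dev in ${local_if_arr[@]} ; do
        $ip6t -A INPUT -i $_dev -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
        $ip6t -A INPUT -i $_dev -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
        $ip6t -A INPUT -i $_dev -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
    done
fi
# … unchanged: FORWARD rules for unify_controller_local_net_ip_arr …
```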
@@ -2752,12 +2730,8 @@ if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_ # - special rule. # - if $kernel_forward_between_interfaces && $local_alias_interfaces ; then - $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT - if $provide_hotspot ; then - $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT - fi + $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT fi done diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 429d815..3f9d782 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
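Review bot: The stateless `--tcp-flag ACK ACK` FORWARD rules for alias interfaces now take their port list from `unify_tcp_ports`, so they accept ACK-flagged packets to and from port 27117 on the controller with no `-i` and no conntrack match, where the replaced lines were limited to the controller and portal ports. Given that the sample config calls 27117 local-bound, the DB port should not be part of a forwarding rule at all — either keep a trimmed list for this rule (`--dports 8080,8443,8880,8843,6789`) or leave 27117 out of `unify_tcp_ports`. The `for _ip_ctl` loop these lines sit in starts before the hunk.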
@@ -3162,27 +3162,23 @@ fi # --- echononl "\t\tUbiquiti Unifi Accesspoints" -if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then - if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then +if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + if $local_unifi_controller_service ; then - for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do - for _dev in ${local_if_arr[@]} ; do - $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT - if $provide_hotspot ; then - $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT - fi - done + $ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + $ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT - done fi if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT - if $provide_hotspot ; then - $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT - fi + $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT done # - Note: 
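Review bot: With `-i $_dev` over `local_if_arr` and the `-d $_ip_ctl` match removed, the three INPUT rules under `if $local_unifi_controller_service` accept NEW connections to all of `unify_tcp_ports` and both UDP lists from any interface, so the controller GUI/API (8443) and the DB port (27117) become reachable from the external side as soon as the flag is set. Re-introducing the interface loop restores the previous scope, as below. Note also that an unset `local_unifi_controller_service` makes `if $local_unifi_controller_service` an empty command, which succeeds in bash; unless the script assigns a default elsewhere, an older configuration silently turns these rules on, and `${local_unifi_controller_service:-false}` in both conditions prevents that.
```shell
if ${local_unifi_controller_service:-false} ; then
    for _dev in ${local_if_arr[@]} ; do
        $ipt -A INPUT -i $_dev -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
        $ipt -A INPUT -i $_dev -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
        $ipt -A INPUT -i $_dev -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
    done
fi
# … unchanged: FORWARD rules for unify_controller_local_net_ip_arr …
```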
@@ -3190,12 +3186,8 @@ if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_ # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then - $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT - if $provide_hotspot ; then - $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT - fi + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT fi done
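Review bot: These two `--tcp-flag ACK ACK` FORWARD rules are stateless and interface-agnostic, and by switching to `unify_tcp_ports` they now also pass ACK-flagged packets to and from port 27117 on the controller, which the sample config describes as local-bound. Keep a reduced list here (`--dports 8080,8443,8880,8843,6789`) or remove the DB port from `unify_tcp_ports` so it never reaches a forwarding rule. The surrounding `for _ip_ctl` loop begins before this hunk.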