lime-proto-wan fails trying to allow link local traffic on WAN. Fix or erase? #1241

Description

@ilario

Restarting the firewall using /etc/init.d/firewall restart on a LibreMesh with the latest LibreMesh code on top of OpenWrt 24.10, I observed this message:

Section lime_allow_wan_all_link_local (lime_allow_wan_all_link_local) is restricted to IPv4 but referenced source IP is IPv6 only, skipping

That is caused by this section present in /etc/config/firewall:

config rule 'lime_allow_wan_all_link_local'
        option name 'lime_allow_wan_all_link_local'
        option src 'wan'
        option family 'ipv6'
        option src_ip 'fe80::/10'
        option dest_ip 'fe80::/10'
        option target 'ACCEPT'
        option family ipv4

The option family is specified twice, which is wrong.
Weirdly, in lime-proto-wan, only option family ipv6 is present:

--! Accepting link local traffic also on WAN should not cause hazards.
--! It is very helpful in cases where the devices have problems with the other
--! ports, to have at least an additional way to enter for rescue operations
local ALLOW_WAN_LL_SECT = "lime_allow_wan_all_link_local"
uci:set("firewall", ALLOW_WAN_LL_SECT, "rule")
uci:set("firewall", ALLOW_WAN_LL_SECT, "name", ALLOW_WAN_LL_SECT)
uci:set("firewall", ALLOW_WAN_LL_SECT, "src", "wan")
uci:set("firewall", ALLOW_WAN_LL_SECT, "family", "ipv6")
uci:set("firewall", ALLOW_WAN_LL_SECT, "src_ip", "fe80::/10")
uci:set("firewall", ALLOW_WAN_LL_SECT, "dest_ip", "fe80::/10")
uci:set("firewall", ALLOW_WAN_LL_SECT, "target", "ACCEPT")
uci:save("firewall")

Running lime-config again made that option family ipv4 line disappear, so now I am a bit confused; can anyone confirm this?

Anyway, before trying to fix, I would like to make sure that we still want to have this section. What this section means is that even if the firewall blocks all ports (e.g. blocks SSH connections on port 22 coming from the internet), it does not block any of them if IPv6 is used for the connection. Which means that the internet cannot access your port 22, but that your internet service provider can. Or whatever you have on the other side of the WAN cable, which can be a not-so-trusted network. I think that this is a bit risky AND nobody would expect this, also because it is not documented at all.

Negative aspect of having that section: lowers security without the user expecting it.
Positive aspect of having that section: an additional way to log in when some seriously bad configuration blocks you from using the LAN ports or the WiFi access point or the WiFi mesh.

This has been added by @altergui and approved by @p4u and @G10h4ck in #239. Do we still want this?
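As an added example (not part of the issue or of the LibreMesh code), the POSIX shell script below lints UCI firewall text for the three things the report touches on: an option repeated inside one section (the duplicated family), a family restriction that contradicts the address family of src_ip/dest_ip (the condition fw4 warns about and then skips the rule for), and WAN-facing ACCEPT rules with no proto or dest_port restriction (the class the lime_allow_wan_all_link_local rule belongs to). The sample config is constructed to mirror the section quoted above plus a normal port-restricted rule; the function name and the finding labels are the example's own.

```shell
#!/bin/sh
# Constructed sample: the section from the report plus a port-restricted WAN rule
# (the second one should produce no findings).
SAMPLE_FIREWALL_CONFIG=$(cat <<'EOF'
config rule 'lime_allow_wan_all_link_local'
    option name 'lime_allow_wan_all_link_local'
    option src 'wan'
    option family 'ipv6'
    option src_ip 'fe80::/10'
    option dest_ip 'fe80::/10'
    option target 'ACCEPT'
    option family ipv4

config rule 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'
EOF
)

# lint_firewall_rules: reads UCI firewall text on stdin and prints one
# "<section>: <FINDING>" line per problem. Finding names are this example's own:
#   DUPLICATE_OPTION      the same option appears twice in one section
#   FAMILY_MISMATCH       family ipv4 with an IPv6 address (or ipv6 with IPv4)
#   WAN_ACCEPT_ALL_PORTS  src wan + target ACCEPT with no proto/dest_port limit
lint_firewall_rules() {
    awk -v q="'" '
    function flush(   i) {
        if (sect == "") return
        for (i = 1; i <= nfam; i++) {
            if (fams[i] == "ipv4" && hasv6)
                print sect ": FAMILY_MISMATCH family=ipv4 with IPv6 address"
            if (fams[i] == "ipv6" && hasv4)
                print sect ": FAMILY_MISMATCH family=ipv6 with IPv4 address"
        }
        if (src == "wan" && target == "ACCEPT" && !restricted)
            print sect ": WAN_ACCEPT_ALL_PORTS"
    }
    /^config / {
        flush()
        sect = $3; gsub(q, "", sect)
        if (sect == "") sect = "anonymous@" NR   # unnamed section: label by line
        split("", seen); split("", fams); nfam = 0
        hasv4 = 0; hasv6 = 0; restricted = 0; src = ""; target = ""
        next
    }
    /^[ \t]*option / {
        key = $2; val = $3; gsub(q, "", val)
        if (key in seen) print sect ": DUPLICATE_OPTION " key
        seen[key] = 1
        if (key == "family") fams[++nfam] = val
        if (key == "src_ip" || key == "dest_ip") {
            if (val ~ /:/) hasv6 = 1; else hasv4 = 1   # IPv6 literals contain ":"
        }
        if (key == "src") src = val
        if (key == "target") target = val
        if (key == "proto" || key == "dest_port") restricted = 1
    }
    END { flush() }
    '
}

# Stand-alone run: on a router this would be  lint_firewall_rules < /etc/config/firewall
printf '%s\n' "$SAMPLE_FIREWALL_CONFIG" | lint_firewall_rules
```

On the constructed input the script reports the duplicated family option, the ipv4/IPv6 mismatch that produces the "restricted to IPv4 but referenced source IP is IPv6 only" warning, and flags the rule as a WAN accept with no port restriction; the DHCP renew rule is silent because it carries proto and dest_port. Values containing spaces are not handled, since the sample only needs single-word UCI values.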
