cleanup login script, change firewall example

git-svn-id: svn://svn.openwrt.org/openwrt/trunk/openwrt@881 3c298f89-4303-0410-b956-a3cf2f4a3e73

diff --git a/target/default/target_skeleton/bin/login b/target/default/target_skeleton/bin/login
index 238e971..bb065e5 100755 (executable)
--- a/target/default/target_skeleton/bin/login
+++ b/target/default/target_skeleton/bin/login
@@ -1,21 +1,20 @@
 #!/bin/sh
-[ "$FAILSAFE" = "true" ] && exec /bin/ash --login
-
-[ -f /etc/sysconf ] && . /etc/sysconf
-
-if [ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ]; then
-        if grep '^root:!' /etc/passwd > /dev/null 2>/dev/null; then
-                echo "You need to set a login password to protect your"
-                echo "Router from unauthorized access."
-                echo
-                echo "Use 'passwd' to set your password."
-                echo "telnet login will be disabled afterwards,"
-                echo "You can then login using SSH."
-                echo
-        else
-                echo "Login failed."
-                exit 0
-        fi
-fi
+. /etc/sysconf 2>&-
 
+[ "$FAILSAFE" != "true" ] &&
+[ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ] &&
+{
+  grep '^root:[^!]' /etc/passwd >&- 2>&- &&
+  {
+    echo "Login failed."
+    exit 0
+  } || {
+cat << EOF
+ === IMPORTANT ============================
+  Use 'passwd' to set your login password
+  this will disable telnet and enable SSH
+ ------------------------------------------
+EOF
+  }
+}
 exec /bin/ash --login

diff --git a/target/default/target_skeleton/etc/init.d/S45firewall b/target/default/target_skeleton/etc/init.d/S45firewall
index 7b55643..a506637 100755 (executable)
--- a/target/default/target_skeleton/etc/init.d/S45firewall
+++ b/target/default/target_skeleton/etc/init.d/S45firewall
@@ -1,7 +1,7 @@
 #!/bin/sh
 . /etc/functions.sh
-export WAN=$(nvram get wan_ifname)
-export LAN=$(nvram get lan_ifname)
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
 
 ## CLEAR TABLES
 for T in filter nat mangle; do
@@ -17,8 +17,8 @@ iptables -t nat -N prerouting_rule
 iptables -t nat -N postrouting_rule
 
 ### Port forwarding
-# iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2
-# iptables        -A forwarding_rule -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
 
 ### INPUT
 ###  (connections with the router as destination)
@@ -27,12 +27,12 @@ iptables -t nat -N postrouting_rule
   iptables -P INPUT DROP
   iptables -A INPUT -m state --state INVALID -j DROP
   iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+  iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j  DROP
 
   # allow
-  iptables -A INPUT -i \! $WAN -j ACCEPT       # allow from lan/wifi interfaces 
-  iptables -A INPUT -p icmp -j ACCEPT          # allow ICMP
-  iptables -A INPUT -p 47 -j ACCEPT            # allow GRE
-  iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j  DROP
+  iptables -A INPUT -i \! $WAN -j ACCEPT       # allow from lan/wifi interfaces 
+  iptables -A INPUT -p icmp    -j ACCEPT       # allow ICMP
+  iptables -A INPUT -p gre     -j ACCEPT       # allow GRE
   #
   # insert accept rule or to jump to new accept-check table here
   #