From c5eccfae1f48f183af80847fcabcc35e3563469d Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sat, 27 Apr 2024 17:03:04 -0400 Subject: [PATCH] handle ssh redirects programatically --- wrt-setup | 2 +- wrt-setup-local | 64 ++----------------------------------------------- 2 files changed, 3 insertions(+), 63 deletions(-) diff --git a/wrt-setup b/wrt-setup index ec91ed7..bce6a4a 100755 --- a/wrt-setup +++ b/wrt-setup @@ -77,7 +77,7 @@ scp /a/work/libremanage/libremanage /a/bin/fai/wrt-init /a/bin/fai/wrt-setup-loc #/a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk \ scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \ - /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} /p/c/ptr-data /p/c/dnsmasq-data /b/bash-bear-trap/bash-bear $h: + /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} /p/c/ptr-data /p/c/{dnsmasq,cmc-firewall}-data /b/bash-bear-trap/bash-bear $h: scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@" diff --git a/wrt-setup-local b/wrt-setup-local index aabfca3..3d2edb8 100755 --- a/wrt-setup-local +++ b/wrt-setup-local @@ -666,6 +666,7 @@ config rule option target REJECT ## end no external dns for ziva +$(. /root/cmc-firewall-data) config rule option src wan @@ -684,18 +685,6 @@ config rule option target ACCEPT option dest_port 9091 -config redirect - option name sshkd - option src wan - option src_dport 2202 - option dest_port 22 - option dest_ip $l.2 - option dest lan -config rule - option src wan - option target ACCEPT - option dest_port 2202 - # was working on an openvpn server, didn't finish # config redirect # option name vpnkd 
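Review bot: In the second `scp` of the wrt-setup hunk, `/p/c/cmc-firewall-data` is now shipped alongside the host key and WireGuard keys, but nothing visible checks that it exists and is non-empty before the copy. wrt-setup-local later sources it at `/root/cmc-firewall-data`, so a failed or skipped copy would leave a stale file from an earlier run, or no file, deciding which WAN ports are forwarded. A guard before the scp such as `[[ -s /p/c/cmc-firewall-data ]] || { echo "cmc-firewall-data missing" >&2; exit 1; }` would make that failure explicit; whether the script already aborts on scp errors is not visible in this hunk. The destination `$h:` lines up with `/root/` only if `$h` logs in as root, which I assume but cannot confirm from here.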
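Review bot: The added `$(. /root/cmc-firewall-data)` line in the first wrt-setup-local hunk runs that file as shell code and pastes whatever it prints into the firewall config, so the WAN-facing redirects (presumably the ssh stanzas deleted in the later hunks) are no longer reviewable in this script. A missing or failing file would silently produce a config with none of them. Consider evaluating it before the config is written and stopping on failure, e.g. `fw_extra=$(. /root/cmc-firewall-data) || exit 1`, then expanding `$fw_extra` at this spot; add `[[ $fw_extra ]] || exit 1` if an empty result is never expected. A comment above the line such as `# cmc-firewall-data prints config redirect/rule stanzas for wan->lan forwards; it is sourced as root, so keep it root-owned and not group/world-writable` would record the contract. The enclosing config block starts and ends outside this hunk, so I am assuming it is an unquoted here-document.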
@@ -723,55 +712,6 @@ config rule option dest_port 8989 -config redirect - option name sshx2 - option src wan - option src_dport 2205 - option dest_port 22 - option dest_ip $l.5 - option dest lan -config rule - option src wan - option target ACCEPT - option dest_port 2205 - -config redirect - option name sshx3 - option src wan - option src_dport 2207 - option dest_port 22 - option dest_ip $l.7 - option dest lan -config rule - option src wan - option target ACCEPT - option dest_port 2207 - -config redirect - option name sshbb8 - option src wan - option src_dport 2209 - option dest_port 22 - option dest_ip $l.32 - option dest lan -config rule - option src wan - option target ACCEPT - option dest_port 2209 - - -config redirect - option name sshfrodo - option src wan - option src_dport 2234 - option dest_port 34 - option dest_ip $l.34 - option dest lan -config rule - option src wan - option target ACCEPT - option dest_port 2234 - config redirect option name icecast @@ -822,7 +762,7 @@ config rule option target ACCEPT option dest_port 4533 -# So a client can just have i.b8.nz dns even when they +# So a client can just have b8.nz dns even when they # are on the lan. #config redirect # option name navidromelan -- 2.30.2