Reduce impact of firewall rules

henrygab · henrygab · commit a441f0ececf4 · 2019-11-07T17:03:29.000-08:00
This modification reduces the IPTABLES rules to the minimum needed.
Specifically, it does NOT create default rules, or edit any existing rules.
Instead, it only adds rules to drop mDNS at 5353/udp, and to drop all
incoming traffic that's addressed to the mDNS multicast IP address.
diff --git a/.travis.yml b/.travis.yml
@@ -43,6 +43,10 @@ addons:
       confinement: classic
 
 install:
+  # Filter only mDNS / Bonjour traffic
+  - sudo iptables --insert INPUT  --jump DROP --protocol udp --dport 5353  -m comment --comment "silently drop all 5353/udp input"
+  - sudo iptables --insert INPUT  --jump DROP --destination 224.0.0.251    -m comment --comment "silently drop all mDNS ipv4 broadcast"
+  # Install the nRF52 support files for arduino
   - pip3 install --user adafruit-nrfutil
   - umake electronics arduino $HOME/arduino_ide
   - export PATH=$HOME/arduino_ide:$PATH
@@ -53,17 +57,6 @@ install:
   - rm -r $BSP_PATH/*
   - ln -s $TRAVIS_BUILD_DIR $BSP_PATH/$BSP_VERSION
   - arduino --install-library "Adafruit NeoPixel","Adafruit NeoMatrix","Adafruit GFX Library","Adafruit SSD1306","MIDI Library","Adafruit ILI9341","Adafruit HX8357 Library"
-  # TODO: find way to filter out the noisy mDNS output from arduino IDE...
-  # See https://forum.arduino.cc/index.php?topic=469428.0
-  # See https://github.com/per1234/arduino-ci-script/issues/1
-  # Arduino IDE adds a lot of noise caused by network traffic (mDNS?)
-  # The following lines attempt to firewall it to prevent polluted error logs....
-  - sudo iptables -P INPUT DROP
-  - sudo iptables -P FORWARD DROP
-  - sudo iptables -P OUTPUT ACCEPT
-  - sudo iptables -A INPUT -i lo -j ACCEPT
-  - sudo iptables -A OUTPUT -o lo -j ACCEPT
-  - sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
 before_script:
   
