Update

services/firewall/global.policy.json

@@ -0,0 +1,13 @@
+{
+    "description": "Restrict all internet access",
+    "zone": {
+        "WAN": { "iface": "eth0" },
+        "VPN": { "iface": "wg0" }
+    },
+    "policy": [
+        { "in": "VPN", "action": "accept" },
+        { "out": "VPN", "action": "accept" },
+        { "in": "WAN", "action": "drop" },
+        { "action": "reject" }
+    ]
+}

services/firewall/icmp.policy.json

@@ -0,0 +1,12 @@
+{
+    "description": "Allow ping-pong",
+    "filter": [
+        {
+            "in": "WAN",
+            "out": "_fw",
+            "service": "ping",
+            "action": "accept",
+            "flow-limit": { "count": 10, "interval": 6 }
+        }
+    ]
+}

services/firewall/install.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+echo "Setting up firewall..."
+
+apk add -u awall # important -u flag!
+apk add ip6tables iptables
+modprobe -v ip_tables
+modprobe -v ip6_tables
+#modprobe -v iptable_nat #if NAT is used
+
+# Register services
+rc-update add iptables
+rc-update add ip6tables
+rc-service iptables start
+rc-service ip6tables start
+
+# In the global policy, LAN rules are omitted, as we are behind a NAT router.
+# If not, add this to global.policy.json:
+#         "LAN": { "iface": "eth1" },
+# ...
+#   { "in": "LAN", "action": "accept" },
+#   { "out": "LAN", "action": "accept" },

services/firewall/outgoing.policy.json

@@ -0,0 +1,11 @@
+{
+    "description": "Allow outgoing connections for http/https, dns, ssh, ntp, ssh and ping",
+    "filter": [
+        {
+            "in": "_fw",
+            "out": "WAN",
+            "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
+            "action": "accept"
+        }
+    ]
+}