diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2011-05-02 12:54:31 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2011-05-02 12:54:31 +0000 |
commit | ad23dd94b6a2c913ec1fac64a34befc472b0c552 (patch) | |
tree | e6738c2df81e1715318e027f74659915284a2ad1 /package/firewall/files | |
parent | 8324bf036c736a49b0d27612ba08d9596556a7cf (diff) | |
download | upstream-ad23dd94b6a2c913ec1fac64a34befc472b0c552.tar.gz upstream-ad23dd94b6a2c913ec1fac64a34befc472b0c552.tar.bz2 upstream-ad23dd94b6a2c913ec1fac64a34befc472b0c552.zip |
firewall: provide examples of ssh port relocation on firewall and IPsec passthrough Two examples of potentially useful configurations (commented out, of course):
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a
LAN-based machine if desired, or if not, simply obscures the port from external attack.
(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 26805
Diffstat (limited to 'package/firewall/files')
-rw-r--r-- | package/firewall/files/firewall.config | 22 | ||||
-rw-r--r-- | package/firewall/files/lib/core_interface.sh | 50 |
2 files changed, 61 insertions, 11 deletions
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config index 7904cedb87..bee162549e 100644 --- a/package/firewall/files/firewall.config +++ b/package/firewall/files/firewall.config @@ -75,6 +75,28 @@ config include # option dest_port 80 # option proto tcp +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT ### FULL CONFIG SECTIONS #config rule diff --git a/package/firewall/files/lib/core_interface.sh b/package/firewall/files/lib/core_interface.sh index bc9eb96dde..5386292a48 100644 --- a/package/firewall/files/lib/core_interface.sh +++ b/package/firewall/files/lib/core_interface.sh @@ -1,27 +1,55 @@ -# Copyright (C) 2009-2010 OpenWrt.org +# Copyright (C) 2009-2011 OpenWrt.org fw__uci_state_add() { local var="$1" local item="$2" - local val=" $(uci_get_state firewall core $var) " - val="${val// $item / }" - val="${val# }" - val="${val% }" + local list="$(uci_get_state firewall core $var)" + list=" ${list:+$list }" + + for item in $item; do + case "$list" in + "* $item *") continue;; + *) list="$list$item ";; + esac + done + + list="${list% }" + list="${list# }" + uci_revert_state firewall core $var - uci_set_state firewall core $var "${val:+$val }$item" + uci_set_state firewall core $var "$list" } fw__uci_state_del() { local var="$1" local item="$2" - local val=" $(uci_get_state firewall core $var) " - val="${val// $item / }" - val="${val# }" - val="${val% }" + echo "del[$item]" + + local list val + for val in $(uci_get_state firewall core "$var" | sort -u); do + list="${list:+$list }$val" + done + + echo "list[$list]" + uci_revert_state firewall core $var - uci_set_state firewall core $var "$val" + + [ -n "$list" ] && { + list=" $list " + + for item in $item; do + list="${list// $item / }" + done + + list="${list# }" + list="${list% }" + + echo "list2[$list]" + + uci_set_state firewall core $var "$list" + } } fw_configure_interface() { |