aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall/files
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2011-05-02 12:54:31 +0000
committerJo-Philipp Wich <jow@openwrt.org>2011-05-02 12:54:31 +0000
commitad23dd94b6a2c913ec1fac64a34befc472b0c552 (patch)
treee6738c2df81e1715318e027f74659915284a2ad1 /package/firewall/files
parent8324bf036c736a49b0d27612ba08d9596556a7cf (diff)
downloadupstream-ad23dd94b6a2c913ec1fac64a34befc472b0c552.tar.gz
upstream-ad23dd94b6a2c913ec1fac64a34befc472b0c552.tar.bz2
upstream-ad23dd94b6a2c913ec1fac64a34befc472b0c552.zip
firewall: provide examples of ssh port relocation on firewall and IPsec passthrough Two examples of potentially useful configurations (commented out, of course):
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack. (b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> SVN-Revision: 26805
Diffstat (limited to 'package/firewall/files')
-rw-r--r--package/firewall/files/firewall.config22
-rw-r--r--package/firewall/files/lib/core_interface.sh50
2 files changed, 61 insertions, 11 deletions
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index 7904cedb87..bee162549e 100644
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -75,6 +75,28 @@ config include
# option dest_port 80
# option proto tcp
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+# option src wan
+# option dest lan
+# option protocol esp
+# option target ACCEPT
+
+#config rule
+# option src wan
+# option dest lan
+# option src_port 500
+# option dest_port 500
+# option proto udp
+# option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
diff --git a/package/firewall/files/lib/core_interface.sh b/package/firewall/files/lib/core_interface.sh
index bc9eb96dde..5386292a48 100644
--- a/package/firewall/files/lib/core_interface.sh
+++ b/package/firewall/files/lib/core_interface.sh
@@ -1,27 +1,55 @@
-# Copyright (C) 2009-2010 OpenWrt.org
+# Copyright (C) 2009-2011 OpenWrt.org
fw__uci_state_add() {
local var="$1"
local item="$2"
- local val=" $(uci_get_state firewall core $var) "
- val="${val// $item / }"
- val="${val# }"
- val="${val% }"
+ local list="$(uci_get_state firewall core $var)"
+ list=" ${list:+$list }"
+
+ for item in $item; do
+ case "$list" in
+ "* $item *") continue;;
+ *) list="$list$item ";;
+ esac
+ done
+
+ list="${list% }"
+ list="${list# }"
+
uci_revert_state firewall core $var
- uci_set_state firewall core $var "${val:+$val }$item"
+ uci_set_state firewall core $var "$list"
}
fw__uci_state_del() {
local var="$1"
local item="$2"
- local val=" $(uci_get_state firewall core $var) "
- val="${val// $item / }"
- val="${val# }"
- val="${val% }"
+ echo "del[$item]"
+
+ local list val
+ for val in $(uci_get_state firewall core "$var" | sort -u); do
+ list="${list:+$list }$val"
+ done
+
+ echo "list[$list]"
+
uci_revert_state firewall core $var
- uci_set_state firewall core $var "$val"
+
+ [ -n "$list" ] && {
+ list=" $list "
+
+ for item in $item; do
+ list="${list// $item / }"
+ done
+
+ list="${list# }"
+ list="${list% }"
+
+ echo "list2[$list]"
+
+ uci_set_state firewall core $var "$list"
+ }
}
fw_configure_interface() {