diff options
author | Yousong Zhou <yszhou4tech@gmail.com> | 2017-03-28 17:41:14 +0800 |
---|---|---|
committer | Yousong Zhou <yszhou4tech@gmail.com> | 2017-03-28 17:46:30 +0800 |
commit | 910a9430a0c0da2e60c1b84bbf640d310aba4bd7 (patch) | |
tree | 9fff6e8c7399ee27446d394ce0eaf9e7e488a693 /package/network/config/firewall | |
parent | 1b94737824bb046bd9796aa6ab01a56dacc49622 (diff) | |
download | upstream-910a9430a0c0da2e60c1b84bbf640d310aba4bd7.tar.gz upstream-910a9430a0c0da2e60c1b84bbf640d310aba4bd7.tar.bz2 upstream-910a9430a0c0da2e60c1b84bbf640d310aba4bd7.zip |
firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"
Fixes FS#640
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Diffstat (limited to 'package/network/config/firewall')
-rw-r--r-- | package/network/config/firewall/Makefile | 2 | ||||
-rw-r--r-- | package/network/config/firewall/files/firewall.config | 29 |
2 files changed, 16 insertions, 15 deletions
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile index 0d57340ab9..0c00501ebd 100644 --- a/package/network/config/firewall/Makefile +++ b/package/network/config/firewall/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=firewall -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config index 749dbecb97..8874e9882c 100644 --- a/package/network/config/firewall/files/firewall.config +++ b/package/network/config/firewall/files/firewall.config @@ -114,6 +114,21 @@ config rule option family ipv6 option target ACCEPT +config rule + option name Allow-IPSec-ESP + option src wan + option dest lan + option proto esp + option target ACCEPT + +config rule + option name Allow-ISAKMP + option src wan + option dest lan + option dest_port 500 + option proto udp + option target ACCEPT + # include a file with users custom iptables rules config include option path /etc/firewall.user @@ -157,20 +172,6 @@ config include # option dest_port 22 # option proto tcp -# allow IPsec/ESP and ISAKMP passthrough -config rule - option src wan - option dest lan - option proto esp - option target ACCEPT - -config rule - option src wan - option dest lan - option dest_port 500 - option proto udp - option target ACCEPT - ### FULL CONFIG SECTIONS #config rule # option src lan |