aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/config/firewall
diff options
context:
space:
mode:
authorYousong Zhou <yszhou4tech@gmail.com>2017-03-28 17:41:14 +0800
committerYousong Zhou <yszhou4tech@gmail.com>2017-03-28 17:46:30 +0800
commit910a9430a0c0da2e60c1b84bbf640d310aba4bd7 (patch)
tree9fff6e8c7399ee27446d394ce0eaf9e7e488a693 /package/network/config/firewall
parent1b94737824bb046bd9796aa6ab01a56dacc49622 (diff)
downloadupstream-910a9430a0c0da2e60c1b84bbf640d310aba4bd7.tar.gz
upstream-910a9430a0c0da2e60c1b84bbf640d310aba4bd7.tar.bz2
upstream-910a9430a0c0da2e60c1b84bbf640d310aba4bd7.zip
firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are recommended practices by REC-22 and REC-24 of RFC6092: "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" Fixes FS#640 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Diffstat (limited to 'package/network/config/firewall')
-rw-r--r--package/network/config/firewall/Makefile2
-rw-r--r--package/network/config/firewall/files/firewall.config29
2 files changed, 16 insertions, 15 deletions
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 0d57340ab9..0c00501ebd 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 749dbecb97..8874e9882c 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -114,6 +114,21 @@ config rule
option family ipv6
option target ACCEPT
+config rule
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
+
+config rule
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
@@ -157,20 +172,6 @@ config include
# option dest_port 22
# option proto tcp
-# allow IPsec/ESP and ISAKMP passthrough
-config rule
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
-
-config rule
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
-
### FULL CONFIG SECTIONS
#config rule
# option src lan