aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall/files/firewall.config
Commit message (Collapse)AuthorAgeFilesLines
* firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)Jo-Philipp Wich2011-08-141-0/+16
| | | | SVN-Revision: 27979
* firewall: refine default ICMPv6 rules to better conform with RFC4890, do not ↵Jo-Philipp Wich2011-06-301-13/+2
| | | | | | forward link local ICMP message types, allow parameter problem SVN-Revision: 27321
* firewall: - allow multiple ports, protocols, macs, icmp types per rule - ↵Jo-Philipp Wich2011-06-301-17/+44
| | | | | | implement "limit" and "limit_burst" options for rules - implement "extra" option to rules and redirects for passing arbritary flags to iptables - implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options - allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination - validate symbolic icmp-type names against the selected iptables binary - properly handle forwarded ICMPv6 traffic in the default configuration SVN-Revision: 27317
* firewall: explictely mention network in default configuration, makes it less ↵Jo-Philipp Wich2011-05-201-0/+2
| | | | | | confusing SVN-Revision: 26961
* firewall: provide examples of ssh port relocation on firewall and IPsec ↵Jo-Philipp Wich2011-05-021-0/+22
| | | | | | | | | | | | | passthrough Two examples of potentially useful configurations (commented out, of course): (a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack. (b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> SVN-Revision: 26805
* firewall: don't apply default udp/68 rule to ip6tablesJo-Philipp Wich2010-05-191-0/+1
| | | | SVN-Revision: 21509
* firewall: add commented disable_ipv6 option to default configJo-Philipp Wich2010-05-191-0/+2
| | | | SVN-Revision: 21505
* allow pingTravis Kemen2010-03-181-0/+7
| | | | SVN-Revision: 20261
* firewall: fix MSS issue affection RELATED new connections (closes: #5173)Nicolas Thill2009-09-271-1/+1
| | | | SVN-Revision: 17762
* firewall: allow incoming udp/68 packets in the default configuration (#4108, ↵Jo-Philipp Wich2009-08-131-0/+8
| | | | | | #4781) SVN-Revision: 17238
* firewall: enable /etc/firewall.user by default and install sample ↵Jo-Philipp Wich2009-04-121-4/+4
| | | | | | firewall.user file SVN-Revision: 15221
* re-enable the mss fix by default for now - see discussion at ↵Felix Fietkau2009-01-311-5/+1
| | | | | | http://lists.openwrt.org/pipermail/openwrt-devel/2009-January/003724.html for more information SVN-Revision: 14293
* disable the MSS fixup hack by default (most ISPs don't require this as a ↵Felix Fietkau2008-12-311-0/+5
| | | | | | workaround for MTU problems, only some do). this should give a nice speedup for routing on standard-compliant ISPs SVN-Revision: 13788
* set default input policy to ACCEPT to bring the firewall behavior closer to ↵Felix Fietkau2008-09-281-1/+1
| | | | | | the one of previous versions SVN-Revision: 12766
* firewall changes: - implement a REJECT policy and enable it by default, ↵Nicolas Thill2008-09-241-5/+5
| | | | | | reject packets with approriate response (closes: #3970) - cleanup syn_flood and remove logging SVN-Revision: 12688
* use proto instead of protocol in uci firewallJohn Crispin2008-08-261-1/+1
| | | | SVN-Revision: 12391
* uci firewall - make uci firewall default and remove old code - fix up ↵John Crispin2008-08-111-0/+80
dependencies SVN-Revision: 12284