path: root/package/network/config/firewall/files/firewall.config
Commit log (newest first). Each entry gives the commit message, author, date, files changed and lines changed (-removed/+added).
* firewall: add rule for traceroute support
  Author: Philip Prindeville, Date: 2020-05-21, Files: 1, Lines: -0/+13

  Running your firewall's "wan" zone in REJECT zone (1) exposes the presence of the router, (2) depending on the sophistication of fingerprinting tools might identify the OS and release running on the firewall, which then identifies known vulnerabilities with it, and (3) perhaps most importantly of all, your firewall can be used in a DDoS reflection attack with spoofed traffic generating ICMP Unreachables or TCP RSTs to overwhelm a victim or saturate his link.

  This rule, when enabled, allows traceroute to work even when the default input policy of the firewall for the wan zone has been set to DROP.

  Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* firewall: document rules for IPSec ESP/ISAKMP with 'name' option
  Author: Yousong Zhou, Date: 2017-03-28, Files: 1, Lines: -14/+15

  These are recommended practices by REC-22 and REC-24 of RFC6092: "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"

  Fixes FS#640

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* firewall: allow DHCPv6 traffic to/from fc00::/6 instead of fe80::/10
  Author: Jo-Philipp Wich, Date: 2015-09-25, Files: 1, Lines: -2/+2

  There is no RFC requirement that DHCPv6 servers must reply with a link local address, and some ISP servers in the wild appear to be using addresses in the ULA range to send DHCPv6 offers.

  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

  SVN-Revision: 47048
* firewall: Remove src_port from firewall.config to receive dhcpv6 replies
  Author: Steven Barth, Date: 2015-09-11, Files: 1, Lines: -1/+0

  Seems like my second try was again whitespace broken. Sorry for the noise.

  Remove src_port from firewall.config to receive dhcpv6 replies.

  Fixes #20295.

  Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de>

  SVN-Revision: 46842
* firewall: fix typo in ESP rule
  Author: Steven Barth, Date: 2015-07-27, Files: 1, Lines: -1/+1

  Signed-off-by: Steven Barth <steven@midlink.org>

  SVN-Revision: 46506
* firewall: comply with REC-22, REC-24 of RFC 6092
  Author: Steven Barth, Date: 2015-07-24, Files: 1, Lines: -12/+11

  Signed-off-by: Steven Barth <steven@midlink.org>

  SVN-Revision: 46478
* firewall: Allow IGMP and MLD input on WAN
  Author: Steven Barth, Date: 2015-05-05, Files: 1, Lines: -0/+19

  The WAN port should at least respond to IGMP and MLD queries, as otherwise a snooping bridge/switch might drop traffic. RFC4890 recommends leaving IGMP and MLD unfiltered as they are always link-scoped anyways.

  Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

  SVN-Revision: 45613
* firewall: allow routed lan<->lan traffic by default
  Author: Jo-Philipp Wich, Date: 2013-07-04, Files: 1, Lines: -1/+1

  SVN-Revision: 37171
* firewall3: rename to firewall, move into base system menu, update to git head with compatibility fixes for AA
  Author: Jo-Philipp Wich, Date: 2013-06-04, Files: 1, Lines: -0/+177

  SVN-Revision: 36838
* Drop legacy firewall package
  Author: Jo-Philipp Wich, Date: 2013-06-04, Files: 1, Lines: -176/+0

  SVN-Revision: 36837
* firewall: Remove obsoleted ULA-border rule
  Author: Steven Barth, Date: 2013-05-13, Files: 1, Lines: -19/+0

  SVN-Revision: 36622
* firewall: Add ULA site border for IPv6 traffic
  Author: Steven Barth, Date: 2013-01-04, Files: 1, Lines: -0/+19

  This prevents private traffic from leaking out to the internet

  SVN-Revision: 35012
* packages: sort network related packages into package/network/
  Author: Felix Fietkau, Date: 2012-10-10, Files: 1, Lines: -0/+176

  SVN-Revision: 33688