author | Yousong Zhou <yszhou4tech@gmail.com> | 2017-03-28 17:41:14 +0800 |
committer | Yousong Zhou <yszhou4tech@gmail.com> | 2017-03-28 17:43:58 +0800 |
commit | 8fb39f168249f15697ab930245ad08ea66a1b926 (patch) | |
tree | 9d6ce3cc12204b98cf967e083504af181b5213a6 /package/network/config/firewall | |
parent | 17f60b1cd260a24ef990d6622f9c5ed6951c0722 (diff) | |
firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are the practices recommended by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"
Fixes FS#640
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Diffstat (limited to 'package/network/config/firewall')
-rw-r--r-- | package/network/config/firewall/Makefile | 2 | ||||
-rw-r--r-- | package/network/config/firewall/files/firewall.config | 29 |
2 files changed, 16 insertions, 15 deletions
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 6fb82c49da..0f52ab98da 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 749dbecb97..8874e9882c 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -114,6 +114,21 @@ config rule
 option family ipv6
 option target ACCEPT
+config rule
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
+
+config rule
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+
 # include a file with users custom iptables rules
 config include
 option path /etc/firewall.user
@@ -157,20 +172,6 @@ config include
 # option dest_port 22
 # option proto tcp
-# allow IPsec/ESP and ISAKMP passthrough
-config rule
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
-
-config rule
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
-
 ### FULL CONFIG SECTIONS
 #config rule
 # option src lan |
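Review bot: The explanatory comment `# allow IPsec/ESP and ISAKMP passthrough` that the second firewall.config hunk (-157,20) removes is not carried over to the new rule stanzas in the first hunk (+114,21), so the shipped config no longer states why wan-to-lan ESP and UDP/500 are accepted by default. A comment above the new `config rule` for Allow-IPSec-ESP such as `# allow IPsec ESP and ISAKMP (IKE) passthrough, per RFC 6092 REC-22 and REC-24` would keep the rationale from the commit message next to the rules that implement it. Both new rules carry no `family` option, unlike the `family ipv6` rule directly above them, so they appear to apply to IPv4 as well as IPv6; if that is intended (the replaced rules behaved the same way) it is worth saying so in the same comment. IKE NAT traversal on UDP 4500 is not covered by either the old or the new rules, which is also worth noting there so that operators know what the defaults do and do not permit.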