[FS#640] Undocumented / unnamed firewall rules installed by default
LEDE Bugs
lede-bugs at lists.infradead.org
Wed Mar 22 02:21:49 PDT 2017
The following task has a new comment added:
FS#640 - Undocumented / unnamed firewall rules installed by default
User who did this - Yousong Zhou (yousong)
----------
Quoting hnyman in the forum post:
Well, the config file has a short header explaining that rule:
# allow IPsec/ESP and ISAKMP passthrough
And the commit history reveals the reasoning for that rule:
"firewall: comply with REC-22, REC-24 of RFC 6092"
https://git.lede-project.org/?p=source.git;a=commitdiff;h=f6abd042c29f5a69d56151f884fbf4f4e834e674;hp=1b6a6abf0439177cba1fdea3ae91a7354fe748413
https://tools.ietf.org/html/rfc60922
REC-22 In their DEFAULT operating mode, IPv6 gateways MUST NOT
prohibit the forwarding of packets, to and from legitimate
node addresses, with an upper-layer protocol of type
"Encapsulating Security Payload (ESP)" [RFC4303] in their
outer IP extension header chain.
REC-24 In their DEFAULT operating mode, IPv6 gateways MUST NOT
prohibit the forwarding of any UDP packets, to and from
legitimate node addresses, with a destination port of 500,
i.e., the port reserved by IANA for the Internet Key Exchange
(IKE) Protocol [RFC5996].
----------
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=640#comment2203
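The complaint in this task is that the ESP/ISAKMP passthrough rules ship without a `name` option, so they show up in the firewall status as anonymous rules. The following script is an added example (not part of the bug report, the forum post, or the LEDE firewall package): it parses a UCI-style firewall config and lists every `config rule` section that lacks a `name`, printing a one-line summary of what each anonymous rule permits. The sample config embedded in it is constructed for illustration and mirrors the two rules discussed above (ESP, and UDP to port 500 for IKE, per RFC 6092 REC-22 and REC-24); the rule name `Allow-IPSec-ESP` and the assumed fw3 defaults noted in the comments are assumptions, not taken from the page.

```python
"""Audit a UCI firewall config for rules that carry no 'name' option.

Added example; not code from the bug report or the LEDE project.
The config below is constructed: the first rule is named, the second
is deliberately left unnamed to show what the audit flags.
"""
import shlex

SAMPLE_CONFIG = """\
config rule
    option name     Allow-IPSec-ESP
    option src      wan
    option proto    esp
    option target   ACCEPT

# allow IPsec/ESP and ISAKMP passthrough
config rule
    option src      wan
    option proto    udp
    option dest_port 500
    option target   ACCEPT
"""


def parse_uci(text):
    """Parse UCI 'config' / 'option' / 'list' lines into a list of dicts.

    Each section dict carries '_type' and '_name' (None for anonymous
    sections) plus its options. Comments and blank lines are skipped;
    'list' entries are accumulated into Python lists. shlex handles the
    optional single/double quoting UCI allows around values.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = shlex.split(line)
        if tokens[0] == 'config':
            current = {'_type': tokens[1],
                       '_name': tokens[2] if len(tokens) > 2 else None}
            sections.append(current)
        elif tokens[0] == 'option' and current is not None:
            current[tokens[1]] = tokens[2] if len(tokens) > 2 else ''
        elif tokens[0] == 'list' and current is not None:
            value = tokens[2] if len(tokens) > 2 else ''
            current.setdefault(tokens[1], []).append(value)
    return sections


def describe_rule(rule):
    """Summarise a rule as '<target> <proto>[:<port>] from <src> to <dest>'.

    Assumptions (not from the page): a rule without 'dest' applies to
    traffic addressed to the router itself, shown here as 'device', and
    a rule without 'target' is treated as DROP.
    """
    proto = rule.get('proto', 'any')
    port = rule.get('dest_port')
    service = f"{proto}:{port}" if port else proto
    src = rule.get('src', '*')
    dest = rule.get('dest', 'device')
    target = rule.get('target', 'DROP')
    return f"{target} {service} from {src} to {dest}"


def unnamed_rules(text):
    """Return [(rule_index, description)] for every rule lacking 'name'."""
    rules = [s for s in parse_uci(text) if s['_type'] == 'rule']
    return [(i, describe_rule(r)) for i, r in enumerate(rules)
            if not r.get('name')]


if __name__ == '__main__':
    for index, summary in unnamed_rules(SAMPLE_CONFIG):
        print(f"rule #{index} has no name: {summary}")
```

Run against a real `/etc/config/firewall` by reading the file into `unnamed_rules()`; each flagged rule is one the firewall status output will show without a label, which is exactly the reviewability gap this task raises.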