[source] firewall: document rules for IPSec ESP/ISAKMP with 'name' option

LEDE Commits lede-commits at lists.infradead.org
Tue Mar 28 02:45:26 PDT 2017


yousong pushed a commit to source.git, branch master:
https://git.lede-project.org/8fb39f168249f15697ab930245ad08ea66a1b926

commit 8fb39f168249f15697ab930245ad08ea66a1b926
Author: Yousong Zhou <yszhou4tech at gmail.com>
AuthorDate: Tue Mar 28 17:41:14 2017 +0800

    firewall: document rules for IPSec ESP/ISAKMP with 'name' option
    
    These rules follow recommendations REC-22 and REC-24 of RFC 6092:
    "Recommended Simple Security Capabilities in Customer Premises Equipment
    (CPE) for Providing Residential IPv6 Internet Service"
    
    Fixes FS#640
    
    Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
---
 package/network/config/firewall/Makefile           |  2 +-
 .../network/config/firewall/files/firewall.config  | 29 +++++++++++-----------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 6fb82c4..0f52ab9 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 749dbec..8874e98 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -114,6 +114,21 @@ config rule
 	option family		ipv6
 	option target		ACCEPT
 
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
 # include a file with users custom iptables rules
 config include
 	option path /etc/firewall.user
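Review bot: Neither `Allow-IPSec-ESP` nor `Allow-ISAKMP` carries an `option family` line, so unlike the rule whose tail is visible at the top of the hunk (`option family ipv6`) they open ESP and UDP/500 forwarding from wan to lan for IPv4 as well, whereas RFC 6092 is an IPv6-only recommendation. Unless IPv4 passthrough is intended, add `option family ipv6` to both new rules so the default matches the cited RFC and the neighbouring rules; if IPv4 is intended, a one-line comment saying so would stop the next reader from "fixing" it. The same RFC section (REC-21, as far as I recall) also asks gateways not to block AH, so a parallel rule with `option proto ah` may be worth considering for completeness. Separately, my recollection is that the UDP/500 recommendation is REC-23 (REC-24 concerns ESP state-record indexing), so the REC numbers in the commit message may deserve a second look.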
@@ -157,20 +172,6 @@ config include
 #	option dest_port	22
 #	option proto		tcp
 
-# allow IPsec/ESP and ISAKMP passthrough
-config rule
-	option src		wan
-	option dest		lan
-	option proto		esp
-	option target		ACCEPT
-
-config rule
-	option src		wan
-	option dest		lan
-	option dest_port	500
-	option proto		udp
-	option target		ACCEPT
-
 ### FULL CONFIG SECTIONS
 #config rule
 #	option src		lan


