From 8fb39f168249f15697ab930245ad08ea66a1b926 Mon Sep 17 00:00:00 2001
From: Yousong Zhou
Date: Tue, 28 Mar 2017 17:41:14 +0800
Subject: [PATCH] firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are recommended practices by REC-22 and REC-24 of RFC6092: "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"
Fixes FS#640
Signed-off-by: Yousong Zhou
---
 package/network/config/firewall/Makefile | 2 +-
 .../config/firewall/files/firewall.config | 29 ++++++++++---------
 2 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 6fb82c49da..0f52ab98da 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 749dbecb97..8874e9882c 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -114,6 +114,21 @@ config rule
 option family ipv6
 option target ACCEPT
+config rule
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
+
+config rule
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+
 # include a file with users custom iptables rules
 config include
 option path /etc/firewall.user
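Review bot: The new Allow-IPSec-ESP and Allow-ISAKMP rules carry no explanatory comment, while the `# allow IPsec/ESP and ISAKMP passthrough` comment that introduced the old unnamed copies is deleted in the next hunk, so the config file no longer states why wan-to-lan ESP and UDP/500 are accepted in the default policy; a one-line comment above the first added `config rule`, e.g. `# allow IPsec/ESP and ISAKMP passthrough (see RFC 6092 REC-22/REC-24)`, would keep that rationale next to the rules. Neither rule sets `option family`, so unlike the `option family ipv6` rule immediately above them they match IPv4 as well as IPv6; if the IPv6-focused RFC 6092 rationale in the commit message is the intent, `option family ipv6` would scope them to it, and if both families are intended that is worth saying in the comment. Allow-ISAKMP matches only UDP/500, so IKE NAT traversal on UDP/4500 is not covered by these rules, which may be deliberate but is also worth a mention in the comment so a later reader does not assume it was overlooked.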
@@ -157,20 +172,6 @@ config include
 # option dest_port 22
 # option proto tcp
-# allow IPsec/ESP and ISAKMP passthrough
-config rule
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
-
-config rule
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
-
 ### FULL CONFIG SECTIONS
 #config rule
 # option src lan