firewall: document rules for IPSec ESP/ISAKMP with 'name' option
authorYousong Zhou <yszhou4tech@gmail.com>
Tue, 28 Mar 2017 09:41:14 +0000 (17:41 +0800)
committerYousong Zhou <yszhou4tech@gmail.com>
Tue, 28 Mar 2017 09:46:30 +0000 (17:46 +0800)
These are the practices recommended by REC-22 and REC-24 of RFC 6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"

Fixes FS#640

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
package/network/config/firewall/Makefile
package/network/config/firewall/files/firewall.config

index 0d57340..0c00501 100644 (file)
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
index 749dbec..8874e98 100644 (file)
@@ -114,6 +114,21 @@ config rule
        option family           ipv6
        option target           ACCEPT
 
+config rule
+       option name             Allow-IPSec-ESP
+       option src              wan
+       option dest             lan
+       option proto            esp
+       option target           ACCEPT
+
+config rule
+       option name             Allow-ISAKMP
+       option src              wan
+       option dest             lan
+       option dest_port        500
+       option proto            udp
+       option target           ACCEPT
+
 # include a file with users custom iptables rules
 config include
        option path /etc/firewall.user
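Review bot: The two new rules (Allow-IPSec-ESP and Allow-ISAKMP) carry no `option family`, unlike the rule whose tail is visible at the top of the hunk (`option family ipv6`), so they forward ESP and UDP/500 from any wan host to any lan host for both IPv4 and IPv6, while the RFC6092 REC-22/REC-24 rationale given in the commit message is specific to IPv6. If only the IPv6 case is intended, add `option family ipv6` to both rules; if both families are intended, that should be stated explicitly, since for IPv4 behind NAT such a forward rule presumably only takes effect once a matching DNAT exists — confirm against fw3's handling. The move also drops the explanatory comment that the later hunk removes (`# allow IPsec/ESP and ISAKMP passthrough`), so a reader of the default config no longer learns why these rules are enabled by default; a one-line comment above the first `config rule`, such as `# RFC6092 REC-22/REC-24: allow inbound IPsec ESP and IKE (ISAKMP, UDP/500) to the lan`, would restore that.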
@@ -157,20 +172,6 @@ config include
 #      option dest_port        22
 #      option proto            tcp
 
-# allow IPsec/ESP and ISAKMP passthrough
-config rule
-       option src              wan
-       option dest             lan
-       option proto            esp
-       option target           ACCEPT
-
-config rule
-       option src              wan
-       option dest             lan
-       option dest_port        500
-       option proto            udp
-       option target           ACCEPT
-
 ### FULL CONFIG SECTIONS
 #config rule
 #      option src              lan