firewall: provide examples of ssh port relocation on firewall and IPsec passthrough...

(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a
LAN-based machine if desired, or if not, simply obscures the port from external attack.

(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 26805

diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index 7904cedb879140804a8afa1f7f76258538a05516..bee162549e78e2c73abfeb4e9acdbed6bca2f822 100644 (file)
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -75,6 +75,28 @@ config include
 #      option dest_port        80 
 #      option proto            tcp
 
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#      option src              wan
+#      option src_dport        22001
+#      option dest             lan
+#      option dest_port        22
+#      option proto            tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#      option src              wan
+#      option dest             lan
+#      option protocol         esp
+#      option target           ACCEPT
+
+#config rule
+#      option src              wan
+#      option dest             lan
+#      option src_port         500
+#      option dest_port        500
+#      option proto            udp
+#      option target           ACCEPT
 
 ### FULL CONFIG SECTIONS
 #config rule

diff --git a/package/firewall/files/lib/core_interface.sh b/package/firewall/files/lib/core_interface.sh
index bc9eb96ddedc2faa349ccc40d72fa63203229a00..5386292a4827764db6eb387d305b9d520b61112e 100644 (file)
--- a/package/firewall/files/lib/core_interface.sh
+++ b/package/firewall/files/lib/core_interface.sh
@@ -1,27 +1,55 @@
-# Copyright (C) 2009-2010 OpenWrt.org
+# Copyright (C) 2009-2011 OpenWrt.org
 
 fw__uci_state_add() {
        local var="$1"
        local item="$2"
 
-       local val=" $(uci_get_state firewall core $var) "
-       val="${val// $item / }"
-       val="${val# }"
-       val="${val% }"
+       local list="$(uci_get_state firewall core $var)"
+             list=" ${list:+$list }"
+
+       for item in $item; do
+               case "$list" in
+                       "* $item *") continue;;
+                       *) list="$list$item ";;
+               esac
+       done
+
+       list="${list% }"
+       list="${list# }"
+
        uci_revert_state firewall core $var
-       uci_set_state firewall core $var "${val:+$val }$item"
+       uci_set_state firewall core $var "$list"
 }
 
 fw__uci_state_del() {
        local var="$1"
        local item="$2"
 
-       local val=" $(uci_get_state firewall core $var) "
-       val="${val// $item / }"
-       val="${val# }"
-       val="${val% }"
+       echo "del[$item]"
+
+       local list val
+       for val in $(uci_get_state firewall core "$var" | sort -u); do
+               list="${list:+$list }$val"
+       done
+
+       echo "list[$list]"
+
        uci_revert_state firewall core $var
-       uci_set_state firewall core $var "$val"
+
+       [ -n "$list" ] && {
+               list=" $list "
+
+               for item in $item; do
+                       list="${list// $item / }"
+               done
+
+               list="${list# }"
+               list="${list% }"
+
+               echo "list2[$list]"
+
+               uci_set_state firewall core $var "$list"
+       }
 }
 
 fw_configure_interface() {