Steven Barth
eb866e413f
firewall: Remove src_port from firewall.config to receive dhcpv6 replies
Seems like my second try was again whitespace broken. Sorry for the noise.
Remove src_port from firewall.config to receive dhcpv6 replies. Fixes #20295.
Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de>
SVN-Revision: 46842
9 years ago
Steven Barth
6831883100
firewall: fix typo in ESP rule
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46506
9 years ago
Steven Barth
f6abd042c2
firewall: comply with REC-22, REC-24 of RFC 6092
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46478
9 years ago
Steven Barth
d534883a52
firewall: Allow IGMP and MLD input on WAN
The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.
RFC4890 recommends to leave IGMP and MLD unfiltered as they are always
link-scoped anyways.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
SVN-Revision: 45613
10 years ago
Jo-Philipp Wich
4aa82d07a6
firewall: allow routed lan<->lan traffic by default
SVN-Revision: 37171
11 years ago
Jo-Philipp Wich
b721c92221
firewall3: rename to firewall, move into base system menu, update to git head with compatibility fixes for AA
SVN-Revision: 36838
12 years ago
Jo-Philipp Wich
3bb397c997
firewall3: use list notation for default zone network config to avoid "uci add_list" coercing the value wrongly
SVN-Revision: 36806
12 years ago
Steven Barth
32c6ffb5a1
firewall3: Remove abandoned include
SVN-Revision: 36692
12 years ago
Steven Barth
07d99b62b7
firewall3: add wan6 interface to wan-zone by default
SVN-Revision: 36623
12 years ago
Steven Barth
2c78c1457b
firewall3: Make IPv6 ULA-Border generation dynamic
This fixes working behind another router which gives out ULAs.
SVN-Revision: 36416
12 years ago
Jo-Philipp Wich
d75c632de6
firewall3: add default config and firewall.user
SVN-Revision: 35889
12 years ago
Steven Barth
b077480a59
firewall: Add ULA site border for IPv6 traffic
This prevents private traffic from leaking out to the internet
SVN-Revision: 35012
12 years ago
Felix Fietkau
405e21d167
packages: sort network related packages into package/network/
SVN-Revision: 33688
12 years ago
Jo-Philipp Wich
15189a628a
firewall: allow incoming ICMPv6 router-advertisement and neighbor-advertisement, thanks swalker
SVN-Revision: 32127
13 years ago
Mirko Vogt
075618c6e3
minor change: adjust formatting of firewall.config
- remove trailing whitespaces (s/\ $//g)
- replace spaces with tabs between options and values
SVN-Revision: 31427
13 years ago
Jo-Philipp Wich
9aaca7f1b1
firewall: allow ICMPv6 type 129 (echo reply) - this fixes basic ICMPv6 in case no connection tracking is used
SVN-Revision: 30727
13 years ago
Jo-Philipp Wich
77dda8d67a
firewall:
- introduce per-section "option enabled" which defaults to "1"
- useful to disable rules or zones without having to delete them
- annotate default traffic rules with names
- bump version
SVN-Revision: 29577
13 years ago
Jo-Philipp Wich
10f199d832
firewall: add DHCPv6 default rule (#10381)
SVN-Revision: 28874
13 years ago
Jo-Philipp Wich
f1e7045d30
firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)
SVN-Revision: 27979
13 years ago
Jo-Philipp Wich
07abf4a81e
firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem
SVN-Revision: 27321
14 years ago
Jo-Philipp Wich
68a1c8e1e3
firewall:
- allow multiple ports, protocols, macs, icmp types per rule
- implement "limit" and "limit_burst" options for rules
- implement "extra" option to rules and redirects for passing arbitrary flags to iptables
- implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options
- allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination
- validate symbolic icmp-type names against the selected iptables binary
- properly handle forwarded ICMPv6 traffic in the default configuration
SVN-Revision: 27317
14 years ago
Jo-Philipp Wich
f2b7c81d46
firewall: explicitly mention network in default configuration, makes it less confusing
SVN-Revision: 26961
14 years ago
Jo-Philipp Wich
ad23dd94b6
firewall: provide examples of ssh port relocation on firewall and IPsec passthrough
Two examples of potentially useful configurations (commented out, of course):
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack.
(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 26805
14 years ago
Jo-Philipp Wich
cc84e0672b
firewall: don't apply default udp/68 rule to ip6tables
SVN-Revision: 21509
15 years ago
Jo-Philipp Wich
3875f85110
firewall: add commented disable_ipv6 option to default config
SVN-Revision: 21505
15 years ago
Travis Kemen
431808b5bf
allow ping
SVN-Revision: 20261
15 years ago
Nicolas Thill
b3d3e5d752
firewall: fix MSS issue affecting RELATED new connections (closes: #5173)
SVN-Revision: 17762
15 years ago
Jo-Philipp Wich
b44b066543
firewall: allow incoming udp/68 packets in the default configuration (#4108, #4781)
SVN-Revision: 17238
15 years ago
Jo-Philipp Wich
97100e0248
firewall: enable /etc/firewall.user by default and install sample firewall.user file
SVN-Revision: 15221
16 years ago
Felix Fietkau
50be634a3c
re-enable the mss fix by default for now - see discussion at http://lists.openwrt.org/pipermail/openwrt-devel/2009-January/003724.html for more information
SVN-Revision: 14293
16 years ago
Felix Fietkau
359ce7f97e
disable the MSS fixup hack by default (most ISPs don't require this as a workaround for MTU problems, only some do). this should give a nice speedup for routing on standard-compliant ISPs
SVN-Revision: 13788
16 years ago
Felix Fietkau
aaf31c36f1
set default input policy to ACCEPT to bring the firewall behavior closer to the one of previous versions
SVN-Revision: 12766
16 years ago
Nicolas Thill
d7810ed63e
firewall changes:
- implement a REJECT policy and enable it by default, reject packets with appropriate response (closes: #3970)
- cleanup syn_flood and remove logging
SVN-Revision: 12688
16 years ago
John Crispin
aa6c019c11
use proto instead of protocol in uci firewall
SVN-Revision: 12391
16 years ago
John Crispin
5627667654
uci firewall
- make uci firewall default and remove old code
- fix up dependencies
SVN-Revision: 12284
16 years ago
John Crispin
21bbdc24c3
adds a new uci firewall
- iptables and netfilter packages need to be rewrapped when we switch to this firewall as default
- there are some examples in the file /etc/config/firewall
- iptables-save/restore are still missing
- hotplug takes care of adding/removing netdevs during runtime
- missing features? wishes? let me know ...
SVN-Revision: 12089
16 years ago