firewall: document rules for IPSec ESP/ISAKMP with 'name' option

These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"

Fixes FS#640

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
This commit is contained in:
Yousong Zhou 2017-03-28 17:41:14 +08:00
parent 17f60b1cd2
commit 8fb39f1682
2 changed files with 16 additions and 15 deletions

View file

@ -9,7 +9,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git

View file

@ -114,6 +114,21 @@ config rule
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
@ -157,20 +172,6 @@ config include
# option dest_port 22
# option proto tcp
# allow IPsec/ESP and ISAKMP passthrough
config rule
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
# option src lan