Jo-Philipp Wich
ad23dd94b6
firewall: provide examples of ssh port relocation on firewall and IPsec passthrough Two examples of potentially useful configurations (commented out, of course):
...
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a
LAN-based machine if desired, or if not, simply obscures the port from external attack.
(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 26805
2011-05-02 12:54:31 +00:00
Jo-Philipp Wich
2a386cee99
firewall: prevent excessive uci state data aggregation ( #9152 )
...
SVN-Revision: 26740
2011-04-20 11:49:09 +00:00
Jo-Philipp Wich
af82471525
firewall: prevent duplicate values in interface state vars
...
SVN-Revision: 26382
2011-03-30 20:29:17 +00:00
Jo-Philipp Wich
1ca64678bb
firewall: fix rule generation for v4 or v6 only zones ( #8955 )
...
SVN-Revision: 25813
2011-03-01 18:04:14 +00:00
Jo-Philipp Wich
b07620df31
firewall: protect iptables invocations with locks in interface ops, it might run concurrently due to hotplug invocations on network restart
...
SVN-Revision: 23090
2010-09-19 15:01:47 +00:00
Jo-Philipp Wich
1fe50da4bb
firewall: deliver remove hotplug events for all active zones/networks when restarting the firewall
...
SVN-Revision: 23062
2010-09-14 23:11:12 +00:00
Jo-Philipp Wich
f3dd8278bb
firewall: - simplify masquerade rule setup - remove various subshell invocations - speedup fw() by not relying on xargs and pipes - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source
...
SVN-Revision: 23024
2010-09-11 20:04:34 +00:00
Jo-Philipp Wich
ca5bf9e291
firewall: - handle NAT reflection in firewall hotplug, solves synchronizing issues on boot - introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation
...
SVN-Revision: 22888
2010-09-04 15:49:13 +00:00
Jo-Philipp Wich
ee4dd61b10
firewall: - fix processing of rules with an ip family option - append interface rules at the end of internal zone chains, simplifies injecting user or addon rules - support simple file logging (option log + option log_limit per zone)
...
SVN-Revision: 22847
2010-08-31 01:54:08 +00:00
Jo-Philipp Wich
48c357ec01
firewall: - support alias ifnames different from parent ifname - properly handle multiple subnets per alias (v4+v6)
...
SVN-Revision: 21656
2010-06-02 00:59:35 +00:00
Jo-Philipp Wich
07b571a239
firewall: Initial alias interface support. This allows to define zones covering alias interfaces and associated entries like rules and forwardings.
...
SVN-Revision: 21653
2010-06-01 21:58:48 +00:00
Jo-Philipp Wich
40ad9defcc
firewall: - fix ip6tables rules when icmp_type option is set - add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables
...
SVN-Revision: 21508
2010-05-19 21:35:23 +00:00
Jo-Philipp Wich
c6fdffd932
firewall ( #7355 ) - partially revert r21486, start firewall on init again - skip iface hotplug events if base fw is not up yet - get ifname and up state with uci_get_state() in iface setup since the values gathered by scan_interfaces() may be outdated when iface coldplugging happens (observed with pptp) - ignore up state when bringing down interfaces because ifdown reverts state vars before dispatching the iface event - bump package revision
...
SVN-Revision: 21502
2010-05-19 00:50:14 +00:00
Jo-Philipp Wich
c284cb51c0
firewall: - replace uci firewall with a modular dual stack implementation developed by Malte S. Stretz - bump version to 2
...
SVN-Revision: 21286
2010-05-01 18:22:01 +00:00