firewall: provide examples of ssh port relocation on firewall and IPsec passthrough Two examples of potentially useful configurations (commented out, of course):
(a) Map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. This allows port 22 on the WAN side to be port-forwarded to a LAN-based machine if desired, or, if not, simply obscures the port from external attack. (b) Allow IPsec/ESP and ISAKMP (UDP-based key exchange) to pass by default. Useful for most modern VPN clients you might have on your WAN. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> SVN-Revision: 26805
		@@ -75,6 +75,28 @@ config include
 | 
				
			|||||||
#	option dest_port	80 
 | 
					#	option dest_port	80 
 | 
				
			||||||
#	option proto		tcp
 | 
					#	option proto		tcp
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# port redirect of remapped ssh port (22001) on wan
 | 
				
			||||||
 | 
					#config redirect
 | 
				
			||||||
 | 
					#	option src		wan
 | 
				
			||||||
 | 
					#	option src_dport	22001
 | 
				
			||||||
 | 
					#	option dest		lan
 | 
				
			||||||
 | 
					#	option dest_port	22
 | 
				
			||||||
 | 
					#	option proto		tcp
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# allow IPsec/ESP and ISAKMP passthrough
 | 
				
			||||||
 | 
					#config rule
 | 
				
			||||||
 | 
					#	option src		wan
 | 
				
			||||||
 | 
					#	option dest		lan
 | 
				
			||||||
 | 
					#	option protocol		esp
 | 
				
			||||||
 | 
					#	option target		ACCEPT
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					#config rule
 | 
				
			||||||
 | 
					#	option src		wan
 | 
				
			||||||
 | 
					#	option dest		lan
 | 
				
			||||||
 | 
					#	option src_port		500
 | 
				
			||||||
 | 
					#	option dest_port	500
 | 
				
			||||||
 | 
					#	option proto		udp
 | 
				
			||||||
 | 
					#	option target		ACCEPT
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### FULL CONFIG SECTIONS
 | 
					### FULL CONFIG SECTIONS
 | 
				
			||||||
#config rule
 | 
					#config rule
 | 
				
			||||||
 
 | 
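Review bot: The ISAKMP example (`option src_port 500` together with `option dest_port 500`) only accepts IKE from peers whose source port is exactly 500, which breaks for clients behind a NAT that rewrites the source port, and the examples cover no NAT-T at all (UDP 4500), which is what IKE peers typically switch to once they detect NAT; plain ESP, having no ports, does not survive port-rewriting NAT either. I would drop the `src_port` line and add a matching commented rule for UDP 4500 (below). Both `config rule` entries are also forward rules as I read the zone semantics (`src wan`, `dest lan`), so they only matter for traffic already DNATed to a LAN host — ESP or IKE addressed to the router's own WAN address goes through the input chain instead — and the comment should say which case "passthrough" means here. For the ssh redirect, the commit message says it targets sshd on the firewall itself, yet the example sets `option dest lan` with no `dest_ip`; what that resolves to depends on the redirect implementation (presumably REDIRECT to the router when `dest_ip` is absent — confirm), so the comment should state it, e.g. `# no dest_ip: lands on sshd of the router itself; add dest_ip to forward to a LAN host instead`.
```uci
# allow IPsec/ESP and ISAKMP passthrough
# … unchanged: ESP rule …

#config rule
#	option src		wan
#	option dest		lan
#	option dest_port	500
#	option proto		udp
#	option target		ACCEPT

# IKE NAT-Traversal (RFC 3948) — needed when either peer is behind NAT
#config rule
#	option src		wan
#	option dest		lan
#	option dest_port	4500
#	option proto		udp
#	option target		ACCEPT
```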
				
			|||||||
@@ -1,27 +1,55 @@
 | 
				
			|||||||
# Copyright (C) 2009-2010 OpenWrt.org
 | 
					# Copyright (C) 2009-2011 OpenWrt.org
 | 
				
			||||||
 | 
					
 | 
				
			||||||
fw__uci_state_add() {
 | 
					fw__uci_state_add() {
 | 
				
			||||||
	local var="$1"
 | 
						local var="$1"
 | 
				
			||||||
	local item="$2"
 | 
						local item="$2"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	local val=" $(uci_get_state firewall core $var) "
 | 
						local list="$(uci_get_state firewall core $var)"
 | 
				
			||||||
	val="${val// $item / }"
 | 
						      list=" ${list:+$list }"
 | 
				
			||||||
	val="${val# }"
 | 
					
 | 
				
			||||||
	val="${val% }"
 | 
						for item in $item; do
 | 
				
			||||||
 | 
							case "$list" in
 | 
				
			||||||
 | 
								"* $item *") continue;;
 | 
				
			||||||
 | 
								*) list="$list$item ";;
 | 
				
			||||||
 | 
							esac
 | 
				
			||||||
 | 
						done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						list="${list% }"
 | 
				
			||||||
 | 
						list="${list# }"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	uci_revert_state firewall core $var
 | 
						uci_revert_state firewall core $var
 | 
				
			||||||
	uci_set_state firewall core $var "${val:+$val }$item"
 | 
						uci_set_state firewall core $var "$list"
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
fw__uci_state_del() {
 | 
					fw__uci_state_del() {
 | 
				
			||||||
	local var="$1"
 | 
						local var="$1"
 | 
				
			||||||
	local item="$2"
 | 
						local item="$2"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	local val=" $(uci_get_state firewall core $var) "
 | 
						echo "del[$item]"
 | 
				
			||||||
	val="${val// $item / }"
 | 
					
 | 
				
			||||||
	val="${val# }"
 | 
						local list val
 | 
				
			||||||
	val="${val% }"
 | 
						for val in $(uci_get_state firewall core "$var" | sort -u); do
 | 
				
			||||||
 | 
							list="${list:+$list }$val"
 | 
				
			||||||
 | 
						done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						echo "list[$list]"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	uci_revert_state firewall core $var
 | 
						uci_revert_state firewall core $var
 | 
				
			||||||
	uci_set_state firewall core $var "$val"
 | 
					
 | 
				
			||||||
 | 
						[ -n "$list" ] && {
 | 
				
			||||||
 | 
							list=" $list "
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
							for item in $item; do
 | 
				
			||||||
 | 
								list="${list// $item / }"
 | 
				
			||||||
 | 
							done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
							list="${list# }"
 | 
				
			||||||
 | 
							list="${list% }"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
							echo "list2[$list]"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
							uci_set_state firewall core $var "$list"
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
fw_configure_interface() {
 | 
					fw_configure_interface() {
 | 
				
			||||||
 
 | 
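Review bot: In `fw__uci_state_add` the case pattern `"* $item *")` is fully quoted, so the asterisks match literal `*` characters rather than acting as globs and the duplicate check never fires; every call appends `$item` again and the state list accumulates duplicates. Only the item should be quoted: `*" $item "*) continue;;`. `fw__uci_state_del` also leaves three debug lines in place, `echo "del[$item]"`, `echo "list[$list]"` and `echo "list2[$list]"`, which go to the caller's stdout and should be removed (or routed through a logging helper such as `fw_log`, if this file has one) before merge. The `| sort -u` on the state value is presumably a no-op, since `uci_get_state` returns a single space-separated line and `sort` operates on lines, so that loop only normalizes whitespace. `fw_configure_interface` opens on the hunk's last line and its body continues outside it.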
				
			|||||||