domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
20,410 Commits 6 Branches 28 Tags
63a532a472c29844f224f5ec20b51f50b260b742
Commit Graph

141 Commits

Author SHA1 Message Date
Mirko Vogt
075618c6e3 minor change: adjust formatting of firewall.config 
- remove trailing whitespaces (s/\ $//g)
 - replace spaces with tabs between options and values

SVN-Revision: 31427
 2012-04-21 19:42:28 +00:00
Jo-Philipp Wich
d74c6ce7c5 firewall: revert processing order of redirects and rules, ensures that rules can be used to filter before redirects are reached 
SVN-Revision: 31014
 2012-03-18 23:34:06 +00:00
Jo-Philipp Wich
dd6c299d2e firewall: fix fw__uci_state_del() procedure (#11132) 
SVN-Revision: 30938
 2012-03-13 21:22:13 +00:00
Jo-Philipp Wich
9aaca7f1b1 firewall: allow ICMPv6 type 129 (echo reply) - this fixes basic ICMPv6 in case no connection tracking is used 
SVN-Revision: 30727
 2012-02-25 21:00:23 +00:00
Jo-Philipp Wich
fe2d387a8c firewall: bail out if uci is used in firewall include files 
SVN-Revision: 30694
 2012-02-23 18:50:47 +00:00
Felix Fietkau
d85a504d3c iptables: make it possible to dynamically configure built-in statically linked extensions, fold -mod-conntrack and -mod-nat into the default package. saves about 8k on an ar71xx default squashfs 
SVN-Revision: 30676
 2012-02-22 01:47:48 +00:00
Jo-Philipp Wich
5609ad736e firewall: don't filter IPv4 ICMP types (#10928) 
SVN-Revision: 30363
 2012-02-07 18:35:48 +00:00
Jo-Philipp Wich
8094fa46da firewall: add support for "local" port forwards which target an internal address on the router itself 
SVN-Revision: 29687
 2012-01-08 15:29:24 +00:00
Jo-Philipp Wich
77dda8d67a firewall: - introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them - annotate default traffic rules with names - bump version 
SVN-Revision: 29577
 2011-12-20 01:10:15 +00:00
Jo-Philipp Wich
10f199d832 firewall: add DHCPv6 default rule (#10381) 
SVN-Revision: 28874
 2011-11-09 11:10:37 +00:00
Jo-Philipp Wich
50a22f4f9e firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again 
SVN-Revision: 28669
 2011-10-29 18:02:45 +00:00
Jo-Philipp Wich
c7ac1b5b0c firewall: do not produce 0.0.0.0/0 if a symbolic masq_src or masq_dest is given but does not resolve to an ip 
SVN-Revision: 28628
 2011-10-27 18:14:55 +00:00
Jo-Philipp Wich
204bf6e5fe firewall: prevent ip6tables -t nat rules (#10265) 
SVN-Revision: 28535
 2011-10-23 12:25:57 +00:00
Jo-Philipp Wich
69df551be3 firewall: fix another instance of unquoted "*" 
SVN-Revision: 28529
 2011-10-22 21:38:10 +00:00
Jo-Philipp Wich
9a61d9e513 firewall: fix possible expansion of "*" when rules with "option src *" are processed 
SVN-Revision: 28527
 2011-10-22 20:11:25 +00:00
Jo-Philipp Wich
e0e73928da firewall: do not check for module availability, let iptables fail if a feature is not present (#7610) 
SVN-Revision: 28525
 2011-10-22 19:50:35 +00:00
Jo-Philipp Wich
995face56d firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrack instead of state match (#10038) 
SVN-Revision: 28148
 2011-09-01 20:37:22 +00:00
Jo-Philipp Wich
f1e7045d30 firewall: further tune ICMPv6 default rules according to RFC4890 (#9893) 
SVN-Revision: 27979
 2011-08-14 00:33:29 +00:00
Jo-Philipp Wich
7a206885df firewall: prevent redundant rules if multiple ports and multiple icmp types are given in a rule block for both icmp and other protocols 
SVN-Revision: 27792
 2011-07-26 22:21:39 +00:00
Jo-Philipp Wich
90ac92e8be firewall: fix serious bug in state var handling (#9746) 
SVN-Revision: 27711
 2011-07-20 15:29:10 +00:00
Jo-Philipp Wich
78fa88ca81 firewall: rework state variable handling, use uci_toggle_state() where applicable and properly handle duplicates in add and del state helpers (#9152, #9710) 
SVN-Revision: 27618
 2011-07-15 15:03:57 +00:00
Jo-Philipp Wich
a92ed1808c firewall: make sure that -m mac is used with --mac-source, follow up to r27508 
SVN-Revision: 27519
 2011-07-07 10:28:31 +00:00
Daniel Dickinson
ca7383e701 firewall: also correct another variable missed in previous commit 
SVN-Revision: 27508
 2011-07-07 08:59:40 +00:00
Daniel Dickinson
c8531fca5d firewall: fix wrong variable names for protocol command line parameter - were missed during r27500 
SVN-Revision: 27507
 2011-07-07 08:54:29 +00:00
Jo-Philipp Wich
dd4934a943 firewall: - solve scoping issues when multiple values are used, thanks Daniel Dickinson - ignore src_port/dest_port for proto icmp rules, ignore icmp_type for non-icmp rules - properly handle icmp when proto is given in numerical form (1, 58) - support negated icmp types 
SVN-Revision: 27500
 2011-07-06 22:10:46 +00:00
Daniel Dickinson
05c45f0f5e firewall: fix udp rules for tcpudp proto rules using src_port and dest_port after modification by the parsing of the tcp rule 
SVN-Revision: 27469
 2011-07-06 06:26:12 +00:00
Jo-Philipp Wich
600a8517ad firewall: fix port range quirk in previous commit 
SVN-Revision: 27335
 2011-07-01 11:50:48 +00:00
Jo-Philipp Wich
df14a48dc9 firewall: properly handle negated ports in nat reflection 
SVN-Revision: 27334
 2011-07-01 11:48:14 +00:00
Jo-Philipp Wich
07abf4a81e firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem 
SVN-Revision: 27321
 2011-06-30 12:22:05 +00:00
Jo-Philipp Wich
8f0fb81dfe firewall: restore local port relocation ability from r26617 
SVN-Revision: 27318
 2011-06-30 01:36:09 +00:00
Jo-Philipp Wich
68a1c8e1e3 firewall: - allow multiple ports, protocols, macs, icmp types per rule - implement "limit" and "limit_burst" options for rules - implement "extra" option to rules and redirects for passing arbritary flags to iptables - implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options - allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination - validate symbolic icmp-type names against the selected iptables binary - properly handle forwarded ICMPv6 traffic in the default configuration 
SVN-Revision: 27317
 2011-06-30 01:31:23 +00:00
Jo-Philipp Wich
9f37422f2f firewall: ensure that fw_get_subnet4() sets an empty value if no (valid) IPv4 addr was found 
SVN-Revision: 27198
 2011-06-16 22:18:45 +00:00
Jo-Philipp Wich
c014101d73 firewall: allow symbolic names of interfaces and aliases in masq_src and masq_dest 
SVN-Revision: 27196
 2011-06-16 21:54:59 +00:00
Jo-Philipp Wich
f2b7c81d46 firewall: explictely mention network in default configuration, makes it less confusing 
SVN-Revision: 26961
 2011-05-20 13:45:40 +00:00
Jo-Philipp Wich
2e9e4c435f firewall: revert accidential committed changes from r26805 
SVN-Revision: 26806
 2011-05-02 12:55:36 +00:00
Jo-Philipp Wich
ad23dd94b6 firewall: provide examples of ssh port relocation on firewall and IPsec passthrough Two examples of potentially useful configurations (commented out, of course): 
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a
LAN-based machine if desired, or if not, simply obscures the port from external attack.

(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26805
 2011-05-02 12:54:31 +00:00
Jo-Philipp Wich
2a386cee99 firewall: prevent excessive uci state data aggregation (#9152) 
SVN-Revision: 26740
 2011-04-20 11:49:09 +00:00
Jo-Philipp Wich
a9977eca91 firewall: allow local redirection of ports 
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
    connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
    still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26617
 2011-04-12 20:03:59 +00:00
Jo-Philipp Wich
af82471525 firewall: prevent duplicate values in interface state vars 
SVN-Revision: 26382
 2011-03-30 20:29:17 +00:00
Travis Kemen
a2cd7b2883 Keep firewall.user during sysupgrades 
SVN-Revision: 26241
 2011-03-20 00:57:47 +00:00
Jo-Philipp Wich
13333a6742 firewall: move include sourcing into a subshell, this makes the firewall init immune against exit in the include scripts 
SVN-Revision: 25835
 2011-03-02 19:20:29 +00:00
Jo-Philipp Wich
1ca64678bb firewall: fix rule generation for v4 or v6 only zones (#8955) 
SVN-Revision: 25813
 2011-03-01 18:04:14 +00:00
Jo-Philipp Wich
04b20727d8 firewall: fix wrong rule order if multiple protocols are used 
SVN-Revision: 25179
 2011-01-27 22:19:53 +00:00
Jo-Philipp Wich
a43f5b5038 firewall: insert SNAT and DNAT rules according to the order of the configuration file (#8052) 
SVN-Revision: 23318
 2010-10-08 12:11:55 +00:00
Jo-Philipp Wich
b0ca17ae6e firewall: mark /etc/firewall.user as conffile 
SVN-Revision: 23231
 2010-10-05 07:31:49 +00:00
Jo-Philipp Wich
7bf84dc4f8 firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled 
SVN-Revision: 23201
 2010-10-03 18:11:59 +00:00
Jo-Philipp Wich
1cb2abca8e add maintainer information 
SVN-Revision: 23159
 2010-09-30 10:48:37 +00:00
Jo-Philipp Wich
1a0d7a3612 firewall: fix chain selection logic, option dest must be ignored for notrack targets 
SVN-Revision: 23143
 2010-09-28 11:38:31 +00:00
Jo-Philipp Wich
a1a31f1831 firewall: don't setup nat reflection if negations are used 
SVN-Revision: 23142
 2010-09-28 11:11:11 +00:00
Jo-Philipp Wich
6a335579b8 fireall: - support negations for src_ip, dest_ip, src_dip options in rules and redirects - add NOTRACK target to rule sections, allows to define fine grained notrack rules 
SVN-Revision: 23141
 2010-09-28 10:42:56 +00:00