Two examples of potentially useful configurations (commented out, of course):
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a
LAN-based machine if desired, or if not, simply obscures the port from external attack.
(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26805 3c298f89-4303-0410-b956-a3cf2f4a3e73
- simplify masquerade rule setup
- remove various subshell invocations
- speedup fw() by not relying on xargs and pipes
- rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23024 3c298f89-4303-0410-b956-a3cf2f4a3e73
- handle NAT reflection in firewall hotplug, solves synchronizing issues on boot
- introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22888 3c298f89-4303-0410-b956-a3cf2f4a3e73
- fix processing of rules with an ip family option
- append interface rules at the end of internal zone chains, simplifies injecting user or addon rules
- support simple file logging (option log + option log_limit per zone)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22847 3c298f89-4303-0410-b956-a3cf2f4a3e73
- support alias ifnames different from parent ifname
- properly handle multiple subnets per alias (v4+v6)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21656 3c298f89-4303-0410-b956-a3cf2f4a3e73
- fix ip6tables rules when icmp_type option is set
- add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21508 3c298f89-4303-0410-b956-a3cf2f4a3e73
- partially revert r21486, start firewall on init again
- skip iface hotplug events if base fw is not up yet
- get ifname and up state with uci_get_state() in iface setup
since the values gathered by scan_interfaces() may be outdated
when iface coldplugging happens (observed with pptp)
- ignore up state when bringing down interfaces because ifdown
reverts state vars before dispatching the iface event
- bump package revision
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21502 3c298f89-4303-0410-b956-a3cf2f4a3e73
- replace uci firewall with a modular dual stack implementation developed by Malte S. Stretz
- bump version to 2
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21286 3c298f89-4303-0410-b956-a3cf2f4a3e73
Jo-Philipp Wich