Commit Graph

137 Commits (cb32e76a01990169ac96d9ade4a5f39b39153ace)

Author SHA1 Message Date
Jo-Philipp Wich 92fb6d16b2 [package] firewall: also set up nat reflection rules for redirects with proto all and/or no src_dport set
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@32652 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-07-09 12:23:36 +00:00
Jo-Philipp Wich 0510c6ccf7 [package] firewall: allow incoming ICMPv6 router-advertisement and neighbor-advertisement, thanks swalker
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@32127 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-06-08 14:20:34 +00:00
Jo-Philipp Wich 75a299db50 [package] /etc/functions.sh => /lib/functions.sh
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@32062 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-06-05 16:04:23 +00:00
Jo-Philipp Wich 7607d0e41b [packages] firewall: fix nat reflection after netifd status format change
- use /lib/functions/network.sh
- simplify nat reflection code

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@31936 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-05-28 03:15:05 +00:00
Jo-Philipp Wich 9d66c5c342 [package] firewall: rework interface address determination to skip ipv6 addresses
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@31755 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-05-16 13:37:49 +00:00
Jo-Philipp Wich 8eb607235e [package] firewall: fix nat reflection after netifd switch (#11460)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@31754 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-05-16 13:03:54 +00:00
Mirko Vogt eb2128eaa6 [package/firewall] minor change: adjust formatting of firewall.config
- remove trailing whitespaces (s/\ $//g)
- replace spaces with tabs between options and values

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@31427 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-04-21 19:42:28 +00:00
Jo-Philipp Wich baa56db3f2 [package] firewall: revert processing order of redirects and rules, ensures that rules can be used to filter before redirects are reached
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@31014 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-03-18 23:34:06 +00:00
Jo-Philipp Wich 8693b9821b [package] firewall: fix fw__uci_state_del() procedure (#11132)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30938 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-03-13 21:22:13 +00:00
Jo-Philipp Wich b70a65718f [package] firewall: allow ICMPv6 type 129 (echo reply) - this fixes basic ICMPv6 in case no connection tracking is used
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30727 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-25 21:00:23 +00:00
Jo-Philipp Wich 716e67dbf7 [package] firewall: bail out if uci is used in firewall include files
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30694 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-23 18:50:47 +00:00
Jo-Philipp Wich 1a0c80a2dd [package] firewall: don't filter IPv4 ICMP types (#10928)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30363 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-07 18:35:48 +00:00
Jo-Philipp Wich 457062fb53 [package] firewall: add support for "local" port forwards which target an internal address on the router itself
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29687 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-01-08 15:29:24 +00:00
Jo-Philipp Wich d1d3cd65a8 [package] firewall:
- introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them
- annotate default traffic rules with names
- bump version

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29577 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-12-20 01:10:15 +00:00
Jo-Philipp Wich 3f4137d170 [package] firewall: add DHCPv6 default rule (#10381)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28874 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-11-09 11:10:37 +00:00
Jo-Philipp Wich c3b8a2419c [package] firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28669 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-29 18:02:45 +00:00
Jo-Philipp Wich 281468d9cd [package] firewall: do not produce 0.0.0.0/0 if a symbolic masq_src or masq_dest is given but does not resolve to an ip
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28628 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-27 18:14:55 +00:00
Jo-Philipp Wich 3dfbfb9eeb [package] firewall: prevent ip6tables -t nat rules (#10265)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28535 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-23 12:25:57 +00:00
Jo-Philipp Wich d9ac523b00 [package] firewall: fix another instance of unquoted "*"
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28529 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 21:38:10 +00:00
Jo-Philipp Wich 091d0e2e9d [package] firewall: fix possible expansion of "*" when rules with "option src *" are processed
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28527 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 20:11:25 +00:00
Jo-Philipp Wich 6ee2c2b79c [package] firewall: do not check for module availability, let iptables fail if a feature is not present (#7610)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28525 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 19:50:35 +00:00
Jo-Philipp Wich 6922eff85b [package] firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrack instead of state match (#10038)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28148 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-09-01 20:37:22 +00:00
Jo-Philipp Wich 3906d96764 [package] firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27979 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-08-14 00:33:29 +00:00
Jo-Philipp Wich 6292b0603f [package] firewall: prevent redundant rules if multiple ports and multiple icmp types are given in a rule block for both icmp and other protocols
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27792 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-26 22:21:39 +00:00
Jo-Philipp Wich 247397ca80 [package] firewall: fix serious bug in state var handling (#9746)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27711 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-20 15:29:10 +00:00
Jo-Philipp Wich 4885c7ec71 [package] firewall: rework state variable handling, use uci_toggle_state() where applicable and properly handle duplicates in add and del state helpers (#9152, #9710)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27618 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-15 15:03:57 +00:00
Jo-Philipp Wich 27aea2ff2d [package] firewall: make sure that -m mac is used with --mac-source, follow up to r27508
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27519 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 10:28:31 +00:00
Daniel Dickinson b83eb47cb9 [package] firewall: also correct another variable missed in previous commit
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27508 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 08:59:40 +00:00
Daniel Dickinson 741b6c9b3c [package] firewall: fix wrong variable names for protocol command line parameter - were missed during r27500
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27507 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 08:54:29 +00:00
Jo-Philipp Wich aa43abb8d1 [package] firewall:
- solve scoping issues when multiple values are used, thanks Daniel Dickinson
- ignore src_port/dest_port for proto icmp rules, ignore icmp_type for non-icmp rules
- properly handle icmp when proto is given in numerical form (1, 58)
- support negated icmp types

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27500 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-06 22:10:46 +00:00
Daniel Dickinson 54aa8cb28a [package] firewall: fix udp rules for tcpudp proto rules using src_port and dest_port after modification by the parsing of the tcp rule
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27469 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-06 06:26:12 +00:00
Jo-Philipp Wich 72b1dea82a [package] firewall: fix port range quirk in previous commit
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27335 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-01 11:50:48 +00:00
Jo-Philipp Wich 3c544257f5 [package] firewall: properly handle negated ports in nat reflection
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27334 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-01 11:48:14 +00:00
Jo-Philipp Wich 80af758239 [package] firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27321 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 12:22:05 +00:00
Jo-Philipp Wich 3628ff05e4 [package] firewall: restore local port relocation ability from r26617
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27318 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 01:36:09 +00:00
Jo-Philipp Wich 534feb8c9b [package] firewall:
- allow multiple ports, protocols, macs, icmp types per rule
- implement "limit" and "limit_burst" options for rules
- implement "extra" option to rules and redirects for passing arbitrary flags to iptables
- implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options
- allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination
- validate symbolic icmp-type names against the selected iptables binary
- properly handle forwarded ICMPv6 traffic in the default configuration

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27317 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 01:31:23 +00:00
Jo-Philipp Wich bf8e00c96d [package] firewall: ensure that fw_get_subnet4() sets an empty value if no (valid) IPv4 addr was found
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27198 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-16 22:18:45 +00:00
Jo-Philipp Wich a847a25be9 [package] firewall: allow symbolic names of interfaces and aliases in masq_src and masq_dest
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27196 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-16 21:54:59 +00:00
Jo-Philipp Wich 4677fcc57d [package] firewall: explicitly mention network in default configuration, makes it less confusing
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26961 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-20 13:45:40 +00:00
Jo-Philipp Wich 5cc94f2ac6 [package] firewall: revert accidentally committed changes from r26805
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26806 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-02 12:55:36 +00:00
Jo-Philipp Wich 244b5fcbdb [PATCH] firewall: provide examples of ssh port relocation on firewall and IPsec passthrough
Two examples of potentially useful configurations (commented out, of course):

(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. This allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack.

(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. Useful for most modern VPN clients you might have on your WAN.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26805 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-02 12:54:31 +00:00
Jo-Philipp Wich 35791d9e95 [package] firewall: prevent excessive uci state data aggregation (#9152)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26740 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-20 11:49:09 +00:00
Jo-Philipp Wich b457e4cfc9 firewall: allow local redirection of ports
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26617 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-12 20:03:59 +00:00
Jo-Philipp Wich 506e7cb67a [package] firewall: prevent duplicate values in interface state vars
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26382 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-30 20:29:17 +00:00
Travis Kemen bea7583b5e Keep firewall.user during sysupgrades
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26241 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-20 00:57:47 +00:00
Jo-Philipp Wich ba9bc394c7 [package] firewall: move include sourcing into a subshell, this makes the firewall init immune against exit in the include scripts
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25835 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-02 19:20:29 +00:00
Jo-Philipp Wich 2caca9f378 [package] firewall: fix rule generation for v4 or v6 only zones (#8955)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25813 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-01 18:04:14 +00:00
Jo-Philipp Wich 887cbd0e59 [package] firewall: fix wrong rule order if multiple protocols are used
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25179 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-01-27 22:19:53 +00:00
Jo-Philipp Wich 7ed5a844a3 [package] firewall: insert SNAT and DNAT rules according to the order of the configuration file (#8052)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23318 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-08 12:11:55 +00:00
Jo-Philipp Wich 7cd9ce2291 [package] firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23201 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-03 18:11:59 +00:00