Jo-Philipp Wich
8693b9821b
[package] firewall: fix fw__uci_state_del() procedure ( #11132 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30938 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-03-13 21:22:13 +00:00
Jo-Philipp Wich
b70a65718f
[package] firewall: allow ICMPv6 type 129 (echo reply) - this fixes basic ICMPv6 in case no connection tracking is used
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30727 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-25 21:00:23 +00:00
Jo-Philipp Wich
716e67dbf7
[package] firewall: bail out if uci is used in firewall include files
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30694 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-23 18:50:47 +00:00
Felix Fietkau
539e529fb5
iptables: make it possible to dynamically configure built-in statically linked extensions, fold -mod-conntrack and -mod-nat into the default package. saves about 8k on an ar71xx default squashfs
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30676 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-22 01:47:48 +00:00
Jo-Philipp Wich
1a0c80a2dd
[package] firewall: don't filter IPv4 ICMP types ( #10928 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@30363 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-02-07 18:35:48 +00:00
Jo-Philipp Wich
457062fb53
[package] firewall: add support for "local" port forwards which target an internal address on the router itself
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29687 3c298f89-4303-0410-b956-a3cf2f4a3e73
2012-01-08 15:29:24 +00:00
Jo-Philipp Wich
d1d3cd65a8
[package] firewall:
...
- introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them
- annotate default traffic rules with names
- bump version
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29577 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-12-20 01:10:15 +00:00
Jo-Philipp Wich
3f4137d170
[package] firewall: add DHCPv6 default rule ( #10381 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28874 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-11-09 11:10:37 +00:00
Jo-Philipp Wich
c3b8a2419c
[package] firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28669 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-29 18:02:45 +00:00
Jo-Philipp Wich
281468d9cd
[package] firewall: do not produce 0.0.0.0/0 if a symbolic masq_src or masq_dest is given but does not resolve to an ip
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28628 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-27 18:14:55 +00:00
Jo-Philipp Wich
3dfbfb9eeb
[package] firewall: prevent ip6tables -t nat rules ( #10265 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28535 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-23 12:25:57 +00:00
Jo-Philipp Wich
d9ac523b00
[package] firewall: fix another instance of unquoted "*"
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28529 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 21:38:10 +00:00
Jo-Philipp Wich
091d0e2e9d
[package] firewall: fix possible expansion of "*" when rules with "option src *" are processed
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28527 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 20:11:25 +00:00
Jo-Philipp Wich
6ee2c2b79c
[package] firewall: do not check for module availability, let iptables fail if a feature is not present ( #7610 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28525 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 19:50:35 +00:00
Jo-Philipp Wich
6922eff85b
[package] firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrack instead of state match ( #10038 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28148 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-09-01 20:37:22 +00:00
Jo-Philipp Wich
3906d96764
[package] firewall: further tune ICMPv6 default rules according to RFC4890 ( #9893 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27979 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-08-14 00:33:29 +00:00
Jo-Philipp Wich
6292b0603f
[package] firewall: prevent redundant rules if multiple ports and multiple icmp types are given in a rule block for both icmp and other protocols
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27792 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-26 22:21:39 +00:00
Jo-Philipp Wich
247397ca80
[package] firewall: fix serious bug in state var handling ( #9746 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27711 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-20 15:29:10 +00:00
Jo-Philipp Wich
4885c7ec71
[package] firewall: rework state variable handling, use uci_toggle_state() where applicable and properly handle duplicates in add and del state helpers ( #9152 , #9710 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27618 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-15 15:03:57 +00:00
Jo-Philipp Wich
27aea2ff2d
[package] firewall: make sure that -m mac is used with --mac-source, follow up to r27508
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27519 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 10:28:31 +00:00
Daniel Dickinson
b83eb47cb9
[package] firewall: also correct another variable missed in previous commit
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27508 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 08:59:40 +00:00
Daniel Dickinson
741b6c9b3c
[package] firewall: fix wrong variable names for protocol command line parameter - were missed during r27500
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27507 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 08:54:29 +00:00
Jo-Philipp Wich
aa43abb8d1
[package] firewall:
...
- solve scoping issues when multiple values are used, thanks Daniel Dickinson
- ignore src_port/dest_port for proto icmp rules, ignore icmp_type for non-icmp rules
- properly handle icmp when proto is given in numerical form (1, 58)
- support negated icmp types
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27500 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-06 22:10:46 +00:00
Daniel Dickinson
54aa8cb28a
[package] firewall: fix udp rules for tcpudp proto rules using src_port and dest_port after modification by the parsing of the tcp rule
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27469 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-06 06:26:12 +00:00
Jo-Philipp Wich
72b1dea82a
[package] firewall: fix port range quirk in previous commit
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27335 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-01 11:50:48 +00:00
Jo-Philipp Wich
3c544257f5
[package] firewall: properly handle negated ports in nat reflection
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27334 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-01 11:48:14 +00:00
Jo-Philipp Wich
80af758239
[package] firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27321 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 12:22:05 +00:00
Jo-Philipp Wich
3628ff05e4
[package] firewall: restore local port relocation ability from r26617
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27318 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 01:36:09 +00:00
Jo-Philipp Wich
534feb8c9b
[package] firewall:
...
- allow multiple ports, protocols, macs, icmp types per rule
- implement "limit" and "limit_burst" options for rules
- implement "extra" option to rules and redirects for passing arbritary flags to iptables
- implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options
- allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination
- validate symbolic icmp-type names against the selected iptables binary
- properly handle forwarded ICMPv6 traffic in the default configuration
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27317 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 01:31:23 +00:00
Jo-Philipp Wich
bf8e00c96d
[package] firewall: ensure that fw_get_subnet4() sets an empty value if no (valid) IPv4 addr was found
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27198 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-16 22:18:45 +00:00
Jo-Philipp Wich
a847a25be9
[package] firewall: allow symbolic names of interfaces and aliases in masq_src and masq_dest
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27196 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-16 21:54:59 +00:00
Jo-Philipp Wich
4677fcc57d
[package] firewall: explictely mention network in default configuration, makes it less confusing
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26961 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-20 13:45:40 +00:00
Jo-Philipp Wich
5cc94f2ac6
[package] firewall: revert accidential committed changes from r26805
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26806 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-02 12:55:36 +00:00
Jo-Philipp Wich
244b5fcbdb
[PATCH] firewall: provide examples of ssh port relocation on firewall and IPsec passthrough
...
Two examples of potentially useful configurations (commented out, of course):
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a
LAN-based machine if desired, or if not, simply obscures the port from external attack.
(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26805 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-02 12:54:31 +00:00
Jo-Philipp Wich
35791d9e95
[package] firewall: prevent excessive uci state data aggregation ( #9152 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26740 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-20 11:49:09 +00:00
Jo-Philipp Wich
b457e4cfc9
firewall: allow local redirection of ports
...
Allow a redirect like:
config redirect
option src 'wan'
option dest 'lan'
option src_dport '22001'
option dest_port '22'
option proto 'tcp'
note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.
This patch makes three changes:
(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
connections.
In the above example,
ssh -p 22 root@myrouter
would fail from the outside, but:
ssh -p 22001 root@myrouter
would succeed. This is handy if:
(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
still want to allow firewall access from outside.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26617 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-12 20:03:59 +00:00
Jo-Philipp Wich
506e7cb67a
[package] firewall: prevent duplicate values in interface state vars
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26382 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-30 20:29:17 +00:00
Travis Kemen
bea7583b5e
Keep firewall.user during sysupgrades
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26241 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-20 00:57:47 +00:00
Jo-Philipp Wich
ba9bc394c7
[package] firewall: move include sourcing into a subshell, this makes the firewall init immune against exit in the include scripts
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25835 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-02 19:20:29 +00:00
Jo-Philipp Wich
2caca9f378
[package] firewall: fix rule generation for v4 or v6 only zones ( #8955 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25813 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-01 18:04:14 +00:00
Jo-Philipp Wich
887cbd0e59
[package] firewall: fix wrong rule order if multiple protocols are used
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25179 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-01-27 22:19:53 +00:00
Jo-Philipp Wich
7ed5a844a3
[package] firewall: insert SNAT and DNAT rules according to the order of the configuration file ( #8052 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23318 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-08 12:11:55 +00:00
Jo-Philipp Wich
9d4221adef
[package] firewall: mark /etc/firewall.user as conffile
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23231 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-05 07:31:49 +00:00
Jo-Philipp Wich
7cd9ce2291
[package] firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23201 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-03 18:11:59 +00:00
Jo-Philipp Wich
20e84127cd
[package] add maintainer information
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23159 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-30 10:48:37 +00:00
Jo-Philipp Wich
7e3379391f
[package] firewall: fix chain selection logic, option dest must be ignored for notrack targets
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23143 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-28 11:38:31 +00:00
Jo-Philipp Wich
96be565c54
[package] firewall: don't setup nat reflection if negations are used
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23142 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-28 11:11:11 +00:00
Jo-Philipp Wich
5baf4fe290
[package] fireall:
...
- support negations for src_ip, dest_ip, src_dip options in rules and redirects
- add NOTRACK target to rule sections, allows to define fine grained notrack rules
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23141 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-28 10:42:56 +00:00
Jo-Philipp Wich
45585b8777
[package] firewall: protect iptables invocations with locks in interface ops, it might run concurrently due to hotplug invocations on network restart
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23090 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-19 15:01:47 +00:00
Jo-Philipp Wich
4cc4a08534
[package] firewall: make invalid redirects and duplicate zones non-fatal, print a notice and discard them
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23080 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-16 11:47:35 +00:00