Commit Graph

19 Commits

Author SHA1 Message Date
Jo-Philipp Wich
dd6c299d2e firewall: fix fw__uci_state_del() procedure (#11132)
SVN-Revision: 30938
2012-03-13 21:22:13 +00:00
Jo-Philipp Wich
50a22f4f9e firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
SVN-Revision: 28669
2011-10-29 18:02:45 +00:00
Jo-Philipp Wich
90ac92e8be firewall: fix serious bug in state var handling (#9746)
SVN-Revision: 27711
2011-07-20 15:29:10 +00:00
Jo-Philipp Wich
78fa88ca81 firewall: rework state variable handling, use uci_toggle_state() where applicable and properly handle duplicates in add and del state helpers (#9152, #9710)
SVN-Revision: 27618
2011-07-15 15:03:57 +00:00
Jo-Philipp Wich
2e9e4c435f firewall: revert accidentally committed changes from r26805
SVN-Revision: 26806
2011-05-02 12:55:36 +00:00
Jo-Philipp Wich
ad23dd94b6 firewall: provide examples of ssh port relocation on firewall and IPsec passthrough

Two examples of potentially useful configurations (commented out, of course):

(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack.

(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26805
2011-05-02 12:54:31 +00:00
Jo-Philipp Wich
2a386cee99 firewall: prevent excessive uci state data aggregation (#9152)
SVN-Revision: 26740
2011-04-20 11:49:09 +00:00
Jo-Philipp Wich
af82471525 firewall: prevent duplicate values in interface state vars
SVN-Revision: 26382
2011-03-30 20:29:17 +00:00
Jo-Philipp Wich
1ca64678bb firewall: fix rule generation for v4 or v6 only zones (#8955)
SVN-Revision: 25813
2011-03-01 18:04:14 +00:00
Jo-Philipp Wich
b07620df31 firewall: protect iptables invocations with locks in interface ops, it might run concurrently due to hotplug invocations on network restart
SVN-Revision: 23090
2010-09-19 15:01:47 +00:00
Jo-Philipp Wich
1fe50da4bb firewall: deliver remove hotplug events for all active zones/networks when restarting the firewall
SVN-Revision: 23062
2010-09-14 23:11:12 +00:00
Jo-Philipp Wich
f3dd8278bb firewall:
- simplify masquerade rule setup
- remove various subshell invocations
- speedup fw() by not relying on xargs and pipes
- rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source
SVN-Revision: 23024
2010-09-11 20:04:34 +00:00
Jo-Philipp Wich
ca5bf9e291 firewall:
- handle NAT reflection in firewall hotplug, solves synchronizing issues on boot
- introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation
SVN-Revision: 22888
2010-09-04 15:49:13 +00:00
Jo-Philipp Wich
ee4dd61b10 firewall:
- fix processing of rules with an ip family option
- append interface rules at the end of internal zone chains, simplifies injecting user or addon rules
- support simple file logging (option log + option log_limit per zone)
SVN-Revision: 22847
2010-08-31 01:54:08 +00:00
Jo-Philipp Wich
48c357ec01 firewall:
- support alias ifnames different from parent ifname
- properly handle multiple subnets per alias (v4+v6)
SVN-Revision: 21656
2010-06-02 00:59:35 +00:00
Jo-Philipp Wich
07b571a239 firewall: Initial alias interface support. This allows to define zones covering alias interfaces and associated entries like rules and forwardings.
SVN-Revision: 21653
2010-06-01 21:58:48 +00:00
Jo-Philipp Wich
40ad9defcc firewall:
- fix ip6tables rules when icmp_type option is set
- add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables
SVN-Revision: 21508
2010-05-19 21:35:23 +00:00
Jo-Philipp Wich
c6fdffd932 firewall (#7355)
- partially revert r21486, start firewall on init again
- skip iface hotplug events if base fw is not up yet
- get ifname and up state with uci_get_state() in iface setup since the values gathered by scan_interfaces() may be outdated when iface coldplugging happens (observed with pptp)
- ignore up state when bringing down interfaces because ifdown reverts state vars before dispatching the iface event
- bump package revision
SVN-Revision: 21502
2010-05-19 00:50:14 +00:00
Jo-Philipp Wich
c284cb51c0 firewall:
- replace uci firewall with a modular dual stack implementation developed by Malte S. Stretz
- bump version to 2
SVN-Revision: 21286
2010-05-01 18:22:01 +00:00