These are the practices recommended by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"
Fixes FS#640
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
option family ipv6
option target ACCEPT
+config rule
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
+
+config rule
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+
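Review bot: The new Allow-IPSec-ESP and Allow-ISAKMP rules carry no `option family`, so unlike the preceding rule (whose `option family ipv6` is the first context line of this hunk) they accept ESP and UDP/500 forwarded from wan into every lan host for IPv4 as well as IPv6; if the intent is only the RFC6092 recommendation cited in the description, add `option family ipv6` to both rules, and if both families are meant, say so in a comment so the next reader does not "fix" it. The removed block further down kept the explanatory comment `# allow IPsec/ESP and ISAKMP passthrough` above the rules, which the new default-enabled rules drop; restoring it as `# allow IPsec/ESP and ISAKMP passthrough (RFC6092 REC-22/REC-24)` would document why an inbound accept rule sits in the default config. Neither rule restricts `dest_ip`, which matches the removed rules but is worth stating in that comment since the accept now applies to all lan hosts by default.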
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
# option dest_port 22
# option proto tcp
-# allow IPsec/ESP and ISAKMP passthrough
-config rule
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
-
-config rule
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
-
### FULL CONFIG SECTIONS
#config rule
# option src lan