firewall: document rules for IPSec ESP/ISAKMP with 'name' option
[openwrt/staging/florian.git] / package / network / config / firewall / files / firewall.config
index d149e77957de1c80358c1e8131920867a193c9ed..8874e9882c3083932fc90e061739dc265992eb61 100644 (file)
@@ -46,19 +46,37 @@ config rule
        option family           ipv4
        option target           ACCEPT
 
+config rule
+       option name             Allow-IGMP
+       option src              wan
+       option proto            igmp
+       option family           ipv4
+       option target           ACCEPT
+
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
-       option src_ip           fe80::/10
-       option src_port         547
-       option dest_ip          fe80::/10
+       option src_ip           fc00::/6
+       option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT
 
+config rule
+       option name             Allow-MLD
+       option src              wan
+       option proto            icmp
+       option src_ip           fe80::/10
+       list icmp_type          '130/0'
+       list icmp_type          '131/0'
+       list icmp_type          '132/0'
+       list icmp_type          '143/0'
+       option family           ipv6
+       option target           ACCEPT
+
 # Allow essential incoming IPv6 ICMP traffic
 config rule
        option name             Allow-ICMPv6-Input
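Review bot: The Allow-DHCPv6 rule is widened more than its comment suggests: `src_ip`/`dest_ip` fc00::/6 covers not only ULA (fc00::/7) and link-local (fe80::/10) but also deprecated site-local fec0::/10 and the ff00::/8 multicast range, and the `src_port 547` match was removed, so UDP from any source port within that /6 is now accepted to port 546. If the intent is to admit relayed server replies from ULA addresses, two rules with `option src_ip fe80::/10` and `option src_ip fc00::/7` (keeping `option src_port 547`) would be tighter; at minimum the header comment should say why the prefix and port match were loosened, e.g. `# Allow DHCPv6 replies from link-local and ULA sources (fc00::/6 covers both)`. Exposure is bounded by the fact that only UDP/546 on the router itself is reachable, but that is worth stating. The Allow-IGMP and Allow-MLD rules look fine; MLD is correctly pinned to link-local sources.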
@@ -96,6 +114,21 @@ config rule
        option family           ipv6
        option target           ACCEPT
 
+config rule
+       option name             Allow-IPSec-ESP
+       option src              wan
+       option dest             lan
+       option proto            esp
+       option target           ACCEPT
+
+config rule
+       option name             Allow-ISAKMP
+       option src              wan
+       option dest             lan
+       option dest_port        500
+       option proto            udp
+       option target           ACCEPT
+
 # include a file with users custom iptables rules
 config include
        option path /etc/firewall.user
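Review bot: Allow-IPSec-ESP and Allow-ISAKMP are forward rules (`src wan`, `dest lan`) with no `family` and no `dest_ip`, so, unlike the rules above them, they apply to IPv6 as well, where no NAT hides the LAN and unsolicited ESP and UDP/500 from the internet would reach every LAN host directly. If these are meant as IPv4 passthrough for a LAN VPN client behind NAT, as the old example block called it, `option family ipv4` would limit them to that case; otherwise the IPv6 exposure should be a documented decision. The explanatory comment from the removed example, `# allow IPsec/ESP and ISAKMP passthrough`, should also be carried over above the first rule so these two are not the only default rules without one. NAT-T (UDP/4500) is not covered here, which may be intentional given conntrack handles the outbound-initiated case.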
@@ -139,21 +172,6 @@ config include
 #      option dest_port        22
 #      option proto            tcp
 
-# allow IPsec/ESP and ISAKMP passthrough
-#config rule
-#      option src              wan
-#      option dest             lan
-#      option protocol         esp
-#      option target           ACCEPT
-
-#config rule
-#      option src              wan
-#      option dest             lan
-#      option src_port         500
-#      option dest_port        500
-#      option proto            udp
-#      option target           ACCEPT
-
 ### FULL CONFIG SECTIONS
 #config rule
 #      option src              lan