FS#640 - Undocumented / unnamed firewall rules installed by default #5644

Closed
openwrt-bot opened this issue Mar 19, 2017 · 4 comments

@openwrt-bot openwrt-bot commented Mar 19, 2017

jonesmz:

Supply the following if possible:

  • Device problem occurs on
  • Software versions of LEDE release, packages, etc.
  • Steps to reproduce

Please see this forum post: https://forum.lede-project.org/t/where-does-the-udp-port-500-firewall-rule-come-from/2220/7

There are firewall rules installed by default for UDP port 500, and protocol ESP that have no documentation.

Personally, I would prefer to see these rules removed, as they are unneeded unless using IPSec, but I would alternatively be happy to see them be given names by default.


@openwrt-bot openwrt-bot commented Mar 22, 2017

yousong:

Quote hnyman in the forum post

Well, the config file has a short header explaining that rule: # allow IPsec/ESP and ISAKMP passthrough

And the commit history reveals the reasoning for that rule:
"firewall: comply with REC-22, REC-24 of RFC 6092"
https://git.lede-project.org/?p=source.git;a=commitdiff;h=f6abd042c29f5a69d56151f884fbf4f4e834e674;hp=1b6a6abf0439177cba1fdea3ae91a7354fe748413

https://tools.ietf.org/html/rfc6092

REC-22 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with an upper-layer protocol of type "Encapsulating Security Payload (ESP)" [RFC4303] in their outer IP extension header chain.

REC-24 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of any UDP packets, to and from legitimate node addresses, with a destination port of 500, i.e., the port reserved by IANA for the Internet Key Exchange (IKE) Protocol [RFC5996].


@openwrt-bot openwrt-bot commented Mar 22, 2017

jonesmz:

Since you marked this bug report as "not-a-bug", I take it that you consider it desirable for default configuration files to show up with blank name in LUCI?

Perhaps I should submit a patch to the mailing list that removes the lines containing

option name 'Allow-DHCP-Renew'
option name 'Allow-Ping'
option name 'Allow-IGMP'
option name 'Allow-DHCPv6'
option name 'Allow-MLD'
option name 'Allow-ICMPv6-Input'

and

option name 'Allow-ICMPv6-Forward'

from /etc/config/firewall

That'll save roughly 160 bytes, give or take.

If you don't want to remove the human readable names from the configuration file, while still making sure they show up as blank in LUCI, we could instead replace them with # style comments above the respective rules.

If you wouldn't be willing to merge that, why not? It'll make all the other default installed rules match the rules I'm complaining about in this bug report.

Please reopen this bug report. You missed the point.

LUCI displays no information to the user about the firewall rule for the ESP protocol, and no information to the user about UDP port 500. The configuration file and/or git commit history isn't sufficient, as that information isn't accessible to a user via LUCI.


@openwrt-bot openwrt-bot commented Mar 22, 2017

yousong:

Moving the content of comment line of these two rules to option name is more desirable. A patch by you will be even nicer.

I thought the udp port 500 and ip proto esp itself are quite self-evident, not to mention the kind of redundant comment line. That's why I closed the task as I thought it was not a "have no documentation" issue...

Please propose a patch to the mailing list and add a line in the commit message body that reads "Fixes FS#640". But there is no need to re-open this task and close it later, is there?
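Added example, not code from the issue or from the LEDE/OpenWrt project: a POSIX shell/awk check that lists every `config rule` section in a UCI firewall config that has no `option name`, which is exactly the condition that makes a rule appear blank in LuCI. The config fragment is constructed for the example (standard UCI rule options `src`, `dest`, `proto`, `dest_port`, `target`); the two unnamed rules mirror the ESP and UDP/500 rules discussed above.

```shell
# Constructed /etc/config/firewall fragment: two rules carrying only the
# header comment (no 'option name', as in this issue) and one named rule.
SAMPLE_CONFIG="
# allow IPsec/ESP and ISAKMP passthrough
config rule
    option src      wan
    option dest     lan
    option proto    esp
    option target   ACCEPT

config rule
    option src      wan
    option dest     lan
    option dest_port    500
    option proto    udp
    option target   ACCEPT

config rule
    option name     'Allow-Ping'
    option src      wan
    option proto    icmp
    option icmp_type    echo-request
    option target   ACCEPT
"

# Print every 'config rule' section that lacks 'option name', one per line as
# "@rule[N] proto=<proto> dest_port=<port>" (N is the 0-based index uci uses).
# Usage: unnamed_rules "$(cat /etc/config/firewall)"
unnamed_rules() {
    printf '%s\n' "$1" | awk -v sq="'" -v dq='"' '
        function flush() {
            if (in_rule && !has_name)
                printf "@rule[%d] proto=%s dest_port=%s\n", idx, proto, port
        }
        BEGIN { idx = -1 }
        /^config[ \t]+rule/ { flush(); in_rule = 1; has_name = 0
                              proto = "-"; port = "-"; idx++; next }
        /^config/           { flush(); in_rule = 0; next }
        in_rule && $1 == "option" {
            gsub(sq, "", $3); gsub(dq, "", $3)   # strip quotes around the value
            if ($2 == "name")      has_name = 1
            if ($2 == "proto")     proto = $3
            if ($2 == "dest_port") port = $3
        }
        END { flush() }
    '
}

unnamed_rules "$SAMPLE_CONFIG"
```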


@openwrt-bot openwrt-bot commented Mar 28, 2017

yousong:

The change was just pushed to both master and lede-17.01 branch: https://git.lede-project.org/?p=source.git;a=commitdiff;h=910a9430a0c0da2e60c1b84bbf640d310aba4bd7

Thank you for the heads-up
