OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version lede-17.01
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Michael Jones - 19.03.2017
Last edited by Yousong Zhou - 22.03.2017

FS#640 - Undocumented / unnamed firewall rules installed by default

Supply the following if possible:
- Device problem occurs on
- Software versions of LEDE release, packages, etc.
- Steps to reproduce

Please see this forum post: https://forum.lede-project.org/t/where-does-the-udp-port-500-firewall-rule-come-from/2220/7

There are firewall rules installed by default for UDP port 500, and protocol ESP that have no documentation.

Personally, I would prefer to see these rules removed, as they are unneeded unless using IPSec, but I would alternatively be happy to see them be given names by default.

Closed by Yousong Zhou
22.03.2017 09:22
Reason for closing: Not a bug
Project Manager
Yousong Zhou commented on 22.03.2017 09:21

Quote hnyman in the forum post

Well, the config file has a short header explaining that rule:
# allow IPsec/ESP and ISAKMP passthrough

And the commit history reveals the reasoning for that rule:
"firewall: comply with REC-22, REC-24 of RFC 6092"
https://git.lede-project.org/?p=source.git;a=commitdiff;h=f6abd042c29f5a69d56151f884fbf4f4e834e674;hp=1b6a6abf0439177cba1fdea3ae91a7354fe748413

https://tools.ietf.org/html/rfc60922

REC-22 In their DEFAULT operating mode, IPv6 gateways MUST NOT
prohibit the forwarding of packets, to and from legitimate
node addresses, with an upper-layer protocol of type
"Encapsulating Security Payload (ESP)" [RFC4303] in their
outer IP extension header chain.

REC-24 In their DEFAULT operating mode, IPv6 gateways MUST NOT
prohibit the forwarding of any UDP packets, to and from
legitimate node addresses, with a destination port of 500,
i.e., the port reserved by IANA for the Internet Key Exchange
(IKE) Protocol [RFC5996].
Michael Jones commented on 22.03.2017 14:18

Since you marked this bug report as "not-a-bug", I take it that you consider it desirable for default configuration files to show up with blank name in LUCI?

Perhaps I should submit a patch to the mailing list that removes the lines containing

option name 'Allow-DHCP-Renew'
option name 'Allow-Ping'
option name 'Allow-IGMP'
option name 'Allow-DHCPv6'
option name 'Allow-MLD'
option name 'Allow-ICMPv6-Input'

and

option name 'Allow-ICMPv6-Forward'

from /etc/config/firewall

That'll save roughly 160 bytes, give or take.

If you don't want to remove the human readable names from the configuration file, while still making sure they show up as blank in LUCI, we could instead replace them with # style comments above the respective rules.

If you wouldn't be willing to merge that, why not? It'll make all the other default installed rules match the rules I'm complaining about in this bug report.

Please reopen this bug report. You missed the point.

LUCI displays no information to the user about the firewall rule for the ESP protocol, and no information to the user about UDP port 500. The configuration file and/or git commit history isn't sufficient, as that information isn't accessible to a user via LUCI.

Project Manager
Yousong Zhou commented on 22.03.2017 14:53

Moving the content of comment line of these two rules to option name is more desirable. A patch by you will be even nicer.

I thought the udp port 500 and ip proto esp itself are quite self-evident, not to mention the kind of redundant comment line. That's why I closed the task as I thought it was not a "have no documentation" issue...

Please propose a patch to the mailing list and add a line in the commit message body that reads "Fixes FS#640". But there is no need to re-open this task and close it later, is there?
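A check for rules that would be listed with a blank name, added here as an example for this discussion (it is not code from LEDE or from either commenter). The sample config is constructed in /etc/config/firewall syntax; the rule names and values in it are assumptions, not the real default file.

```shell
#!/bin/sh
# Constructed sample in /etc/config/firewall syntax (not the real LEDE default file):
# the ESP and ISAKMP rules carry only a "#" comment, the others carry "option name".
sample_config() {
	cat <<'EOF'
config zone
    option name     wan
    option input    REJECT

config rule
    option name     'Allow-Ping'
    option src      wan
    option proto    icmp
    option target   ACCEPT

# allow IPsec/ESP and ISAKMP passthrough
config rule
    option src      wan
    option dest     lan
    option proto    esp
    option target   ACCEPT

config rule
    option src      wan
    option dest     lan
    option dest_port 500
    option proto    udp
    option target   ACCEPT
EOF
}

# Read a UCI firewall config on stdin and print one line per "config rule"
# section that lacks "option name", i.e. a rule LuCI would list with a blank name.
unnamed_rules() {
	awk -v q="'" '
	function clean(s) { gsub(q, "", s); gsub(/["]/, "", s); return s }  # drop UCI quotes
	function flush() {
		if (in_rule && !named)
			printf "rule %d: proto=%s dest_port=%s\n", n, proto, port
	}
	$1 == "config" && $2 == "rule" { flush(); in_rule = 1; named = 0; proto = "-"; port = "-"; n++; next }
	$1 == "config"                 { flush(); in_rule = 0; next }   # zone, defaults, forwarding ...
	!in_rule                       { next }
	$1 == "option" && $2 == "name"      { named = 1 }
	$1 == "option" && $2 == "proto"     { proto = clean($3) }
	$1 == "option" && $2 == "dest_port" { port = clean($3) }
	END { flush() }
	'
}

# On a router the same check is: unnamed_rules < /etc/config/firewall
sample_config | unnamed_rules
```

Rule numbering counts only `config rule` sections in file order; quoted values containing spaces are not handled, which the default rule names do not need.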

Project Manager
Yousong Zhou commented on 28.03.2017 10:07

The change was just pushed to both master and lede-17.01 branch: https://git.lede-project.org/?p=source.git;a=commitdiff;h=910a9430a0c0da2e60c1b84bbf640d310aba4bd7

Thank you for the heads-up
