FS#640 - Undocumented / unnamed firewall rules installed by default #5644
Comments
yousong: Quote hnyman in the forum post
Well, the config file has a short header explaining that rule:
# allow IPsec/ESP and ISAKMP passthrough
jonesmz: Since you marked this bug report as "not-a-bug", I take it that you consider it desirable for default configuration files to show up with blank name in LUCI? Perhaps I should submit a patch to the mailing list that removes the lines containing
option name 'Allow-DHCP-Renew'
option name 'Allow-Ping'
option name 'Allow-IGMP'
option name 'Allow-DHCPv6'
option name 'Allow-MLD'
option name 'Allow-ICMPv6-Input'
and
option name 'Allow-ICMPv6-Forward'
from /etc/config/firewall. That'll save roughly 160 bytes, give or take. If you don't want to remove the human readable names from the configuration file, while still making sure they show up as blank in LUCI, we could instead replace them with # style comments above the respective rules. If you wouldn't be willing to merge that, why not? It'll make all the other default installed rules match the rules I'm complaining about in this bug report. Please reopen this bug report. You missed the point. LUCI displays no information to the user about the firewall rule for the ESP protocol, and no information to the user about UDP port 500. The configuration file and/or git commit history isn't sufficient, as that information isn't accessible to a user via LUCI,
yousong: Moving the content of comment line of these two rules to option name is more desirable. A patch by you will be even nicer. I thought the udp port 500 and ip proto esp itself are quite self-evident, not to mention the kind of redundant comment line. That's why I closed the task as I thought it was not a "have no documentation" issue... Please propose a patch to the mailing list and add a line in the commit message body that reads "Fixes FS#640". But there is no need to re-open this task and close it later, is there?
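As an added example, not code from this issue or from the LEDE/OpenWrt project, the following audits a UCI firewall config for `config rule` sections that carry no `option name`, which is exactly the condition that makes LuCI list a rule with a blank name. The sample config is constructed here and only mirrors the two IPsec passthrough rules discussed above; it is not the project's actual file.

```python
import re

# Constructed sample in /etc/config/firewall (UCI) syntax, not the real
# default file: one named rule plus the two unnamed IPsec passthrough rules
# from this issue, documented only by a '#' comment that LuCI never shows.
SAMPLE_FIREWALL = """
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'

# allow IPsec/ESP and ISAKMP passthrough
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
"""

def parse_uci_sections(text):
    """Parse 'config <type> [name]' sections into (type, {option: value}).
    Handles single-quoted, double-quoted and bare values; skips comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = re.findall(r"'([^']*)'|\"([^\"]*)\"|(\S+)", line)
        tokens = [a or b or c for a, b, c in parts]
        if tokens[0] == 'config' and len(tokens) > 1:
            sections.append((tokens[1], {}))
        elif tokens[0] == 'option' and len(tokens) > 1 and sections:
            sections[-1][1][tokens[1]] = tokens[2] if len(tokens) > 2 else ''
    return sections

def unnamed_rules(text):
    """Describe every 'rule' section lacking 'option name' by its match
    criteria, so an admin can see which traffic an anonymous rule admits."""
    keys = ('proto', 'dest_port', 'src', 'dest')
    return ['/'.join(f"{k}={o[k]}" for k in keys if k in o)
            for t, o in parse_uci_sections(text) if t == 'rule' and not o.get('name')]
```

Running `unnamed_rules(SAMPLE_FIREWALL)` reports only the ESP and UDP/500 rules; once each gets an `option name`, the list is empty.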
yousong: The change was just pushed to both master and lede-17.01 branch: https://git.lede-project.org/?p=source.git;a=commitdiff;h=910a9430a0c0da2e60c1b84bbf640d310aba4bd7 Thank you for the heads-up.
jonesmz:
Supply the following if possible:
Please see this forum post: https://forum.lede-project.org/t/where-does-the-udp-port-500-firewall-rule-come-from/2220/7
There are firewall rules installed by default for UDP port 500, and protocol ESP that have no documentation.
Personally, I would prefer to see these rules removed, as they are unneeded unless using IPSec, but I would alternatively be happy to see them be given names by default.