Two examples of potentially useful configurations (commented out, of course):

(a) map the ssh service running on the firewall to 22001 externally, without 
modifying the configuration of the daemon itself. This allows port 22 on the 
WAN side to then be port-forwarded to a LAN-based machine if desired, or if 
not, simply obscures the port from external attack.

(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. 
Useful for most modern VPN clients you might have on your WAN.

Signed-off-by: Philip Prindeville <[email protected]>
Index: package/firewall/files/firewall.config
===================================================================
--- package/firewall/files/firewall.config      (revision 26748)
+++ package/firewall/files/firewall.config      (working copy)
@@ -75,7 +75,29 @@
 #      option dest_port        80 
 #      option proto            tcp
 
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#      option src              wan
+#      option src_dport        22001
+#      option dest             lan
+#      option dest_port        22
+#      option proto            tcp
 
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#      option src              wan
+#      option dest             lan
+#      option protocol         esp
+#      option target           ACCEPT
+
+#config rule
+#      option src              wan
+#      option dest             lan
+#      option src_port         500
+#      option dest_port        500
+#      option proto            udp
+#      option target           ACCEPT
+
 ### FULL CONFIG SECTIONS
 #config rule
 #      option src              lan
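Review bot: the ESP rule uses `option protocol esp` while every other rule in this hunk and in the surrounding context (`#      option proto            tcp`, `#      option proto            udp`) uses `proto`; the firewall config option name is `proto`, and an unrecognised option name is silently ignored rather than rejected, so the ESP rule should read `#      option proto            esp` to actually select ESP. Two smaller points on the same hunk: the cover note says the redirect maps the firewall's own sshd, but the block has `option dest lan` with no `dest_ip`, so either the comment should state where port 22 lands or a commented-out `option dest_ip` line should be added so the example is complete; and matching `src_port 500` as well as `dest_port 500` restricts the ISAKMP rule to peers that initiate from port 500, which excludes clients whose source port is rewritten by an intermediate NAT, so consider dropping `src_port` unless that restriction is intended.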
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel