From fae7312553c5098dcee4007a78d567f959b595ff Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 14 Aug 2004 19:03:10 +0000
Subject: [PATCH] Relax source port = 500 ISAKMP restriction

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1538 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 8 ++++----
 Shorewall2/releasenotes.txt | 2 ++
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 91d663669..b4945320e 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -40,3 +40,5 @@ Changes since 2.0.3
 18) Removed DNAT ONLY column.
 
 19) Added IPSEC column to /etc/shorewall/masq.
+
+20) No longer enforce source port 500 for ISAKMP.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 4d00c00ff..3b7c8f63c 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1472,10 +1472,10 @@ setup_tunnels() # $1 = name of tunnels file
 run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
 fi
 
-run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
+run_iptables -A $outchain -p udp -d $1 --dport 500 $options
 
 if [ $kind = ipsec ]; then
-run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
+run_iptables -A $inchain -p udp -s $1 --dport 500 $options
 else
 run_iptables -A $inchain -p udp -s $1 --dport 500 $options
 run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
@@ -1483,9 +1483,9 @@ setup_tunnels() # $1 = name of tunnels file
 
 for z in $(separate_list $3); do
 if validate_zone $z; then
-addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
+addrule ${FW}2${z} -p udp --dport 500 $options
 if [ $kind = ipsec ]; then
-addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
+addrule ${z}2${FW} -p udp --dport 500 $options
 else
 addrule ${z}2${FW} -p udp --dport 500 $options
 addrule ${z}2${FW} -p udp --dport 4500 $options
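Review bot: With `--sport 500` gone, the `ipsec` branch of `if [ $kind = ipsec ]; then` and the first line of its `else` branch now emit the identical rule `run_iptables -A $inchain -p udp -s $1 --dport 500 $options`, so the branches differ only by the extra UDP/4500 rule; the second firewall hunk has the same duplication with `addrule ${z}2${FW} -p udp --dport 500 $options`. Hoist the shared `--dport 500` rule above the test in both places and invert it to `if [ $kind != ipsec ]; then` so only the 4500 rule stays conditional. The widening matches the release note, and the `run_iptables` rules remain bounded by the peer address (`-s $1` / `-d $1`), but the `addrule ${z}2${FW}` rules carry no address match, so every host in zone `$z` can now reach UDP/500 from any source port — presumably acceptable for a tunnel zone, yet worth recording with a comment such as `# ISAKMP peers may use a non-500 source port (NAT/interop); match only the destination port`. `$options` is set outside these hunks, so whether the rules accept or merely log is inferred, and setup_tunnels() begins and ends outside them.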
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 1c40e9b7a..6fb32e27d 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -262,3 +262,5 @@ New Features:
 have their source address changed. Otherwise, the unencrypted packets
 will not have their source addresses changed.
 
+8) To improve interoperability, tunnels of type 'ipsec' no longer
+ enforce the use of source port 500 for ISAKMP.