Relax source port = 500 ISAKMP restriction

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1538 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-08-14 19:03:10 +00:00
parent 24e6d1191d
commit fae7312553
3 changed files with 8 additions and 4 deletions


@ -40,3 +40,5 @@ Changes since 2.0.3
18) Removed DNAT ONLY column. 18) Removed DNAT ONLY column.
19) Added IPSEC column to /etc/shorewall/masq. 19) Added IPSEC column to /etc/shorewall/masq.
20) No longer enforce source port 500 for ISAKMP.


@ -1472,10 +1472,10 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
fi fi
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options run_iptables -A $outchain -p udp -d $1 --dport 500 $options
if [ $kind = ipsec ]; then if [ $kind = ipsec ]; then
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
@ -1483,9 +1483,9 @@ setup_tunnels() # $1 = name of tunnels file
for z in $(separate_list $3); do for z in $(separate_list $3); do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options addrule ${FW}2${z} -p udp --dport 500 $options
if [ $kind = ipsec ]; then if [ $kind = ipsec ]; then
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options addrule ${z}2${FW} -p udp --dport 500 $options
else else
addrule ${z}2${FW} -p udp --dport 500 $options addrule ${z}2${FW} -p udp --dport 500 $options
addrule ${z}2${FW} -p udp --dport 4500 $options addrule ${z}2${FW} -p udp --dport 4500 $options
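Review bot: With `--sport 500` dropped, the `ipsec` branch and the `else` branch after `if [ $kind = ipsec ]; then` now add the identical `-p udp -s $1 --dport 500 $options` rule, so the conditional only decides whether the `--dport 4500` rule is added; the `addrule ${z}2${FW}` pair in the second hunk has the same duplication. Hoisting the 500 rule above the `if` and leaving only the 4500 rule in the `else`, e.g. `run_iptables -A $inchain -p udp -s $1 --dport 500 $options` followed by `[ $kind = ipsec ] || run_iptables -A $inchain -p udp -s $1 --dport 4500 $options`, removes the repeated lines in both hunks. Since the relaxed rule now admits any source port, a short comment on the inbound line would help the next reader, e.g. `# ISAKMP: source port is no longer restricted to 500 (interoperability); the -s match on the tunnel endpoint is what still bounds this rule` — the endpoint role of `$1` here is inferred from `-s $1`/`-d $1`, as the function header names `$1` as the tunnels file. The setup_tunnels body starts and ends outside these hunks.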


@ -262,3 +262,5 @@ New Features:
have their source address changed. Otherwise, the unencrypted have their source address changed. Otherwise, the unencrypted
packets will not have their source addresses changed. packets will not have their source addresses changed.
8) To improve interoperability, tunnels of type 'ipsec' no longer
enforce the use of source port 500 for ISAKMP.