Relax source port = 500 ISAKMP restriction
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1538 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
24e6d1191d
commit
fae7312553
@ -40,3 +40,5 @@ Changes since 2.0.3
|
|||||||
18) Removed DNAT ONLY column.
|
18) Removed DNAT ONLY column.
|
||||||
|
|
||||||
19) Added IPSEC column to /etc/shorewall/masq.
|
19) Added IPSEC column to /etc/shorewall/masq.
|
||||||
|
|
||||||
|
20) No longer enforce source port 500 for ISAKMP.
|
||||||
|
@ -1472,10 +1472,10 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
|
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
|
run_iptables -A $outchain -p udp -d $1 --dport 500 $options
|
||||||
|
|
||||||
if [ $kind = ipsec ]; then
|
if [ $kind = ipsec ]; then
|
||||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
||||||
else
|
else
|
||||||
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
||||||
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
|
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
|
||||||
@ -1483,9 +1483,9 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
for z in $(separate_list $3); do
|
for z in $(separate_list $3); do
|
||||||
if validate_zone $z; then
|
if validate_zone $z; then
|
||||||
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
|
addrule ${FW}2${z} -p udp --dport 500 $options
|
||||||
if [ $kind = ipsec ]; then
|
if [ $kind = ipsec ]; then
|
||||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
addrule ${z}2${FW} -p udp --dport 500 $options
|
||||||
else
|
else
|
||||||
addrule ${z}2${FW} -p udp --dport 500 $options
|
addrule ${z}2${FW} -p udp --dport 500 $options
|
||||||
addrule ${z}2${FW} -p udp --dport 4500 $options
|
addrule ${z}2${FW} -p udp --dport 4500 $options
|
||||||
|
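Review bot: After the change, the `ipsec` branch and the `else` branch of `if [ $kind = ipsec ]` both add the identical `run_iptables -A $inchain -p udp -s $1 --dport 500 $options` rule, so the conditional now only decides whether the `--dport 4500` rule is added. Hoisting that line above the `if` and inverting the test to `if [ $kind != ipsec ]; then` with only the 4500 rule left inside would preserve behaviour and leave a single, obvious port 500 rule; the same duplication appears in the second hunk with the `addrule ${z}2${FW}` lines. Since the source-port restriction was dropped on purpose, a short comment such as `# ISAKMP source port intentionally not pinned to 500 (interoperability)` beside the `--dport 500` rules would stop a later reader from re-adding `--sport 500`. The peer is still constrained by `-s $1` / `-d $1`, so the relaxation only widens which source ports the configured gateway may use, not who may reach port 500. setup_tunnels() starts and ends outside both hunks.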
@ -262,3 +262,5 @@ New Features:
|
|||||||
have their source address changed. Otherwise, the unencrypted
|
have their source address changed. Otherwise, the unencrypted
|
||||||
packets will not have their source addresses changed.
|
packets will not have their source addresses changed.
|
||||||
|
|
||||||
|
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
||||||
|
enforce the use of source port 500 for ISAKMP.
|
||||||
|