From facd06ed142eb3ead783ed9246c5fe00c62a1f61 Mon Sep 17 00:00:00 2001
From: coolsnowwolf
Date: Tue, 20 Jul 2021 14:08:13 +0800
Subject: [PATCH] luci-app-ipsec-vpnd: rules security optimization

---
 package/lean/luci-app-ipsec-vpnd/Makefile | 2 +-
 .../root/etc/uci-defaults/luci-ipsec | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/package/lean/luci-app-ipsec-vpnd/Makefile b/package/lean/luci-app-ipsec-vpnd/Makefile
index 457d8eeeb..d9a888c19 100644
--- a/package/lean/luci-app-ipsec-vpnd/Makefile
+++ b/package/lean/luci-app-ipsec-vpnd/Makefile
@@ -9,7 +9,7 @@ LUCI_TITLE:=LuCI support for IPSec VPN Server (IKEv1 with PSK and Xauth)
 LUCI_DEPENDS:=+strongswan +strongswan-minimal +strongswan-mod-xauth-generic +strongswan-mod-kernel-libipsec
 LUCI_PKGARCH:=all
 PKG_VERSION:=1.0
-PKG_RELEASE:=10
+PKG_RELEASE:=11
 include $(TOPDIR)/feeds/luci/luci.mk
diff --git a/package/lean/luci-app-ipsec-vpnd/root/etc/uci-defaults/luci-ipsec b/package/lean/luci-app-ipsec-vpnd/root/etc/uci-defaults/luci-ipsec
index dfc89e01d..fd7b33d36 100755
--- a/package/lean/luci-app-ipsec-vpnd/root/etc/uci-defaults/luci-ipsec
+++ b/package/lean/luci-app-ipsec-vpnd/root/etc/uci-defaults/luci-ipsec
@@ -18,9 +18,7 @@ uci -q batch <<-EOF >/dev/null
 set network.VPN.netmask="255.255.255.0"
 commit network
-
- set firewall.@defaults[0].forward="ACCEPT"
-
+
 delete firewall.ike
 add firewall rule
 rename firewall.@rule[-1]="ike"
@@ -62,6 +60,12 @@ uci -q batch <<-EOF >/dev/null
 set firewall.VPN.forward="ACCEPT"
 set firewall.VPN.output="ACCEPT"
 set firewall.VPN.network="VPN"
+
+ delete firewall.vpn
+ set firewall.vpn=forwarding
+ set firewall.vpn.name="vpn"
+ set firewall.vpn.dest="wan"
+ set firewall.vpn.src="VPN"
 commit firewall
 EOF
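Review bot: Dropping `set firewall.@defaults[0].forward="ACCEPT"` stops new installs from opening the global forward policy, but a device that already ran release 10 keeps forward=ACCEPT in its saved firewall config, because nothing in this hunk restores or even mentions the old value. Resetting it unconditionally here would clobber a policy the user may have chosen themselves, so the safer fix is a comment above `delete firewall.ike` such as `# global forward policy is no longer changed; installs from release <=10 must reset firewall.@defaults[0].forward themselves`, plus a line in the commit message. The `uci -q batch <<-EOF` heredoc these lines belong to is opened above the hunk, and its `-q` means a failing uci line in this block is not reported.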
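Review bot: The new `vpn` forwarding section permits traffic from zone VPN to `wan` only, so once the global forward=ACCEPT removed in the previous hunk is gone, VPN clients presumably lose any access to `lan` they had before; neither the hunk nor the commit title says whether that restriction is intended. A one-line comment before `delete firewall.vpn` would make the scope explicit for the next maintainer, e.g. `# VPN clients are forwarded to wan only; add a separate forwarding section if lan access is required`. The heredoc containing these lines is opened above the hunk and closed by the `EOF` shown at its end.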