
Bug #131

"Static route filtering" doesn't add rules for routes on WAN

Added by Garret Huntress almost 10 years ago. Updated about 9 years ago.

Status:
Resolved
Priority:
Low
Assignee:
-
Category:
Rules/NAT
Target version:
Start date:
11/04/2009
Due date:
% Done:

0%

Estimated time:
Affected Version:
1.2.3
Affected Architecture:

Description

The "Static route filtering" option (under System -> Advanced) doesn't account for packets entering and leaving the same interface when that interface goes to the default route.

While it's possible for a user to add a rule to pass in traffic on the WAN interface from the wan subnet to any statelessly, it's not possible to create a corresponding stateless outgoing rule (since the pass out rule is stateful and specifies S/SA flags).

For our install, I modified the end of the filter_rules_generate() function with the following, although this code doesn't handle certain situations (such as when the default route isn't present on the WAN interface, or multi-wan setups).

        $ipfrules .= <<<EOD

# IMSpector
anchor "imspector"

# uPnPd
anchor "miniupnpd"

EOD;

        if (isset($config['filter']['bypassstaticroutes'])) {
                $wansa = gen_subnet($wancfg['ipaddr'], $wancfg['subnet']);
                $wansn = $wancfg['subnet'];
                $ipfrules .= "pass out quick on $wanif inet from $wansa/$wansn to any no state label \"pass traffic between local wan subnet and the default route\" \n";
        }

        $ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in $log quick all label "Default deny rule"
block out $log quick all label "Default deny rule"

EOD;

        return $ipfrules;
}
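An added illustration (not pfSense's own filter.inc code, and not the 2.0 fix that comment #4 describes): the PHP below narrows the rule above so that stateless bypass rules are generated only for interfaces on whose subnet a static route's gateway lives, and only for that route's destination rather than `to any`. The helper names and the sample addresses are assumptions, not taken from the page.

```php
<?php
// Added illustration for this bug, not pfSense's own filter.inc code.
// Instead of "pass out ... from WAN subnet to any no state", it emits
// stateless pf rules only for interfaces on whose subnet a static route's
// gateway lives, and only for that route's destination. Helper names and
// the sample addresses below are assumptions.

// Bitmask for an IPv4 prefix length (0..32).
function prefix_mask(int $bits): int {
    return $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
}

// Network address of $ip/$bits, in the spirit of pfSense's gen_subnet().
function subnet_of(string $ip, int $bits): string {
    return long2ip(ip2long($ip) & prefix_mask($bits));
}

// True if $ip lies inside $network/$bits.
function in_subnet(string $ip, string $network, int $bits): bool {
    $m = prefix_mask($bits);
    return (ip2long($ip) & $m) === (ip2long($network) & $m);
}

// $ifaces: name => ['if' => pf interface, 'ipaddr' => IPv4, 'subnet' => bits]
// $routes: list of ['network' => 'a.b.c.d/n', 'gateway' => IPv4]
// The rules carry no direction, so each matches both in and out on the
// interface; "no state" lets replies that re-enter the same interface pass
// without a state entry. They must precede the quick default-deny rules.
function static_route_bypass_rules(array $ifaces, array $routes): string {
    $rules = '';
    foreach ($routes as $r) {
        foreach ($ifaces as $name => $cfg) {
            $sn = (int)$cfg['subnet'];
            $sa = subnet_of($cfg['ipaddr'], $sn);
            if (!in_subnet($r['gateway'], $sa, $sn)) {
                continue; // gateway is not on this interface's subnet
            }
            $if = $cfg['if'];
            $lbl = "static route bypass on {$name}";
            $rules .= "pass quick on {$if} inet from {$sa}/{$sn} to {$r['network']} no state label \"{$lbl}\"\n";
            $rules .= "pass quick on {$if} inet from {$r['network']} to {$sa}/{$sn} no state label \"{$lbl}\"\n";
        }
    }
    return $rules;
}

// Constructed sample: a network behind another router on the WAN segment.
$ifaces = ['wan' => ['if' => 'em0', 'ipaddr' => '203.0.113.10', 'subnet' => 24]];
$routes = [['network' => '198.51.100.0/24', 'gateway' => '203.0.113.1']];
echo static_route_bypass_rules($ifaces, $routes);
```

For the sample data this prints two rules on em0 between 203.0.113.0/24 and 198.51.100.0/24; an interface whose subnet does not contain the route's gateway gets no rule at all.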

History

#1 Updated by Garret Huntress almost 10 years ago

That code didn't paste well. Here's a second go at it:

        $ipfrules .= <<<EOD

# IMSpector
anchor "imspector" 

# uPnPd
anchor "miniupnpd" 

EOD;

        if (isset($config['filter']['bypassstaticroutes'])) {
                $wansa = gen_subnet($wancfg['ipaddr'], $wancfg['subnet']);
                $wansn = $wancfg['subnet'];
                $ipfrules .= "pass out quick on $wanif inet from $wansa/$wansn to any no state label \"pass traffic between local wan subnet and the default route\" \n";
        }

        $ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in $log quick all label "Default deny rule" 
block out $log quick all label "Default deny rule" 

EOD;

        return $ipfrules;
}

#2 Updated by Chris Buechler almost 10 years ago

  • Subject changed from Static route filtering doesn't account for wan subnet and default route to "Static route filtering" doesn't add rules for routes on WAN
  • Target version set to 2.0

It's intentionally skipped for WAN (and WAN only, OPT WANs are handled correctly - except in the case of a DHCP interface, where it will get skipped as well), but there are some rare scenarios where this is necessary. The above doesn't add the correct rule (too open) and doesn't accommodate DHCP, PPPoE, and PPTP WAN types.

#3 Updated by Scott Ullrich over 9 years ago

If you can describe the logic involved I can take a look.

#4 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

This is not the case anymore in 2.0.
It will add the bypass for each interface on which a static route is present, and you can create an out rule through Floating rules.

#5 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

fixed
