Bug #131: "Static route filtering" doesn't add rules for routes on WAN
Status: closed
Description
The "Static route filtering" option (under System -> Advanced) doesn't account for packets entering and leaving the same interface when that interface goes to the default route.
While it's possible for a user to add a rule to pass in traffic on the WAN interface from the WAN subnet to any statelessly, it's not possible to create a corresponding stateless outgoing rule (since the pass out rule is stateful and specifies S/SA flags).
For our install, I modified the end of the filter_rules_generate() function with the following, although this code doesn't handle certain situations (such as when the default route isn't present on the WAN interface, or multi-WAN setups).
    $ipfrules .= <<<EOD
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"

EOD;

    // Stateless pass out on WAN for the local WAN subnet, so traffic that enters
    // and leaves WAN is not dropped by the stateful (S/SA) pass out rule.
    // Must come before the quick default deny rules below.
    if (isset($config['filter']['bypassstaticroutes'])) {
        $wansa = gen_subnet($wancfg['ipaddr'], $wancfg['subnet']);
        $wansn = $wancfg['subnet'];
        $ipfrules .= "pass out quick on $wanif inet from $wansa/$wansn to any no state label \"pass traffic between local wan subnet and the default route\" \n";
    }

    $ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in $log quick all label "Default deny rule"
block out $log quick all label "Default deny rule"

EOD;

    return $ipfrules;
}
Updated by Garret Huntress about 15 years ago
That code didn't paste well. Here's a second go at it:
    $ipfrules .= <<<EOD
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"

EOD;

    if (isset($config['filter']['bypassstaticroutes'])) {
        $wansa = gen_subnet($wancfg['ipaddr'], $wancfg['subnet']);
        $wansn = $wancfg['subnet'];
        $ipfrules .= "pass out quick on $wanif inet from $wansa/$wansn to any no state label \"pass traffic between local wan subnet and the default route\" \n";
    }

    $ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in $log quick all label "Default deny rule"
block out $log quick all label "Default deny rule"

EOD;

    return $ipfrules;
}
Updated by Chris Buechler about 15 years ago
- Subject changed from Static route filtering doesn't account for wan subnet and default route to "Static route filtering" doesn't add rules for routes on WAN
- Target version set to 2.0
It's intentionally skipped for WAN (and WAN only, OPT WANs are handled correctly - except in the case of a DHCP interface, where it will get skipped as well), but there are some rare scenarios where this is necessary. The above doesn't add the correct rule (too open) and doesn't accommodate DHCP, PPPoE, and PPTP WAN types.
Updated by Scott Ullrich almost 15 years ago
If you can describe the logic involved I can take a look.
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
This is not the case anymore in 2.0.
It will add the bypass for each interface a static route is there, and you can create an out rule through Floating rules.
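As an added illustration (not pfSense's own code and not the patch posted above), the following Python models the approach the description and the last comment describe: for each static route, find the interface its gateway is directly connected to and emit stateless pass rules in both directions ahead of the quick default deny, so traffic that enters and leaves that same interface is not dropped by a stateful out rule. Interface names, subnets, routes and the exact rule wording are constructed assumptions.

```python
import ipaddress

# Constructed sample: a WAN carrying the default route and a LAN, plus two
# static routes, one reachable via a router on the WAN subnet and one via a
# router on the LAN subnet.
INTERFACES = {
    "wan": {"pfname": "em0", "subnet": "203.0.113.0/24"},
    "lan": {"pfname": "em1", "subnet": "192.168.1.0/24"},
}
STATIC_ROUTES = [
    {"network": "198.51.100.0/24", "gateway": "203.0.113.254"},
    {"network": "10.10.0.0/16", "gateway": "192.168.1.254"},
]


def interface_for_gateway(gateway, interfaces):
    """Return the interface whose subnet contains the route's gateway, or None."""
    addr = ipaddress.ip_address(gateway)
    for name, cfg in interfaces.items():
        if addr in ipaddress.ip_network(cfg["subnet"]):
            return name
    return None


def bypass_rules(interfaces, routes):
    """Emit direction-less, stateless pass rules for every static route network
    on the interface its gateway lives on.  Hairpinned traffic (in and out on
    the same interface) is asymmetric, so a stateful 'pass out' with S/SA
    flags never sees a full handshake; 'no state' avoids that."""
    rules = []
    for route in routes:
        ifname = interface_for_gateway(route["gateway"], interfaces)
        if ifname is None:
            continue  # gateway not on a directly connected subnet: no bypass
        pf, net = interfaces[ifname]["pfname"], route["network"]
        label = f'"bypass static route {net} on {ifname}"'
        rules.append(f"pass quick on {pf} from any to {net} no state label {label}")
        rules.append(f"pass quick on {pf} from {net} to any no state label {label}")
    return rules


def filter_rules(interfaces, routes, bypass=True):
    """Tail of a ruleset: bypass rules must precede the quick default deny,
    otherwise the block rules would match first and the bypass would be dead."""
    rules = bypass_rules(interfaces, routes) if bypass else []
    rules.append('block in log quick all label "Default deny rule"')
    rules.append('block out log quick all label "Default deny rule"')
    return "\n".join(rules)


if __name__ == "__main__":
    print(filter_rules(INTERFACES, STATIC_ROUTES))
```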