Revision 3e975038
Added by Kristof Provost over 3 years ago
src/etc/inc/filter.inc | ||
160 | 160 |
global $negate_tracker; |
161 | 161 |
|
162 | 162 |
++$negate_tracker; |
163 |
return "tracker {$negate_tracker} ";
|
|
163 |
return "ridentifier {$negate_tracker} ";
|
|
164 | 164 |
} |
165 | 165 |
|
166 | 166 |
function user_rule_descr_maxlen() { |
... | ... | |
3434 | 3434 |
} |
3435 | 3435 |
|
3436 | 3436 |
if (!empty($rule['tracker'])) { |
3437 |
$aline['tracker'] = "tracker {$rule['tracker']} ";
|
|
3437 |
$aline['tracker'] = "ridentifier {$rule['tracker']} ";
|
|
3438 | 3438 |
} |
3439 | 3439 |
|
3440 | 3440 |
$line = ""; |
... | ... | |
3500 | 3500 |
|
3501 | 3501 |
if (!isset($config['system']['ipv6allow'])) { |
3502 | 3502 |
$ipfrules .= "# Allow IPv6 on loopback\n"; |
3503 |
$ipfrules .= "pass in {$log['pass']} quick on \$loopback inet6 all tracker {$increment_tracker()} label \"pass IPv6 loopback\"\n";
|
|
3504 |
$ipfrules .= "pass out {$log['pass']} quick on \$loopback inet6 all tracker {$increment_tracker()} label \"pass IPv6 loopback\"\n";
|
|
3503 |
$ipfrules .= "pass in {$log['pass']} quick on \$loopback inet6 all ridentifier {$increment_tracker()} label \"pass IPv6 loopback\"\n";
|
|
3504 |
$ipfrules .= "pass out {$log['pass']} quick on \$loopback inet6 all ridentifier {$increment_tracker()} label \"pass IPv6 loopback\"\n";
|
|
3505 | 3505 |
$ipfrules .= "# Block all IPv6\n"; |
3506 |
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker()} label \"Block all IPv6\"\n";
|
|
3507 |
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker()} label \"Block all IPv6\"\n";
|
|
3506 |
$ipfrules .= "block in {$log['block']} quick inet6 all ridentifier {$increment_tracker()} label \"Block all IPv6\"\n";
|
|
3507 |
$ipfrules .= "block out {$log['block']} quick inet6 all ridentifier {$increment_tracker()} label \"Block all IPv6\"\n";
|
|
3508 | 3508 |
} |
3509 | 3509 |
|
3510 | 3510 |
$saved_tracker += 100; |
... | ... | |
3515 | 3515 |
# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, |
3516 | 3516 |
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but |
3517 | 3517 |
# route-to can override that, causing problems such as in redmine #2073 |
3518 |
block in {$log['block']} quick from 169.254.0.0/16 to any tracker {$increment_tracker()} label "Block IPv4 link-local"
|
|
3519 |
block in {$log['block']} quick from any to 169.254.0.0/16 tracker {$increment_tracker()} label "Block IPv4 link-local"
|
|
3518 |
block in {$log['block']} quick from 169.254.0.0/16 to any ridentifier {$increment_tracker()} label "Block IPv4 link-local"
|
|
3519 |
block in {$log['block']} quick from any to 169.254.0.0/16 ridentifier {$increment_tracker()} label "Block IPv4 link-local"
|
|
3520 | 3520 |
|
3521 | 3521 |
EOD; |
3522 | 3522 |
} |
... | ... | |
3525 | 3525 |
#--------------------------------------------------------------------------- |
3526 | 3526 |
# default deny rules |
3527 | 3527 |
#--------------------------------------------------------------------------- |
3528 |
block in {$log['block']} inet all tracker {$increment_tracker()} label "Default deny rule IPv4"
|
|
3529 |
block out {$log['block']} inet all tracker {$increment_tracker()} label "Default deny rule IPv4"
|
|
3530 |
block in {$log['block']} inet6 all tracker {$increment_tracker()} label "Default deny rule IPv6"
|
|
3531 |
block out {$log['block']} inet6 all tracker {$increment_tracker()} label "Default deny rule IPv6"
|
|
3528 |
block in {$log['block']} inet all ridentifier {$increment_tracker()} label "Default deny rule IPv4"
|
|
3529 |
block out {$log['block']} inet all ridentifier {$increment_tracker()} label "Default deny rule IPv4"
|
|
3530 |
block in {$log['block']} inet6 all ridentifier {$increment_tracker()} label "Default deny rule IPv6"
|
|
3531 |
block out {$log['block']} inet6 all ridentifier {$increment_tracker()} label "Default deny rule IPv6"
|
|
3532 | 3532 |
|
3533 | 3533 |
EOD; |
3534 | 3534 |
|
... | ... | |
3545 | 3545 |
# 134 routeradv Router advertisement |
3546 | 3546 |
# 135 neighbrsol Neighbor solicitation |
3547 | 3547 |
# 136 neighbradv Neighbor advertisement |
3548 |
pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker()} keep state
|
|
3548 |
pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier {$increment_tracker()} keep state
|
|
3549 | 3549 |
|
3550 | 3550 |
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) |
3551 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker()} keep state
|
|
3552 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker()} keep state
|
|
3553 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker()} keep state
|
|
3554 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker()} keep state
|
|
3555 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker()} keep state
|
|
3556 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker()} keep state
|
|
3551 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier {$increment_tracker()} keep state
|
|
3552 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier {$increment_tracker()} keep state
|
|
3553 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier {$increment_tracker()} keep state
|
|
3554 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier {$increment_tracker()} keep state
|
|
3555 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier {$increment_tracker()} keep state
|
|
3556 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier {$increment_tracker()} keep state
|
|
3557 | 3557 |
|
3558 | 3558 |
EOD; |
3559 | 3559 |
} |
3560 | 3560 |
$ipfrules .= <<<EOD |
3561 | 3561 |
# We use the mighty pf, we cannot be fooled. |
3562 |
block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker()} label "Block traffic from port 0"
|
|
3563 |
block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker()} label "Block traffic to port 0"
|
|
3562 |
block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any ridentifier {$increment_tracker()} label "Block traffic from port 0"
|
|
3563 |
block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 ridentifier {$increment_tracker()} label "Block traffic to port 0"
|
|
3564 | 3564 |
|
3565 | 3565 |
EOD; |
3566 | 3566 |
if (isset($config['system']['ipv6allow'])) { |
3567 | 3567 |
$ipfrules .= <<<EOD |
3568 |
block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker()} label "Block traffic from port 0"
|
|
3569 |
block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker()} label "Block traffic to port 0"
|
|
3568 |
block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any ridentifier {$increment_tracker()} label "Block traffic from port 0"
|
|
3569 |
block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 ridentifier {$increment_tracker()} label "Block traffic to port 0"
|
|
3570 | 3570 |
|
3571 | 3571 |
EOD; |
3572 | 3572 |
} |
3573 | 3573 |
$ipfrules .= <<<EOD |
3574 | 3574 |
|
3575 | 3575 |
# Snort package |
3576 |
block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker()} label "Block snort2c hosts"
|
|
3577 |
block {$log['block']} quick from any to <snort2c> tracker {$increment_tracker()} label "Block snort2c hosts"
|
|
3576 |
block {$log['block']} quick from <snort2c> to any ridentifier {$increment_tracker()} label "Block snort2c hosts"
|
|
3577 |
block {$log['block']} quick from any to <snort2c> ridentifier {$increment_tracker()} label "Block snort2c hosts"
|
|
3578 | 3578 |
|
3579 | 3579 |
EOD; |
3580 | 3580 |
|
... | ... | |
3590 | 3590 |
if (is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) { |
3591 | 3591 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port "; |
3592 | 3592 |
$ipfrules .= $config['system']['ssh']['port']; |
3593 |
$ipfrules .= " tracker {$increment_tracker()} label \"sshguard\"\n";
|
|
3593 |
$ipfrules .= " ridentifier {$increment_tracker()} label \"sshguard\"\n";
|
|
3594 | 3594 |
} else { |
3595 | 3595 |
if ($config['system']['ssh']['port'] <> "") { |
3596 | 3596 |
$sshport = $config['system']['ssh']['port']; |
... | ... | |
3598 | 3598 |
$sshport = 22; |
3599 | 3599 |
} |
3600 | 3600 |
if ($sshport) { |
3601 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$sshport} tracker {$increment_tracker()} label \"sshguard\"\n";
|
|
3601 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$sshport} ridentifier {$increment_tracker()} label \"sshguard\"\n";
|
|
3602 | 3602 |
} |
3603 | 3603 |
} |
3604 | 3604 |
|
... | ... | |
3616 | 3616 |
$webConfiguratorlockoutport = $config['system']['webgui']['port']; |
3617 | 3617 |
} |
3618 | 3618 |
if ($webConfiguratorlockoutport) { |
3619 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker()} label \"GUI Lockout\"\n";
|
|
3619 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$webConfiguratorlockoutport} ridentifier {$increment_tracker()} label \"GUI Lockout\"\n";
|
|
3620 | 3620 |
} |
3621 | 3621 |
|
3622 | 3622 |
$saved_tracker += 100; |
... | ... | |
3626 | 3626 |
* Support for allow limiting of TCP connections by establishment rate |
3627 | 3627 |
* Useful for protecting against sudden outbursts, etc. |
3628 | 3628 |
*/ |
3629 |
$ipfrules .= "block in {$log['block']} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n";
|
|
3629 |
$ipfrules .= "block in {$log['block']} quick from <virusprot> to any ridentifier 1000000400 label \"virusprot overload table\"\n";
|
|
3630 | 3630 |
|
3631 | 3631 |
$saved_tracker += 100; |
3632 | 3632 |
$tracker = $saved_tracker; |
... | ... | |
3670 | 3670 |
$listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : 8000 + $cpcfg['zoneid']; |
3671 | 3671 |
$portalias = $listenporthttps; |
3672 | 3672 |
$portalias .= " {$listenporthttp}"; |
3673 |
$ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker()} keep state(sloppy)\n";
|
|
3674 |
$ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker()} keep state(sloppy)\n";
|
|
3673 |
$ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } ridentifier {$increment_tracker()} keep state(sloppy)\n";
|
|
3674 |
$ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any ridentifier {$increment_tracker()} keep state(sloppy)\n";
|
|
3675 | 3675 |
} |
3676 | 3676 |
} |
3677 | 3677 |
} |
... | ... | |
3685 | 3685 |
$vlantag = isset($config['interfaces'][$on]['dhcpvlanenable']) ? "set prio {$vlanprio_values[$config['interfaces'][$on]['dhcpcvpt']]}" : ""; |
3686 | 3686 |
$ipfrules .= <<<EOD |
3687 | 3687 |
# allow our DHCP client out to the {$oc['descr']} |
3688 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker()} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
3689 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker()} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" {$vlantag}
|
|
3688 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 67 to any port = 68 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
3689 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to any port = 67 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" {$vlantag}
|
|
3690 | 3690 |
# Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP. |
3691 | 3691 |
|
3692 | 3692 |
EOD; |
... | ... | |
3698 | 3698 |
|
3699 | 3699 |
$ipfrules .= <<<EOD |
3700 | 3700 |
# allow our DHCPv6 client out to the {$oc['descr']} |
3701 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
3702 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
3701 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
3702 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
3703 | 3703 |
# Add Priority to dhcp6c packets if enabled |
3704 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" {$vlantag}
|
|
3704 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" {$vlantag}
|
|
3705 | 3705 |
|
3706 | 3706 |
EOD; |
3707 | 3707 |
} |
... | ... | |
3723 | 3723 |
$ipfrules .= <<<EOD |
3724 | 3724 |
# block bogon networks (IPv4) |
3725 | 3725 |
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt |
3726 |
block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker {$bogons_increment()} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
|
|
3726 |
block in $bogonlog quick on \${$oc['descr']} from <bogons> to any ridentifier {$bogons_increment()} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
|
|
3727 | 3727 |
|
3728 | 3728 |
EOD; |
3729 | 3729 |
|
... | ... | |
3731 | 3731 |
$ipfrules .= <<<EOD |
3732 | 3732 |
# block bogon networks (IPv6) |
3733 | 3733 |
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt |
3734 |
block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker {$bogons_increment()} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
|
|
3734 |
block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any ridentifier {$bogons_increment()} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
|
|
3735 | 3735 |
|
3736 | 3736 |
EOD; |
3737 | 3737 |
} |
... | ... | |
3768 | 3768 |
if ($isbridged == false) { |
3769 | 3769 |
$ipfrules .= <<<EOD |
3770 | 3770 |
# block anything from private networks on interfaces with the option set |
3771 |
block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
|
|
3772 |
block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
|
|
3773 |
block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
|
|
3774 |
block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
|
|
3775 |
block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker {$rfc1918_increment()} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
|
|
3771 |
block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any ridentifier {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
|
|
3772 |
block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any ridentifier {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
|
|
3773 |
block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any ridentifier {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
|
|
3774 |
block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any ridentifier {$rfc1918_increment()} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
|
|
3775 |
block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any ridentifier {$rfc1918_increment()} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
|
|
3776 | 3776 |
|
3777 | 3777 |
EOD; |
3778 | 3778 |
} |
... | ... | |
3785 | 3785 |
case "pptp": |
3786 | 3786 |
$ipfrules .= <<<EOD |
3787 | 3787 |
# allow PPTP client |
3788 |
pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker()} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
3788 |
pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state ridentifier {$increment_tracker()} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
3789 | 3789 |
|
3790 | 3790 |
EOD; |
3791 | 3791 |
break; |
... | ... | |
3798 | 3798 |
if (isset($config['dhcpd'][$on]['enable'])) { |
3799 | 3799 |
$ipfrules .= <<<EOD |
3800 | 3800 |
# allow access to DHCP server on {$oc['descr']} |
3801 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker()} label "allow access to DHCP server"
|
|
3801 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier {$increment_tracker()} label "allow access to DHCP server"
|
|
3802 | 3802 |
|
3803 | 3803 |
EOD; |
3804 | 3804 |
if (is_ipaddrv4($oc['ip'])) { |
3805 | 3805 |
$ipfrules .= <<<EOD |
3806 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker()} label "allow access to DHCP server"
|
|
3807 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker()} label "allow access to DHCP server"
|
|
3806 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 ridentifier {$increment_tracker()} label "allow access to DHCP server"
|
|
3807 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 ridentifier {$increment_tracker()} label "allow access to DHCP server"
|
|
3808 | 3808 |
|
3809 | 3809 |
EOD; |
3810 | 3810 |
} |
... | ... | |
3812 | 3812 |
if (is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") { |
3813 | 3813 |
$ipfrules .= <<<EOD |
3814 | 3814 |
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} |
3815 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker()} label "allow access to DHCP failover"
|
|
3816 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker()} label "allow access to DHCP failover"
|
|
3815 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 ridentifier {$increment_tracker()} label "allow access to DHCP failover"
|
|
3816 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 ridentifier {$increment_tracker()} label "allow access to DHCP failover"
|
|
3817 | 3817 |
|
3818 | 3818 |
EOD; |
3819 | 3819 |
} |
... | ... | |
3826 | 3826 |
if ($dhcrelayif == $on) { |
3827 | 3827 |
$ipfrules .= <<<EOD |
3828 | 3828 |
# allow access to DHCP relay on {$oc['descr']} |
3829 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker()} label "allow access to DHCP relay"
|
|
3829 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier {$increment_tracker()} label "allow access to DHCP relay"
|
|
3830 | 3830 |
|
3831 | 3831 |
EOD; |
3832 | 3832 |
} |
... | ... | |
3842 | 3842 |
if (is_ipaddrv4($config['interfaces'][$on]['gateway-6rd'])) { |
3843 | 3843 |
$ipfrules .= <<<EOD |
3844 | 3844 |
# allow our proto 41 traffic from the 6RD border relay in |
3845 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
|
|
3846 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
|
|
3845 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
|
|
3846 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
|
|
3847 | 3847 |
|
3848 | 3848 |
EOD; |
3849 | 3849 |
} |
... | ... | |
3851 | 3851 |
/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */ |
3852 | 3852 |
if (0 && is_ipaddrv6($oc['ipv6'])) { |
3853 | 3853 |
$ipfrules .= <<<EOD |
3854 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
|
|
3855 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
|
|
3854 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
|
|
3855 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
|
|
3856 | 3856 |
|
3857 | 3857 |
EOD; |
3858 | 3858 |
} |
... | ... | |
3861 | 3861 |
if (is_ipaddrv4($oc['ip'])) { |
3862 | 3862 |
$ipfrules .= <<<EOD |
3863 | 3863 |
# allow our proto 41 traffic from the 6to4 border relay in |
3864 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
3865 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
3864 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
3865 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
3866 | 3866 |
|
3867 | 3867 |
EOD; |
3868 | 3868 |
} |
3869 | 3869 |
/* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */ |
3870 | 3870 |
if (0 && is_ipaddrv6($oc['ipv6'])) { |
3871 | 3871 |
$ipfrules .= <<<EOD |
3872 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
3873 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
3872 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
3873 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any ridentifier {$increment_tracker()} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
3874 | 3874 |
|
3875 | 3875 |
EOD; |
3876 | 3876 |
} |
... | ... | |
3882 | 3882 |
$ipfrules .= <<<EOD |
3883 | 3883 |
# allow access to DHCPv6 server on {$oc['descr']} |
3884 | 3884 |
# We need inet6 icmp for stateless autoconfig and dhcpv6 |
3885 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3886 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3887 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3888 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3885 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3886 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3887 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3888 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3889 | 3889 |
|
3890 | 3890 |
EOD; |
3891 | 3891 |
if (is_ipaddrv6($oc['ipv6'])) { |
3892 | 3892 |
$ipfrules .= <<<EOD |
3893 |
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3894 |
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3893 |
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3894 |
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
|
|
3895 | 3895 |
|
3896 | 3896 |
EOD; |
3897 | 3897 |
} |
... | ... | |
3911 | 3911 |
$ipfrules .= <<<EOD |
3912 | 3912 |
|
3913 | 3913 |
# loopback |
3914 |
pass in {$log['pass']} on \$loopback inet all tracker {$increment_tracker()} label "pass IPv4 loopback"
|
|
3915 |
pass out {$log['pass']} on \$loopback inet all tracker {$increment_tracker()} label "pass IPv4 loopback"
|
|
3914 |
pass in {$log['pass']} on \$loopback inet all ridentifier {$increment_tracker()} label "pass IPv4 loopback"
|
|
3915 |
pass out {$log['pass']} on \$loopback inet all ridentifier {$increment_tracker()} label "pass IPv4 loopback"
|
|
3916 | 3916 |
|
3917 | 3917 |
EOD; |
3918 | 3918 |
if (isset($config['system']['ipv6allow'])) { |
3919 | 3919 |
$ipfrules .= <<<EOD |
3920 |
pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker()} label "pass IPv6 loopback"
|
|
3921 |
pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker()} label "pass IPv6 loopback"
|
|
3920 |
pass in {$log['pass']} on \$loopback inet6 all ridentifier {$increment_tracker()} label "pass IPv6 loopback"
|
|
3921 |
pass out {$log['pass']} on \$loopback inet6 all ridentifier {$increment_tracker()} label "pass IPv6 loopback"
|
|
3922 | 3922 |
|
3923 | 3923 |
EOD; |
3924 | 3924 |
} |
3925 | 3925 |
$ipfrules .= <<<EOD |
3926 | 3926 |
# let out anything from the firewall host itself and decrypted IPsec traffic |
3927 |
pass out {$log['pass']} inet all keep state allow-opts tracker {$increment_tracker()} label "let out anything IPv4 from firewall host itself"
|
|
3927 |
pass out {$log['pass']} inet all keep state allow-opts ridentifier {$increment_tracker()} label "let out anything IPv4 from firewall host itself"
|
|
3928 | 3928 |
|
3929 | 3929 |
EOD; |
3930 | 3930 |
if (isset($config['system']['ipv6allow'])) { |
3931 | 3931 |
$ipfrules .= <<<EOD |
3932 |
pass out {$log['pass']} inet6 all keep state allow-opts tracker {$increment_tracker()} label "let out anything IPv6 from firewall host itself"
|
|
3932 |
pass out {$log['pass']} inet6 all keep state allow-opts ridentifier {$increment_tracker()} label "let out anything IPv6 from firewall host itself"
|
|
3933 | 3933 |
|
3934 | 3934 |
EOD; |
3935 | 3935 |
} |
... | ... | |
3945 | 3945 |
$gw = get_interface_gateway($ifdescr); |
3946 | 3946 |
$routeto = (substr($ifcfg['if'], 0, 5) != "ipsec") ? "route-to ( {$ifcfg['if']} {$gw} )" : ""; |
3947 | 3947 |
if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip']) && is_subnetv4("{$ifcfg['sa']}/{$ifcfg['sn']}")) { |
3948 |
$ipfrules .= "pass out {$log['pass']} {$routeto} from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3948 |
$ipfrules .= "pass out {$log['pass']} {$routeto} from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} ridentifier {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3949 | 3949 |
if (is_array($ifcfg['vips'])) { |
3950 | 3950 |
foreach ($ifcfg['vips'] as $vip) { |
3951 | 3951 |
if ($vip['mode'] == "proxyarp") { |
... | ... | |
3955 | 3955 |
continue; |
3956 | 3956 |
} |
3957 | 3957 |
if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}")) { |
3958 |
$ipfrules .= "pass out {$log['pass']} {$routeto} from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3958 |
$ipfrules .= "pass out {$log['pass']} {$routeto} from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} ridentifier {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3959 | 3959 |
} else { |
3960 |
$ipfrules .= "pass out {$log['pass']} {$routeto} from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3960 |
$ipfrules .= "pass out {$log['pass']} {$routeto} from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} ridentifier {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3961 | 3961 |
} |
3962 | 3962 |
} |
3963 | 3963 |
} |
... | ... | |
3968 | 3968 |
$pdlen = 64 - (int) calculate_ipv6_delegation_length($ifdescr); |
3969 | 3969 |
$routeto = (substr($ifcfg['if'], 0, 5) != "ipsec") ? "route-to ( {$stf} {$gwv6} )" : ""; |
3970 | 3970 |
if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6']) && is_subnetv6("{$ifcfg['ipv6']}/{$pdlen}")) { |
3971 |
$ipfrules .= "pass out {$log['pass']} {$routeto} inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3971 |
$ipfrules .= "pass out {$log['pass']} {$routeto} inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} ridentifier {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3972 | 3972 |
if (is_array($ifcfg['vips6'])) { |
3973 | 3973 |
foreach ($ifcfg['vips6'] as $vip) { |
3974 | 3974 |
if (!is_ipaddrv6($vip['ip']) || !is_subnetv6("{$vip['ip']}/{$pdlen}")) { |
3975 | 3975 |
continue; |
3976 | 3976 |
} |
3977 |
$ipfrules .= "pass out {$log['pass']} {$routeto} inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3977 |
$ipfrules .= "pass out {$log['pass']} {$routeto} inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} ridentifier {$increment_tracker()} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3978 | 3978 |
} |
3979 | 3979 |
} |
3980 | 3980 |
} |
... | ... | |
3988 | 3988 |
require_once("ipsec.inc"); |
3989 | 3989 |
} |
3990 | 3990 |
if (ipsec_enabled()) { |
3991 |
$ipfrules .= "pass out {$log['pass']} on \$IPsec all tracker {$increment_tracker()} tracker {$increment_tracker()} keep state label \"IPsec internal host to host\"\n";
|
|
3991 |
$ipfrules .= "pass out {$log['pass']} on \$IPsec all ridentifier {$increment_tracker()} ridentifier {$increment_tracker()} keep state label \"IPsec internal host to host\"\n";
|
|
3992 | 3992 |
} |
3993 | 3993 |
|
3994 | 3994 |
$saved_tracker += 10; |
... | ... | |
4003 | 4003 |
$lanif = $FilterIflist['lan']['if']; |
4004 | 4004 |
$ipfrules .= <<<EOD |
4005 | 4005 |
# make sure the user cannot lock himself out of the webConfigurator or SSH |
4006 |
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$antilockout_increment()} keep state label "anti-lockout rule"
|
|
4006 |
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } ridentifier {$antilockout_increment()} keep state label "anti-lockout rule"
|
|
4007 | 4007 |
|
4008 | 4008 |
EOD; |
4009 | 4009 |
} else if (count($config['interfaces']) == 1) { |
... | ... | |
4011 | 4011 |
$wanif = $FilterIflist["wan"]['if']; |
4012 | 4012 |
$ipfrules .= <<<EOD |
4013 | 4013 |
# make sure the user cannot lock himself out of the webConfigurator or SSH |
4014 |
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$antilockout_increment()} keep state label "anti-lockout rule"
|
|
4014 |
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } ridentifier {$antilockout_increment()} keep state label "anti-lockout rule"
|
|
4015 | 4015 |
|
4016 | 4016 |
EOD; |
4017 | 4017 |
} |
... | ... | |
4026 | 4026 |
($rule['natreflection'] != "disable")) { |
4027 | 4027 |
$ipfrules .= "# NAT Reflection rules\n"; |
4028 | 4028 |
$ipfrules .= <<<EOD |
4029 |
pass in {$log['pass']} inet tagged PFREFLECT tracker {$increment_tracker()} keep state label "NAT REFLECT: Allow traffic to localhost"
|
|
4029 |
pass in {$log['pass']} inet tagged PFREFLECT ridentifier {$increment_tracker()} keep state label "NAT REFLECT: Allow traffic to localhost"
|
|
4030 | 4030 |
|
4031 | 4031 |
EOD; |
4032 | 4032 |
break; |
... | ... | |
4139 | 4139 |
} |
4140 | 4140 |
if ($sa && is_ipaddrv4($routeent[0])) { |
4141 | 4141 |
$ipfrules .= <<<EOD |
4142 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4143 |
pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4144 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4145 |
pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4142 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4143 |
pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4144 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4145 |
pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4146 | 4146 |
|
4147 | 4147 |
EOD; |
4148 | 4148 |
} |
... | ... | |
4153 | 4153 |
} |
4154 | 4154 |
if ($sa && is_ipaddrv6($routeent[0])) { |
4155 | 4155 |
$ipfrules .= <<<EOD |
4156 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4157 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4158 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4159 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4156 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4157 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4158 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4159 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} ridentifier {$increment_tracker()} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
4160 | 4160 |
|
4161 | 4161 |
EOD; |
4162 | 4162 |
} |
... | ... | |
4191 | 4191 |
} |
4192 | 4192 |
if ($sa) { |
4193 | 4193 |
$ipfrules .= <<<EOD |
4194 |
pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker()} keep state label "pass multicast traffic to miniupnpd"
|
|
4194 |
pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 ridentifier {$increment_tracker()} keep state label "pass multicast traffic to miniupnpd"
|
|
4195 | 4195 |
|
4196 | 4196 |
EOD; |
4197 | 4197 |
} |
... | ... | |
4209 | 4209 |
$mt = microtime(); |
4210 | 4210 |
echo "filter_rules_spoofcheck_generate() being called $mt\n"; |
4211 | 4211 |
} |
4212 |
$ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} tracker {$tracker}\n";
|
|
4212 |
$ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} ridentifier {$tracker}\n";
|
|
4213 | 4213 |
$tracker++; |
4214 | 4214 |
|
4215 | 4215 |
return $ipfrules; |
... | ... | |
4452 | 4452 |
/* return if there are no carp configured items */ |
4453 | 4453 |
if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) { |
4454 | 4454 |
$lines .= "\n# CARP rules\n"; |
4455 |
$lines .= "block in {$log['block']} quick proto carp from (self) to any tracker {$increment_tracker()}\n";
|
|
4456 |
$lines .= "pass {$log['pass']} quick proto carp tracker {$increment_tracker()} no state\n";
|
|
4455 |
$lines .= "block in {$log['block']} quick proto carp from (self) to any ridentifier {$increment_tracker()}\n";
|
|
4456 |
$lines .= "pass {$log['pass']} quick proto carp ridentifier {$increment_tracker()} no state\n";
|
|
4457 | 4457 |
} |
4458 | 4458 |
return $lines; |
4459 | 4459 |
} |
... | ... | |
4588 | 4588 |
// don't add "pass out" rules where $rgip is any, 0.0.0.0/0 or ::/0 as it will over-match and often break VPN clients behind the system in multi-WAN scenarios. redmine #5819, #12262 |
4589 | 4589 |
if ($passout) { |
4590 | 4590 |
$ike_out = isset($ph1ent['ikeport']) ? $ph1ent['ikeport'] : 500; |
4591 |
$ipfrules .= "pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = {$ike_out} tracker {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\"\n";
|
|
4591 |
$ipfrules .= "pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = {$ike_out} ridentifier {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\"\n";
|
|
4592 | 4592 |
} |
4593 | 4593 |
$ike_in = isset($config['ipsec']['port']) ? $config['ipsec']['port'] : 500; |
4594 | 4594 |
$ipfrules .= <<<EOD |
4595 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = {$ike_in} tracker {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
|
|
4595 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = {$ike_in} ridentifier {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
|
|
4596 | 4596 |
|
4597 | 4597 |
EOD; |
4598 | 4598 |
if ($passout) { |
4599 | 4599 |
$natt_out = isset($ph1ent['nattport']) ? $ph1ent['nattport'] : 4500; |
4600 |
$ipfrules .= "pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = {$natt_out} tracker {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\"\n";
|
|
4600 |
$ipfrules .= "pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = {$natt_out} ridentifier {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\"\n";
|
|
4601 | 4601 |
} |
4602 | 4602 |
$natt_in = isset($config['ipsec']['port_nat_t']) ? $config['ipsec']['port_nat_t'] : 4500; |
4603 | 4603 |
$ipfrules .= <<<EOD |
4604 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = {$natt_in} tracker {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
|
|
4604 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = {$natt_in} ridentifier {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
|
|
4605 | 4605 |
|
4606 | 4606 |
EOD; |
4607 | 4607 |
/* Add rules to allow the protocols in use */ |
4608 | 4608 |
if ($prot_used_esp) { |
4609 | 4609 |
if ($passout) { |
4610 |
$ipfrules .= "pass out {$log['pass']} $route_to proto esp from (self) to {$rgip} tracker {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\"\n";
|
|
4610 |
$ipfrules .= "pass out {$log['pass']} $route_to proto esp from (self) to {$rgip} ridentifier {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\"\n";
|
|
4611 | 4611 |
} |
4612 | 4612 |
$ipfrules .= <<<EOD |
4613 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to (self) tracker {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
|
|
4613 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to (self) ridentifier {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
|
|
4614 | 4614 |
|
4615 | 4615 |
EOD; |
4616 | 4616 |
} |
4617 | 4617 |
if ($prot_used_ah) { |
4618 | 4618 |
if ($passout) { |
4619 |
$ipfrules .= "pass out {$log['pass']} $route_to proto ah from (self) to {$rgip} tracker {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\"\n";
|
|
4619 |
$ipfrules .= "pass out {$log['pass']} $route_to proto ah from (self) to {$rgip} ridentifier {$increment_tracker()} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\"\n";
|
|
4620 | 4620 |
} |
4621 | 4621 |
$ipfrules .= <<<EOD |
4622 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to (self) tracker {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
|
|
4622 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to (self) ridentifier {$increment_tracker()} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
|
|
4623 | 4623 |
|
4624 | 4624 |
EOD; |
4625 | 4625 |
} |
Rename 'tracker' to 'ridentifier'
FreeBSD has included our 'tracker' functionality, but calls it
'ridentifier' instead. Change the rule-generating code to cope with
that.