Revision a4e4b560
Added by Renato Botelho almost 12 years ago
etc/inc/filter.inc | ||
70 | 70 |
"vpn_networks", |
71 | 71 |
"webConfiguratorlockout"); |
72 | 72 |
|
73 |
function fix_rule_label($descr) { |
|
74 |
$descr = str_replace('"', '', $descr); |
|
75 |
if (strlen($descr) > 63) |
|
76 |
return substr($descr, 0, 60) . "..."; |
|
77 |
else |
|
78 |
return $descr; |
|
79 |
} |
|
80 |
|
|
73 | 81 |
function is_bogonsv6_used() { |
74 | 82 |
global $config, $g; |
75 | 83 |
# Only use bogonsv6 table if IPv6 Allow is on, and at least 1 enabled interface also has "blockbogons" enabled. |
... | ... | |
1955 | 1963 |
$ret['rule'] = $line; |
1956 | 1964 |
$ret['interface'] = $rule['interface']; |
1957 | 1965 |
if($rule['descr'] != "" and $line != "") |
1958 |
$ret['descr'] = "label \"USER_RULE: " . str_replace('"', '', substr($rule['descr'], 0, 52)) . "\"";
|
|
1966 |
$ret['descr'] = "label \"" . fix_rule_label("USER_RULE: {$rule['descr']}") . "\"";
|
|
1959 | 1967 |
else |
1960 | 1968 |
$ret['descr'] = "label \"USER_RULE\""; |
1961 | 1969 |
|
... | ... | |
2514 | 2522 |
function filter_rules_generate() { |
2515 | 2523 |
global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList; |
2516 | 2524 |
|
2525 |
$fix_rule_label = 'fix_rule_label'; |
|
2526 |
|
|
2517 | 2527 |
update_filter_reload_status(gettext("Creating default rules")); |
2518 | 2528 |
if(isset($config['system']['developerspew'])) { |
2519 | 2529 |
$mt = microtime(); |
... | ... | |
2676 | 2686 |
# block bogon networks |
2677 | 2687 |
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt |
2678 | 2688 |
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt |
2679 |
block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
|
|
2689 |
block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
|
|
2680 | 2690 |
|
2681 | 2691 |
EOD; |
2682 | 2692 |
if(isset($config['system']['ipv6allow'])) { |
2683 | 2693 |
$ipfrules .= <<<EOD |
2684 |
block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
|
|
2694 |
block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
|
|
2685 | 2695 |
|
2686 | 2696 |
EOD; |
2687 | 2697 |
} |
... | ... | |
2708 | 2718 |
$ipfrules .= <<<EOD |
2709 | 2719 |
# block anything from private networks on interfaces with the option set |
2710 | 2720 |
antispoof for \${$oc['descr']} |
2711 |
block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 10/8"
|
|
2712 |
block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 127/8"
|
|
2713 |
block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "Block private networks from {$oc['descr']} block 100.64/10"
|
|
2714 |
block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "Block private networks from {$oc['descr']} block 172.16/12"
|
|
2715 |
block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "Block private networks from {$oc['descr']} block 192.168/16"
|
|
2716 |
block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "Block ULA networks from {$oc['descr']} block fc00::/7"
|
|
2721 |
block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
|
|
2722 |
block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
|
|
2723 |
block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
|
|
2724 |
block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
|
|
2725 |
block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
|
|
2726 |
block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
|
|
2717 | 2727 |
|
2718 | 2728 |
EOD; |
2719 | 2729 |
} |
... | ... | |
2722 | 2732 |
case "pptp": |
2723 | 2733 |
$ipfrules .= <<<EOD |
2724 | 2734 |
# allow PPTP client |
2725 |
pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}"
|
|
2726 |
pass in on \${$oc['descr']} proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}"
|
|
2735 |
pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
2736 |
pass in on \${$oc['descr']} proto gre from any to any keep state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
2727 | 2737 |
|
2728 | 2738 |
EOD; |
2729 | 2739 |
break; |
2730 | 2740 |
case "dhcp": |
2731 | 2741 |
$ipfrules .= <<<EOD |
2732 | 2742 |
# allow our DHCP client out to the {$oc['descr']} |
2733 |
pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "allow dhcp client out {$oc['descr']}"
|
|
2734 |
pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "allow dhcp client out {$oc['descr']}"
|
|
2743 |
pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
2744 |
pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
2735 | 2745 |
# Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP. |
2736 | 2746 |
|
2737 | 2747 |
EOD; |
... | ... | |
2774 | 2784 |
case "dhcp6": |
2775 | 2785 |
$ipfrules .= <<<EOD |
2776 | 2786 |
# allow our DHCPv6 client out to the {$oc['descr']} |
2777 |
pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in {$oc['descr']}"
|
|
2778 |
pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in {$oc['descr']}"
|
|
2779 |
pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out {$oc['descr']}"
|
|
2787 |
pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
2788 |
pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
2789 |
pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
|
|
2780 | 2790 |
|
2781 | 2791 |
EOD; |
2782 | 2792 |
break; |
2783 | 2793 |
case "6rd": |
2784 | 2794 |
$ipfrules .= <<<EOD |
2785 | 2795 |
# allow our proto 41 traffic from the 6RD border relay in |
2786 |
pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any label "Allow 6in4 traffic in for 6rd on {$oc['descr']}"
|
|
2787 |
pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "Allow 6in4 traffic out for 6rd on {$oc['descr']}"
|
|
2796 |
pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
|
|
2797 |
pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
|
|
2788 | 2798 |
|
2789 | 2799 |
EOD; |
2790 | 2800 |
if (is_ipaddrv6($oc['ipv6'])) { |
2791 | 2801 |
$ipfrules .= <<<EOD |
2792 |
pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "Allow 6rd traffic in for 6rd on {$oc['descr']}"
|
|
2793 |
pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "Allow 6rd traffic out for 6rd on {$oc['descr']}"
|
|
2802 |
pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
|
|
2803 |
pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
|
|
2794 | 2804 |
|
2795 | 2805 |
EOD; |
2796 | 2806 |
} |
... | ... | |
2799 | 2809 |
if (is_ipaddrv4($oc['ip'])) { |
2800 | 2810 |
$ipfrules .= <<<EOD |
2801 | 2811 |
# allow our proto 41 traffic from the 6to4 border relay in |
2802 |
pass in on \${$oc['descr']} proto 41 from any to {$oc['ip']} label "Allow 6in4 traffic in for 6to4 on {$oc['descr']}"
|
|
2803 |
pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "Allow 6in4 traffic out for 6to4 on {$oc['descr']}"
|
|
2812 |
pass in on \${$oc['descr']} proto 41 from any to {$oc['ip']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
2813 |
pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
2804 | 2814 |
|
2805 | 2815 |
EOD; |
2806 | 2816 |
} |
2807 | 2817 |
if (is_ipaddrv6($oc['ipv6'])) { |
2808 | 2818 |
$ipfrules .= <<<EOD |
2809 |
pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "Allow 6in4 traffic in for 6to4 on {$oc['descr']}"
|
|
2810 |
pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "Allow 6in4 traffic out for 6to4 on {$oc['descr']}"
|
|
2819 |
pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
2820 |
pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
2811 | 2821 |
|
2812 | 2822 |
EOD; |
2813 | 2823 |
} |
... | ... | |
2921 | 2931 |
if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) { |
2922 | 2932 |
$ipfrules .= <<<EOD |
2923 | 2933 |
# PPTPd rules |
2924 |
pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}"
|
|
2934 |
pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
|
|
2925 | 2935 |
pass in on \${$FilterIflist['wan']['descr']} proto gre from any to any keep state label "allow gre pptpd" |
2926 | 2936 |
|
2927 | 2937 |
EOD; |
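Review bot: fix_rule_label (new lines 73-79 in the first hunk) truncates with byte-based strlen/substr, which matches pf's byte-sized label buffer but can split a multibyte UTF-8 description in the middle of a character and leave an invalid sequence in the emitted label; if mbstring is available on the platform, `return mb_strcut($descr, 0, 60) . "...";` keeps the 60-byte budget while cutting on a character boundary. The helper also strips only `"`, so unless the UI already rejects control characters in rule and interface descriptions, a carriage return or newline in `$descr` passes straight into the generated rule line of the heredoc — `$descr = preg_replace('/[\x00-\x1f\x7f"]/', '', $descr);` covers both cases in one place. A header comment would help the next maintainer, e.g. `/* pf stores a label in a 64-byte buffer (PF_RULE_LABEL_SIZE, NUL included): keep it <= 63 bytes and free of quotes so the heredoc rules stay valid */`. The `$fix_rule_label = 'fix_rule_label';` line at new 2525 in filter_rules_generate also deserves a one-line comment saying it exists only so the function can be called from inside the heredocs via `{$fix_rule_label(...)}`.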
Make sure pf rule labels never have more than 63 chars. It should fix #3208