Project

General

Profile

« Previous | Next » 

Revision ec509679

Added by Ermal LUÇI over 12 years ago

Remove set 1 keywords from rules since sets are not used in CP since long time.

View differences:

etc/inc/captiveportal.inc
513 513 
	/* init dummynet/ipfw rules number database */
514 514 
	captiveportal_init_ipfw_ruleno();
515 515 

  		




  516
  
  
    
	$cprules =	"add 65291 set 1 allow pfsync from any to any\n";


  		




  517
  
  
    
	$cprules .= "add 65292 set 1 allow carp from any to any\n";


  		




  
  516
  
    
	$cprules =	"add 65291 allow pfsync from any to any\n";


  		




  
  517
  
    
	$cprules .= "add 65292 allow carp from any to any\n";


  		




  518
  518
  
    

  		




  519
  519
  
    
	$cprules .= <<<EOD


  		




  520
  
  
    
# add 65300 set 1 skipto 65534 all from any to any not layer2


  		




  521
  520
  
    
# layer 2: pass ARP


  		




  522
  
  
    
add 65301 set 1 pass layer2 mac-type arp,rarp


  		




  
  521
  
    
add 65301 pass layer2 mac-type arp,rarp


  		




  523
  522
  
    
# pfsense requires for WPA


  		




  524
  
  
    
add 65302 set 1 pass layer2 mac-type 0x888e,0x88c7


  		




  
  523
  
    
add 65302 pass layer2 mac-type 0x888e,0x88c7


  		




  525
  524
  
    
# PPP Over Ethernet Session Stage/Discovery Stage


  		




  526
  
  
    
add 65303 set 1 pass layer2 mac-type 0x8863,0x8864


  		




  
  525
  
    
add 65303 pass layer2 mac-type 0x8863,0x8864


  		




  527
  526
  
    

  		




  528
  527
  
    
# layer 2: block anything else non-IP(v4/v6)


  		




  529
  
  
    
add 65307 set 1 deny layer2 not mac-type ip,ipv6


  		




  
  528
  
    
add 65307 deny layer2 not mac-type ip,ipv6


  		




  530
  529
  
    

  		




  531
  530
  
    
EOD;


  		




  532
  531
  
    

  		




  ......




  542
  541
  
    
		$ipcount++;


  		




  543
  542
  
    
	}


  		




  544
  543
  
    
	$ips = "{ 255.255.255.255 or {$ips} }";


  		




  545
  
  
    
	$cprules .= "add {$rulenum} set 1 pass ip from any to {$ips} in\n";


  		




  
  544
  
    
	$cprules .= "add {$rulenum} pass ip from any to {$ips} in\n";


  		




  546
  545
  
    
	$rulenum++;


  		




  547
  
  
    
	$cprules .= "add {$rulenum} set 1 pass ip from {$ips} to any out\n";


  		




  
  546
  
    
	$cprules .= "add {$rulenum} pass ip from {$ips} to any out\n";


  		




  548
  547
  
    
	$rulenum++;


  		




  549
  
  
    
	$cprules .= "add {$rulenum} set 1 pass icmp from {$ips} to any out icmptype 0\n";


  		




  
  548
  
    
	$cprules .= "add {$rulenum} pass icmp from {$ips} to any out icmptype 0\n";


  		




  550
  549
  
    
	$rulenum++;


  		




  551
  
  
    
	$cprules .= "add {$rulenum} set 1 pass icmp from any to {$ips} in icmptype 8 \n";


  		




  
  550
  
    
	$cprules .= "add {$rulenum} pass icmp from any to {$ips} in icmptype 8 \n";


  		




  552
  551
  
    
	$rulenum++;


  		




  553
  552
  
    
	/* Allowed ips */


  		




  554
  553
  
    
	$cprules .= "add {$rulenum} allow ip from table(3) to any in\n";


  		




  ......




  569
  568
  
    
	$rulenum++;


  		




  570
  569
  
    

  		




  571
  570
  
    
	/* Authenticated users rules. */


  		




  572
  
  
    
	$cprules .= "add {$rulenum} set 1 pipe tablearg ip from table(1) to any in\n";


  		




  
  571
  
    
	$cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n";


  		




  573
  572
  
    
	$rulenum++;


  		




  574
  
  
    
	$cprules .= "add {$rulenum} set 1 pipe tablearg ip from any to table(2) out\n";


  		




  
  573
  
    
	$cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n";


  		




  575
  574
  
    
	$rulenum++;


  		




  576
  575
  
    
	


  		




  577
  576
  
    
	$listenporthttp =


  		




  ......




  581
  580
  
    

  		




  582
  581
  
    
	if (isset($cpcfg['httpslogin'])) {


  		




  583
  582
  
    
		$listenporthttps = $listenporthttp + 1;


  		




  584
  
  
    
		$cprules .= "add 65531 set 1 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n";


  		




  
  583
  
    
		$cprules .= "add 65531 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n";


  		




  585
  584
  
    
	}


  		




  586
  585
  
    
	


  		




  587
  586
  
    
	$cprules .= <<<EOD


  		




  588
  587
  
    

  		




  589
  588
  
    
# redirect non-authenticated clients to captive portal


  		




  590
  
  
    
add 65532 set 1 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in 


  		




  
  589
  
    
add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in 


  		




  591
  590
  
    
# let the responses from the captive portal web server back out


  		




  592
  
  
    
add 65533 set 1 pass tcp from any to any out


  		




  
  591
  
    
add 65533 pass tcp from any to any out


  		




  593
  592
  
    
# block everything else


  		




  594
  
  
    
add 65534 set 1 deny all from any to any


  		




  
  593
  
    
add 65534 deny all from any to any


  		




  595
  594
  
    

  		




  596
  595
  
    
EOD;


  		




  597
  596
  
    

  		












Also available in:  Unified diff