Revision ec509679
Added by Ermal LUÇI over 12 years ago
etc/inc/captiveportal.inc | ||
---|---|---|
513 | 513 |
/* init dummynet/ipfw rules number database */ |
514 | 514 |
captiveportal_init_ipfw_ruleno(); |
515 | 515 |
|
516 |
$cprules = "add 65291 set 1 allow pfsync from any to any\n";
|
|
517 |
$cprules .= "add 65292 set 1 allow carp from any to any\n";
|
|
516 |
$cprules = "add 65291 allow pfsync from any to any\n"; |
|
517 |
$cprules .= "add 65292 allow carp from any to any\n"; |
|
518 | 518 |
|
519 | 519 |
$cprules .= <<<EOD |
520 |
# add 65300 set 1 skipto 65534 all from any to any not layer2 |
|
521 | 520 |
# layer 2: pass ARP |
522 |
add 65301 set 1 pass layer2 mac-type arp,rarp
|
|
521 |
add 65301 pass layer2 mac-type arp,rarp |
|
523 | 522 |
# pfsense requires for WPA |
524 |
add 65302 set 1 pass layer2 mac-type 0x888e,0x88c7
|
|
523 |
add 65302 pass layer2 mac-type 0x888e,0x88c7 |
|
525 | 524 |
# PPP Over Ethernet Session Stage/Discovery Stage |
526 |
add 65303 set 1 pass layer2 mac-type 0x8863,0x8864
|
|
525 |
add 65303 pass layer2 mac-type 0x8863,0x8864 |
|
527 | 526 |
|
528 | 527 |
# layer 2: block anything else non-IP(v4/v6) |
529 |
add 65307 set 1 deny layer2 not mac-type ip,ipv6
|
|
528 |
add 65307 deny layer2 not mac-type ip,ipv6 |
|
530 | 529 |
|
531 | 530 |
EOD; |
532 | 531 |
|
... | ... | |
542 | 541 |
$ipcount++; |
543 | 542 |
} |
544 | 543 |
$ips = "{ 255.255.255.255 or {$ips} }"; |
545 |
$cprules .= "add {$rulenum} set 1 pass ip from any to {$ips} in\n";
|
|
544 |
$cprules .= "add {$rulenum} pass ip from any to {$ips} in\n"; |
|
546 | 545 |
$rulenum++; |
547 |
$cprules .= "add {$rulenum} set 1 pass ip from {$ips} to any out\n";
|
|
546 |
$cprules .= "add {$rulenum} pass ip from {$ips} to any out\n"; |
|
548 | 547 |
$rulenum++; |
549 |
$cprules .= "add {$rulenum} set 1 pass icmp from {$ips} to any out icmptype 0\n";
|
|
548 |
$cprules .= "add {$rulenum} pass icmp from {$ips} to any out icmptype 0\n"; |
|
550 | 549 |
$rulenum++; |
551 |
$cprules .= "add {$rulenum} set 1 pass icmp from any to {$ips} in icmptype 8 \n";
|
|
550 |
$cprules .= "add {$rulenum} pass icmp from any to {$ips} in icmptype 8 \n"; |
|
552 | 551 |
$rulenum++; |
553 | 552 |
/* Allowed ips */ |
554 | 553 |
$cprules .= "add {$rulenum} allow ip from table(3) to any in\n"; |
... | ... | |
569 | 568 |
$rulenum++; |
570 | 569 |
|
571 | 570 |
/* Authenticated users rules. */ |
572 |
$cprules .= "add {$rulenum} set 1 pipe tablearg ip from table(1) to any in\n";
|
|
571 |
$cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n"; |
|
573 | 572 |
$rulenum++; |
574 |
$cprules .= "add {$rulenum} set 1 pipe tablearg ip from any to table(2) out\n";
|
|
573 |
$cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n"; |
|
575 | 574 |
$rulenum++; |
576 | 575 |
|
577 | 576 |
$listenporthttp = |
... | ... | |
581 | 580 |
|
582 | 581 |
if (isset($cpcfg['httpslogin'])) { |
583 | 582 |
$listenporthttps = $listenporthttp + 1; |
584 |
$cprules .= "add 65531 set 1 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n";
|
|
583 |
$cprules .= "add 65531 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n"; |
|
585 | 584 |
} |
586 | 585 |
|
587 | 586 |
$cprules .= <<<EOD |
588 | 587 |
|
589 | 588 |
# redirect non-authenticated clients to captive portal |
590 |
add 65532 set 1 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in
|
|
589 |
add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in |
|
591 | 590 |
# let the responses from the captive portal web server back out |
592 |
add 65533 set 1 pass tcp from any to any out
|
|
591 |
add 65533 pass tcp from any to any out |
|
593 | 592 |
# block everything else |
594 |
add 65534 set 1 deny all from any to any
|
|
593 |
add 65534 deny all from any to any |
|
595 | 594 |
|
596 | 595 |
EOD; |
597 | 596 |
|
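Review bot: Rule 65533 on the new side, `add 65533 pass tcp from any to any out`, is broader than the comment above it ("let the responses from the captive portal web server back out") describes: it passes every outbound TCP packet on the portal interface, not only packets sourced from the portal's listen ports, so it may be wider than the redirect in rule 65532 needs. If only the web server's replies are meant, scoping the rule to the listen port(s) would make it match its comment — keeping in mind that `$listenporthttps` is only assigned inside the `httpslogin` branch — but I cannot tell from this section whether other outbound TCP is relied on, so treat this as a question rather than a defect. Separately, the fixed rule numbers (65291/65292, 65301–65307, 65531–65534) and the dynamic `$rulenum` range between them are undocumented; a comment such as `/* ipfw rule layout: 65291-65307 fixed layer2/infrastructure rules, $rulenum.. per-interface and table rules, 65531-65534 portal redirect and final deny */` above the first `$cprules =` assignment would help the next reader. The enclosing function starts before line 513 and the section shows only parts of it.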
Remove the `set 1` keywords from the rules, since sets have not been used in CP for a long time.