2622 |
2622 |
$ipfrules .= "anchor \"ipsec/*\"\n";
|
2623 |
2623 |
# BEGIN OF firewall rules
|
2624 |
2624 |
/* default block logging? */
|
|
2625 |
$log = array();
|
2625 |
2626 |
if(!isset($config['syslog']['nologdefaultblock']))
|
2626 |
|
$log = "log";
|
2627 |
|
else
|
2628 |
|
$log = "";
|
|
2627 |
$log['block'] = "log";
|
|
2628 |
if(!isset($config['syslog']['nologdefaultpass']))
|
|
2629 |
$log['pass'] = "log";
|
2629 |
2630 |
|
2630 |
2631 |
$saved_tracker = $tracker;
|
2631 |
2632 |
|
2632 |
2633 |
if(!isset($config['system']['ipv6allow'])) {
|
2633 |
2634 |
$ipfrules .= "# Block all IPv6\n";
|
2634 |
|
$ipfrules .= "block in {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
|
2635 |
|
$ipfrules .= "block out {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
|
|
2635 |
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
|
|
2636 |
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
|
2636 |
2637 |
}
|
2637 |
2638 |
|
2638 |
2639 |
$saved_tracker += 100;
|
... | ... | |
2642 |
2643 |
#---------------------------------------------------------------------------
|
2643 |
2644 |
# default deny rules
|
2644 |
2645 |
#---------------------------------------------------------------------------
|
2645 |
|
block in {$log} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
|
2646 |
|
block out {$log} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
|
2647 |
|
block in {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
|
2648 |
|
block out {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
|
|
2646 |
block in {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
|
|
2647 |
block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
|
|
2648 |
block in {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
|
|
2649 |
block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
|
2649 |
2650 |
|
2650 |
2651 |
# IPv6 ICMP is not auxilary, it is required for operation
|
2651 |
2652 |
# See man icmp6(4)
|
... | ... | |
2657 |
2658 |
# 134 routeradv Router advertisement
|
2658 |
2659 |
# 135 neighbrsol Neighbor solicitation
|
2659 |
2660 |
# 136 neighbradv Neighbor advertisement
|
2660 |
|
pass {$log} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2661 |
pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state
|
2661 |
2662 |
|
2662 |
2663 |
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
|
2663 |
|
pass out {$log} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
2664 |
|
pass out {$log} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
2665 |
|
pass in {$log} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
2666 |
|
pass in {$log} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
2667 |
|
pass in {$log} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2664 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2665 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2666 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2667 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2668 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
2668 |
2669 |
|
2669 |
2670 |
# We use the mighty pf, we cannot be fooled.
|
2670 |
|
block {$log} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
|
2671 |
|
block {$log} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
|
2672 |
|
block {$log} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
|
2673 |
|
block {$log} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
|
|
2671 |
block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
|
|
2672 |
block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
|
|
2673 |
block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
|
|
2674 |
block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
|
2674 |
2675 |
|
2675 |
2676 |
# Snort package
|
2676 |
|
block {$log} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
|
2677 |
|
block {$log} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
|
|
2677 |
block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
|
|
2678 |
block {$log['block']} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
|
2678 |
2679 |
|
2679 |
2680 |
EOD;
|
2680 |
2681 |
|
... | ... | |
2688 |
2689 |
|
2689 |
2690 |
$ipfrules .= "\n# SSH lockout\n";
|
2690 |
2691 |
if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
|
2691 |
|
$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port ";
|
|
2692 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port ";
|
2692 |
2693 |
$ipfrules .= $config['system']['ssh']['port'];
|
2693 |
2694 |
$ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
|
2694 |
2695 |
} else {
|
... | ... | |
2697 |
2698 |
else
|
2698 |
2699 |
$sshport = 22;
|
2699 |
2700 |
if($sshport)
|
2700 |
|
$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
|
|
2701 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
|
2701 |
2702 |
}
|
2702 |
2703 |
|
2703 |
2704 |
$saved_tracker += 50;
|
... | ... | |
2713 |
2714 |
$webConfiguratorlockoutport = $config['system']['webgui']['port'];
|
2714 |
2715 |
}
|
2715 |
2716 |
if($webConfiguratorlockoutport)
|
2716 |
|
$ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
|
|
2717 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
|
2717 |
2718 |
|
2718 |
2719 |
$saved_tracker += 100;
|
2719 |
2720 |
$tracker = $saved_tracker;
|
... | ... | |
2722 |
2723 |
* Support for allow limiting of TCP connections by establishment rate
|
2723 |
2724 |
* Useful for protecting against sudden outburts, etc.
|
2724 |
2725 |
*/
|
2725 |
|
$ipfrules .= "block in {$log} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n";
|
|
2726 |
$ipfrules .= "block in {$log['block']} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n";
|
2726 |
2727 |
|
2727 |
2728 |
$saved_tracker += 100;
|
2728 |
2729 |
$tracker = $saved_tracker;
|
... | ... | |
2766 |
2767 |
$listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : $cpcfg['zoneid'];
|
2767 |
2768 |
$portalias = $listenporthttps;
|
2768 |
2769 |
$portalias .= " {$listenporthttp}";
|
2769 |
|
$ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
|
2770 |
|
$ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
|
|
2770 |
$ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
|
|
2771 |
$ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
|
2771 |
2772 |
}
|
2772 |
2773 |
}
|
2773 |
2774 |
}
|
... | ... | |
2811 |
2812 |
if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
|
2812 |
2813 |
$ipfrules .= <<<EOD
|
2813 |
2814 |
# allow our DHCPv6 client out to the {$oc['descr']}
|
2814 |
|
pass in {$log} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
2815 |
|
pass in {$log} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
2816 |
|
pass out {$log} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
|
|
2815 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
2816 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
2817 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
|
2817 |
2818 |
|
2818 |
2819 |
EOD;
|
2819 |
2820 |
}
|
... | ... | |
2865 |
2866 |
case "pptp":
|
2866 |
2867 |
$ipfrules .= <<<EOD
|
2867 |
2868 |
# allow PPTP client
|
2868 |
|
pass in {$log} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
2869 |
|
pass in {$log} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
2869 |
pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
2870 |
pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
2870 |
2871 |
|
2871 |
2872 |
EOD;
|
2872 |
2873 |
break;
|
2873 |
2874 |
case "dhcp":
|
2874 |
2875 |
$ipfrules .= <<<EOD
|
2875 |
2876 |
# allow our DHCP client out to the {$oc['descr']}
|
2876 |
|
pass in {$log} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
2877 |
|
pass out {$log} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
2877 |
pass in {$log['pass']} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
2878 |
pass out {$log['pass']} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
2878 |
2879 |
# Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP.
|
2879 |
2880 |
|
2880 |
2881 |
EOD;
|
... | ... | |
2889 |
2890 |
if(isset($config['dhcpd'][$on]['enable'])) {
|
2890 |
2891 |
$ipfrules .= <<<EOD
|
2891 |
2892 |
# allow access to DHCP server on {$oc['descr']}
|
2892 |
|
pass in {$log} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
|
2893 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
2893 |
2894 |
|
2894 |
2895 |
EOD;
|
2895 |
2896 |
if (is_ipaddrv4($oc['ip'])) {
|
2896 |
2897 |
$ipfrules .= <<<EOD
|
2897 |
|
pass in {$log} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
2898 |
|
pass out {$log} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
|
2898 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
|
2899 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
2899 |
2900 |
|
2900 |
2901 |
EOD;
|
2901 |
2902 |
}
|
... | ... | |
2903 |
2904 |
if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") {
|
2904 |
2905 |
$ipfrules .= <<<EOD
|
2905 |
2906 |
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
|
2906 |
|
pass in {$log} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
|
2907 |
|
pass in {$log} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
|
|
2907 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
|
|
2908 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
|
2908 |
2909 |
|
2909 |
2910 |
EOD;
|
2910 |
2911 |
}
|
... | ... | |
2919 |
2920 |
case "6rd":
|
2920 |
2921 |
$ipfrules .= <<<EOD
|
2921 |
2922 |
# allow our proto 41 traffic from the 6RD border relay in
|
2922 |
|
pass in {$log} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
|
2923 |
|
pass out {$log} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
|
|
2923 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
|
|
2924 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
|
2924 |
2925 |
|
2925 |
2926 |
EOD;
|
2926 |
2927 |
/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */
|
2927 |
2928 |
if (0 && is_ipaddrv6($oc['ipv6'])) {
|
2928 |
2929 |
$ipfrules .= <<<EOD
|
2929 |
|
pass in {$log} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
|
2930 |
|
pass out {$log} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
|
|
2930 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
|
|
2931 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
|
2931 |
2932 |
|
2932 |
2933 |
EOD;
|
2933 |
2934 |
}
|
... | ... | |
2936 |
2937 |
if (is_ipaddrv4($oc['ip'])) {
|
2937 |
2938 |
$ipfrules .= <<<EOD
|
2938 |
2939 |
# allow our proto 41 traffic from the 6to4 border relay in
|
2939 |
|
pass in {$log} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
2940 |
|
pass out {$log} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
2940 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
2941 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
2941 |
2942 |
|
2942 |
2943 |
EOD;
|
2943 |
2944 |
}
|
2944 |
2945 |
/* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */
|
2945 |
2946 |
if (0 && is_ipaddrv6($oc['ipv6'])) {
|
2946 |
2947 |
$ipfrules .= <<<EOD
|
2947 |
|
pass in {$log} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
2948 |
|
pass out {$log} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
2948 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
2949 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
2949 |
2950 |
|
2950 |
2951 |
EOD;
|
2951 |
2952 |
}
|
... | ... | |
2956 |
2957 |
$ipfrules .= <<<EOD
|
2957 |
2958 |
# allow access to DHCPv6 server on {$oc['descr']}
|
2958 |
2959 |
# We need inet6 icmp for stateless autoconfig and dhcpv6
|
2959 |
|
pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
2960 |
|
pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
2961 |
|
pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
2962 |
|
pass {$log} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2960 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2961 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2962 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2963 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
2963 |
2964 |
|
2964 |
2965 |
EOD;
|
2965 |
2966 |
if (is_ipaddrv6($oc['ipv6'])) {
|
2966 |
2967 |
$ipfrules .= <<<EOD
|
2967 |
|
pass in {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
2968 |
|
pass out {$log} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2968 |
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2969 |
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
2969 |
2970 |
|
2970 |
2971 |
EOD;
|
2971 |
2972 |
}
|
... | ... | |
2985 |
2986 |
$ipfrules .= <<<EOD
|
2986 |
2987 |
|
2987 |
2988 |
# loopback
|
2988 |
|
pass in {$log} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
|
2989 |
|
pass out {$log} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
|
2990 |
|
pass in {$log} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
|
2991 |
|
pass out {$log} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
|
|
2989 |
pass in {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
|
|
2990 |
pass out {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
|
|
2991 |
pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
|
|
2992 |
pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
|
2992 |
2993 |
# let out anything from the firewall host itself and decrypted IPsec traffic
|
2993 |
|
pass out {$log} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself"
|
2994 |
|
pass out {$log} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself"
|
|
2994 |
pass out {$log['pass']} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself"
|
|
2995 |
pass out {$log['pass']} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself"
|
2995 |
2996 |
|
2996 |
2997 |
EOD;
|
2997 |
2998 |
|
... | ... | |
3003 |
3004 |
|
3004 |
3005 |
$gw = get_interface_gateway($ifdescr);
|
3005 |
3006 |
if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip'])) {
|
3006 |
|
$ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3007 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
3007 |
3008 |
if (is_array($ifcfg['vips'])) {
|
3008 |
3009 |
foreach ($ifcfg['vips'] as $vip)
|
3009 |
3010 |
if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}"))
|
3010 |
|
$ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3011 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
3011 |
3012 |
else
|
3012 |
|
$ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3013 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
3013 |
3014 |
}
|
3014 |
3015 |
}
|
3015 |
3016 |
|
... | ... | |
3017 |
3018 |
$stf = get_real_interface($ifdescr, "inet6");
|
3018 |
3019 |
$pdlen = 64 - calculate_ipv6_delegation_length($ifdescr);
|
3019 |
3020 |
if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) {
|
3020 |
|
$ipfrules .= "pass out {$log} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3021 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
3021 |
3022 |
if (is_array($ifcfg['vips6'])) {
|
3022 |
3023 |
foreach ($ifcfg['vips6'] as $vip)
|
3023 |
|
$ipfrules .= "pass out {$log} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3024 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
3024 |
3025 |
}
|
3025 |
3026 |
}
|
3026 |
3027 |
}
|
... | ... | |
3030 |
3031 |
$tracker = $saved_tracker;
|
3031 |
3032 |
/* add ipsec interfaces */
|
3032 |
3033 |
if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable']))
|
3033 |
|
$ipfrules .= "pass out {$log} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n";
|
|
3034 |
$ipfrules .= "pass out {$log['pass']} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n";
|
3034 |
3035 |
|
3035 |
3036 |
$saved_tracker += 10;
|
3036 |
3037 |
$tracker = $saved_tracker;
|
... | ... | |
3044 |
3045 |
$lanif = $FilterIflist['lan']['if'];
|
3045 |
3046 |
$ipfrules .= <<<EOD
|
3046 |
3047 |
# make sure the user cannot lock himself out of the webConfigurator or SSH
|
3047 |
|
pass in {$log} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
|
|
3048 |
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
|
3048 |
3049 |
|
3049 |
3050 |
EOD;
|
3050 |
3051 |
} else if (count($config['interfaces']) == 1) {
|
... | ... | |
3052 |
3053 |
$wanif = $FilterIflist["wan"]['if'];
|
3053 |
3054 |
$ipfrules .= <<<EOD
|
3054 |
3055 |
# make sure the user cannot lock himself out of the webConfigurator or SSH
|
3055 |
|
pass in {$log} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
|
|
3056 |
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
|
3056 |
3057 |
|
3057 |
3058 |
EOD;
|
3058 |
3059 |
}
|
... | ... | |
3070 |
3071 |
if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) {
|
3071 |
3072 |
$ipfrules .= <<<EOD
|
3072 |
3073 |
# PPTPd rules
|
3073 |
|
pass in {$log} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
|
3074 |
|
pass in {$log} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd"
|
|
3074 |
pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
|
|
3075 |
pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd"
|
3075 |
3076 |
|
3076 |
3077 |
EOD;
|
3077 |
3078 |
|
... | ... | |
3091 |
3092 |
&& $rule['natreflection'] != "disable") {
|
3092 |
3093 |
$ipfrules .= "# NAT Reflection rules\n";
|
3093 |
3094 |
$ipfrules .= <<<EOD
|
3094 |
|
pass in {$log} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost"
|
|
3095 |
pass in {$log['pass']} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost"
|
3095 |
3096 |
|
3096 |
3097 |
EOD;
|
3097 |
3098 |
break;
|
... | ... | |
3191 |
3192 |
}
|
3192 |
3193 |
if ($sa && is_ipaddrv4($routeent[0])) {
|
3193 |
3194 |
$ipfrules .= <<<EOD
|
3194 |
|
pass {$log} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3195 |
|
pass {$log} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3196 |
|
pass {$log} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3197 |
|
pass {$log} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3195 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3196 |
pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3197 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3198 |
pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3198 |
3199 |
|
3199 |
3200 |
EOD;
|
3200 |
3201 |
}
|
... | ... | |
3205 |
3206 |
}
|
3206 |
3207 |
if ($sa && is_ipaddrv6($routeent[0])) {
|
3207 |
3208 |
$ipfrules .= <<<EOD
|
3208 |
|
pass {$log} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3209 |
|
pass {$log} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3210 |
|
pass {$log} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3211 |
|
pass {$log} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3209 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3210 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3211 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3212 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
3212 |
3213 |
|
3213 |
3214 |
EOD;
|
3214 |
3215 |
}
|
... | ... | |
3242 |
3243 |
}
|
3243 |
3244 |
if($sa) {
|
3244 |
3245 |
$ipfrules .= <<<EOD
|
3245 |
|
pass in {$log} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd"
|
|
3246 |
pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd"
|
3246 |
3247 |
|
3247 |
3248 |
EOD;
|
3248 |
3249 |
}
|
... | ... | |
3261 |
3262 |
$mt = microtime();
|
3262 |
3263 |
echo "filter_rules_spoofcheck_generate() being called $mt\n";
|
3263 |
3264 |
}
|
3264 |
|
$ipfrules = "antispoof {$log} for \${$ifcfg['descr']} tracker {$tracker}\n";
|
|
3265 |
$ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} tracker {$tracker}\n";
|
3265 |
3266 |
$tracker++;
|
3266 |
3267 |
|
3267 |
3268 |
return $ipfrules;
|
... | ... | |
3483 |
3484 |
|
3484 |
3485 |
if(isset($config['system']['developerspew'])) {
|
3485 |
3486 |
$mt = microtime();
|
3486 |
|
echo "filter_process_carp_rules($log) being called $mt\n";
|
|
3487 |
echo "filter_process_carp_rules() being called $mt\n";
|
3487 |
3488 |
}
|
3488 |
3489 |
|
3489 |
3490 |
$increment_tracker = 'filter_rule_tracker';
|
3490 |
3491 |
$lines = "";
|
3491 |
3492 |
/* return if there are no carp configured items */
|
3492 |
3493 |
if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) {
|
3493 |
|
$lines .= "block in {$log} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n";
|
3494 |
|
$lines .= "pass {$log} quick proto carp tracker {$increment_tracker($tracker)}\n";
|
|
3494 |
$lines .= "block in {$log['block']} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n";
|
|
3495 |
$lines .= "pass {$log['pass']} quick proto carp tracker {$increment_tracker($tracker)}\n";
|
3495 |
3496 |
}
|
3496 |
3497 |
return $lines;
|
3497 |
3498 |
}
|
3498 |
3499 |
|
3499 |
3500 |
/* Generate IPSEC Filter Items */
|
3500 |
|
function filter_generate_ipsec_rules($log = "") {
|
|
3501 |
function filter_generate_ipsec_rules($log = array()) {
|
3501 |
3502 |
global $config, $g, $FilterIflist, $tracker;
|
3502 |
3503 |
|
3503 |
3504 |
if(isset($config['system']['developerspew'])) {
|
... | ... | |
3595 |
3596 |
/* Add rules to allow IKE to pass */
|
3596 |
3597 |
$shorttunneldescr = substr($descr, 0, 35);
|
3597 |
3598 |
$ipfrules .= <<<EOD
|
3598 |
|
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
|
3599 |
|
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
|
|
3599 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
|
|
3600 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
|
3600 |
3601 |
|
3601 |
3602 |
EOD;
|
3602 |
3603 |
/* If NAT-T is enabled, add additional rules */
|
3603 |
3604 |
if($ph1ent['nat_traversal'] != "off" ) {
|
3604 |
3605 |
$ipfrules .= <<<EOD
|
3605 |
|
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
|
3606 |
|
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
|
|
3606 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
|
|
3607 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
|
3607 |
3608 |
|
3608 |
3609 |
EOD;
|
3609 |
3610 |
}
|
3610 |
3611 |
/* Add rules to allow the protocols in use */
|
3611 |
3612 |
if($prot_used_esp == true) {
|
3612 |
3613 |
$ipfrules .= <<<EOD
|
3613 |
|
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
|
3614 |
|
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
|
|
3614 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
|
|
3615 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
|
3615 |
3616 |
|
3616 |
3617 |
EOD;
|
3617 |
3618 |
}
|
3618 |
3619 |
if($prot_used_ah == true) {
|
3619 |
3620 |
$ipfrules .= <<<EOD
|
3620 |
|
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
|
3621 |
|
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
|
|
3621 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
|
|
3622 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
|
3622 |
3623 |
|
3623 |
3624 |
EOD;
|
3624 |
3625 |
}
|
Split the logging setting for pass and block rules into two separate settings. Maybe this can be extended to control the user rules as well?