Révision 1fd46d44
Ajouté par Ermal il y a presque 10 ans
etc/inc/filter.inc | ||
---|---|---|
2622 | 2622 |
$ipfrules .= "anchor \"ipsec/*\"\n"; |
2623 | 2623 |
# BEGIN OF firewall rules |
2624 | 2624 |
/* default block logging? */ |
2625 |
$log = array(); |
|
2625 | 2626 |
if(!isset($config['syslog']['nologdefaultblock'])) |
2626 |
$log = "log"; |
|
2627 |
else
|
|
2628 |
$log = "";
|
|
2627 |
$log['block'] = "log";
|
|
2628 |
if(!isset($config['syslog']['nologdefaultpass']))
|
|
2629 |
$log['pass'] = "log";
|
|
2629 | 2630 |
|
2630 | 2631 |
$saved_tracker = $tracker; |
2631 | 2632 |
|
2632 | 2633 |
if(!isset($config['system']['ipv6allow'])) { |
2633 | 2634 |
$ipfrules .= "# Block all IPv6\n"; |
2634 |
$ipfrules .= "block in {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; |
|
2635 |
$ipfrules .= "block out {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; |
|
2635 |
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
|
|
2636 |
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
|
|
2636 | 2637 |
} |
2637 | 2638 |
|
2638 | 2639 |
$saved_tracker += 100; |
... | ... | |
2642 | 2643 |
#--------------------------------------------------------------------------- |
2643 | 2644 |
# default deny rules |
2644 | 2645 |
#--------------------------------------------------------------------------- |
2645 |
block in {$log} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" |
|
2646 |
block out {$log} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" |
|
2647 |
block in {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" |
|
2648 |
block out {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" |
|
2646 |
block in {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
|
|
2647 |
block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
|
|
2648 |
block in {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
|
|
2649 |
block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
|
|
2649 | 2650 |
|
2650 | 2651 |
# IPv6 ICMP is not auxilary, it is required for operation |
2651 | 2652 |
# See man icmp6(4) |
... | ... | |
2657 | 2658 |
# 134 routeradv Router advertisement |
2658 | 2659 |
# 135 neighbrsol Neighbor solicitation |
2659 | 2660 |
# 136 neighbradv Neighbor advertisement |
2660 |
pass {$log} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state |
|
2661 |
pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2661 | 2662 |
|
2662 | 2663 |
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) |
2663 |
pass out {$log} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state |
|
2664 |
pass out {$log} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state |
|
2665 |
pass in {$log} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state |
|
2666 |
pass in {$log} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state |
|
2667 |
pass in {$log} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state |
|
2664 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2665 |
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2666 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2667 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2668 |
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
|
|
2668 | 2669 |
|
2669 | 2670 |
# We use the mighty pf, we cannot be fooled. |
2670 |
block {$log} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} |
|
2671 |
block {$log} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} |
|
2672 |
block {$log} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} |
|
2673 |
block {$log} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} |
|
2671 |
block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
|
|
2672 |
block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
|
|
2673 |
block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
|
|
2674 |
block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
|
|
2674 | 2675 |
|
2675 | 2676 |
# Snort package |
2676 |
block {$log} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts" |
|
2677 |
block {$log} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts" |
|
2677 |
block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
|
|
2678 |
block {$log['block']} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
|
|
2678 | 2679 |
|
2679 | 2680 |
EOD; |
2680 | 2681 |
|
... | ... | |
2688 | 2689 |
|
2689 | 2690 |
$ipfrules .= "\n# SSH lockout\n"; |
2690 | 2691 |
if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) { |
2691 |
$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port ";
|
|
2692 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port ";
|
|
2692 | 2693 |
$ipfrules .= $config['system']['ssh']['port']; |
2693 | 2694 |
$ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshlockout\"\n"; |
2694 | 2695 |
} else { |
... | ... | |
2697 | 2698 |
else |
2698 | 2699 |
$sshport = 22; |
2699 | 2700 |
if($sshport) |
2700 |
$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
|
|
2701 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
|
|
2701 | 2702 |
} |
2702 | 2703 |
|
2703 | 2704 |
$saved_tracker += 50; |
... | ... | |
2713 | 2714 |
$webConfiguratorlockoutport = $config['system']['webgui']['port']; |
2714 | 2715 |
} |
2715 | 2716 |
if($webConfiguratorlockoutport) |
2716 |
$ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
|
|
2717 |
$ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
|
|
2717 | 2718 |
|
2718 | 2719 |
$saved_tracker += 100; |
2719 | 2720 |
$tracker = $saved_tracker; |
... | ... | |
2722 | 2723 |
* Support for allow limiting of TCP connections by establishment rate |
2723 | 2724 |
* Useful for protecting against sudden outburts, etc. |
2724 | 2725 |
*/ |
2725 |
$ipfrules .= "block in {$log} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n"; |
|
2726 |
$ipfrules .= "block in {$log['block']} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n";
|
|
2726 | 2727 |
|
2727 | 2728 |
$saved_tracker += 100; |
2728 | 2729 |
$tracker = $saved_tracker; |
... | ... | |
2766 | 2767 |
$listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : $cpcfg['zoneid']; |
2767 | 2768 |
$portalias = $listenporthttps; |
2768 | 2769 |
$portalias .= " {$listenporthttp}"; |
2769 |
$ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; |
|
2770 |
$ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; |
|
2770 |
$ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
|
|
2771 |
$ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
|
|
2771 | 2772 |
} |
2772 | 2773 |
} |
2773 | 2774 |
} |
... | ... | |
2811 | 2812 |
if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) { |
2812 | 2813 |
$ipfrules .= <<<EOD |
2813 | 2814 |
# allow our DHCPv6 client out to the {$oc['descr']} |
2814 |
pass in {$log} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" |
|
2815 |
pass in {$log} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" |
|
2816 |
pass out {$log} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" |
|
2815 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
2816 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
|
|
2817 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
|
|
2817 | 2818 |
|
2818 | 2819 |
EOD; |
2819 | 2820 |
} |
... | ... | |
2865 | 2866 |
case "pptp": |
2866 | 2867 |
$ipfrules .= <<<EOD |
2867 | 2868 |
# allow PPTP client |
2868 |
pass in {$log} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" |
|
2869 |
pass in {$log} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" |
|
2869 |
pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
2870 |
pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
|
|
2870 | 2871 |
|
2871 | 2872 |
EOD; |
2872 | 2873 |
break; |
2873 | 2874 |
case "dhcp": |
2874 | 2875 |
$ipfrules .= <<<EOD |
2875 | 2876 |
# allow our DHCP client out to the {$oc['descr']} |
2876 |
pass in {$log} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" |
|
2877 |
pass out {$log} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" |
|
2877 |
pass in {$log['pass']} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
2878 |
pass out {$log['pass']} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
|
|
2878 | 2879 |
# Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP. |
2879 | 2880 |
|
2880 | 2881 |
EOD; |
... | ... | |
2889 | 2890 |
if(isset($config['dhcpd'][$on]['enable'])) { |
2890 | 2891 |
$ipfrules .= <<<EOD |
2891 | 2892 |
# allow access to DHCP server on {$oc['descr']} |
2892 |
pass in {$log} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" |
|
2893 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
|
2893 | 2894 |
|
2894 | 2895 |
EOD; |
2895 | 2896 |
if (is_ipaddrv4($oc['ip'])) { |
2896 | 2897 |
$ipfrules .= <<<EOD |
2897 |
pass in {$log} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" |
|
2898 |
pass out {$log} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" |
|
2898 |
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
|
2899 |
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
|
|
2899 | 2900 |
|
2900 | 2901 |
EOD; |
2901 | 2902 |
} |
... | ... | |
2903 | 2904 |
if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") { |
2904 | 2905 |
$ipfrules .= <<<EOD |
2905 | 2906 |
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} |
2906 |
pass in {$log} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" |
|
2907 |
pass in {$log} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" |
|
2907 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
|
|
2908 |
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
|
|
2908 | 2909 |
|
2909 | 2910 |
EOD; |
2910 | 2911 |
} |
... | ... | |
2919 | 2920 |
case "6rd": |
2920 | 2921 |
$ipfrules .= <<<EOD |
2921 | 2922 |
# allow our proto 41 traffic from the 6RD border relay in |
2922 |
pass in {$log} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}" |
|
2923 |
pass out {$log} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}" |
|
2923 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
|
|
2924 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
|
|
2924 | 2925 |
|
2925 | 2926 |
EOD; |
2926 | 2927 |
/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */ |
2927 | 2928 |
if (0 && is_ipaddrv6($oc['ipv6'])) { |
2928 | 2929 |
$ipfrules .= <<<EOD |
2929 |
pass in {$log} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}" |
|
2930 |
pass out {$log} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}" |
|
2930 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
|
|
2931 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
|
|
2931 | 2932 |
|
2932 | 2933 |
EOD; |
2933 | 2934 |
} |
... | ... | |
2936 | 2937 |
if (is_ipaddrv4($oc['ip'])) { |
2937 | 2938 |
$ipfrules .= <<<EOD |
2938 | 2939 |
# allow our proto 41 traffic from the 6to4 border relay in |
2939 |
pass in {$log} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" |
|
2940 |
pass out {$log} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" |
|
2940 |
pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
2941 |
pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
2941 | 2942 |
|
2942 | 2943 |
EOD; |
2943 | 2944 |
} |
2944 | 2945 |
/* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */ |
2945 | 2946 |
if (0 && is_ipaddrv6($oc['ipv6'])) { |
2946 | 2947 |
$ipfrules .= <<<EOD |
2947 |
pass in {$log} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" |
|
2948 |
pass out {$log} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" |
|
2948 |
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
|
|
2949 |
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
|
|
2949 | 2950 |
|
2950 | 2951 |
EOD; |
2951 | 2952 |
} |
... | ... | |
2956 | 2957 |
$ipfrules .= <<<EOD |
2957 | 2958 |
# allow access to DHCPv6 server on {$oc['descr']} |
2958 | 2959 |
# We need inet6 icmp for stateless autoconfig and dhcpv6 |
2959 |
pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" |
|
2960 |
pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" |
|
2961 |
pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" |
|
2962 |
pass {$log} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" |
|
2960 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2961 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2962 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2963 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2963 | 2964 |
|
2964 | 2965 |
EOD; |
2965 | 2966 |
if (is_ipaddrv6($oc['ipv6'])) { |
2966 | 2967 |
$ipfrules .= <<<EOD |
2967 |
pass in {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" |
|
2968 |
pass out {$log} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" |
|
2968 |
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2969 |
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
|
|
2969 | 2970 |
|
2970 | 2971 |
EOD; |
2971 | 2972 |
} |
... | ... | |
2985 | 2986 |
$ipfrules .= <<<EOD |
2986 | 2987 |
|
2987 | 2988 |
# loopback |
2988 |
pass in {$log} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" |
|
2989 |
pass out {$log} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" |
|
2990 |
pass in {$log} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" |
|
2991 |
pass out {$log} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" |
|
2989 |
pass in {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
|
|
2990 |
pass out {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
|
|
2991 |
pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
|
|
2992 |
pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
|
|
2992 | 2993 |
# let out anything from the firewall host itself and decrypted IPsec traffic |
2993 |
pass out {$log} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself" |
|
2994 |
pass out {$log} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself" |
|
2994 |
pass out {$log['pass']} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself"
|
|
2995 |
pass out {$log['pass']} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself"
|
|
2995 | 2996 |
|
2996 | 2997 |
EOD; |
2997 | 2998 |
|
... | ... | |
3003 | 3004 |
|
3004 | 3005 |
$gw = get_interface_gateway($ifdescr); |
3005 | 3006 |
if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip'])) { |
3006 |
$ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; |
|
3007 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3007 | 3008 |
if (is_array($ifcfg['vips'])) { |
3008 | 3009 |
foreach ($ifcfg['vips'] as $vip) |
3009 | 3010 |
if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}")) |
3010 |
$ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; |
|
3011 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3011 | 3012 |
else |
3012 |
$ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; |
|
3013 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3013 | 3014 |
} |
3014 | 3015 |
} |
3015 | 3016 |
|
... | ... | |
3017 | 3018 |
$stf = get_real_interface($ifdescr, "inet6"); |
3018 | 3019 |
$pdlen = 64 - calculate_ipv6_delegation_length($ifdescr); |
3019 | 3020 |
if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) { |
3020 |
$ipfrules .= "pass out {$log} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; |
|
3021 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3021 | 3022 |
if (is_array($ifcfg['vips6'])) { |
3022 | 3023 |
foreach ($ifcfg['vips6'] as $vip) |
3023 |
$ipfrules .= "pass out {$log} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; |
|
3024 |
$ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
|
|
3024 | 3025 |
} |
3025 | 3026 |
} |
3026 | 3027 |
} |
... | ... | |
3030 | 3031 |
$tracker = $saved_tracker; |
3031 | 3032 |
/* add ipsec interfaces */ |
3032 | 3033 |
if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) |
3033 |
$ipfrules .= "pass out {$log} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n"; |
|
3034 |
$ipfrules .= "pass out {$log['pass']} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n";
|
|
3034 | 3035 |
|
3035 | 3036 |
$saved_tracker += 10; |
3036 | 3037 |
$tracker = $saved_tracker; |
... | ... | |
3044 | 3045 |
$lanif = $FilterIflist['lan']['if']; |
3045 | 3046 |
$ipfrules .= <<<EOD |
3046 | 3047 |
# make sure the user cannot lock himself out of the webConfigurator or SSH |
3047 |
pass in {$log} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" |
|
3048 |
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
|
|
3048 | 3049 |
|
3049 | 3050 |
EOD; |
3050 | 3051 |
} else if (count($config['interfaces']) == 1) { |
... | ... | |
3052 | 3053 |
$wanif = $FilterIflist["wan"]['if']; |
3053 | 3054 |
$ipfrules .= <<<EOD |
3054 | 3055 |
# make sure the user cannot lock himself out of the webConfigurator or SSH |
3055 |
pass in {$log} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" |
|
3056 |
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
|
|
3056 | 3057 |
|
3057 | 3058 |
EOD; |
3058 | 3059 |
} |
... | ... | |
3070 | 3071 |
if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) { |
3071 | 3072 |
$ipfrules .= <<<EOD |
3072 | 3073 |
# PPTPd rules |
3073 |
pass in {$log} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}" |
|
3074 |
pass in {$log} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd" |
|
3074 |
pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
|
|
3075 |
pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd"
|
|
3075 | 3076 |
|
3076 | 3077 |
EOD; |
3077 | 3078 |
|
... | ... | |
3091 | 3092 |
&& $rule['natreflection'] != "disable") { |
3092 | 3093 |
$ipfrules .= "# NAT Reflection rules\n"; |
3093 | 3094 |
$ipfrules .= <<<EOD |
3094 |
pass in {$log} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost" |
|
3095 |
pass in {$log['pass']} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost"
|
|
3095 | 3096 |
|
3096 | 3097 |
EOD; |
3097 | 3098 |
break; |
... | ... | |
3191 | 3192 |
} |
3192 | 3193 |
if ($sa && is_ipaddrv4($routeent[0])) { |
3193 | 3194 |
$ipfrules .= <<<EOD |
3194 |
pass {$log} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3195 |
pass {$log} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3196 |
pass {$log} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3197 |
pass {$log} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3195 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3196 |
pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3197 |
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3198 |
pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3198 | 3199 |
|
3199 | 3200 |
EOD; |
3200 | 3201 |
} |
... | ... | |
3205 | 3206 |
} |
3206 | 3207 |
if ($sa && is_ipaddrv6($routeent[0])) { |
3207 | 3208 |
$ipfrules .= <<<EOD |
3208 |
pass {$log} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3209 |
pass {$log} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3210 |
pass {$log} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3211 |
pass {$log} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" |
|
3209 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3210 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3211 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3212 |
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
|
|
3212 | 3213 |
|
3213 | 3214 |
EOD; |
3214 | 3215 |
} |
... | ... | |
3242 | 3243 |
} |
3243 | 3244 |
if($sa) { |
3244 | 3245 |
$ipfrules .= <<<EOD |
3245 |
pass in {$log} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd" |
|
3246 |
pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd"
|
|
3246 | 3247 |
|
3247 | 3248 |
EOD; |
3248 | 3249 |
} |
... | ... | |
3261 | 3262 |
$mt = microtime(); |
3262 | 3263 |
echo "filter_rules_spoofcheck_generate() being called $mt\n"; |
3263 | 3264 |
} |
3264 |
$ipfrules = "antispoof {$log} for \${$ifcfg['descr']} tracker {$tracker}\n"; |
|
3265 |
$ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} tracker {$tracker}\n";
|
|
3265 | 3266 |
$tracker++; |
3266 | 3267 |
|
3267 | 3268 |
return $ipfrules; |
... | ... | |
3483 | 3484 |
|
3484 | 3485 |
if(isset($config['system']['developerspew'])) { |
3485 | 3486 |
$mt = microtime(); |
3486 |
echo "filter_process_carp_rules($log) being called $mt\n";
|
|
3487 |
echo "filter_process_carp_rules() being called $mt\n"; |
|
3487 | 3488 |
} |
3488 | 3489 |
|
3489 | 3490 |
$increment_tracker = 'filter_rule_tracker'; |
3490 | 3491 |
$lines = ""; |
3491 | 3492 |
/* return if there are no carp configured items */ |
3492 | 3493 |
if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) { |
3493 |
$lines .= "block in {$log} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n"; |
|
3494 |
$lines .= "pass {$log} quick proto carp tracker {$increment_tracker($tracker)}\n"; |
|
3494 |
$lines .= "block in {$log['block']} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n";
|
|
3495 |
$lines .= "pass {$log['pass']} quick proto carp tracker {$increment_tracker($tracker)}\n";
|
|
3495 | 3496 |
} |
3496 | 3497 |
return $lines; |
3497 | 3498 |
} |
3498 | 3499 |
|
3499 | 3500 |
/* Generate IPSEC Filter Items */ |
3500 |
function filter_generate_ipsec_rules($log = "") {
|
|
3501 |
function filter_generate_ipsec_rules($log = array()) {
|
|
3501 | 3502 |
global $config, $g, $FilterIflist, $tracker; |
3502 | 3503 |
|
3503 | 3504 |
if(isset($config['system']['developerspew'])) { |
... | ... | |
3595 | 3596 |
/* Add rules to allow IKE to pass */ |
3596 | 3597 |
$shorttunneldescr = substr($descr, 0, 35); |
3597 | 3598 |
$ipfrules .= <<<EOD |
3598 |
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" |
|
3599 |
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" |
|
3599 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
|
|
3600 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
|
|
3600 | 3601 |
|
3601 | 3602 |
EOD; |
3602 | 3603 |
/* If NAT-T is enabled, add additional rules */ |
3603 | 3604 |
if($ph1ent['nat_traversal'] != "off" ) { |
3604 | 3605 |
$ipfrules .= <<<EOD |
3605 |
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" |
|
3606 |
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" |
|
3606 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
|
|
3607 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
|
|
3607 | 3608 |
|
3608 | 3609 |
EOD; |
3609 | 3610 |
} |
3610 | 3611 |
/* Add rules to allow the protocols in use */ |
3611 | 3612 |
if($prot_used_esp == true) { |
3612 | 3613 |
$ipfrules .= <<<EOD |
3613 |
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" |
|
3614 |
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" |
|
3614 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
|
|
3615 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
|
|
3615 | 3616 |
|
3616 | 3617 |
EOD; |
3617 | 3618 |
} |
3618 | 3619 |
if($prot_used_ah == true) { |
3619 | 3620 |
$ipfrules .= <<<EOD |
3620 |
pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" |
|
3621 |
pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" |
|
3621 |
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
|
|
3622 |
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
|
|
3622 | 3623 |
|
3623 | 3624 |
EOD; |
3624 | 3625 |
} |
Split the setting for logging pass and block rules into 2 separate settings. Maybe this can be extended to control the user rules as well?