author | Chris Buechler <cmb@cmb-macbook-pro.local> | 2009-04-16 01:30:38 -0400 |
---|---|---|
committer | Chris Buechler <cmb@cmb-macbook-pro.local> | 2009-04-16 01:30:38 -0400 |
commit | f031a007d5e9ee5782ed1508d8af52373727731e (patch) | |
tree | d75c5a60e66be7bb095d40db999dfc3a43ba49dc | |
parent | 3901843ab1103a76fa56a8d5999d58435b41f45c (diff) | |
download | pfsense-f031a007d5e9ee5782ed1508d8af52373727731e.zip pfsense-f031a007d5e9ee5782ed1508d8af52373727731e.tar.gz |
Allow disabling of auto-added VPN rules
-rw-r--r-- | etc/inc/filter.inc | 23 | ||||
-rwxr-xr-x | usr/local/www/system_advanced.php | 16 |
2 files changed, 31 insertions, 8 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5ae41b5..5075d18 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2635,7 +2635,8 @@ EOD;
 $pptpdtarget = $pptpdcfg['redir'];
 if($pptpdtarget) {
- $ipfrules .= <<<EOD
+ if(!isset($config['system']['disablevpnrules'])) {
+ $ipfrules .= <<<EOD
 # PPTPd rules
 anchor "pptp"
@@ -2643,6 +2644,7 @@ pass in quick on \$wan proto gre from any to $pptpdtarget keep state label "allo
 pass in quick on \$wan proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}"
 EOD;
+ }
 } else {
 /* this shouldnt ever happen but instead of breaking the clients ruleset
@@ -2822,7 +2824,10 @@ EOD;
 continue;
 if(!$remote_gateway)
 continue;
- $shorttunneldescr = substr($tunnel['descr'], 0, 26);
+ if(isset($config['system']['disablevpnrules']))
+ continue;
+
+ $shorttunneldescr = substr($tunnel['descr'], 0, 26);
 $ipfrules .= "pass out quick on \${$iface} proto udp from any to {$remote_gateway} port = 500 keep state label \"IPSEC: {$shorttunneldescr} - outbound isakmp\"\n";
 $ipfrules .= "pass in quick on \${$iface} proto udp from {$remote_gateway} to any port = 500 keep state label \"IPSEC: {$shorttunneldescr} - inbound isakmp\"\n";
 if ($tunnel['p2']['protocol'] == 'esp') {
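Review bot: The same `isset($config['system']['disablevpnrules'])` test is repeated in every VPN rule block this commit touches (here at 2635 and 2822, and again at 2843, 3036 and 3049), and in the 2822 hunk it is re-evaluated on every iteration of the tunnel loop, after the `$remote_gateway` check, even though its value cannot change between tunnels. Reading it once into a local near the top of the rule generator, `$vpnrules_disabled = isset($config['system']['disablevpnrules']);`, and testing that (or skipping the whole `foreach` when it is set) would keep the setting's scope visible in one place. A short comment at that point, such as `/* "Disable Auto-added VPN rules" (System > Advanced): emit no pass rules for IPsec, PPTP or OpenVPN */`, would also tell a reader of the generated ruleset why these blocks are conditional. The function enclosing all three hunks begins outside the hunk.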
@@ -2843,10 +2848,12 @@ EOD;
 */
 $ipseccfg = $config['ipsec'];
 if (isset($ipseccfg['mobileclients']['enable'])) {
- foreach($ifdescrs as $iface) {
- $ipfrules .= "pass in quick on \${$iface} proto udp from any to any port = 500 keep state label \"IPSEC: Mobile - inbound isakmp\"\n";
- $ipfrules .= "pass in quick on \${$iface} proto esp from any to any keep state label \"IPSEC: Mobile - inbound esp proto\"\n";
- $ipfrules .= "pass in quick on \${$iface} proto ah from any to any keep state label \"IPSEC: Mobile - inbound ah proto\"\n";
+ if(!isset($config['system']['disablevpnrules'])) {
+ foreach($ifdescrs as $iface) {
+ $ipfrules .= "pass in quick on \${$iface} proto udp from any to any port = 500 keep state label \"IPSEC: Mobile - inbound isakmp\"\n";
+ $ipfrules .= "pass in quick on \${$iface} proto esp from any to any keep state label \"IPSEC: Mobile - inbound esp proto\"\n";
+ $ipfrules .= "pass in quick on \${$iface} proto ah from any to any keep state label \"IPSEC: Mobile - inbound ah proto\"\n";
+ }
 }
 }
 }
@@ -3036,7 +3043,7 @@ function create_firewall_outgoing_rules_to_itself() {
 /* Some people use a TUN tunnel with public IP as a Multiwan interface */
 if(interface_has_gateway("tun{$x}")) {
 $rule .= "# Not adding default pass in rule for interface $friendlytunif - tun{$x} with a gateway!";
- } else {
+ } elseif (!isset($config['system']['disablevpnrules'])) {
 $rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
 }
 }
@@ -3049,7 +3056,7 @@ function create_firewall_outgoing_rules_to_itself() {
 /* Some people use a TAP tunnel with public IP as a Multiwan interface */
 if(interface_has_gateway("tap{$x}")) {
 $rule .= "# Not adding default pass in rule for interface $friendlytapif - tap{$x} with a gateway!";
- } else {
+ } elseif (!isset($config['system']['disablevpnrules'])) {
 $rule .="pass in quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
 }
 }
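Review bot: In the two `create_firewall_outgoing_rules_to_itself()` hunks (3036 and 3049) the new `elseif` reads `$config` inside a function whose opening lines are outside the hunk; unless that function already declares `global $config`, `isset()` on an undefined local is quietly false and the tun/tap pass rules are still emitted with the option enabled, so the setting would have no effect there. That is worth confirming, and `global $config;` should be added at the top of the function if it is missing. The 2843 hunk does not have this problem, since the surrounding code already reads `$config['ipsec']` in the same scope.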
diff --git a/usr/local/www/system_advanced.php b/usr/local/www/system_advanced.php
index 0c2eed8..0bf1bc3 100755
--- a/usr/local/www/system_advanced.php
+++ b/usr/local/www/system_advanced.php
@@ -63,6 +63,7 @@ $pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksum
 $pconfig['disablescrub'] = isset($config['system']['disablescrub']);
 $pconfig['shapertype'] = $config['system']['shapertype'];
 $pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
+$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
 if ($_POST) {
@@ -122,6 +123,11 @@ if ($_POST) {
 } else {
 unset($config['system']['disablefilter']);
 }
+ if($_POST['disablevpnrules'] == "yes") {
+ $config['system']['disablevpnrules'] = true;
+ } else {
+ unset($config['system']['disablevpnrules']);
+ }
 if($_POST['enablesshd'] == "yes") {
 $config['system']['enablesshd'] = "enabled";
 touch("{$g['tmp_path']}/start_sshd");
@@ -647,6 +653,16 @@ include("head.inc");
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell">Disable Auto-added VPN rules</td>
+ <td width="78%" class="vtable">
+ <input name="disablevpnrules" type="checkbox" id="disablevpnrules" value="yes" <?php if (isset($config['system']['disablevpnrules'])) echo "checked"; ?> onclick="enable_change(false)" />
+ <strong>Disable all auto-added VPN rules.</strong>
+ <br />
+ <span class="vexpl">Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN.
+ </span>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top"> </td>
 <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
 </tr> |
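Review bot: The help text added in the 647 hunk says what the option turns off but not what the administrator has to do afterwards: with the box checked, the IPsec, PPTP and OpenVPN pass rules that filter.inc generated are gone, so that traffic is presumably only allowed by rules the administrator writes by hand, and saving the option without adding any is likely to show up as an unexplained loss of VPN connectivity. Extending the `vexpl` span along the lines of `Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN. You must then add your own firewall rules to pass VPN traffic.` would put that consequence where the choice is made. In the 122 hunk, `$_POST['disablevpnrules'] == "yes"` follows the pattern of the neighbouring toggles; since an unchecked checkbox is not submitted at all, `isset($_POST['disablevpnrules']) && $_POST['disablevpnrules'] == "yes"` would avoid an undefined-index notice on every save with the box clear.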