author | Scott Ullrich <sullrich@pfsense.org> | 2006-07-04 18:37:20 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2006-07-04 18:37:20 +0000 |
commit | 769c5c761d73fbdcfe520dafca089e6fc09ea872 (patch) | |
tree | aed355aa9bfa6ac6085a6cdb99124767609ce349 | |
parent | 7a6c350f05dddbe00f28ea1c94dbbedd9487ffe6 (diff) | |
Add $force_ftp_source_ip option
Ticket #1037
-rw-r--r-- | etc/inc/filter.inc | 390 |
1 files changed, 197 insertions, 193 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 0805039..8df1e38 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -47,12 +47,12 @@ function filter_pflog_start() { if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "filter_pflog_start() being called $mt\n"; - } + } mute_kernel_msgs(); mwexec_bg("/usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0 | logger -t pf -p local0.info"); - + unmute_kernel_msgs(); } @@ -62,7 +62,7 @@ function filter_configure() { if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "filter_configure() being called $mt\n"; - } + } global $g; touch($g['tmp_path'] . "/filter_dirty"); } @@ -74,12 +74,12 @@ function filter_configure_sync() { if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "filter_configure_sync() being called $mt\n"; - } + } unlink_if_exists("{$g['tmp_path']}/filter_dirty"); $lan_if = $config['interfaces']['lan']['if']; $wan_if = get_real_wan_interface(); - + /* generate aliases */ if($g['booting'] == true) echo " aliases "; update_filter_reload_status("Creating aliases"); @@ -112,9 +112,9 @@ function filter_configure_sync() { update_filter_reload_status("Generating ALTQ rules"); $pf_altq_rules .= filter_generate_pf_altq_rules(); } - + update_filter_reload_status("Loading filter rules"); - + /* enable pf if we need to, otherwise disable */ if( !isset( $config['system']['disablefilter'] ) ) { mwexec("/sbin/pfctl -e"); 
@@ -153,16 +153,16 @@ function filter_configure_sync() { $rules.= "set optimization {$config['system']['optimization']}\n"; else $rules.= "set optimization normal\n"; - + if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) { /* User defined maximum states in Advanced menu. */ $rules.= "set limit states {$config['system']['maximumstates']}\n"; } $rules.= "\n"; $rules.= "scrub on {$wanif} all {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions - + update_filter_reload_status("Setting up SCRUB information"); - + /* loop through optional interfaces. if a gateway is set, lets scrub em down! */ for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { if($config['interfaces']["opt" . $j]['gateway'] <> "") { @@ -204,9 +204,9 @@ function filter_configure_sync() { } unlink_if_exists("/usr/local/pkg/pf/carp_sync_client.php"); - + update_filter_reload_status("Running plugins"); - + /* process packager manager custom rules */ $files = return_dir_as_array("/usr/local/pkg/pf/"); if($files <> "") { @@ -221,7 +221,7 @@ function filter_configure_sync() { if($g['booting'] == true) echo "\t{$file}... "; eval($text); - if($g['booting'] == true) + if($g['booting'] == true) echo "done.\n"; } } @@ -229,12 +229,12 @@ function filter_configure_sync() { } } } - + update_filter_reload_status("Syncing CARP data"); - + /* sync carp entries to other firewalls */ carp_sync_client(); - + /* we need a way to let a user run a shell cmd after each filter_configure() call. run this xml command after @@ -243,12 +243,12 @@ function filter_configure_sync() { if($config['system']['afterfilterchangeshellcmd'] <> "") { mwexec($config['system']['afterfilterchangeshellcmd']); } - + /* run items scheduled for after filter configure run */ foreach($after_filter_configure_run as $afcr) { mwexec($afcr); } - + update_filter_reload_status("Done"); return 0; 
@@ -270,9 +270,9 @@ function filter_generate_aliases() { $lan_aliases = " " . link_ip_to_carp_interface($lanip); $wan_aliases = " " . link_ip_to_carp_interface($wanip); - if(link_int_to_bridge_interface("lan")) + if(link_int_to_bridge_interface("lan")) $lan_aliases .= " " . link_int_to_bridge_interface("lan"); - if(link_int_to_bridge_interface("wan")) + if(link_int_to_bridge_interface("wan")) $wan_aliases .= " " . link_int_to_bridge_interface("wan"); $aliases .= "# System Aliases \n"; @@ -283,27 +283,27 @@ function filter_generate_aliases() { $aliases .= "ng0 = \"{ " . $config['interfaces']['wan']['if'] . " " . get_real_wan_interface() . " }\" \n"; $aliases .= "wan = \"{ " . $config['interfaces']['wan']['if'] . "{$wan_aliases} ng0 }\"\n"; } else { - $aliases .= "wan = \"{ " . get_real_wan_interface() . "{$wan_aliases} }\"\n"; + $aliases .= "wan = \"{ " . get_real_wan_interface() . "{$wan_aliases} }\"\n"; } - + /* used to count netgraph interfaces */ $counter = 0; - + /* ng ordering is VERY important here. do not alter orer */ if($config['pptpd']['mode'] == "server") { /* build pptp alias */ $tmp = "pptp = \"{ "; $starting_pptp = 0; - if($config['interfaces']['wan']['ipaddr'] == "pppoe") + if($config['interfaces']['wan']['ipaddr'] == "pppoe") $starting_pptp = 1; - for($x=$starting_pptp; $x<$g["n_pptp_units"]+$starting_pptp; $x++) + for($x=$starting_pptp; $x<$g["n_pptp_units"]+$starting_pptp; $x++) $tmp .= "ng{$x} "; $counter = $x; $tmp .= "}\" \n"; if($counter > 0) $aliases .= $tmp; } - if($config['pppoe']['mode'] == "server") { + if($config['pppoe']['mode'] == "server") { /* build pppoe alias */ $tmp = "pppoe = \"{ "; for($x=0; $x<$g["n_pppoe_units"]; $x++) { 
@@ -325,8 +325,8 @@ function filter_generate_aliases() { /* do process tun interfaces for openvpn compatibility */ /* if(stristr(filter_opt_interface_to_real($ifname), "tun") == true) continue; */ $aliases .= convert_friendly_interface_to_friendly_descr($ifname) . " = \"{ " . filter_opt_interface_to_real($ifname); - if(link_int_to_bridge_interface($ifname)) - $aliases .= " " . link_int_to_bridge_interface($ifname); + if(link_int_to_bridge_interface($ifname)) + $aliases .= " " . link_int_to_bridge_interface($ifname); $aliases .= " }\"\n"; } $aliases .= "# User Aliases \n"; @@ -416,7 +416,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = " /* XXX: billm - any idea if this code is needed? */ if($src == "/32" || $src{0} == "/") return; - + /* Use interface name if IP isn't specified */ if ($natip != "") $tgt = "{$natip}/32"; @@ -426,7 +426,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = " /* Add the hard set source port (useful for ISAKMP) */ if ($natport != "") $tgt .= " port {$natport}"; - + /* sometimes this gets called with "" instead of a value */ if ($src == "") $src = "any"; @@ -529,7 +529,7 @@ function filter_nat_rules_generate() { $natrules .= "rdr-anchor \"pftpx/*\"\n"; update_filter_reload_status("Creating 1:1 rules..."); - + /* any 1:1 mappings? */ if (is_array($config['nat']['onetoone'])) { foreach ($config['nat']['onetoone'] as $natent) { @@ -566,7 +566,7 @@ function filter_nat_rules_generate() { $natif = $wanif; else $natif = $config['interfaces'][$obent['interface']]['if']; - + $natrules .= filter_nat_rules_generate_if($natif, $src, $obent['sourceport'], @@ -576,7 +576,7 @@ function filter_nat_rules_generate() { $obent['natport'], isset($obent['nonat']), isset($obent['staticnatport']) - ); + ); } } } else { 
@@ -586,11 +586,11 @@ function filter_nat_rules_generate() { $natrules .= filter_nat_rules_generate_if($wanif, "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false); } - + update_filter_reload_status("Creating outbound rules"); - + $natrules .= filter_nat_rules_generate_if($wanif, "{$lansa}/{$lancfg['subnet']}"); - + /* optional interfaces */ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { update_filter_reload_status("Creating outbound rules (opt{$i})"); @@ -602,10 +602,10 @@ function filter_nat_rules_generate() { /* setup nat mappings for lan -> opt[$i] * interface if a gateway is defined */ - if($optcfg['gateway'] <> "" or $optcfg['ipaddr'] == "dhcp") + if($optcfg['gateway'] <> "" or $optcfg['ipaddr'] == "dhcp") $natrules .= filter_nat_rules_generate_if($optcfg['if'], "{$lansa}/{$lancfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); - + /* create outbound nat entries for all opt wans */ $optints = array(); generate_optcfg_array($optints); @@ -615,7 +615,7 @@ function filter_nat_rules_generate() { $natrules .= filter_nat_rules_generate_if($opt_interface, "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); } - + /* create outbound nat entries for primary wan */ $natrules .= filter_nat_rules_generate_if($wanif, "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); @@ -657,7 +657,7 @@ function filter_nat_rules_generate() { /* is SPAMD insalled? */ if (is_package_installed("spamd") == 1) { $natrules .= "\n# spam table \n"; - + $natrules .= "table <whitelist> persist\n"; $natrules .= "table <blacklist> persist\n"; $natrules .= "table <spamd> persist\n"; 
@@ -666,11 +666,11 @@ function filter_nat_rules_generate() { $natrules .= "rdr pass on {$wanif} proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd\n"; $natrules .= "rdr pass on {$wanif} proto tcp from !<spamd-white> to port smtp -> 127.0.0.1 port spamd\n"; if($config['installedpackages']['spamdsettings']['config']) - foreach($config['installedpackages']['spamdsettings']['config'] as $ss) + foreach($config['installedpackages']['spamdsettings']['config'] as $ss) $nextmta = $ss['nextmta']; if($nextmta <> "") { $natrules .= "rdr pass on {$wanif} proto tcp from <spamd-white> to port smtp -> {$nextmta} port smtp\n"; - } + } } /* load balancer anchor */ @@ -682,9 +682,9 @@ function filter_nat_rules_generate() { $natrules .= "\n# FTP Proxy/helper\n"; /* build an array of interfaces to work with */ $iflist = array("lan" => "LAN"); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) $iflist['opt' . $i] = "opt{$i}"; - $interface_counter = 0; + $interface_counter = 0; /* loop through all interfaces and handle pftpx redirections */ foreach ($iflist as $ifent => $ifname) { $ifname_lower = convert_friendly_interface_to_friendly_descr(strtolower($ifname)); @@ -705,12 +705,12 @@ function filter_nat_rules_generate() { $vpns = "any"; $int_ip = find_interface_ip($tmp_interface); /* if interface lacks an ip, dont setup a rdr for ftp. they are most likely on a bridged interface */ - if($int_ip) + if($int_ip) $natrules .= "rdr on \${$ifname_lower} proto tcp from any to {$vpns} port 21 -> 127.0.0.1 port {$tmp_port}\n"; $interface_counter++; } $natrules .= "\n"; - + /* DIAG: add ipv6 NAT, if requested */ if (isset($config['diag']['ipv6nat']['enable']) and $config['diag']['ipv6nat']['ipaddr'] <> "") { /* XXX: FIX ME! IPV6 */ 
@@ -723,31 +723,31 @@ function filter_nat_rules_generate() { if (isset($config['nat']['rule'])) { $natrules .= "# NAT Inbound Redirects\n"; - + if(!isset($config['system']['disablenatreflection'])) { - $inetd_fd = fopen("/var/etc/inetd.conf","w"); + $inetd_fd = fopen("/var/etc/inetd.conf","w"); /* start redirects on port 19000 of localhost */ $starting_localhost_port = 18999; } - + foreach ($config['nat']['rule'] as $rule) { - update_filter_reload_status("Creating NAT rule {$rule['descr']}"); + update_filter_reload_status("Creating NAT rule {$rule['descr']}"); /* if item is an alias, expand */ if(alias_expand($rule['external-port'])) $extport[0] = alias_expand_value($rule['external-port']); - else + else $extport = explode("-", $rule['external-port']); /* if item is an alias, expand */ - if(alias_expand($rule['local-port'])) + if(alias_expand($rule['local-port'])) $localport = ""; else $localport = " port {$rule['local-port']}"; $target = alias_expand_host($rule['target']); - + if (!$target) continue; /* unresolvable alias */ @@ -764,7 +764,7 @@ function filter_nat_rules_generate() { else if($rule['interface'] == "\$pptp") $natif = "pptp"; else if($rule['interface'] == "\$pppoe") - $natif = "pppoe"; + $natif = "pppoe"; else $natif = $config['interfaces'][$rule['interface']]['if']; 
@@ -793,18 +793,22 @@ function filter_nat_rules_generate() { if($external_address == "") $external_address = find_interface_ip(get_real_wan_interface()); /* install a pftpx helper, do not set a rule. also use the delay filter configure run - * routines because if this is the first bootup the filter is not completely configured - * and thus pf is not fully running. otherwise we end up with: pftpx: pf is disabled - */ - $after_filter_configure_run[] = "/usr/local/sbin/pftpx -f {$target} -b {$external_address} -c 21 -g 21 2>>/tmp/pftpx_errors"; + * routines because if this is the first bootup the filter is not completely configured + * and thus pf is not fully running. otherwise we end up with: pftpx: pf is disabled + */ + if($rule['force_ftp_source_ip']) + $force_ftp_source_ip = $rule['force_ftp_source_ip']; + else + $force_ftp_source_ip = ""; + $after_filter_configure_run[] = "/usr/local/sbin/pftpx -f {$target} -b {$external_address} -c 21 -g 21 {$force_ftp_source_ip} 2>>/tmp/pftpx_errors"; } $dontinstallrdr = true; } } - + if($extaddr == "") $dontinstallrdr = true; - + $rdr_on = convert_real_interface_to_friendly_descr($rule['interface']); if($dontinstallrdr == false) { @@ -816,9 +820,9 @@ function filter_nat_rules_generate() { break; case "udp": case "tcp": - if($extport[0]) + if($extport[0]) $natrules .= "rdr on $natif proto {$rule['protocol']} from any to {$extaddr} port { {$extport[0]} } -> {$target}{$localport}"; - else + else $natrules .= "rdr on $natif proto {$rule['protocol']} from any to {$extaddr} -> {$target}{$localport}"; break; default: @@ -854,12 +858,12 @@ function filter_nat_rules_generate() { } if(!isset($config['system']['disablenatreflection'])) { - + update_filter_reload_status("Setting up reflection"); - - $natrules .= "\n# Reflection redirects\n"; + + $natrules .= "\n# Reflection redirects\n"; foreach ($iflist as $ifent => $ifname) { - + /* do not process interfaces with gateways*/ if($config['interfaces'][$ifname]['gateway'] <> "") continue; 
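Review bot: The new `$rule['force_ftp_source_ip']` value is spliced verbatim into the pftpx command line queued in `$after_filter_configure_run[]`, which the `foreach($after_filter_configure_run as $afcr) mwexec($afcr)` loop in the `@@ -243` hunk later runs as a shell command (presumably via a global), yet the hunk neither checks that the string is an address nor escapes it. The value is also appended bare between `-g 21` and the stderr redirect, so it presumably has to carry its own pftpx switch — confirm against pftpx's usage, because a plain IP in that position would be consumed as a positional argument. I would at least validate and quote it before interpolating: `$force_ftp_source_ip = (isset($rule['force_ftp_source_ip']) && is_ipaddr($rule['force_ftp_source_ip'])) ? escapeshellarg($rule['force_ftp_source_ip']) : "";` (`is_ipaddr()` is a pfSense helper not shown here; if the field is meant to include the switch, validate that shape instead). Since config.xml is normally written by the web GUI, which already runs with full privileges, this mainly hardens against a mangled or hand-edited config rather than closing a privilege boundary, but an unquoted value that breaks the command line silently disables the FTP helper. filter_nat_rules_generate() starts and ends outside this hunk.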
@@ -872,33 +876,33 @@ function filter_nat_rules_generate() { continue; $ifname_real = convert_friendly_interface_to_real_interface_name($ifname); - + if($extport[1]) $range_end = ($extport[1]); else $range_end = ($extport[0]); - + $range_end++; - - if($rule['local-port']) + + if($rule['local-port']) $lrange_start = $rule['local-port']; if($range_end - $extport[0] > 500) { $range_end = $extport[0]+1; log_error("Not installing nat reflection rules for a port range > 500"); - } else { + } else { /* only install reflection rules for < 19991 items */ if($starting_localhost_port < 19991) { $loc_pt = $lrange_start; for($x=$extport[0]; $x<$range_end; $x++) { - + update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); - + $starting_localhost_port++; $ifname_real = convert_friendly_interface_to_friendly_descr(strtolower($ifname)); - switch($rule['protocol']) { + switch($rule['protocol']) { case "tcp/udp": $protocol = "{ tcp udp }"; @@ -922,22 +926,22 @@ function filter_nat_rules_generate() { } } } - + } - + } - + $natrules .= "\n"; } - + if(!isset($config['system']['disablenatreflection'])) { - fclose($inetd_fd); + fclose($inetd_fd); $helpers = trim(exec("/bin/ps ax | /usr/bin/grep inetd | /usr/bin/grep -v grep | /usr/bin/grep 127")); if(!$helpers) mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); else mwexec("/usr/bin/killall -HUP inetd"); - + } } @@ -980,8 +984,8 @@ function run_command_return_string($cmd) { if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "generate_user_filter_rule() being called $mt\n"; - } - + } + $fd = popen($cmd, "r"); while(!feof($fd)) { $tmp .= fread($fd,49); @@ -996,7 +1000,7 @@ function generate_user_filter_rule_arr($rule, $ngcounter) { if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "generate_user_filter_rule() being called $mt\n"; - } + } $ret = array(); $line = generate_user_filter_rule($rule, $ngcounter); $ret['rule'] = $line; 
@@ -1005,9 +1009,9 @@ function generate_user_filter_rule_arr($rule, $ngcounter) { else $ret['descr'] = "label \"USER_RULE\""; $ret['ackq'] = get_ack_queue($rule['interface']); - - return $ret; -} + + return $ret; +} function generate_user_filter_rule($rule, $ngcounter) { global $config, $g; @@ -1023,19 +1027,19 @@ function generate_user_filter_rule($rule, $ngcounter) { $lancfg = $config['interfaces']['lan']; $pptpdcfg = $config['pptpd']; $pppoecfg = $config['pppoe']; - + $lanif = $lancfg['if']; $wanif = get_real_wan_interface(); - + $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; - + $optcfg = array(); generate_optcfg_array($optcfg); - + $curwanip = get_current_wan_address(); - + /* don't include disabled rules */ if (isset($rule['disabled'])) { return "# rule " . $rule['descr'] . " disabled \n"; @@ -1059,10 +1063,10 @@ function generate_user_filter_rule($rule, $ngcounter) { if($config['pppoe']['pppoe_subnet'] <> "") $pppoesn = $config['pppoe']['pppoe_subnet']; } - + /* does the rule deal with a PPTP interface? */ if ($rule['interface'] == "pptp") { - if ($pptpdcfg['mode'] != "server") + if ($pptpdcfg['mode'] != "server") return ""; $nif = $g['n_pptp_units']; if($config['pptp']['n_pptp_units'] <> "") 
@@ -1075,30 +1079,30 @@ function generate_user_filter_rule($rule, $ngcounter) { $nif = $g['n_pppoe_units']; if($config['pppoe']['n_pppoe_units'] <> "") $nif = $config['pppoe']['n_pppoe_units']; - $ispppoe = true; + $ispppoe = true; } else { - + /* Check to see if the interface is opt and in our opt list */ if (strstr($rule['interface'], "opt")) { if (!array_key_exists($rule['interface'], $optcfg)) { $item = ""; - foreach($optcfg as $oc) $item .= $oc['if']; + foreach($optcfg as $oc) $item .= $oc['if']; return "# {$real_int} {$item} {$rule['interface']} array key does not exist for " . $rule['descr']; } } - + $nif = 1; $ispptp = false; $ispppoe = false; } - + if ($pptpdcfg['mode'] != "server") { if (($rule['source']['network'] == "pptp") || ($rule['destination']['network'] == "pptp")) { return "# source network or destination network == pptp on " . $rule['descr']; } } - + if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) { if (!array_key_exists($rule['source']['network'], $optcfg)) { return "# {$rule['source']['network']} !array_key_exists source network " . $rule['descr']; @@ -1111,7 +1115,7 @@ function generate_user_filter_rule($rule, $ngcounter) { return "# {$item} {$rule['destination']['network']} !array_key_exists dest network " . $rule['descr']; } } - + /* check for unresolvable aliases */ if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) { return "# unresolvable source aliases {$rule['descr']}"; 
@@ -1121,18 +1125,18 @@ function generate_user_filter_rule($rule, $ngcounter) { } $ifdescrs = array(); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) $ifdescrs[] = "opt" . $i; - + update_filter_reload_status("Setting up pass/block rules"); - + for ($iif = 0; $iif < $nif; $iif++) { $type = $rule['type']; if ($type != "pass" && $type != "block" && $type != "reject") { /* default (for older rules) is pass */ $type = "pass"; } - + if ($type == "reject") { /* special reject packet */ if ($rule['protocol'] == "tcp") { @@ -1147,15 +1151,15 @@ function generate_user_filter_rule($rule, $ngcounter) { } else { $line = $type; } - + /* ensure the direction is in */ $line .= " in "; - + if (isset($rule['log'])) $line .= "log "; - + $line .= "quick "; - + if ($ispptp) { $line .= "on \$pptp "; } else if ($ispppoe) { @@ -1176,8 +1180,8 @@ function generate_user_filter_rule($rule, $ngcounter) { if($canadd == 0) $line .= "on \$" . convert_real_interface_to_friendly_descr($rule['interface']) . " "; } - - + + /* set the gateway interface */ $ri = filter_translate_type_to_real_interface($rule['interface']); @@ -1287,7 +1291,7 @@ function generate_user_filter_rule($rule, $ngcounter) { } } } - + if (isset($rule['protocol'])) { if($rule['protocol'] == "tcp/udp") $line .= "proto { tcp udp } "; @@ -1316,10 +1320,10 @@ function generate_user_filter_rule($rule, $ngcounter) { switch ($rule['source']['network']) { case 'wanip': $src = $curwanip; - break; + break; case 'lanip': $src = $lanip; - break; + break; case 'lan': $src = "{$lansa}/{$lansn}"; break; 
@@ -1357,15 +1361,15 @@ function generate_user_filter_rule($rule, $ngcounter) { else $src = "{ {$not} {$expsrc} }"; } - + if (!$src || ($src == "/")) { return "# at the break!"; } - + $line .= "from $src "; - + if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { - + if ($rule['source']['port']) { $srcport = explode("-", $rule['source']['port']); if(alias_expand($srcport[0])) @@ -1408,10 +1412,10 @@ function generate_user_filter_rule($rule, $ngcounter) { switch ($rule['destination']['network']) { case 'wanip': $dst = $curwanip; - break; + break; case 'lanip': $dst = $lanip; - break; + break; case 'lan': $dst = "{$lansa}/{$lansn}"; break; @@ -1420,7 +1424,7 @@ function generate_user_filter_rule($rule, $ngcounter) { break; case 'pppoe': $dst = "{$ppoesa}/{$pppoesn}"; - break; + break; } if (isset($rule['destination']['not'])) $dst = " !{$dst}"; } @@ -1449,15 +1453,15 @@ function generate_user_filter_rule($rule, $ngcounter) { else $dst = "{ {$not} {$expdst} }"; } - + if (!$dst || ($dst == "/")) { return "# returning at $dst == \"/\""; } - + $line .= "to $dst "; - + if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { - + if ($rule['destination']['port']) { $dstport = explode("-", $rule['destination']['port']); if(alias_expand($dstport[0])) 
@@ -1520,10 +1524,10 @@ function generate_user_filter_rule($rule, $ngcounter) { } else { $line .= "keep state "; } - if( isset($rule['source-track']) and $rule['source-track'] <> "" or - isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or - isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or - isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or + if( isset($rule['source-track']) and $rule['source-track'] <> "" or + isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or + isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or + isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or isset($rule['max-src-states']) and $rule['max-src-states'] <> "" ) { $line .= "( "; if(isset($rule['source-track']) and $rule['source-track'] <> "") @@ -1536,7 +1540,7 @@ function generate_user_filter_rule($rule, $ngcounter) { $line .= "tcp.established " . $rule['statetimeout'] . " "; if(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") { - $line .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " "; + $line .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " "; $line .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global "; } $line .= " ) "; @@ -1572,7 +1576,7 @@ function filter_rules_generate() { $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; - if($lansa) + if($lansa) $lansa_sn_combo = "{$lansa}/{$lansn}"; else $lansa_sn_combo = "192.168.1.1/32"; @@ -1636,9 +1640,9 @@ anchor "carp" EOD; if(!isset($config['system']['disableftpproxy'])) { - + $ipfrules .= "# enable ftp-proxy\n"; - + $optcfg = array(); generate_optcfg_array($optcfg); $ftp_counter = "8022"; @@ -1649,7 +1653,7 @@ EOD; } $ftp_counter++; } - + $ipfrules .= <<<EOD anchor "ftpproxy" 
@@ -1673,7 +1677,7 @@ pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user pr EOD; $optcfg = array(); - generate_optcfg_array($optcfg); + generate_optcfg_array($optcfg); foreach($optcfg as $oc) { if($oc['gateway'] <> "") $ipfrules .= "pass in quick on {$oc['if']} inet proto tcp from any to ({$oc['if']}) port > 49000 user proxy flags S/SA keep state label \"FTP PROXY: RFC959 violation workaround\" \n"; @@ -1831,9 +1835,9 @@ EOD; foreach ($optcfg as $on => $oc) { if (isset($config['dhcpd'][$on]['enable']) && (!$oc['bridge']) || ($oc['bridge'] && isset($config['dhcpd'][$oc['bridge']]['enable']))) { - + $friendly_on = filter_get_opt_interface_descr($on); - + $ipfrules .= <<<EOD # allow access to DHCP server on {$on} @@ -1896,7 +1900,7 @@ EOD; foreach ($optcfg as $oc) { if (!$oc['bridge']) - if($oc['sa'] <> "") + if($oc['sa'] <> "") if(isset($oc['enable'])) $ipfrules .= "block in $log quick on \$wan from {$oc['sa']}/{$oc['sn']} to any label \"interface spoof check\"\n"; } @@ -1939,9 +1943,9 @@ EOD; /* LAN spoof check */ $lanbridge = false; - foreach($config['interfaces'] as $int) + foreach($config['interfaces'] as $int) if($int['bridge'] == "lan") - $lanbridge = true; + $lanbridge = true; if(!$lanbridge) $ipfrules .= filter_rules_spoofcheck_generate('lan', $lanif, $lansa, $lansn, $log); @@ -1957,7 +1961,7 @@ EOD; if ($oc['ip'] && !(($oc['bridge'] || $isbridged) && isset($config['bridge']['filteringbridge']))) $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log); } - + /* block private networks on WAN? */ if (isset($config['interfaces']['wan']['blockpriv'])) { $ipfrules .= <<<EOD @@ -1973,7 +1977,7 @@ block in $log quick on \$wan from 192.168.0.0/16 to any label "block private net EOD; } - + /* * Support for allow limiting of TCP connections by establishment rate * Useful for protecting against sudden outburts, etc. 
@@ -2099,7 +2103,7 @@ EOD; if (!isset($rule['disabled'])) { if ($rule['interface'] == "pptp") { /* we have a pptp rule but its turned off, ignore */ - if(!$config['pptpd']['mode'] == "server") + if(!$config['pptpd']['mode'] == "server") continue; $n_pptp_units = $g['n_pptp_units']; if($config['pptp']['n_pptp_units'] <> "") @@ -2112,7 +2116,7 @@ EOD; $rule_arr[] = generate_user_filter_rule_arr($rule, 0); } else if($rule['interface'] == "pppoe") { if(!$config['pppoe']['mode'] == "server") - continue; + continue; $n_pppoe_units = $g['n_pppoe_units']; if($config['pppoe']['n_pppoe_units'] <> "") $nif = $config['pppoe']['n_pppoe_units']; @@ -2148,23 +2152,23 @@ EOD; fclose($fd); } } - + if (isset($config['filter']['rule'])) { foreach ($config['filter']['rule'] as $rule) { if($rule['interface'] == "pptp") { - if(!$config['pptpd']['mode'] == "server") - continue; + if(!$config['pptpd']['mode'] == "server") + continue; } if($rule['interface'] == "pppoe") { - if(!$config['pppoe']['mode'] == "server") - continue; + if(!$config['pppoe']['mode'] == "server") + continue; } /* Pre-cache all our rules so we only have to generate them once */ update_filter_reload_status("Pre-caching information for {$rule['descr']} ..."); $line = ""; if (!isset($rule['disabled'])) { $line = generate_user_filter_rule($rule, 0); - if($line <> "") + if($line <> "") if (isset($config['shaper']['enable']) && is_array($config['shaper']['queue'])) { $defq = find_default_queue($rule['interface']); $ackq = get_ack_queue($rule['interface']); @@ -2181,9 +2185,9 @@ EOD; $ipfrules .= $line; } } - + $ipfrules .= process_carp_rules(); - + update_filter_reload_status("Creating carp rules..."); $ipfrules .= "\n# VPN Rules\n"; 
@@ -2201,10 +2205,10 @@ EOD; /* set failover ip if defined */ if(isset($config['installedpackages']['sasyncd']['config'])) foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { - if($sasyncd['ip'] <> "") + if($sasyncd['ip'] <> "") $ipsec_failoverip = $sasyncd['ip']; } - + if(is_array($config['ipsec']['tunnel']) && isset($config['ipsec']['enable'])) { foreach ($config['ipsec']['tunnel'] as $tunnel) { update_filter_reload_status("Creating IPSEC tunnel items {$tunnel['descr']}..."); 
@@ -2223,28 +2227,28 @@ EOD; /* do not add items with blank remote_gateway */ if(!$remote_gateway) { $ipfrules .= "# ERROR! Remote gateway not found on ... pass quick on {$wanif} proto udp from {$ipsec_ip} to {$remote_gateway} port = 500 keep state label \"IPSEC: {$tunnel['descr']} udp\"\n"; - continue; + continue; } $local_subnet = return_vpn_subnet($tunnel['local-subnet']); $ipfrules .= "pass out quick on {$wanif} proto udp from {$ipsec_ip} to {$remote_gateway} port = 500 keep state label \"IPSEC: {$tunnel['descr']} - outbound isakmp\"\n"; $ipfrules .= "pass in quick on {$wanif} proto udp from {$remote_gateway} to {$ipsec_ip} port = 500 keep state label \"IPSEC: {$tunnel['descr']} - inbound isakmp\"\n"; - + if ($tunnel['p2']['protocol'] == 'esp') { $ipfrules .= "pass out quick on {$wanif} proto esp from {$ipsec_ip} to {$remote_gateway} keep state label \"IPSEC: {$tunnel['descr']} - outbound esp proto\"\n"; $ipfrules .= "pass in quick on {$wanif} proto esp from {$remote_gateway} to {$ipsec_ip} keep state label \"IPSEC: {$tunnel['descr']} - inbound esp proto\"\n"; } - + if ($tunnel['p2']['protocol'] == 'ah') { $ipfrules .= "pass out quick on {$wanif} proto ah from {$ipsec_ip} to {$remote_gateway} keep state label \"IPSEC: {$tunnel['descr']} - outbound ah proto\"\n"; $ipfrules .= "pass in quick on {$wanif} proto ah from {$remote_gateway} to {$ipsec_ip} keep state label \"IPSEC: {$tunnel['descr']} - inbound ah proto\"\n"; } - + //$ipfrules .= "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state label \"IPSEC: {$tunnel['descr']} - remote to local\"\n"; //$ipfrules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state label \"IPSEC: {$tunnel['descr']} - local to remote\"\n"; } } - - /* is mobile ipsec enabled? if so lets allow some pretty + + /* is mobile ipsec enabled? if so lets allow some pretty * loose rules to allow mobile clients to phone in. */ $ipseccfg = $config['ipsec']; 
@@ -2282,12 +2286,12 @@ function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) { } -function setup_logging_interfaces() { +function setup_logging_interfaces() { global $config; if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "setup_logging_interfaces() being called $mt\n"; - } + } $rules = ""; $i = 0; $ifdescrs = array('wan', 'lan'); @@ -2305,19 +2309,19 @@ function setup_logging_interfaces() { function create_firewall_outgoing_rules_to_itself() { global $config, $g; - + if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "create_firewall_outgoing_rules_to_itself() being called $mt\n"; - } - + } + $i = 0; $rule .= "# pass traffic from firewall -> out\n"; $rule .= "anchor \"firewallout\"\n"; $ifdescrs = array('wan', 'lan'); for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) $ifdescrs['opt' . $j] = "opt" . $j; - + /* go through primary and optional interfaces */ foreach ($ifdescrs as $ifdescr => $ifname) { $return_gateway = $config['interfaces'][$ifname]['gateway']; 
@@ -2356,54 +2360,54 @@ function create_firewall_outgoing_rules_to_itself() {
 $rule .="pass out quick on {$int} all keep state label \"let out anything from firewall host itself\"\n";
 }
 }
-
+
 update_filter_reload_status("Setting up bridging items");
 /* is bridging turned on? */
 for($x=0; $x<10; $x++) {
- if(does_interface_exist("bridge{$x}") == true)
+ if(does_interface_exist("bridge{$x}") == true)
 $rule .="pass out quick on bridge{$x} all keep state label \"let out anything from firewall host itself\"\n";
 }
-
+
 update_filter_reload_status("Setting up pptp items");
 if($config['pptpd']['mode'] == "server")
 $rule .="pass out quick on \$pptp all keep state label \"let out anything from firewall host itself pptp\"\n";
-
+
 update_filter_reload_status("Setting up pppoe items");
 if($config['pppoe']['mode'] == "server")
 $rule .="pass out quick on \$pppoe all keep state label \"let out anything from firewall host itself pppoe\"\n";
-
+
 update_filter_reload_status("Setting up gif tunnels");
 /* setup outgoing gif tunnels */
 $number_of_gifs = find_last_gif_device();
 $number_of_gifs++;
 for($x=0; $x<$number_of_gifs; $x++) {
- if(does_interface_exist("gif{$x}") == true)
+ if(does_interface_exist("gif{$x}") == true)
 $rule .="pass out quick on gif{$x} all keep state label \"let out anything from firewall host itself ipsec gif\"\n";
 }
 update_filter_reload_status("Setting up tun interfaces (openvpn)");
 /* openvpn tun interfaces. check for 100.
 */
 for($x=0; $x<100; $x++) {
- if(does_interface_exist("tun{$x}") == true) {
+ if(does_interface_exist("tun{$x}") == true) {
 $rule .="pass out quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
 $rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
 }
 }
-
+
 return $rule;
 }
 function process_carp_nat_rules() {
 global $g, $config;
-
+
 update_filter_reload_status("Creating CARP NAT rules");
-
+
 $wan_interface = get_real_wan_interface();
-
+
 if(isset($config['system']['developerspew'])) {
 $mt = microtime();
 echo "process_carp_nat_rules() being called $mt\n";
- }
+ }
 $lines = "";
 if($config['installedpackages']['carp']['config'] != "")
 foreach($config['installedpackages']['carp']['config'] as $carp) {
@@ -2412,7 +2416,7 @@ function process_carp_nat_rules() {
 $ipnet = "any";
 } else {
 $int = find_ip_interface($ip);
- $carp_int = find_carp_interface($ip);
+ $carp_int = find_carp_interface($ip);
 }
 if($int != false and $int != $wan_interface) {
 $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
@@ -2427,7 +2431,7 @@ function process_carp_rules() {
 if(isset($config['system']['developerspew'])) {
 $mt = microtime();
 echo "process_carp_rules() being called $mt\n";
- }
+ }
 $lines = "";
 /* return if there are no carp configured items */
 if($config['installedpackages']['carpsettings']['config'] <> "" or
@@ -2455,7 +2459,7 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
 if($g['booting'])
 return;
-
+
 update_filter_reload_status("Syncing CARP data to {$url}");
 /* make a copy of config */
@@ -2490,7 +2494,7 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
 $xml[$section] = backup_vip_config_section();
 }
 }
-
+
 $params = array(
 XML_RPC_encode($password),
 XML_RPC_encode($xml)
@@ -2510,16 +2514,16 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
 } elseif($resp->faultCode()) {
 $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 log_error($error);
- file_notice("sync_settings", $error, "Settings Sync", "");
+ file_notice("sync_settings", $error, "Settings Sync", "");
 } else {
 log_error("XMLRPC sync successfully completed with {$url}:{$port}.");
 }
 }
-
+
 function carp_sync_client() {
 global $config, $g;
-
+
 update_filter_reload_status("Building CARP sync information");
 if($g['booting'])
@@ -2566,7 +2570,7 @@ function carp_sync_client() {
 }
 if($carp['synchronizestaticroutes'] != "" and is_array($config['staticroutes'])) {
 $sections[] = 'staticroutes';
- }
+ }
 if($carp['synchronizevirtualip'] != "" and is_array($config['virtualip'])) {
 $sections[] = 'virtualip';
 }
@@ -2575,10 +2579,10 @@ function carp_sync_client() {
 }
 if($carp['synchronizeipsec'] != "" and is_array($config['ipsec'])) {
 $sections[] = 'ipsec';
- }
+ }
 if($carp['synchronizednsforwarder'] != "" and is_array($config['dnsmasq'])) {
 $sections[] = 'dnsmasq';
- }
+ }
 if(count($sections) > 0) {
 update_filter_reload_status("Signaling CARP reload signal...");
 carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port);
@@ -2588,7 +2592,7 @@ function carp_sync_client() {
 $cli->send($msg, "900");
 /* signal a carp reload */
 $msg = new XML_RPC_Message('pfsense.interfaces_carp_configure');
- $cli->send($msg, "900");
+ $cli->send($msg, "900");
 }
 }
 }
@@ -2605,19 +2609,19 @@ function return_vpn_subnet($adr) {
 if ($adr['address']) {
 list($padr, $pmask) = explode("/", $adr['address']);
- if (is_null($pmask))
+ if (is_null($pmask))
 return "{$padr}/32";
 return "{$padr}/{$pmask}";
 }
-
+
 /* XXX: do not return wan, lan, etc */
- if(strstr($adr['network'], "wan") or strstr($adr['network'], "lan") or strstr($adr['network'], "opt"))
+ if(strstr($adr['network'], "wan") or strstr($adr['network'], "lan") or strstr($adr['network'], "opt"))
 return convert_ip_to_network_format($config['interfaces'][$adr['network']]['ipaddr'], $config['interfaces'][$adr['network']]['subnet']);
-
+
 /* fallback - error */
 return " # error - {$adr['network']} ";
-
+
 }
 ?> |