author | Ermal <eri@pfsense.org> | 2014-03-17 21:24:58 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-03-17 21:25:42 +0000 |
commit | 22889e9ee775c0bb5cda64b781e0c94bd8510f3e (patch) | |
tree | 88a8a257a7fe912c9d2de082c65097d005deba3f | |
parent | 01df403551bd3d15c4ba0cb3858b6a749bd64762 (diff) | |
Disable default allow incoming rules for 6to4 and 6rd interfaces. This rule unintentionally allows all services on the interface to be reachable and maybe more!
-rw-r--r-- | etc/inc/filter.inc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 287fa3a..f193675 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2781,7 +2781,8 @@ pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6
 pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
 EOD;
- if (is_ipaddrv6($oc['ipv6'])) {
+ /* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */
+ if (0 && is_ipaddrv6($oc['ipv6'])) {
 $ipfrules .= <<<EOD
 pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
 pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
@@ -2798,7 +2799,8 @@ pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "{$fix_rule_
 EOD;
 }
- if (is_ipaddrv6($oc['ipv6'])) {
+ /* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */
+ if (0 && is_ipaddrv6($oc['ipv6'])) {
 $ipfrules .= <<<EOD
 pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
 pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" |
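Review bot: The `if (0 && is_ipaddrv6($oc['ipv6']))` guard in the 6rd hunk, and the identical one in the 6to4 hunk, switches off the whole block, so the `pass out ... inet6 from {$oc['ipv6']}/{$oc['snv6']} to any` rule is dropped together with the `pass in ... inet6 from any` rule that the commit message is about. Whether outbound IPv6 from the tunnel prefix is still permitted by another rule is not visible here, so it is worth confirming that this is intended rather than a side effect. A constant-false condition also keeps the permissive rule text in the file, where removing `0 &&` silently restores the inbound allow; deleting the block would be safer. Failing that, replace the XXX question with a statement of the decision, e.g. `/* Disabled: a blanket inbound pass on the tunnel bypasses default deny; inbound v6 must come from explicit user rules. */`. The body of each `if` continues past the end of its hunk.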