author | Renato Botelho <garga@FreeBSD.org> | 2014-02-18 16:00:17 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-02-18 16:00:30 -0300 |
commit | 8a4d1dbd2a4d536201363a0f8d8a42fb6e057b33 (patch) | |
tree | b0d759bb0fd8785af57fed1c1b7f525717997694 | |
parent | 69a0c7351bed26b4fb0259ce893442bd99d9d89d (diff) | |
download | pfsense-8a4d1dbd2a4d536201363a0f8d8a42fb6e057b33.zip pfsense-8a4d1dbd2a4d536201363a0f8d8a42fb6e057b33.tar.gz |
Move the 'allow dhcpv6 client' rules above the 'block bogonsv6' ones; this should fix #3395
-rw-r--r-- | etc/inc/filter.inc | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 9b537e9..a5d8135 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2664,19 +2664,32 @@ EOD;
 
 if(isset($config['interfaces'][$on]['blockbogons'])) {
 $ipfrules .= <<<EOD
-# block bogon networks
+# block bogon networks (IPv4)
 # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
-# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
 
 EOD;
- if(isset($config['system']['ipv6allow'])) {
- $ipfrules .= <<<EOD
+ }
+
+ if($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6") {
+ $ipfrules .= <<<EOD
+# allow our DHCPv6 client out to the {$oc['descr']}
+pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
+
+EOD;
+ }
+
+ if(isset($config['interfaces'][$on]['blockbogons']) && isset($config['system']['ipv6allow'])) {
+ $ipfrules .= <<<EOD
+# block bogon networks (IPv6)
+# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
 
 EOD;
- }
 }
+
 $isbridged = false;
 if(is_array($config['bridges']['bridged'])) {
 foreach ($config['bridges']['bridged'] as $oc2) {
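Review bot: The second `pass in quick` rule in the new DHCPv6 block matches `from any port = 547 to any port = 546` with no address family and no address restriction, and because the block now sits above the `<bogonsv6>` block, every inbound UDP packet with that port pair skips the IPv6 bogon check, not only link-local server replies. If the goal is just to keep fe80::/10 replies from being dropped by the bogon table (presumably the cause of #3395), the rule could be narrowed, for example `pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 port = 547 to any port = 546 label ...`; whether any supported upstream answers from a global address should be confirmed first. A one-line comment in the PHP above the block, such as `// must precede the bogonsv6 block: DHCPv6 replies arrive from link-local sources`, would also stop a later reorder from reintroducing the bug. The enclosing function starts and ends outside this hunk, so rules emitted earlier for the same interface are not visible here.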
@@ -2761,16 +2774,6 @@ EOD;
 break;
 }
 switch($oc['type6']) {
- case "slaac":
- case "dhcp6":
- $ipfrules .= <<<EOD
-# allow our DHCPv6 client out to the {$oc['descr']}
-pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
-
-EOD;
- break;
 case "6rd":
 $ipfrules .= <<<EOD
 # allow our proto 41 traffic from the 6RD border relay in |