author | jim-p <jimp@pfsense.org> | 2013-07-10 15:41:46 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2013-07-10 15:49:19 -0400 |
commit | f34fcff4b42eb0f863264ff0eb9e85ed6d202497 (patch) | |
tree | 07130c9d31b392bf27ddbcd333e4755031f13510 | |
parent | bc59bcff382f9310a58b310ec75f94ee650491ed (diff) | |
download | pfsense-f34fcff4b42eb0f863264ff0eb9e85ed6d202497.zip pfsense-f34fcff4b42eb0f863264ff0eb9e85ed6d202497.tar.gz |
Don't automatically add hidden rules to pass all IPv6 traffic to/from delegated prefixes. The default IPv6 "LAN -> any" rule already covers outbound traffic as-is, and WAN rules shouldn't pass inbound traffic that permissively. Also, the prefix length calculation was off, so the LAN rule(s) would be too permissive anyway.
-rw-r--r-- | etc/inc/filter.inc | 18 |
1 files changed, 0 insertions, 18 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index cbb5e79..6235d89 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2959,24 +2959,6 @@ EOD;
 unset($rule_arr1, $rule_arr2, $rule_arr3);
 }
- $ipfrules .= "\n# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients\n";
- /* add automatic LAN rules to allow IPv6 traffic out for dynamic IPv6 networks */
- foreach ($FilterIflist as $ifdescr => $ifcfg) {
- if (isset($ifcfg['track6-interface'])) {
- if (is_ipaddrv6($ifcfg['ipv6'])) {
- $trackifname = $ifcfg['track6-interface'];
- $trackcfg = $FilterIflist[$trackifname];
- $pdlen = 64 - calculate_ipv6_delegation_length($trackifname);
- $prefix = Net_IPv6::getNetmask($ifcfg['ipv6'], $pdlen);
- $ipfrules .= "pass in on \${$ifcfg['descr']} inet6 from $prefix/$pdlen to any keep state label \"Allow IPv6 on {$ifcfg['descr']} to any\"\n";
- /* add rules on the WAN for traffic back in, let the downstream router
- * figure out what to do with the traffic */
- if (is_ipaddrv6($trackcfg['ipv6']))
- $ipfrules .= "pass in on \${$trackcfg['descr']} inet6 from any to $prefix/$pdlen keep state label \"Allow IPv6 in on {$trackcfg['descr']} to $prefix/$pdlen\"\n";
- }
- }
- }
-
 /* pass traffic between statically routed subnets and the subnet on the
 * interface in question to avoid problems with complicated routing
 * topologies |