author | Scott Ullrich <sullrich@pfsense.org> | 2004-11-07 20:17:26 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2004-11-07 20:17:26 +0000 |
commit | f997992b524dd0c64d55088a8673f3fae00692c5 (patch) | |
tree | b649eb280c50482af7236ec16a52992b001a8cff | |
parent | 6cc1766f2117d46162c92b44a87972ce4bcd62e5 (diff) | |
download | pfsense-f997992b524dd0c64d55088a8673f3fae00692c5.zip pfsense-f997992b524dd0c64d55088a8673f3fae00692c5.tar.gz |
make sure we define the ipsec vpn rules correctly pf style
-rw-r--r-- | etc/inc/filter.inc | 42 | ||||
-rwxr-xr-x | usr/local/www/status.php | 7 |
2 files changed, 22 insertions, 27 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 65156c8..417f3fa 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -40,7 +40,7 @@ function filter_resync() {
 function filter_ipmon_start() {
 global $config, $g;
- mwexec("/pflogd -sD");
+ mwexec("ifconfig pflog0 up && pflogd -sD");
 }
 function filter_configure() {
@@ -75,6 +75,7 @@ function filter_configure() {
 $fd = fopen("/tmp/rules.debug", "w");
 fwrite($fd, "set loginterface $wanif \n");
 fwrite($fd, "set optimization aggressive\n");
+ fwrite($fd, "\nscrub in all\n");
 fwrite($fd, $altq_ints);
 fwrite($fd, $altq_queues);
 fwrite($fd, $natrules);
@@ -412,23 +413,6 @@ function filter_rules_generate() {
 # BEGIN OF firewall rules
 $ipfrules="";
- $ipfrules .= "\n# VPN Rules\n";
- $internal_subnet = "any";
- if(is_array($config['ipsec']['tunnel'])) {
- foreach ($config['ipsec']['tunnel'] as $tunnel) {
- if(isset($tunnel['local-subnet']['address'])) {
- $internal_subnet = $tunnel['local-subnet']['address'];
- } else {
- $internal_subnet = "any";
- }
- $ipfrules .= "pass in on " . $wanif . " proto tcp from " . $tunnel['remote-subnet'] . " to " . $internal_subnet . " keep state\n";
- if(isset($tunnel['local-subnet']['address'])) {
- $ipfrules .= "pass in on " . $wanif . " proto tcp from " . $tunnel['local-subnet']['address'] . " to " . $tunnel['remote-subnet'] . " keep state\n";
- }
- }
-
- }
-
 $ipfrules .= <<<EOD
 # loopback
@@ -568,11 +552,6 @@ EOD;
 }
 }
- /* XXX - the first section is only needed because pfctl refuses to
- parse rules that have "flags S/SAFR" and proto "tcp/udp" set because
- UDP does not have flags, but we still want to offer the TCP/UDP protocol
- option to the user */
-
 $ipfrules .= <<<EOD
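Review bot: In the @@ -40 hunk `ifconfig` and `pflogd` are now invoked by bare name, so starting the logger depends on whatever PATH the PHP process inherited instead of a fixed location; `mwexec("/sbin/ifconfig pflog0 up && /sbin/pflogd -sD");` removes that dependency. The return value of mwexec() is discarded, so if bringing pflog0 up fails the `&&` silently skips pflogd and nothing records that packet logging is off; if mwexec() reports the exit status (not visible here), it is worth checking it and logging the failure.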
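Review bot: The `scrub in all` added in the @@ -75 hunk carries no comment saying why it is there, and a reader of the generated /tmp/rules.debug gets none either; writing `fwrite($fd, "\n# normalize inbound packets (fragment reassembly, sanity checks) before the filter rules see them\nscrub in all\n");` documents it in both places. As far as I recall pf.conf wants normalization after the options and before queueing and translation, which is where this line lands, so the placement looks right.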
@@ -899,6 +878,21 @@ EOD;
 $i++;
 }
+ $ipfrules .= "\n# VPN Rules\n";
+ $lan_ip = $config['interfaces']['lan']['ipaddr'];
+ $lan_subnet = $config['interfaces']['lan']['subnet'];
+ $wan_ip = $config['interfaces']['wan']['ipaddr'];
+ $internal_subnet = gen_subnet($lan_ip, $lan_subnet) . "/" . $config['interfaces']['lan']['subnet'];
+ if(is_array($config['ipsec']['tunnel'])) {
+ foreach ($config['ipsec']['tunnel'] as $tunnel) {
+ $remote_gateway = $tunnel['remote-gateway'];
+ $ipfrules .= "pass quick on " . $wanif . " from " . $wan_ip . " to " . $remote_gateway . " keep state\n";
+ $ipfrules .= "pass quick on " . $wanif . " from " . $remote_gateway . " to " . $wan_ip . " keep state\n";
+ $ipfrules .= "pass quick on " . $lanif . " from " . $tunnel['remote-subnet'] . " to " . $internal_subnet . " keep state\n";
+ $ipfrules .= "pass quick on " . $lanif . " from " . $internal_subnet . " to " . $tunnel['remote-subnet'] . " keep state\n";
+ }
+ }
+
 $ipfrules .= <<<EOD
 #---------------------------------------------------------------------------
@@ -933,7 +927,7 @@ function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
 $n--;
 }
 }
- $ipfrules .= "skip 1 in on $if from $sa/$sn to any\n";
+ $ipfrules .= "#skip 1 in on $if from $sa/$sn to any\n";
 $ipfrules .= "#block in $log quick on $if all\n";
 } else {
 $ipfrules .= "#block in $log quick on $if from ! $sa/$sn to any\n";
diff --git a/usr/local/www/status.php b/usr/local/www/status.php
index 0b54797..d1668a7 100755
--- a/usr/local/www/status.php
+++ b/usr/local/www/status.php
@@ -15,7 +15,7 @@ function doCmdT($title, $command) {
 echo "<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n";
 echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n";
 echo "<tr><td class=\"listlr\"><pre>"; /* no newline after pre */
-
+
 if ($command == "dumpconfigxml") {
 $fd = @fopen("/conf/config.xml", "r");
 if ($fd) {
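Review bot: The new VPN block in the @@ -899 hunk writes `$tunnel['remote-gateway']` and `$tunnel['remote-subnet']` into the rule text unchecked, so a tunnel with an empty field produces `pass quick on ... from  to ...` and pfctl then rejects the whole ruleset, not just that line. It also drops the per-tunnel `local-subnet` that the rules removed in the @@ -412 hunk honoured and uses the LAN subnet for every tunnel, and `$internal_subnet` re-reads `$config['interfaces']['lan']['subnet']` although `$lan_subnet` already holds it. The two `$wanif` rules pass any protocol between the peer address and `$wan_ip`; if these tunnels are plain IKE/ESP, limiting them to `proto esp` and `proto udp ... port 500` would keep the exception to what the VPN needs. filter_rules_generate() starts outside the hunk and no address-validation helper is visible here, so the sketch below uses `empty()`; substitute the tree's address validators if it has them.
```php
	$internal_subnet = gen_subnet($lan_ip, $lan_subnet) . "/" . $lan_subnet;
	if(is_array($config['ipsec']['tunnel'])) {
		foreach ($config['ipsec']['tunnel'] as $tunnel) {
			$remote_gateway = $tunnel['remote-gateway'];
			$remote_subnet = $tunnel['remote-subnet'];
			/* an empty address yields "from  to" and pfctl refuses the whole file */
			if (empty($remote_gateway) || empty($remote_subnet))
				continue;
			/* honour a per-tunnel local subnet as the old rules did; default to the LAN subnet */
			$local_subnet = isset($tunnel['local-subnet']['address']) ? $tunnel['local-subnet']['address'] : $internal_subnet;
			/* … unchanged: the two $wanif <-> $remote_gateway rules … */
			$ipfrules .= "pass quick on " . $lanif . " from " . $remote_subnet . " to " . $local_subnet . " keep state\n";
			$ipfrules .= "pass quick on " . $lanif . " from " . $local_subnet . " to " . $remote_subnet . " keep state\n";
		}
	}
```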
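Review bot: With `skip 1` turned into a comment in the @@ -933 hunk, every line this branch of filter_rules_spoofcheck_generate() emits is now a `#` comment (the `block in` lines around it already were), so the spoof check generates no active rule at all. pf has a native directive for this; `$ipfrules .= "antispoof $log for $if\n";` in place of the commented `block in $log quick on $if from ! $sa/$sn` line would restore the protection in pf syntax, assuming `$log` holds the `log` keyword or an empty string as its use in the neighbouring lines suggests. If leaving it disabled during the pf migration is intentional, a comment on the function saying so would stop the generated ruleset from reading like a misconfiguration. The function starts outside the hunk.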
@@ -90,6 +90,7 @@ defCmdT("ipfw show", "/sbin/ipfw show");
 defCmdT("pfctl -s nat ", "/sbin/pfctl -s nat");
 defCmdT("pfctl -s rules", "/sbin/pfctl -s rules");
 defCmdT("pfctl -s all"," /sbin/pfctl -s all");
+defCmdT("pfctl -s rules -v"," /sbin/pfctl -s rules -v");
 defCmdT("resolv.conf","cat /etc/resolv.conf");
@@ -137,8 +138,8 @@ pre {
 <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
 <p><span class="pgtitle"><?=$pageTitle;?></span><br>
 <strong><?=$currentDate;?></strong>
-<p><span class="red"><strong>Note: make sure to remove any sensitive information
-(passwords, maybe also IP addresses) before posting
+<p><span class="red"><strong>Note: make sure to remove any sensitive information
+(passwords, maybe also IP addresses) before posting
 information from this page in public places (like mailing lists)!</strong></span><br>
 Passwords in config.xml have been automatically removed. |