diff options
| author | Ermal <eri@pfsense.org> | 2014-05-27 13:12:40 +0000 |
|---|---|---|
| committer | Ermal <eri@pfsense.org> | 2014-05-27 13:14:10 +0000 |
| commit | 1fd46d44c599886bf9490c85081ee4bdc2b30326 (patch) | |
| tree | 4791da51aa6de11287347111c9e401205848449a | |
| parent | d758288839b46bc09507cdb9236d7cd110c0a01a (diff) | |
| download | pfsense-1fd46d44c599886bf9490c85081ee4bdc2b30326.zip pfsense-1fd46d44c599886bf9490c85081ee4bdc2b30326.tar.gz | |
Split the setting of logging pass and block into 2 separate settings. Maybe this can be extended to control even the user rules?
| -rw-r--r-- | etc/inc/filter.inc | 185 | ||||
| -rw-r--r-- | usr/local/www/diag_logs_settings.php | 10 |
2 files changed, 102 insertions, 93 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 7ded056..ae11bbc 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2622,17 +2622,18 @@ function filter_rules_generate() { $ipfrules .= "anchor \"ipsec/*\"\n"; # BEGIN OF firewall rules /* default block logging? */ + $log = array(); if(!isset($config['syslog']['nologdefaultblock'])) - $log = "log"; - else - $log = ""; + $log['block'] = "log"; + if(!isset($config['syslog']['nologdefaultpass'])) + $log['pass'] = "log"; $saved_tracker = $tracker; if(!isset($config['system']['ipv6allow'])) { $ipfrules .= "# Block all IPv6\n"; - $ipfrules .= "block in {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; - $ipfrules .= "block out {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; + $ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; + $ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; } $saved_tracker += 100; @@ -2642,10 +2643,10 @@ function filter_rules_generate() { #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- -block in {$log} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" -block out {$log} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" -block in {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" -block out {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" +block in {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" +block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" +block in {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" +block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" # IPv6 ICMP is not auxilary, it is required for operation # See man icmp6(4) @@ -2657,24 +2658,24 @@ block out {$log} inet6 all tracker {$increment_tracker($tracker)} label "Default # 134 routeradv Router advertisement # 135 neighbrsol Neighbor solicitation # 136 neighbradv Neighbor advertisement -pass {$log} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state +pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) -pass out {$log} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state -pass out {$log} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state -pass in {$log} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state -pass in {$log} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state -pass in {$log} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state +pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state +pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state +pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state +pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state +pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state # We use the mighty pf, we cannot be fooled. -block {$log} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} -block {$log} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} -block {$log} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} -block {$log} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} +block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} +block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} +block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} +block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} # Snort package -block {$log} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts" -block {$log} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts" +block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts" +block {$log['block']} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts" EOD; @@ -2688,7 +2689,7 @@ EOD; $ipfrules .= "\n# SSH lockout\n"; if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) { - $ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port "; + $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port "; $ipfrules .= $config['system']['ssh']['port']; $ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshlockout\"\n"; } else { @@ -2697,7 +2698,7 @@ EOD; else $sshport = 22; if($sshport) - $ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n"; + $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n"; } $saved_tracker += 50; @@ -2713,7 +2714,7 @@ EOD; $webConfiguratorlockoutport = $config['system']['webgui']['port']; } if($webConfiguratorlockoutport) - $ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n"; + $ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n"; $saved_tracker += 100; $tracker = $saved_tracker; @@ -2722,7 +2723,7 @@ EOD; * Support for allow limiting of TCP connections by establishment rate * Useful for protecting against sudden outburts, etc. */ - $ipfrules .= "block in {$log} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n"; + $ipfrules .= "block in {$log['block']} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n"; $saved_tracker += 100; $tracker = $saved_tracker; @@ -2766,8 +2767,8 @@ EOD; $listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : $cpcfg['zoneid']; $portalias = $listenporthttps; $portalias .= " {$listenporthttp}"; - $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; - $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; + $ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; + $ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; } } } @@ -2811,9 +2812,9 @@ EOD; if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) { $ipfrules .= <<<EOD # allow our DHCPv6 client out to the {$oc['descr']} -pass in {$log} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" -pass in {$log} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" -pass out {$log} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" +pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" +pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" +pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" EOD; } @@ -2865,16 +2866,16 @@ EOD; case "pptp": $ipfrules .= <<<EOD # allow PPTP client -pass in {$log} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" -pass in {$log} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" EOD; break; case "dhcp": $ipfrules .= <<<EOD # allow our DHCP client out to the {$oc['descr']} -pass in {$log} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" -pass out {$log} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" +pass out {$log['pass']} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" # Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP. EOD; @@ -2889,13 +2890,13 @@ EOD; if(isset($config['dhcpd'][$on]['enable'])) { $ipfrules .= <<<EOD # allow access to DHCP server on {$oc['descr']} -pass in {$log} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" +pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" EOD; if (is_ipaddrv4($oc['ip'])) { $ipfrules .= <<<EOD -pass in {$log} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" -pass out {$log} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" +pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" +pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" EOD; } @@ -2903,8 +2904,8 @@ EOD; if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") { $ipfrules .= <<<EOD # allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} -pass in {$log} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" -pass in {$log} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" +pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" +pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" EOD; } @@ -2919,15 +2920,15 @@ EOD; case "6rd": $ipfrules .= <<<EOD # allow our proto 41 traffic from the 6RD border relay in -pass in {$log} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}" -pass out {$log} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}" +pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}" EOD; /* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */ if (0 && is_ipaddrv6($oc['ipv6'])) { $ipfrules .= <<<EOD -pass in {$log} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}" -pass out {$log} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}" +pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}" EOD; } @@ -2936,16 +2937,16 @@ EOD; if (is_ipaddrv4($oc['ip'])) { $ipfrules .= <<<EOD # allow our proto 41 traffic from the 6to4 border relay in -pass in {$log} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" -pass out {$log} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" +pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" EOD; } /* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */ if (0 && is_ipaddrv6($oc['ipv6'])) { $ipfrules .= <<<EOD -pass in {$log} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" -pass out {$log} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" +pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" +pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" EOD; } @@ -2956,16 +2957,16 @@ EOD; $ipfrules .= <<<EOD # allow access to DHCPv6 server on {$oc['descr']} # We need inet6 icmp for stateless autoconfig and dhcpv6 -pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" -pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" -pass {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" -pass {$log} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" +pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" +pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" +pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" +pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" EOD; if (is_ipaddrv6($oc['ipv6'])) { $ipfrules .= <<<EOD -pass in {$log} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" -pass out {$log} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" +pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" +pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" EOD; } @@ -2985,13 +2986,13 @@ EOD; $ipfrules .= <<<EOD # loopback -pass in {$log} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" -pass out {$log} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" -pass in {$log} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" -pass out {$log} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" +pass in {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" +pass out {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" +pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" +pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" # let out anything from the firewall host itself and decrypted IPsec traffic -pass out {$log} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself" -pass out {$log} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself" +pass out {$log['pass']} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself" +pass out {$log['pass']} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself" EOD; @@ -3003,13 +3004,13 @@ EOD; $gw = get_interface_gateway($ifdescr); if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip'])) { - $ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + $ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; if (is_array($ifcfg['vips'])) { foreach ($ifcfg['vips'] as $vip) if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}")) - $ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + $ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; else - $ipfrules .= "pass out {$log} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + $ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; } } @@ -3017,10 +3018,10 @@ EOD; $stf = get_real_interface($ifdescr, "inet6"); $pdlen = 64 - calculate_ipv6_delegation_length($ifdescr); if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) { - $ipfrules .= "pass out {$log} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + $ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; if (is_array($ifcfg['vips6'])) { foreach ($ifcfg['vips6'] as $vip) - $ipfrules .= "pass out {$log} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + $ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; } } } @@ -3030,7 +3031,7 @@ EOD; $tracker = $saved_tracker; /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) - $ipfrules .= "pass out {$log} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n"; + $ipfrules .= "pass out {$log['pass']} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n"; $saved_tracker += 10; $tracker = $saved_tracker; @@ -3044,7 +3045,7 @@ EOD; $lanif = $FilterIflist['lan']['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -pass in {$log} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" +pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" EOD; } else if (count($config['interfaces']) == 1) { @@ -3052,7 +3053,7 @@ EOD; $wanif = $FilterIflist["wan"]['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -pass in {$log} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" +pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" EOD; } @@ -3070,8 +3071,8 @@ EOD; if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) { $ipfrules .= <<<EOD # PPTPd rules -pass in {$log} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}" -pass in {$log} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd" +pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}" +pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd" EOD; @@ -3091,7 +3092,7 @@ EOD; && $rule['natreflection'] != "disable") { $ipfrules .= "# NAT Reflection rules\n"; $ipfrules .= <<<EOD -pass in {$log} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost" +pass in {$log['pass']} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost" EOD; break; @@ -3191,10 +3192,10 @@ EOD; } if ($sa && is_ipaddrv4($routeent[0])) { $ipfrules .= <<<EOD -pass {$log} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" -pass {$log} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" -pass {$log} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" -pass {$log} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" EOD; } @@ -3205,10 +3206,10 @@ EOD; } if ($sa && is_ipaddrv6($routeent[0])) { $ipfrules .= <<<EOD -pass {$log} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" -pass {$log} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" -pass {$log} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" -pass {$log} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" +pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" EOD; } @@ -3242,7 +3243,7 @@ EOD; } if($sa) { $ipfrules .= <<<EOD -pass in {$log} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd" +pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd" EOD; } @@ -3261,7 +3262,7 @@ function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log) { $mt = microtime(); echo "filter_rules_spoofcheck_generate() being called $mt\n"; } - $ipfrules = "antispoof {$log} for \${$ifcfg['descr']} tracker {$tracker}\n"; + $ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} tracker {$tracker}\n"; $tracker++; return $ipfrules; @@ -3483,21 +3484,21 @@ function filter_process_carp_rules($log) { if(isset($config['system']['developerspew'])) { $mt = microtime(); - echo "filter_process_carp_rules($log) being called $mt\n"; + echo "filter_process_carp_rules() being called $mt\n"; } $increment_tracker = 'filter_rule_tracker'; $lines = ""; /* return if there are no carp configured items */ if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) { - $lines .= "block in {$log} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n"; - $lines .= "pass {$log} quick proto carp tracker {$increment_tracker($tracker)}\n"; + $lines .= "block in {$log['block']} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n"; + $lines .= "pass {$log['pass']} quick proto carp tracker {$increment_tracker($tracker)}\n"; } return $lines; } /* Generate IPSEC Filter Items */ -function filter_generate_ipsec_rules($log = "") { +function filter_generate_ipsec_rules($log = array()) { global $config, $g, $FilterIflist, $tracker; if(isset($config['system']['developerspew'])) { @@ -3595,30 +3596,30 @@ function filter_generate_ipsec_rules($log = "") { /* Add rules to allow IKE to pass */ $shorttunneldescr = substr($descr, 0, 35); $ipfrules .= <<<EOD -pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" -pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" +pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" EOD; /* If NAT-T is enabled, add additional rules */ if($ph1ent['nat_traversal'] != "off" ) { $ipfrules .= <<<EOD -pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" -pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" +pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" EOD; } /* Add rules to allow the protocols in use */ if($prot_used_esp == true) { $ipfrules .= <<<EOD -pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" -pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" +pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" EOD; } if($prot_used_ah == true) { $ipfrules .= <<<EOD -pass out {$log} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" -pass in {$log} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" +pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" EOD; } diff --git a/usr/local/www/diag_logs_settings.php b/usr/local/www/diag_logs_settings.php index 5f40bd7..07e6397 100644 --- a/usr/local/www/diag_logs_settings.php +++ b/usr/local/www/diag_logs_settings.php @@ -65,6 +65,7 @@ $pconfig['logall'] = isset($config['syslog']['logall']); $pconfig['system'] = isset($config['syslog']['system']); $pconfig['enable'] = isset($config['syslog']['enable']); $pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']); +$pconfig['logdefaultpass'] = !isset($config['syslog']['nologdefaultpass']); $pconfig['logbogons'] = !isset($config['syslog']['nologbogons']); $pconfig['logprivatenets'] = !isset($config['syslog']['nologprivatenets']); $pconfig['loglighttpd'] = !isset($config['syslog']['nologlighttpd']); @@ -138,10 +139,12 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { $config['syslog']['disablelocallogging'] = $_POST['disablelocallogging'] ? true : false; $config['syslog']['enable'] = $_POST['enable'] ? true : false; $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']); + $oldnologdefaultpass = isset($config['syslog']['nologdefaultpass']); $oldnologbogons = isset($config['syslog']['nologbogons']); $oldnologprivatenets = isset($config['syslog']['nologprivatenets']); $oldnologlighttpd = isset($config['syslog']['nologlighttpd']); $config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true; + $config['syslog']['nologdefaultpass'] = $_POST['logdefaultpass'] ? false : true; $config['syslog']['nologbogons'] = $_POST['logbogons'] ? false : true; $config['syslog']['nologprivatenets'] = $_POST['logprivatenets'] ? false : true; $config['syslog']['nologlighttpd'] = $_POST['loglighttpd'] ? false : true; @@ -161,6 +164,7 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { $retval = 0; $retval = system_syslogd_start(); if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) + || ($oldnologdefaultpass !== isset($config['syslog']['nologdefaultpass'])) || ($oldnologbogons !== isset($config['syslog']['nologbogons'])) || ($oldnologprivatenets !== isset($config['syslog']['nologprivatenets']))) $retval |= filter_configure(); @@ -307,9 +311,13 @@ function check_everything() { <td valign="top" class="vtable">Log Firewall Default Blocks</td> <td class="vtable"> <input name="logdefaultblock" type="checkbox" id="logdefaultblock" value="yes" <?php if ($pconfig['logdefaultblock']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Log packets matched from the default rules put in the ruleset");?></strong><br /> + <strong><?=gettext("Log packets matched from the default block rules put in the ruleset");?></strong><br /> <?=gettext("Hint: packets that are blocked by the implicit default block rule will not be logged if you uncheck this option. Per-rule logging options are still respected.");?> <br /> + <input name="logdefaultpass" type="checkbox" id="logdefaultpass" value="yes" <?php if ($pconfig['logdefaultpass']) echo "checked=\"checked\""; ?> /> + <strong><?=gettext("Log packets matched from the default pass rules put in the ruleset");?></strong><br /> + <?=gettext("Hint: packets that are allowed by the implicit default pass rule will not be logged if you uncheck this option. Per-rule logging options are still respected.");?> + <br /> <input name="logbogons" type="checkbox" id="logbogons" value="yes" <?php if ($pconfig['logbogons']) echo "checked=\"checked\""; ?> /> <strong><?=gettext("Log packets blocked by 'Block Bogon Networks' rules");?></strong><br /> <br /> |
