author | Chris Buechler <cmb@pfsense.org> | 2015-04-08 21:42:36 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-04-08 21:42:36 -0500 |
commit | e636f37393efe0810789e30158f73f3499613677 (patch) | |
tree | 8b762548df2a166ed10fe0d08a1154b33a22f06f | |
parent | 05b7eef94f28fc73dcd07faa322e8d569f6938ea (diff) | |
Allow disabling the APIPA block via hidden config option. Very rarely necessary or desirable, but Amazon VPC VPNs use that as their tunnel subnet with BGP setups.
-rw-r--r-- | etc/inc/filter.inc | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 07350cc..fdc7e61 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2814,13 +2814,19 @@ function filter_rules_generate() {
 $saved_tracker += 100;
 $tracker = $saved_tracker;
-
-$ipfrules .= <<<EOD
+
+if (!isset($config['system']['no_apipa_block'])) {
+$ipfrules .= <<<EOD
 # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
 # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
 # route-to can override that, causing problems such as in redmine #2073
 block in {$log['block']} quick from 169.254.0.0/16 to any tracker {$increment_tracker($tracker)} label "Block IPv4 link-local"
 block in {$log['block']} quick from any to 169.254.0.0/16 tracker {$increment_tracker($tracker)} label "Block IPv4 link-local"
+
+EOD;
+}
+
+$ipfrules .= <<<EOD
#---------------------------------------------------------------------------
 # default deny rules
 #---------------------------------------------------------------------------
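Review bot: When `no_apipa_block` is set, the generated ruleset gives no hint that the RFC 3927 link-local block was deliberately removed, so anyone reading rules.debug during troubleshooting or an incident sees the 169.254.0.0/16 rules simply missing, with the explanatory comment gone too. An `else` branch after the new closing brace would leave a breadcrumb in the ruleset, for example `} else {` / `    $ipfrules .= "# IPv4 link-local (169.254.0.0/16) block disabled via system/no_apipa_block; see RFC 3927 and redmine #2073\n";` / `}`. It is also worth stating in a comment above the `if` that, because the check is `isset()`, the mere presence of the key disables the protection regardless of its value (an empty `<no_apipa_block/>` element is enough), since the option is hidden and this is the only place that documents it. The enclosing function `filter_rules_generate()` starts and ends outside this hunk.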