authorErmal Luçi <eri@pfsense.org>2009-08-11 20:45:29 +0000
committerErmal Luçi <eri@pfsense.org>2009-08-11 20:45:29 +0000
commit5bdddd2d95c46594fecb389f4befafe008378e85 (patch)
treef723f4516e8ece4b446fa997fdc8071e7f1d9ddd
parentdb2116d3959c1119b47f4efa6072c2ff00a67c98 (diff)
Reduce some unneeded overhead in CP generated ipfw rules.
-rw-r--r--etc/inc/captiveportal.inc34
1 files changed, 4 insertions, 30 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index d529ade..5838b84 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -63,8 +63,11 @@ function captiveportal_configure() {
$cpinterface .= "via {$tmpif}";
$firsttime = 1;
$cpipm = get_interface_ip($cpifgrp);
- if (is_ipaddr($cpipm))
+ if (is_ipaddr($cpipm)) {
$cpips[] = $cpipm;
+ mwexec("/sbin/ifconfig {$tmpif} ipfwfilter");
+ } else
+ mwexec("/sbin/ifconfig {$tmpif} -ipfwfilter");
}
}
if (count($cpips) > 0) {
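Review bot: The two added `mwexec()` calls interpolate `$tmpif` into a shell command line unquoted and discard the exit status. The later hunks of this commit delete the ipfw rules that kept non-portal interfaces out of the portal ruleset (`skipto 50000 all from any to any not layer2`, `pass layer2`), so scoping now appears to depend on the `ipfwfilter` flag really being set or cleared per interface, and a failed `ifconfig` should be logged rather than ignored. A suggested form is `if (mwexec("/sbin/ifconfig " . escapeshellarg($tmpif) . " ipfwfilter") != 0) log_error("could not enable ipfwfilter on {$tmpif}");`, with the same treatment for the `-ipfwfilter` call. The flag is cleared only in the `else` branch for interfaces still in the portal list, so it is worth confirming that an interface removed from the configuration gets `-ipfwfilter` somewhere else; `captiveportal_configure()` starts and continues outside this hunk.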
@@ -316,18 +319,6 @@ function captiveportal_rules_generate($cpif, &$cpiparray) {
$cprules = "add 500 set 1 allow pfsync from any to any\n";
$cprules .= "add 500 set 1 allow carp from any to any\n";
- /* allow nat redirects to work see
- http://cvstrac.pfsense.com/tktview?tn=651
- */
- /* if list */
- $iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- if(stristr($cpifn, $ifname))
- continue;
- $int = get_real_interface($ifname);
- $cprules .= "add 30 set 1 skipto 50000 all from any to any in via {$int} keep-state\n";
- }
-
/* captive portal on LAN interface? */
if (stristr($cpifn, "lan")) {
/* add anti-lockout rules */
@@ -339,13 +330,6 @@ EOD;
}
$cprules .= <<<EOD
-add 1000 set 1 skipto 1200 all from any to any not layer2 $cpif
-# skip to traffic shaper if not on captive portal interface
-add 1001 set 1 skipto 50000 all from any to any not layer2
-add 1003 set 1 skipto 1100 layer2 $cpif
-# pass all layer2 traffic on other interfaces
-add 1004 set 1 pass layer2
-
# layer 2: pass ARP
add 1100 set 1 pass layer2 mac-type arp
# pfsense requires for WPA
@@ -398,16 +382,6 @@ EOD;
}
$rulenum++;
- //# allow access to our DNS forwarder if it incorrectly resolves the hostname to $lanip
- $cprules .= "add {$rulenum} set 1 pass udp from any to {$lanip} 53 in \n";
- $rulenum++;
- $cprules .= "add {$rulenum} set 1 pass udp from {$lanip} 53 to any out \n";
- //# allow access to lan web server incase the dns name resolves incorrectly to $lanip
- $rulenum++;
- $cprules .= "add {$rulenum} set 1 pass tcp from any to {$lanip} 8000 in \n";
- $rulenum++;
- $cprules .= "add {$rulenum} set 1 pass tcp from {$lanip} 8000 to any out \n";
-
$cprules .= <<<EOD
# ... 10000-19899: rules per authenticated client go here...