authorChris Buechler <cmb@pfsense.org>2009-04-21 00:04:51 -0400
committerChris Buechler <cmb@pfsense.org>2009-04-21 00:04:51 -0400
commit7c71c208d432a1bde892b9b1c0aa8b15928e5a5d (patch)
treed86fef4bf73438ff1e9564feb1cdec3a1b335a7c
parent549b9772bdbf7078945dbdfe221355d75d1fa329 (diff)
parent23df7095ab98bc753ed222d9d69d4e26b6956e77 (diff)
downloadpfsense-7c71c208d432a1bde892b9b1c0aa8b15928e5a5d.zip
pfsense-7c71c208d432a1bde892b9b1c0aa8b15928e5a5d.tar.gz
Merge branch 'RELENG_1_2' of http://gitweb.pfsense.org/pfsense/mainline into RELENG_1_2
-rw-r--r--etc/inc/filter.inc23
-rw-r--r--etc/inc/pfsense-utils.inc8
-rwxr-xr-xusr/local/www/system_advanced.php16
3 files changed, 34 insertions, 13 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5ae41b5..5075d18 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2635,7 +2635,8 @@ EOD;
$pptpdtarget = $pptpdcfg['redir'];
if($pptpdtarget) {
- $ipfrules .= <<<EOD
+ if(!isset($config['system']['disablevpnrules'])) {
+ $ipfrules .= <<<EOD
# PPTPd rules
anchor "pptp"
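Review bot: The `isset($config['system']['disablevpnrules'])` test introduced on the added `if` line is repeated verbatim in four more places in this file (the IPsec tunnel loop, the mobile-clients block, and the tun and tap branches of create_firewall_outgoing_rules_to_itself), each reading `$config` directly. Computing it once, e.g. `$disablevpnrules = isset($config['system']['disablevpnrules']);` near the top of the rule generator and testing `$disablevpnrules` in every branch, keeps the five sites from drifting and makes the dependency on a `global $config` declaration — which, if present, sits outside this hunk — visible in one place. A comment on the new `if` would also help a maintainer, e.g. `/* auto-added VPN rules disabled: no PPTP pass rule is emitted; presumably the admin supplies their own */`. The enclosing function starts and ends outside this hunk.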
@@ -2643,6 +2644,7 @@ pass in quick on \$wan proto gre from any to $pptpdtarget keep state label "allo
pass in quick on \$wan proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}"
EOD;
+ }
} else {
/* this shouldnt ever happen but instead of breaking the clients ruleset
@@ -2822,7 +2824,10 @@ EOD;
continue;
if(!$remote_gateway)
continue;
- $shorttunneldescr = substr($tunnel['descr'], 0, 26);
+ if(isset($config['system']['disablevpnrules']))
+ continue;
+
+ $shorttunneldescr = substr($tunnel['descr'], 0, 26);
$ipfrules .= "pass out quick on \${$iface} proto udp from any to {$remote_gateway} port = 500 keep state label \"IPSEC: {$shorttunneldescr} - outbound isakmp\"\n";
$ipfrules .= "pass in quick on \${$iface} proto udp from {$remote_gateway} to any port = 500 keep state label \"IPSEC: {$shorttunneldescr} - inbound isakmp\"\n";
if ($tunnel['p2']['protocol'] == 'esp') {
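Review bot: The added `continue` tests a condition that does not depend on `$tunnel`, yet it sits inside the per-tunnel foreach (whose head is outside this hunk) and is re-evaluated on every iteration, after the two existing gateway checks. Skipping the whole IPsec tunnel block before the loop when `disablevpnrules` is set states the intent more directly and stops a reader from assuming the check is tunnel-specific. If it stays here, a one-line comment such as `/* auto-added VPN rules disabled: emit no IPsec pass rules for this tunnel */` would explain why a non-tunnel property short-circuits the loop body.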
@@ -2843,10 +2848,12 @@ EOD;
*/
$ipseccfg = $config['ipsec'];
if (isset($ipseccfg['mobileclients']['enable'])) {
- foreach($ifdescrs as $iface) {
- $ipfrules .= "pass in quick on \${$iface} proto udp from any to any port = 500 keep state label \"IPSEC: Mobile - inbound isakmp\"\n";
- $ipfrules .= "pass in quick on \${$iface} proto esp from any to any keep state label \"IPSEC: Mobile - inbound esp proto\"\n";
- $ipfrules .= "pass in quick on \${$iface} proto ah from any to any keep state label \"IPSEC: Mobile - inbound ah proto\"\n";
+ if(!isset($config['system']['disablevpnrules'])) {
+ foreach($ifdescrs as $iface) {
+ $ipfrules .= "pass in quick on \${$iface} proto udp from any to any port = 500 keep state label \"IPSEC: Mobile - inbound isakmp\"\n";
+ $ipfrules .= "pass in quick on \${$iface} proto esp from any to any keep state label \"IPSEC: Mobile - inbound esp proto\"\n";
+ $ipfrules .= "pass in quick on \${$iface} proto ah from any to any keep state label \"IPSEC: Mobile - inbound ah proto\"\n";
+ }
}
}
}
@@ -3036,7 +3043,7 @@ function create_firewall_outgoing_rules_to_itself() {
/* Some people use a TUN tunnel with public IP as a Multiwan interface */
if(interface_has_gateway("tun{$x}")) {
$rule .= "# Not adding default pass in rule for interface $friendlytunif - tun{$x} with a gateway!";
- } else {
+ } elseif (!isset($config['system']['disablevpnrules'])) {
$rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
}
}
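Review bot: The new `elseif` reads `$config` inside create_firewall_outgoing_rules_to_itself(), here for tun and again in the tap block that follows, but the function header is outside this hunk; unless it declares `global $config`, `$config` is an undefined local there, `isset()` is always false, and the tun/tap pass rules are still emitted, so the option would silently have no effect on OpenVPN. Worth confirming against the function's first lines. The intent also deserves a comment on the branch, e.g. `/* default pass rule for the tunnel is skipped when auto-added VPN rules are disabled */`, since an `elseif` that drops a rule entirely reads at first glance like a missing `else`.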
@@ -3049,7 +3056,7 @@ function create_firewall_outgoing_rules_to_itself() {
/* Some people use a TAP tunnel with public IP as a Multiwan interface */
if(interface_has_gateway("tap{$x}")) {
$rule .= "# Not adding default pass in rule for interface $friendlytapif - tap{$x} with a gateway!";
- } else {
+ } elseif (!isset($config['system']['disablevpnrules'])) {
$rule .="pass in quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
}
}
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 7f67509..f310f41 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -1063,10 +1063,7 @@ function setup_polling() {
setup_polling_defaults();
- if(isset($config['system']['polling']))
- $supported_ints = array('dc', 'em', 'fwe', 'fwip', 'fxp', 'ixgb', 'ste', 'nge', 're', 'rl', 'sf', 'sis', 'ste', 'vge', 'vr', 'xl');
- else
- $supported_ints = array();
+ $supported_ints = array('bge', 'dc', 'em', 'fwe', 'fwip', 'fxp', 'ixgb', 'nfe', 'nge', 're', 'rl', 'sf', 'sis', 'ste', 'stge', 'vge', 'vr', 'xl');
/* build an array of interfaces to work with */
$iflist = array("lan" => "LAN", "wan" => "WAN");
@@ -1075,7 +1072,8 @@ function setup_polling() {
foreach ($iflist as $ifent => $ifname) {
$real_interface = convert_friendly_interface_to_real_interface_name($ifname);
- if(!in_array($real_interface, $supported_ints)) {
+ $ifdevice = substr($real_interface, 0, -1);
+ if(!in_array($ifdevice, $supported_ints)) {
continue;
}
if(isset($config['system']['polling'])) {
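Review bot: `substr($real_interface, 0, -1)` on the added line strips exactly one character, so it only recovers the driver name for single-digit unit numbers: `em10` becomes `em1`, which is not in `$supported_ints`, and polling setup is silently skipped for that interface. Stripping the whole trailing unit number matches the intent: `$ifdevice = rtrim($real_interface, '0123456789');`. Passing `true` as the third argument of `in_array` would additionally make the membership test strict, which is appropriate for a list of plain driver-name strings.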
diff --git a/usr/local/www/system_advanced.php b/usr/local/www/system_advanced.php
index 0c2eed8..0bf1bc3 100755
--- a/usr/local/www/system_advanced.php
+++ b/usr/local/www/system_advanced.php
@@ -63,6 +63,7 @@ $pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksum
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
$pconfig['shapertype'] = $config['system']['shapertype'];
$pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
+$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
if ($_POST) {
@@ -122,6 +123,11 @@ if ($_POST) {
} else {
unset($config['system']['disablefilter']);
}
+ if($_POST['disablevpnrules'] == "yes") {
+ $config['system']['disablevpnrules'] = true;
+ } else {
+ unset($config['system']['disablevpnrules']);
+ }
if($_POST['enablesshd'] == "yes") {
$config['system']['enablesshd'] = "enabled";
touch("{$g['tmp_path']}/start_sshd");
@@ -647,6 +653,16 @@ include("head.inc");
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell">Disable Auto-added VPN rules</td>
+ <td width="78%" class="vtable">
+ <input name="disablevpnrules" type="checkbox" id="disablevpnrules" value="yes" <?php if (isset($config['system']['disablevpnrules'])) echo "checked"; ?> onclick="enable_change(false)" />
+ <strong>Disable all auto-added VPN rules.</strong>
+ <br />
+ <span class="vexpl">Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN.
+ </span>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
</tr>
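Review bot: The checkbox's `checked` state on the added `<input>` line is read from `$config['system']['disablevpnrules']` rather than from `$pconfig['disablevpnrules']`, which this same commit populates from that key at the top of the file; if the other fields on this form render from `$pconfig` (not visible here), a submission rejected with an error would re-render them as posted while this one reverts to the saved value. Change the attribute to `<?php if ($pconfig['disablevpnrules']) echo "checked"; ?>`. The help text could also tell the admin what the option implies — that no pass rules for IPsec, PPTP or OpenVPN traffic are generated automatically, so any that are needed have to be created as ordinary firewall rules.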