authorChris Buechler <cmb@pfsense.org>2016-01-26 21:32:58 -0600
committerChris Buechler <cmb@pfsense.org>2016-01-26 21:32:58 -0600
commitbc3e61c4950740128ef7d2200e6399ada2e0fae9 (patch)
treebce03dcc6de804cba94e270048dbc874247a8343
parente296be60e0d8ef2c94d9141ecefe234cb8f1b1a1 (diff)
downloadpfsense-bc3e61c4950740128ef7d2200e6399ada2e0fae9.zip
pfsense-bc3e61c4950740128ef7d2200e6399ada2e0fae9.tar.gz
Skip 'pass out' rules for mobile IPsec. Ticket #5819
-rw-r--r--src/etc/inc/filter.inc17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index ab314ee..bfe0c15 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -4118,30 +4118,39 @@ function filter_generate_ipsec_rules($log = array()) {
/* Add rules to allow IKE to pass */
$shorttunneldescr = substr($descr, 0, 35);
+ // don't add "pass out" rules where $rgip is any as it will over-match and often break VPN clients behind the system in multi-WAN scenarios. redmine #5819
+ if ($rgip != " any ") {
+ $ipfrules .= "pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\"\n";
+ }
$ipfrules .= <<<EOD
-pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
EOD;
/* If NAT-T is enabled, add additional rules */
if ($ph1ent['nat_traversal'] != "off") {
+ if ($rgip != " any ") {
+ $ipfrules .= "pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\"\n";
+ }
$ipfrules .= <<<EOD
-pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
EOD;
}
/* Add rules to allow the protocols in use */
if ($prot_used_esp) {
+ if ($rgip != " any ") {
+ $ipfrules .= "pass out {$log['pass']} $route_to proto esp from (self) to {$rgip} tracker {$increment_tracker($tracker)} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\"\n";
+ }
$ipfrules .= <<<EOD
-pass out {$log['pass']} $route_to proto esp from (self) to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to (self) tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
EOD;
}
if ($prot_used_ah) {
+ if ($rgip != " any ") {
+ $ipfrules .= "pass out {$log['pass']} $route_to proto ah from (self) to {$rgip} tracker {$increment_tracker($tracker)} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\"\n";
+ }
$ipfrules .= <<<EOD
-pass out {$log['pass']} $route_to proto ah from (self) to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to (self) tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
EOD;