authorErmal <eri@pfsense.org>2014-03-26 19:17:17 +0000
committerErmal <eri@pfsense.org>2014-03-26 19:17:17 +0000
commit2553d943aa813aa846a5e3ee7ebba2d2d8592065 (patch)
tree06dce8b2420e6ca229356c607d754cb6879d9ed1 /etc/inc/filter.inc
parent6e331564545a55fa6fce94933434fb71f0fc7f37 (diff)
Give each rule hard-coded in the generated ruleset a tracker id so that log entries can be matched back to the rule that produced them
Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r--etc/inc/filter.inc286
1 files changed, 183 insertions, 103 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 6a63998..8d9e6bb 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -58,6 +58,16 @@ $filterdns = array();
/* Used for aliases and interface macros */
$aliases = "";
+global $tracker;
+$tracker = 1000000000;
+
+function filter_rule_tracker($tracker) {
+ global $tracker;
+
+ return (++$tracker);
+
+}
+
function fix_rule_label($descr) {
$descr = str_replace('"', '', $descr);
if (strlen($descr) > 63)
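Review bot: The `$tracker` parameter of filter_rule_tracker() is dead: the `global $tracker;` on the next line rebinds the name to the global, so whatever value the call sites pass is discarded and only the global counter is advanced. Either drop the parameter (PHP still interpolates a zero-argument call as `{$increment_tracker()}` inside the heredocs) or keep it for the call-site syntax and say so, e.g. `/* Returns the next rule tracker id. The argument is ignored; the global $tracker counter is what is advanced. */`. As written, a reader will assume the argument seeds or selects the counter.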
@@ -2592,9 +2602,10 @@ function filter_generate_user_rule($rule) {
}
function filter_rules_generate() {
- global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList;
+ global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList, $tracker;
$fix_rule_label = 'fix_rule_label';
+ $increment_tracker = 'filter_rule_tracker';
update_filter_reload_status(gettext("Creating default rules"));
if(isset($config['system']['developerspew'])) {
@@ -2619,21 +2630,26 @@ function filter_rules_generate() {
$log = "log";
else
$log = "";
-
+
+ $saved_tracker = $tracker;
+
if(!isset($config['system']['ipv6allow'])) {
$ipfrules .= "# Block all IPv6\n";
- $ipfrules .= "block in {$log} quick inet6 all label \"Block all IPv6\"\n";
- $ipfrules .= "block out {$log} quick inet6 all label \"Block all IPv6\"\n";
+ $ipfrules .= "block in {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
+ $ipfrules .= "block out {$log} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
}
-
+
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
+
$ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
-block in $log inet all label "Default deny rule IPv4"
-block out $log inet all label "Default deny rule IPv4"
-block in $log inet6 all label "Default deny rule IPv6"
-block out $log inet6 all label "Default deny rule IPv6"
+block in $log inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
+block out $log inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
+block in $log inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
+block out $log inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
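Review bot: The `$saved_tracker += 100; $tracker = $saved_tracker;` pairs introduced here rewind the counter unconditionally, so if a section ever emits more rules than its window the next section starts reusing ids that were already assigned and two different rules log under the same tracker. The windows in this hunk are comfortably sized, but the same pattern is repeated further down for sections whose rule count depends on configuration; a reset that never moves backwards keeps the fixed windows and still guarantees uniqueness, e.g. `$tracker = max($tracker, $saved_tracker);`. filter_rules_generate() starts and ends outside this hunk.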
@@ -2645,43 +2661,52 @@ block out $log inet6 all label "Default deny rule IPv6"
# 134 routeradv Router advertisement
# 135 neighbrsol Neighbor solicitation
# 136 neighbradv Neighbor advertisement
-pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
+pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
-pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
-pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
-pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
-pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
-pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
# We use the mighty pf, we cannot be fooled.
-block quick inet proto { tcp, udp } from any port = 0 to any
-block quick inet proto { tcp, udp } from any to any port = 0
-block quick inet6 proto { tcp, udp } from any port = 0 to any
-block quick inet6 proto { tcp, udp } from any to any port = 0
+block quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
+block quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
+block quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)}
+block quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}
# Snort package
-block quick from <snort2c> to any label "Block snort2c hosts"
-block quick from any to <snort2c> label "Block snort2c hosts"
+block quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
+block quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
EOD;
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
+
$ipfrules .= filter_process_carp_rules($log);
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
+
$ipfrules .= "\n# SSH lockout\n";
if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port ";
$ipfrules .= $config['system']['ssh']['port'];
- $ipfrules .= " label \"sshlockout\"\n";
+ $ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
} else {
if($config['system']['ssh']['port'] <> "")
$sshport = $config['system']['ssh']['port'];
else
$sshport = 22;
if($sshport)
- $ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} label \"sshlockout\"\n";
+ $ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
}
+ $saved_tracker += 50;
+ $tracker = $saved_tracker;
+
$ipfrules .= "\n# webConfigurator lockout\n";
if(!$config['system']['webgui']['port']) {
if($config['system']['webgui']['protocol'] == "http")
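Review bot: `filter_process_carp_rules($log)` on L116 is still called with only `$log` and is given a 100-id window, yet nothing in this hunk hands it the counter; unless that function was updated in the same commit to call filter_rule_tracker() itself, the CARP rules will be the only ones in this section without a `tracker` and the reserved window goes unused. Worth confirming, and stating the dependency next to the call: `/* CARP rules draw from the global $tracker; reserve 100 ids for them */`. The sshlockout and webConfigurator lockout rules below it are otherwise handled consistently with the rest.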
@@ -2692,13 +2717,19 @@ EOD;
$webConfiguratorlockoutport = $config['system']['webgui']['port'];
}
if($webConfiguratorlockoutport)
- $ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";
+ $ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
+
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
/*
* Support for allow limiting of TCP connections by establishment rate
* Useful for protecting against sudden outburts, etc.
*/
- $ipfrules .= "block in quick from <virusprot> to any label \"virusprot overload table\"\n";
+ $ipfrules .= "block in quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n";
+
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
/* if captive portal is enabled, ensure that access to this port
* is allowed on a locked down interface
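Review bot: The virusprot rule on L155 is the one hard-coded rule whose id is not drawn from the counter, and `1000000400` is not derived from the step sizes around it: starting from the initial 1000000000 and following the increments above (100, 100, 100, 50, 100) it falls inside the window reserved for the webConfigurator lockout section (1000000350–1000000449), so uniqueness depends on that section staying small and on none of those step values changing. If the fixed id is required because another component looks it up, give it a named constant and a comment naming that dependency; otherwise use `tracker {$increment_tracker($tracker)}` like every other rule in this change.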
@@ -2739,14 +2770,18 @@ EOD;
$listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : $cpcfg['zoneid'];
$portalias = $listenporthttps;
$portalias .= " {$listenporthttp}";
- $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } keep state(sloppy)\n";
- $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";
+ $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
+ $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n";
}
}
}
$bogontableinstalled = 0;
foreach ($FilterIflist as $on => $oc) {
+ /* XXX: Not static but give a step of 1000 for each interface to at least be able to match rules. */
+ $saved_tracker += 1000;
+ $tracker = $saved_tracker;
+
/* block bogon networks */
/* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
/* file is automatically in cron every 3000 minutes */
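Review bot: The per-interface `$saved_tracker += 1000` step means an interface's hard-coded rules get ids that depend on its position in `$FilterIflist`, so the same rule can carry a different tracker after an interface is added or removed; the XXX comment hints at this but does not state the consequence for whoever consumes the logs. Suggest making the contract explicit: `/* Ids of hard-coded rules are only stable within one generated ruleset; they shift when the interface list changes, so do not persist them across reloads. */`. The captive-portal rules above the loop draw from the 100-id window opened after the virusprot rule, which, as far as is visible here, is two rules per zone.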
@@ -2759,26 +2794,32 @@ EOD;
$ipfrules .= <<<EOD
# block bogon networks (IPv4)
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
-block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
+block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
EOD;
}
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
$ipfrules .= <<<EOD
# allow our DHCPv6 client out to the {$oc['descr']}
-pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
+pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
EOD;
}
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
if(isset($config['interfaces'][$on]['blockbogons']) && isset($config['system']['ipv6allow'])) {
$ipfrules .= <<<EOD
# block bogon networks (IPv6)
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
+block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
EOD;
}
@@ -2792,43 +2833,52 @@ EOD;
}
}
}
+
if($oc['ip'] && !($isbridged) && isset($oc['spoofcheck']))
$ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
+
/* block private networks ? */
if(!isset($config['syslog']['nologprivatenets']))
$privnetlog = "log";
else
$privnetlog = "";
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
if(isset($config['interfaces'][$on]['blockpriv'])) {
if($isbridged == false) {
$ipfrules .= <<<EOD
# block anything from private networks on interfaces with the option set
antispoof for \${$oc['descr']}
-block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
-block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
-block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
-block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
-block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
-block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
+block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
+block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
+block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
+block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
EOD;
}
}
+
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
switch ($oc['type']) {
case "pptp":
$ipfrules .= <<<EOD
# allow PPTP client
-pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
-pass in on \${$oc['descr']} proto gre from any to any keep state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
+pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
+pass in on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
EOD;
break;
case "dhcp":
$ipfrules .= <<<EOD
# allow our DHCP client out to the {$oc['descr']}
-pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
-pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
+pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
+pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
# Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP.
EOD;
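Review bot: `filter_rules_spoofcheck_generate()` on L220 is called unchanged, so any rules it returns carry no tracker unless that helper was also updated; it runs between the IPv6 bogon rule and the private-network `+10` window, so if it does draw from the global counter it shares the 10-id window opened on L203 with that bogon rule and the DHCPv6 client rules. Either way a comment at the call would settle it for the next reader: `/* spoofcheck rules are expected to draw from the global $tracker within the current window */`. The private-network block below emits six rules inside its own 10-id window, which fits.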
@@ -2843,13 +2893,13 @@ EOD;
if(isset($config['dhcpd'][$on]['enable'])) {
$ipfrules .= <<<EOD
# allow access to DHCP server on {$oc['descr']}
-pass in quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
+pass in quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
EOD;
if (is_ipaddrv4($oc['ip'])) {
$ipfrules .= <<<EOD
-pass in quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 label "allow access to DHCP server"
-pass out quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
+pass in quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
+pass out quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server"
EOD;
}
@@ -2857,8 +2907,8 @@ EOD;
if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") {
$ipfrules .= <<<EOD
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
-pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover"
-pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover"
+pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
+pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover"
EOD;
}
@@ -2866,19 +2916,22 @@ EOD;
}
break;
}
+
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
switch($oc['type6']) {
case "6rd":
$ipfrules .= <<<EOD
# allow our proto 41 traffic from the 6RD border relay in
-pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
-pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
+pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
+pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
EOD;
/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */
if (0 && is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD
-pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
-pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
+pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
+pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
EOD;
}
@@ -2887,16 +2940,16 @@ EOD;
if (is_ipaddrv4($oc['ip'])) {
$ipfrules .= <<<EOD
# allow our proto 41 traffic from the 6to4 border relay in
-pass in on \${$oc['descr']} proto 41 from any to {$oc['ip']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
-pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
+pass in on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
+pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
EOD;
}
/* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */
if (0 && is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD
-pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
-pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
+pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
+pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
EOD;
}
@@ -2907,16 +2960,16 @@ EOD;
$ipfrules .= <<<EOD
# allow access to DHCPv6 server on {$oc['descr']}
# We need inet6 icmp for stateless autoconfig and dhcpv6
-pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
-pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
-pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
-pass quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
+pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
+pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
+pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
+pass quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
EOD;
if (is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD
-pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 label "allow access to DHCPv6 server"
-pass out quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 label "allow access to DHCPv6 server"
+pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
+pass out quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server"
EOD;
}
@@ -2924,6 +2977,10 @@ EOD;
break;
}
}
+
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
/*
* NB: The loopback rules are needed here since the antispoof would take precedence then.
* If you ever add the 'quick' keyword to the antispoof rules above move the looback
@@ -2932,33 +2989,32 @@ EOD;
$ipfrules .= <<<EOD
# loopback
-pass in on \$loopback inet all label "pass IPv4 loopback"
-pass out on \$loopback inet all label "pass IPv4 loopback"
-pass in on \$loopback inet6 all label "pass IPv6 loopback"
-pass out on \$loopback inet6 all label "pass IPv6 loopback"
+pass in on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
+pass out on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
+pass in on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
+pass out on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
-EOD;
-
- $ipfrules .= <<<EOD
# let out anything from the firewall host itself and decrypted IPsec traffic
-pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
-pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
+pass out inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself"
+pass out inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself"
EOD;
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
foreach ($FilterIflist as $ifdescr => $ifcfg) {
if(isset($ifcfg['virtual']))
continue;
$gw = get_interface_gateway($ifdescr);
if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip'])) {
- $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+ $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
if (is_array($ifcfg['vips'])) {
foreach ($ifcfg['vips'] as $vip)
if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}"))
- $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+ $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
else
- $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+ $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
}
}
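Review bot: The route-to loop starting at L396 emits one rule per interface plus one per VIP (and the IPv6 equivalents continue below this hunk), all from a single window with no per-interface step, unlike the `+1000` per interface used in the earlier interface loop; how many ids it consumes depends on the number of interfaces and VIPs, so the window closed after the loop (outside this hunk) has to be sized for the whole set or these rules collide with the ones that follow. A comment on the loop would make the assumption visible: `/* all route-to rules share one window; it must exceed the total interface + VIP count */`.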
@@ -2966,19 +3022,23 @@ EOD;
$stf = get_real_interface($ifdescr, "inet6");
$pdlen = 64 - calculate_ipv6_delegation_length($ifdescr);
if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) {
- $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+ $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
if (is_array($ifcfg['vips6'])) {
foreach ($ifcfg['vips6'] as $vip)
- $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+ $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n";
}
}
}
+ $saved_tracker += 300;
+ $tracker = $saved_tracker;
/* add ipsec interfaces */
if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable']))
- $ipfrules .= "pass out on \$IPsec all keep state label \"IPsec internal host to host\"\n";
+ $ipfrules .= "pass out on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n";
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
if(is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
$alports = filter_get_antilockout_ports();
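Review bot: The IPsec rule on L431 carries `tracker` twice — `tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)}` — which burns two ids and writes a duplicated option into the generated ruleset; whether pfctl tolerates the repeated option I can't tell from here, but a single one is clearly what was intended: `$ipfrules .= "pass out on \$IPsec all tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n";`. Every other rule in this change carries exactly one `tracker`, so this looks like a paste error rather than a deliberate choice.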
@@ -2989,7 +3049,7 @@ EOD;
$lanif = $FilterIflist['lan']['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule"
+pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
EOD;
} else if (count($config['interfaces']) == 1) {
@@ -2997,13 +3057,15 @@ EOD;
$wanif = $FilterIflist["wan"]['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule"
+pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
EOD;
}
unset($alports);
}
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
/* PPTPd enabled? */
if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off") && !isset($config['system']['disablevpnrules'])) {
if($pptpdcfg['mode'] == "server")
@@ -3013,8 +3075,8 @@ EOD;
if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) {
$ipfrules .= <<<EOD
# PPTPd rules
-pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
-pass in on \${$FilterIflist['wan']['descr']} proto gre from any to any keep state label "allow gre pptpd"
+pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
+pass in on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd"
EOD;
@@ -3026,13 +3088,15 @@ EOD;
}
}
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
if(isset($config['nat']['rule']) && is_array($config['nat']['rule'])) {
foreach ($config['nat']['rule'] as $rule) {
if((!isset($config['system']['disablenatreflection']) || $rule['natreflection'] == "enable")
&& $rule['natreflection'] != "disable") {
$ipfrules .= "# NAT Reflection rules\n";
$ipfrules .= <<<EOD
-pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
+pass in inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost"
EOD;
break;
@@ -3111,6 +3175,9 @@ EOD;
unset($rule_arr1, $rule_arr2, $rule_arr3);
}
+ $saved_tracker += 100;
+ $tracker = $saved_tracker;
+
/* pass traffic between statically routed subnets and the subnet on the
* interface in question to avoid problems with complicated routing
* topologies
@@ -3129,10 +3196,10 @@ EOD;
}
if ($sa && is_ipaddrv4($routeent[0])) {
$ipfrules .= <<<EOD
-pass quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
-pass quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets"
-pass quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
-pass quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
EOD;
}
@@ -3143,10 +3210,10 @@ EOD;
}
if ($sa && is_ipaddrv6($routeent[0])) {
$ipfrules .= <<<EOD
-pass quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
-pass quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets"
-pass quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
-pass quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets"
EOD;
}
@@ -3155,10 +3222,14 @@ EOD;
}
update_filter_reload_status(gettext("Creating IPsec rules..."));
+ $saved_tracker += 100000;
+ $tracker = $saved_tracker;
$ipfrules .= filter_generate_ipsec_rules();
$ipfrules .= "\nanchor \"tftp-proxy/*\"\n";
+ $saved_tracker += 200;
+ $tracker = $saved_tracker;
update_filter_reload_status("Creating uPNP rules...");
if (is_array($config['installedpackages']['miniupnpd']) && is_array($config['installedpackages']['miniupnpd']['config'][0])) {
if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable']))
@@ -3176,7 +3247,7 @@ EOD;
}
if($sa) {
$ipfrules .= <<<EOD
-pass in on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 keep state label "pass multicast traffic to miniupnpd"
+pass in on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd"
EOD;
}
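Review bot: The IPsec section is given only 200 tracker IDs: `$saved_tracker` jumps by 100000 before `filter_generate_ipsec_rules()` is called, which benefits the static-route section above it, but the uPNP section that follows restarts at `$saved_tracker + 200`. Inside filter_generate_ipsec_rules() every phase1 entry advances `$tracker` by 10 and then by one per rule emitted (up to eight visible in this diff), so somewhere around a dozen phase1 entries exhaust the range and the IPsec and uPNP rules start sharing tracker IDs. The cheap fix is to give IPsec the same large budget as the other looping sections, i.e. change the second bump to `$saved_tracker += 100000;`, and to note next to each bump which section the range belongs to. The enclosing filter_rules_generate() starts and ends outside the hunk.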
@@ -3190,12 +3261,14 @@ EOD;
}
function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
- global $g, $config;
+ global $g, $config, $tracker;
if(isset($config['system']['developerspew'])) {
$mt = microtime();
echo "filter_rules_spoofcheck_generate() being called $mt\n";
}
$ipfrules = "antispoof for {$if}\n";
+ $tracker++;
+
return $ipfrules;
}
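Review bot: filter_rules_spoofcheck_generate() now consumes a tracker ID with `$tracker++` but the `antispoof for {$if}` line it returns carries no `tracker` keyword, so whatever pf expands that directive into is still not attributable from the log. If the patched pf grammar accepts a tracker on antispoof, emit it, e.g. `$ipfrules = "antispoof for {$if} tracker " . (++$tracker) . "\n";`; if it does not, the increment should say why it is there, e.g. `/* antispoof takes no tracker; burn one ID so numbering stays aligned with the ruleset */`. The unused `$log` parameter predates this change and is not part of the review.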
@@ -3411,24 +3484,26 @@ function filter_setup_logging_interfaces() {
}
function filter_process_carp_rules($log) {
- global $g, $config;
+ global $g, $config, $tracker;
if(isset($config['system']['developerspew'])) {
$mt = microtime();
echo "filter_process_carp_rules($log) being called $mt\n";
}
+
+ $increment_tracker = 'filter_rule_tracker';
$lines = "";
/* return if there are no carp configured items */
if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) {
- $lines .= "block in $log quick proto carp from (self) to any\n";
- $lines .= "pass quick proto carp\n";
+ $lines .= "block in $log quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n";
+ $lines .= "pass quick proto carp tracker {$increment_tracker($tracker)}\n";
}
return $lines;
}
/* Generate IPSEC Filter Items */
function filter_generate_ipsec_rules() {
- global $config, $g, $FilterIflist;
+ global $config, $g, $FilterIflist, $tracker;
if(isset($config['system']['developerspew'])) {
$mt = microtime();
@@ -3438,6 +3513,8 @@ function filter_generate_ipsec_rules() {
if (isset($config['system']['disablevpnrules']))
return "\n# VPN Rules not added disabled in System->Advanced.\n";
+ $increment_tracker = 'filter_rule_tracker';
+
$ipfrules = "\n# VPN Rules\n";
/* Is IP Compression enabled? */
if(isset($config['ipsec']['ipcomp']))
@@ -3449,6 +3526,8 @@ function filter_generate_ipsec_rules() {
is_array($config['ipsec']['phase1'])) {
/* step through all phase1 entries */
foreach ($config['ipsec']['phase1'] as $ph1ent) {
+ $tracker += 10;
+
if(isset ($ph1ent['disabled']))
continue;
/* determine local and remote peer addresses */
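Review bot: The `$tracker += 10;` stride per phase1 entry is smaller than what one entry can consume: the rules emitted further down in this function (isakmp, nat-t, esp and ah pairs) each call the incrementer, so a single entry can advance the counter by 10 plus up to 8, and consecutive entries therefore do not get aligned, non-overlapping blocks as the stride suggests. Either size the stride for the worst case, `$tracker += 20;`, or drop it and rely on the per-rule increments alone, and add a one-line comment stating the intent. Placing the bump before the `disabled` check also reserves IDs for entries that emit nothing; that is harmless but worth noting in the same comment. The enclosing filter_generate_ipsec_rules() starts and ends outside the hunk.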
@@ -3521,30 +3600,30 @@ function filter_generate_ipsec_rules() {
/* Add rules to allow IKE to pass */
$shorttunneldescr = substr($descr, 0, 35);
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
EOD;
/* If NAT-T is enabled, add additional rules */
if($ph1ent['nat_traversal'] != "off" ) {
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
EOD;
}
/* Add rules to allow the protocols in use */
if($prot_used_esp == true) {
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
EOD;
}
if($prot_used_ah == true) {
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
EOD;
}
@@ -3588,6 +3667,7 @@ function discover_pkg_rules($ruletype) {
function filter_get_antilockout_ports($wantarray = false) {
global $config;
+
$lockoutports = array();
$guiport = ($config['system']['webgui']['protocol'] == "https") ? "443" : "80";
$guiport = empty($config['system']['webgui']['port']) ? $guiport : $config['system']['webgui']['port'];