authorChris Buechler <cmb@pfsense.org>2015-04-08 21:42:36 -0500
committerChris Buechler <cmb@pfsense.org>2015-04-08 21:42:36 -0500
commite636f37393efe0810789e30158f73f3499613677 (patch)
tree8b762548df2a166ed10fe0d08a1154b33a22f06f /etc/inc/filter.inc
parent05b7eef94f28fc73dcd07faa322e8d569f6938ea (diff)
Allow disabling the APIPA block via a hidden config option. Very rarely necessary or desirable, but Amazon VPC VPNs use that range as their tunnel subnet with BGP setups.
Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r--etc/inc/filter.inc10
1 files changed, 8 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 07350cc..fdc7e61 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2814,13 +2814,19 @@ function filter_rules_generate() {
$saved_tracker += 100;
$tracker = $saved_tracker;
-
- $ipfrules .= <<<EOD
+
+ if (!isset($config['system']['no_apipa_block'])) {
+ $ipfrules .= <<<EOD
# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
# route-to can override that, causing problems such as in redmine #2073
block in {$log['block']} quick from 169.254.0.0/16 to any tracker {$increment_tracker($tracker)} label "Block IPv4 link-local"
block in {$log['block']} quick from any to 169.254.0.0/16 tracker {$increment_tracker($tracker)} label "Block IPv4 link-local"
+
+EOD;
+ }
+
+ $ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------