author | Seth Mos <seth.mos@xs4all.nl> | 2006-12-02 12:53:16 +0000 |
---|---|---|
committer | Seth Mos <seth.mos@xs4all.nl> | 2006-12-02 12:53:16 +0000 |
commit | 7d5b8f4a0df22c3e3dc4ba61fce6aafc365b7ce5 (patch) | |
tree | a84830da6f1502673de967d6a4631b6f7b4ddada /etc/inc | |
parent | 86c2b56182c97dcb4d0928341035943028efbccb (diff) | |
Do not install default pass in rules for openvpn interfaces with a
gateway.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/filter.inc | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0c1ce04..5213a25 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2635,13 +2635,27 @@ function create_firewall_outgoing_rules_to_itself() {
 for($x=0; $x<100; $x++) {
 if(does_interface_exist("tun{$x}") == true) {
 $rule .="pass out quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
- $rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
+ $friendlytunif = convert_real_interface_to_friendly_interface_name("tun{$x}");
+ /* If the interface has a gateway we do not add a pass in rule. */
+ /* Some people use a TUN tunnel with public IP as a Multiwan interface */
+ if(isset($config['interfaces'][$friendlytunif]['gateway'])) {
+ $rule .= "# Not adding default pass in rule for interface $friendlytunif - tun{$x} with a gateway!";
+ } else {
+ $rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
+ }
 }
 }
 for($x=0; $x<100; $x++) {
 if(does_interface_exist("tap{$x}") == true) {
 $rule .="pass out quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
- $rule .="pass in quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
+ $friendlytapif = convert_real_interface_to_friendly_interface_name("tap{$x}");
+ /* If the interface has a gateway we do not add a pass in rule. */
+ /* Some people use a TAP tunnel with public IP as a Multiwan interface */
+ if(isset($config['interfaces'][$friendlytapif]['gateway'])) {
+ $rule .= "# Not adding default pass in rule for interface $friendlytapif - tap{$x} with a gateway!";
+ } else {
+ $rule .="pass in quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
+ }
 }
 }
 |
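Review bot: The comment appended when the interface has a gateway, `$rule .= "# Not adding default pass in rule for interface $friendlytunif - tun{$x} with a gateway!";`, has no trailing `\n`, unlike every other string appended to `$rule` in this hunk, so whatever is appended next lands on the same line and, because pf.conf treats everything after `#` up to end of line as a comment, that following rule is silently dropped from the loaded ruleset (for a gateway-bearing tun0 that would be the `pass out quick on tun1 ...` rule of the next iteration, or whatever follows the loop). The tap block a few lines down has the same defect. Both strings should end with a newline: `$rule .= "# Not adding default pass in rule for interface $friendlytunif - tun{$x} with a gateway!\n";` and likewise for `$friendlytapif`. The two loops now differ only in the `tun`/`tap` prefix and the TUN/TAP word in the comment, so a single `foreach (array('tun', 'tap') as $type)` loop would remove the duplicated gateway check. The body of create_firewall_outgoing_rules_to_itself() begins before this hunk and continues after it, so where `$config` is brought into scope cannot be confirmed from the hunk.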