author | Ermal <eri@pfsense.org> | 2010-12-20 19:41:43 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2010-12-20 19:41:43 +0000 |
commit | 49659e1cc6f78af1287590fca7b64791fd6da6f1 (patch) | |
tree | 43d5e3341c35af955299e687feac43cae3446303 /etc | |
parent | 4cc233748fa7e79ac743364404152b7685c81288 (diff) | |
Move the captive portal (CP) rules below the webConfigurator abuse-lockout rule so that the same lockout protection also applies to the captive portal.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 73 |
1 files changed, 37 insertions, 36 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index b07d992..486cd12 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1965,42 +1965,6 @@ function filter_rules_generate() {
 $ipfrules = "";
 //$ipfrules .= discover_pkg_rules("filter");
- /* if captive portal is enabled, ensure that access to this port
- * is allowed on a locked down interface
- */
- if(isset($config['captiveportal']['enable'])) {
- $cpinterfaces = explode(",", $config['captiveportal']['interface']);
- $cpiflist = array();
- $cpiplist = array();
- foreach ($cpinterfaces as $cpifgrp) {
- if(!isset($FilterIflist[$cpifgrp]))
- continue;
- $tmpif = get_real_interface($cpifgrp);
- if(!empty($tmpif)) {
- $cpiflist[] = "{$tmpif}";
- $cpipm = get_interface_ip($cpifgrp);
- if(is_ipaddr($cpipm)) {
- $carpif = link_ip_to_carp_interface($cpipm);
- if (!empty($carpif)) {
- $cpiflist[] = $carpif;
- $carpsif = explode(" ", $carpif);
- foreach ($carpsif as $cpcarp) {
- $carpip = find_interface_ip($cpcarp);
- if (is_ipaddr($carpip))
- $cpiplist[] = $carpip;
- }
- }
- $cpiplist[] = $cpipm;
- }
- }
- }
- if (count($cpiplist) > 0 && count($cpiflist) > 0) {
- $cpinterface = implode(" ", $cpiflist);
- $cpaddresses = implode(" ", $cpiplist);
- $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n";
- $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from any port { 8000 8001 80 } to any flags any keep state(sloppy)\n";
- }
- }
 /* relayd */
 $ipfrules .= "anchor \"relayd/*\"\n";
 # BEGIN OF firewall rules 
@@ -2071,6 +2035,43 @@ EOD;
 */
 $ipfrules .= "block in quick from <virusprot> to any label \"virusprot overload table\"\n";
+ /* if captive portal is enabled, ensure that access to this port
+ * is allowed on a locked down interface
+ */
+ if(isset($config['captiveportal']['enable'])) {
+ $cpinterfaces = explode(",", $config['captiveportal']['interface']);
+ $cpiflist = array();
+ $cpiplist = array();
+ foreach ($cpinterfaces as $cpifgrp) {
+ if(!isset($FilterIflist[$cpifgrp]))
+ continue;
+ $tmpif = get_real_interface($cpifgrp);
+ if(!empty($tmpif)) {
+ $cpiflist[] = "{$tmpif}";
+ $cpipm = get_interface_ip($cpifgrp);
+ if(is_ipaddr($cpipm)) {
+ $carpif = link_ip_to_carp_interface($cpipm);
+ if (!empty($carpif)) {
+ $cpiflist[] = $carpif;
+ $carpsif = explode(" ", $carpif);
+ foreach ($carpsif as $cpcarp) {
+ $carpip = find_interface_ip($cpcarp);
+ if (is_ipaddr($carpip))
+ $cpiplist[] = $carpip;
+ }
+ }
+ $cpiplist[] = $cpipm;
+ }
+ }
+ }
+ if (count($cpiplist) > 0 && count($cpiflist) > 0) {
+ $cpinterface = implode(" ", $cpiflist);
+ $cpaddresses = implode(" ", $cpiplist);
+ $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n";
+ $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any port { 8000 8001 80 } to any flags any keep state(sloppy)\n";
+ }
+ }
+
 $bogontableinstalled = 0;
 foreach ($FilterIflist as $on => $oc) {
 /* block bogon networks */ |
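Review bot: The re-added pass rules now interpolate `{$log}`, which the copy removed in the first hunk did not, so the move also silently changes whether captive portal traffic is logged; `$log` is not assigned anywhere in this hunk and presumably comes from earlier in filter_rules_generate(), whose start and end lie outside the hunk, so it is worth confirming it is initialised on every path before this point (an unset variable would only raise a notice and yield a rule with an empty token, not a syntax error). The protection this commit adds depends entirely on pf rule order — these `quick` pass rules only inherit the lockout because they now sit after `block in quick from <virusprot>` — yet the block's comment still says only that access to the port is "allowed", so I would extend it: `/* Keep this below the <virusprot> block rule: hosts locked out for webConfigurator abuse must also be denied the captive portal ports (8000/8001). */`. Independently of the move, `keep state(sloppy)` on both rules and `flags any` on the outbound one relax pf's TCP state tracking for these ports; if that is deliberate for the portal's redirect flow, a one-line why-comment on the `pass in` line would keep a later reviewer from "tightening" it.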