diff options
| author | Chris Buechler <cmb@pfsense.org> | 2008-10-04 22:03:48 +0000 |
|---|---|---|
| committer | Chris Buechler <cmb@pfsense.org> | 2008-10-04 22:03:48 +0000 |
| commit | d78e676308082c5d3a95b8c978e5d3a301e97ade (patch) | |
| tree | 90dcbc996e7893062d5a9aced078afb8b66e7d23 /etc | |
| parent | 9d51486c6948cef32e15110d799ce04e4381a4fa (diff) | |
| download | pfsense-d78e676308082c5d3a95b8c978e5d3a301e97ade.zip pfsense-d78e676308082c5d3a95b8c978e5d3a301e97ade.tar.gz | |
trim description so long descriptions on IPsec doesn't create an invalid ruleset
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/filter.inc | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index ca670f7..6c8460e 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2545,16 +2545,17 @@ EOD; } /* Add rules to allow IKE to pass */ + $shorttunneldescr = substr($descr, 0, 36); $ipfrules .= <<<EOD -pass out on \${$ifcfg['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label \"IPsec: {$descr} - outbound isakmp\" -pass in on \${$ifcfg['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label \"IPsec: {$descr} - inbound isakmp\" +pass out on \${$ifcfg['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\" +pass in on \${$ifcfg['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label \"IPsec: {$shorttunneldescr} - inbound isakmp\" EOD; /* If NAT-T is enabled, add additional rules */ if ($ph1ent['nat_traversal'] != "off" ) { $ipfrules .= <<<EOD -pass out on \${$ifcfg['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label \"IPsec: {$descr} - outbound nat-t\" -pass in on \${$ifcfg['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label \"IPsec: {$descr} - inbound nat-t\" +pass out on \${$ifcfg['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\" +pass in on \${$ifcfg['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label \"IPsec: {$shorttunneldescr} - inbound nat-t\" EOD; } @@ -2562,15 +2563,15 @@ EOD; /* Add rules to allow the protocols in use */ if ($prot_used_esp == true) { $ipfrules .= <<<EOD -pass out on \${$ifcfg['descr']} $route_to proto esp from any to {$rgip} keep state label \"IPsec: {$descr} - outbound esp proto\" -pass in on \${$ifcfg['descr']} $reply_to proto esp from {$rgip} to any keep state label \"IPsec: {$descr} - inbound esp proto\" +pass out on \${$ifcfg['descr']} $route_to proto esp from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\" +pass in on \${$ifcfg['descr']} $reply_to proto esp from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound esp proto\" EOD; } if ($prot_used_ah == true) { $ipfrules .= <<<EOD -pass out on \${$ifcfg['descr']} $route_to proto ah from any to {$rgip} keep state label \"IPsec: {$descr} - outbound ah proto\" -pass in on \${$ifcfg['descr']} $reply_to proto ah from {$rgip} to any keep state label \"IPsec: {$descr} - inbound ah proto\" +pass out on \${$ifcfg['descr']} $route_to proto ah from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\" +pass in on \${$ifcfg['descr']} $reply_to proto ah from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound ah proto\" EOD; } |
