authorScott Ullrich <sullrich@pfsense.org>2004-11-07 20:17:26 +0000
committerScott Ullrich <sullrich@pfsense.org>2004-11-07 20:17:26 +0000
commitf997992b524dd0c64d55088a8673f3fae00692c5 (patch)
treeb649eb280c50482af7236ec16a52992b001a8cff /etc
parent6cc1766f2117d46162c92b44a87972ce4bcd62e5 (diff)
downloadpfsense-f997992b524dd0c64d55088a8673f3fae00692c5.zip
pfsense-f997992b524dd0c64d55088a8673f3fae00692c5.tar.gz
Make sure we define the IPsec VPN rules correctly, pf style
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc42
1 files changed, 18 insertions, 24 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 65156c8..417f3fa 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -40,7 +40,7 @@ function filter_resync() {
function filter_ipmon_start() {
global $config, $g;
- mwexec("/pflogd -sD");
+ mwexec("ifconfig pflog0 up && pflogd -sD");
}
function filter_configure() {
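Review bot: The new mwexec() call on the `+` line discards the exit status, so if `ifconfig pflog0 up` fails the `&&` short-circuits, pflogd is never started, and nothing in the logs says so; since this is what makes pf's packet logging work at all, the status is worth checking, e.g. `if (mwexec("ifconfig pflog0 up && pflogd -sD") != 0) log_error("could not bring up pflog0 / start pflogd");` (assuming the util.inc log_error() helper is in scope here as elsewhere in this code base). Dropping the bogus leading slash from `/pflogd` also means the binary is now resolved via PATH; if mwexec runs with a minimal environment, an absolute `/sbin/pflogd` would be the more robust spelling. filter_ipmon_start() is fully visible in this hunk.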
@@ -75,6 +75,7 @@ function filter_configure() {
$fd = fopen("/tmp/rules.debug", "w");
fwrite($fd, "set loginterface $wanif \n");
fwrite($fd, "set optimization aggressive\n");
+ fwrite($fd, "\nscrub in all\n");
fwrite($fd, $altq_ints);
fwrite($fd, $altq_queues);
fwrite($fd, $natrules);
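Review bot: The new `scrub in all` line carries no explanation of why it sits between the `set` options and the ALTQ/NAT output, yet pf.conf requires normalization rules to precede queueing, translation and filter rules, so its position is load-bearing and a later reordering of the fwrite() calls would break ruleset loading. A short comment in the generator would protect it, e.g. `/* pf requires scrub (normalization) before the queue/nat/filter sections; keep this ahead of $altq_ints */`. The fopen() on the first context line is still not checked for failure; that is pre-existing and not this hunk's change, but a failed open goes unnoticed and the fwrite() calls below it silently do nothing. filter_configure() starts and ends outside this hunk.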
@@ -412,23 +413,6 @@ function filter_rules_generate() {
# BEGIN OF firewall rules
$ipfrules="";
- $ipfrules .= "\n# VPN Rules\n";
- $internal_subnet = "any";
- if(is_array($config['ipsec']['tunnel'])) {
- foreach ($config['ipsec']['tunnel'] as $tunnel) {
- if(isset($tunnel['local-subnet']['address'])) {
- $internal_subnet = $tunnel['local-subnet']['address'];
- } else {
- $internal_subnet = "any";
- }
- $ipfrules .= "pass in on " . $wanif . " proto tcp from " . $tunnel['remote-subnet'] . " to " . $internal_subnet . " keep state\n";
- if(isset($tunnel['local-subnet']['address'])) {
- $ipfrules .= "pass in on " . $wanif . " proto tcp from " . $tunnel['local-subnet']['address'] . " to " . $tunnel['remote-subnet'] . " keep state\n";
- }
- }
-
- }
-
$ipfrules .= <<<EOD
# loopback
@@ -568,11 +552,6 @@ EOD;
}
}
- /* XXX - the first section is only needed because pfctl refuses to
- parse rules that have "flags S/SAFR" and proto "tcp/udp" set because
- UDP does not have flags, but we still want to offer the TCP/UDP protocol
- option to the user */
-
$ipfrules .= <<<EOD
@@ -899,6 +878,21 @@ EOD;
$i++;
}
+ $ipfrules .= "\n# VPN Rules\n";
+ $lan_ip = $config['interfaces']['lan']['ipaddr'];
+ $lan_subnet = $config['interfaces']['lan']['subnet'];
+ $wan_ip = $config['interfaces']['wan']['ipaddr'];
+ $internal_subnet = gen_subnet($lan_ip, $lan_subnet) . "/" . $config['interfaces']['lan']['subnet'];
+ if(is_array($config['ipsec']['tunnel'])) {
+ foreach ($config['ipsec']['tunnel'] as $tunnel) {
+ $remote_gateway = $tunnel['remote-gateway'];
+ $ipfrules .= "pass quick on " . $wanif . " from " . $wan_ip . " to " . $remote_gateway . " keep state\n";
+ $ipfrules .= "pass quick on " . $wanif . " from " . $remote_gateway . " to " . $wan_ip . " keep state\n";
+ $ipfrules .= "pass quick on " . $lanif . " from " . $tunnel['remote-subnet'] . " to " . $internal_subnet . " keep state\n";
+ $ipfrules .= "pass quick on " . $lanif . " from " . $internal_subnet . " to " . $tunnel['remote-subnet'] . " keep state\n";
+ }
+ }
+
$ipfrules .= <<<EOD
#---------------------------------------------------------------------------
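Review bot: The new `pass quick on $wanif from $wan_ip to $remote_gateway keep state` rule and its mirror admit every protocol between the WAN address and the peer rather than just IKE (udp 500) and ESP/AH, and because they are `quick` nothing below them can narrow that, whereas the rules this commit replaces at least carried `proto tcp`; the two `$lanif` rules likewise lack `in`/`out` and so match in both directions. Each tunnel's `remote-gateway` and `remote-subnet` are interpolated without an isset()/empty check, so an entry missing either field emits `from  to`, which pfctl rejects and which takes the whole ruleset down with it. Two smaller points: `$lan_subnet` is assigned but the raw config value is re-read on the `$internal_subnet` line, and the per-tunnel `local-subnet` the removed rules honoured is no longer consulted, so a tunnel whose local side is not the LAN subnet presumably no longer matches. The removed rules also matched decrypted traffic arriving on `$wanif`, which is where a KAME-style IPsec stack without an enc interface hands it back to the filter; if that holds on this platform, the `$lanif` rules alone will not admit it, and it is worth confirming on a test tunnel. A tightened version that skips incomplete entries, uses `$lan_subnet`, and limits the WAN rules to IPsec traffic is sketched below; filter_rules_generate() starts and ends outside this hunk.
```php
$ipfrules .= "\n# VPN Rules\n";
$lan_ip = $config['interfaces']['lan']['ipaddr'];
$lan_subnet = $config['interfaces']['lan']['subnet'];
$wan_ip = $config['interfaces']['wan']['ipaddr'];
$internal_subnet = gen_subnet($lan_ip, $lan_subnet) . "/" . $lan_subnet;
if (is_array($config['ipsec']['tunnel'])) {
    foreach ($config['ipsec']['tunnel'] as $tunnel) {
        /* an entry without a peer or a remote network cannot yield a parsable rule */
        if (empty($tunnel['remote-gateway']) || empty($tunnel['remote-subnet']))
            continue;
        $remote_gateway = $tunnel['remote-gateway'];
        $remote_subnet = $tunnel['remote-subnet'];
        /* WAN side: only IKE (udp/500) and the IPsec protocols themselves, to/from the peer */
        $ipfrules .= "pass in quick on " . $wanif . " proto udp from " . $remote_gateway . " to " . $wan_ip . " port = 500 keep state\n";
        $ipfrules .= "pass out quick on " . $wanif . " proto udp from " . $wan_ip . " to " . $remote_gateway . " port = 500 keep state\n";
        $ipfrules .= "pass in quick on " . $wanif . " proto { esp, ah } from " . $remote_gateway . " to " . $wan_ip . "\n";
        $ipfrules .= "pass out quick on " . $wanif . " proto { esp, ah } from " . $wan_ip . " to " . $remote_gateway . "\n";
        /* LAN side: decrypted traffic between the two networks, one rule per direction */
        $ipfrules .= "pass in quick on " . $lanif . " from " . $internal_subnet . " to " . $remote_subnet . " keep state\n";
        $ipfrules .= "pass out quick on " . $lanif . " from " . $remote_subnet . " to " . $internal_subnet . " keep state\n";
    }
}
```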
@@ -933,7 +927,7 @@ function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
$n--;
}
}
- $ipfrules .= "skip 1 in on $if from $sa/$sn to any\n";
+ $ipfrules .= "#skip 1 in on $if from $sa/$sn to any\n";
$ipfrules .= "#block in $log quick on $if all\n";
} else {
$ipfrules .= "#block in $log quick on $if from ! $sa/$sn to any\n";
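Review bot: With the `skip 1` line now commented out, every rule this branch of filter_rules_spoofcheck_generate() emits is a comment (the `#block in $log quick ...` lines on the following two lines already were), so the generated ruleset contains no anti-spoofing for `$if` at all and the visible part of the function is effectively a no-op. If the intent was only to drop the ipfilter-specific `skip` syntax, pf has a native directive that can replace the whole block, e.g. `$ipfrules .= "antispoof $log quick for $if\n";` (with `$log` being `log` or empty, as the existing lines already use it). The function's body continues outside this hunk, so other emitters may exist, but nothing in the visible branch produces an active rule.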