diff options
author | Chris Buechler <cmb@pfsense.org> | 2015-09-28 15:37:07 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-09-28 15:37:07 -0500 |
commit | 0e512ee3a5cf37cb5f91eb41b7fb38f5ac5363f7 (patch) | |
tree | 2483cd71fe3aa276ed45259f44bc449ad994471a /etc | |
parent | 635ee4eb05b2ca97b3b7e4a909f5d01d57563c3a (diff) | |
download | pfsense-0e512ee3a5cf37cb5f91eb41b7fb38f5ac5363f7.zip pfsense-0e512ee3a5cf37cb5f91eb41b7fb38f5ac5363f7.tar.gz |
Use self rather than any in auto-added IPsec rules to prevent
over-matching. Ticket #5211
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 9b9dd0c..701fbbd 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -3804,30 +3804,30 @@ function filter_generate_ipsec_rules($log = array()) { /* Add rules to allow IKE to pass */ $shorttunneldescr = substr($descr, 0, 35); $ipfrules .= <<<EOD -pass out {$log['pass']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" -pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" +pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" EOD; /* If NAT-T is enabled, add additional rules */ if ($ph1ent['nat_traversal'] != "off" ) { $ipfrules .= <<<EOD -pass out {$log['pass']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" -pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" +pass out {$log['pass']} $route_to proto udp from (self) to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to (self) port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" EOD; } /* Add rules to allow the protocols in use */ if($prot_used_esp == true) { $ipfrules .= <<<EOD -pass out {$log['pass']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" -pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" +pass out {$log['pass']} $route_to proto esp from (self) to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to (self) tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" EOD; } if($prot_used_ah == true) { $ipfrules .= <<<EOD -pass out {$log['pass']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" -pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" +pass out {$log['pass']} $route_to proto ah from (self) to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" +pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to (self) tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" EOD; } |