author | Scott Ullrich <sullrich@pfsense.org> | 2006-06-12 04:16:19 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2006-06-12 04:16:19 +0000 |
commit | b9d1d8108b0b57b062400f6d87704110b2023b1e (patch) | |
tree | c00eef48f0827a997fb50e20f59b273052b72471 /etc | |
parent | bcd92a924da4205e019991793aba51bddc5bf1ee (diff) | |
Only allow mac-type 0x888e traffic for WPA. This is a lot better than allowing all layer2.
Thanks Andrew Thompson for the suggestion!
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/captiveportal.inc | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 1807451..e2f9225 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -308,9 +308,6 @@ function captiveportal_rules_generate() { $cprules .= "add 30 set 1 skipto 50000 all from any to any in via {$int} keep-state\n"; } - /* Needed for WPA */ - $cprules .= "add 1 set 1 allow all from any to any layer2"; - /* captive portal on LAN interface? */ if ($cpifn == "lan") { /* add anti-lockout rules */ @@ -329,6 +326,8 @@ add 1001 set 1 pass layer2 not via $cpif # layer 2: pass ARP add 1100 set 1 pass layer2 mac-type arp +# pfsense requires for WPA +add 1100 set 1 pass layer2 mac-type 0x888e # layer 2: block anything else non-IP add 1101 set 1 deny layer2 not mac-type ip # layer 2: check if MAC addresses of authenticated clients are correct |
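Review bot: The EAPOL rule added in the second hunk reuses rule number 1100, which the ARP pass rule directly above it already carries; ipfw accepts duplicate numbers, but a later delete or listing by number then hits both rules, so a number of its own between 1001 and 1101 (if one is free in the rest of the ruleset) would be easier to maintain. The comment `# pfsense requires for WPA` does not say what 0x888e is; something like `# layer 2: pass EAPOL (802.1X, mac-type 0x888e), needed for the WPA handshake` would match the neighbouring `# layer 2:` comments. Because the rule sits ahead of the check of authenticated clients' MAC addresses, EAPOL frames from stations that have not yet authenticated are passed on the portal interface; that looks intended for the handshake and is worth stating in the same comment. The rule text and its enclosing function begin and end outside this hunk, so the ordering relative to other rules is judged only from the visible lines.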