authorMatthew Grooms <mgrooms@pfsense.org>2008-09-05 03:16:33 +0000
committerMatthew Grooms <mgrooms@pfsense.org>2008-09-05 03:16:33 +0000
commit0770c295d1d43034da9949058e429b99cffb3031 (patch)
treec06e7a9f037e58e50609f6bab2a5e80f593fe0ea /etc
parent3f066eb8107b00fbf552ea0c2bb4f26f0b3c18e6 (diff)
Remove the code that auto-generates an outbound NAT rule for traffic that
originates from a private network to a distant OpenVPN network. We don't want to unconditionally hide all traffic behind the vpn interface address. If an admin wants to do this manually, nothing is stopping them.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc13
1 files changed, 2 insertions, 11 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5fbd2e0..3162d05 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -736,23 +736,14 @@ function filter_nat_rules_generate()
if ($numberofnathosts > 0):
- if (!empty($config['openvpn']['openvpn-client'])) {
- foreach ($config['openvpn']['openvpn-client'] as $settings) {
- $vpnid = $settings['vpnid'];
- if (!empty($settings['remote_network']))
- $natrules .= "nat on ovpnc{$vpnid} from \$tonatsubnets to any -> (ovpnc{$vpnid})\n";
- }
- }
-
foreach ($FilterIflist as $if => $ifcfg) {
update_filter_reload_status("Creating outbound rules {$if} - ({$ifcfg['descr']})");
if (interface_has_gateway($if)) {
$target = get_current_wan_address($if);
- /* do not nat tftp proxy */
- $natrules .= "no nat on \${$ifcfg['descr']} to port tftp\n";
-
+ /* do not nat tftp proxy */
+ $natrules .= "no nat on \${$ifcfg['descr']} to port tftp\n";
/* create outbound nat entries for all local networks */
$natrules .= filter_nat_rules_generate_if($if,