author | Luiz Otavio O Souza <luiz@netgate.com> | 2016-11-06 22:17:50 -0600 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2016-11-06 22:17:50 -0600 |
commit | 55fcc035d117ea4f9707662f450e0fef706877b3 (patch) | |
tree | f557b182478bc8ed26b7f4db0ba8749941fc9f33 /src | |
parent | 411d4e6e55475cc66b997ca3e47478dbe10b4e1b (diff) | |
download | pfsense-55fcc035d117ea4f9707662f450e0fef706877b3.zip pfsense-55fcc035d117ea4f9707662f450e0fef706877b3.tar.gz |
Do not generate IPv6 rules when IPv6 is disabled.
Ticket #6206
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/filter.inc | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 96607af..9c9a5b6 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -3105,6 +3105,10 @@ EOD;
 #---------------------------------------------------------------------------
 block in {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
 block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
+EOD;
+
+ if (isset($config['system']['ipv6allow'])) {
+ $ipfrules .= <<<EOD
 block in {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
 block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6"
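Review bot: The split at `+EOD;` / `$ipfrules .= <<<EOD` loses the line break between the IPv4 and IPv6 default-deny rules, because PHP does not include the newline that precedes a heredoc's closing delimiter; the generated ruleset therefore gets `...label "Default deny rule IPv4"block in {$log['block']} inet6 ...` on a single line unless a whitespace-only context line, which this rendering would not show, sits between the two rules. The same pattern appears at the port-0 split in the second hunk and at the loopback and host-out splits in the third hunk; a blank line before each such `EOD;` (or `$ipfrules .= "\n";` before the following heredoc) restores the separator. Separately, with `ipv6allow` unset these two `block ... inet6 all` rules are no longer emitted, and pf passes any traffic no rule matches, so the change presumably relies on the block-all-IPv6 rules pfSense emits elsewhere in this function when IPv6 is disabled — a comment naming that dependency, e.g. `// IPv6 default deny is handled by the "Block all IPv6" rules when ipv6allow is unset`, would make the intent checkable. The `if` opened on the last added line is closed in the next hunk, so the ICMPv6 rules between the hunks are gated as well.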
@@ -3127,11 +3131,20 @@ pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 i
 pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
 pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
+EOD;
+ }
+ $ipfrules .= <<<EOD
 # We use the mighty pf, we cannot be fooled.
 block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} label "Block traffic from port 0"
 block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} label "Block traffic to port 0"
+EOD;
+ if (isset($config['system']['ipv6allow'])) {
+ $ipfrules .= <<<EOD
 block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} label "Block traffic from port 0"
 block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} label "Block traffic to port 0"
+EOD;
+ }
+ $ipfrules .= <<<EOD
 # Snort package
 block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
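Review bot: `isset($config['system']['ipv6allow'])` is evaluated as a fresh condition at each IPv6 section in this hunk and again twice in the next one, which invites the copies to drift apart as more sections are gated. Hoisting it once into a local, `$ipv6_enabled = isset($config['system']['ipv6allow']);`, near the top of the function and testing `if ($ipv6_enabled) {` at each site would make the rule generation read as one policy switch. The start of the enclosing function is outside the hunk.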
@@ -3472,13 +3485,23 @@ EOD;
 # loopback
 pass in {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
 pass out {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback"
+EOD;
+ if (isset($config['system']['ipv6allow'])) {
+ $ipfrules .= <<<EOD
 pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
 pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback"
+EOD;
+ }
+ $ipfrules .= <<<EOD
 # let out anything from the firewall host itself and decrypted IPsec traffic
 pass out {$log['pass']} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself"
+EOD;
+ if (isset($config['system']['ipv6allow'])) {
+ $ipfrules .= <<<EOD
 pass out {$log['pass']} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself"
-
 EOD;
+ }
+ $ipfrules .= "\n";
 $saved_tracker += 100;
 $tracker = $saved_tracker; |