-rw-r--r--etc/inc/filter.inc62
-rwxr-xr-xetc/rc6
-rwxr-xr-xetc/rc.bootup15
3 files changed, 29 insertions, 54 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 530390a..4a0d018 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -55,7 +55,7 @@ function filter_resync() {
mwexec("/sbin/pfctl -y"); /* XXX */
}
-function filter_ipmon_start() {
+function filter_pflog_start() {
global $config, $g;
mwexec("ifconfig pflog0 up && pflogd -sD");
@@ -84,6 +84,9 @@ function filter_configure() {
mwexec("/sbin/pfctl -e");
mwexec("/sbin/pfctl -F nat");
mwexec("/sbin/pfctl -F rules");
+ } else {
+ mwexec("/sbin/pfctl -d");
+ return;
}
/* get our wan interface? */
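Review bot: The new `else` branch at L25-L28 disables pf with `pfctl -d` and returns with no value, while the error path added later in this same function returns `1`, so a caller that checks the result of filter_configure() gets `null` for "filter intentionally off" and `1` for "ruleset failed to load" and cannot tell a deliberate off from a broken state without extra work; I would make it an explicit `return 0;`. Because `pfctl -d` turns off filtering and NAT for every interface at once, the branch deserves a comment stating that consequence, e.g. `/* filter disabled: pf off, nothing is filtered, NATed or antispoofed from here on */`, and ideally a log line so the state is visible after boot. The `if` condition this `else` pairs with is outside the hunk, so I am assuming it is the global filter-enable check.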
@@ -98,29 +101,32 @@ function filter_configure() {
$mssclamp = "";
$fd = fopen("/tmp/rules.debug", "w");
- fwrite($fd, $aliases . " \n");
- fwrite($fd, "set loginterface $wanif \n");
+ $rules = $aliases . " \n";
+ $rules.= "set loginterface $wanif \n";
$optimization = "normal";
if($config['system']['optimization'] <> "") $optimization = $config['system']['optimization'];
- fwrite($fd, "set optimization " . $optimization . "\n");
+ $rules.= "set optimization " . $optimization . "\n";
if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
/* User defined maximum states in Advanced menu. */
$maximumstates = $config['system']['maximumstates'];
- fwrite($fd, "set limit states " . $maximumstates . "\n");
+ $rules.= "set limit states " . $maximumstates . "\n";
}
- fwrite($fd, "\nscrub all " . $mssclamp ."\n"); // reassemble all directions
- fwrite($fd, $altq_ints);
-
- /*
- * Anchors will be used to allow scripts and or users
- * to add or subtract rules from the system using shellcmd.
- */
- fwrite($fd, $altq_queues . "\n");
- fwrite($fd, $natrules);
- fwrite($fd, $pfrules);
+ $rules.= "\nscrub all " . $mssclamp ."\n"; // reassemble all directions
+ $rules.= $altq_ints;
+ $rules.= $altq_queues . "\n";
+ $rules.= $natrules;
+ $rules.= $pfrules;
+ fwrite($fd, $rules);
fclose($fd);
- $rules_loading = mwexec("/sbin/pfctl -f /tmp/rules.debug");
+ $rules_loading = popen("/sbin/pfctl -f - > /dev/null 2>&1", "w");
+ if (!$rules_loading) {
+ printf("Cannot open /sbin/pfctl in filter_configure()\n");
+ return 1;
+ }
+
+ fwrite($rules_loading, $rules);
+ pclose($rules_loading);
/* load ipfw+altq module */
if (isset($config['shaper']['enable'])) {
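Review bot: The exit status of `pfctl -f -` is thrown away at L72: `pclose()` returns the termination status and it is not inspected, whereas the replaced `mwexec()` call at L64 at least stored the exit code in `$rules_loading`, which now holds the pipe handle instead. If pfctl rejects the ruleset (a syntax error from an alias or a user-supplied `optimization` value, which is interpolated unvalidated at L40), the function reports success, and since `pfctl -F rules` earlier in this function already emptied the loaded ruleset while pf stays enabled, the box is as far as I can tell running with no rules at all. The redirect `> /dev/null 2>&1` on L65 also discards pfctl's diagnostic, so the syntax error cannot be recovered from the console; keep stderr, or at least point the operator at /tmp/rules.debug.
```php
    fwrite($rules_loading, $rules);
    $rc = pclose($rules_loading);
    if ($rc !== 0) {
        /* pf is still enabled but the ruleset flushed above was never replaced */
        printf("pfctl rejected the ruleset (exit status %d), see /tmp/rules.debug\n", $rc);
        return 1;
    }
    // … unchanged: ipfw+altq module load …
```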
@@ -1485,30 +1491,8 @@ function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
$ipfrules = "antispoof for " . $if . "\n";
- return $ipfrules; /* testing above. once works get rid above below.*/
-
- if (is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
- /* count rules */
- $n = 1;
- foreach ($config['staticroutes']['route'] as $route) {
- if ($route['interface'] == $ifname)
- $n++;
- }
-
- /* output skip rules */
- foreach ($config['staticroutes']['route'] as $route) {
- if ($route['interface'] == $ifname) {
- //$ipfrules .= "skip $n in on $if from {$route['network']} to any\n";
- $n--;
- }
- }
- $ipfrules .= "#skip 1 in on $if from $sa/$sn to any\n";
- $ipfrules .= "#block in $log quick on $if all\n";
- } else {
- $ipfrules .= "#block in $log quick on $if from ! $sa/$sn to any\n";
- }
-
return $ipfrules;
+
}
?> \ No newline at end of file
diff --git a/etc/rc b/etc/rc
index 0a68834..248e38a 100755
--- a/etc/rc
+++ b/etc/rc
@@ -67,9 +67,6 @@ cd /var/run && cp /dev/null utmp && chmod 644 utmp
# let the PHP-based configuration subsystem set up the system now
/etc/rc.bootup
-/sbin/pfctl -f /tmp/rules.debug
-/sbin/pfctl -e
-
echo Starting INETD for FTP-PROXY...
/usr/sbin/inetd -wW -C 60
@@ -81,9 +78,6 @@ echo Starting USB...
/usr/sbin/cron 2>>/tmp/bootup_messages
-sleep 10
-/sbin/pfctl -f /tmp/rules.debug
-
for FILE in /usr/local/etc/rc.d/*.sh; do
if [ -e $FILE ]; then
echo "Starting ${FILE}..."
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 2b7e960..bb694e5 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -65,9 +65,6 @@
if (!in_array($g['platform'], $g['nopccard_platforms']))
system_pccard_start();
- /* establish pf and altq ruleset */
- filter_configure();
-
/* configure loopback interface */
interfaces_loopback_configure();
@@ -83,14 +80,14 @@
/* set up Optional interfaces */
interfaces_optional_configure();
- /* start OpenVPN server & clients */
- ovpn_configure();
+ /* start pflog */
+ filter_pflog_start();
- /* resync ipfilter */
- filter_resync();
+ /* setup altq + pf */
+ filter_configure();
- /* start ipmon */
- filter_ipmon_start();
+ /* start OpenVPN server & clients */
+ ovpn_configure();
/* set up static routes */
system_routing_configure();
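Review bot: With this reordering filter_configure(), which is where `pfctl -e` now lives, runs only after interfaces_optional_configure() at L138 (and, from the earlier hunk, after the loopback and other interface setup), so there is a boot window in which the interfaces are up and pf is not yet enabled; before the change filter_configure() ran ahead of interface configuration, and etc/rc additionally re-ran `pfctl -f` and `pfctl -e` after rc.bootup, which this diff removes. If rc.bootup dies between interface setup and L146 (a PHP error in ovpn or interface code, for example) nothing else enables pf and the box keeps booting unfiltered. I would either keep a final `/sbin/pfctl -e` in etc/rc as a safety net, or document the accepted window with a comment above L145, e.g. `/* interfaces are already up here; pf is enabled only once filter_configure() succeeds */`. I cannot see what the interface functions do beyond their names, so the exact size of the window is inferred.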