Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r-- | etc/inc/filter.inc | 98 |
1 files changed, 49 insertions, 49 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 7322b81..dbaeea4 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -783,12 +783,12 @@ function filter_nat_rules_generate() {
 }
 if(!isset($config['system']['disableftpproxy']))
- $natrules .= "rdr on " . $lanif . " proto tcp from any to any port 21 -> 127.0.0.1 port 8021\n";
+ $natrules .= "rdr on lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021\n";
 /* DIAG: add ipv6 NAT, if requested */
 if (isset($config['diag']['ipv6nat']['enable'])) {
- $natrules .= "rdr on $wanif proto ipv6 from any to any port 0 -> " .
+ $natrules .= "rdr on wan proto ipv6 from any to any port 0 -> " .
 "{$config['diag']['ipv6nat']['ipaddr']}\n";
 }
@@ -846,8 +846,8 @@ function filter_nat_rules_generate() {
 $natrules .= <<<EOD
 # PPTP
-rdr on $wanif proto gre from any to any -> $pptpdtarget
-rdr on $wanif proto tcp from any to any port 1723 -> $pptpdtarget
+rdr on wan proto gre from any to any -> $pptpdtarget
+rdr on wan proto tcp from any to any port 1723 -> $pptpdtarget
 EOD;
 }
@@ -855,7 +855,7 @@ EOD;
 $squid_installed = run_command_return_string("/bin/ls /var/db/pkg/ | grep squid");
 if ($squid_installed <> "") {
- $natrules .= "rdr on " . $lanif . " inet proto tcp from any to any port www -> 127.0.0.1 port 3128\n";
+ $natrules .= "rdr on lan inet proto tcp from any to any port www -> 127.0.0.1 port 3128\n";
 }
 return $natrules;
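Review bot: The rewritten NAT rules name the interface as a bare word (`rdr on lan …`, `rdr on wan …`), which pf resolves as an interface or interface-group name, whereas a pf macro is referenced with a leading dollar sign; the hunk at 1287 in this same commit emits `"on (\$" . $interface . ") "`, i.e. `on ($wan)`, so the two spellings only agree if both an interface group and a macro named wan exist. Whether pfSense assigns those group names is not visible here; if `wan`/`lan` are macros defined at the top of the generated ruleset, these lines should read `rdr on $lan …` / `rdr on $wan …`, and since pf accepts `on` with an interface name that does not exist, a mis-spelled `block` rule would load cleanly and simply never match. The same bare-word form recurs in the hunks at 846, 855, 936, 957, 1036, 1051, 1065, 1088, 1102 and 1521; a `pfctl -nf` dry run of the generated rules file settles which spelling is right. filter_nat_rules_generate's body continues outside these hunks.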
@@ -936,8 +936,8 @@ function filter_rules_generate() {
 /* if squid is installed, lets install its rule */
 $squid_installed = run_command_return_string("/bin/ls /var/db/pkg/ | grep squid");
 if ($squid_installed <> "") {
- $ipfrules .= "pass in quick on " . $lanif . " inet proto tcp from any to 127.0.0.1 port 3128 keep state label \"transparent proxy\"\n";
- $ipfrules .= "pass out quick on " . $wanif . " inet proto tcp from any to any port www keep state label \"transparent proxy\"\n";
+ $ipfrules .= "pass in quick on lan inet proto tcp from any to 127.0.0.1 port 3128 keep state label \"transparent proxy\"\n";
+ $ipfrules .= "pass out quick on wan inet proto tcp from any to any port www keep state label \"transparent proxy\"\n";
 }
 $ipfrules .= create_firewall_outgoing_rules_to_itself();
@@ -946,8 +946,8 @@ function filter_rules_generate() {
 # loopback
 anchor "loopback"
-pass in quick on lo0 all label "pass loopback"
-pass out quick on lo0 all label "pass loopback"
+pass in quick on (lo0) all label "pass loopback"
+pass out quick on (lo0) all label "pass loopback"
 # package manager early specific hook
 anchor "packageearly"
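Review bot: `pass in quick on (lo0) …` puts parentheses around the interface in the `on` position, but pf.conf documents the parenthesized form for the address position (`from (lo0)`), where it makes pf track the interface's addresses dynamically; I am not certain pfctl's grammar accepts it after `on`, and if it does not, the generated ruleset fails to load as a whole, typically leaving the previous ruleset in place. The same `on (…)` form is introduced by the hunks at 975, 1022, 1115, 1272, 1287 and 1584. Please confirm with `pfctl -nf` against a generated rules file before merging; if the intent is only to name the interface, the pre-change `pass in quick on lo0 all label "pass loopback"` is the documented form. filter_rules_generate's body continues outside the hunk.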
@@ -957,14 +957,14 @@ anchor "carp"
 # enable ftp-proxy
 anchor "ftpproxy"
-pass in quick on $wanif inet proto tcp from port 20 to ($wanif) user proxy flags S/SA keep state
-pass in quick on $wanif inet proto tcp from any to $wanif port > 49000 user proxy keep state
+pass in quick on wan inet proto tcp from port 20 to wan user proxy flags S/SA keep state
+pass in quick on wan inet proto tcp from any to wan port > 49000 user proxy keep state
 # allow access to DHCP server on LAN
 anchor "dhcpserverlan"
-pass in quick on $lanif proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
-pass in quick on $lanif proto udp from any port = 68 to $lanip port = 67 label "allow access to DHCP server on LAN"
-pass out quick on $lanif proto udp from $lanip port = 67 to any port = 68 label "allow access to DHCP server on LAN"
+pass in quick on lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
+pass in quick on lan proto udp from any port = 68 to $lanip port = 67 label "allow access to DHCP server on LAN"
+pass out quick on lan proto udp from $lanip port = 67 to any port = 68 label "allow access to DHCP server on LAN"
 EOD;
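Review bot: The first ftp-proxy rule changes its destination from `to ($wanif)` to `to wan`, dropping the parentheses, so unlike the other rewrites in this commit it alters what the rule matches rather than only how the interface is spelled. In an address position pf expands an interface (or group) name to that interface's addresses when the ruleset is loaded, while the parenthesized form follows later address changes, so on a WAN addressed by DHCP or PPPoE the proxy's data-connection rule would stop matching after the first lease change or reconnect until the rules are regenerated. Keeping the dynamic form, `pass in quick on wan inet proto tcp from port 20 to (wan) user proxy flags S/SA keep state` (or `to ($wan)` if wan is a macro), preserves the old behavior. The heredoc containing these lines begins outside the hunk.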
@@ -975,10 +975,10 @@ EOD;
 # allow access to DHCP server on {$on}
 anchor "dhcpserver"
-pass in quick on {$oc['if']} proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
-pass in quick on {$oc['if']} proto udp from any port = 68 to {$oc['ip']} port = 67 label "allow access to DHCP server"
-pass out quick on {$oc['if']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
-pass out on {$oc['if']} proto icmp from any to any keep state label "allow access to DHCP server"
+pass in quick on ({$oc['if']}) proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
+pass in quick on ({$oc['if']}) proto udp from any port = 68 to {$oc['ip']} port = 67 label "allow access to DHCP server"
+pass out quick on ({$oc['if']}) proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
+pass out on ({$oc['if']}) proto icmp from any to any keep state label "allow access to DHCP server"
 EOD;
 }
@@ -1022,10 +1022,10 @@ EOD;
 if ($sa) {
 $ipfrules .= <<<EOD
 anchor "staticrouted"
-pass in quick on {$if} from {$sa}/{$sn} to {$route['network']} label "pass traffic between statically routed subnets"
-pass in quick on {$if} from {$route['network']} to {$sa}/{$sn} label "pass traffic between statically routed subnets"
-pass out quick on {$if} from {$sa}/{$sn} to {$route['network']} label "pass traffic between statically routed subnets"
-pass out quick on {$if} from {$route['network']} to {$sa}/{$sn} label "pass traffic between statically routed subnets"
+pass in quick on ({$if}) from {$sa}/{$sn} to {$route['network']} label "pass traffic between statically routed subnets"
+pass in quick on ({$if}) from {$route['network']} to {$sa}/{$sn} label "pass traffic between statically routed subnets"
+pass out quick on ({$if}) from {$sa}/{$sn} to {$route['network']} label "pass traffic between statically routed subnets"
+pass out quick on ({$if}) from {$route['network']} to {$sa}/{$sn} label "pass traffic between statically routed subnets"
 EOD;
 }
@@ -1036,13 +1036,13 @@ EOD;
 # WAN spoof check
 anchor "wanspoof"
-block in $log quick on $wanif from $lansa/$lansn to any label "WAN spoof check"
+block in $log quick on wan from $lansa/$lansn to any label "WAN spoof check"
 EOD;
 foreach ($optcfg as $oc) {
 if (!$oc['bridge'])
- $ipfrules .= "block in $log quick on $wanif from {$oc['sa']}/{$oc['sn']} to any label \"interface spoof check\"\n";
+ $ipfrules .= "block in $log quick on wan from {$oc['sa']}/{$oc['sn']} to any label \"interface spoof check\"\n";
 }
 /* allow PPTP traffic if PPTP client is enabled on WAN */
@@ -1051,10 +1051,10 @@ EOD;
 # allow PPTP client
 anchor "pptpclient"
-pass in quick on {$wancfg['if']} proto gre from any to any keep state label "allow PPTP client"
-pass out quick on {$wancfg['if']} proto gre from any to any keep state label "allow PPTP client"
-pass in quick on {$wancfg['if']} proto tcp from any port = 1723 to any keep state label "allow PPTP client"
-pass out quick on {$wancfg['if']} proto tcp from any to any port = 1723 keep state label "allow PPTP client"
+pass in quick on wan proto gre from any to any keep state label "allow PPTP client"
+pass out quick on wan proto gre from any to any keep state label "allow PPTP client"
+pass in quick on wan proto tcp from any port = 1723 to any keep state label "allow PPTP client"
+pass out quick on wan proto tcp from any to any port = 1723 keep state label "allow PPTP client"
 EOD;
 }
@@ -1065,9 +1065,9 @@ EOD;
 # XXX - should be more restrictive
 # (not possible at the moment - need 'me' like in ipfw)
 anchor "wandhcp"
-pass out quick on $wanif proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
-block in $log quick on $wanif proto udp from any port = 67 to $lansa/$lansn port = 68 label "allow dhcp client out wan"
-pass in quick on $wanif proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
+pass out quick on wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
+block in $log quick on wan proto udp from any port = 67 to $lansa/$lansn port = 68 label "allow dhcp client out wan"
+pass in quick on wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
 # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
@@ -1088,10 +1088,10 @@ EOD;
 # block anything from private networks on WAN interface
 anchor "spoofing"
-block in $log quick on $wanif from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
-block in $log quick on $wanif from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
-block in $log quick on $wanif from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
-block in $log quick on $wanif from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
+block in $log quick on wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
+block in $log quick on wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
+block in $log quick on wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
+block in $log quick on wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
 EOD;
@@ -1102,7 +1102,7 @@ EOD;
 # let out anything from the firewall host itself and decrypted IPsec traffic
-pass out quick on $wanif all keep state label "let out anything from firewall host itself"
+pass out quick on wan all keep state label "let out anything from firewall host itself"
 EOD;
@@ -1115,7 +1115,7 @@ EOD;
 # let out anything from the firewall host itself and decrypted IPsec traffic
-pass out quick on {$oc['if']} all keep state label "let out anything from firewall host itself"
+pass out quick on ({$oc['if']}) all keep state label "let out anything from firewall host itself"
 EOD;
@@ -1272,7 +1272,7 @@ EOD;
 $line .= "quick ";
 if ($ispptp) {
- $line .= "on ng" . ($iif+1) . " ";
+ $line .= "on (ng" . ($iif+1) . ") ";
 } else {
 // translate wan, man, lan, opt to real interface.
 $interface = $rule['interface'];
@@ -1287,7 +1287,7 @@ EOD;
 $canadd = 1;
 }
 if($canadd == 0)
- $line .= "on \$" . $interface . " ";
+ $line .= "on (\$" . $interface . ") ";
 }
 if (isset($rule['protocol'])) {
@@ -1521,17 +1521,17 @@ EOD;
 if(is_array($config['ipsec']['tunnel'])) {
 foreach ($config['ipsec']['tunnel'] as $tunnel) {
 $remote_gateway = $tunnel['remote-gateway'];
- $ipfrules .= "pass quick on " . $wanif . " proto udp from " . $wan_ip . " to " . $remote_gateway . " port = 500 keep state label \"IPSEC: ". $tunnel['descr'] ." udp\"\n";
- $ipfrules .= "pass quick on " . $wanif . " proto udp from " . $remote_gateway . " to " . $wan_ip . " port = 500 keep state label \"". $tunnel['descr'] ." udp\"\n";
+ $ipfrules .= "pass quick on wan proto udp from " . $wan_ip . " to " . $remote_gateway . " port = 500 keep state label \"IPSEC: ". $tunnel['descr'] ." udp\"\n";
+ $ipfrules .= "pass quick on wan proto udp from " . $remote_gateway . " to " . $wan_ip . " port = 500 keep state label \"". $tunnel['descr'] ." udp\"\n";
- $ipfrules .= "pass quick on " . $wanif . " proto esp from " . $wan_ip . " to " . $remote_gateway . " keep state label \"IPSEC: ". $tunnel['descr'] ." esp proto\"\n";
- $ipfrules .= "pass quick on " . $wanif . " proto esp from " . $remote_gateway . " to " . $wan_ip . " keep state label \"IPSEC: ". $tunnel['descr'] ." esp proto\"\n";
+ $ipfrules .= "pass quick on wan proto esp from " . $wan_ip . " to " . $remote_gateway . " keep state label \"IPSEC: ". $tunnel['descr'] ." esp proto\"\n";
+ $ipfrules .= "pass quick on wan proto esp from " . $remote_gateway . " to " . $wan_ip . " keep state label \"IPSEC: ". $tunnel['descr'] ." esp proto\"\n";
- $ipfrules .= "pass quick on " . $wanif . " proto ah from " . $wan_ip . " to " . $remote_gateway . " keep state label \"IPSEC: ". $tunnel['descr'] ." ah proto\"\n";
- $ipfrules .= "pass quick on " . $wanif . " proto ah from " . $remote_gateway . " to " . $wan_ip . " keep state label \"IPSEC: ". $tunnel['descr'] ." ah proto\"\n";
+ $ipfrules .= "pass quick on wan proto ah from " . $wan_ip . " to " . $remote_gateway . " keep state label \"IPSEC: ". $tunnel['descr'] ." ah proto\"\n";
+ $ipfrules .= "pass quick on wan proto ah from " . $remote_gateway . " to " . $wan_ip . " keep state label \"IPSEC: ". $tunnel['descr'] ." ah proto\"\n";
- $ipfrules .= "pass quick on " . $lanif . " from " . $tunnel['remote-subnet'] . " to " . $internal_subnet . " keep state label \"IPSEC: " . $tunnel['descr'] ."\"\n";
- $ipfrules .= "pass quick on " . $lanif . " from " . $internal_subnet . " to " . $tunnel['remote-subnet'] . " keep state label \"IPSEC: " . $tunnel['descr'] ."\"\n";
+ $ipfrules .= "pass quick on lan from " . $tunnel['remote-subnet'] . " to " . $internal_subnet . " keep state label \"IPSEC: " . $tunnel['descr'] ."\"\n";
+ $ipfrules .= "pass quick on lan from " . $internal_subnet . " to " . $tunnel['remote-subnet'] . " keep state label \"IPSEC: " . $tunnel['descr'] ."\"\n";
 }
 }
@@ -1584,11 +1584,11 @@ function create_firewall_outgoing_rules_to_itself() {
 }
 foreach ($ifdescrs as $ifdescr => $ifname) {
 $int = filter_translate_type_to_real_interface($ifname);
- $rule .="pass out quick on {$int} inet from any to any keep state\n";
+ $rule .="pass out quick on ({$int}) inet from any to any keep state\n";
 /* XXX - billm: temp fix for pppoe, needs better fix */
 if ($config['interfaces'][$ifname]['ipaddr'] == "pppoe")
 $int = "ng0";
- $rule .="pass out quick on {$int} inet from {$int} to any keep state\n";
+ $rule .="pass out quick on ({$int}) inet from ({$int}) to any keep state\n";
 }
 return $rule;
 } |
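Review bot: The rewritten IPsec lines still splice `$tunnel['descr']` verbatim into a double-quoted pf `label`; because the value comes from the saved configuration, a description containing a double quote or a line break ends the label early and either corrupts the rule or makes pfctl reject the whole ruleset, and pf also enforces a fixed maximum label length (PF_RULE_LABEL_SIZE, 64 bytes in the pf sources I know), so an over-long description is another way for the ruleset load to fail. Whether the description, `remote-gateway` and `remote-subnet` are validated when the tunnel is saved is not visible here, so filtering the free-text field at the point of use is cheap: add `$descr = preg_replace('/[^A-Za-z0-9 ._-]/', '', $tunnel['descr']);` once at the top of the loop body and use `$descr` in the eight label strings. The enclosing `if`/`foreach` close inside the hunk, but the function around them starts outside it.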