path: root/etc/inc/filter.inc
Commit message | Author | Age | Files | Lines
* Revert to previous version it was incorrectly patched. | Ermal Luçi | 2008-07-22 | 1 | -2/+1
* Create rules for dummynet properly and add support on filter rule generation for differentiating between pipes and queues. | Ermal Luçi | 2008-07-16 | 1 | -3/+18
* Foreach only if it is an array to be on the safe side. | Ermal Luçi | 2008-07-16 | 1 | -1/+2
* Fix some bugs and provide small style(9) to shaper.inc | Ermal Luçi | 2008-07-16 | 1 | -26/+20
* Log Error to system logs when we don't have any gateway available | Seth Mos | 2008-07-16 | 1 | -0/+1
* If somehow all members are marked, proceed with the configured XML settings | Seth Mos | 2008-07-16 | 1 | -1/+12
* * Merge multiple PPPoE/PPTP interfaces from RELENG_1_MULTI_ANYTHING | Ermal Luçi | 2008-07-14 | 1 | -1614/+1041
    * Much improved rule generation speed
    * Many bug fixing in general of the interface handling
    NOTE: this is only half part of the changes the other half will come after
* * Start inetd regardless if nat entries exist due to tftp proxy needing it. | Scott Ullrich | 2008-07-14 | 1 | -15/+16
* Introduce a new and improved version of IPsec mobile client support. | Matthew Grooms | 2008-07-13 | 1 | -18/+29
    The mobile client tab is now used to configure user authentication (Xauth) and client configuration (mode-cfg) options. User authentication is currently limited to system password file entries. This will be extended to support external RADIUS and LDAP account DBs in a follow up commit.
* Do not build unparsable rulesets to avoid rule errors. | Ermal Luçi | 2008-07-12 | 1 | -3/+7
* Overhaul IPsec related code. | Matthew Grooms | 2008-07-11 | 1 | -103/+140
    Shared functions have been consolidated into a new file named /etc/ipsec.inc. Tunnel definitions have been split into phase1 and phase2. This allows any number of phase2 definitions to be created for a single phase1 definition. Several facets of configuration have also been improved. The key size for variable length algorithms can now be selected and the phase1 ID options have been extended to allow for more flexible configuration. Several NAT-T related issues have also been resolved. Please note, IPsec remote access functionality has been temporarily disabled. An improved implementation will be included in a follow up commit.
* Reactivate the rdr so the pptp server works normally now that pptp workaround is disabled. | Ermal Luçi | 2008-07-09 | 1 | -1/+1
* Commit missed pftpx -> ftp-proxy entries | Scott Ullrich | 2008-07-09 | 1 | -2/+2
* Fixup for now utterly complex/braindead interface finding for user rules till the merge of the RELENG_1_MULTI_ANYTHING happens. | Ermal Luçi | 2008-07-09 | 1 | -2/+3
* Remove slbd anchor from pf rules | Seth Mos | 2008-07-08 | 1 | -2/+1
* Do not generate empty queue fields when the rule queue fields are empty but set. | Seth Mos | 2008-07-05 | 1 | -2/+2
* do not create unparseable rules for VPN behind the scene rules | Seth Mos | 2008-07-02 | 1 | -6/+10
* Fixup VPN interface rule creation after the break the cosmetic change yesterday did. | Ermal Luçi | 2008-06-23 | 1 | -24/+29
* Fix single gateway in both IP address and gateway name format. | Seth Mos | 2008-06-20 | 1 | -9/+14
    Not sure if this works for DHCP yet.
* Fix nat rule creation for optional interfaces. | Ermal Luçi | 2008-06-20 | 1 | -4/+4
* Properly generate natrules with new interface changes. | Ermal Luçi | 2008-06-20 | 1 | -3/+3
* Generate mobile ipsec rules before static ipsec rules. | Seth Mos | 2008-06-20 | 1 | -7/+43
    Do not generate static ipsec rules when mobile is already enabled. Set route-to for outbound and reply-to for inbound traffic. Only generate rules for interfaces with a gateway. .. (do we really need ipsec rules on interfaces without a gateway? .. This might work around the need to set static routes for static ipsec tunnels.
* Reenable this anchor, someone's scripts might rely on it. | Ermal Luçi | 2008-06-18 | 1 | -0/+1
* Remove dead code. | Ermal Luçi | 2008-06-18 | 1 | -51/+0
* Continue interfaces improvements on backend code. | Ermal Luçi | 2008-06-18 | 1 | -83/+67
* Replace slbd gateway pool code with new gateway groups code. | Seth Mos | 2008-06-18 | 1 | -82/+51
    A few FIXME efforts here
    - Tested with static everything.
    - Dynamic interfaces dhcp/pppoe are not tested.
    - Single gateway rules probably don't parse, need testing and adaptation.
* Bring in relayd to perform server load balancing | Bill Marquette | 2008-06-16 | 1 | -0/+5
    Move gateway load balancing code into gwlb.inc - still uses slbd
    TODO: vs and pool status screens are currently broken...and wouldn't work with the gateway pools anyway, ultimately, the gateway pools need to move.
* Correct path for siproxd. | Scott Ullrich | 2008-06-14 | 1 | -4/+4
* Merge better NEGATE rules by building table once and then refer it in the negate rule instead of looping it every rule it applies to. | Seth Mos | 2008-06-14 | 1 | -26/+48
    Also add function that returns locally connected networks.
* trim spaces for proper evaluation. This fixes loadbalancer/gateway rule negation for local and vpn networks | Seth Mos | 2008-06-13 | 1 | -1/+1
* Replace silly vpns list logic | Seth Mos | 2008-06-02 | 1 | -15/+15
    Add subnet checking for robustness
* Missing commits | Scott Ullrich | 2008-05-28 | 1 | -0/+1
* Only enumerate if item is an array. | Scott Ullrich | 2008-05-27 | 1 | -0/+2
* Take into account all DHCP type CarpDEV interfaces. | Scott Ullrich | 2008-05-25 | 1 | -2/+5
    With this change multiple IP addresses can be of the type DHCP on WAN. This is nice because prior it was impossible to run dhclient on WAN to obtain multiple IP addresses. This is much cleaner than the previous proposed ethernet cloning mojo using netgraph.
* CarpDEV-DHCP fixes | Scott Ullrich | 2008-05-25 | 1 | -3/+3
* CarpDEV fixes. It now works!! | Scott Ullrich | 2008-05-25 | 1 | -9/+39
* Update for CarpDEV-DHCP support. | Scott Ullrich | 2008-05-24 | 1 | -3/+3
* Pass description along to generate_optcfg_array callers. | Scott Ullrich | 2008-05-24 | 1 | -1/+2
* Now that we have a solution for PPTP passthrough unbreak other GRE traffic passing through pfSense when PPTP redirecting is active. | Ermal Luçi | 2008-05-21 | 1 | -1/+7
* Ticket #1706 - reply-to shouldn't be tied to opt interfaces only | Bill Marquette | 2008-05-20 | 1 | -2/+2
* Report correct syncing username. | Scott Ullrich | 2008-05-02 | 1 | -5/+7
* Disable these rules altogether with the note that tap(4) devices do not need any special treatment other than get exposed to the GUI of OpenVPN. | Ermal Luçi | 2008-04-23 | 1 | -1/+3
    This will come incrementally. For rules a note would be added to the OpenVPN page as it is currently for PPTP/PPPoE to create filter rules themselves to allow traffic to flow.
    NOTE: This is as a code cleanup as a security fix since it opened people's firewalls under their hood.
* First try to cope with the new ability of mpd to rename its interfaces. | Ermal Luçi | 2008-04-16 | 1 | -3/+6
    This is just a s/ng0/typeof connection0/ for now. The major work should be done to allow all optX and lan to be pppoe or pptp interfaces and take just assign the network interface accordingly. It simplifies a lot of things but this has to be done. This would properly identifying interfaces and not hardcoding names around.
* Change the renaming of openvpn tun devices to ovpnX so netstat copes with the names. | Ermal Luçi | 2008-04-14 | 1 | -1/+1
    Better do this than patch netstat to allow space for IFNAMSIZ in the interface column.
* If gateway isn't an IP (ie. it's in the gateways array), then get the IP | Bill Marquette | 2008-04-08 | 1 | -0/+2
* * Create tun interfaces for openvpn explicitly. | Ermal Luçi | 2008-03-30 | 1 | -72/+7
    * The only downside for now is that we can leak tun devices when tunnels are deleted. The proper fix can be by using devd script on down interface event or use the on down script called by openvpn itself.
    * Rename those to openvpnX names and add them to the openvpn group (to not rely on groups created by FreeBSD automatically).
    * Use group openvpn on filtering for all OpenVPN tunnels.
    * Remove redundant creation of rules for allowing traffic outside of the pfSense itself since pf allows this with a rule without interface specified.
    NOTE: left in place are the TAP interface rules which I do not know if they can be configured for openvpn as of now. There is even a check for tun/openvpn and tap interfaces if they are being used as WAN interfaces to create explicit pass in rules which are questionable if are needed since there are outgoing rules with keep state active which should compensate this. For now leave those untouched.
* FreeBSD 7 has pf 4.1 which for stateless rules needs the "no state" keyword. | Ermal Luçi | 2008-03-27 | 1 | -2/+3
    Make the needed change to make stateless rules be generated correctly. Also there are no advanced options to be generated with this. Fix this regression too.
* Correctly generate Floating rules. | Ermal Luçi | 2008-03-19 | 1 | -2/+2
* Make OpenVPN rules work. | Ermal Luçi | 2008-03-19 | 1 | -0/+5
* If XML Carp configuration sync fails, rerun the sync with setDebug(1). | Scott Ullrich | 2008-03-18 | 1 | -18/+24