Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | remove old DISABLE_PHP_LINT_CHECKING, which dates way back to the CVS days and hasn't been relevant in years. | Chris Buechler | 2014-11-04 | 1 | -1/+0 |
* | block IPv4 link-local. Per RFC 3927, hosts "MUST NOT send the packet to any router for forwarding", and "any network device receiving such a packet MUST NOT forward it". FreeBSD won't route it (route-to can override in some circumstances), so it can't be in use as a real network anywhere with the possible exception of local-only networks. Unlikely any such situation exists anywhere. Fixes ticket #2073 | Chris Buechler | 2014-10-14 | 1 | -0/+5 |
* | Fix pf syntax s/divert/divert-to/. It should fix #3921 | Renato Botelho | 2014-10-10 | 1 | -1/+1 |
| | |||||
* | Fix not rules for OPTn network case | Phil Davis | 2014-10-06 | 1 | -10/+7 |
| | | | | | | Reported in forum https://forum.pfsense.org/index.php?topic=82319.0 The "if (is_subnet($src)) ... filter_address_add_vips_subnets" code needs to go outside all of the if that checks for opt interfaces (not just in the else part). That makes filter_address_add_vips_subnets get called in all cases, including when optn network is specified. (line 2264, 2265) Then filter_address_add_vips_subnets needs to process the "not" code early, before checking if there are any VIPs (which was causing the routine to exit early in simple cases) - lines 2093-2100 chunk. This should also fix cases of using "LANnet", "WANnet" and "not" in rules on an interface that has just a plain address (no VIPs). Lines 2144 and 2158 are no functional change. The formatting of the multi-line statement was odd, so I put it back all on 1 line. | ||||
* | get back to our standard RFC-defined capitalization of IPsec | Chris Buechler | 2014-10-02 | 1 | -2/+2 |
| | |||||
* | Change is_port() to only validate a single port, we have is_portrange() for specific cases. Make necessary adjustments after checking all is_port() calls. It fixes #3857 | Renato Botelho | 2014-09-10 | 1 | -1/+1 |
* | As pointed out by Ermal, VIPs should go first in the list since NAT is first match. Ticket #983 | Renato Botelho | 2014-09-09 | 1 | -2/+2 |
* | Take virtual IPs into consideration for automatic outbound NAT rules, it should now fix #983 | Renato Botelho | 2014-08-22 | 1 | -0/+18 |
* | Remove double defined 'localhost' on the list of networks to create outbound NAT rules. It should fix #3800 | Renato Botelho | 2014-08-11 | 1 | -1/+1 |
* | Do not create automatic outbound NAT rule for disabled openvpn servers and clients | Renato Botelho | 2014-08-11 | 1 | -2/+2 |
* | Fix #983 - Add IP aliases subnets to interface subnet macro on GUI, since I'm here also fix not rules for PPTP clients macro. | Renato Botelho | 2014-07-22 | 1 | -6/+52 |
* | Convert almost all /sbin/sysctl calls to php functions | Renato Botelho | 2014-07-07 | 1 | -8/+10 |
| | |||||
* | Fix dscp values and provide a config upgrade to fix values stored in config.xml. This is a proper fix for #3688 | Renato Botelho | 2014-06-24 | 1 | -1/+1 |
* | Merge pull request #1239 from phil-davis/patch-9 | jim-p | 2014-06-20 | 1 | -1/+1 |
|\ | |||||
| * | Only include a scheduled rule if it is strictly before the end time | Phil Davis | 2014-06-19 | 1 | -1/+1 |
| | | | | | | The exact moment of the end time is the end of the schedule. We do not want to include a rule when filter_configure_sync wakes up at 00:15:00 etc and is on a not-slow system that processes this code during the interval 00:15:00 to 00:15:01. This should help intermittent issues with schedules not finishing at the appropriate 15-minute boundary. Might help or fix #3558 | ||||
* | | Remove extra data after space and fix pf rule syntax. It should fix #3688 | Renato Botelho | 2014-06-20 | 1 | -1/+1 |
| | | |||||
* | | Replace some backticks by exec and simplify commands | Renato Botelho | 2014-06-19 | 1 | -1/+1 |
|/ | |||||
* | Make logging of pass rules opt-in rather than opt-out | Ermal | 2014-05-27 | 1 | -1/+1 |
| | |||||
* | Split the setting of logging pass and block into 2 separate settings. Maybe this can be extended to control even the user rules? | Ermal | 2014-05-27 | 1 | -92/+93 |
* | Add (self) keyword for specifying "any IP address on this firewall" as a rule choice. | jim-p | 2014-05-23 | 1 | -0/+6 |
* | Expose all p0f OS types that it supports so that subtypes of various Operating Systems can be detected | jim-p | 2014-04-29 | 1 | -1/+1 |
* | check gateway for IPv6 also for reply-to rules. | PiBa-NL | 2014-04-19 | 1 | -1/+1 |
| | |||||
* | Switch over to filterlog sooner than later | Ermal | 2014-04-14 | 1 | -13/+3 |
| | |||||
* | Use proper variable name for the interface | Ermal | 2014-03-28 | 1 | -1/+1 |
| | |||||
* | Log everything when selected to do so | Ermal | 2014-03-26 | 1 | -93/+93 |
| | |||||
* | Correct the generation of antispoof rules with tracker. Also honor the log directive. While here remove a duplicate antispoof declaration further down | Ermal | 2014-03-26 | 1 | -4/+3 |
* | Give each rule hardcoded on the ruleset a tracker so log entries give up proper results there | Ermal | 2014-03-26 | 1 | -103/+183 |
* | Do not garble the error logging message | Ermal | 2014-03-20 | 1 | -3/+4 |
| | |||||
* | Try to restore last working ruleset rather than staying without configuration at all | Ermal | 2014-03-20 | 1 | -6/+11 |
* | Disable default allow incoming rules for 6to4 and 6rd interfaces. This rule unintentionally allows all services on the interface to be reachable and maybe more! | Ermal | 2014-03-17 | 1 | -2/+4 |
* | Only add dhcpv6 client allow rules if ipv6allow is set | Renato Botelho | 2014-02-18 | 1 | -1/+1 |
| | |||||
* | Move 'allow dhcpv6 client' rules above block bogonsv6 ones, it should fix #3395 | Renato Botelho | 2014-02-18 | 1 | -15/+18 |
| | |||||
* | Merge pull request #891 from PiBa-NL/captive_disable | Renato Botelho | 2014-02-18 | 1 | -0/+2 |
|\ | | | | | captive portal, don't generate rules for a disabled portal | ||||
| * | captive portal, don't generate rules for disabled portal | PiBa-NL | 2014-01-25 | 1 | -0/+2 |
| | | |||||
* | | Move this global declaration to the proper file rather than backend code | Ermal | 2014-02-17 | 1 | -12/+0 |
| | | |||||
* | | fix syntax | Renato Botelho | 2014-01-02 | 1 | -1/+1 |
| | | |||||
* | | Generate a tracker id for the filter rules for now. Maybe for nat rules as well? | Ermal | 2013-12-31 | 1 | -2/+5 |
| | | |||||
* | | Use _vip as identifier for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded. | Ermal | 2013-12-06 | 1 | -1/+4 |
* | | Load only the options and nothing else | Ermal | 2013-12-06 | 1 | -1/+1 |
| | | |||||
* | | Remove 0.0.0.0 from automatic outbound nat rules | Renato Botelho | 2013-11-28 | 1 | -1/+1 |
| | | |||||
* | | Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code | Ermal | 2013-11-28 | 1 | -5/+1 |
* | | fix 0.0.0.0 subnet for automatic outbound NAT rules, fixes #2416 | Renato Botelho | 2013-11-26 | 1 | -1/+1 |
| | | |||||
* | | Fix #3331. Set interface subnet as destination when VIP is in the same subnet, otherwise use VIP subnet instead of IP address | Renato Botelho | 2013-11-21 | 1 | -1/+4 |
* | | FreeBSD 10 pf does not have a limit for table entries | Ermal | 2013-11-21 | 1 | -3/+0 |
| | | |||||
* | | Add gettext() to recently added strings | Renato Botelho | 2013-11-18 | 1 | -9/+9 |
| | | |||||
* | | Add an option to return outbound NAT automatic to nat hosts with description, ticket #2416 | Renato Botelho | 2013-11-18 | 1 | -11/+41 |
* | | Add subnet to 0.0.0.0 otherwise it's not added to table, ticket #2416 | Renato Botelho | 2013-11-18 | 1 | -1/+1 |
| | | |||||
* | | Make sure automatic rules are created even if mode is not set, ticket #2416 | Renato Botelho | 2013-11-18 | 1 | -1/+3 |
| | | |||||
* | | Split automatic to nat hosts fill into a function to be able to call it from other place, ticket #2416 | Renato Botelho | 2013-11-14 | 1 | -95/+132 |
* | | Remove unused variables and fix automatic nat to alias-address | Renato Botelho | 2013-11-14 | 1 | -5/+1 |
| | |