path: root/etc/inc/filter.inc
Commit message (Author, Age, Files, Lines removed/added)
* remove old DISABLE_PHP_LINT_CHECKING, which dates way back to the CVS days and hasn't been relevant in years. (Chris Buechler, 2014-11-04, 1 file, -1/+0)
|
* block IPv4 link-local. (Chris Buechler, 2014-10-14, 1 file, -0/+5)
| Per RFC 3927, hosts "MUST NOT send the packet to any router for forwarding", and "any network device receiving such a packet MUST NOT forward it". FreeBSD won't route it (route-to can override in some circumstances), so it can't be in use as a real network anywhere with the possible exception of local-only networks. Unlikely any such situation exists anywhere. Fixes ticket #2073
|
* Fix pf syntax s/divert/divert-to/. It should fix #3921 (Renato Botelho, 2014-10-10, 1 file, -1/+1)
|
* Fix not rules for OPTn network case (Phil Davis, 2014-10-06, 1 file, -10/+7)
| Reported in forum https://forum.pfsense.org/index.php?topic=82319.0
| The "if (is_subnet($src)) ... filter_address_add_vips_subnets" code needs to go outside all of the if that checks for opt interfaces (not just in the else part). That makes filter_address_add_vips_subnets get called in all cases, including when optn network is specified. (line 2264, 2265)
| Then filter_address_add_vips_subnets needs to process the "not" code early, before checking if there are any VIPs (which was causing the routine to exit early in simple cases) - lines 2093-2100 chunk.
| This should also fix cases of using "LANnet", "WANnet" and "not" in rules on an interface that has just a plain address (no VIPs).
| Lines 2144 and 2158 are no functional change. The formatting of the multi-line statement was odd, so I put it back all on 1 line.
|
* get back to our standard RFC-defined capitalization of IPsec (Chris Buechler, 2014-10-02, 1 file, -2/+2)
|
* Change is_port() to only validate a single port, we have is_portrange() for specific cases. Make necessary adjustments after checking all is_port() calls. It fixes #3857 (Renato Botelho, 2014-09-10, 1 file, -1/+1)
|
* As pointed out by Ermal, VIPs should go first in the list since NAT is first match. Ticket #983 (Renato Botelho, 2014-09-09, 1 file, -2/+2)
|
* Take virtual IPs into consideration for automatic outbound NAT rules, it should now fix #983 (Renato Botelho, 2014-08-22, 1 file, -0/+18)
|
* Remove double defined 'localhost' on the list of networks to create outbound NAT rules. It should fix #3800 (Renato Botelho, 2014-08-11, 1 file, -1/+1)
|
* Do not create automatic outbound NAT rule for disabled openvpn servers and clients (Renato Botelho, 2014-08-11, 1 file, -2/+2)
|
* Fix #983 - Add IP aliases subnets to interface subnet macro on GUI, since I'm here also fix not rules for PPTP clients macro. (Renato Botelho, 2014-07-22, 1 file, -6/+52)
|
* Convert almost all /sbin/sysctl calls to php functions (Renato Botelho, 2014-07-07, 1 file, -8/+10)
|
* Fix dscp values and provide a config upgrade to fix values stored in config.xml. This is a proper fix for #3688 (Renato Botelho, 2014-06-24, 1 file, -1/+1)
|
* Merge pull request #1239 from phil-davis/patch-9 (jim-p, 2014-06-20, 1 file, -1/+1)
|\
| * Only include a scheduled rule if it is strictly before the end time (Phil Davis, 2014-06-19, 1 file, -1/+1)
| | The exact moment of the end time is the end of the schedule. We do not want to include a rule when filter_configure_sync wakes up at 00:15:00 etc and is on a not-slow system that processes this code during the interval 00:15:00 to 00:15:01. This should help intermittent issues with schedules not finishing at the appropriate 15-minute boundary. Might help or fix #3558
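The boundary case this commit message describes, as an added illustration by the editor; it is not code from pfSense's filter.inc (which is PHP). The function names, the minute-granular truncation of the wall clock and the sample schedules are assumptions made here, chosen to show why a half-open window (start <= now < end) avoids re-installing a rule when the sync runs at exactly the end minute.

```python
"""Schedule windows as half-open intervals: a rule is active while
start <= now < end. Added illustration; not code from pfSense's filter.inc
(which is PHP). Function names and sample schedules are assumptions."""
from datetime import time


def in_window(now: time, start: time, end: time) -> bool:
    """Strict upper bound: the end instant is already outside the window,
    so a sync that wakes at 00:15:00 for a window ending 00:15 sees the
    schedule as finished."""
    return start <= now < end


def in_window_inclusive(now: time, start: time, end: time) -> bool:
    """The off-by-one variant: the end instant still counts as active."""
    return start <= now <= end


# Constructed sample schedules (assumption): name -> (start, end),
# same-day windows only, minute granularity like an HH:MM picker.
SAMPLE_SCHEDULES = {
    "night_maintenance": (time(0, 0), time(0, 15)),
    "office_hours": (time(8, 0), time(17, 0)),
}


def parse_clock(text: str) -> time:
    """Parse a constructed 'HH:MM[:SS[.ffffff]]' wall-clock string."""
    return time.fromisoformat(text)


def rules_at(clock: str, inclusive: bool = False, schedules=SAMPLE_SCHEDULES) -> list:
    """Names of schedules whose rules should be in the ruleset at `clock`.

    The clock is truncated to the minute before comparison (assumption:
    schedule times are minute-granular), which is exactly why the inclusive
    check misfires anywhere inside the end minute, e.g. at 00:15:00.3.
    """
    now = parse_clock(clock).replace(second=0, microsecond=0)
    check = in_window_inclusive if inclusive else in_window
    return [name for name, (start, end) in schedules.items()
            if check(now, start, end)]


if __name__ == "__main__":
    # A sync waking 300 ms after the 00:15 boundary.
    print(rules_at("00:15:00.300000"))                  # strict: []
    print(rules_at("00:15:00.300000", inclusive=True))  # inclusive: ['night_maintenance']
```

The strict form makes each window [start, end), so consecutive windows such as 00:00-00:15 and 00:15-00:30 hand over cleanly with no minute in which both, or neither, are active.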
* | Remove extra data after space and fix pf rule syntax. It should fix #3688 (Renato Botelho, 2014-06-20, 1 file, -1/+1)
| |
* | Replace some backticks by exec and simplify commands (Renato Botelho, 2014-06-19, 1 file, -1/+1)
|/
* Make logging of pass rules opt-in rather than opt-out (Ermal, 2014-05-27, 1 file, -1/+1)
|
* Split the setting of logging pass and block into 2 separate settings. Maybe this can be extended to control even the user rules? (Ermal, 2014-05-27, 1 file, -92/+93)
|
* Add (self) keyword for specifying "any IP address on this firewall" as a rule choice. (jim-p, 2014-05-23, 1 file, -0/+6)
|
* Expose all p0f OS types that it supports so that subtypes of various Operating Systems can be detected (jim-p, 2014-04-29, 1 file, -1/+1)
|
* check gateway for IPv6 also for reply-to rules. (PiBa-NL, 2014-04-19, 1 file, -1/+1)
|
* Switch over to filterlog sooner than later (Ermal, 2014-04-14, 1 file, -13/+3)
|
* Use proper variable name for the interface (Ermal, 2014-03-28, 1 file, -1/+1)
|
* Log everything when selected to do so (Ermal, 2014-03-26, 1 file, -93/+93)
|
* Correct the generation of antispoof rules with tracker. Also honor the log directive. While here remove a duplicate antispoof declaration further down (Ermal, 2014-03-26, 1 file, -4/+3)
|
* Give each rule hardcoded on the ruleset a tracker so log entries give up proper results there (Ermal, 2014-03-26, 1 file, -103/+183)
|
* Do not garble the error logging message (Ermal, 2014-03-20, 1 file, -3/+4)
|
* Try to restore last working ruleset rather than staying without configuration at all (Ermal, 2014-03-20, 1 file, -6/+11)
|
* Disable default allow incoming rules for 6to4 and 6rd interfaces. This rule unintentionally allows all services on the interface to be reachable and maybe more! (Ermal, 2014-03-17, 1 file, -2/+4)
|
* Only add dhcpv6 client allow rules if ipv6allow is set (Renato Botelho, 2014-02-18, 1 file, -1/+1)
|
* Move 'allow dhcpv6 client' rules above block bogonsv6 ones, it should fix #3395 (Renato Botelho, 2014-02-18, 1 file, -15/+18)
|
* Merge pull request #891 from PiBa-NL/captive_disable (Renato Botelho, 2014-02-18, 1 file, -0/+2)
|\
| | captive portal, don't generate rules for a disabled portal
| * captive portal, don't generate rules for disabled portal (PiBa-NL, 2014-01-25, 1 file, -0/+2)
| |
* | Move this global declaration to the proper file rather than backend code (Ermal, 2014-02-17, 1 file, -12/+0)
| |
* | fix syntax (Renato Botelho, 2014-01-02, 1 file, -1/+1)
| |
* | Generate a tracker id for the filter rules for now. Maybe for nat rules as well? (Ermal, 2013-12-31, 1 file, -2/+5)
| |
* | Use _vip as identifier for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded. (Ermal, 2013-12-06, 1 file, -1/+4)
| |
* | Load only the options and nothing else (Ermal, 2013-12-06, 1 file, -1/+1)
| |
* | Remove 0.0.0.0 from automatic outbound nat rules (Renato Botelho, 2013-11-28, 1 file, -1/+1)
| |
* | Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code (Ermal, 2013-11-28, 1 file, -5/+1)
| |
* | fix 0.0.0.0 subnet for automatic outbound NAT rules, fixes #2416 (Renato Botelho, 2013-11-26, 1 file, -1/+1)
| |
* | Fix #3331. Set interface subnet as destination when VIP is in the same subnet, otherwise use VIP subnet instead of IP address (Renato Botelho, 2013-11-21, 1 file, -1/+4)
| |
* | FreeBSD 10 pf does not have a limit for table entries (Ermal, 2013-11-21, 1 file, -3/+0)
| |
* | Add gettext() to recently added strings (Renato Botelho, 2013-11-18, 1 file, -9/+9)
| |
* | Add an option to return outbound NAT automatic to nat hosts with description, ticket #2416 (Renato Botelho, 2013-11-18, 1 file, -11/+41)
| |
* | Add subnet to 0.0.0.0 otherwise it's not added to table, ticket #2416 (Renato Botelho, 2013-11-18, 1 file, -1/+1)
| |
* | Make sure automatic rules are created even if mode is not set, ticket #2416 (Renato Botelho, 2013-11-18, 1 file, -1/+3)
| |
* | Split automatic to nat hosts fill into a function to be able to call it from other place, ticket #2416 (Renato Botelho, 2013-11-14, 1 file, -95/+132)
| |
* | Remove unused variables and fix automatic nat to alias-address (Renato Botelho, 2013-11-14, 1 file, -5/+1)
| |