path: root/etc/inc/filter.inc

Commit message | Author | Age | Files | Lines

* Move main pfSense content to src/ | Renato Botelho | 2015-08-25 | 1 | -4228/+0

* Merge pull request #1804 from phil-davis/bogons-not-exists | Renato Botelho | 2015-08-03 | 1 | -5/+9
| * Allow creating empty bogons on nanoBSD | Phil Davis | 2015-07-30 | 1 | -5/+9
|   If for some reason the bogons file(s) do not exist then this code creates empty ones before making any use of them in the rule set. On nanoBSD this can fail if the file system is mounted RO. Protect against this possibility by using conf_mount_rw and conf_mount_ro.

* Drop support for jail platform | Renato Botelho | 2015-07-31 | 1 | -3/+1
* Use an alternate method to find VIP targets that should be allowed for Captive Portal. Fixes #4903 | jim-p | 2015-07-29 | 1 | -10/+7

* Fix typo in variable name, spotted by Phil Davis | Renato Botelho | 2015-07-27 | 1 | -1/+1

* Consider url_port alias type when checking port-type aliases V2 | Phil Davis | 2015-07-27 | 1 | -1/+1
  This time I have typed url_ports correctly.

* Merge pull request #1763 from doktornotor/patch-4 | Renato Botelho | 2015-07-18 | 1 | -4/+4
| * Add labels to some default firewall rules | doktornotor | 2015-07-18 | 1 | -4/+4
|   ... so that people can get useful descriptions in the System Logs - Firewall GUI, instead of useless tracker numbers. This is for master branch.

* Really avoid error loading rules for numeric host name in alias | Phil Davis | 2015-07-17 | 1 | -1/+2
  Create a host-type alias. Put just a number in "IP or FQDN" - e.g. I made alias name "Zqw" and a single host "23". The webGUI reports:
  There were error(s) loading the rules: /tmp/rules.debug:44: syntax error - The line in question reads [44]: table <Zqw> { 23 }
  and /tmp/rules.debug has:
  table <Zqw> { 23 }
  Zqw = "<Zqw>"
  which pf does not cope with.

  This change will differentiate between a number in the context of a port alias and a number that is_hostname. This time I think it really works :)

  The call to alias_get_type() needed to send the alias name as parameter. alias_get_type() is a bit expensive - it scans through the whole list of aliases looking for a match on the name. So I made this code just call it once for the name and then use that $alias_type var each time as it loops through all the addresses in an alias.

  I have tried this successfully with a few combinations of nested port/host/network aliases. But maybe there is some wacky combination of nested aliases possible that could still break this? I don't see how, but it needs testing on some configs that have all sorts of nested alias types.

* Revert "Avoid error loading rules for numeric host name in alias" | Renato Botelho | 2015-07-15 | 1 | -1/+1
  This reverts commit 81a73bcba3b3a79bb3a7add2e14a46e6af748f50.

* Avoid error loading rules for numeric host name in alias | Phil Davis | 2015-07-12 | 1 | -1/+1
  Create a host-type alias. Put just a number in "IP or FQDN" - e.g. I made alias name "Zqw" and a single host "23". The webGUI reports:
  There were error(s) loading the rules: /tmp/rules.debug:44: syntax error - The line in question reads [44]: table { 23 }
  and /tmp/rules.debug has:
  table <Zqw> { 23 }
  Zqw = "<Zqw>"
  which pf does not cope with.

  It is possible to have a host name that is a number, and end up with a domain name like 23.mycompany.com - unfortunately some Wally allowed such things in standards many years ago, so it can be rather difficult to tell the difference between a number and a host name.

  This change improves the check when looking through alias entries and deciding if they are meant to be a name or a "bottom-level" value (address, subnet, port, port range). Anything that ends up looking like a host name gets given to filterdns to sort out. "Names" like "23" now get given to filterdns instead of being put directly into the table in pf. This makes things happier. Even if filterdns cannot resolve "23", at least it tries and nothing barfs.
* Add a GUI field to increase the pf frag entries limit. Fixes ticket #4775 | jim-p | 2015-06-18 | 1 | -0/+5

* Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. Fixes #4772 | jim-p | 2015-06-17 | 1 | -1/+3

* Code spacing | Phil Davis | 2015-06-15 | 1 | -1/+1
  and other random stuff I noticed. I think this finishes messing with code style. The codebase should match the developer style guide closely enough that 99.9% of changes will not feel the need to also massage the formatting.

* Fixes #4651 use proper var name on global to have the correct id put on the rule | Ermal LUÇI | 2015-06-07 | 1 | -1/+1

* Code style bits and pieces from etc | Phil Davis | 2015-05-31 | 1 | -21/+22

* Remove artifacts from latin1 to utf8 conversions | Jose Luis Duran | 2015-05-16 | 1 | -1/+1
  String replacement: s/Ermal L.../Ermal Luçi/g

* Ticket #4235 put reply-to/route-to rules even for mobile-ipsec. | Ermal LUÇI | 2015-05-01 | 1 | -5/+4

* Fixes #4651 Assign a proper tracker for NEGATE rules | Ermal LUÇI | 2015-05-01 | 1 | -1/+9

* Skip reflection rdrs where the interface doesn't have an IP. Ticket #4564 | Chris Buechler | 2015-04-09 | 1 | -1/+8

* Allow disabling the APIPA block via hidden config option. Very rarely necessary or desirable, but Amazon VPC VPNs use that as their tunnel subnet with BGP setups. | Chris Buechler | 2015-04-08 | 1 | -2/+8

* Prevent empty addresses from being put in the ruleset. Ticket #4564 | Ermal LUÇI | 2015-04-03 | 1 | -0/+3

* Bug #4566 Only route-to a gateway if it is not force_down | Phil Davis | 2015-03-31 | 1 | -1/+1
  When generating policy-routing rules there was no check if a gateway had force-down set, so a gateway with force_down set would still get policy-routing rules written for it, even if skip_rules_gw_down was enabled.

* Use subnet address in OPT net rules | Phil Davis | 2015-03-14 | 1 | -6/+6
  Example:
  LAN IP 10.0.1.1/24
  OPT1 IP 10.0.2.1/24
  Rules with SRC or DST LANnet correctly have 10.0.0.0/24 (the subnet base address) in /tmp/rules.debug
  Rules with SRC or DST OPT1net have 10.0.2.1/24 (the OPT1 IP address with OPT1 net mask) in /tmp/rules.debug

  It still works (I think) because actually 10.0.2.1/24 and 10.0.2.0/24 interpreted as a subnet still describe the same set of IP addresses, but it looks odd, as reported by: https://forum.pfsense.org/index.php?topic=90096.msg498474#msg498474

  Same issue with IPv6 for OPT1net rules. This fixes the rule generation so that OPT1net uses the base subnet address in the rule, in the same way that LANnet and WANnet do.
* Do not start filterdns during boot until a proper fix is done. Ticket #4296 | Renato Botelho | 2015-03-12 | 1 | -17/+19

* White space in filter.inc | Phil Davis | 2015-03-12 | 1 | -45/+45

* add granular control of state timeouts. Ticket #4509 | Chris Buechler | 2015-03-11 | 1 | -0/+48
  Conflicts: etc/inc/filter.inc

* Leave adaptive.start and end at their defaults (60% and 120% of the state limit, respectively) if not user-overridden. | Chris Buechler | 2015-03-11 | 1 | -3/+1

* Skip any numeric-only aliases in the ruleset to prevent errors from those | Chris Buechler | 2015-03-04 | 1 | -0/+5
  who configured them on previous versions where that was allowed. Ticket

* Code style guide changes for filter.inc 2nd version | Phil Davis | 2015-02-26 | 1 | -760/+1098
  These are the changes to filter.inc as per the commits in https://github.com/pfsense/pfsense/pull/1521 but done in just 1 clean commit.

* remove unused legacy code | Chris Buechler | 2015-02-26 | 1 | -6/+0

* Merge pull request #1484 from phil-davis/more-text-typos | Renato Botelho | 2015-02-13 | 1 | -6/+6
| * Random text typos | Phil Davis | 2015-02-11 | 1 | -6/+6
|   and I "corrected" function names that had "_choosen_" in them. That is not technically an error - function names do not have to be English words. But it does look nicer to read.

* DHCPv6 client rules MUST come before bogons. Add a comment that hopefully sticks out so this stops getting broken. Ticket #3395 | Chris Buechler | 2015-02-11 | 1 | -15/+15

* remove CGN from "Block private networks" as it was in 2.0x and earlier releases since it specifically notes RFC 1918 and CGN is more bogon. Ticket #4379 | Chris Buechler | 2015-02-05 | 1 | -1/+0
* Fixes #4381 this was a leftover of the change of zoneids to start from 2. | Ermal LUÇI | 2015-02-05 | 1 | -2/+2

* Fixes #4274 same fix as #4302 enclose in double quotes to tell yacc this is a string to be parsed. | Ermal LUÇI | 2015-01-28 | 1 | -2/+6

* Apparently yacc became more strict in FreeBSD 10. Fixes #4302 | Ermal LUÇI | 2015-01-28 | 1 | -8/+9

* Ticket #3997, teach code to track carp through uniqids(). Missing carp GUI changes and upgrade code | Ermal LUÇI | 2015-01-15 | 1 | -1/+1

* Add tracker and label to IPv4 Link-Local block rules. | jim-p | 2015-01-09 | 1 | -2/+2

* Catch packets on all interfaces and send them out the correct one. Fixes #4174 | Ermal LUÇI | 2015-01-08 | 1 | -4/+4

* This is not the place for this setting and weird it's here! | Ermal LUÇI | 2015-01-08 | 1 | -6/+0

* Don't hard code the target IP in auto-generated outbound NAT rules, use previous behavior of setting it to the interface IP. | Chris Buechler | 2015-01-07 | 1 | -2/+2

* Enforce subnet check here to avoid any issues resulting from function call. | Ermal LUÇI | 2015-01-06 | 1 | -1/+1

* Allow IPv6 on loopback needs quick | Phil Davis | 2015-01-04 | 1 | -2/+2
  The following block uses "quick" which causes that block to come into effect before the "pass in" here. The pass rule also needs to be "quick". Problem noted by Andy Sayler on https://redmine.pfsense.org/issues/4074

  Before this change, an attempt to manually do something local with IPv6 fails:
  [2.2-RC][root@xxx]/root: ntpq -pn
  ntpq: write to localhost failed: Operation not permitted

  After this change, it works:
  [2.2-RC][root@xxx]/root: ntpq -pn
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  *27.114.150.12   193.190.230.65   2 u   21   64  377 1424.66 -126.52 371.131

  Note that there are other pass rules later for IPv6 necessary functions, loopback... that do not have "quick". Those are correct and help to allow various essential IPv6 stuff, but still let someone block it with user rules (which will have quick), in the case when IPv6 Allow is checked. This one here is just for the special case of IPv6 Allow not set, and in this case this special IPv6 pass-block sequence needs to be done with "quick" so we can be sure it applies regardless of whatever other IPv6 might come later.
* Use binat, not nat, where IPsec NAT is configured with an address for local and NAT. Ticket #4169 | Chris Buechler | 2014-12-31 | 1 | -10/+6

* Allow IPv6 on loopback even where IPv6 is otherwise disabled. The intent of that feature is to prevent IPv6 from communicating on the network. Blocking it on localhost can result in issues and is unnecessary. Ticket #4074 | Chris Buechler | 2014-12-31 | 1 | -0/+3

* Only set route-to and reply-to on ESP and ISAKMP rules if the remote endpoint is not within the parent interface's subnet. Ticket #4157 | Chris Buechler | 2014-12-30 | 1 | -12/+18

* Unbreak IPsec rules generation for IPsec over CARP. Should help even Ticket #4157 | Ermal LUÇI | 2014-12-30 | 1 | -1/+1