From b9d1d8108b0b57b062400f6d87704110b2023b1e Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Mon, 12 Jun 2006 04:16:19 +0000 Subject: Only allow mac-type 0x888e traffic for WPA. This is a lot better than allowing all layer2. Thanks Andrew Thompson for the suggestion! --- etc/inc/captiveportal.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'etc/inc/captiveportal.inc') diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 1807451..e2f9225 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -308,9 +308,6 @@ function captiveportal_rules_generate() { $cprules .= "add 30 set 1 skipto 50000 all from any to any in via {$int} keep-state\n"; } - /* Needed for WPA */ - $cprules .= "add 1 set 1 allow all from any to any layer2"; - /* captive portal on LAN interface? */ if ($cpifn == "lan") { /* add anti-lockout rules */ @@ -329,6 +326,8 @@ add 1001 set 1 pass layer2 not via $cpif # layer 2: pass ARP add 1100 set 1 pass layer2 mac-type arp +# pfsense requires for WPA +add 1100 set 1 pass layer2 mac-type 0x888e # layer 2: block anything else non-IP add 1101 set 1 deny layer2 not mac-type ip # layer 2: check if MAC addresses of authenticated clients are correct -- cgit v1.1
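Review bot: The added rule `add 1100 set 1 pass layer2 mac-type 0x888e` in the second hunk reuses number 1100, which the ARP rule just above it already has, and its comment does not say what 0x888e is. ipfw accepts duplicate rule numbers, but anything that later deletes or lists rule 1100 then acts on both rules, so either give the new rule a number of its own or state the pairing in the comment. 0x888e is the EAPOL (802.1X) ethertype, and the rule passes those frames for clients that have not yet authenticated to the portal, which appears to be the intent for the WPA handshake. A comment in the style of its neighbours would make that explicit, for example `# layer 2: pass EAPOL (802.1X, mac-type 0x888e) so WPA key exchange works before portal login`. The ruleset text starts and continues outside this hunk, so which numbers are still free is not visible here.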