(ipfw) reverse behaviour for non captiveportal pass rules in ipfw, issue...

(ipfw) reverse behaviour for non captiveportal pass rules in ipfw, issue https://github.com/opnsense/core/issues/369 same issue could appear on otheri non physical interfaces as well in the previous version

(ipfw) reverse behaviour for non captiveportal pass rules in ipfw, issue...
(ipfw) reverse behaviour for non captiveportal pass rules in ipfw, issue https://github.com/opnsense/core/issues/369 same issue could appear on otheri non physical interfaces as well in the previous version
a6c6016f · Ad Schellevis · e03a4ce7 · a6c6016f
Commit a6c6016f authored Oct 12, 2015 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 17 deletions

ipfw.conf src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf +7 -17

No files found.
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
 {# collect interfaces list (with / without captive portal enabled) #}
 {% set cp_interface_list = [] %}
-{% set no_cp_interface_list = [] %}
 {% if helpers.exists('captiveportal') %}
 {% for intf_key,interface in interfaces.iteritems()%}
 {%      set is_cp=[] %}
@@ -12,14 +11,7 @@
 {%              endif %}
 {%          endif %}
 {%      endfor %}
-{%      if not is_cp%}
-{%              do no_cp_interface_list.append(interface) %}
-{%      endif %}
 {% endfor %}
-{% else %}
-{%      for intf_key,interface in interfaces.iteritems() %}
-{%              do no_cp_interface_list.append(interface) %}
-{%      endfor %}
 {% endif %}
 #======================================================================================
 # flush ruleset
@@ -112,16 +104,14 @@ add {{5000 + item.zoneid|int }} allow ip from any to any dst-port 80 via {{item.
 #======================================================================================
 # accept traffic from all interfaces not used by captive portal
 #======================================================================================
-{% for item in no_cp_interface_list %}
-add {{6001 + loop.index }} skipto 60000 all from any to any via {{item.if}}
-{% endfor %}
-# skip ipsec tunnel device from captive portal rules
-add 6199 skipto 60000 all from any to any via enc0
 # let the responses from the captive portal web server back out
-add 6200 pass tcp from any to any out
-# block everything else (not mentioned before)
-add 6201 skipto 65534 all from any to any
-
+add 6000 skipto 60000 tcp from any to any out
+# forward unauthorized traffic from captiveportal interfaces to block rule
+{% for item in cp_interface_list %}
+      add {{6001 + loop.index }} skipto 65534 all from any to any via {{item.if}}
+{% endfor %}
+# send all the rest to the traffic shaper rules
+add 6000 skipto 60000 all from any to any

 #======================================================================================
 # setup zone accounting section