Commit e8cfc0ff authored by Ad Schellevis

remove non-standard tracking feature from pf scripts

parent 8f531b11
...@@ -57,15 +57,7 @@ $filterdns = array(); ...@@ -57,15 +57,7 @@ $filterdns = array();
/* Used for aliases and interface macros */ /* Used for aliases and interface macros */
$aliases = ""; $aliases = "";
global $tracker;
$tracker = 1000000000;
function filter_rule_tracker($tracker) {
global $tracker;
return (++$tracker);
}
function fix_rule_label($descr) { function fix_rule_label($descr) {
$descr = str_replace('"', '', $descr); $descr = str_replace('"', '', $descr);
...@@ -2595,8 +2587,6 @@ function filter_generate_user_rule($rule) ...@@ -2595,8 +2587,6 @@ function filter_generate_user_rule($rule)
} }
} }
if (!empty($rule['tracker']))
$aline['tracker'] = "tracker {$rule['tracker']} ";
$line = ""; $line = "";
/* exception(s) to a user rules can go here. */ /* exception(s) to a user rules can go here. */
...@@ -2607,7 +2597,7 @@ function filter_generate_user_rule($rule) ...@@ -2607,7 +2597,7 @@ function filter_generate_user_rule($rule)
$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] .
$aline['interface'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] . $aline['interface'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] .
$negate_networks . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] . $negate_networks . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] .
$aline['vlanprio'] . $aline['vlanprioset'] . $aline['dscp'] . $aline['tracker'] . $aline['allowopts'] . $aline['flags'] . $aline['vlanprio'] . $aline['vlanprioset'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags'] .
$aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'] . $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'] .
" label \"NEGATE_ROUTE: Negate policy routing for destination\"\n"; " label \"NEGATE_ROUTE: Negate policy routing for destination\"\n";
...@@ -2615,7 +2605,7 @@ function filter_generate_user_rule($rule) ...@@ -2615,7 +2605,7 @@ function filter_generate_user_rule($rule)
/* piece together the actual user rule */ /* piece together the actual user rule */
$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] .
$aline['reply'] . $aline['route'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] . $aline['dst'] . $aline['reply'] . $aline['route'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] . $aline['dst'] .
$aline['divert'] . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['tracker'] . $aline['divert'] . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] .
$aline['vlanprio'] . $aline['vlanprioset'] . $aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel']; $aline['vlanprio'] . $aline['vlanprioset'] . $aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'];
unset($aline); unset($aline);
...@@ -2625,10 +2615,9 @@ function filter_generate_user_rule($rule) ...@@ -2625,10 +2615,9 @@ function filter_generate_user_rule($rule)
function filter_rules_generate() function filter_rules_generate()
{ {
global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList, $tracker; global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList;
$fix_rule_label = 'fix_rule_label'; $fix_rule_label = 'fix_rule_label';
$increment_tracker = 'filter_rule_tracker';
update_filter_reload_status(gettext("Creating default rules")); update_filter_reload_status(gettext("Creating default rules"));
...@@ -2651,25 +2640,22 @@ function filter_rules_generate() ...@@ -2651,25 +2640,22 @@ function filter_rules_generate()
if(isset($config['syslog']['nologdefaultpass'])) if(isset($config['syslog']['nologdefaultpass']))
$log['pass'] = "log"; $log['pass'] = "log";
$saved_tracker = $tracker;
if(!isset($config['system']['ipv6allow'])) { if(!isset($config['system']['ipv6allow'])) {
$ipfrules .= "# Block all IPv6\n"; $ipfrules .= "# Block all IPv6\n";
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; $ipfrules .= "block in {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; $ipfrules .= "block out {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
} }
$saved_tracker += 100;
$tracker = $saved_tracker;
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
#--------------------------------------------------------------------------- #---------------------------------------------------------------------------
# default deny rules # default deny rules
#--------------------------------------------------------------------------- #---------------------------------------------------------------------------
block in {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" block in {$log['block']} inet all label "Default deny rule IPv4"
block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4" block out {$log['block']} inet all label "Default deny rule IPv4"
block in {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" block in {$log['block']} inet6 all label "Default deny rule IPv6"
block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label "Default deny rule IPv6" block out {$log['block']} inet6 all label "Default deny rule IPv6"
# IPv6 ICMP is not auxilary, it is required for operation # IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4) # See man icmp6(4)
...@@ -2681,51 +2667,45 @@ block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label ...@@ -2681,51 +2667,45 @@ block out {$log['block']} inet6 all tracker {$increment_tracker($tracker)} label
# 134 routeradv Router advertisement # 134 routeradv Router advertisement
# 135 neighbrsol Neighbor solicitation # 135 neighbrsol Neighbor solicitation
# 136 neighbradv Neighbor advertisement # 136 neighbradv Neighbor advertisement
pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker {$increment_tracker($tracker)} keep state pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
# We use the mighty pf, we cannot be fooled. # We use the mighty pf, we cannot be fooled.
block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any
block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0
block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any
block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0
# Snort package # Snort package
block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts" block {$log['block']} quick from <snort2c> to any label "Block snort2c hosts"
block {$log['block']} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts" block {$log['block']} quick from any to <snort2c> label "Block snort2c hosts"
EOD; EOD;
$saved_tracker += 100;
$tracker = $saved_tracker;
$ipfrules .= filter_process_carp_rules($log); $ipfrules .= filter_process_carp_rules($log);
$saved_tracker += 100;
$tracker = $saved_tracker;
$ipfrules .= "\n# SSH lockout\n"; $ipfrules .= "\n# SSH lockout\n";
if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) { if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port "; $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port ";
$ipfrules .= $config['system']['ssh']['port']; $ipfrules .= $config['system']['ssh']['port'];
$ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshlockout\"\n"; $ipfrules .= " label \"sshlockout\"\n";
} else { } else {
if($config['system']['ssh']['port'] <> "") if($config['system']['ssh']['port'] <> "")
$sshport = $config['system']['ssh']['port']; $sshport = $config['system']['ssh']['port'];
else else
$sshport = 22; $sshport = 22;
if($sshport) if($sshport)
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n"; $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} label \"sshlockout\"\n";
} }
$saved_tracker += 50;
$tracker = $saved_tracker;
$ipfrules .= "\n# webConfigurator lockout\n"; $ipfrules .= "\n# webConfigurator lockout\n";
if(!$config['system']['webgui']['port']) { if(!$config['system']['webgui']['port']) {
...@@ -2737,19 +2717,15 @@ EOD; ...@@ -2737,19 +2717,15 @@ EOD;
$webConfiguratorlockoutport = $config['system']['webgui']['port']; $webConfiguratorlockoutport = $config['system']['webgui']['port'];
} }
if($webConfiguratorlockoutport) if($webConfiguratorlockoutport)
$ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n"; $ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";
$saved_tracker += 100;
$tracker = $saved_tracker;
/* /*
* Support for allow limiting of TCP connections by establishment rate * Support for allow limiting of TCP connections by establishment rate
* Useful for protecting against sudden outburts, etc. * Useful for protecting against sudden outburts, etc.
*/ */
$ipfrules .= "block in {$log['block']} quick from <virusprot> to any tracker 1000000400 label \"virusprot overload table\"\n"; $ipfrules .= "block in {$log['block']} quick from <virusprot> to any label \"virusprot overload table\"\n";
$saved_tracker += 100;
$tracker = $saved_tracker;
/* if captive portal is enabled, ensure that access to this port /* if captive portal is enabled, ensure that access to this port
* is allowed on a locked down interface * is allowed on a locked down interface
...@@ -2790,18 +2766,14 @@ EOD; ...@@ -2790,18 +2766,14 @@ EOD;
$listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : $cpcfg['zoneid']; $listenporthttp = $cpcfg['listenporthttp'] ? $cpcfg['listenporthttp'] : $cpcfg['zoneid'];
$portalias = $listenporthttps; $portalias = $listenporthttps;
$portalias .= " {$listenporthttp}"; $portalias .= " {$listenporthttp}";
$ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; $ipfrules .= "pass in {$log['pass']} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } keep state(sloppy)\n";
$ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any tracker {$increment_tracker($tracker)} keep state(sloppy)\n"; $ipfrules .= "pass out {$log['pass']} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";
} }
} }
} }
$bogontableinstalled = 0; $bogontableinstalled = 0;
foreach ($FilterIflist as $on => $oc) { foreach ($FilterIflist as $on => $oc) {
/* XXX: Not static but give a step of 1000 for each interface to at least be able to match rules. */
$saved_tracker += 1000;
$tracker = $saved_tracker;
/* block bogon networks */ /* block bogon networks */
/* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */ /* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
/* file is automatically in cron every 3000 minutes */ /* file is automatically in cron every 3000 minutes */
...@@ -2814,7 +2786,7 @@ EOD; ...@@ -2814,7 +2786,7 @@ EOD;
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# block bogon networks (IPv4) # block bogon networks (IPv4)
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}" block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
EOD; EOD;
...@@ -2822,29 +2794,23 @@ EOD; ...@@ -2822,29 +2794,23 @@ EOD;
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# block bogon networks (IPv6) # block bogon networks (IPv6)
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}" block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
EOD; EOD;
} }
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) { if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow our DHCPv6 client out to the {$oc['descr']} # allow our DHCPv6 client out to the {$oc['descr']}
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
EOD; EOD;
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
$isbridged = false; $isbridged = false;
if(is_array($config['bridges']['bridged'])) { if(is_array($config['bridges']['bridged'])) {
foreach ($config['bridges']['bridged'] as $oc2) { foreach ($config['bridges']['bridged'] as $oc2) {
...@@ -2864,41 +2830,35 @@ EOD; ...@@ -2864,41 +2830,35 @@ EOD;
else else
$privnetlog = ""; $privnetlog = "";
$saved_tracker += 10;
$tracker = $saved_tracker;
if(isset($config['interfaces'][$on]['blockpriv'])) { if(isset($config['interfaces'][$on]['blockpriv'])) {
if($isbridged == false) { if($isbridged == false) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# block anything from private networks on interfaces with the option set # block anything from private networks on interfaces with the option set
block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}" block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}" block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}" block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}" block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}" block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}" block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
EOD; EOD;
} }
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
switch ($oc['type']) { switch ($oc['type']) {
case "pptp": case "pptp":
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow PPTP client # allow PPTP client
pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
EOD; EOD;
break; break;
case "dhcp": case "dhcp":
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow our DHCP client out to the {$oc['descr']} # allow our DHCP client out to the {$oc['descr']}
pass in {$log['pass']} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
pass out {$log['pass']} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}" pass out {$log['pass']} on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
# Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP. # Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP.
EOD; EOD;
...@@ -2913,13 +2873,13 @@ EOD; ...@@ -2913,13 +2873,13 @@ EOD;
if(isset($config['dhcpd'][$on]['enable'])) { if(isset($config['dhcpd'][$on]['enable'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow access to DHCP server on {$oc['descr']} # allow access to DHCP server on {$oc['descr']}
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
EOD; EOD;
if (is_ipaddrv4($oc['ip'])) { if (is_ipaddrv4($oc['ip'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 label "allow access to DHCP server"
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 tracker {$increment_tracker($tracker)} label "allow access to DHCP server" pass out {$log['pass']} quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
EOD; EOD;
} }
...@@ -2927,8 +2887,8 @@ EOD; ...@@ -2927,8 +2887,8 @@ EOD;
if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") { if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} # allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover"
pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 tracker {$increment_tracker($tracker)} label "allow access to DHCP failover" pass in {$log['pass']} quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover"
EOD; EOD;
} }
...@@ -2937,21 +2897,19 @@ EOD; ...@@ -2937,21 +2897,19 @@ EOD;
break; break;
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
switch($oc['type6']) { switch($oc['type6']) {
case "6rd": case "6rd":
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow our proto 41 traffic from the 6RD border relay in # allow our proto 41 traffic from the 6RD border relay in
pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}" pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
EOD; EOD;
/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */ /* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */
if (0 && is_ipaddrv6($oc['ipv6'])) { if (0 && is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}" pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"
EOD; EOD;
} }
...@@ -2960,16 +2918,16 @@ EOD; ...@@ -2960,16 +2918,16 @@ EOD;
if (is_ipaddrv4($oc['ip'])) { if (is_ipaddrv4($oc['ip'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow our proto 41 traffic from the 6to4 border relay in # allow our proto 41 traffic from the 6to4 border relay in
pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} proto 41 from any to {$oc['ip']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" pass out {$log['pass']} on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
EOD; EOD;
} }
/* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */ /* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */
if (0 && is_ipaddrv6($oc['ipv6'])) { if (0 && is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}" pass out {$log['pass']} on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"
EOD; EOD;
} }
...@@ -2980,16 +2938,16 @@ EOD; ...@@ -2980,16 +2938,16 @@ EOD;
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# allow access to DHCPv6 server on {$oc['descr']} # allow access to DHCPv6 server on {$oc['descr']}
# We need inet6 icmp for stateless autoconfig and dhcpv6 # We need inet6 icmp for stateless autoconfig and dhcpv6
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
EOD; EOD;
if (is_ipaddrv6($oc['ipv6'])) { if (is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 label "allow access to DHCPv6 server"
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 tracker {$increment_tracker($tracker)} label "allow access to DHCPv6 server" pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 label "allow access to DHCPv6 server"
EOD; EOD;
} }
...@@ -2998,9 +2956,6 @@ EOD; ...@@ -2998,9 +2956,6 @@ EOD;
} }
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
/* /*
* NB: The loopback rules are needed here since the antispoof would take precedence then. * NB: The loopback rules are needed here since the antispoof would take precedence then.
* If you ever add the 'quick' keyword to the antispoof rules above move the looback * If you ever add the 'quick' keyword to the antispoof rules above move the looback
...@@ -3009,31 +2964,29 @@ EOD; ...@@ -3009,31 +2964,29 @@ EOD;
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# loopback # loopback
pass in {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" pass in {$log['pass']} on \$loopback inet all label "pass IPv4 loopback"
pass out {$log['pass']} on \$loopback inet all tracker {$increment_tracker($tracker)} label "pass IPv4 loopback" pass out {$log['pass']} on \$loopback inet all label "pass IPv4 loopback"
pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" pass in {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback"
pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label "pass IPv6 loopback" pass out {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic # let out anything from the firewall host itself and decrypted IPsec traffic
pass out {$log['pass']} inet all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv4 from firewall host itself" pass out {$log['pass']} inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out {$log['pass']} inet6 all keep state allow-opts tracker {$increment_tracker($tracker)} label "let out anything IPv6 from firewall host itself" pass out {$log['pass']} inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
EOD; EOD;
$saved_tracker += 100;
$tracker = $saved_tracker;
foreach ($FilterIflist as $ifdescr => $ifcfg) { foreach ($FilterIflist as $ifdescr => $ifcfg) {
if(isset($ifcfg['virtual'])) if(isset($ifcfg['virtual']))
continue; continue;
$gw = get_interface_gateway($ifdescr); $gw = get_interface_gateway($ifdescr);
if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip'])) { if (is_ipaddrv4($gw) && is_ipaddrv4($ifcfg['ip'])) {
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; $ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
if (is_array($ifcfg['vips'])) { if (is_array($ifcfg['vips'])) {
foreach ($ifcfg['vips'] as $vip) foreach ($ifcfg['vips'] as $vip)
if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}")) if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}"))
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; $ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
else else
$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; $ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
} }
} }
...@@ -3041,23 +2994,19 @@ EOD; ...@@ -3041,23 +2994,19 @@ EOD;
$stf = get_real_interface($ifdescr, "inet6"); $stf = get_real_interface($ifdescr, "inet6");
$pdlen = 64 - calculate_ipv6_delegation_length($ifdescr); $pdlen = 64 - calculate_ipv6_delegation_length($ifdescr);
if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) { if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) {
$ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; $ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
if (is_array($ifcfg['vips6'])) { if (is_array($ifcfg['vips6'])) {
foreach ($ifcfg['vips6'] as $vip) foreach ($ifcfg['vips6'] as $vip)
$ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} tracker {$increment_tracker($tracker)} keep state allow-opts label \"let out anything from firewall host itself\"\n"; $ipfrules .= "pass out {$log['pass']} route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ip']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
} }
} }
} }
$saved_tracker += 300;
$tracker = $saved_tracker;
/* add ipsec interfaces */ /* add ipsec interfaces */
if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable']))
$ipfrules .= "pass out {$log['pass']} on \$IPsec all tracker {$increment_tracker($tracker)} tracker {$increment_tracker($tracker)} keep state label \"IPsec internal host to host\"\n"; $ipfrules .= "pass out {$log['pass']} on \$IPsec all keep state label \"IPsec internal host to host\"\n";
$saved_tracker += 10;
$tracker = $saved_tracker;
if(is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) { if(is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
$alports = filter_get_antilockout_ports(); $alports = filter_get_antilockout_ports();
...@@ -3068,7 +3017,7 @@ EOD; ...@@ -3068,7 +3017,7 @@ EOD;
$lanif = $FilterIflist['lan']['if']; $lanif = $FilterIflist['lan']['if'];
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH # make sure the user cannot lock himself out of the webConfigurator or SSH
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule"
EOD; EOD;
} else if (count($config['interfaces']) == 1) { } else if (count($config['interfaces']) == 1) {
...@@ -3076,15 +3025,13 @@ EOD; ...@@ -3076,15 +3025,13 @@ EOD;
$wanif = $FilterIflist["wan"]['if']; $wanif = $FilterIflist["wan"]['if'];
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH # make sure the user cannot lock himself out of the webConfigurator or SSH
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule"
EOD; EOD;
} }
unset($alports); unset($alports);
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
/* PPTPd enabled? */ /* PPTPd enabled? */
if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off") && !isset($config['system']['disablevpnrules'])) { if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off") && !isset($config['system']['disablevpnrules'])) {
if($pptpdcfg['mode'] == "server") if($pptpdcfg['mode'] == "server")
...@@ -3094,8 +3041,8 @@ EOD; ...@@ -3094,8 +3041,8 @@ EOD;
if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) { if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# PPTPd rules # PPTPd rules
pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 tracker {$increment_tracker($tracker)} modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}" pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto gre from any to any tracker {$increment_tracker($tracker)} keep state label "allow gre pptpd" pass in {$log['pass']} on \${$FilterIflist['wan']['descr']} proto gre from any to any keep state label "allow gre pptpd"
EOD; EOD;
...@@ -3107,15 +3054,13 @@ EOD; ...@@ -3107,15 +3054,13 @@ EOD;
} }
} }
$saved_tracker += 10;
$tracker = $saved_tracker;
if(isset($config['nat']['rule']) && is_array($config['nat']['rule'])) { if(isset($config['nat']['rule']) && is_array($config['nat']['rule'])) {
foreach ($config['nat']['rule'] as $rule) { foreach ($config['nat']['rule'] as $rule) {
if((!isset($config['system']['disablenatreflection']) || $rule['natreflection'] == "enable") if((!isset($config['system']['disablenatreflection']) || $rule['natreflection'] == "enable")
&& $rule['natreflection'] != "disable") { && $rule['natreflection'] != "disable") {
$ipfrules .= "# NAT Reflection rules\n"; $ipfrules .= "# NAT Reflection rules\n";
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass in {$log['pass']} inet tagged PFREFLECT tracker {$increment_tracker($tracker)} keep state label "NAT REFLECT: Allow traffic to localhost" pass in {$log['pass']} inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
EOD; EOD;
break; break;
...@@ -3194,8 +3139,6 @@ EOD; ...@@ -3194,8 +3139,6 @@ EOD;
unset($rule_arr1, $rule_arr2, $rule_arr3); unset($rule_arr1, $rule_arr2, $rule_arr3);
} }
$saved_tracker += 100;
$tracker = $saved_tracker;
/* pass traffic between statically routed subnets and the subnet on the /* pass traffic between statically routed subnets and the subnet on the
* interface in question to avoid problems with complicated routing * interface in question to avoid problems with complicated routing
...@@ -3215,10 +3158,10 @@ EOD; ...@@ -3215,10 +3158,10 @@ EOD;
} }
if ($sa && is_ipaddrv4($routeent[0])) { if ($sa && is_ipaddrv4($routeent[0])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets"
pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} keep state(sloppy) label "pass traffic between statically routed subnets"
EOD; EOD;
} }
...@@ -3229,10 +3172,10 @@ EOD; ...@@ -3229,10 +3172,10 @@ EOD;
} }
if ($sa && is_ipaddrv6($routeent[0])) { if ($sa && is_ipaddrv6($routeent[0])) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} inet6 proto tcp from {$route['network']} to {$sa}/{$sn} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} tracker {$increment_tracker($tracker)} keep state(sloppy) label "pass traffic between statically routed subnets" pass {$log['pass']} quick on \${$oc['descr']} inet6 from {$route['network']} to {$sa}/{$sn} keep state(sloppy) label "pass traffic between statically routed subnets"
EOD; EOD;
} }
...@@ -3241,14 +3184,10 @@ EOD; ...@@ -3241,14 +3184,10 @@ EOD;
} }
update_filter_reload_status(gettext("Creating IPsec rules...")); update_filter_reload_status(gettext("Creating IPsec rules..."));
$saved_tracker += 100000;
$tracker = $saved_tracker;
$ipfrules .= filter_generate_ipsec_rules($log); $ipfrules .= filter_generate_ipsec_rules($log);
$ipfrules .= "\nanchor \"tftp-proxy/*\"\n"; $ipfrules .= "\nanchor \"tftp-proxy/*\"\n";
$saved_tracker += 200;
$tracker = $saved_tracker;
update_filter_reload_status("Creating uPNP rules..."); update_filter_reload_status("Creating uPNP rules...");
if (is_array($config['installedpackages']['miniupnpd']) && is_array($config['installedpackages']['miniupnpd']['config'][0])) { if (is_array($config['installedpackages']['miniupnpd']) && is_array($config['installedpackages']['miniupnpd']['config'][0])) {
if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable'])) if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable']))
...@@ -3266,7 +3205,7 @@ EOD; ...@@ -3266,7 +3205,7 @@ EOD;
} }
if($sa) { if($sa) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 tracker {$increment_tracker($tracker)} keep state label "pass multicast traffic to miniupnpd" pass in {$log['pass']} on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 keep state label "pass multicast traffic to miniupnpd"
EOD; EOD;
} }
...@@ -3281,10 +3220,9 @@ EOD; ...@@ -3281,10 +3220,9 @@ EOD;
function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log) function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log)
{ {
global $g, $config, $tracker; global $g, $config;
$ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} \n"; $ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} \n";
$tracker++;
return $ipfrules; return $ipfrules;
} }
...@@ -3499,14 +3437,13 @@ function filter_setup_logging_interfaces() ...@@ -3499,14 +3437,13 @@ function filter_setup_logging_interfaces()
function filter_process_carp_rules($log) function filter_process_carp_rules($log)
{ {
global $g, $config, $tracker; global $g, $config;
$increment_tracker = 'filter_rule_tracker';
$lines = ''; $lines = '';
/* return if there are no carp configured items */ /* return if there are no carp configured items */
if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) { if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) {
$lines .= "block in {$log['block']} quick proto carp from (self) to any tracker {$increment_tracker($tracker)}\n"; $lines .= "block in {$log['block']} quick proto carp from (self) to any \n";
$lines .= "pass {$log['pass']} quick proto carp tracker {$increment_tracker($tracker)}\n"; $lines .= "pass {$log['pass']} quick proto carp \n";
} }
return $lines; return $lines;
} }
...@@ -3514,13 +3451,12 @@ function filter_process_carp_rules($log) ...@@ -3514,13 +3451,12 @@ function filter_process_carp_rules($log)
/* Generate IPsec Filter Items */ /* Generate IPsec Filter Items */
function filter_generate_ipsec_rules($log = array()) function filter_generate_ipsec_rules($log = array())
{ {
global $config, $g, $FilterIflist, $tracker; global $config, $g, $FilterIflist;
if (isset($config['system']['disablevpnrules'])) { if (isset($config['system']['disablevpnrules'])) {
return "\n# VPN Rules not added disabled in System->Advanced.\n"; return "\n# VPN Rules not added disabled in System->Advanced.\n";
} }
$increment_tracker = 'filter_rule_tracker';
$ipfrules = "\n# VPN Rules\n"; $ipfrules = "\n# VPN Rules\n";
/* Is IP Compression enabled? */ /* Is IP Compression enabled? */
...@@ -3533,7 +3469,6 @@ function filter_generate_ipsec_rules($log = array()) ...@@ -3533,7 +3469,6 @@ function filter_generate_ipsec_rules($log = array())
is_array($config['ipsec']['phase1'])) { is_array($config['ipsec']['phase1'])) {
/* step through all phase1 entries */ /* step through all phase1 entries */
foreach ($config['ipsec']['phase1'] as $ph1ent) { foreach ($config['ipsec']['phase1'] as $ph1ent) {
$tracker += 10;
if(isset ($ph1ent['disabled'])) if(isset ($ph1ent['disabled']))
continue; continue;
...@@ -3607,30 +3542,30 @@ function filter_generate_ipsec_rules($log = array()) ...@@ -3607,30 +3542,30 @@ function filter_generate_ipsec_rules($log = array())
/* Add rules to allow IKE to pass */ /* Add rules to allow IKE to pass */
$shorttunneldescr = substr($descr, 0, 35); $shorttunneldescr = substr($descr, 0, 35);
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
EOD; EOD;
/* If NAT-T is enabled, add additional rules */ /* If NAT-T is enabled, add additional rules */
if($ph1ent['nat_traversal'] != "off" ) { if($ph1ent['nat_traversal'] != "off" ) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
EOD; EOD;
} }
/* Add rules to allow the protocols in use */ /* Add rules to allow the protocols in use */
if($prot_used_esp == true) { if($prot_used_esp == true) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
EOD; EOD;
} }
if($prot_used_ah == true) { if($prot_used_ah == true) {
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any tracker {$increment_tracker($tracker)} keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
EOD; EOD;
} }
......