From 237c652e4f9e7cbb185e064c9cbd3ac44400dcaa Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 1 Nov 2016 21:11:46 +0100 Subject: [PATCH] (filter) move block bogons and private nets --- src/etc/inc/filter.inc | 52 -------------------------------------- src/etc/inc/filter.lib.inc | 25 ++++++++++++++++++ 2 files changed, 25 insertions(+), 52 deletions(-) diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index e6307d560..13a9f9e56 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -2504,28 +2504,7 @@ function filter_rules_generate(&$FilterIflist) foreach ($FilterIflist as $on => $oc) { - /* - * Block bogon networks via the following list. Note that "bogons" - * are excluding the four private address ranges for one reason or - * another. They exist in the upstream files but are stripped during - * the upgrade stage. - * - * http://www.cymru.com/Documents/bogon-bn-nonagg.txt - */ - if (!isset($config['syslog']['nologbogons'])) { - $bogonlog = 'log'; - } else { - $bogonlog = ''; - } - if (isset($config['interfaces'][$on]['blockbogons'])) { - $ipfrules .= << to any label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}" - -EOD; - } if (isset($config['system']['ipv6allow']) && isset($oc['type6']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) { $ipfrules .= << to any label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}" - -EOD; - } - } $isbridged = false; if (isset($config['bridges']['bridged'])) { 
@@ -2562,27 +2531,6 @@ EOD; $ipfrules .= "antispoof {$log['block']} for \${$oc['descr']} \n"; } - /* block private networks ? */ - if (!isset($config['syslog']['nologprivatenets'])) { - $privnetlog = "log"; - } else { - $privnetlog = ""; - } - - if (isset($config['interfaces'][$on]['blockpriv'])) { - if ($isbridged == false) { - $ipfrules .= << $fw->registerFilterRule(1,array('from' => '', 'label' => 'virusprot overload table'),$defaults['block']); + // block bogons and private nets + $bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons'])); + $privtmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologprivatenets']), + 'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7'); + foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) { + $fw->registerFilterRule(1, + array('from' => "", 'direction' => 'in', 'interface' => $intf, + 'label' => "block bogon IPv4 networks from ".$intfinfo['descr'], + 'disabled' => !isset($intfinfo['blockbogons'])), + $bogontmpl + ); + $fw->registerFilterRule(1, + array('from' => "", 'direction' => 'in', 'interface' => $intf, + 'disabled' => !isset($config['system']['ipv6allow']) || !isset($intfinfo['blockbogons']), + 'label' => "block bogon IPv6 networks from ".$intfinfo['descr']), + $bogontmpl + ); + $fw->registerFilterRule(1, + array('direction' => 'in', 'interface' => $intf, + 'label' => "Block private networks from ".$intfinfo['descr'], + 'disabled' => !isset($intfinfo['blockbogons'])), + $privtmpl + ); + } + }
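Review bot: The private-networks rule registered last in the loop is gated on the wrong option, `'disabled' => !isset($intfinfo['blockbogons'])`, whereas the code removed from filter.inc keyed that rule on `$config['interfaces'][$on]['blockpriv']`. As written, an interface with only "block private networks" enabled loses the rule and one with only "block bogons" enabled silently gains it; the line should read `'disabled' => !isset($intfinfo['blockpriv'])`, assuming getInterfaceMapping() exposes that flag alongside blockbogons. The removed code also skipped the private-nets rule on bridged interfaces (`$isbridged`) and only emitted the IPv6 bogon rule for slaac/dhcp6 interfaces; neither condition is carried over, which may be intended but deserves a comment next to `$privtmpl`. The enclosing function in filter.lib.inc starts outside the hunk, and that file's diff header is not visible here.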