From f49a10ca332206c5ae4fc3feeba2467ac57ea65d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Sat, 9 Feb 2019 09:21:02 +0100
Subject: [PATCH 1/7] Allow access to this hosts configured VIPs

---
 .../service/templates/OPNsense/IPFW/ipfw.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 8432a3c3e..913a1e277 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -111,6 +111,19 @@ add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or {{
 {% endif %}
 {% endfor %}
 
+#======================================================================================
+# Allow traffic to this hosts VIPs
+#======================================================================================
+{% for item in virtualip.vip %}
+{% if ':' not in item.subnet %}
+add {{loop.index + 2000}} skipto 60000 udp from any to {{ item.subnet }} dst-port 53 keep-state
+add {{loop.index + 2000}} skipto 60000 ip from any to { 255.255.255.255 or {{item.subnet}} } in
+add {{loop.index + 2000}} skipto 60000 ip from { 255.255.255.255 or {{item.subnet}} } to any out
+add {{loop.index + 2000}} skipto 60000 icmp from { 255.255.255.255 or {{item.subnet}} } to any out icmptypes 0
+add {{loop.index + 2000}} skipto 60000 icmp from any to { 255.255.255.255 or {{item.subnet}} } in icmptypes 8
+{% endif %}
+{% endfor %}
+
 {% for item in cp_interface_list %}
 #===================================================================================
 # zone {{item.zone}} ({{item.zoneid}}) / {{item.if}} configuration
From 54b9fb4874e7909a339065c3027d8a6fe387e754 Mon Sep 17 00:00:00 2001
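Review bot: The guard `{% if ':' not in item.subnet %}` admits every entry of `virtualip.vip` regardless of its type, so if that list also carries Proxy ARP or "other" VIPs (addresses the firewall answers ARP for but does not itself own, as far as I can tell from the config model) the `from any to {{ item.subnet }}` rules would let unauthenticated portal clients reach whatever sits behind those addresses. I would narrow the guard to address-owning VIP types, e.g. `{% if item.mode in ['ipalias', 'carp'] and ':' not in item.subnet %}` if `mode` is the field name used elsewhere in the config, or add a comment stating why all VIP types are intended. Minor: the header comment should read `# Allow traffic to this host's VIPs`.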
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Sun, 10 Feb 2019 07:50:55 +0100
Subject: [PATCH 2/7] ipfw: Only allow for VIPs on cp interfaces

Create a helper attribute 'interfaces' split on ',' later, this due to the captiveportal zones being applicable to more than one if, separated by ',' in the configuration.
---
 src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 913a1e277..17b890e38 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -10,7 +10,7 @@
 {% for cp_intf in cp_item.interfaces.split(',') %}
 {% if intf_key == cp_intf %}
 {% if cp_item.enabled|default('0') == '1' %}
-{% do cp_interface_list.append({'zone':cp_item.description, 'zoneid':cp_item.zoneid,'if':interface.if, 'obj':cp_item}) %}
+{% do cp_interface_list.append({'zone':cp_item.description, 'zoneid':cp_item.zoneid,'if':interface.if,'interfaces':cp_item.interfaces.split(','),'obj':cp_item}) %}
 {% do is_cp.append(1) %}
 {% endif %}
 {% endif %}
@@ -115,7 +115,7 @@ add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or {{
 # Allow traffic to this hosts VIPs
 #======================================================================================
 {% for item in virtualip.vip %}
-{% if ':' not in item.subnet %}
+{% if item.interface in cp_interface_list|sum(attribute="interfaces", start=[]) and ':' not in item.subnet %}
 add {{loop.index + 2000}} skipto 60000 udp from any to {{ item.subnet }} dst-port 53 keep-state
 add {{loop.index + 2000}} skipto 60000 ip from any to { 255.255.255.255 or {{item.subnet}} } in
 add {{loop.index + 2000}} skipto 60000 ip from { 255.255.255.255 or {{item.subnet}} } to any out
From 11ea61423ea3630536dbbae6e5f35118d707d18e Mon Sep 17 00:00:00 2001
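Review bot: In the second hunk, `cp_interface_list|sum(attribute="interfaces", start=[])` is re-evaluated on every iteration of the VIP loop, and because the builder loop at line 10 appends one entry per matching interface, the flattened list repeats each zone's interfaces; that is still correct for a membership test but hard to read. I would compute it once before the loop, `{% set cp_interfaces = cp_interface_list|sum(attribute="interfaces", start=[]) %}`, and test `item.interface in cp_interfaces`, with a one-line comment that a zone may span several comma-separated interfaces. The `{% for item in virtualip.vip %}` loop continues past the end of the hunk.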
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Mon, 11 Feb 2019 13:04:10 +0100
Subject: [PATCH 3/7] Check for ':' is redundant

Captive portal supports only ipv4, checking for ':' (ipv6) is therefore redundant
---
 src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 17b890e38..913269179 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -115,7 +115,7 @@ add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or {{
 # Allow traffic to this hosts VIPs
 #======================================================================================
 {% for item in virtualip.vip %}
-{% if item.interface in cp_interface_list|sum(attribute="interfaces", start=[]) and ':' not in item.subnet %}
+{% if item.interface in cp_interface_list|sum(attribute="interfaces", start=[]) %}
 add {{loop.index + 2000}} skipto 60000 udp from any to {{ item.subnet }} dst-port 53 keep-state
 add {{loop.index + 2000}} skipto 60000 ip from any to { 255.255.255.255 or {{item.subnet}} } in
 add {{loop.index + 2000}} skipto 60000 ip from { 255.255.255.255 or {{item.subnet}} } to any out
From e8af5bee77c9d30b11321ac8338c7eec02924d28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Thu, 14 Feb 2019 15:31:46 +0100
Subject: [PATCH 4/7] ipfw: Remove VIP loop / Add explicit "to me" for DNS

There's no need to explicitly loop around VIPs. We can get away with simply allowing DNS "to me" via the captive portal interfaces. Removed unneccessary attribute in cp_interface_list
---
 .../service/templates/OPNsense/IPFW/ipfw.conf | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
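Review bot: Dropping `':' not in item.subnet` relies on the portal being IPv4-only, but the remaining guard only checks the VIP's interface, not its address family, so an IPv6 VIP that an admin assigns to a portal interface is now rendered into `{ 255.255.255.255 or <v6 address> }` sets; I am not certain ipfw accepts a mixed-family address set, and if it rejects it the whole ruleset fails to load. Keeping the cheap family check, `{% if item.interface in cp_interface_list|sum(attribute="interfaces", start=[]) and ':' not in item.subnet %}`, costs nothing and does not depend on the portal's own limitation. The `{% for item in virtualip.vip %}` loop continues past the hunk.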
diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 913269179..27bcb2e3b 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -10,7 +10,7 @@
 {% for cp_intf in cp_item.interfaces.split(',') %}
 {% if intf_key == cp_intf %}
 {% if cp_item.enabled|default('0') == '1' %}
-{% do cp_interface_list.append({'zone':cp_item.description, 'zoneid':cp_item.zoneid,'if':interface.if,'interfaces':cp_item.interfaces.split(','),'obj':cp_item}) %}
+{% do cp_interface_list.append({'zone':cp_item.description, 'zoneid':cp_item.zoneid,'if':interface.if,'obj':cp_item}) %}
 {% do is_cp.append(1) %}
 {% endif %}
 {% endif %}
@@ -103,7 +103,6 @@ add 203 skipto 60000 ipv4 from any to 127.0.0.0/8
 #======================================================================================
 {% for intf_key,interface in interfaces.iteritems() %}
 {% if intf_key != "wan" and interface.ipaddr not in ["dhcp", "ppp", "pppoe", "l2tp", "pptp"] and interface.ipaddr|default("") != "" %}
-add {{loop.index + 1000}} skipto 60000 udp from any to {{ interface.ipaddr }} dst-port 53 keep-state
 add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or {{interface.ipaddr}} } in
 add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or {{interface.ipaddr}} } to any out
 add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or {{interface.ipaddr}} } to any out icmptypes 0
@@ -112,16 +111,10 @@ add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or {{
 {% endfor %}
 
 #======================================================================================
-# Allow traffic to this hosts VIPs
+# Allow DNS to this host
 #======================================================================================
-{% for item in virtualip.vip %}
-{% if item.interface in cp_interface_list|sum(attribute="interfaces", start=[]) %}
-add {{loop.index + 2000}} skipto 60000 udp from any to {{ item.subnet }} dst-port 53 keep-state
-add {{loop.index + 2000}} skipto 60000 ip from any to { 255.255.255.255 or {{item.subnet}} } in
-add {{loop.index + 2000}} skipto 60000 ip from { 255.255.255.255 or {{item.subnet}} } to any out
-add {{loop.index + 2000}} skipto 60000 icmp from { 255.255.255.255 or {{item.subnet}} } to any out icmptypes 0
-add {{loop.index + 2000}} skipto 60000 icmp from any to { 255.255.255.255 or {{item.subnet}} } in icmptypes 8
-{% endif %}
+{% for item in cp_interface_list %}
+add {{loop.index + 2000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
 {% endfor %}
 
 {% for item in cp_interface_list %}
From f2da545261c049fa0daa1dd37d266e9288f7c4fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Fri, 15 Feb 2019 08:09:05 +0100
Subject: [PATCH 5/7] ipfw: only allow traffic to/from me via cp_interfaces

---
 .../service/templates/OPNsense/IPFW/ipfw.conf | 20 ++++++-------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 27bcb2e3b..b6db1197d 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
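Review bot: `udp from any to me dst-port 53 via {{item.if}}` matches every address the firewall owns, not just the addresses configured on the portal interface, so an unauthenticated client on `{{item.if}}` can now reach a resolver bound to the WAN address or to another interface's address; the per-VIP rules this replaces were scoped to the VIPs of portal interfaces only. If that widening is intended, the header comment should say so, e.g. `# 'me' matches every local address, not only those on the portal interface`; otherwise enumerate the interface address and its VIPs instead of `me`. The same point applies to the five `me` rules added in PATCH 5 and restored by the revert in PATCH 7, so I am not repeating it there.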
@@ -99,22 +99,14 @@ add 202 skipto 60000 ipv6 from any to ::1
 add 203 skipto 60000 ipv4 from any to 127.0.0.0/8
 
 #======================================================================================
-# Allow traffic to this hosts static ip's
-#======================================================================================
-{% for intf_key,interface in interfaces.iteritems() %}
-{% if intf_key != "wan" and interface.ipaddr not in ["dhcp", "ppp", "pppoe", "l2tp", "pptp"] and interface.ipaddr|default("") != "" %}
-add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or {{interface.ipaddr}} } in
-add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or {{interface.ipaddr}} } to any out
-add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or {{interface.ipaddr}} } to any out icmptypes 0
-add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or {{interface.ipaddr}} } in icmptypes 8
-{% endif %}
-{% endfor %}
-
-#======================================================================================
-# Allow DNS to this host
+# Allow traffic to this host
 #======================================================================================
 {% for item in cp_interface_list %}
-add {{loop.index + 2000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
+add {{loop.index + 1000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
+add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or me } in via {{item.if}}
+add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or me } to any out via {{item.if}}
+add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or me } to any out via {{item.if}} icmptypes 0
+add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or me } in via {{item.if}} icmptypes 8
 {% endfor %}
 
 {% for item in cp_interface_list %}
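Review bot: The removed block emitted allow rules for every non-WAN static interface, while its replacement only emits them for the interfaces in `cp_interface_list`, so traffic from a non-portal interface to the firewall's own addresses no longer gets an explicit `skipto 60000` in this section. I cannot see from the hunk whether an earlier blanket allow for non-portal interfaces makes that harmless, so the assumption should be written down above the loop, e.g. `# only portal interfaces need explicit allows here; non-portal interfaces are passed earlier in the ruleset` (confirm against the top of the template). Stating the security intent would also help: these rules admit pre-authentication traffic from portal clients to the firewall itself (DNS and ICMP echo), which is why they are scoped with `via {{item.if}}`.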
From 6178310af241221faf94e9515235b002a12dfbdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Fri, 15 Feb 2019 08:15:00 +0100
Subject: [PATCH 6/7] ipfw: there's no need to loop over cp_interfaces

We can allow traffic to this host via all.
---
 .../service/templates/OPNsense/IPFW/ipfw.conf | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index b6db1197d..759a90f55 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -101,13 +101,11 @@ add 203 skipto 60000 ipv4 from any to 127.0.0.0/8
 #======================================================================================
 # Allow traffic to this host
 #======================================================================================
-{% for item in cp_interface_list %}
-add {{loop.index + 1000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
-add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or me } in via {{item.if}}
-add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or me } to any out via {{item.if}}
-add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or me } to any out via {{item.if}} icmptypes 0
-add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or me } in via {{item.if}} icmptypes 8
-{% endfor %}
+add 1001 skipto 60000 udp from any to me dst-port 53 keep-state
+add 1002 skipto 60000 ip from any to { 255.255.255.255 or me } in
+add 1003 skipto 60000 ip from { 255.255.255.255 or me } to any out
+add 1004 skipto 60000 icmp from { 255.255.255.255 or me } to any out icmptypes 0
+add 1005 skipto 60000 icmp from any to { 255.255.255.255 or me } in icmptypes 8
 
 {% for item in cp_interface_list %}
 #===================================================================================
From 6c263d4349e3220c3e6b448f3026825fce9b4cc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Fri, 15 Feb 2019 08:27:36 +0100
Subject: [PATCH 7/7] Revert "ipfw: there's no need to loop over cp_interfaces"

This reverts commit 6178310af241221faf94e9515235b002a12dfbdf.

Don't want to risk opening 53 on wan
---
 .../service/templates/OPNsense/IPFW/ipfw.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 759a90f55..b6db1197d 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -101,11 +101,13 @@ add 203 skipto 60000 ipv4 from any to 127.0.0.0/8
 #======================================================================================
 # Allow traffic to this host
 #======================================================================================
-add 1001 skipto 60000 udp from any to me dst-port 53 keep-state
-add 1002 skipto 60000 ip from any to { 255.255.255.255 or me } in
-add 1003 skipto 60000 ip from { 255.255.255.255 or me } to any out
-add 1004 skipto 60000 icmp from { 255.255.255.255 or me } to any out icmptypes 0
-add 1005 skipto 60000 icmp from any to { 255.255.255.255 or me } in icmptypes 8
+{% for item in cp_interface_list %}
+add {{loop.index + 1000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
+add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or me } in via {{item.if}}
+add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or me } to any out via {{item.if}}
+add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or me } to any out via {{item.if}} icmptypes 0
+add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or me } in via {{item.if}} icmptypes 8
+{% endfor %}
 
 {% for item in cp_interface_list %}
 #===================================================================================
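Review bot: The reason for keeping the per-interface loop exists only in the commit message, so the next reader may "simplify" it exactly as PATCH 6 did and silently make the `me` rules, including UDP/53 and ICMP echo, apply on every interface. I would record it in the template directly above `{% for item in cp_interface_list %}`: `# keep the per-interface 'via': without it these 'me' rules also match on wan and expose DNS (53) to the outside`. A smaller style point: all five rules for one interface share the number `loop.index + 1000`, which ipfw accepts but which makes `ipfw show` output harder to relate to the template; a per-rule offset would keep them distinguishable.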