diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 276f07868..0ce4b14a4 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -147,7 +147,7 @@ function filter_core_get_antilockout()
 * @return array containing ports
 * @throws \OPNsense\Base\ModelException
 */
-function filter_core_get_port_alias($aliasname, $aliases=array())
+function filter_core_get_port_alias($aliasname, $aliases = array())
 {
 $response = array();
 $aliases[] = $aliasname;
@@ -163,7 +163,7 @@ function filter_core_get_port_alias($aliasname, $aliases=array())
 }
 }
 } elseif ((is_port($address) || is_portrange($address)) && !in_array($address, $response)) {
- $response[] = $address ;
+ $response[] = $address;
 }
 }
 }
@@ -205,70 +205,80 @@ function filter_core_rules_system($fw, $defaults) global $config; // block All IPv6 except loopback traffic - $fw->registerFilterRule(1, - array('interface' => 'loopback', 'ipprotocol'=>'inet6', 'disabled' => isset($config['system']['ipv6allow']), + $fw->registerFilterRule( + 1, + array('interface' => 'loopback', 'ipprotocol'=>'inet6', 'disabled' => isset($config['system']['ipv6allow']), 'descr' => 'Pass all loopback IPv6', '#ref' => 'system_advanced_firewall.php#ipv6allow'), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']), + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']), '#ref' => 'system_advanced_firewall.php#ipv6allow'), - $defaults['block'] + $defaults['block'] ); // default Deny rule (when no other rules match) - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet46', 'descr' => 'Default deny rule', 'quick' => false), - $defaults['block'] + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet46', 'descr' => 'Default deny rule', 'quick' => false), + $defaults['block'] ); // IPv6 ICMP requirements - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136', + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)'), - $defaults['pass'] + $defaults['pass'] ); // Allow only bare essential icmpv6 packets - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '129,133,134,135,136', + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '129,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)', 'from' => 
'(self)', 'to' => 'fe80::/10,ff02::/16', 'direction' => 'out' ), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16', 'direction' => 'in' ), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)', 'from' => 'ff02::/16', 'to' => 'fe80::/10', 'direction' => 'in' ), - $defaults['pass'] + $defaults['pass'] ); // block all targetting port 0 foreach (array('from_port', 'to_port') as $target) { - $fw->registerFilterRule(1, - array('ipprotocol'=>'inet46', 'protocol' => 'tcp/udp', $target => '0', + $fw->registerFilterRule( + 1, + array('ipprotocol'=>'inet46', 'protocol' => 'tcp/udp', $target => '0', 'descr' => 'block all targetting port 0'), - $defaults['block'] + $defaults['block'] ); } // CARP defaults $carp_disabled = empty($config['hasync']) && empty($config['virtualip']['vip']); - $fw->registerFilterRule(1, - array('protocol' => 'carp', 'descr' => 'CARP defaults', 'ref#' => 'system_hasync.php', + $fw->registerFilterRule( + 1, + array('protocol' => 'carp', 'descr' => 'CARP defaults', 'ref#' => 'system_hasync.php', 'from' => '(self)', 'direction' => 'in', 'disabled' => !$carp_disabled), - $defaults['block'] + $defaults['block'] ); - $fw->registerFilterRule(1,array('protocol' => 'carp'),$defaults['pass']); + $fw->registerFilterRule(1, array('protocol' => 'carp'), $defaults['pass']); // Lockout rules - 
$fw->registerFilterRule(1, - array('protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'sshlockout', 'direction' => 'in', + $fw->registerFilterRule( + 1, + array('protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'sshlockout', 'direction' => 'in', 'to_port' => !empty($config['system']['ssh']['port']) ? $config['system']['ssh']['port'] : 22), - $defaults['block'] + $defaults['block'] ); $webport = '443'; if (!empty($config['system']['webgui']['port'])) { @@ -276,14 +286,15 @@ function filter_core_rules_system($fw, $defaults) } elseif ($config['system']['webgui']['protocol'] == 'http') { $webport = '80'; } - $fw->registerFilterRule(1, - array('protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'webConfiguratorlockout', + $fw->registerFilterRule( + 1, + array('protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'webConfiguratorlockout', 'direction' => 'in','to_port' => $webport), - $defaults['block'] + $defaults['block'] ); // block all in alias - $fw->registerFilterRule(1,array('from' => '', 'descr' => 'virusprot overload table'),$defaults['block']); + $fw->registerFilterRule(1, array('from' => '', 'descr' => 'virusprot overload table'), $defaults['block']); // block bogons and private nets $bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1); 
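Review bot: The CARP defaults rule on the new side spells its reference key `'ref#' => 'system_hasync.php'`, while every other rule in this hunk uses `'#ref'`. If the rule consumer looks up `#ref` to link a generated rule back to its settings page (not visible in this diff), this block rule loses that link and the odd key is carried along as an ordinary rule attribute. Since the line is being rewritten anyway, change it to `'#ref' => 'system_hasync.php',`. filter_core_rules_system starts before and continues after this hunk.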
@@ -291,33 +302,37 @@ function filter_core_rules_system($fw, $defaults) 'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16', 'disablereplyto' => 1); foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) { - $fw->registerFilterRule(5, - array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', + $fw->registerFilterRule( + 5, + array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', 'descr' => "Block bogon IPv4 networks from ".$intfinfo['descr'], '#ref' => "interfaces.php?if=" . $intf . "#blockbogons", 'disabled' => !isset($intfinfo['blockbogons'])), - $bogontmpl + $bogontmpl ); - $fw->registerFilterRule(5, - array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', + $fw->registerFilterRule( + 5, + array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', 'disabled' => !isset($config['system']['ipv6allow']) || !isset($intfinfo['blockbogons']), '#ref' => "interfaces.php?if=" . $intf . "#blockbogons", 'descr' => "Block bogon IPv6 networks from ".$intfinfo['descr']), - $bogontmpl + $bogontmpl ); - $fw->registerFilterRule(5, - array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', + $fw->registerFilterRule( + 5, + array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', '#ref' => "interfaces.php?if=" . $intf . "#blockpriv", 'descr' => "Block private networks from ".$intfinfo['descr'], 'disabled' => !isset($intfinfo['blockpriv'])), - $privtmpl + $privtmpl ); - $fw->registerFilterRule(5, - array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', + $fw->registerFilterRule( + 5, + array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', '#ref' => "interfaces.php?if=" . $intf . "#blockpriv", 'descr' => "Block private networks from ".$intfinfo['descr'], 'from' => 'fc00::/7', 'disabled' => !isset($intfinfo['blockpriv'])), - $privtmpl + $privtmpl ); } 
@@ -325,17 +340,19 @@ function filter_core_rules_system($fw, $defaults) foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) { // allow DHCPv6 client out, before adding bogons (sequence 1, bogons @ 5) if (isset($config['system']['ipv6allow']) && in_array($intfinfo['ipaddrv6'], array("slaac","dhcp6"))) { - $fw->registerFilterRule(1, - array('protocol' => 'udp', 'from' => 'fe80::/10', 'from_port' => 546, 'to' => 'fe80::/10', + $fw->registerFilterRule( + 1, + array('protocol' => 'udp', 'from' => 'fe80::/10', 'from_port' => 546, 'to' => 'fe80::/10', 'interface' => $intf, 'to_port' => 546, 'descr' =>'allow dhcpv6 client in ' . $intfinfo['descr'], '#ref' => 'system_advanced_firewall.php#ipv6allow'), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(1, - array('protocol' => 'udp', 'from_port' => 547,'to_port' => 546, 'direction' => 'in', + $fw->registerFilterRule( + 1, + array('protocol' => 'udp', 'from_port' => 547,'to_port' => 546, 'direction' => 'in', 'interface' => $intf, 'descr' =>'allow dhcpv6 client in ' . $intfinfo['descr'], '#ref' => 'system_advanced_firewall.php#ipv6allow'), - $defaults['pass'] + $defaults['pass'] ); $dhcpv6_opts = array( 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'], 
@@ -354,150 +371,170 @@ function filter_core_rules_system($fw, $defaults) // IPv4 switch (empty($intfinfo['ipaddr']) ? "" : $intfinfo['ipaddr']) { case "pptp": - $fw->registerFilterRule(5, - array('protocol' => 'tcp','to_port' => 1723, 'direction' => 'in', 'statetype' => 'modulate', 'quick' => false, + $fw->registerFilterRule( + 5, + array('protocol' => 'tcp','to_port' => 1723, 'direction' => 'in', 'statetype' => 'modulate', 'quick' => false, '#ref' => "interfaces.php?if=" . $intf . "#type", 'interface' => $intf, 'flags' => 'S/SA', 'descr' =>'allow PPTP client on ' . $intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('protocol' => 'gre', 'direction' => 'in', 'statetype' => 'keep', 'quick' => false, + $fw->registerFilterRule( + 5, + array('protocol' => 'gre', 'direction' => 'in', 'statetype' => 'keep', 'quick' => false, '#ref' => "interfaces.php?if=" . $intf . "#type", 'interface' => $intf, 'descr' =>'allow PPTP client on ' . $intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); break; case "dhcp": - $fw->registerFilterRule(5, - array('protocol' => 'udp', 'direction' => 'in', 'quick' => false, 'from_port' => 67, 'to_port' => 68, + $fw->registerFilterRule( + 5, + array('protocol' => 'udp', 'direction' => 'in', 'quick' => false, 'from_port' => 67, 'to_port' => 68, '#ref' => "interfaces.php?if=" . $intf . "#type", 'interface' => $intf, 'descr' =>'allow DHCP client on ' . $intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('protocol' => 'udp', 'direction' => 'out', 'quick' => false, 'from_port' => 68, 'to_port' => 67, + $fw->registerFilterRule( + 5, + array('protocol' => 'udp', 'direction' => 'out', 'quick' => false, 'from_port' => 68, 'to_port' => 67, '#ref' => "interfaces.php?if=" . $intf . "#type", 'interface' => $intf, 'descr' =>'allow DHCP client on ' . 
$intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); break; default: if (isset($config['dhcpd'][$intf]['enable'])) { - $fw->registerFilterRule(5, - array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '255.255.255.255', + $fw->registerFilterRule( + 5, + array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '255.255.255.255', '#ref' => "services_dhcp.php?if=" . $intf . "#enable", 'to_port' => 67, 'interface' => $intf, 'descr' =>'allow access to DHCP server'), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '(self)', + $fw->registerFilterRule( + 5, + array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '(self)', '#ref' => "services_dhcp.php?if=" . $intf . "#enable", 'to_port' => 67, 'interface' => $intf, 'descr' =>'allow access to DHCP server'), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('protocol' => 'udp', 'direction' => 'out', 'from_port' => 67, 'from' => '(self)', + $fw->registerFilterRule( + 5, + array('protocol' => 'udp', 'direction' => 'out', 'from_port' => 67, 'from' => '(self)', '#ref' => "services_dhcp.php?if=" . $intf . "#enable", 'to_port' => 68, 'interface' => $intf, 'descr' =>'allow access to DHCP server'), - $defaults['pass'] + $defaults['pass'] ); if (!empty($config['dhcpd'][$intf]['failover_peerip'])) { - $fw->registerFilterRule(5, - array('protocol' => 'tcp/udp', 'direction' => 'in', 'to' => '(self)', 'to_port' => '519,520', + $fw->registerFilterRule( + 5, + array('protocol' => 'tcp/udp', 'direction' => 'in', 'to' => '(self)', 'to_port' => '519,520', '#ref' => "services_dhcp.php?if=" . $intf . "#failover_peerip", 'from' => $config['dhcpd'][$intf]['failover_peerip'], 'interface' => $intf, 'descr' =>'allow access to DHCP failover'), - $defaults['pass'] + $defaults['pass'] ); } } break; } // IPv6 - switch(isset($intfinfo['ipaddrv6']) ? 
$intfinfo['ipaddrv6'] : null ) { + switch (isset($intfinfo['ipaddrv6']) ? $intfinfo['ipaddrv6'] : null) { case "6rd": - $fw->registerFilterRule(5, - array('protocol' => '41', 'direction' => 'in', 'from' => $config['interfaces'][$intf]['gateway-6rd'], + $fw->registerFilterRule( + 5, + array('protocol' => '41', 'direction' => 'in', 'from' => $config['interfaces'][$intf]['gateway-6rd'], '#ref' => "interfaces.php?if=" . $intf . "#type6", 'quick'=>false, 'interface' => $intf, 'descr' =>'Allow 6in4 traffic in for 6rd on '.$intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('protocol' => '41', 'direction' => 'out', 'to' => $config['interfaces'][$intf]['gateway-6rd'], + $fw->registerFilterRule( + 5, + array('protocol' => '41', 'direction' => 'out', 'to' => $config['interfaces'][$intf]['gateway-6rd'], '#ref' => "interfaces.php?if=" . $intf . "#type6", 'quick'=>false, 'interface' => $intf, 'descr' =>'Allow 6in4 traffic out for 6rd on '.$intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); break; case "6to4": - $fw->registerFilterRule(5, - array('protocol' => '41', 'direction' => 'in', 'to' => '(self)','interface' => $intf, + $fw->registerFilterRule( + 5, + array('protocol' => '41', 'direction' => 'in', 'to' => '(self)','interface' => $intf, '#ref' => "interfaces.php?if=" . $intf . "#type6", 'quick'=>false, 'descr' =>'Allow 6in4 traffic in for 6to4 on '.$intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('protocol' => '41', 'direction' => 'out', 'from' => '(self)','interface' => $intf, + $fw->registerFilterRule( + 5, + array('protocol' => '41', 'direction' => 'out', 'from' => '(self)','interface' => $intf, '#ref' => "interfaces.php?if=" . $intf . 
"#type6", 'quick'=>false, 'descr' =>'Allow 6in4 traffic out for 6to4 on '.$intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); break; default: - if (isset($config['dhcpdv6'][$intf]['enable']) || isset($intfinfo['track6-interface']) + if (isset($config['dhcpdv6'][$intf]['enable']) || isset($intfinfo['track6-interface']) || (!empty($config['dhcrelay6']['interface']) && in_array($intf, explode(',', $config['dhcrelay6']['interface'])))) { - $fw->registerFilterRule(1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16', + $fw->registerFilterRule( + 1, + array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16', 'to_port' => 546, 'interface' => $intf, 'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'ff02::/16', + $fw->registerFilterRule( + 1, + array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'ff02::/16', 'to_port' => 547, 'interface' => $intf, 'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']), - $defaults['pass'] - ); - $fw->registerFilterRule(1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'ff02::/16', 'to' => 'fe80::/10', + $defaults['pass'] + ); + $fw->registerFilterRule( + 1, + array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'ff02::/16', 'to' => 'fe80::/10', 'to_port' => 547, 'interface' => $intf, 'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']), - $defaults['pass'] - ); - $fw->registerFilterRule(1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => '(self)', + $defaults['pass'] + ); + $fw->registerFilterRule( + 1, + array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => '(self)', 'to_port' => 546, 'interface' => $intf, 'direction' 
=> 'in', 'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']), - $defaults['pass'] - ); - $fw->registerFilterRule(1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => '(self)', 'to' => 'fe80::/10', + $defaults['pass'] + ); + $fw->registerFilterRule( + 1, + array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => '(self)', 'to' => 'fe80::/10', 'from_port' => 547, 'interface' => $intf, 'direction' => 'out', 'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']), - $defaults['pass'] - ); + $defaults['pass'] + ); } break; } } // loopback - $fw->registerFilterRule(5,array('interface' => 'loopback', 'descr' =>'pass loopback'),$defaults['pass']); + $fw->registerFilterRule(5, array('interface' => 'loopback', 'descr' =>'pass loopback'), $defaults['pass']); // out from this Firewall - $fw->registerFilterRule(5,array('direction' => 'out', 'statetype' =>'keep', 'allowopts' => true, - 'quick' => false, "descr" => "let out anything from firewall host itself"), + $fw->registerFilterRule( + 5, + array('direction' => 'out', 'statetype' =>'keep', 'allowopts' => true, + 'quick' => false, "descr" => "let out anything from firewall host itself"), $defaults['pass'] ); // ipsec if (!empty(iterator_to_array($fw->getInterfaceMapping())['enc0'])) { - $fw->registerFilterRule(5, - array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0', + $fw->registerFilterRule( + 5, + array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0', '#ref' => 'vpn_ipsec.php#enable', 'descr' =>'IPsec internal host to host'), - $defaults['pass'] + $defaults['pass'] ); } - foreach(filter_core_get_antilockout() as $lockoutif => $lockoutprts) { + foreach (filter_core_get_antilockout() as $lockoutif => $lockoutprts) { $fw->registerFilterRule( 5, array( 
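Review bot: In the `case "6rd":` branch both protocol 41 pass rules take their peer address straight from `$config['interfaces'][$intf]['gateway-6rd']` with no check that the value is set. How registerFilterRule treats a null or empty `from`/`to` is not visible in this diff, but if it falls back to any address, a 6rd interface saved without a gateway would end up with a pass rule for 6in4 traffic that is not limited to the configured relay. Wrapping the two registrations in `if (!empty($config['interfaces'][$intf]['gateway-6rd'])) {` keeps the rule scoped to the relay. The enclosing function starts and ends outside this hunk.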
@@ -517,15 +554,17 @@ function filter_core_rules_system($fw, $defaults) // TODO: move to pptpd plugin when filter.lib.inc is part of the standard release $pptpdcfg = $config['pptpd']; if (isset($pptpdcfg['mode']) && $pptpdcfg['mode'] == 'server') { - $fw->registerFilterRule(5, - array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate','protocol' => 'tcp', + $fw->registerFilterRule( + 5, + array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate','protocol' => 'tcp', 'to' => '(self)', 'to_port' => '1723', 'quick' => false, 'descr' =>'allow pptpd'), - $defaults['pass'] + $defaults['pass'] ); - $fw->registerFilterRule(5, - array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate', + $fw->registerFilterRule( + 5, + array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate', 'protocol' => 'gre', 'descr' =>'allow pptpd', 'quick' => false), - $defaults['pass'] + $defaults['pass'] ); } @@ -546,15 +585,16 @@ function filter_core_rules_system($fw, $defaults) // only try to add gateway rules for traffic leaving this interface // when the correct protocol is assigned to the interface if (($gwproto == 'inet' && $intf_has_v4) || ($gwproto == 'inet6' && $intf_has_v6)) { - $fw->registerFilterRule(100000, - array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname, + $fw->registerFilterRule( + 100000, + array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname, 'destination' => array('network'=> $ifdescr, "not" => true), 'statetype' => 'keep', 'allowopts' => true, 'quick' => false, '#ref' => 'system_advanced_firewall.php#pf_disable_force_gw', 'descr' => "let out anything from firewall host itself (force gw)"), - $defaults['pass'] + $defaults['pass'] ); } }