From 7bc5bf4d1f6de653c2129ad29a31f83dc50b1b97 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Mon, 31 Oct 2016 21:38:54 +0100 Subject: [PATCH] (filter) move some more static rules --- src/etc/inc/filter.inc | 26 ------------------- src/etc/inc/filter.lib.inc | 15 +++++++++++ .../library/OPNsense/Firewall/FilterRule.php | 6 ++++- 3 files changed, 20 insertions(+), 27 deletions(-) diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index b7dcc01e8..8d861d661 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -2502,19 +2502,6 @@ function filter_rules_generate(&$FilterIflist) $log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : ""; $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : ""; - $ipfrules .= << 'fe80::/10', 'direction' => 'in' ), $defaults['pass'] ); + // block all targetting port 0 + foreach (array('from_port', 'to_port') as $target) { + $fw->registerFilterRule(1, + array('ipprotocol'=>'inet46', 'protocol' => 'tcp/udp', $target => '0'), + $defaults['block'] + ); + } + // CARP defaults + $carp_disabled = empty($config['hasync']) && empty($config['virtualip']['vip']); + $fw->registerFilterRule(1, + array('protocol' => 'carp', 'from' => '(self)', 'direction' => 'in', 'disabled' => $carp_disabled), + $defaults['block'] + ); + $fw->registerFilterRule(1,array('protocol' => 'carp'),$defaults['pass']); + } diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php index 35a866efa..da26ae00c 100644 --- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php +++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php 
@@ -48,7 +48,9 @@ class FilterRule
         'ipprotocol' => 'parsePlain',
         'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
         'from' => 'parsePlain,from {,}',
+        'from_port' => 'parsePlain, port {,}',
         'to' => 'parsePlain,to {,}',
+        'to_port' => 'parsePlain, port {,}',
         'icmp6-type' => 'parsePlain,icmp6-type {,}',
         'state' => 'parseState',
         'label' => 'parsePlain,label ","'
@@ -71,7 +73,7 @@ class FilterRule
      */
     private function parsePlain($value, $prefix="", $suffix="")
     {
-        return empty($value) ? "" : $prefix . $value . $suffix . " ";
+        return $value == '' ? "" : $prefix . $value . $suffix . " ";
     }
 
     /**
@@ -183,6 +185,8 @@ class FilterRule
         $tmp = $this->rule;
         $tmp['interface'] = $interface;
         $tmp['ipprotocol'] = $ipproto;
+        $tmp['from'] = empty($tmp['from']) ? "any" : $tmp['from'];
+        $tmp['to'] = empty($tmp['to']) ? "any" : $tmp['to'];
         // disable rule when interface not found
         if (!empty($interface) && empty($this->interfaceMapping[$interface]['if'])) {
             $tmp['disabled'] = true;
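Review bot: The new comparison in `parsePlain`, `$value == ''`, is loose, so an integer 0 handed in as `from_port`/`to_port` still compares equal to '' on PHP 5/7 and the port clause is silently dropped — combined with the `from`/`to` defaults of "any" added in the third hunk, the "block port 0" rule registered in filter.lib.inc would degrade into an unqualified block of all tcp/udp traffic. The callers in this commit pass the string '0', which works, but nothing in the mapping enforces the type, and PHP 8 flips the `0 == ''` result, so the emitted rule would depend on caller type and runtime version. A strict check that still treats null as absent avoids both problems: `return (string)$value === '' ? "" : $prefix . $value . $suffix . " ";`. Note also that the value is spliced verbatim into pf rule text, as it already was for `from`/`to`; presumably port values are validated before they reach this class, but that is worth confirming for the two new keys.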