From f2da545261c049fa0daa1dd37d266e9288f7c4fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Fri, 15 Feb 2019 08:09:05 +0100
Subject: [PATCH] ipfw: only allow traffic to/from me via cp_interfaces
---
 .../service/templates/OPNsense/IPFW/ipfw.conf | 20 ++++++-------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
index 27bcb2e3b..b6db1197d 100644
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -99,22 +99,14 @@ add 202 skipto 60000 ipv6 from any to ::1
 add 203 skipto 60000 ipv4 from any to 127.0.0.0/8
 #======================================================================================
-# Allow traffic to this hosts static ip's
-#======================================================================================
-{% for intf_key,interface in interfaces.iteritems() %}
-{% if intf_key != "wan" and interface.ipaddr not in ["dhcp", "ppp", "pppoe", "l2tp", "pptp"] and interface.ipaddr|default("") != "" %}
-add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or {{interface.ipaddr}} } in
-add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or {{interface.ipaddr}} } to any out
-add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or {{interface.ipaddr}} } to any out icmptypes 0
-add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or {{interface.ipaddr}} } in icmptypes 8
-{% endif %}
-{% endfor %}
-
-#======================================================================================
-# Allow DNS to this host
+# Allow traffic to this host
 #======================================================================================
 {% for item in cp_interface_list %}
-add {{loop.index + 2000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
+add {{loop.index + 1000}} skipto 60000 udp from any to me dst-port 53 via {{item.if}} keep-state
+add {{loop.index + 1000}} skipto 60000 ip from any to { 255.255.255.255 or me } in via {{item.if}}
+add {{loop.index + 1000}} skipto 60000 ip from { 255.255.255.255 or me } to any out via {{item.if}}
+add {{loop.index + 1000}} skipto 60000 icmp from { 255.255.255.255 or me } to any out via {{item.if}} icmptypes 0
+add {{loop.index + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or me } in via {{item.if}} icmptypes 8
 {% endfor %}
 {% for item in cp_interface_list %}