From 8f29ec72fed4467d409a8ea1714eb730483adb06 Mon Sep 17 00:00:00 2001 From: mkasper Date: Wed, 15 Feb 2006 13:41:20 +0000 Subject: [PATCH] Added option to allow IPsec/ESP-encapsulated IP fragments to System: Advanced setup page. git-svn-id: https://svn.m0n0.ch/wall/trunk@92 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- phpconf/config.xml | 1 + phpconf/inc/filter.inc | 10 +++++++--- webgui/system_advanced.php | 9 +++++++++ 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/phpconf/config.xml b/phpconf/config.xml index 5fc84a2..8e9cd57 100644 --- a/phpconf/config.xml +++ b/phpconf/config.xml @@ -344,6 +344,7 @@ + pass Default LAN -> any diff --git a/phpconf/inc/filter.inc b/phpconf/inc/filter.inc index caffe41..ee20ef3 100644 --- a/phpconf/inc/filter.inc +++ b/phpconf/inc/filter.inc @@ -491,6 +491,10 @@ EOD; } } + $out_kf = ""; + if (isset($config['filter']['allowipsecfrags'])) + $out_kf = "keep frags"; + /* XXX - the first section is only needed because ipf refuses to parse rules that have "flags S/SAFR" and proto "tcp/udp" set because UDP does not have flags, but we still want to offer the TCP/UDP protocol @@ -508,7 +512,7 @@ block in $log quick proto tcp all block in $log quick on $lanif all head 100 # let out anything from the firewall host itself and decrypted IPsec traffic -pass out quick on $lanif all keep state +pass out quick on $lanif all keep state $out_kf #--------------------------------------------------------------------------- # group head 200 - WAN interface @@ -516,7 +520,7 @@ pass out quick on $lanif all keep state block in $log quick on $wanif all head 200 # let out anything from the firewall host itself and decrypted IPsec traffic -pass out quick on $wanif all keep state +pass out quick on $wanif all keep state $out_kf EOD; 
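Review bot: `isset($config['filter']['allowipsecfrags'])` in the new `$out_kf` block is true for a stored `false` as well as for `true`, and system_advanced.php (hunk @@ -83) writes `$_POST['allowipsecfrags'] ? true : false`, so an unchecked box leaves a literal `false` in the in-memory `$config` that this test still treats as enabled. The other flags written with that pattern are only read back with `isset()` in the web page itself (hunk @@ -39); this is the first one consumed by rule generation, so whether the stale `false` ever reaches the ruleset depends on whether rules are regenerated from the in-memory config before it is re-read from disk, which is outside the hunk. Testing the value rather than its presence sidesteps the question: `if (!empty($config['filter']['allowipsecfrags']))`. The enclosing function starts and ends outside the hunk.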
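Review bot: `keep frags` is appended to `pass out quick on $lanif all keep state`, a rule that already matches all outbound traffic, so fragment tracking is switched on for every outbound stateful session on LAN, on WAN (hunk @@ -516) and on each optional interface (hunk @@ -533), not only for decrypted IPsec/ESP traffic as the option name and the help text added in system_advanced.php (hunk @@ -237) suggest. The existing comment above the rule already notes that it covers "anything from the firewall host itself and decrypted IPsec traffic", so the wider effect follows from where the token is placed rather than from the new code itself. A comment at the `$out_kf` assignment should say so, e.g. `/* note: enables ipf fragment tracking on every pass-out rule, not only IPsec/ESP traffic */`, and the help text should match. The ruleset heredoc these lines belong to starts outside the hunk.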
@@ -533,7 +537,7 @@ EOD; block in $log quick on {$oc['if']} all head {$ingroup} # let out anything from the firewall host itself and decrypted IPsec traffic -pass out quick on {$oc['if']} all keep state +pass out quick on {$oc['if']} all keep state $out_kf EOD; diff --git a/webgui/system_advanced.php b/webgui/system_advanced.php index 8ccf987..ffcaef5 100755 --- a/webgui/system_advanced.php +++ b/webgui/system_advanced.php @@ -39,6 +39,7 @@ $pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']); $pconfig['key'] = base64_decode($config['system']['webgui']['private-key']); $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']); +$pconfig['allowipsecfrags'] = isset($config['filter']['allowipsecfrags']); $pconfig['expanddiags'] = isset($config['system']['webgui']['expanddiags']); if ($g['platform'] == "generic-pc") $pconfig['harddiskstandby'] = $config['system']['harddiskstandby']; @@ -83,6 +84,7 @@ if ($_POST) { $config['system']['webgui']['private-key'] = base64_encode($_POST['key']); $config['system']['disableconsolemenu'] = $_POST['disableconsolemenu'] ? true : false; $config['system']['disablefirmwarecheck'] = $_POST['disablefirmwarecheck'] ? true : false; + $config['filter']['allowipsecfrags'] = $_POST['allowipsecfrags'] ? true : false; $config['system']['webgui']['expanddiags'] = $_POST['expanddiags'] ? true : false; if ($g['platform'] == "generic-pc") { $oldharddiskstandby = $config['system']['harddiskstandby']; @@ -237,6 +239,13 @@ function enable_change(enable_over) { This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed. + IPsec fragmented packets + + > + Allow fragmented IPsec packets
+ This will cause m0n0wall to allow fragmented IP packets that are encapsulated in IPsec ESP packets.
+ + TCP idle timeout -- 2.25.1