IPsec: Do not allow 0.0.0.0/0 as remote subnet

This renders the whole machine inaccessible

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2018-12-05 17:10:16 +00:00
parent 68e69b676f
commit f2d45a45ab


@@ -305,7 +305,7 @@ sub writeipsecfiles {
} elsif ($interface_mode eq "vti") {
print CONF "\tleftsubnet=0.0.0.0/0\n";
} else {
print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
}
print CONF "\tleftfirewall=yes\n";
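Review bot: The new `($$)` prototype on make_subnets is never enforced at these call sites, because both `&make_subnets("left", ...)` here and `&make_subnets("right", ...)` in the next hunk use the `&` call form, which bypasses prototype checking — a caller that forgets the new direction argument still compiles and silently passes the subnet string as the direction. Either drop the `&` so the arity check applies (`print CONF "\tleftsubnet=" . make_subnets("left", $lconfighash{$key}[8]) . "\n";`) or drop the prototype and validate `$direction` inside the sub. writeipsecfiles starts and ends outside this hunk.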
@@ -318,7 +318,7 @@ sub writeipsecfiles {
} elsif ($interface_mode eq "vti") {
print CONF "\trightsubnet=0.0.0.0/0\n";
} else {
print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
}
}
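Review bot: A remote subnet of 0.0.0.0/0 is now dropped silently inside make_subnets rather than rejected, so the `rightsubnet=` written on the line above can differ from what the administrator configured without any message; if 0.0.0.0/0 was the only entry, the value is whatever make_subnets returns for an empty list, which lies outside this hunk. Consider logging a warning when an entry is skipped and, preferably, rejecting 0.0.0.0/0 as a remote subnet at input time so the user sees the error instead of a tunnel that quietly covers less than the form said. The check is a string `eq` against the output of General::ipcidr, so it only catches the canonical form that helper produces — I cannot see the helper from here. The vti branch (`print CONF "\trightsubnet=0.0.0.0/0\n";`) is intentionally unaffected; a one-line comment there saying so would stop the next reader from "fixing" it.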
@@ -3345,13 +3345,19 @@ sub make_algos($$$$$) {
return &array_unique(\@algos);
}
sub make_subnets($) {
sub make_subnets($$) {
my $direction = shift;
my $subnets = shift;
my @nets = split(/\|/, $subnets);
my @cidr_nets = ();
foreach my $net (@nets) {
my $cidr_net = &General::ipcidr($net);
# Skip 0.0.0.0/0 for remote because this renders the
# while system inaccessible
next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
push(@cidr_nets, $cidr_net);
}