IPsec: Do not allow 0.0.0.0/0 as remote subnet
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 5 Dec 2018 17:10:16 +0000 (17:10 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Feb 2019 18:20:36 +0000 (18:20 +0000)
This renders the whole machine inaccessible

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/vpnmain.cgi

index b65838d..f6791c7 100644 (file)
@@ -305,7 +305,7 @@ sub writeipsecfiles {
                } elsif ($interface_mode eq "vti") {
                        print CONF "\tleftsubnet=0.0.0.0/0\n";
                } else {
-                       print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+                       print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
                }
 
                print CONF "\tleftfirewall=yes\n";
@@ -318,7 +318,7 @@ sub writeipsecfiles {
                        } elsif ($interface_mode eq "vti") {
                                print CONF "\trightsubnet=0.0.0.0/0\n";
                        } else {
-                               print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+                               print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
                        }
                }
 
@@ -3345,13 +3345,19 @@ sub make_algos($$$$$) {
        return &array_unique(\@algos);
 }
 
-sub make_subnets($) {
+sub make_subnets($$) {
+       my $direction = shift;
        my $subnets = shift;
 
        my @nets = split(/\|/, $subnets);
        my @cidr_nets = ();
        foreach my $net (@nets) {
                my $cidr_net = &General::ipcidr($net);
+
+               # Skip 0.0.0.0/0 for remote because this renders the
+               # while system inaccessible
+               next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
                push(@cidr_nets, $cidr_net);
        }