author | Scott Ullrich <sullrich@pfsense.org> | 2008-01-31 06:19:51 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2008-01-31 06:19:51 +0000 |
commit | 008da4cf1dfde46a9a1da0b1149ded8670282b85 (patch) | |
tree | b4163cae8fa53fb0e423395746a0fd796c597bc2 | |
parent | 2eaa947d175f5c6738a4836854ee028bf144b04b (diff) | |
Do not pass traffic on user proxy which can cause deadlocks in freebsd
-rw-r--r-- | etc/inc/filter.inc | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 855b3fe..e5c7cd4 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2853,7 +2853,7 @@ EOD;
 pass in quick on $lanif inet proto tcp from any to \$loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
 pass in quick on $lanif inet proto tcp from any to \$loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
-pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
+pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
 EOD;
@@ -2879,7 +2879,7 @@ EOD;
 # be sourced from the command port - 1 (typically port 20)
 # This workaround doesn't expose us to any extra risk as we'll still only allow
 # connections to the firewall on a port that ftp-proxy is listening on
-pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround"
+pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 flags S/SA keep state label "FTP PROXY: RFC959 violation workaround"
 EODEOD;
@@ -2887,7 +2887,7 @@ EODEOD;
 generate_optcfg_array($optcfg);
 foreach($optcfg as $oc) {
 if($oc['gateway'] <> "")
- $ipfrules .= "pass in quick on {$oc['if']} inet proto tcp from any to ({$oc['if']}) port > 49000 user proxy flags S/SA keep state label \"FTP PROXY: RFC959 violation workaround\" \n";
+ $ipfrules .= "pass in quick on {$oc['if']} inet proto tcp from any to ({$oc['if']}) port > 49000 flags S/SA keep state label \"FTP PROXY: RFC959 violation workaround\" \n";
 }
 }
 } |
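Review bot: The retained comment above the second rule (`This workaround doesn't expose us to any extra risk as we'll still only allow connections to the firewall on a port that ftp-proxy is listening on`) no longer holds once `user proxy` is dropped, because that keyword was the only thing tying these rules to sockets owned by the proxy user. As written, the two `from any` rules (here and in the `$optcfg` loop in the third hunk) pass a SYN to any listener on the interface address above port 49000, and the first hunk's PASV rule is limited only by a source port of 20, which the remote side chooses. If the deadlock rules out `user`, I would bound the destination to the port range ftp-proxy is actually configured to use rather than `port > 49000`, and replace the comment with something like `# NOTE: not restricted to ftp-proxy's sockets; any service on ($wanif) above port 49000 is reachable`. The heredocs and the enclosing function begin outside these hunks, so whether an earlier block rule already narrows this cannot be confirmed from here.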