author | Scott Ullrich <sullrich@pfsense.org> | 2004-11-24 19:46:36 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2004-11-24 19:46:36 +0000 |
commit | 3849b3236ba4d482eeb7547f629644e38b8198c2 (patch) | |
tree | a119aa769e08da2d6c9d1c55a9a754f306dc85e0 | |
parent | ced6bc9a160a59ab901071dd401a71c1c520bff6 (diff) | |
Allow rules to be assigned different state mechanisms such as: keep state, modulate state, synproxy state and none.
-rw-r--r-- | etc/inc/filter.inc | 5 | ||||
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 21 |
2 files changed, 25 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 9beacb6..f41e18e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -945,7 +945,10 @@ EOD;
 if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
 $line .= "flags S/SA ";
- $line .= "keep state ";
+ if( !isset($rule['statetype'] )
+ $line .= "keep state ";
+ else
+ $line .= $rule['statetype'] . " ";
 if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states'] ) ) {
 $line .= "( ";
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 1257de3..1cb3b69 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -146,6 +146,7 @@ if (isset($id) && $a_filter[$id]) {
 $pconfig['log'] = isset($a_filter[$id]['log']);
 $pconfig['frags'] = isset($a_filter[$id]['frags']);
 $pconfig['descr'] = $a_filter[$id]['descr'];
+ $pconfig['statetype'] = $a_filter[$id]['statetype'];
 } else {
@@ -327,6 +328,8 @@ if ($_POST) {
 $filterent['max-src-nodes'] = $_POST['max-src-nodes'];
 $filterent['max-src-states'] = $_POST['max-src-states'];
+ $filterent['statetype'] = $_POST['statetype'];
+
 write_config();
 touch($d_filterconfdirty_path);
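Review bot: The new condition `if( !isset($rule['statetype'] )` closes `isset(` but never closes `if(`, so including filter.inc fails with a parse error; it should read `if (!isset($rule['statetype']))`. The else branch then appends `$rule['statetype']` verbatim into the pf rule text, so whatever string has been stored in the config lands in the ruleset; the save path in firewall_rules_edit.php is the place to constrain it, and a belt-and-braces fallback here would be `$line .= in_array($rule['statetype'], array("keep state", "modulate state", "synproxy state", "none")) ? $rule['statetype'] . " " : "keep state ";`. The `none` choice the form offers would emit the literal word `none`, which as far as I know pf does not accept (its keyword for disabling state tracking is `no state`), so that case presumably needs its own handling rather than the generic concatenation. The enclosing function begins and ends outside this hunk.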
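Review bot: `$filterent['statetype'] = $_POST['statetype'];` stores the posted value without checking it against the four choices the form offers, and filter.inc writes that string straight into the pf rule, so the check belongs at this boundary: `$statetypes = array("keep state", "modulate state", "synproxy state", "none");` / `if (in_array($_POST['statetype'], $statetypes))` / `    $filterent['statetype'] = $_POST['statetype'];`, or reject the submission the way the page handles its other invalid input. Note also that the `<select name"statetype">` added in the later hunk is missing `=` after `name`, so browsers will not submit the field and `$_POST['statetype']` is unset here; it needs `<select name="statetype">`. The surrounding `if ($_POST)` block starts and ends outside this hunk.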
@@ -787,6 +790,24 @@ Hint: the difference between block and reject is that with reject, a packet (TCP
 </td>
 </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">State Type</td>
+ <td width="78%" class="vtable">
+ <select name"statetype">
+ <option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
+ <option value="modulate state" <?php if($pconfig['statetype'] == "modulate state") echo "selected"; ?>>modulate state</option>
+ <option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
+ <option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
+ </select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
+ <p><strong>
+ <table>
+ <tr><td><li>keep state</li></td><td>works with TCP, UDP, and ICMP.</td></tr>
+ <tr><td><li>modulate state</li></td><td>works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) for packets matching this rule.</li></td></tr>
+ <tr><td><li>synproxy state</li></td><td>proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</td></tr>
+ <tr><td><li>none</li></td><td>do not use state mechanisms to keep track. this is only useful if your doing advanced queueing in certain situations. please check the faq.</td></tr>
+ </strong>
+ </td>
+ </tr>
 <tr>
 <td width="22%" valign="top"> </td> |