author | Chris Buechler <cmb@pfsense.org> | 2008-02-09 05:10:30 +0000 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2008-02-09 05:10:30 +0000 |
commit | 3afc4db0d81eb2ab8b0e678b02858e49a390252e (patch) | |
tree | b2fc03f635b3ce3bb57dfd3ea660b52ae51dfea6 | |
parent | 612bb4f3db8fd261e918470880c457a744384bf5 (diff) | |
If antilockout is enabled, and there is only one interface, apply the antilockout rules to the WAN rather than LAN.
-rw-r--r-- | etc/inc/filter.inc | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index dbc6efe..98320d6 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2552,17 +2552,29 @@ EOD;
 if (!isset($config['system']['webgui']['noantilockout'])) {
- if($config['interfaces']['lan'])
+ if($config['interfaces']['lan']) {
 if($lansa and $lansn) {
+ /* if antilockout is enabled, LAN exists and has
+ an IP and subnet mask assigned */
 $ipfrules .= <<<EOD
 # make sure the user cannot lock himself out of the webConfigurator or SSH
 anchor "anti-lockout"
-pass in quick on $lanif from any to $lanip keep state label "anti-lockout web rule"
+pass in quick on $lanif from any to $lanip keep state label "anti-lockout rule"
 EOD;
+ }
+ } else {
+ /* single-interface deployment, add to WAN */
+ $ipfrules .= <<<EOD
+
+# make sure the user cannot lock himself out of the webConfigurator or SSH
+anchor "anti-lockout"
+pass in quick on $wanif from any to $wanip keep state label "anti-lockout rule"
+EOD;
+ }
- }
+ }
 /* PPTPd enabled? */
 if ($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) { |
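Review bot: The new WAN branch emits `pass in quick on $wanif from any to $wanip keep state` with no protocol, port or source restriction, so on a single-interface install every service listening on the WAN address is accepted from any source ahead of later rules, not only the webConfigurator and SSH that the rule comment names. Unlike the LAN branch, which is gated on `$lansa and $lansn`, this branch also does not check that `$wanif` and `$wanip` are set; if `$wanip` can be empty at this point (its assignment is outside the hunk, so this is an assumption to confirm), the generated rule text would be malformed. I would wrap the block in `if($wanif and $wanip) {` and narrow the rule to `pass in quick on $wanif proto tcp from any to $wanip port { <webgui-port> <ssh-port> } keep state label "anti-lockout rule"`, with the two ports taken from the configuration. The enclosing function starts and ends outside this hunk.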