authorScott Ullrich <sullrich@pfsense.org>2006-09-06 20:31:53 +0000
committerScott Ullrich <sullrich@pfsense.org>2006-09-06 20:31:53 +0000
commitfb47169a22462ffae1b87bd3c4dc69008dcc848a (patch)
tree586d1825fa0993c2734de9b0bd060ce924bd6726 /etc/inc/filter.inc
parent6f57956c57da6a2fc9ece22dde3069bfddd62367 (diff)
Correctly negate IPSEC FTP Helper connections and OpenVPN FTP Helper connections.
Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r--etc/inc/filter.inc13
1 files changed, 5 insertions, 8 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 261ea58..23a9ccf 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -697,6 +697,8 @@ function filter_nat_rules_generate() {
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++)
$iflist['opt' . $i] = "opt{$i}";
$interface_counter = 0;
+ $vpns_list = get_vpns_list();
+ $natrules .= "table <vpns> { $vpns_list }\n";
/* loop through all interfaces and handle pftpx redirections */
foreach ($iflist as $ifent => $ifname) {
$ifname_lower = convert_friendly_interface_to_friendly_descr(strtolower($ifname));
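Review bot: The added table line is emitted even when get_vpns_list() returns an empty string, because the `if($vpns_list)` guard removed in the second hunk has no replacement here; the ruleset then contains `table <vpns> {  }`. Either confirm that the pf version in use accepts an empty list, or branch on it, e.g. `$natrules .= $vpns_list ? "table <vpns> { $vpns_list }\n" : "table <vpns> persist\n";`. The value is also interpolated verbatim into the ruleset, so a short comment stating what get_vpns_list() guarantees about its output (presumably space-separated subnets taken from the config) would help anyone auditing rule generation. The body of filter_nat_rules_generate() starts and ends outside this hunk.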
@@ -710,18 +712,13 @@ function filter_nat_rules_generate() {
$vpns = get_vpns_list();
/* if the user has defined, include the alias so that we do not redirect ftp
connections across the tunnels to pftpx */
- $vpns_list = get_vpns_list();
- if($vpns_list)
- $vpns = "{ $vpns_list }";
- else
- $vpns = "any";
$int_ip = find_interface_ip($tmp_interface);
/* if interface lacks an ip, dont setup a rdr for ftp. they are most likely on a bridged interface */
if($int_ip)
if($ifname_lower) {
- $natrules .= "no rdr on \${$ifname_lower} proto tcp from any to <$vpns> port 21 -> 127.0.0.1 port {$tmp_port}\n";
- $natrules .= "no rdr on \${$ifname_lower} proto tcp from <vpns> to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
- $natrules .= "no rdr on \${$ifname_lower} proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
+ $natrules .= "no rdr on \${$ifname_lower} proto tcp from any to <vpns> port 21\n";
+ $natrules .= "no rdr on \${$ifname_lower} proto tcp from <vpns> to any port 21\n";
+ $natrules .= "rdr on \${$ifname_lower} proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
}
$interface_counter++;
}
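Review bot: The context line `$vpns = get_vpns_list();` at the top of this hunk looks dead on the new side, since its only visible reader was the removed `<$vpns>` rule, yet it still calls the helper once per interface; drop it unless code outside the hunk reads `$vpns`. The new rules depend on pf picking the first matching translation rule, so a comment such as `/* order matters: the no rdr exemptions for <vpns> must come before the catch-all rdr */` above the three lines would keep a later edit from sending tunnel FTP traffic to the proxy again. The unbraced `if($int_ip)` wrapping `if($ifname_lower) {` is easy to misread and would be clearer as `if($int_ip && $ifname_lower) {`. The enclosing foreach loop starts before this hunk and continues past it.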