author | jim-p <jimp@pfsense.org> | 2010-07-06 17:29:25 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-07-06 17:29:25 -0400 |
commit | f5e74456ce29cee80909a347170e82da6e2dad1e (patch) | |
tree | 120f98972faaf12ba38662dbdf11724624fee64c /etc/inc | |
parent | 86b21903616c360707aaf7cc31868eb2a22e238d (diff) | |
Check for locally configured IPs in DNS rebind checks, so people who port forward from WAN to the LAN IP can still work.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/auth.inc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 75bb08f..d0b261a 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -80,6 +80,20 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 $http_host == $config['system']['hostname'])
 $found_host = true;
 
+ /* Check against locally configured IP addresses, which will catch when someone
+ port forwards WebGUI access from WAN to an internal IP on the router. */
+ if ($found_host == false) {
+ global $FilterIflist;
+ if (empty($FilterIflist)) {
+ require_once('filter.inc');
+ require_once('shaper.inc');
+ filter_generate_optcfg_array();
+ }
+ foreach ($FilterIflist as $iflist)
+ if($iflist['ip'] == $http_host)
+ $found_host = true;
+ }
+
 if($found_host == false) {
 display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding");
 exit; |
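Review bot: The new loop uses a loose `==` in `if($iflist['ip'] == $http_host)`, so an interface entry whose `ip` is empty or unset would compare equal to an empty `$http_host` and set `$found_host`, which lets a request with no usable Host value past the rebind check. I would write it as `if (!empty($iflist['ip']) && $iflist['ip'] === $http_host) { $found_host = true; break; }`, which also stops at the first match and avoids a notice on a missing key. How `$http_host` is derived (for example whether a `:port` suffix is stripped) and what `filter_generate_optcfg_array()` puts into `$FilterIflist` are outside this hunk, so both are worth confirming against this comparison. When `$FilterIflist` is empty, this branch also loads `filter.inc` and `shaper.inc` for any request with an unrecognised Host, before the error form is shown. A short comment on why that cost is acceptable here would help; the enclosing `if (function_exists(...))` block starts and ends outside the hunk.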