| field | value | date / path |
|---|---|---|
| author | Bill Marquette <billm@pfsense.org> | 2005-03-04 16:44:03 +0000 |
| committer | Bill Marquette <billm@pfsense.org> | 2005-03-04 16:44:03 +0000 |
| commit | 38560a2579ca902dfcf6a27f0f0ec2c59cf21972 (patch) | |
| tree | 50d965ae6246de8a8e1d7341fc8d5c82e57482db | /etc/inc |
| parent | 7fbc79b1f90d8f05ac58c74727f36bff855343c7 (diff) | |
| download | pfsense-38560a2579ca902dfcf6a27f0f0ec2c59cf21972.zip | pfsense-38560a2579ca902dfcf6a27f0f0ec2c59cf21972.tar.gz |
Make RFC959 data port workaround configurable - default to disabled
Diffstat (limited to 'etc/inc')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | etc/inc/filter.inc | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 68c2de1..13b80be 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -980,15 +980,33 @@ anchor "packageearly" # carp anchor "carp" +EOD; + + if(!isset($config['system']['disableftpproxy'])) { + $ipfrules .= <<<EOD + # enable ftp-proxy anchor "ftpproxy" pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" + +EOD; + + + if(isset($config['system']['rfc959workaround'])) { + $ipfrules .= <<<EOD + # Fix sites that violate RFC 959 which specifies that the data connection # be sourced from the command port - 1 (typicaly port 20) # This workaround doesn't expose us to any extra risk as we'll still only allow # connections to the firewall on a port that ftp-proxy is listening on pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround" +EOD; + } + } + + $ipfrules .= <<<EOD + # allow access to DHCP server on LAN anchor "dhcpserverlan" pass in quick on $lanif proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN" |
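Review bot: the comment in the `rfc959workaround` block, "This workaround doesn't expose us to any extra risk", overstates the case and should be reworded, because the added rule changes the source match from `from port 20` to `from any`, so the only remaining constraint on an inbound SYN to ($wanif) port > 49000 is `user proxy`, i.e. the listening socket must be owned by ftp-proxy. The rule is therefore only as safe as that owner match and ftp-proxy's own habit of binding a high port solely for an expected data connection; a comment along the lines of "risk is bounded by the `user proxy` match, not eliminated" would describe it accurately. Gating the rule behind an opt-in key (unset by default) and nesting it inside the `!isset(...['disableftpproxy'])` block, so it can never be emitted without the ftp-proxy anchor and the ordinary port-20 rule, is the right structure. Minor: "typicaly" in the same comment should read "typically".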