diff options
| author | jim-p <jimp@pfsense.org> | 2012-05-25 12:13:25 -0400 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2012-05-25 12:14:34 -0400 |
| commit | 31f0ef215e7cc089f9d00f9432a298ffd494be05 (patch) | |
| tree | ea7feccf850bd6883d22782587424568c5eba211 /etc/inc | |
| parent | ac10faad42081ccfe48a37aa9814bc4684ffb701 (diff) | |
| download | pfsense-31f0ef215e7cc089f9d00f9432a298ffd494be05.zip pfsense-31f0ef215e7cc089f9d00f9432a298ffd494be05.tar.gz | |
Switch to a common function to determine anti-lockout ports, and fix a bug that was getting the ports wrong with custom https+redirect on.
Diffstat (limited to 'etc/inc')
| -rw-r--r-- | etc/inc/filter.inc | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index fc44d6d..2f2dc9f 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2691,17 +2691,8 @@ pass out on \$IPsec all keep state label "IPsec internal host to host" EOD; if(!isset($config['system']['webgui']['noantilockout'])) { - $portarg = 80; - if (isset($config['system']['webgui']['port']) && $config['system']['webgui']['port'] <> "") - $portarg = "{$config['system']['webgui']['port']}"; - if ($config['system']['webgui']['protocol'] == "https") - $portarg .= " 443 "; - $sshport = ""; - if (isset($config['system']['enablesshd'])) { - $sshport = 22; - if($config['system']['ssh']['port'] <> "") - $sshport = $config['system']['ssh']['port']; - } + $alports = filter_get_antilockout_ports(); + if(count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) { /* if antilockout is enabled, LAN exists and has * an IP and subnet mask assigned @@ -2709,7 +2700,7 @@ EOD; $lanif = $FilterIflist['lan']['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { $portarg $sshport } keep state label "anti-lockout rule" +pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule" EOD; } else if (count($config['interfaces']) == 1) { @@ -2717,7 +2708,7 @@ EOD; $wanif = $FilterIflist["wan"]['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { $portarg $sshport } keep state label "anti-lockout rule" +pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule" EOD; } @@ -3332,4 +3323,24 @@ function discover_pkg_rules($ruletype) { return $rules; } +function filter_get_antilockout_ports($wantarray = false) { + global $config; + $lockoutports = array(); + $guiport = ($config['system']['webgui']['protocol'] == "https") ? "443" : "80"; + $guiport = empty($config['system']['webgui']['port']) ? $guiport : $config['system']['webgui']['port']; + $lockoutports[] = $guiport; + + if (($config['system']['webgui']['protocol'] == "https") && !isset($config['system']['webgui']['disablehttpredirect']) && ($guiport != "80")) + $lockoutports[] = "80"; + + if (isset($config['system']['enablesshd'])) + $lockoutports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port']; + + if ($wantarray) + return $lockoutports; + else + return implode(" ", $lockoutports); + +} + ?> |
