author | Scott Ullrich <sullrich@pfsense.org> | 2006-09-24 23:31:03 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2006-09-24 23:31:03 +0000 |
commit | e9be1e7fb610455e6a8d25f9f1a50a5adb7bbf81 (patch) | |
tree | d11aba17cc8c027f766fe184e7ac4dfc4fb94205 /etc/inc | |
parent | d690d2c94e472154fb1e943617242c7caec5e331 (diff) | |
Move FTP helper pass rules after USER defined rules so that the operator can tweak FTP items.
Patch submitted by: Chris Dionissopoulos <chdio@debug.gr> (pfSense committer)
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/filter.inc | 91 |
1 files changed, 45 insertions, 46 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0428e20..ccd7d11 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1820,52 +1820,6 @@ anchor "carp" EOD; - if(!isset($config['system']['disableftpproxy'])) { - - $ipfrules .= "# enable ftp-proxy\n"; - - $optcfg = array(); - generate_optcfg_array($optcfg); - $ftp_counter = "8022"; - foreach($optcfg as $oc) { - if(!isset($oc['gateway']) && $oc['if'] <> "") { - $ipfrules .= "pass in quick on " . $oc['if'] . " inet proto tcp from any to \$loopback port {$ftp_counter} keep state label \"FTP PROXY: Allow traffic to localhost\"\n"; - $ipfrules .= "pass in quick on " . $oc['if'] . " inet proto tcp from any to \$loopback port 21 keep state label \"FTP PROXY: Allow traffic to localhost\"\n"; - } - $ftp_counter++; - } - - $ipfrules .= <<<EOD - -anchor "ftpproxy" -anchor "pftpx/*" -pass in quick on $lanif inet proto tcp from any to \$loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost" -pass in quick on $lanif inet proto tcp from any to \$loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" -pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" - -EOD; - - - if(isset($config['system']['rfc959workaround'])) { - $ipfrules .= <<<EOD - -# Fix sites that violate RFC 959 which specifies that the data connection -# be sourced from the command port - 1 (typically port 20) -# This workaround doesn't expose us to any extra risk as we'll still only allow -# connections to the firewall on a port that ftp-proxy is listening on -pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround" - -EOD; - - $optcfg = array(); - generate_optcfg_array($optcfg); - foreach($optcfg as $oc) { - if($oc['gateway'] <> "") - $ipfrules .= "pass in quick on {$oc['if']} inet proto tcp from any to ({$oc['if']}) port > 49000 user proxy flags S/SA keep state label \"FTP PROXY: RFC959 violation workaround\" \n"; - } - } - } - $ipfrules .= 
<<<EOD # NAT Reflection rules 
@@ -2462,6 +2416,51 @@ EOD;
 # uPnPd
 anchor "miniupnpd"
+anchor "ftpproxy"
+anchor "pftpx/*"
+pass in quick on $lanif inet proto tcp from any to \$loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
+pass in quick on $lanif inet proto tcp from any to \$loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
+pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
+
+EOD;
+
+ if(!isset($config['system']['disableftpproxy'])) {
+
+ $ipfrules .= "# enable ftp-proxy\n";
+
+ $optcfg = array();
+ generate_optcfg_array($optcfg);
+ $ftp_counter = "8022";
+ foreach($optcfg as $oc) {
+ if(!isset($oc['gateway']) && $oc['if'] <> "") {
+ $ipfrules .= "pass in quick on " . $oc['if'] . " inet proto tcp from any to \$loopback port {$ftp_counter} keep state label \"FTP PROXY: Allow traffic to localhost\"\n";
+ $ipfrules .= "pass in quick on " . $oc['if'] . " inet proto tcp from any to \$loopback port 21 keep state label \"FTP PROXY: Allow traffic to localhost\"\n";
+ }
+ $ftp_counter++;
+ }
+
+ if(isset($config['system']['rfc959workaround'])) {
+ $ipfrules .= <<<EODEOD
+
+# Fix sites that violate RFC 959 which specifies that the data connection
+# be sourced from the command port - 1 (typically port 20)
+# This workaround doesn't expose us to any extra risk as we'll still only allow
+# connections to the firewall on a port that ftp-proxy is listening on
+pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround"
+
+EODEOD;
+
+ $optcfg = array();
+ generate_optcfg_array($optcfg);
+ foreach($optcfg as $oc) {
+ if($oc['gateway'] <> "")
+ $ipfrules .= "pass in quick on {$oc['if']} inet proto tcp from any to ({$oc['if']}) port > 49000 user proxy flags S/SA keep state label \"FTP PROXY: RFC959 violation workaround\" \n";
+ }
+ }
+ }
+
+ $ipfrules .= <<<EOD
+
#--------------------------------------------------------------------------- # default rules (just to be sure) #--------------------------------------------------------------------------- |
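Review bot: The `anchor "ftpproxy"`/`anchor "pftpx/*"` lines and the three `pass in quick ... FTP PROXY` rules that open this hunk are now emitted unconditionally, whereas in the removed block they sat inside `if(!isset($config['system']['disableftpproxy']))`; with the proxy disabled the generated ruleset therefore still passes traffic from `$lanif` to `$loopback` on ports 21 and 8021. To keep the opt-out meaningful, close the surrounding heredoc right after `anchor "miniupnpd"` with `EOD;`, move `if(!isset($config['system']['disableftpproxy'])) {` up to precede the anchor lines, and open a fresh `$ipfrules .= <<<EOD` inside the `if` for them. Separately, the two interface loops test the gateway differently (`!isset($oc['gateway'])` versus `$oc['gateway'] <> ""`), so an interface whose gateway is set to an empty string gets neither the localhost rule nor the RFC 959 rule; a short comment stating which case is intended, or one shared condition, would avoid the surprise. The enclosing function starts and ends outside this hunk.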