authorjim-p <jimp@pfsense.org>2012-05-25 12:13:25 -0400
committerjim-p <jimp@pfsense.org>2012-05-25 12:14:34 -0400
commit31f0ef215e7cc089f9d00f9432a298ffd494be05 (patch)
treeea7feccf850bd6883d22782587424568c5eba211 /etc/inc
parentac10faad42081ccfe48a37aa9814bc4684ffb701 (diff)
Switch to a common function to determine anti-lockout ports, and fix a bug that was getting the ports wrong with custom https+redirect on.
Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/filter.inc37
1 files changed, 24 insertions, 13 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index fc44d6d..2f2dc9f 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2691,17 +2691,8 @@ pass out on \$IPsec all keep state label "IPsec internal host to host"
EOD;
if(!isset($config['system']['webgui']['noantilockout'])) {
- $portarg = 80;
- if (isset($config['system']['webgui']['port']) && $config['system']['webgui']['port'] <> "")
- $portarg = "{$config['system']['webgui']['port']}";
- if ($config['system']['webgui']['protocol'] == "https")
- $portarg .= " 443 ";
- $sshport = "";
- if (isset($config['system']['enablesshd'])) {
- $sshport = 22;
- if($config['system']['ssh']['port'] <> "")
- $sshport = $config['system']['ssh']['port'];
- }
+ $alports = filter_get_antilockout_ports();
+
if(count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
/* if antilockout is enabled, LAN exists and has
* an IP and subnet mask assigned
@@ -2709,7 +2700,7 @@ EOD;
$lanif = $FilterIflist['lan']['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { $portarg $sshport } keep state label "anti-lockout rule"
+pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule"
EOD;
} else if (count($config['interfaces']) == 1) {
@@ -2717,7 +2708,7 @@ EOD;
$wanif = $FilterIflist["wan"]['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { $portarg $sshport } keep state label "anti-lockout rule"
+pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule"
EOD;
}
@@ -3332,4 +3323,24 @@ function discover_pkg_rules($ruletype) {
return $rules;
}
+function filter_get_antilockout_ports($wantarray = false) {
+ global $config;
+ $lockoutports = array();
+ $guiport = ($config['system']['webgui']['protocol'] == "https") ? "443" : "80";
+ $guiport = empty($config['system']['webgui']['port']) ? $guiport : $config['system']['webgui']['port'];
+ $lockoutports[] = $guiport;
+
+ if (($config['system']['webgui']['protocol'] == "https") && !isset($config['system']['webgui']['disablehttpredirect']) && ($guiport != "80"))
+ $lockoutports[] = "80";
+
+ if (isset($config['system']['enablesshd']))
+ $lockoutports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port'];
+
+ if ($wantarray)
+ return $lockoutports;
+ else
+ return implode(" ", $lockoutports);
+
+}
+
?>
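Review bot: The web GUI and SSH port values in filter_get_antilockout_ports() come straight from `$config` and end up unescaped inside the `port { ... }` list of a `pass in quick` rule, yet nothing in the function checks that they are valid ports. A malformed `webgui['port']` or `ssh['port']` (for example from a hand-edited or restored config.xml) could make the ruleset fail to load or put unintended tokens into a rule that is matched before user rules; whether the GUI save pages already validate these values is not visible in this diff. I would fall back to the default when the value is not a port, e.g. `$guiport = is_port($config['system']['webgui']['port']) ? $config['system']['webgui']['port'] : $guiport;`, and do the same for the SSH port, assuming util.inc's is_port() is in scope here. A short docblock saying the function returns a space-separated string unless `$wantarray` is true, and that port 80 is added only for https with the redirect enabled, would also help later callers.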