authorScott Ullrich <sullrich@pfsense.org>2007-11-05 19:30:58 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-11-05 19:30:58 +0000
commit09fa959eaf17d09d34bcae1cc949f5905513fa72 (patch)
treea6bc904537a0d32c44cd32601b322c5a56883888 /etc
parentcbcc5530b657e6a065e7f8a7cc13b39c196d4c66 (diff)
Automatically permit PFTPX traffic behind the scenes. Without this change multi-wan can break ftp very easily when someone defines rules for the same port range (8020-8029).
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc23
1 files changed, 17 insertions, 6 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 79d75ec..2701c0b 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -44,6 +44,10 @@ if($config['system']['shapertype'] <> "m0n0")
/* holds the items that will be executed *AFTER* the filter is fully loaded */
$after_filter_configure_run = array();
+/* hold the ports being used by pftpx to install the behind the scenes rule that
+ * forces traffic out the primary wan until multi-wan pftpx is all the rage.
+ */
+$used_pftpx_ports = array();
function filter_pflog_start() {
global $config, $g;
@@ -601,7 +605,7 @@ function is_one_to_one_or_server_nat_rule($iptocheck) {
}
function filter_nat_rules_generate() {
- global $config, $g, $after_filter_configure_run;
+ global $config, $g, $after_filter_configure_run, $used_pftpx_ports;
$wancfg = $config['interfaces']['wan'];
$lancfg = $config['interfaces']['lan'];
@@ -995,6 +999,10 @@ function filter_nat_rules_generate() {
}
}
if($ifname_lower) {
+ $temp_array_holder_pftpx = array();
+ $temp_array_holder_pftpx['port'] = $tmp_port;
+ $temp_array_holder_pftpx['interface'] = $tmp_interface;
+ $used_pftpx_ports[] = $temp_array_holder_pftpx;
$natrules .= "rdr on $tmp_interface proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
$natrules .= "rdr on $tmp_interface proto udp from any to any port tftp -> 127.0.0.1 port 6969\n";
}
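Review bot: `$used_pftpx_ports` is initialised once at file load and only ever appended to (the `$used_pftpx_ports[] = $temp_array_holder_pftpx;` line), so if filter_nat_rules_generate() runs more than once in the same process each run adds another copy of every port and the consumer in filter_rules_generate() will emit duplicate pass rules. Resetting the list at the top of filter_nat_rules_generate(), right after its `global` line (which is outside this hunk), `$used_pftpx_ports = array();`, keeps it in step with the rdr rules actually written on this run. `$tmp_port` and `$tmp_interface` are assigned earlier in the enclosing loop, outside the hunk, so I cannot tell from here whether they are checked before being interpolated into the rdr line and, later, the pass rule; the temporary array could also be written inline as `$used_pftpx_ports[] = array('port' => $tmp_port, 'interface' => $tmp_interface);`.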
@@ -2199,7 +2207,7 @@ function generate_user_filter_rule($rule, $ngcounter) {
}
function filter_rules_generate() {
- global $config, $g, $table_cache;
+ global $config, $g, $table_cache, $used_pftpx_ports;
update_filter_reload_status("Creating default rules");
@@ -2314,7 +2322,6 @@ pass out quick on \$loopback all label "pass loopback"
# package manager early specific hook
anchor "packageearly"
-
# carp
anchor "carp"
@@ -2755,8 +2762,6 @@ pass in quick proto udp from any to any port = 5050 keep state label "BigPond he
# package manager late specific hook
anchor "packagelate"
-
-
EOD;
}
@@ -2768,6 +2773,12 @@ EOD;
$ipfrules .= process_carp_rules();
+ $ipfrules .= "\n\n#PFTPX specific\n";
+ foreach($used_pftpx_ports as $pftpx)
+ $ipfrules .= "pass in quick on {$pftpx['interface']} inet proto tcp from any to 127.0.0.1 port {$pftpx['port']} keep state label \"FTP PROXY: Allow traffic to localhost\"\n";
+
+ $ipfrules .= "\n";
+
if (isset($config['filter']['rule'])) {
/* Pre-cache all our rules so we only have to generate them once */
$rule_arr = array();
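Review bot: The generated `pass in quick on {$pftpx['interface']} inet proto tcp from any to 127.0.0.1 port {$pftpx['port']} keep state` rule is appended before the user rule set is processed (the `isset($config['filter']['rule'])` block that follows it), and because it is `quick` and matches `from any`, it takes precedence over any user rule on that interface that tries to restrict FTP from particular hosts; since pf applies the rdr before filtering, a user rule written against port 21 would no longer match the translated packet anyway. If overriding user rules is the intent, the commit message should say so; otherwise consider limiting the source to the interface's subnet or dropping `quick` so user rules still apply. The `#PFTPX specific` header and the trailing `"\n"` are emitted even when `$used_pftpx_ports` is empty, and the brace-less `foreach` is brittle; `if (!empty($used_pftpx_ports)) { foreach ($used_pftpx_ports as $pftpx) { ... } }` avoids an empty section and the one-statement trap. filter_rules_generate() starts outside this hunk.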
@@ -3397,4 +3408,4 @@ function return_vpn_subnet($adr) {
}
-?>
+?> \ No newline at end of file