diff options
author | Bill Marquette <billm@pfsense.org> | 2005-03-04 14:54:59 +0000 |
---|---|---|
committer | Bill Marquette <billm@pfsense.org> | 2005-03-04 14:54:59 +0000 |
commit | 28536efd42e0dd96c0bab6035f4b816af053766b (patch) | |
tree | fb0001231536760ec683414285efbb5216574ebc /etc | |
parent | bd4469ce7040095cb7f3c971019264c91dd1bbf9 (diff) | |
download | pfsense-28536efd42e0dd96c0bab6035f4b816af053766b.zip pfsense-28536efd42e0dd96c0bab6035f4b816af053766b.tar.gz |
Fix ftp servers that violate RFC 959 (we aren't Checkpoint, we've got better technology) - this should be a flag under "advanced" though I think
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 39ff5e9..97dbc5c 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -982,7 +982,12 @@ anchor "carp" # enable ftp-proxy anchor "ftpproxy" -pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state +pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state "FTP PROXY: PASV mode data connection" +# Fix sites that violate RFC 959 which specifies that the data connection +# be sourced from the command port - 1 (typicaly port 20) +# This workaround doesn't expose us to any extra risk as we'll still only allow +# connections to the firewall on a port that ftp-proxy is listening on +pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround" # allow access to DHCP server on LAN anchor "dhcpserverlan" |