authorBill Marquette <billm@pfsense.org>2005-03-04 16:44:03 +0000
committerBill Marquette <billm@pfsense.org>2005-03-04 16:44:03 +0000
commit38560a2579ca902dfcf6a27f0f0ec2c59cf21972 (patch)
tree50d965ae6246de8a8e1d7341fc8d5c82e57482db /etc
parent7fbc79b1f90d8f05ac58c74727f36bff855343c7 (diff)
downloadpfsense-38560a2579ca902dfcf6a27f0f0ec2c59cf21972.zip
pfsense-38560a2579ca902dfcf6a27f0f0ec2c59cf21972.tar.gz
Make RFC959 data port workaround configurable - default to disabled
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc18
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 68c2de1..13b80be 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -980,15 +980,33 @@ anchor "packageearly"
# carp
anchor "carp"
+EOD;
+
+ if(!isset($config['system']['disableftpproxy'])) {
+ $ipfrules .= <<<EOD
+
# enable ftp-proxy
anchor "ftpproxy"
pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
+
+EOD;
+
+
+ if(isset($config['system']['rfc959workaround'])) {
+ $ipfrules .= <<<EOD
+
# Fix sites that violate RFC 959 which specifies that the data connection
# be sourced from the command port - 1 (typicaly port 20)
# This workaround doesn't expose us to any extra risk as we'll still only allow
# connections to the firewall on a port that ftp-proxy is listening on
pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround"
+EOD;
+ }
+ }
+
+ $ipfrules .= <<<EOD
+
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lanif proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
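Review bot: The comment kept above the workaround rule still says the rule "doesn't expose us to any extra risk", which is at odds with this commit making it opt-in and off by default; the rule drops the `from port 20` match of the regular PASV rule in favour of `from any`, so the only remaining restriction is the `user proxy` socket-owner clause, and any proxy-owned listening socket above 49000 on the WAN address becomes reachable from any source. I would replace those two comment lines with `# This rule accepts data connections from any source port; the only remaining restriction is the 'user proxy' socket-owner match, so it is off by default and should only be enabled when a required site violates RFC 959.` and note the `rfc959workaround` key there so an operator reading the ruleset knows where it is switched on. The `rfc959workaround` check is correctly nested inside the `disableftpproxy` guard, so the workaround rule cannot be emitted without the main ftp-proxy rule and anchor it depends on. The two consecutive blank `+` lines before the `rfc959workaround` check and the mixed indentation of the new `if` blocks are minor style nits worth tidying. The enclosing function starts before and ends after this hunk.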