author | Seth Mos <seth.mos@xs4all.nl> | 2009-09-23 21:26:18 +0200 |
committer | Seth Mos <seth.mos@xs4all.nl> | 2009-09-23 21:26:18 +0200 |
commit | 941fb7b4a602124599c81cc8ad688f888779c327 (patch) | |
tree | 53329c43779d59e893b220c00ae1327cb934832e /etc | |
parent | 92c5013cb7a96b5b05b66972e876d100fe86f404 (diff) | |
Only create an rdr for local interfaces which is destined for the actual address we have a port forward for.
This prevents people from ending up in our netcat code for reflection when trying to access other websites.
Should fix Issue #99
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 9504a00..a098915 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -623,13 +623,23 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port)
 /* do not process interfaces with gateways*/
 if (interface_has_gateway($ifent))
 continue;
- if($extport[1])
+
+ if($extport[1]) {
 $range_end = ($extport[1]);
- else
+ } else {
 $range_end = ($extport[0]);
+ }
 $range_end++;
+ if (alias_expand($rule['external-address'])) {
+ $extaddr = alias_expand($extaddr);
+ } else if ($rule['external-address'] <> "") {
+ $extaddr = $rule['external-address'];
+ } else {
+ $extaddr = $FilterIflist[$rule['interface']]['ip'];
+ }
 if($rule['local-port'])
 $lrange_start = $rule['local-port'];
+
 if($range_end - $extport[0] > 500) {
 $range_end = $extport[0]+1;
 log_error("Not installing nat reflection rules for a port range > 500");
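Review bot: In the new `$extaddr` block the alias branch tests `alias_expand($rule['external-address'])` but then assigns `alias_expand($extaddr)`, and `$extaddr` has not been set anywhere earlier in the hunk, so an alias-valued external address is expanded from a stale or undefined variable instead of from the rule; the line should read `$extaddr = alias_expand($rule['external-address']);`, ideally computing the expansion once into a local and testing that result. Because the commit's purpose is to limit the reflection rdr to the configured external address, this branch presumably leaves the alias case with an empty or wrong destination, so it is worth confirming where `$extaddr` is consumed, which is outside this hunk. As a minor style point, `<> ""` is the loose inequality; `!== ''` is the conventional form. `filter_generate_reflection` starts before and continues after this hunk.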