author | Chris Buechler <cmb@pfsense.org> | 2016-04-06 19:50:39 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2016-04-06 19:51:31 -0500 |
commit | 4422bdca8c090d1a92cbb3cbd62a93f1bf9844f0 (patch) | |
tree | 0488676f503c96a15c1fb4e81a977a7fc64fe2e5 /src | |
parent | e3acb913fe8e63ecf800b1cf7213475ea11ebd11 (diff) | |
download | pfsense-4422bdca8c090d1a92cbb3cbd62a93f1bf9844f0.zip pfsense-4422bdca8c090d1a92cbb3cbd62a93f1bf9844f0.tar.gz |
Deprecate references to modulate state. Remove rule allowing TCP 1723 inbound when PPTP client is in use, as that's unnecessary.
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/filter.inc | 5 | ||||
-rw-r--r-- | src/usr/local/www/firewall_rules_edit.php | 6 |
2 files changed, 4 insertions, 7 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 6f0bc46..be293cf 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -2903,11 +2903,9 @@ function filter_generate_user_rule($rule) {
  * # keep state
  * works with TCP, UDP, and ICMP.
  * # modulate state
- * works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs)
- * for packets matching this rule.
+ * deprecated
  * # synproxy state
  * proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
- * This option includes the functionality of keep state and modulate state combined.
  * # none
  * do not use state mechanisms to keep track. this is only useful if your doing advanced
  * queueing in certain situations. please check the faq.
@@ -3360,7 +3358,6 @@ EOD;
 			case "pptp":
 				$ipfrules .= <<<EOD
 # allow PPTP client
-pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
 pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
 EOD;
diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php
index d8f3267..c630435 100644
--- a/src/usr/local/www/firewall_rules_edit.php
+++ b/src/usr/local/www/firewall_rules_edit.php
@@ -452,7 +452,7 @@ if ($_POST) {
 			$reqdfieldsn[] = gettext("Destination");
 		}
 
-		if ($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
+		if ($_POST['statetype'] == "synproxy state") {
 			if ($_POST['proto'] != "tcp") {
 				$input_errors[] = sprintf(gettext("%s is only valid with protocol TCP."), $_POST['statetype']);
 			}
 		}
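Review bot: The replacement comment line `* deprecated` gives the reader no reason and no migration path, and it says nothing about what happens to rules in an existing config that still carry `modulate state`; filter_generate_user_rule's body, which this comment documents, continues outside the hunk. A one-line note would carry the same intent and answer the obvious question: ` * deprecated: no longer offered or validated by the GUI, prefer keep state; existing rules that still specify it are presumably passed through to pf unchanged`. The "passed through unchanged" part is my reading of the commit's intent rather than something visible in this hunk, so confirm it against the generator before committing it to the comment.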
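Review bot: With the edited condition, a POST carrying `statetype` = "modulate state" now passes validation silently for every protocol, because the TCP-only check fires only for synproxy and nothing else in this hunk rejects or warns about the deprecated value. Whether the select still offers the option is outside the hunk (the enclosing `if ($_POST)` block starts before it), but saved configs can still contain it, so the form should either say so or keep the old guard: `if ($_POST['statetype'] == "modulate state") { $input_errors[] = gettext("Modulate state is deprecated; use keep state instead."); }`. If the intent is that old rules stay editable without being touched, retain the TCP-only check for modulate state instead of dropping it, since that was the only validation the value had. Minor style point: these comparisons use `==` on a `$_POST` string; `===` matches the exact-string intent and avoids PHP's loose-comparison surprises.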
@@ -2026,9 +2026,9 @@ events.push(function() {
 				} else if (val == 'sloppy state') {
 					dispstr += 'Sloppy: works with all IP protocols';
 				} else if (val == 'synproxy state') {
-					dispstr += 'Synproxy: proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined';
+					dispstr += 'Synproxy: proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods, at the cost of performance (no SACK or window scaling)';
 				} else if (val == 'none') {
-					dispstr += 'None: Do not use state mechanisms to keep track. This is only useful for doing advanced queueing in certain situations';
+					dispstr += 'None: Do not use state mechanisms to keep track';
 				}
 				dispstr += '</span>'; |
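Review bot: The shortened 'None' help string on the new side drops the only guidance the user had on when disabling state tracking is appropriate, and this is the one option in the list that changes which packets get through: as I understand pf, a rule without state creates no entry, so reply traffic is not matched automatically and needs its own rule. Suggest `dispstr += 'None: Do not use state mechanisms to keep track. Return traffic must be allowed by a separate rule; only useful for advanced queueing';`. The new synproxy sentence asserting "no SACK or window scaling" is a claim about pf's synproxy implementation that cannot be checked from this page; worth confirming against pf.conf(5) before it ships as help text. The enclosing events.push callback starts before this hunk.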