-rw-r--r--etc/inc/filter.inc21
-rw-r--r--usr/local/www/system_advanced_firewall.php20
2 files changed, 17 insertions, 24 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5b0ff4a..52bbe31 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -521,8 +521,10 @@ function filter_generate_aliases() {
$aliases .= "table <sshlockout> persist\n";
$aliases .= "table <webConfiguratorlockout> persist\n";
- $aliases .= "#Snort2C table\n";
+ $aliases .= "#pfSnortSam tables\n";
$aliases .= "table <snort2c>\n";
+ $aliases .= "table <pfSnortSamout>\n";
+ $aliases .= "table <pfSnortSamin>\n";
$aliases .= "\ntable <virusprot>\n";
@@ -1738,7 +1740,7 @@ function filter_generate_user_rule($rule) {
update_filter_reload_status("Setting up pass/block rules {$rule['descr']}");
/* do not process reply-to for gateway'd rules */
- if($rule['gateway'] == "" && $aline['direction'] <> "" && interface_has_gateway($rule['interface']) && !isset($config['system']['disablereplyto'])) {
+ if($rule['gateway'] == "" && $aline['direction'] <> "" && interface_has_gateway($rule['interface']) && !isset($rule['disablereplyto'])) {
$rg = get_interface_gateway($rule['interface']);
if(is_ipaddr($rg)) {
$aline['reply'] = "reply-to ( {$ifcfg['if']} {$rg} ) ";
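Review bot: The reply-to opt-out now keys off `$rule['disablereplyto']`, but nothing in this commit migrates an existing `$config['system']['disablereplyto']` setting to the per-rule key, and the global option's storage, POST handling and form are deleted in system_advanced_firewall.php in the same commit. A config that relied on the global flag will therefore get reply-to silently re-enabled on its WAN rules after upgrade, which on a bridged WAN is exactly the case the removed help text warned about. Keeping the old check as a fallback, `!isset($rule['disablereplyto']) && !isset($config['system']['disablereplyto'])`, or adding a config-upgrade step that copies the flag onto each rule, would avoid that. No hunk here adds a way to set `disablereplyto` on a rule, so presumably that lives in a file outside this diff; filter_generate_user_rule starts and ends outside the hunk.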
@@ -1754,7 +1756,7 @@ function filter_generate_user_rule($rule) {
/* Add the load balanced gateways */
$aline['route'] = " \$GW{$rule['gateway']} ";
else
- log_error("The gateway: {$rule['gateway']} is invalid/unkown not using it.");
+ log_error("The gateway: {$rule['gateway']} is invalid or unknown, not using it.");
}
if(isset($rule['protocol'])) {
@@ -2016,9 +2018,11 @@ EOD;
$ipfrules .= <<<EOD
-# snort2c
+# pfSnortSam
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
+block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"
+block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts"
EOD;
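Review bot: The two new block rules, like the snort2c pair above them, are `block quick` without `log`, so a hit on the pfSnortSam tables leaves no firewall log entry and cannot be correlated with the IDS alert that populated the table. Consider `block log quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"` (and the same for the `<pfSnortSamin>` line), or a comment stating that logging is deliberately left to Snort. The heredoc and the function it belongs to start outside the hunk.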
@@ -2167,6 +2171,15 @@ pass in on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 6
pass out on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
EOD;
+ if($config['dhcpd'][$on]['failover_peerip'] <> "") {
+ $ipfrules .= <<<EOD
+# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
+pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover"
+pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover"
+
+EOD;
+ }
+
}
break;
}
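Review bot: `failover_peerip` is interpolated straight into the generated ruleset on the two `pass in` lines with only a non-empty check, so a malformed value yields a rule pfctl rejects, and because the ruleset is loaded as a unit that can leave the firewall on its previous rules rather than failing narrowly. The file already uses `is_ipaddr()` for this kind of check a few hunks up; `if(is_ipaddr($config['dhcpd'][$on]['failover_peerip'])) {` would both validate the value and avoid the notice the `<> ""` comparison raises when the key is absent. Since these rules open UDP 519/520 on the firewall itself, a one-line comment that the peer is a trusted DHCP failover partner would help later readers. The enclosing function and the definitions of `$on` and `$oc` are outside the hunk.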
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index d87bb64..38d12c1 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -56,7 +56,6 @@ $pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout'];
$pconfig['optimization'] = $config['filter']['optimization'];
$pconfig['maximumstates'] = $config['system']['maximumstates'];
$pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
-$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
if (!isset($config['system']['enablebinatreflection']))
$pconfig['disablebinatreflection'] = "yes";
@@ -125,13 +124,6 @@ if ($_POST) {
else
$config['system']['enablebinatreflection'] = "yes";
- if($_POST['disablereplyto'] == "yes") {
- $config['system']['disablereplyto'] = $_POST['disablereplyto'];
- } else {
- unset($config['system']['disablereplyto']);
- }
-
-
if($_POST['enablenatreflectionhelper'] == "yes")
$config['system']['enablenatreflectionhelper'] = "yes";
else
@@ -333,18 +325,6 @@ function update_description(itemnum) {
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">Disable reply-to</td>
- <td width="78%" class="vtable">
- <input name="disablereplyto" type="checkbox" id="disablereplyto" value="yes" <?php if ($pconfig['disablereplyto']) echo "checked"; ?> />
- <strong><?=gettext("Disable reply-to on WAN rules");?></strong>
- <br />
- <?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default." .
- "When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?>
- <br />
- </td>
- </tr>
-
- <tr>
<td colspan="2" class="list" height="12">&nbsp;</td>
</tr>
<?php if(count($config['interfaces']) > 1): ?>