-rw-r--r--etc/inc/filter.inc18
-rwxr-xr-xusr/local/www/system_advanced.php11
2 files changed, 29 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 68c2de1..13b80be 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -980,15 +980,33 @@ anchor "packageearly"
# carp
anchor "carp"
+EOD;
+
+ if(!isset($config['system']['disableftpproxy'])) {
+ $ipfrules .= <<<EOD
+
# enable ftp-proxy
anchor "ftpproxy"
pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
+
+EOD;
+
+
+ if(isset($config['system']['rfc959workaround'])) {
+ $ipfrules .= <<<EOD
+
# Fix sites that violate RFC 959 which specifies that the data connection
# be sourced from the command port - 1 (typicaly port 20)
# This workaround doesn't expose us to any extra risk as we'll still only allow
# connections to the firewall on a port that ftp-proxy is listening on
pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround"
+EOD;
+ }
+ }
+
+ $ipfrules .= <<<EOD
+
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lanif proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
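Review bot: The RFC 959 workaround rule widens the source match from `port 20` to `any`, so the `user proxy` option is the only thing left that keeps it from admitting arbitrary inbound TCP to ($wanif) ports above 49000; the comment above the rule should state that explicitly so the keyword is not dropped in a later edit, e.g. `# 'user proxy' is what limits this rule to sockets owned by ftp-proxy; without it the rule would open every WAN port > 49000`. The existing wording that the workaround "doesn't expose us to any extra risk" appears to rest on the assumption that ftp-proxy is the only process accepting connections as that user in that port range, which is worth writing down as an assumption rather than a guarantee. "typicaly" on the second comment line is a typo (it recurs in the help text added to system_advanced.php).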
diff --git a/usr/local/www/system_advanced.php b/usr/local/www/system_advanced.php
index 65bc8ae5..684047d 100755
--- a/usr/local/www/system_advanced.php
+++ b/usr/local/www/system_advanced.php
@@ -35,6 +35,7 @@ require("guiconfig.inc");
$pconfig['disablefilter'] = $config['system']['disablefilter'];
$pconfig['disableftpproxy'] = $config['system']['disableftpproxy'];
+$pconfig['rfc959workaround'] = $config['system']['rfc959workaround'];
$pconfig['filteringbridge_enable'] = isset($config['bridge']['filteringbridge']);
$pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']);
$pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr'];
@@ -83,9 +84,13 @@ if ($_POST) {
}
if($_POST['disableftpproxy'] == "yes") {
$config['system']['disableftpproxy'] = "enabled";
+ unset($config['system']['rfc959workaround']);
} else {
unset($config['system']['disableftpproxy']);
}
+ if($_POST['rfc959workaround'] == "yes") {
+ $config['system']['rfc959workaround'] = "enabled";
+ }
$config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? true : false;
$config['diag']['ipv6nat']['enable'] = $_POST['ipv6nat_enable'] ? true : false;
$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
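Review bot: Unchecking the new rfc959workaround box never clears the setting: the added block only assigns `$config['system']['rfc959workaround']` when the POST value is "yes" and has no else branch, so once enabled the workaround stays on until the proxy itself is disabled. It also runs after the `unset` added to the disableftpproxy branch, so a request with both boxes checked re-enables the workaround that line just cleared. Replace the block with `if ($_POST['rfc959workaround'] == "yes" && $_POST['disableftpproxy'] != "yes") {` / `$config['system']['rfc959workaround'] = "enabled";` / `} else { unset($config['system']['rfc959workaround']); }`, after which the unset in the disableftpproxy branch becomes redundant. The enclosing `if ($_POST)` block begins and ends outside the hunk.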
@@ -312,6 +317,12 @@ function enable_change(enable_over) {
<input name="disableftpproxy" type="checkbox" id="disableftpproxy" value="yes" <?php if (isset($config['system']['disableftpproxy'])) echo "checked"; ?> onclick="enable_change(false)">
<strong class="vexpl">Disable the userland FTP-Proxy application</strong><br>
</tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">FTP RFC 959 data port violation workaround</td>
+ <td width="78%" class="vtable">
+ <input name="rfc959workaround" type="checkbox" id="rfc959workaround" value="yes" <?php if (isset($config['system']['rfc959workaround'])) echo "checked"; ?> onclick="enable_change(false)">
+ <strong class="vexpl">Workaround for sites that violate RFC 959 which specifies that the data connection be sourced from the command port - 1 (typicaly port 20). This workaround doesn't expose you to any extra risk as the firewall will still only allow connections on a port that the ftp-proxy is listening on.</strong><br>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncell">Traffic Shaper Scheduler</td>