-rw-r--r--etc/inc/filter.inc26
-rwxr-xr-xusr/local/www/firewall_rules_edit.php17
2 files changed, 36 insertions, 7 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f41e18e..238986a 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -945,10 +945,30 @@ EOD;
if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
$line .= "flags S/SA ";
- if( !isset($rule['statetype'] )
+ /*
+ # keep state
+ works with TCP, UDP, and ICMP.
+ # modulate state
+ works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs)
+ for packets matching this rule.
+ # synproxy state
+ proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
+ This option includes the functionality of keep state and modulate state combined.
+ # none
+ do not use state mechanisms to keep track. this is only useful if your doing advanced
+ queueing in certain situations. please check the faq.
+ */
+ if( !isset($rule['statetype'] ) ) {
$line .= "keep state ";
- else
- $line .= $rule['statetype'] . " ";
+ } else {
+ if($rule['statetype'] == "modulate state" or $rule['statetype'] == "synproxy state") {
+ if($rule['protocol'] == "tcp")
+ $line .= $rule['statetype'] ;
+ } else {
+ if(!$rule['statetype'] == "none")
+ $line .= $rule['statetype'] ;
+ }
+ }
if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states'] ) ) {
$line .= "( ";
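Review bot: The inner `if(!$rule['statetype'] == "none")` is parsed as `(!$rule['statetype']) == "none"`, i.e. `false == "none"`, which is never true, so a rule whose statetype is an explicit `keep state` (the form's default value, now stored by the firewall_rules_edit.php change) gets no state keyword at all; the intended test is `$rule['statetype'] != "none"`. Both `$line .= $rule['statetype'] ;` lines also dropped the trailing space the removed line appended, so the following `( ` for the source-track options is glued to the keyword. A modulate/synproxy rule whose protocol is not exactly tcp (e.g. "any", which the GUI check does not reject) silently emits nothing instead of degrading to keep state. Depending on the pf version in use a pass rule with no state keyword may be stateless, so these paths change filtering behaviour, not just text layout; the block below rewrites the statetype selection.
```php
if( !isset($rule['statetype']) ) {
    $line .= "keep state ";
} else if( $rule['statetype'] == "modulate state" || $rule['statetype'] == "synproxy state" ) {
    /* modulate/synproxy are TCP-only; fall back to keep state for any other protocol */
    if( isset($rule['protocol']) && $rule['protocol'] == "tcp" )
        $line .= $rule['statetype'] . " ";
    else
        $line .= "keep state ";
} else if( $rule['statetype'] != "none" ) {
    $line .= $rule['statetype'] . " ";
}
```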
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 1cb3b69..b9ea446 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -117,6 +117,7 @@ function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport)
if (isset($id) && $a_filter[$id]) {
$pconfig['interface'] = $a_filter[$id]['interface'];
+ $pconfig['statetype'] = $a_filter[$id]['statetype'];
if (!isset($a_filter[$id]['type']))
$pconfig['type'] = "pass";
@@ -146,7 +147,6 @@ if (isset($id) && $a_filter[$id]) {
$pconfig['log'] = isset($a_filter[$id]['log']);
$pconfig['frags'] = isset($a_filter[$id]['frags']);
$pconfig['descr'] = $a_filter[$id]['descr'];
- $pconfig['statetype'] = $a_filter[$id]['statetype'];
} else {
@@ -239,6 +239,15 @@ if ($_POST) {
$_POST['dstendport'] = 0;
}
+ //echo "<br>\n\n\nProtocol " . $_POST['protocol'];
+ //echo "<br>\nState type " . $_POST['statetype'];
+ //echo "<br>\n\n";
+ if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
+ if( $_POST['proto'] == "udp" or $_POST['proto'] == "tcp/udp" or $_POST['proto'] == "icmp") {
+ $input_errors[] = "You cannot select udp or icmp when using modulate state or synproxy state.";
+ }
+ }
+
if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) {
$input_errors[] = "The start source port must be an integer between 1 and 65535.";
}
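Review bot: The new protocol check is a denylist — it rejects udp, tcp/udp and icmp for modulate/synproxy state but lets "any" and every other non-tcp choice through, while filter.inc only emits those keywords when the protocol is exactly tcp, so such a rule is saved with a state type that is then silently not applied; invert it to `if ($_POST['proto'] != "tcp") $input_errors[] = "modulate state and synproxy state can only be used with TCP.";`. The statetype value itself is never validated before it is written to config and later concatenated into the pf ruleset by filter.inc, so any string an authenticated user submits ends up in rule text; add `if (!in_array($_POST['statetype'], array("keep state", "modulate state", "synproxy state", "none"), true)) $input_errors[] = "Invalid state type.";`. The three commented-out `echo` debug lines should be removed rather than committed. The enclosing `if ($_POST)` block begins before this hunk.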
@@ -288,6 +297,8 @@ if ($_POST) {
$filterent['interface'] = $_POST['interface'];
$filterent['creategif'] = $_POST['creategif'];
+ $filterent['statetype'] = $_POST['statetype'];
+
if ($_POST['proto'] != "any")
$filterent['protocol'] = $_POST['proto'];
else
@@ -328,8 +339,6 @@ if ($_POST) {
$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
$filterent['max-src-states'] = $_POST['max-src-states'];
- $filterent['statetype'] = $_POST['statetype'];
-
write_config();
touch($d_filterconfdirty_path);
@@ -793,7 +802,7 @@ Hint: the difference between block and reject is that with reject, a packet (TCP
<tr>
<td width="22%" valign="top" class="vncell">State Type</td>
<td width="78%" class="vtable">
- <select name"statetype">
+ <select name="statetype">
<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
<option value="modulate state" <?php if($pconfig['statetype'] == "modulate state") echo "selected"; ?>>modulate state</option>
<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
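Review bot: The synproxy `<option>` on the last line is missing the space before the `<?php` tag, so when that entry is selected the markup rendered is `value="synproxy state"selected` — tolerated by most browsers but malformed; change it to `<option value="synproxy state" <?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>` to match the two options above it. The modulate and synproxy lines also read `$pconfig['statetype']` without an `isset()` guard, which raises a notice for a new rule where it is unset; the keep-state line already handles that case and the same `isset($pconfig['statetype']) &&` prefix would silence it here.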