-rw-r--r-- | etc/inc/filter.inc | 26 | ||||
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 17 |
2 files changed, 36 insertions, 7 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index f41e18e..238986a 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -945,10 +945,30 @@ EOD; if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states']) ) $line .= "flags S/SA "; - if( !isset($rule['statetype'] ) + /* + # keep state + works with TCP, UDP, and ICMP. + # modulate state + works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) + for packets matching this rule. + # synproxy state + proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. + This option includes the functionality of keep state and modulate state combined. + # none + do not use state mechanisms to keep track. this is only useful if your doing advanced + queueing in certain situations. please check the faq. + */ + if( !isset($rule['statetype'] ) ) { $line .= "keep state "; - else - $line .= $rule['statetype'] . " "; + } else { + if($rule['statetype'] == "modulate state" or $rule['statetype'] == "synproxy state") { + if($rule['protocol'] == "tcp") + $line .= $rule['statetype'] ; + } else { + if(!$rule['statetype'] == "none") + $line .= $rule['statetype'] ; + } + } if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states'] ) ) { $line .= "( "; diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 1cb3b69..b9ea446 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -117,6 +117,7 @@ function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) if (isset($id) && $a_filter[$id]) { $pconfig['interface'] = $a_filter[$id]['interface']; + $pconfig['statetype'] = $a_filter[$id]['statetype']; if (!isset($a_filter[$id]['type'])) $pconfig['type'] = "pass"; 
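Review bot: In the new else-branch of filter.inc, `if(!$rule['statetype'] == "none")` is parsed as `(!$rule['statetype']) == "none"`, which is false for every non-empty string, so an explicitly saved "keep state" (the value the form submits by default once the select is fixed) never reaches the ruleset; it should read `if($rule['statetype'] != "none")`. The rewritten branches also drop the trailing space the removed `$rule['statetype'] . " "` carried, so whatever is appended next — the `( ` of the source-track block directly below — runs into the keyword. A modulate/synproxy rule whose stored protocol is not `tcp` (for instance one saved with protocol "any", which the form validation in the other file does not reject, and which appears to leave `protocol` unset) now emits no state keyword at all; falling back to `keep state` there looks safer than silently producing a stateless rule, unless that was the intent, in which case a comment saying so would help. The enclosing rule-generation function starts and ends outside the hunk.
```php
if( !isset($rule['statetype'] ) ) {
    $line .= "keep state ";
} else if ($rule['statetype'] == "modulate state" || $rule['statetype'] == "synproxy state") {
    /* pf accepts these two only for TCP; anything else falls back to plain keep state */
    if ($rule['protocol'] == "tcp")
        $line .= $rule['statetype'] . " ";
    else
        $line .= "keep state ";
} else if ($rule['statetype'] != "none") {
    $line .= $rule['statetype'] . " ";
}
// … unchanged: source-track / max-src-* option block …
```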
@@ -146,7 +147,6 @@ if (isset($id) && $a_filter[$id]) { $pconfig['log'] = isset($a_filter[$id]['log']); $pconfig['frags'] = isset($a_filter[$id]['frags']); $pconfig['descr'] = $a_filter[$id]['descr']; - $pconfig['statetype'] = $a_filter[$id]['statetype']; } else { @@ -239,6 +239,15 @@ if ($_POST) { $_POST['dstendport'] = 0; } + //echo "<br>\n\n\nProtocol " . $_POST['protocol']; + //echo "<br>\nState type " . $_POST['statetype']; + //echo "<br>\n\n"; + if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") { + if( $_POST['proto'] == "udp" or $_POST['proto'] == "tcp/udp" or $_POST['proto'] == "icmp") { + $input_errors[] = "You cannot select udp or icmp when using modulate state or synproxy state."; + } + } + if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) { $input_errors[] = "The start source port must be an integer between 1 and 65535."; } @@ -288,6 +297,8 @@ if ($_POST) { $filterent['interface'] = $_POST['interface']; $filterent['creategif'] = $_POST['creategif']; + $filterent['statetype'] = $_POST['statetype']; + if ($_POST['proto'] != "any") $filterent['protocol'] = $_POST['proto']; else @@ -328,8 +339,6 @@ if ($_POST) { $filterent['max-src-nodes'] = $_POST['max-src-nodes']; $filterent['max-src-states'] = $_POST['max-src-states']; - $filterent['statetype'] = $_POST['statetype']; - write_config(); touch($d_filterconfdirty_path); 
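Review bot: The validation added in the `@@ -239` hunk only rejects udp, tcp/udp and icmp, while modulate state and synproxy state are TCP-only in pf, so "any" and every other protocol in the list pass the check and are then written to the config by the `@@ -288` hunk; testing `$_POST['proto'] != "tcp"` instead closes that gap. Since `$filterent['statetype'] = $_POST['statetype'];` stores the submitted value verbatim and filter.inc concatenates it straight into the generated ruleset text, the value should also be checked against the fixed set of keywords the select offers rather than trusted from the form — as written, any unexpected string submitted for `statetype` ends up inside a pf rule. The three commented-out `//echo` debug lines (one of which reads a `$_POST['protocol']` key that does not exist; the field is `proto`) should be dropped rather than committed.
```php
/* statetype is written into the pf ruleset verbatim, so only accept the known keywords */
$valid_statetypes = array("keep state", "modulate state", "synproxy state", "none");
if (!in_array($_POST['statetype'], $valid_statetypes, true)) {
    $input_errors[] = "Invalid state type.";
} else if (($_POST['statetype'] == "modulate state" || $_POST['statetype'] == "synproxy state")
           && $_POST['proto'] != "tcp") {
    $input_errors[] = "Modulate state and synproxy state can only be used with the TCP protocol.";
}
// … unchanged: source port validation …
```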
@@ -793,7 +802,7 @@ Hint: the difference between block and reject is that with reject, a packet (TCP <tr> <td width="22%" valign="top" class="vncell">State Type</td> <td width="78%" class="vtable"> - <select name"statetype"> + <select name="statetype"> <option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option> <option value="modulate state" <?php if($pconfig['statetype'] == "modulate state") echo "selected"; ?>>modulate state</option> <option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option> |
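Review bot: With the `name="statetype"` typo fixed the field is finally submitted, but the `synproxy state` option two lines below is still written as `<option value="synproxy state"<?php ... ?>` with no space before the PHP tag, so when that value is the saved one the emitted markup becomes `value="synproxy state"selected`; add the space the other two options have, `<option value="synproxy state" <?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>`. The `<select>` closes outside the hunk, so I cannot see whether a `none` option matching the `# none` branch documented in filter.inc is rendered.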