-rw-r--r-- | conf.default/config.xml | 1 | ||||
-rw-r--r-- | etc/inc/config.inc | 97 | ||||
-rw-r--r-- | etc/inc/filter.inc | 157 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 3 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 31 | ||||
-rw-r--r-- | etc/phpshellsessions/restartftphelper | 16 | ||||
-rwxr-xr-x | etc/rc.bootup | 5 | ||||
-rwxr-xr-x | sbin/dhclient-script | 3 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat.php | 7 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_1to1_edit.php | 31 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 39 | ||||
-rwxr-xr-x | usr/local/www/interfaces.php | 22 | ||||
-rw-r--r-- | usr/local/www/system_advanced_firewall.php | 12 |
13 files changed, 7 insertions, 417 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 68ce2e1..adcb5e5 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -199,7 +199,6 @@
 <gateway></gateway>
 <blockpriv/>
 <blockbogons/>
- <disableftpproxy/>
 <dhcphostname></dhcphostname>
 <media></media>
 <mediaopt></mediaopt>
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index eb2daaa..c3cef03 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1181,101 +1181,6 @@ EOD;
 }
 }
-function system_start_ftp_helpers() {
- require_once("interfaces.inc");
- global $config, $g;
-
- mwexec("/usr/bin/killall ftpsesame", true);
-
- /* if list */
- $iflist = get_configured_interface_list();
-
- /* loop through all interfaces and handle ftp-proxy */
- $interface_counter = 0;
- foreach ($iflist as $ifent => $ifname) {
-
- if(interface_has_gateway($ifname)) {
- $interface_counter++;
- continue;
- }
- /* if the ftp proxy is disabled for this interface then kill ftp-proxy
- * instance and continue. note that the helpers for port forwards are
- * launched in a different sequence so we are filtering them out
- * here by not including -c {$port} -g 8021 first.
- */
-
- /* Get the ftp queue for this interface */
- if (isset($config['shaper'][$ifname]['ftpqueue']))
- $shaper_queue = $config['interfaces'][$ifname]['ftpqueue'];
-
- $port = 8021 + $interface_counter;
- if(isset($config['interfaces'][$ifname]['disableftpproxy'])) {
- /* item is disabled. lets ++ the interface counter and
- * keep processing interfaces. kill ftp-proxy if already
- * running for this instance.
- */
- if($g['debug'])
- log_error("Config: FTP proxy disabled for interface {$ifent}");
-
- $helpers = array();
- exec("/bin/ps awwux | /usr/bin/grep \"[/]ftp-proxy\" | /usr/bin/grep \"{$port}\" | /usr/bin/awk '{ print $2 }'", $helpers);
- if(count($helpers > 0)) {
- mwexec("/bin/kill {$helpers[0]}");
- }
- $interface_counter++;
- } else {
- /* grab the current interface IP address */
- $int = convert_friendly_interface_to_real_interface_name($ifname);
- $ip = find_interface_ip($int);
- /* are we in routed mode? no source nat rules and not a outside interface? */
- /* If we have advanced outbound nat we skip the FTP proxy, we use ftpsesame */
- if((isset($config['nat']['advancedoutbound']['enable'])) && (! interface_has_gateway($ifname))) {
- $sourcenat = 0;
- /* we are using advanced outbound nat, are we in routing mode? 
*/
- /* if the interface address lies within a outbound NAT source network we should skip */
- if(! empty($config['nat']['advancedoutbound']['rule'])) {
- foreach($config['nat']['advancedoutbound']['rule'] as $natnetwork) {
- if(ip_in_subnet($ip, $natnetwork['source']['network'])) {
- /* if the interface address is matched in the AON Rule we need the ftp proxy */
- if(is_ipaddr($natnetwork['target']) && ($natnetwork['interface'] == "wan")) {
- $pftpxsourceaddr = "-a {$natnetwork['target']}";
- if($g['debug'])
- log_error("Config: AON: using the external ip source {$pftpxsourceaddr} for the ftp proxy");
- }
- $sourcenat++;
- }
- }
- }
- if($sourcenat == 0) {
- if($g['debug'])
- log_error("Config: No AON rule matched for interface {$ifname} - not using FTP proxy");
- mwexec("/usr/local/sbin/ftpsesame -i $int");
- $interface_counter++;
- continue;
- } else {
- if($g['debug'])
- log_error("Config: AON rule matched for interface {$ifname} - using FTP proxy");
- }
- }
- /* if ftp-proxy is already running then do not launch it again */
- if($g['debug']) {
- log_error("Config: FTP proxy port ($port) enabled for interface {$ifname}");
- }
- $helpers = array();
- exec("/bin/ps awwux | /usr/bin/grep \"[/]ftp-proxy\" | /usr/bin/grep \"{$port}\" | /usr/bin/grep \"{$pftpxsourceaddr}\" | /usr/bin/awk '{ print $2 }'", $helpers);
- if(!$helpers && $ip)
- mwexec("/usr/local/sbin/ftp-proxy {$shaper_queue} -p {$port} {$pftpxsourceaddr} {$ip} -T PFFTPPROXY");
- if(!$ip)
- mwexec("/usr/local/sbin/ftpsesame {$shaper_queue} -i $int");
- $interface_counter++;
- }
- }
- /* support bridged interfaces. even they need ftp mojo */
- if (is_array($config['bridges']['bridged']))
- foreach($config['bridges']['bridged'] as $bridge)
- mwexec("/usr/local/sbin/ftpsesame {$shaper_queue} -i {$bridge['bridgeif']}");
-}
-
 function cleanup_backupcache($revisions = 30) {
 global $g;
 $i = false;
@@ -1463,4 +1368,4 @@ function set_device_perms() {
 if($g['booting'])
 echo ".";
 $config = parse_config();
-?>
\ No newline at end of file
+?>
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 4159321..95f7824 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -242,7 +242,6 @@ function filter_configure_sync() {
 run_plugins("/usr/local/pkg/pf/");
 update_filter_reload_status("Plugins completed.");
 }
- system_start_ftp_helpers();
 /* if time based rules are enabled then swap in the set */
 if($time_based_rules == true) {
 tdr_install_cron(true);
@@ -396,7 +395,6 @@ function generate_optcfg_array()
 $oic['descr'] = $ifdetail;
 $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
 $oic['nonat'] = $oc['nonat'];
- $oic['ftpproxy'] = !isset($oc['disableftpproxy']);
 $oic['alias-address'] = $oc['alias-address'];
 $oic['alias-subnet'] = $oc['alias-subnet'];
 $oic['gateway'] = $oc['gateway'];
@@ -531,69 +529,13 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "
 return $natrule;
 }
-function is_one_to_one_or_server_nat_rule($iptocheck)
-{
- global $config, $target;
- if(isset($config['system']['developerspew'])) {
- $mt = microtime();
- echo "is_one_to_one_or_server_nat_rule() being called $mt\n";
- }
- if($config['nat']['onetoone'] <> "")
- foreach($config['nat']['onetoone'] as $onetoone) {
- if(ip_in_subnet($iptocheck,$onetoone['internal']."/".$onetoone['subnet']) == true)
- return true;
- if($onetoone['internal'] == $target)
- return true;
- }
- if($config['nat']['servernat'] <> "")
- foreach($config['nat']['servernat'] as $onetoone) {
- $int = explode("/", $onetoone['ipaddr']);
- if(ip_in_subnet($iptocheck,$onetoone['ipaddr']."/".$onetoone['subnet']) == true)
- return true;
- if($onetoone['ipaddr'] == $target)
- return true;
- }
- if($config['nat']['rule'] <> "")
- foreach($config['nat']['rule'] as $onetoone) {
- $int = explode("/", $onetoone['target']);
- if(ip_in_subnet($iptocheck,$onetoone['target']."/".$onetoone['subnet']) == true)
- return true;
- if($onetoone['target'] == $target)
- return true;
- }
- return FALSE;
-}
-
 function filter_nat_rules_generate()
 {
 global $config, $g, $after_filter_configure_run, $FilterIflist;
- $natrules .= "nat-anchor \"ftp-proxy/*\"\n";
 $natrules .= "nat-anchor \"natearly/*\"\n";
 $natrules .= "nat-anchor \"natrules/*\"\n\n";
 update_filter_reload_status("Creating 1:1 rules...");
- /* Traverse looking for 1:1 rules that have useftphelper enabled
- * This will prevent NAT from occurring and ftp-proxy should pick up the rest. 
- */
- if (is_array($config['nat']['onetoone']))
- foreach($config['nat']['onetoone'] as $one) {
- if($one['useftphelper']) {
- $int = $FilterIflist[$one['interface']]['if'];
- $external_address = $one['external'];
- $internal_address = $one['internal'];
- if($int && $external_address && $internal_address) {
- $natrules .= "# FTP Helper binat\n";
- $natrules .= "no binat on {$int} proto tcp from any to {$external_address} port 21\n";
- $helpers = exec("/bin/ps awux | /usr/bin/grep \"p 21 -R {$internal_address} -b {$external_address}\" | /usr/bin/grep -v grep");
- if(!$helpers) {
- /* Get the ftp queue for this interface */
- if (isset($config['interfaces'][$rule['interface']]['ftpqueue']))
- $shaper_queue = "-q " . $config['interfaces'][$rule['interface']]['ftpqueue'];
- /* else default queue configured on shaper will get this */
- $after_filter_configure_run[] = "/usr/local/sbin/ftp-proxy -p 21 -R {$internal_address} -b {$external_address} -T PFFTPPROXY {$shaper_queue}";
- }
- }
- }
- }
+ /* any 1:1 mappings? */
 if (is_array($config['nat']['onetoone'])) {
 foreach ($config['nat']['onetoone'] as $natent) {
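Review bot: `is_one_to_one_or_server_nat_rule()` is deleted in this hunk, but no hunk in the diff removes a caller of it; unless it was already unreferenced, a remaining call elsewhere in filter.inc or in the www pages will now fail at filter reload, so the name should be grepped for before merging. The same hunk drops the traversal of the `useftphelper` key on 1:1 entries while the diffstat lists no upgrade step, so existing config.xml files keep stale `useftphelper`, `ftpqueue` and `disableftpproxy` keys — harmless, but worth either pruning in an upgrade step or noting in the commit message. filter_nat_rules_generate() continues past the end of this hunk.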
@@ -743,85 +685,17 @@ function filter_nat_rules_generate()
 $natrules .= "\n# Load balancing anchor\n";
 $natrules .= "rdr-anchor \"relayd/*\"\n";
- update_filter_reload_status("Setting up FTP helper");
- $natrules .= "# FTP proxy\n";
- $natrules .= "rdr-anchor \"ftp-proxy/*\"\n";
+ update_filter_reload_status("Setting up TFTP helper");
+ $natrules .= "# TFTP proxy\n";
 $natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
- $natrules .= "\n";
 $interface_counter = 0;
 $vpns_list = get_vpns_list();
 $direct_networks_list = get_direct_networks_list();
- /* prevent 1:1 ips from ftp-proxy, they will be handled by ftp-sesame */
- if($config['nat']['onetoone'])
- foreach ($config['nat']['onetoone'] as $vipent)
- $onetoone_list .= "{$vipent['internal']} ";
- if($onetoone_list)
- $natrules .= "table <onetoonelist> { $onetoone_list }\n";
 if($vpns_list)
 $natrules .= "table <vpns> { $vpns_list }\n";
 if($direct_networks_list)
 $natrules .= "table <direct_networks> { $direct_networks_list }\n";
- /* loop through all interfaces and handle ftp-proxy redirections */
- foreach ($FilterIflist as $ifent => $ifcfg) {
- if ($ifcfg['ftpproxy'] == false) {
- if($g['debug'])
- log_error("Filter: FTP proxy disabled for interface {$ifcfg['descr']} - ignoring.");
- $interface_counter++;
- continue;
- }
- $realif = $ifcfg['if'];
- $int_ip = $ifcfg['ip'];
- if (!is_ipaddr($int_ip))
- continue;
-
- /* are we in routed mode? no source nat rules and not a outside interface? */
- /* If advanced outbound nat enabled skip FTP proxy, we use ftpsesame */
- if ((isset($config['nat']['advancedoutbound']['enable'])) &&
- (! interface_has_gateway($ifent))) {
- $sourcenat = 0;
- /* we are using advanced outbound nat, are we in routing mode? */
- /* if the interface address lies within a outbound NAT source network we should skip */
- if (! 
empty($config['nat']['advancedoutbound']['rule'])) {
- /* if interface address is matched in the AON Rule we need the ftp proxy */
- foreach($config['nat']['advancedoutbound']['rule'] as $natnetwork)
- if(ip_in_subnet($int_ip, $natnetwork['source']['network']))
- $sourcenat++;
- }
- if($sourcenat == 0) {
- if($g['debug'])
- log_error("Filter: No AON rule matched for interface {$ifcfg['descr']} - not using the FTP proxy");
- $interface_counter++;
- continue;
- } else {
- if($g['debug'])
- log_error("Filter: AON Rule matched for interface {$ifcfg['descr']} - using FTP proxy");
- }
- }
-
- /* if the user has defined, include the alias so that we do not redirect ftp
- * connections across the tunnels to ftp-proxy
- *
- * if interface lacks an ip, dont setup a rdr for ftp.
- * they are most likely on a bridged interface
- */
- if($vpns_list) {
- $natrules .= "no rdr on $realif proto tcp from any to <vpns> port 21\n";
- $natrules .= "no rdr on $realif proto {tcp,udp} from any to <vpns> port tftp\n";
- if($onetoone_list) {
- $natrules .= "no rdr on $realif proto tcp from <onetoonelist> to any port 21\n";
- $natrules .= "no rdr on $realif proto udp from <onetoonelist> to any port tftp\n";
- }
- }
- $tmp_port = 8021 + $interface_counter;
- if($g['debug'])
- log_error("Filter: FTP proxy port ($tmp_port) enabled for interface {$ifcfg['descr']}");
-
- $natrules .= "rdr on $realif proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port {$tmp_port}\n";
- $natrules .= "rdr on $realif proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969\n";
- $interface_counter++;
- }
- $natrules .= "\n";
 /* DIAG: add ipv6 NAT, if requested */
 if (isset($config['diag']['ipv6nat']['enable']) &&
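Review bot: `$interface_counter = 0;`, kept as context right after the new `# TFTP proxy` line, is now dead in this function: the only code that read or incremented it was the removed per-interface ftp-proxy loop, so that line should be removed along with it. The new status text `update_filter_reload_status("Setting up TFTP helper");` also no longer matches what the function emits, because the `rdr ... port tftp ... -> 127.0.0.1 port 6969` redirection and the `no rdr ... <vpns> port tftp` exceptions are deleted together with the FTP ones and only the bare `rdr-anchor "tftp-proxy/*"` survives; if the TFTP helper is meant to keep working the per-interface tftp rdr lines need to stay, otherwise reword the status to something like `"Setting up TFTP proxy anchor"`. filter_nat_rules_generate() starts and ends outside this hunk.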
@@ -1751,8 +1625,6 @@ function filter_rules_generate()
 if(is_ipaddr($cp_interface_ip) and $cp_interface_real)
 $ipfrules .= "pass in quick on {$cp_interface_real} proto tcp from any to {$cp_interface_ip} port { 8000 8001 } keep state\n";
 }
- /* ftp-sesame */
- $ipfrules .= "anchor \"ftpsesame/*\" \n";
 /* relayd */
 $ipfrules .= "anchor \"relayd/*\"\n";
 # BEGIN OF firewall rules
@@ -2005,29 +1877,6 @@ anchor "packagelate"
 EOD;
- $ipfrules .= "\nanchor \"ftp-proxy/*\"\n";
- if(!isset($config['system']['disableftpproxy'])) {
- $ipfrules .= "\n# enable ftp-proxy\n";
- $ipfrules .= "pass in inet proto tcp tagged PFFTPPROXY flags S/SA keep state label \"FTP PROXY: Allow traffic to localhost\"\n";
-
- if (isset($config['system']['rfc959workaround'])) {
- $ipfrules .= <<<EODEOD
-# Fix sites that violate RFC 959 which specifies that the data connection
-# be sourced from the command port - 1 (typically port 20)
-# This workaround doesn't expose us to any extra risk as we'll still only allow
-# connections to the firewall on a port that ftp-proxy is listening on
-
-EODEOD;
- foreach ($FilterIflist as $ftpif => $ftpifcfg) {
- if ($ftpifcfg['ftpproxy'] == true)
- $ipfrules .= <<<EOD
-pass in quick on {$ftpifcfg['if']} inet proto tcp from port 20 to ({$ftpifcfg['if']}) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
-
-EOD;
- }
- }
- }
-
 if (isset($config['filter']['rule'])) {
 $load_ipfw_module = false;
 /* Pre-cache all our rules so we only have to generate them once */
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 66cca75..188df75 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -2695,9 +2695,6 @@ function reload_all_sync() {
 /* start the NTP client */
 system_ntp_configure();
- /* start ftp proxy helpers if they are enabled */
- system_start_ftp_helpers();
-
 /* start the captive portal */
 captiveportal_configure();
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index 57ec851..a2456b3 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -200,12 +200,6 @@ function cleanup_queue_from_rules($queue)
 if ($rule['ackqueue'] == $queue)
 unset($rule['ackqueue']);
 }
- foreach ($config['interfaces'] as $if => $ifdata) {
- if ($ifdata['ftpqueue'] == $queue) {
- unset($config['interfaces'][$if]['ftpqueue']);
- break;
- }
- }
 }
 function cleanup_dnqueue_from_rules($queue)
@@ -957,8 +951,6 @@ function GetEcn() {
 $this->SetQPriority($q['priority']);
 if (isset($q['description']) && $q['description'] != "")
 $this->SetDescription($q['description']);
- if (isset($q['ftpqueue']) && $q['ftpqueue'] <> "")
- set_is_ftp_queue($this->GetInterface(), $this->GetQname());
 $this->SetRed($q['red']);
 $this->SetRio($q['rio']);
 $this->SetEcn($q['ecn']);
@@ -1071,12 +1063,6 @@ function GetEcn() {
 $form .= "<input type=\"checkbox\" id=\"default\" name=\"default\"";
 $form .= "> Default queue<br>";
 }
- /* XXX: TODO Add check to disable this if it has been set on another queue on this interface. */
- $form .= "<input type=\"checkbox\" id=\"ftpqueue\" name=\"ftpqueue\" ";
- if (get_is_ftp_queue($this->GetInterface(), $this->GetQname()))
- $form .= " CHECKED";
- $form .= ">Use this queue for the ftp proxy<br>";
- /* XXX: TODO */
 $form .= "<input type=\"checkbox\" id=\"red\" name=\"red\"";
 if($this->GetRed())
 $form .= " CHECKED";
@@ -3544,23 +3530,6 @@ function &get_unique_dnqueue_list() {
 return $qlist;
 }
-function get_is_ftp_queue($interface, $qname) {
- global $config;
-
- if (isset($config['interfaces'][$interface]['ftpqueue']) &&
- $config['interfaces'][$interface]['ftpqueue'] == $qname)
- return true;
- return false;
-}
-
-function set_is_ftp_queue($interface, $qname) {
- global $config;
-
- if (!is_array($config['interfaces'][$interface]['ftpqueue']))
- $config['interfaces'][$interface]['ftpqueue'] = array();
- $config['interfaces'][$interface]['ftpqueue'] = $qname;
-}
-
 function ref_on_altq_queue_list($parent, $qname) {
 if (isset($GLOBALS['queue_list'][$qname]))
 $GLOBALS['queue_list'][$qname]++;
diff --git a/etc/phpshellsessions/restartftphelper b/etc/phpshellsessions/restartftphelper
deleted file mode 100644
index 61c8803..0000000
--- a/etc/phpshellsessions/restartftphelper
+++ /dev/null
@@ -1,16 +0,0 @@
-! echo "===> Beginning restartftphelper."
-! echo "Killing ftp-proxy if started..."
-= killall ftp-proxy
-! echo "Killing pftpx if started..."
-= killall pftpx
-! echo "Killing ftpsesame if started..."
-= killall ftpsesame
-! echo "Running php function system_start_ftp_helpers()..."
-system_start_ftp_helpers();
-! echo "Checking if ftp-proxy is running..."
-= ps awux | grep "ftp-proxy"
-! echo "Checking if pftpx is running..."
-= ps awux | grep "pftpx"
-! echo "Checking if ftpsesame is running..."
-= ps awux | grep "ftpsesame"
-! echo "===> End of restartftphelper."
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 53bcf1f..b19bf41 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -225,11 +225,6 @@
 /* start IPsec tunnels */
 vpn_ipsec_configure();
- /* start ftp proxy helpers if they are enabled */
- echo "Starting FTP helpers...";
- system_start_ftp_helpers();
- echo "done.\n";
-
 /* start SNMP service */
 services_snmpd_configure();
diff --git a/sbin/dhclient-script b/sbin/dhclient-script
index 0ad09f7..4a0659a 100755
--- a/sbin/dhclient-script
+++ b/sbin/dhclient-script
@@ -66,9 +66,6 @@ add_new_address() {
 $LOGGER "Starting add_new_address()"
- # Kill off old pftpx process.
- kill `ps awux | grep "pftpx -b" | grep -v grep | grep $old_ip_address | cut -d" " -f5`
-
 $LOGGER "ifconfig $interface inet $new_ip_address netmask $new_subnet_mask broadcast $new_broadcast_address $medium"
 $IFCONFIG $interface \
diff --git a/usr/local/www/firewall_nat.php b/usr/local/www/firewall_nat.php
index a11fd8e..9bcc2e6 100755
--- a/usr/local/www/firewall_nat.php
+++ b/usr/local/www/firewall_nat.php
@@ -82,12 +82,7 @@ if (isset($_POST['del_x'])) {
 /* delete selected rules */
 if (is_array($_POST['rule']) && count($_POST['rule'])) {
 foreach ($_POST['rule'] as $rulei) {
- $target = $rule['target'];
- $helpers = exec("/bin/ps awwux | grep pftpx | grep \"{$target}\" | grep -v grep | awk '{ print \$2 }'");
- if($helpers) {
- /* kill ftp proxy helper */
- mwexec("/bin/kill {$helpers}");
- }
+ $target = $rule['target'];
 unset($a_nat[$rulei]);
 }
 write_config();
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php
index cec2cad..116ca79 100755
--- a/usr/local/www/firewall_nat_1to1_edit.php
+++ b/usr/local/www/firewall_nat_1to1_edit.php
@@ -60,7 +60,6 @@ if (isset($id) && $a_1to1[$id]) {
 else
 $pconfig['subnet'] = $a_1to1[$id]['subnet'];
 $pconfig['descr'] = $a_1to1[$id]['descr'];
- $pconfig['useftphelper'] = $a_1to1[$id]['useftphelper'];
 } else {
 $pconfig['subnet'] = 32;
 $pconfig['interface'] = "wan";
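Review bot: In the firewall_nat.php hunk the surviving `+ $target = $rule['target'];` is a leftover: its only consumer was the removed pftpx `exec`/`mwexec` block, and inside `foreach ($_POST['rule'] as $rulei)` nothing assigns `$rule` (at least not within the hunk), so the line copies an undefined or stale value into a variable nobody reads. Drop it and leave the loop body as just `unset($a_nat[$rulei]);`. Even if `$rule` is populated earlier in the page, the assignment is dead and should go.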
@@ -118,20 +117,10 @@ if ($_POST) {
 if (!$input_errors) {
 $natent = array();
- /* Is there a ftp-proxy process running? Kill it off if the items IP is changing. */
- if($a_1to1[$id]['useftphelper']) {
- if($a_1to1[$id]['external'] != $_POST['external'] or
- $a_1to1[$id]['internal'] != $_POST['internal'] or !$_POST['useftphelper']) {
- $helpers = `/bin/ps awux | /usr/bin/grep "p 21 -R {$a_1to1[$id]['internal']} -b {$a_1to1[$id]['external']}" | /usr/bin/grep -v grep | /usr/bin/awk '{ print $2 }'`;
- if($helpers)
- exec("kill $helpers");
- }
- }
 $natent['external'] = $_POST['external'];
 $natent['internal'] = $_POST['internal'];
 $natent['subnet'] = $_POST['subnet'];
 $natent['descr'] = $_POST['descr'];
- $natent['useftphelper'] = $_POST['useftphelper'];
 $natent['interface'] = $_POST['interface'];
 if (isset($id) && $a_1to1[$id])
@@ -181,7 +170,7 @@ include("head.inc");
 <td width="22%" valign="top" class="vncellreq">External subnet</td>
 <td width="78%" class="vtable">
 <input name="external" type="text" class="formfld unknown" id="external" size="20" value="<?=htmlspecialchars($pconfig['external']);?>">
- <select name="subnet" class="formselect" id="subnet" onChange="hideshow_ftphelper();">
+ <select name="subnet" class="formselect" id="subnet" >
 <?php for ($i = 32; $i >= 0; $i--): ?>
 <option value="<?=$i;?>" <?php if ($i == $pconfig['subnet']) echo "selected"; ?>>
 <?=$i;?> 
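Review bot: The rewritten `<select name="subnet" class="formselect" id="subnet" >` keeps a stray space before `>` where the `onChange` attribute was cut out; tidy it to `<select name="subnet" class="formselect" id="subnet">`. The `hideshow_ftphelper()` script it used to call is removed in the following hunk, so no dangling handler is left behind.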
@@ -198,12 +187,6 @@ include("head.inc");
 <br>
 <span class="vexpl">Enter the internal (LAN) subnet for the 1:1 mapping. The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).</span></td>
 </tr>
- <tr id="ftphelperrow">
- <td width="22%" valign="top" class="vncell">Use FTP-Helper</td>
- <td width="78%" class="vtable">
- <input name="useftphelper" type="checkbox" class="formfld unknown" id="useftphelper" <?php if($pconfig['useftphelper']) echo " CHECKED";?> >
- <br><span class="vexpl">Checking this will launch a FTP Helper to assist in PASV NAT rewriting for the FTP protocol.</span></td>
- </tr>
 <tr>
 <td width="22%" valign="top" class="vncell">Description</td>
 <td width="78%" class="vtable">
@@ -221,18 +204,6 @@ include("head.inc");
 </td>
 </tr>
 </table>
-<script type="text/javascript">
- function hideshow_ftphelper() {
- if($('subnet').value == '32') {
- $('ftphelperrow').show();
- } else {
- $('ftphelperrow').hide();
- $('useftphelper').checked = false;
- }
-
- }
- hideshow_ftphelper();
-</script>
 </form>
 <?php include("fend.inc"); ?>
 </body>
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 5fe8fd2..b7a65e4 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -224,45 +224,6 @@ if ($_POST) {
 $config['filter']['rule'][] = $filterent;
- /* auto add rule to external port 21 as well since we are using
- * pftpx to help open up ports automatically
- */
- if($_POST['endport'] == "21") {
- $filterent = array();
- $filterent['interface'] = $_POST['interface'];
- $filterent['protocol'] = $_POST['proto'];
- $filterent['source']['any'] = "";
-
- if($_POST['extaddr'] == "") {
- $filterent['destination']['network'] = "wanip";
- } else {
- $filterent['destination']['address'] = $_POST['extaddr'];
- }
-
- $dstpfrom = $_POST['localbeginport'];
- $dstpto = $dstpfrom + $_POST['endport'] - $_POST['beginport'];
-
- if ($dstpfrom == $dstpto)
- $filterent['destination']['port'] = $dstpfrom;
- else
- $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto;
-
- $filterent['descr'] = "NAT " . $_POST['descr'];
- /* See comment above */
- $filterent['descr'] = substr("NAT " . $_POST['descr'], 0, 63);
-
- $config['filter']['rule'][] = $filterent;
-
- touch($d_filterconfdirty_path);
-
- write_config();
-
- header("Location: firewall_nat.php?savemsg=The%20changes%20have%20been%20saved.%20%20Please%20note%20that%20we%20have%20added%20an%20additional%20rule%20for%20the%20FTP%20helper.");
-
- exit;
-
- }
-
 touch($d_filterconfdirty_path);
 }
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 5f9f2ed..8145ffa 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -136,8 +136,6 @@ $pconfig['pptp_remote'] = $wancfg['remote'];
 $pconfig['pptp_dialondemand'] = isset($wancfg['ondemand']);
 $pconfig['pptp_idletimeout'] = $wancfg['timeout'];
-$pconfig['disableftpproxy'] = isset($wancfg['disableftpproxy']);
-
 $pconfig['dhcphostname'] = $wancfg['dhcphostname'];
 $pconfig['alias-address'] = $wancfg['alias-address'];
 $pconfig['alias-subnet'] = $wancfg['alias-subnet'];
@@ -237,7 +235,6 @@ if ($_POST['apply']) {
 unlink_if_exists("{$g['tmp_path']}/config.cache");
 unlink_if_exists("{$d_landirty_path}");
 interface_configure($if);
- system_start_ftp_helpers();
 reset_carp();
 /* restart snmp so that it binds to correct address */
 services_snmpd_configure();
@@ -421,10 +418,7 @@ if ($_POST) {
 unset($wancfg['local']);
 unset($wancfg['subnet']);
 unset($wancfg['remote']);
- unset($wancfg['disableftpproxy']);
- /* per interface pftpx helper */
- if ($_POST['disableftpproxy'] == "yes")
- $wancfg['disableftpproxy'] = true;
+
 $wancfg['descr'] = remove_bad_chars($_POST['descr']);
 if ($if == "wan" || $if == "lan")
 $wancfg['enable'] = true;
@@ -1396,20 +1390,6 @@ $types = array("none" => "None", "static" => "Static", "dhcp" => "DHCP", "pppoe"
 <td colspan="2" valign="top" height="16"></td>
 </tr>
 <tr>
- <td colspan="2" valign="top" class="listtopic">Other</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">FTP Helper</td>
- <td width="78%" class="vtable">
- <input name="disableftpproxy" type="checkbox" id="disableftpproxy" value="yes" <?php if ($pconfig['disableftpproxy']) echo "checked"; ?> />
- <strong>Disable the userland FTP-Proxy application</strong>
- <br />
- </td>
- </tr>
- <tr>
- <td colspan="2" valign="top" height="16"></td>
- </tr>
- <tr>
 <td colspan="2" valign="top" class="listtopic">Private networks</td>
 </tr>
 <tr>
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index 0843bc7..770634e 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -191,18 +191,6 @@ function update_description(itemnum) {
 <td colspan="2" valign="top" class="listtopic">Firewall Advanced</td>
 </tr>
 <tr>
- <td width="22%" valign="top" class="vncell">FTP server compatibility</td>
- <td width="78%" class="vtable">
- <input name="rfc959workaround" type="checkbox" id="rfc959workaround" value="yes" <?php if (isset($config['system']['rfc959workaround'])) echo "checked"; ?> />
- <strong>Allow data connections from the FTP command port</strong><br/>
- This allows for communication with ftp servers that violate
- RFC 959 by opening data connections from the command port (21).
- These should be opened on the data port(20). This option should
- not expose you to any extra risk as the firewall will still only
- allow connections on a port that ftp-proxy listens on.
- </td>
- </tr>
- <tr>
 <td width="22%" valign="top" class="vncell">IP Do-Not-Fragment compatibility</td>
 <td width="78%" class="vtable">
 <input name="scrubnodf" type="checkbox" id="scrubnodf" value="yes" <?php if (isset($config['system']['scrubnodf'])) echo "checked"; ?> /> |