path: root/etc/inc/filter.inc
Commit message [Author, Age, Files, Lines]
* Fixes #610. Do not use the value of mtu blindly test it is set or use 1500 as default. [Ermal, 2010-05-20, 1, -1/+1]
|
* block carp traffic to hosts self to avoid loops. fixes #598 [Scott Ullrich, 2010-05-19, 1, -0/+1]
|
* get rid of flowtable [Chris Buechler, 2010-05-19, 1, -1/+3]
|
* Simplify/optimize code. [Ermal, 2010-05-13, 1, -3/+2]
|
* Add a GUI field to let the user configure the maximum table entries size. [jim-p, 2010-05-13, 1, -0/+5]
|   Resolves #588
|   NOTE: Actual tables, not states.
* Using binat for reflection rules created some NAT issues under certain circumstances. Use rdr with the bitmask address pool type instead. [Erik Fonnesbeck, 2010-05-13, 1, -9/+16]
|
* Don't load the package include files if the packages are out of sync, which can lead to the system not booting properly. Should help with ticket #267. [jim-p, 2010-05-11, 1, -1/+2]
|
* Comment out the linkage of carp with alias members. As it is it does not work and passing 30000 addresses to match is not fun either in some edge cases. [Ermal, 2010-05-10, 1, -2/+6]
|
* Do not install reflection rules for port forwards when the destination is invalid. [Erik Fonnesbeck, 2010-05-08, 1, -0/+2]
|
* Revert changes to reflection for port forwards until finished and approved. [Erik Fonnesbeck, 2010-05-08, 1, -69/+196]
|
* Merge http://gitweb.pfsense.org/pfsense/efonne-new_nat_reflection into master [Erik Fonnesbeck, 2010-05-08, 1, -184/+116]
|\
| * Add backend code for NAT reflection on 1:1 NAT mappings. [Erik Fonnesbeck, 2010-05-04, 1, -9/+30]
| |
| * Removed some redundant/obsolete code that is superseded by the new NAT reflection code. [Erik Fonnesbeck, 2010-05-04, 1, -8/+0]
| |
| * Add the NAT that goes with the reflection redirects. [Erik Fonnesbeck, 2010-05-04, 1, -17/+49]
| |
| * Added reflection redirect rule and rearranged some related code that goes with it. [Erik Fonnesbeck, 2010-05-04, 1, -57/+49]
| |
| * Remove the old reflection implementation and prepare for the new one. [Erik Fonnesbeck, 2010-05-04, 1, -116/+11]
| |
* | The global reference declaration is needed. [Ermal, 2010-05-07, 1, -1/+1]
| |
* | Use a global array to prevent errors on rulesets which have invalid gateways. If such are found do not use the gateway at all. Probably the rule should be skipped too? [Ermal, 2010-05-07, 1, -3/+12]
| |
* | Move auto generated rule for static routes on same subnet. Use sloppy states to speed things up and use flags any in tcp case so sloppy state does not choke. [Ermal, 2010-05-07, 1, -28/+29]
| |
* | Fix the regular expression used in filter_generate_address for OPT subnet so that it only matches the case intended. Ticket #571 [Erik Fonnesbeck, 2010-05-06, 1, -1/+1]
| |
* | Ticket #511. Do not penalize other packages if rules of one package are erroneous during package rule generation. [Ermal, 2010-05-05, 1, -4/+8]
| |
* | Implement tcp flags and sloppy state on the GUI. [Ermal, 2010-05-05, 1, -15/+42]
|/
* Put all of these lines in the block under this condition and remove the irrelevant comment. [Erik Fonnesbeck, 2010-05-04, 1, -4/+2]
|
* When 'No RDR' is set, skip some code that does not apply. [Erik Fonnesbeck, 2010-05-04, 1, -2/+2]
|
* This check is no longer needed here. [Erik Fonnesbeck, 2010-05-04, 1, -13/+11]
|
* Return if not a supported protocol for reflection. [Erik Fonnesbeck, 2010-05-04, 1, -1/+1]
|
* 'pass' is not valid with 'no rdr' [Erik Fonnesbeck, 2010-05-04, 1, -2/+3]
|
* Skip code for generating inetd.conf entries when 'no rdr' is used. [Erik Fonnesbeck, 2010-05-04, 1, -17/+21]
|
* Modify reflection code to avoid having duplicate rule generation code for when the protocol is different. [Erik Fonnesbeck, 2010-05-04, 1, -16/+19]
|
* Reflection can have side effects unexpected to the user with rules using any for destination address, so change any to the interface subnet for reflection rules, which should be closer to the desired behavior in most cases but without the side effect. [Erik Fonnesbeck, 2010-05-04, 1, -1/+18]
|
* Use the same destination address and port in reflection rules as is used in the port forward's main rule. [Erik Fonnesbeck, 2010-05-03, 1, -12/+15]
|
* In reflection rules, fix the end of the port range in port range forwards. [Erik Fonnesbeck, 2010-05-03, 1, -5/+5]
|
* Move the reflection enabled check out of filter_generate_reflection, so this function can be used elsewhere regardless of the system setting for it (in preparation for reflection support on 1:1 NAT mappings). [Erik Fonnesbeck, 2010-05-03, 1, -5/+8]
|
* Various fixes for handling of ports in port forwards. [Erik Fonnesbeck, 2010-05-02, 1, -12/+17]
|   - Removed unused $srcport variable.
|   - Moved setting the $protocol variable to after setting the ports, so it can clear the ports variables when using non-tcp/udp protocols.
|   - Handle a couple extra possible cases for local port.
* Moving reflection's interface listing code to its own function, for use in future NAT reflection improvements. [Erik Fonnesbeck, 2010-05-02, 1, -13/+27]
|
* Fix a check for "any" in port forwards. [Erik Fonnesbeck, 2010-05-02, 1, -1/+1]
|
* Ticket #506. Correctly save dynamic gateways extra parameters. [Ermal, 2010-04-30, 1, -3/+3]
|
* Unbreak this. Seems it needs to be filter for the rules to work. [Ermal, 2010-04-30, 1, -1/+1]
|
* Make sure package rules are last. As the way they are coded they will null out entire rulesets. More work is needed to make them 2.0 compliant but for now this is enough. [Ermal, 2010-04-30, 1, -2/+2]
|
* Allow for each gateway a weight to be chosen if the gateway has to be used in Gateway groups. This will create that many entries in the route-to statement as the weight says. [Ermal, 2010-04-30, 1, -6/+8]
|
* Always generate macros so ruleset does not fail even when the gateway has no members. [Ermal, 2010-04-29, 1, -2/+5]
|
* Generate gateways as macros and then just substitute them during the rules. This allows optimizations and features as repeating the same gateway more than one to be done. [Ermal, 2010-04-29, 1, -61/+66]
|
* Improve NAT Port Forwarding [Renato Botelho, 2010-04-29, 1, -428/+430]
|   New features available are:
|   * Now you can disable a rule
|   * You can define "no rdr" rules
|   * Source type, address and port, with an option "not" for exceptions
|   * Destination type, address and port, with an option "not" for exceptions
|   Implemented by:
|     Carlos Eduardo Ramos <carlos.ramos@bluepex.com>
|     Renato Botelho <renato.botelho@bluepex.com>
|     Vinicius Coque <vinicius.coque@bluepex.com>
|   Reviewed by: cmb and efonne
|   Sponsored by: BluePex Security Solutions
* Resolves #554. Correct path to tftp-proxy. [Ermal, 2010-04-29, 1, -1/+1]
|
* Well there was a reason for this being returned out. Ticket #539. [Ermal, 2010-04-23, 1, -1/+1]
|
* Ticket #528. Do not route-to for local connected subnets. [Ermal, 2010-04-22, 1, -2/+2]
|
* Add a new alias type, urltable, which downloads a file of IP/CIDR addresses and loads them into a pf persist table instead of importing the addresses directly into a traditional alias. This allows for using huge tables of addresses that would otherwise break the GUI and/or fail to load into pf. Part of ticket #512 [jim-p, 2010-04-21, 1, -1/+7]
|
* use 6969 for tftp-proxy [Chris Buechler, 2010-04-17, 1, -3/+3]
|
* Ticket #511. Actually return the rules from all the packages not just the first one. [Ermal, 2010-04-16, 1, -2/+1]
|
* Ticket #508. Make TFTP proxy configurable by System Advanced->Firewall/NAT for several interfaces. [Ermal, 2010-04-16, 1, -2/+9]