From fb47169a22462ffae1b87bd3c4dc69008dcc848a Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Wed, 6 Sep 2006 20:31:53 +0000
Subject: Correctly negate IPSEC FTP Helper connections and OpenVPN FTP Helper connections.

---
 etc/inc/filter.inc | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 261ea58..23a9ccf 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -697,6 +697,8 @@ function filter_nat_rules_generate() {
 for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++)
 $iflist['opt' . $i] = "opt{$i}";
 $interface_counter = 0;
+ $vpns_list = get_vpns_list();
+ $natrules .= "table { $vpns_list }\n";
 /* loop through all interfaces and handle pftpx redirections */
 foreach ($iflist as $ifent => $ifname) {
 $ifname_lower = convert_friendly_interface_to_friendly_descr(strtolower($ifname));
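Review bot: The table definition added before the interface loop is emitted even when `get_vpns_list()` returns an empty string, whereas the branch removed in the second hunk treated an empty list specially, so with no VPN networks configured the ruleset now carries a table with an empty address body that the two `no rdr` rules in the second hunk then reference. If pfctl rejects an empty table body the whole filter reload fails, and if it accepts it the negation rules are merely dead, so either confirm the empty case loads or guard the table line and the two negation rules with the same condition, e.g. `if ($vpns_list) $natrules .= "table ... { $vpns_list }\n";` (the table name does not survive in this rendering, which shows only `table { $vpns_list }`, so I cannot quote it). A comment on the new line saying what the table is for would help the next reader, e.g. `/* remote networks of the configured VPN tunnels (IPsec/OpenVPN per the commit subject); FTP to or from them must bypass the pftpx redirect */`. filter_nat_rules_generate() begins before this hunk and ends after the second one.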
@@ -710,18 +712,13 @@ function filter_nat_rules_generate() { $vpns = get_vpns_list(); /* if the user has defined, include the alias so that we do not redirect ftp connections across the tunnels to pftpx */ - $vpns_list = get_vpns_list(); - if($vpns_list) - $vpns = "{ $vpns_list }"; - else - $vpns = "any"; $int_ip = find_interface_ip($tmp_interface); /* if interface lacks an ip, dont setup a rdr for ftp. they are most likely on a bridged interface */ if($int_ip) if($ifname_lower) { - $natrules .= "no rdr on \${$ifname_lower} proto tcp from any to <$vpns> port 21 -> 127.0.0.1 port {$tmp_port}\n"; - $natrules .= "no rdr on \${$ifname_lower} proto tcp from to any port 21 -> 127.0.0.1 port {$tmp_port}\n"; - $natrules .= "no rdr on \${$ifname_lower} proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n"; + $natrules .= "no rdr on \${$ifname_lower} proto tcp from any to port 21\n"; + $natrules .= "no rdr on \${$ifname_lower} proto tcp from to any port 21\n"; + $natrules .= "rdr on \${$ifname_lower} proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n"; } $interface_counter++; } -- cgit v1.1
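Review bot: The context line `$vpns = get_vpns_list();` inside the per-interface loop, with the comment after it, is dead on the new side: the three replacement rules no longer interpolate `$vpns`, and the list is already fetched once before the loop in the first hunk, so the lookup is repeated per interface for nothing and both lines should go. As rendered here the two new `no rdr` lines read `from any to port 21` and `from to any port 21`, which suggests the table reference between `to`/`from` and `port` was lost by the page rendering; if the committed lines genuinely lack it, I believe the first exempts every FTP destination from the proxy and the second is not valid pf syntax, so please check against the raw file. The two `no rdr` lines must stay ahead of the `rdr` line as they are, since pf applies the first matching translation rule. filter_nat_rules_generate() continues past the end of this hunk.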