diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 3fc6b64..efef926 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -188,7 +188,10 @@ function filter_configure_sync() {
 	if ($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
 		/* User defined maximum states in Advanced menu. */
 		$rules .= "set limit states {$config['system']['maximumstates']}\n";
-		$rules .= "set limit src-nodes {$config['system']['maximumstates']}\n";
+	}
+	if ($config['system']['src-nodes'] <> "" && is_numeric($config['system']['src-nodes'])) {
+		/* User defined maximum hosts in Advanced menu. */
+		$rules .= "set limit src-nodes {$config['system']['src-nodes']}\n";
 	}
 	$rules .= "\n";
diff --git a/usr/local/www/system_advanced.php b/usr/local/www/system_advanced.php
index 1832624..03f5956 100755
--- a/usr/local/www/system_advanced.php
+++ b/usr/local/www/system_advanced.php
@@ -47,6 +47,7 @@ $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['filteringbridge_enable'] = isset($config['bridge']['filteringbridge']);
 $pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout'];
 $pconfig['maximumstates'] = $config['system']['maximumstates'];
+$pconfig['src-nodes'] = $config['system']['src-nodes'];
 $pconfig['disablerendevouz'] = $config['system']['disablerendevouz'];
 $pconfig['enableserial'] = $config['system']['enableserial'];
 $pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']);
@@ -80,6 +81,9 @@ if ($_POST) {
 	if ($_POST['maximumstates'] && !is_numericint($_POST['maximumstates'])) {
 		$input_errors[] = "The Firewall Maximum States value must be an integer.";
 	}
+	if ($_POST['src-nodes'] && !is_numericint($_POST['src-nodes'])) {
+		$input_errors[] = "The Firewall Maximum Hosts value must be an integer.";
+	}
 	if ($_POST['tcpidletimeout'] && !is_numericint($_POST['tcpidletimeout'])) {
 		$input_errors[] = "The TCP idle timeout must be an integer.";
 	}
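Review bot: The new src-nodes branch in filter_configure_sync() gates the pf `set limit` line on `is_numeric()`, which also accepts floats, exponent notation and whitespace-padded strings (`"1.5"`, `"1e4"`, `" 500"`), and the value is then interpolated verbatim into the ruleset; a config.xml value that never went through the web form's `is_numericint()` check would therefore yield a `set limit src-nodes` line pfctl rejects, and the whole ruleset load fails. Consider mirroring the form-side check here, `if ($config['system']['src-nodes'] <> "" && is_numericint($config['system']['src-nodes'])) {` (if that helper is in scope for this include), or casting with `(int)` at interpolation time. The existing maximumstates line directly above has the same weakness and the new code copies it. filter_configure_sync() continues outside the hunk.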
@@ -103,6 +107,12 @@ if ($_POST) {
 		if ($_POST['maximumstates'] > 100000000)
 			$input_errors[] = "States must be above 1000 and below 100000000";
 	}
+	if ($_POST['src-nodes'] <> "") {
+		if ($_POST['src-nodes'] < 1000)
+			$input_errors[] = "Hosts must be above 1000 and below 100000000";
+		if ($_POST['src-nodes'] > 100000000)
+			$input_errors[] = "Hosts must be above 1000 and below 100000000";
+	}
 	if ($_POST['sshport'] <> "") {
 		if( ! is_port($_POST['sshport'])) {
 			$input_errors[] = "You must specify a valid port number";
@@ -112,7 +122,7 @@ if ($_POST) {
 			$config['system']['ssh']['sshdkeyonly'] = "enabled";
 		} else {
 			unset($config['system']['ssh']['sshdkeyonly']);
-		}
+		}
 		$config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
 	}
@@ -162,7 +172,7 @@ if ($_POST) {
 		unlink_if_exists("/var/etc/use_pf_pool__stickyaddr");
 	}
-	if($config['interfaces']['wan']['ipaddr'] == "pppoe")
+	if($config['interfaces']['wan']['ipaddr'] == "pppoe")
 		unset($config['system']['lb_use_sticky']);
 	if($_POST['sharednet'] == "yes") {
@@ -194,7 +204,7 @@ if ($_POST) {
 		$config['system']['ipv6allow'] = true;
 	} else {
 		unset($config['system']['ipv6allow']);
-	}
+	}
 	$oldcert = $config['system']['webgui']['certificate'];
 	$oldkey = $config['system']['webgui']['private-key'];
 	$config['system']['webgui']['certificate'] = base64_encode($_POST['cert']);
@@ -232,6 +242,7 @@ if ($_POST) {
 	/* Firewall and ALTQ options */
 	$config['system']['maximumstates'] = $_POST['maximumstates'];
+	$config['system']['src-nodes'] = $_POST['src-nodes'];
 	if($_POST['enablesshd'] == "yes") {
 		$config['system']['enablesshd'] = $_POST['enablesshd'];
@@ -246,7 +257,7 @@ if ($_POST) {
 		unset($config['system']['disablechecksumoffloading']);
 		setup_microcode();
 	}
-
+
 	if($_POST['disableglxsb'] == "yes") {
 		$config['system']['disableglxsb'] = $_POST['disableglxsb'];
 		setup_glxsb();
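Review bot: The two range checks on `$_POST['src-nodes']` push the identical message twice and can be collapsed into one condition, `if ($_POST['src-nodes'] < 1000 || $_POST['src-nodes'] > 100000000)`. The message also says "above 1000 and below 100000000" while the comparisons accept exactly 1000 and 100000000, so either the wording ("between 1000 and 100000000") or the operators should be brought into agreement; the pre-existing maximumstates check it mirrors has the same mismatch. The enclosing `if ($_POST)` block starts and ends outside the hunk.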
@@ -266,7 +277,7 @@ if ($_POST) {
 	} else {
 		unset($config['system']['disablenatreflection']);
 	}
-
+
 	if($_POST['disablereplyto'] == "yes") {
 		$config['filter']['disablereplyto'] = $_POST['disablereplyto'];
 	} else {
@@ -275,7 +286,7 @@ if ($_POST) {
 	// Traffic shaper
 	$config['system']['shapertype'] = $_POST['shapertype'];
-
+
 	$config['ipsec']['preferoldsa'] = $_POST['preferoldsa_enable'] ? true : false;
 	$config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? true : false;
 	$config['filter']['bypassstaticroutes'] = $_POST['bypassstaticroutes'] ? true : false;
@@ -296,8 +307,8 @@ if ($_POST) {
 	setup_serial_port();
-	conf_mount_ro();
-
+	conf_mount_ro();
+	}
 }
@@ -444,7 +455,7 @@ include("head.inc");
This setting no longer exists as it is unnecessary. Filtering occurs on the member interfaces of the bridge and cannot be - disabled. + disabled. @@ -521,7 +532,7 @@ include("head.inc"); /> Disable webConfigurator DNS Rebinding Checks
- When this is unchecked, access to the webConfigurator + When this is unchecked, access to the webConfigurator is protected against DNS Rebinding attacks Check this box to disable this protection if you find that it interferes with webConfigurator access in certain corner cases. @@ -679,12 +690,22 @@ include("head.inc"); + Firewall Maximum Hosts + + +
+ Maximum number of hosts to hold in the firewall memory pool. +
+ Note: Leave this blank for the default of 10000 + + + Disable Auto-added VPN rules onclick="enable_change(false)" /> Disable all auto-added VPN rules.
- Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN. + Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN. @@ -695,7 +716,7 @@ include("head.inc"); Disable reply-to on WAN rules
With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. - When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface. + When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.