Bug #3429

closed

Modify anti-lockout pf rule to use "no state"

Added by Tobias Wigand about 10 years ago. Updated over 8 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 02/02/2014
% Done: 0%
Affected Version: 2.1
Affected Architecture: All

Description

When flushing states one gets kicked out of pfSense management (HTTP/SSH).
I would suggest to modify the anti-lockout rule in filter.inc like this, using the "no state" feature of pf:

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } no state label "anti-lockout rule"
pass out quick on {$lanif} proto tcp from ({$lanif}) port { {$alports} } to any no state label "anti-lockout rule"

This way you can keep on using your ssh/gui uninterrupted even if all states get flushed. Also the gui feature "Reset States" would profit from that. We could get rid of:
"NOTE: If you reset the firewall state table, the browser session may appear to be hung after clicking "Reset". Simply refresh the page to continue."
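
An added example, not part of the original report or of pfSense's filter.inc: a `no state` rule creates no state entry, so reply packets need their own pass rule, which is why the proposal above has two lines. The Python check below parses a rendered ruleset and reports stateless pass-in rules that lack a matching pass-out rule; the interface names and port values in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the two proposed rules as they might render with
# {$lanif} = em1 and {$alports} = "443 80 22" (assumed values), plus one
# stateless pass-in rule that has no return-path counterpart.
SAMPLE_RULES = '''\
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } no state label "anti-lockout rule"
pass out quick on em1 proto tcp from (em1) port { 443 80 22 } to any no state label "anti-lockout rule"
pass in quick on em2 proto tcp from any to (em2) port { 8443 } no state label "mgmt"
pass in quick on em1 proto tcp from any to any port 25 keep state label "smtp"
'''

# Matches only TCP pass rules that carry the "no state" option.
RULE_RE = re.compile(
    r'^pass\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<ifc>\S+)\s+proto\s+tcp\s+'
    r'from\s+(?P<src>.+?)\s+to\s+(?P<dst>.+?)\s+no\s+state\b')

def _ports(endpoint):
    """Return the set of ports named in a 'host port {...}' endpoint."""
    m = re.search(r'\bport\s+(?:\{([^}]*)\}|(\S+))', endpoint)
    if not m:
        return frozenset()
    return frozenset((m.group(1) or m.group(2)).replace(',', ' ').split())

def stateless_rules(text):
    """Yield (direction, interface, ports) for each stateless TCP pass rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            # Inbound rules match on destination port; replies leave with
            # that same port as their source port.
            endpoint = m['dst'] if m['dir'] == 'in' else m['src']
            yield m['dir'], m['ifc'], _ports(endpoint)

def unpaired_inbound(text):
    """Stateless pass-in rules lacking a pass-out rule for the reply packets."""
    rules = list(stateless_rules(text))
    out = {(ifc, ports) for d, ifc, ports in rules if d == 'out'}
    return [(ifc, sorted(ports)) for d, ifc, ports in rules
            if d == 'in' and (ifc, ports) not in out]

if __name__ == '__main__':
    for ifc, ports in unpaired_inbound(SAMPLE_RULES):
        print(f'{ifc}: stateless pass in for ports {ports} has no matching pass out')
```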

Actions #1

Updated by Bipin Chandra about 10 years ago

+1

Actions #2

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Rejected

Not a good idea.

Actions #3

Updated by Tobias Wigand about 10 years ago

May I ask why? I have been running those filter rules (for SSH) for several years on an OpenBSD gateway without any problems.

Actions #4

Updated by Chris Buechler over 8 years ago

  • Target version deleted (2.1.1)