Revision 196440c8
Added by Luiz Gustavo S. Costa over 14 years ago
etc/inc/filter.inc | ||
---|---|---|
521 | 521 |
$aliases .= "table <sshlockout> persist\n"; |
522 | 522 |
$aliases .= "table <webConfiguratorlockout> persist\n"; |
523 | 523 |
|
524 |
$aliases .= "#Snort2C table\n";
|
|
524 |
$aliases .= "#pfSnortSam tables\n";
|
|
525 | 525 |
$aliases .= "table <snort2c>\n"; |
526 |
$aliases .= "table <pfSnortSamout>\n"; |
|
527 |
$aliases .= "table <pfSnortSamin>\n"; |
|
526 | 528 |
|
527 | 529 |
$aliases .= "\ntable <virusprot>\n"; |
528 | 530 |
|
... | ... | |
1738 | 1740 |
update_filter_reload_status("Setting up pass/block rules {$rule['descr']}"); |
1739 | 1741 |
|
1740 | 1742 |
/* do not process reply-to for gateway'd rules */ |
1741 |
if($rule['gateway'] == "" && $aline['direction'] <> "" && interface_has_gateway($rule['interface']) && !isset($config['system']['disablereplyto'])) {
|
|
1743 |
if($rule['gateway'] == "" && $aline['direction'] <> "" && interface_has_gateway($rule['interface']) && !isset($rule['disablereplyto'])) {
|
|
1742 | 1744 |
$rg = get_interface_gateway($rule['interface']); |
1743 | 1745 |
if(is_ipaddr($rg)) { |
1744 | 1746 |
$aline['reply'] = "reply-to ( {$ifcfg['if']} {$rg} ) "; |
... | ... | |
1754 | 1756 |
/* Add the load balanced gateways */ |
1755 | 1757 |
$aline['route'] = " \$GW{$rule['gateway']} "; |
1756 | 1758 |
else |
1757 |
log_error("The gateway: {$rule['gateway']} is invalid/unkown not using it.");
|
|
1759 |
log_error("The gateway: {$rule['gateway']} is invalid or unknown, not using it.");
|
|
1758 | 1760 |
} |
1759 | 1761 |
|
1760 | 1762 |
if(isset($rule['protocol'])) { |
... | ... | |
2016 | 2018 |
|
2017 | 2019 |
$ipfrules .= <<<EOD |
2018 | 2020 |
|
2019 |
# snort2c
|
|
2021 |
# pfSnortSam
|
|
2020 | 2022 |
block quick from <snort2c> to any label "Block snort2c hosts" |
2021 | 2023 |
block quick from any to <snort2c> label "Block snort2c hosts" |
2024 |
block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts" |
|
2025 |
block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts" |
|
2022 | 2026 |
|
2023 | 2027 |
EOD; |
2024 | 2028 |
|
... | ... | |
2167 | 2171 |
pass out on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server" |
2168 | 2172 |
|
2169 | 2173 |
EOD; |
2174 |
if($config['dhcpd'][$on]['failover_peerip'] <> "") { |
|
2175 |
$ipfrules .= <<<EOD |
|
2176 |
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} |
|
2177 |
pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover" |
|
2178 |
pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover" |
|
2179 |
|
|
2180 |
EOD; |
|
2181 |
} |
|
2182 |
|
|
2170 | 2183 |
} |
2171 | 2184 |
break; |
2172 | 2185 |
} |
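Review bot: The new DHCP failover block (new lines 2174-2181) writes `$config['dhcpd'][$on]['failover_peerip']` straight into the generated pf ruleset after only a `<> ""` test, so a malformed value in the config would break the ruleset load or alter the rule that is emitted. The reply-to hunk in this file already guards its gateway with `is_ipaddr($rg)`, and the same guard fits here: `if (is_ipaddr($config['dhcpd'][$on]['failover_peerip'])) {`; whether the value is validated when it is saved is not visible on this page. Both pass rules also use `proto udp`, while ISC dhcpd failover peers normally connect over TCP, so it is worth confirming that the rules match the failover traffic. The enclosing block starts outside the hunk.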
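--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -56,7 +56,6 @@
 $pconfig['optimization'] = $config['filter']['optimization'];
 $pconfig['maximumstates'] = $config['system']['maximumstates'];
 $pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
-$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
 $pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
 if (!isset($config['system']['enablebinatreflection']))
 $pconfig['disablebinatreflection'] = "yes";
@@ -125,13 +124,6 @@
 else
 $config['system']['enablebinatreflection'] = "yes";
 
-if($_POST['disablereplyto'] == "yes") {
-$config['system']['disablereplyto'] = $_POST['disablereplyto'];
-} else {
-unset($config['system']['disablereplyto']);
-}
-
-
 if($_POST['enablenatreflectionhelper'] == "yes")
 $config['system']['enablenatreflectionhelper'] = "yes";
 else
@@ -332,18 +324,6 @@
 <br/>
 </td>
 </tr>
-<tr>
-<td width="22%" valign="top" class="vncell">Disable reply-to</td>
-<td width="78%" class="vtable">
-<input name="disablereplyto" type="checkbox" id="disablereplyto" value="yes" <?php if ($pconfig['disablereplyto']) echo "checked"; ?> />
-<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
-<br />
-<?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default." .
-"When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?>
-<br />
-</td>
-</tr>
-
 <tr>
 <td colspan="2" class="list" height="12"> </td>
 </tr>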
reversal of accidentally deleted files
Revert "Add Global reply-to disable checkbox, resolves the issue #1137"
This reverts commit c646776871dacebcaa4225b083aa0789dc0bfba6.