Revision 3696f576
Added by Scott Ullrich over 18 years ago
etc/inc/filter.inc | ||
2232 | 2232 |
$ipfrules .= "\n# SSH lockout\n"; |
2233 | 2233 |
$ipfrules .= "block in log proto tcp from <sshlockout> to any port 22 label \"sshlockout\"\n\n"; |
2234 | 2234 |
|
2235 |
$ipfrules .= "anchor \"ftpproxy\"\n"; |
|
2236 |
$ipfrules .= "anchor \"pftpx/*\"\n"; |
|
2237 |
|
|
2235 | 2238 |
if (isset($config['filter']['rule'])) { |
2236 | 2239 |
/* Pre-cache all our rules so we only have to generate them once */ |
2237 | 2240 |
$rule_arr = array(); |
... | ... | |
2417 | 2420 |
} |
2418 | 2421 |
$ipfrules .= <<<EOD |
2419 | 2422 |
|
2420 |
anchor "ftpproxy" |
|
2421 |
anchor "pftpx/*" |
|
2422 | 2423 |
pass in quick on $lanif inet proto tcp from any to \$loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost" |
2423 | 2424 |
pass in quick on $lanif inet proto tcp from any to \$loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" |
2424 | 2425 |
pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" |
... | ... | |
2603 | 2604 |
$rule .="pass out quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n"; |
2604 | 2605 |
$rule .="pass in quick on tap{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n"; |
2605 | 2606 |
} |
2606 |
}
|
|
2607 |
} |
|
2607 | 2608 |
|
2608 | 2609 |
return $rule; |
2609 | 2610 |
} |
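Review bot: The anchor lines added at new 2235-2237 carry no comment, unlike the neighbouring `# SSH lockout` block, and their position is load-bearing: pf evaluates an anchor where it appears in the ruleset, so whatever pftpx loads into `ftpproxy` or `pftpx/*` is now matched before every rule built from `$config['filter']['rule']`, and a `quick` rule there overrides a user block rule. I would record that in the generator so the next person does not move them back, e.g. `$ipfrules .= "\n# FTP proxy anchors: kept ahead of user rules so pftpx-installed rules take precedence\n";` immediately before the two anchor lines. The pass rules for ports 21 and 8021 left after the user rules (new 2423-2425) are still `quick`, which matches the stated intent that user rules decide the initial control connection. I cannot see in this view whether the FTP proxy is optional; if it is, the anchor references presumably should be gated on the same condition as those pass rules. The enclosing function starts before the first hunk.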
Woops, we need the ftp anchor BEFORE the user rules, and the initial PASS rules AFTER.
This controls the initial port 21 connection; once that is allowed through, the ftp rules installed by pftpx should bypass USER_RULES.