Revision c6467768
Added by Luiz Gustavo S. Costa over 14 years ago
| etc/inc/filter.inc | ||
|---|---|---|
| 521 | 521 |
$aliases .= "table <sshlockout> persist\n"; |
| 522 | 522 |
$aliases .= "table <webConfiguratorlockout> persist\n"; |
| 523 | 523 |
|
| 524 |
$aliases .= "#pfSnortSam tables\n";
|
|
| 524 |
$aliases .= "#Snort2C table\n";
|
|
| 525 | 525 |
$aliases .= "table <snort2c>\n"; |
| 526 |
$aliases .= "table <pfSnortSamout>\n"; |
|
| 527 |
$aliases .= "table <pfSnortSamin>\n"; |
|
| 528 | 526 |
|
| 529 | 527 |
$aliases .= "\ntable <virusprot>\n"; |
| 530 | 528 |
|
| ... | ... | |
| 1740 | 1738 |
update_filter_reload_status("Setting up pass/block rules {$rule['descr']}");
|
| 1741 | 1739 |
|
| 1742 | 1740 |
/* do not process reply-to for gateway'd rules */ |
| 1743 |
if($rule['gateway'] == "" && $aline['direction'] <> "" && interface_has_gateway($rule['interface']) && !isset($rule['disablereplyto'])) {
|
|
| 1741 |
if($rule['gateway'] == "" && $aline['direction'] <> "" && interface_has_gateway($rule['interface']) && !isset($config['system']['disablereplyto'])) {
|
|
| 1744 | 1742 |
$rg = get_interface_gateway($rule['interface']); |
| 1745 | 1743 |
if(is_ipaddr($rg)) {
|
| 1746 | 1744 |
$aline['reply'] = "reply-to ( {$ifcfg['if']} {$rg} ) ";
|
| ... | ... | |
| 1756 | 1754 |
/* Add the load balanced gateways */ |
| 1757 | 1755 |
$aline['route'] = " \$GW{$rule['gateway']} ";
|
| 1758 | 1756 |
else |
| 1759 |
log_error("The gateway: {$rule['gateway']} is invalid or unknown, not using it.");
|
|
| 1757 |
log_error("The gateway: {$rule['gateway']} is invalid/unkown not using it.");
|
|
| 1760 | 1758 |
} |
| 1761 | 1759 |
|
| 1762 | 1760 |
if(isset($rule['protocol'])) {
|
| ... | ... | |
| 2018 | 2016 |
|
| 2019 | 2017 |
$ipfrules .= <<<EOD |
| 2020 | 2018 |
|
| 2021 |
# pfSnortSam
|
|
| 2019 |
# snort2c
|
|
| 2022 | 2020 |
block quick from <snort2c> to any label "Block snort2c hosts" |
| 2023 | 2021 |
block quick from any to <snort2c> label "Block snort2c hosts" |
| 2024 |
block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts" |
|
| 2025 |
block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts" |
|
| 2026 | 2022 |
|
| 2027 | 2023 |
EOD; |
| 2028 | 2024 |
|
| ... | ... | |
| 2171 | 2167 |
pass out on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
|
| 2172 | 2168 |
|
| 2173 | 2169 |
EOD; |
| 2174 |
if($config['dhcpd'][$on]['failover_peerip'] <> "") {
|
|
| 2175 |
$ipfrules .= <<<EOD |
|
| 2176 |
# allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
|
|
| 2177 |
pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover"
|
|
| 2178 |
pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover"
|
|
| 2179 |
|
|
| 2180 |
EOD; |
|
| 2181 |
} |
|
| 2182 |
|
|
| 2183 | 2170 |
} |
| 2184 | 2171 |
break; |
| 2185 | 2172 |
} |
| usr/local/www/system_advanced_firewall.php | ||
|---|---|---|
| 56 | 56 |
$pconfig['optimization'] = $config['filter']['optimization']; |
| 57 | 57 |
$pconfig['maximumstates'] = $config['system']['maximumstates']; |
| 58 | 58 |
$pconfig['maximumtableentries'] = $config['system']['maximumtableentries']; |
| 59 |
$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']); |
|
| 59 | 60 |
$pconfig['disablenatreflection'] = $config['system']['disablenatreflection']; |
| 60 | 61 |
if (!isset($config['system']['enablebinatreflection'])) |
| 61 | 62 |
$pconfig['disablebinatreflection'] = "yes"; |
| ... | ... | |
| 124 | 125 |
else |
| 125 | 126 |
$config['system']['enablebinatreflection'] = "yes"; |
| 126 | 127 |
|
| 128 |
if($_POST['disablereplyto'] == "yes") {
|
|
| 129 |
$config['system']['disablereplyto'] = $_POST['disablereplyto']; |
|
| 130 |
} else {
|
|
| 131 |
unset($config['system']['disablereplyto']); |
|
| 132 |
} |
|
| 133 |
|
|
| 134 |
|
|
| 127 | 135 |
if($_POST['enablenatreflectionhelper'] == "yes") |
| 128 | 136 |
$config['system']['enablenatreflectionhelper'] = "yes"; |
| 129 | 137 |
else |
| ... | ... | |
| 324 | 332 |
<br/> |
| 325 | 333 |
</td> |
| 326 | 334 |
</tr> |
| 335 |
<tr> |
|
| 336 |
<td width="22%" valign="top" class="vncell">Disable reply-to</td> |
|
| 337 |
<td width="78%" class="vtable"> |
|
| 338 |
<input name="disablereplyto" type="checkbox" id="disablereplyto" value="yes" <?php if ($pconfig['disablereplyto']) echo "checked"; ?> /> |
|
| 339 |
<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
|
|
| 340 |
<br /> |
|
| 341 |
<?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default." .
|
|
| 342 |
"When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?> |
|
| 343 |
<br /> |
|
| 344 |
</td> |
|
| 345 |
</tr> |
|
| 346 |
|
|
| 327 | 347 |
<tr> |
| 328 | 348 |
<td colspan="2" class="list" height="12"> </td> |
| 329 | 349 |
</tr> |
Also available in: Unified diff
Add Global reply-to disable checkbox, resolves the issue #1137