Commit 5a94936b authored by Ad Schellevis's avatar Ad Schellevis

(filter) refactor antilockout

parent cc36edc9
......@@ -1730,7 +1730,7 @@ function filter_nat_rules_generate(&$FilterIflist)
// prevent redirection on ports with "lock out" protection
if (!isset($config['system']['webgui']['noantilockout'])) {
$alports = filter_get_antilockout_ports();
$alports = implode(" ", filter_core_antilockout_ports());
if ( !empty($FilterIflist['lan']['if']) ) {
$alintrf = $FilterIflist['lan']['if'];
} elseif ( !empty($FilterIflist['wan']['if']) ) {
......@@ -2568,33 +2568,6 @@ function filter_rules_generate(&$FilterIflist)
}
}
if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
$alports = filter_get_antilockout_ports();
if (count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
/* if antilockout is enabled, LAN exists and has
* an IP and subnet mask assigned
*/
$lanif = $FilterIflist['lan']['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule"
EOD;
} elseif (count($config['interfaces']) == 1 && !empty($FilterIflist['wan']['if'])) {
/* single-interface deployment, add to WAN */
$wanif = $FilterIflist["wan"]['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule"
EOD;
}
unset($alports);
}
if (isset($pptpdcfg['mode']) && $pptpdcfg['mode'] == 'server' && !isset($config['system']['disablevpnrules'])) {
if ($pptpdcfg['mode'] == "server") {
$pptpdtarget = get_interface_ip();
......@@ -3011,28 +2984,6 @@ EOD;
return($ipfrules);
}
function filter_get_antilockout_ports($wantarray = false) {
global $config;
$lockoutports = array();
$guiport = ($config['system']['webgui']['protocol'] == "https") ? "443" : "80";
$guiport = empty($config['system']['webgui']['port']) ? $guiport : $config['system']['webgui']['port'];
$lockoutports[] = $guiport;
if (($config['system']['webgui']['protocol'] == "https") && !isset($config['system']['webgui']['disablehttpredirect']) && ($guiport != "80")) {
$lockoutports[] = "80";
}
if (isset($config['system']['ssh']['enabled'])) {
$lockoutports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port'];
}
if ($wantarray) {
return $lockoutports;
} else {
return implode(" ", $lockoutports);
}
}
function default_state_size()
{
/* get system memory amount */
......@@ -38,6 +38,26 @@ function filter_core_bootstrap($fw)
filter_core_rules_system($fw, $filter_rule_defaults);
}
function filter_core_antilockout_ports()
{
global $config;
$lockout_ports = array();
if (!isset($config['system']['webgui']['noantilockout'])) {
if (empty($config['system']['webgui']['port'])) {
$lockout_ports[] = $config['system']['webgui']['protocol'] == "https" ? "443" : "80";
} else {
$lockout_ports[] = $config['system']['webgui']['port'];
}
if ($config['system']['webgui']['protocol'] == "https" && !isset($config['system']['webgui']['disablehttpredirect'])) {
$lockout_ports[] = "80";
}
if (isset($config['system']['ssh']['enabled'])) {
$lockout_ports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port'];
}
}
return $lockout_ports;
}
/**
* core system rules
*/
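Review bot: The new filter_core_antilockout_ports() can list the same port twice, because the removed implementation's `$guiport != "80"` guard was not carried over: with protocol https, an explicit webgui port of 80 and the HTTP redirect enabled, "80" is appended at both the port branch and the redirect branch, and an SSH port equal to the web port duplicates in the same way. Duplicates are harmless to pf but show up twice in the rule table rendered by the GUI hunks below, so `return array_values(array_unique($lockout_ports));` would keep the list exact. The function also reads `$config['system']['webgui']['protocol']` without an isset guard, which the removed caller in filter_rules_generate used to cover with an `is_array($config['system']['webgui'])` check; presumably the config always has that section, but a `isset($config['system']['webgui']['protocol']) && ...` guard on the two protocol comparisons would make the helper safe to call from the new places it is now used.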
......@@ -301,5 +321,22 @@ function filter_core_rules_system($fw, $defaults)
$defaults['pass']
);
}
// anti-lockout
$lockoutprts = filter_core_antilockout_ports();
if (count($lockoutprts) > 0) {
$lockoutif = null;
if (count($config['interfaces']) > 1 && !empty($config['interfaces']['lan']['if'])) {
$lockoutif = 'lan';
} elseif (count($config['interfaces']) == 1 && !empty($config['interfaces']['wan']['if'])) {
$lockoutif = 'wan';
}
if (!empty($lockoutif)) {
$fw->registerFilterRule(5,
array('direction' => 'in', 'interface' => $lockoutif, 'statetype' => 'keep',
'protocol' => 'tcp', 'to' => '(self)', 'to_port' => implode(' ', $lockoutprts),
'label' =>'anti-lockout rule'),
$defaults['pass']
);
}
}
}
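Review bot: The rule registered here is wider than the one it replaces: the removed rule matched `to ({$lanif})`, i.e. only the lockout interface's own addresses, while the new entry uses `'to' => '(self)'`, which, if registerFilterRule renders it as pf `to (self)`, passes TCP on the lockout interface to every address the firewall holds, including the WAN address. That still only admits traffic arriving on LAN, but it is a scope change a refactor commit should either avoid or state in the message; if the rule API accepts an interface-address token for 'to', keeping the previous scope is a one-value change. The interface selection also moved from `$FilterIflist[...]['if']` to `$config['interfaces'][...]['if']`, so a LAN that has a device assigned but is not enabled now satisfies the check where it presumably did not before; please confirm registerFilterRule tolerates that. filter_core_rules_system's header is outside the hunk, so I cannot see whether `$config` is declared global in it; `count($config['interfaces'])` on the first condition relies on that.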
......@@ -281,7 +281,7 @@ $( document ).ready(function() {
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm"><?=$lockout_intf_name?> <?=gettext("address");?></td>
<td class="hidden-xs hidden-sm"><?=implode('<br />', filter_get_antilockout_ports(true));?></td>
<td class="hidden-xs hidden-sm"><?=implode('<br />', filter_core_antilockout_ports());?></td>
<td>*</td>
<td>*</td>
<td><?=gettext("Anti-Lockout Rule");?></td>
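Review bot: The port list is echoed into the table cell without HTML escaping; the values come from the admin-edited webgui and ssh port settings rather than from a request, so the risk is low, but escaping output per context is the house rule for templates, e.g. `<?=implode('<br />', array_map('htmlspecialchars', filter_core_antilockout_ports()));?>`. The same applies to the `$alports` assignment in the next hunk (the one at `@@ -320,7 +320,7 @@`), which builds the same string for another row.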
......@@ -320,7 +320,7 @@ $( document ).ready(function() {
if (!isset($config['system']['webgui']['noantilockout']) &&
(((count($config['interfaces']) > 1) && ($selected_if == 'lan'))
|| ((count($config['interfaces']) == 1) && ($selected_if == 'wan')))):
$alports = implode('<br />', filter_get_antilockout_ports(true));
$alports = implode('<br />', filter_core_antilockout_ports());
?>
<tr valign="top">
<td>&nbsp;</td>