Commit c0602162 authored by Ad Schellevis's avatar Ad Schellevis

(filter) move lockout rules

parent 3e9f7344
...@@ -2502,40 +2502,6 @@ function filter_rules_generate(&$FilterIflist) ...@@ -2502,40 +2502,6 @@ function filter_rules_generate(&$FilterIflist)
$log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : ""; $log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : "";
$log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : ""; $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : "";
$ipfrules .= "\n# SSH lockout\n";
if (!empty($config['system']['ssh']['port'])) {
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port ";
$ipfrules .= $config['system']['ssh']['port'];
$ipfrules .= " label \"sshlockout\"\n";
} else {
if (!empty($config['system']['ssh']['port'])) {
$sshport = $config['system']['ssh']['port'];
} else {
$sshport = 22;
}
$ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} label \"sshlockout\"\n";
}
$ipfrules .= "\n# webConfigurator lockout\n";
if (!$config['system']['webgui']['port']) {
if ($config['system']['webgui']['protocol'] == "http") {
$webConfiguratorlockoutport = "80";
} else {
$webConfiguratorlockoutport = "443";
}
} else {
$webConfiguratorlockoutport = $config['system']['webgui']['port'];
}
if ($webConfiguratorlockoutport) {
$ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";
}
/*
* Support for allow limiting of TCP connections by establishment rate
* Useful for protecting against sudden outburts, etc.
*/
$ipfrules .= "block in {$log['block']} quick from <virusprot> to any label \"virusprot overload table\"\n";
foreach ($FilterIflist as $on => $oc) { foreach ($FilterIflist as $on => $oc) {
/* /*
......
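--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -103,5 +103,25 @@ function filter_core_rules_system($fw, $defaults)
 );
 $fw->registerFilterRule(1,array('protocol' => 'carp'),$defaults['pass']);
+// Lockout rules
+$fw->registerFilterRule(1,
+array('protocol' => 'tcp', 'from' => '<sshlockout>', 'to' => '(self)' , 'label' => 'sshlockout', 'direction' => 'in',
+'to_port' => !empty($config['system']['ssh']['port']) ? $config['system']['ssh']['port'] : 22),
+$defaults['block']
+);
+$webport = '443';
+if (!empty($config['system']['webgui']['port'])) {
+$webport = $config['system']['webgui']['port'];
+} elseif ($config['system']['webgui']['protocol'] == 'http') {
+$webport = '80';
+}
+$fw->registerFilterRule(1,
+array('protocol' => 'tcp', 'from' => '<webConfiguratorlockout>', 'to' => '(self)' , 'label' => 'webConfiguratorlockout',
+'direction' => 'in','to_port' => $webport),
+$defaults['block']
+);
+// block all in alias <virusprot>
+$fw->registerFilterRule(1,array('from' => '<virusprot>', 'label' => 'virusprot overload table'),$defaults['block']);
 }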
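Review bot: The new lockout rules read `$config` in the `to_port` expression and the `$webport` block, but filter_core_rules_system only receives `$fw` and `$defaults`; unless the part of the function above this hunk declares `global $config`, every lookup is null and the rules silently fall back to 22/443, so a non-default SSH or webGUI port gets no lockout protection at all. If that is the case, add `global $config;` at the top of the function (or hand the two ports in through `$defaults`) so the fallback only triggers when the port is genuinely unset. The removed virusprot rule was `block in ... quick from <virusprot> to any`, while the new registration carries no `'direction' => 'in'`; unless registerFilterRule defaults the direction to `in`, the rule now also drops outbound traffic, and `$fw->registerFilterRule(1,array('from' => '<virusprot>', 'direction' => 'in', 'label' => 'virusprot overload table'),$defaults['block']);` would keep the original scope, as the two lockout rules above already do. The `$config['system']['webgui']['protocol'] == 'http'` test should use `===`, since a loose comparison against a config string invites type-juggling surprises. The function's opening lines and any `global` declaration lie outside the hunk.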