Netgate Discussion Forum
    Adding filtering for TCP flags (E)CE and C(W)R

    Development
    • A
      al1x
      last edited by

      There seems to be no way to include TCP flags ECE and CWR in filter rules. I'm curious as to why they were left out and, barring any objections, would like to submit patches* for inclusion.

      *My PHP-fu is weak as I've picked up the language only recently while reviewing the pfSense sources.

      --- /etc/inc/globals.inc Tue Sep 18 23:56:11 2012
      +++ /etc/inc/globals.inc Tue Sep 18 23:56:02 2012
      @@ -102,3 +102,3 @@
      /* TCP flags */
      -$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg");
      +$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");
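      Review bot: `$tcpflags` is now defined as the same literal list here and again in guiconfig.inc (third hunk), so the two copies must be kept in step by hand; defining the array once and having the GUI file reuse it would avoid the drift that the follow-up post already shows (different ordering in the two files). Also, the hunk header `@@ -102,3 +102,3 @@` announces three lines on each side, but only two are shown (the comment and the changed line), so a trailing context line has gone missing and `patch` will reject the hunk as malformed until it is restored.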

      --- /etc/inc/filter.inc Wed Sep 19 00:13:36 2012
      +++ /etc/inc/filter.inc Wed Sep 19 00:13:33 2012
      @@ -2201,13 +2201,19 @@
      if (!empty($rule['tcpflags1'])) {
      $flags1 = explode(",", $rule['tcpflags1']);
      foreach ($flags1 as $flag1)

      • $aline['flags'] .= strtoupper($flag1[0]);
      • if($flag1[0] == "c")
      • $aline['flags'] .= "W";
      • else
      • $aline['flags'] .= strtoupper($flag1[0]);
        }
        $aline['flags'] .= "/";
        if (!empty($rule['tcpflags2'])) {
        $flags2 = explode(",", $rule['tcpflags2']);
        foreach ($flags2 as $flag2)
      • $aline['flags'] .= strtoupper($flag2[0]);
      • if($flag2[0] == "c")
      • $aline['flags'] .= "W";
      • else
      • $aline['flags'] .= strtoupper($flag2[0]);
        }
        $aline['flags'] .= " ";
        } else
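      Review bot: the special case `if($flag1[0] == "c")` emitting `"W"` hard-codes the one name whose pf letter is not its initial; an explicit name-to-letter map (`'cwr' => 'W'`, `'ece' => 'E'`, and the six existing flags) would make the translation obvious and would let the code reject an unknown name instead of silently emitting its first letter. The identical if/else is repeated in the `tcpflags1` and `tcpflags2` loops, so a small helper would remove the duplication. The `foreach` bodies are now a multi-line if/else without braces; that is still a single statement and parses, but braces would make the loop extent clear. As rendered here the `-`/`+` prefixes have been turned into bullets, so which of the five lines is the removed original and which four are added cannot be read off the hunk; a fenced or raw paste would preserve them.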

      –- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
      +++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
      @@ -221,3 +221,3 @@
      /* TCP flags */
      -$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
      +$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");
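      Review bot: besides appending `ece` and `cwr`, this hunk reorders the six existing entries (fin, syn, rst, psh, ack, urg become syn, ack, fin, rst, psh, urg), which changes the order shown in the GUI and is unrelated to the feature; keep the existing order and append only the two new flags. The `+++` header names `/usr/local/www/guiconfig.new.txt` rather than `/usr/local/www/guiconfig.inc`, so the path has to be corrected before the patch applies to the tree.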

      ...haven't tested it yet but that seems to cover it. It's late here so I'm going to turn in. I'll take a look at this in the morning and test it out. For now I figure it's worth posting what I have so far in case, for whatever reason, this functionality was deliberately left out and there is no desire for its inclusion.

      1 Reply Last reply Reply Quote 0
      • E
        eri--
        last edited by

        Is this supported by pf(4)?

        1 Reply Last reply Reply Quote 0
        • A
          al1x
          last edited by

          @ermal:

          Is this supported by pf(4)?

          Indeed!

          http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

          flags <a>/<b> | /<b> | any
            This rule only applies to TCP packets that have the flags <a> set
            out of set <b>.  Flags not specified in <b> are ignored.  For
            stateful connections, the default is flags S/SA.  To indicate that
            flags should not be checked at all, specify flags any.  The flags
            are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.

          1 Reply Last reply Reply Quote 0
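          As an added worked example (not code from this thread or from pfSense), the following does two things the posts above describe: it translates the GUI's comma-separated flag names into pf letters with an explicit lookup table, which is where the first-letter trick in the filter.inc hunk goes wrong for `cwr`, and it applies the `flags <a>/<b>` matching rule from the quoted pf.conf(5) text to a few constructed TCP flag bytes. Function and table names (`names_to_letters`, `flags_match`, `PF_FLAG_LETTER`, `FLAG_BIT`) are my own; the letters follow pf.conf(5) and the bit values follow the TCP header layout (FIN=0x01 through CWR=0x80, the last two from RFC 3168).

```python
"""pf-style TCP flag translation and matching (added example, not pfSense code)."""

# Flag name as stored in a pfSense rule field ("syn,ack") -> pf.conf(5) letter.
# An explicit table replaces the first-letter derivation, which breaks for "cwr".
PF_FLAG_LETTER = {
    "fin": "F", "syn": "S", "rst": "R", "psh": "P",
    "ack": "A", "urg": "U", "ece": "E", "cwr": "W",
}

# pf letter -> bit in the TCP header flags byte (RFC 793; ECE/CWR from RFC 3168).
FLAG_BIT = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def naive_letter(name):
    """The first-letter rule used by the unpatched code; yields 'C' for 'cwr'."""
    return name[0].upper()


def names_to_letters(csv_names):
    """Translate "syn,ack" to "SA"; unknown names raise instead of leaking an initial."""
    letters = []
    for name in filter(None, csv_names.lower().split(",")):
        if name not in PF_FLAG_LETTER:
            raise ValueError(f"unknown TCP flag name: {name!r}")
        letters.append(PF_FLAG_LETTER[name])
    return "".join(letters)


def pf_flags_clause(tcpflags1, tcpflags2):
    """Build the 'flags <a>/<b>' rule text from the two rule fields."""
    return f"flags {names_to_letters(tcpflags1)}/{names_to_letters(tcpflags2)}"


def _letters_to_mask(letters):
    mask = 0
    for ch in letters:
        if ch not in FLAG_BIT:
            raise ValueError(f"unknown pf flag letter: {ch!r}")
        mask |= FLAG_BIT[ch]
    return mask


def parse_flags_clause(clause):
    """Return (set_mask, out_of_mask), or None for 'flags any'."""
    words = clause.split()
    if len(words) != 2 or words[0] != "flags":
        raise ValueError(f"not a flags clause: {clause!r}")
    if words[1] == "any":
        return None
    a_letters, sep, b_letters = words[1].partition("/")
    if not sep:
        raise ValueError("flags clause needs the form <a>/<b> or /<b>")
    return _letters_to_mask(a_letters), _letters_to_mask(b_letters)


def flags_match(clause, tcp_flags_byte):
    """pf.conf(5) semantics: of the bits named in <b>, exactly those in <a> are set;
    bits outside <b> are ignored; 'flags any' skips the check entirely."""
    parsed = parse_flags_clause(clause)
    if parsed is None:
        return True
    set_mask, out_of_mask = parsed
    return (tcp_flags_byte & out_of_mask) == set_mask


# Constructed sample flag bytes, not captured traffic.
SAMPLE_PACKETS = {
    "plain SYN": 0x02,
    "SYN+ACK": 0x12,
    "SYN+PSH": 0x0A,
    "ECN-setup SYN (SYN+ECE+CWR)": 0xC2,
}

if __name__ == "__main__":
    rule = pf_flags_clause("syn", "syn,ack")                    # pf's default S/SA
    ecn_rule = pf_flags_clause("syn,ece,cwr", "syn,ack,ece,cwr")  # ECN-negotiating SYNs only
    for label, byte in SAMPLE_PACKETS.items():
        print(f"{label:28s} 0x{byte:02x}  {rule}: {flags_match(rule, byte)}"
              f"  {ecn_rule}: {flags_match(ecn_rule, byte)}")
    print("first-letter rule for 'cwr':", naive_letter("cwr"), "(not a pf flag letter)")
```

The `S/SA` run shows why the man page stresses that flags outside `<b>` are ignored: an ECN-setup SYN (SYN+ECE+CWR) still matches `S/SA`, so a rule that wants to distinguish ECN-negotiating SYNs has to name `E` and `W` on both sides, which is exactly what adding `ece` and `cwr` to the GUI makes possible.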
          • A
            al1x
            last edited by

            I'm wondering if there was any specific reason the order of the tcpflags was rearranged in guiconfig.inc as compared to globals.inc and the pf.conf man page. If so I guess the appropriate patch would be:

            –- /usr/local/www/guiconfig.inc   Wed Sep 19 00:27:47 2012
            +++ /usr/local/www/guiconfig.new.txt   Wed Sep 19 00:28:58 2012
            @@ -221,3 +221,3 @@
            /* TCP flags */
            -$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
            +$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr");
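            Review bot: this version keeps the existing GUI order and only appends `ece` and `cwr`, which is the right scope for the change. The `+++` path is still `/usr/local/www/guiconfig.new.txt` rather than `/usr/local/www/guiconfig.inc`, and the `---` header has come through as an en dash (`–-`) in this rendering, so the file header needs correcting before the diff applies.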

            1 Reply Last reply Reply Quote 0
            • B
              bardelot
              last edited by

              I made this patch into a pull request on GitHub.
              https://github.com/bsdperimeter/pfsense/pull/233

              1 Reply Last reply Reply Quote 0
              • Y
                yon
                last edited by

                I need this.

                because I want to try to crack a country firewall block.

                http://www.certmag.com/read.php?start=0&in=3906

                If you are interested in free peering for clearnet and dn42, contact me!

                1 Reply Last reply Reply Quote 0
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.