Adding filtering for TCP flags (E)CE and C(W)R
-
There seems to be no way to include the TCP flags ECE and CWR in filter rules. I'm curious as to why they were left out and, barring any objections, would like to submit patches* for inclusion.
*My PHP-fu is weak as I've picked up the language only recently while reviewing the pfSense sources.
--- /etc/inc/globals.inc Tue Sep 18 23:56:11 2012
+++ /etc/inc/globals.inc Tue Sep 18 23:56:02 2012
@@ -102,3 +102,3 @@
/* TCP flags */
-$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg");
+$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");--- /etc/inc/filter.inc Wed Sep 19 00:13:36 2012
+++ /etc/inc/filter.inc Wed Sep 19 00:13:33 2012
@@ -2201,13 +2201,19 @@
if (!empty($rule['tcpflags1'])) {
$flags1 = explode(",", $rule['tcpflags1']);
foreach ($flags1 as $flag1)- $aline['flags'] .= strtoupper($flag1[0]);
- if($flag1[0] == "c")
- $aline['flags'] .= "W";
- else
- $aline['flags'] .= strtoupper($flag1[0]);
}
$aline['flags'] .= "/";
if (!empty($rule['tcpflags2'])) {
$flags2 = explode(",", $rule['tcpflags2']);
foreach ($flags2 as $flag2)
- $aline['flags'] .= strtoupper($flag2[0]);
- if($flag2[0] == "c")
- $aline['flags'] .= "W";
- else
- $aline['flags'] .= strtoupper($flag2[0]);
}
$aline['flags'] .= " ";
} else
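Review bot: in both loops the test `if($flag1[0] == "c")` / `if($flag2[0] == "c")` derives pf's letter from the first character of the flag name, which only works because cwr is the sole name starting with "c" (ece still goes through `strtoupper` and yields E). An explicit name-to-letter map, used by the tcpflags1 and tcpflags2 loops through one shared helper, would state the W exception once instead of duplicating the if/else. The `foreach` bodies are unbraced, so braces around the new if/else would make the scope obvious. As posted, the new if/else lines carry `-` markers although the header `@@ -2201,13 +2201,19 @@` expects the new side to grow by six lines, so the diff should be regenerated before anyone tries to apply it.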
–- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
+++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
@@ -221,3 +221,3 @@
/* TCP flags */
-$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
+$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");...haven't tested it yet but that seems to cover it. It's late here so I'm going to turn in. I'll take a look at this in the morning and test it out. For now I figure it's worth posting what I have so far in case--for whatever reason--this functionality was deliberately left out and there is no desire for its inclusion.
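Review bot: the `+` line for guiconfig.inc does more than append ece and cwr; it also reorders the six existing entries from fin, syn, rst, psh, ack, urg to syn, ack, fin, rst, psh, urg. If the reorder is not intended, keep the existing order and only append the two new names so the change stays limited to what the subject describes. The same `$tcpflags` list is also edited in globals.inc in this patch, so the two copies have to be kept in step by hand; a single definition would avoid that.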
-
Is this supported by pf(4) ?
-
@ermal:
Is this supported by pf(4) ?
Indeed!
http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5
flags <a> /<b> | /<b> | any
    This rule only applies to TCP packets that have the flags <a> set
    out of set <b>. Flags not specified in <b> are ignored. For
    stateful connections, the default is flags S/SA. To indicate that
    flags should not be checked at all, specify flags any. The flags
    are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
-
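How the `flags <a>/<b>` matching quoted from pf.conf(5) above treats ECE and CWR, as an added Python example that is not part of the thread and not pf or pfSense code. The bit values are the standard TCP header flag bits; the function names and sample packets are constructed for illustration.

```python
# Added illustration, not pf or pfSense source: evaluate a pf.conf
# "flags <a>/<b>" expression against the flags byte of a TCP header.

# Standard TCP header flag bits, keyed by the letters pf.conf uses.
PF_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def letters_to_bits(letters):
    """Turn a string such as "SA" into a bitmask, rejecting unknown letters."""
    bits = 0
    for ch in letters.upper():
        if ch not in PF_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= PF_FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec):
    """Parse "a/b", "/b" or "any" into (want, mask); "any" gives (0, 0)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return 0, 0
    a, sep, b = spec.partition("/")
    if not sep or not b:
        raise ValueError("expected <a>/<b>, /<b> or any")
    want, mask = letters_to_bits(a), letters_to_bits(b)
    if want & ~mask:
        # A flag required by <a> but ignored by <b> could never match.
        raise ValueError("flags in <a> must also appear in <b>")
    return want, mask


def flags_match(spec, tcp_flags):
    """True when, among the flags in <b>, exactly those in <a> are set."""
    want, mask = parse_flags_spec(spec)
    return (tcp_flags & mask) == want


# Constructed sample packets: (description, TCP flags byte).
SAMPLES = [("plain SYN", 0x02), ("SYN+ECE+CWR (ECN setup)", 0xC2),
           ("SYN+ACK", 0x12), ("ACK+ECE", 0x50)]

if __name__ == "__main__":
    for rule in ("S/SA", "S/SAEW", "SEW/SAEW", "E/E", "any"):
        hits = [name for name, bits in SAMPLES if flags_match(rule, bits)]
        print(f"flags {rule:<9} matches {hits}")
```

With the default `S/SA`, a SYN that also carries ECE and CWR matches exactly like a plain SYN, because flags outside `<b>` are ignored; only a `<b>` set that includes E and W can tell the two apart.
-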
I'm wondering if there was any specific reason the order of the tcpflags was rearranged in guiconfig.inc as compared to globals.inc and the pf.conf man page. If so I guess the appropriate patch would be:
–- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
+++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
@@ -221,3 +221,3 @@
/* TCP flags */
-$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
+$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr"); -
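Review bot: the `+++` header names /usr/local/www/guiconfig.new.txt while the old side is /usr/local/www/guiconfig.inc, so the two paths disagree; regenerate the diff with both headers naming guiconfig.inc so the target is unambiguous. The old-file header also begins with `–-` rather than `---`, which is not a valid unified-diff file header as posted.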
I made this patch into a pull request on github.
https://github.com/bsdperimeter/pfsense/pull/233
-
I need this,
because I want to try to crack the Country Firewall block.
http://www.certmag.com/read.php?start=0&in=3906