Adding filtering for TCP flags (E)CE and C(W)R



  • There seems to be no way to include TCP flags ECE and CWR to filter rules. I'm curious as to why they were left out and--barring any objections--would like to submit patches* for inclusion.

    *My PHP-fu is weak as I've picked up the language only recently while reviewing the pfSense sources.

    --- /etc/inc/globals.inc Tue Sep 18 23:56:11 2012
    +++ /etc/inc/globals.inc Tue Sep 18 23:56:02 2012
    @@ -102,3 +102,3 @@
    /* TCP flags */
    -$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg");
    +$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");
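    Review bot: appending "ece" and "cwr" here must not land without the matching filter.inc change, because the existing rule generation emits strtoupper($flag[0]) and would turn "cwr" into "C", a letter the pf.conf(5) flag list ((F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, C(W)R) does not define; the generated rule would then not be valid pf.conf. Land the two hunks together.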

    --- /etc/inc/filter.inc Wed Sep 19 00:13:36 2012
    +++ /etc/inc/filter.inc Wed Sep 19 00:13:33 2012
    @@ -2201,13 +2201,19 @@
    if (!empty($rule['tcpflags1'])) {
    $flags1 = explode(",", $rule['tcpflags1']);
    foreach ($flags1 as $flag1)

    • $aline['flags'] .= strtoupper($flag1[0]);
    • if($flag1[0] == "c")
    • $aline['flags'] .= "W";
    • else
    • $aline['flags'] .= strtoupper($flag1[0]);
      }
      $aline['flags'] .= "/";
      if (!empty($rule['tcpflags2'])) {
      $flags2 = explode(",", $rule['tcpflags2']);
      foreach ($flags2 as $flag2)
    • $aline['flags'] .= strtoupper($flag2[0]);
    • if($flag2[0] == "c")
    • $aline['flags'] .= "W";
    • else
    • $aline['flags'] .= strtoupper($flag2[0]);
      }
      $aline['flags'] .= " ";
      } else
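    Review bot: the name-to-letter mapping is done by first character with a special case for "c", and the same four lines are pasted twice (flags1 and flags2). A single helper with a lookup table keyed by the full name ('ece' => 'E', 'cwr' => 'W', ...) would make the intent explicit, reject an unknown name instead of emitting a wrong letter, and keep both loops identical. Also, the '-' and '+' markers of this hunk were rendered as bullets when posted, so it cannot be applied as shown; attach the diff as a file or post it in a code block.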

    –- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
    +++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
    @@ -221,3 +221,3 @@
    /* TCP flags */
    -$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
    +$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");
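    Review bot: besides appending "ece" and "cwr", this hunk reorders the six existing entries (fin, syn, rst, psh, ack, urg become syn, ack, fin, rst, psh, urg), which changes the order shown in the GUI and is unrelated to the feature; keep the existing order and only append the two new names. Note also that $tcpflags is now maintained in both globals.inc and guiconfig.inc, which is how the two lists drifted apart in the first place; one definition would avoid that.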

    ...haven't tested it yet but that seems to cover it. It's late here so I'm going to turn in. I'll take a look at this in the morning and test it out. For now I figure it's worth posting what I have so far in case--for whatever reason--this functionality was deliberately left out and there is no desire for its inclusion.



  • Is this supported by pf(4)?



  • @ermal:

    Is this supported by pf(4)?

    Indeed!

    http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

    flags <a>/<b> | /<b> | any
      This rule only applies to TCP packets that have the flags <a> set
      out of set <b>.  Flags not specified in <b> are ignored.  For
      stateful connections, the default is flags S/SA.  To indicate that
      flags should not be checked at all, specify flags any.  The flags
      are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
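To make the man page's syntax concrete, here is an added Python example (my own, not code from pf or pfSense) that turns pfSense's lowercase flag names into pf.conf letters, including the cwr -> W case this thread is about, and evaluates a "flags <a>/<b>" spec against a TCP flags byte using the (flags & <b>) == <a> check pf applies. The function names are my own; the bit values are the standard TCP header flag bits.

```python
# Added example, not pf or pfSense code: pfSense flag names -> pf.conf letters,
# and the pf.conf(5) "flags <a>/<b>" check applied to a TCP flags byte.
# Letter pf.conf uses for each flag, keyed by the lowercase name pfSense's
# $tcpflags list uses. Note that "cwr" maps to "W", not to its first character.
PF_FLAG_LETTER = {
    "fin": "F", "syn": "S", "rst": "R", "psh": "P",
    "ack": "A", "urg": "U", "ece": "E", "cwr": "W",
}

# Bit values of the TCP header flags (RFC 793, plus the RFC 3168 ECN bits).
TCP_FLAG_BIT = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}

def names_to_letters(names):
    """'syn,cwr' -> 'SW'. Unknown names raise instead of yielding a bad letter."""
    letters = []
    for name in names.split(","):
        name = name.strip().lower()
        if not name:
            continue
        if name not in PF_FLAG_LETTER:
            raise ValueError(f"unknown TCP flag name {name!r}")
        letters.append(PF_FLAG_LETTER[name])
    return "".join(letters)

def build_flags_spec(set_names, check_names):
    """pfSense tcpflags1/tcpflags2 -> pf.conf spec, e.g. ('syn,cwr', 'syn,ack,cwr')
    -> 'SW/SAW'. An empty check set means the flags are not inspected ('any')."""
    if not check_names:
        return "any"
    return f"{names_to_letters(set_names)}/{names_to_letters(check_names)}"

def letters_to_mask(letters):
    mask = 0
    for ch in letters:
        if ch not in TCP_FLAG_BIT:
            raise ValueError(f"unknown pf flag letter {ch!r}")
        mask |= TCP_FLAG_BIT[ch]
    return mask

def flags_match(spec, packet_flags):
    """pf tests (flags & <b>) == <a>; bits outside <b> are ignored, as pf.conf(5)
    says. Returns True when the packet's flags byte satisfies the spec."""
    if spec == "any":
        return True
    set_letters, _, check_letters = spec.partition("/")
    return (packet_flags & letters_to_mask(check_letters)) == letters_to_mask(set_letters)
```

A SYN carrying the ECN-setup bits (SYN+ECE+CWR, flags byte 0xC2) still matches the default S/SA because E and W are outside the checked set, while a rule written as SW/SAW only matches when CWR is actually set.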



  • I'm wondering if there was any specific reason the order of the tcpflags was rearranged in guiconfig.inc as compared to globals.inc and the pf.conf man page. If so I guess the appropriate patch would be:

    –- /usr/local/www/guiconfig.inc   Wed Sep 19 00:27:47 2012
    +++ /usr/local/www/guiconfig.new.txt   Wed Sep 19 00:28:58 2012
    @@ -221,3 +221,3 @@
    /* TCP flags */
    -$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
    +$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr");
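    Review bot: this version keeps the existing fin/syn/rst/psh/ack/urg order and only appends "ece" and "cwr", so it leaves the GUI's list order alone; prefer it over the reordered variant. The '+++' side still names guiconfig.new.txt rather than guiconfig.inc, so regenerate the diff against the in-tree file before submitting.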



  • I made this patch into a pull request on github.
    https://github.com/bsdperimeter/pfsense/pull/233



  • I need this.

    Because I want to try to crack the country firewall block.

    http://www.certmag.com/read.php?start=0&in=3906

