Netgate Discussion Forum

Adding filtering for TCP flags (E)CE and C(W)R

6 Posts 4 Posters 5.3k Views
    al1x
    last edited by Sep 19, 2012, 5:37 AM Sep 19, 2012, 5:35 AM

    There seems to be no way to include TCP flags ECE and CWR in filter rules. I'm curious as to why they were left out and, barring any objections, would like to submit patches* for inclusion.

    *My PHP-fu is weak as I've picked up the language only recently while reviewing the pfSense sources.

    --- /etc/inc/globals.inc Tue Sep 18 23:56:11 2012
    +++ /etc/inc/globals.inc Tue Sep 18 23:56:02 2012
    @@ -102,3 +102,3 @@
    /* TCP flags */
    -$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg");
    +$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");

    --- /etc/inc/filter.inc Wed Sep 19 00:13:36 2012
    +++ /etc/inc/filter.inc Wed Sep 19 00:13:33 2012
    @@ -2201,13 +2201,19 @@
    if (!empty($rule['tcpflags1'])) {
    $flags1 = explode(",", $rule['tcpflags1']);
    foreach ($flags1 as $flag1)

    • $aline['flags'] .= strtoupper($flag1[0]);
    • if($flag1[0] == "c")
    • $aline['flags'] .= "W";
    • else
    • $aline['flags'] .= strtoupper($flag1[0]);
      }
      $aline['flags'] .= "/";
      if (!empty($rule['tcpflags2'])) {
      $flags2 = explode(",", $rule['tcpflags2']);
      foreach ($flags2 as $flag2)
    • $aline['flags'] .= strtoupper($flag2[0]);
    • if($flag2[0] == "c")
    • $aline['flags'] .= "W";
    • else
    • $aline['flags'] .= strtoupper($flag2[0]);
      }
      $aline['flags'] .= " ";
      } else
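    Review bot: the `if($flag1[0] == "c")` branch derives the pf letter from the first character of the flag name and the same four lines are then repeated verbatim for `tcpflags2`; a single name-to-letter lookup used by both loops (a full map of all eight names to F, S, R, P, A, U, E, W, or at minimum `array("cwr" => "W")` with `strtoupper($flag[0])` as the fallback) would remove the duplication and let the code reject a name that is not in `$tcpflags` instead of emitting an arbitrary letter into the generated pf rule. Braces around the `foreach` bodies would also make the new multi-line body explicit. Note as well that the removed and added lines of this hunk have lost their `-`/`+` markers as posted (they show as bullets), so the patch will not apply as pasted.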

    –- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
    +++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
    @@ -221,3 +221,3 @@
    /* TCP flags */
    -$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
    +$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");
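    Review bot: besides appending `ece` and `cwr`, this hunk reorders the six existing entries (fin, syn, rst, psh, ack, urg becomes syn, ack, fin, rst, psh, urg), which changes the checkbox order users see in the GUI and is unrelated to the stated change; keep the existing order and only append the two new names. The `+++` header also names `guiconfig.new.txt` rather than `guiconfig.inc`, and the `---` marker is mangled, so the header needs fixing before the hunk can apply. Having the same list maintained in both globals.inc and guiconfig.inc is also how the two copies drifted apart; it is worth checking whether guiconfig.inc can reuse the definition from globals.inc instead.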

    ...haven't tested it yet but that seems to cover it. It's late here so I'm going to turn in. I'll take a look at this in the morning and test it out. For now I figure it's worth posting what I have so far in case, for whatever reason, this functionality was deliberately left out and there is no desire for its inclusion.

      eri--
      last edited by Sep 20, 2012, 8:24 AM

      Is this supported by pf(4) ?

        al1x
        last edited by Sep 21, 2012, 8:41 PM Sep 21, 2012, 4:49 PM

        @ermal:

        Is this supported by pf(4) ?

        Indeed!

        http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

        flags <a>/<b> | /<b> | any
          This rule only applies to TCP packets that have the flags <a> set
          out of set <b>.  Flags not specified in <b> are ignored.  For
          stateful connections, the default is flags S/SA.  To indicate that
          flags should not be checked at all, specify flags any.  The flags
          are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.

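Added example, not pfSense code: a small Python model of the two things this thread touches, translating pfSense's lower-case flag names into pf's single letters (where C(W)R is the one name whose letter is not its initial) and evaluating a pf `flags <a>/<b>` specification against a packet's TCP flags byte with the semantics quoted from pf.conf(5) above. The name-to-letter table and function names are this example's own; the bit values are the standard RFC 793/RFC 3168 ones.

```python
# TCP flag bit positions from RFC 793 (FIN..URG) and RFC 3168 (ECE, CWR).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
                 "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}

# pf(4) letter for each pfSense flag name: the initial, except C(W)R -> "W".
# This explicit table replaces a first-character special case, so an unknown
# name fails loudly instead of emitting a stray letter into a pf rule.
PF_LETTER = {"fin": "F", "syn": "S", "rst": "R", "psh": "P",
             "ack": "A", "urg": "U", "ece": "E", "cwr": "W"}

LETTER_BITS = {PF_LETTER[name]: bit for name, bit in TCP_FLAG_BITS.items()}


def pf_flags_string(set_names, mask_names):
    """Build the pf 'flags <a>/<b>' argument from two comma-separated
    lists of pfSense flag names (the tcpflags1 / tcpflags2 rule fields)."""
    def letters(csv):
        out = ""
        for name in filter(None, csv.split(",")):
            if name not in PF_LETTER:
                raise ValueError(f"unknown TCP flag name {name!r}")
            out += PF_LETTER[name]
        return out
    return f"{letters(set_names)}/{letters(mask_names)}"


def pf_flags_match(spec, pkt_flags):
    """True if a packet's TCP flags byte satisfies a pf flags spec.

    spec is '<a>/<b>', '/<b>' or 'any'. Per pf.conf(5), only the bits named
    in <b> are examined, and those must be exactly the bits named in <a>;
    bits outside <b> (for example ECE/CWR on an ECN-setup SYN) are ignored."""
    if spec == "any":
        return True
    set_part, mask_part = spec.split("/")
    want = sum(LETTER_BITS[c] for c in set_part)
    mask = sum(LETTER_BITS[c] for c in mask_part)
    return (pkt_flags & mask) == (want & mask)


if __name__ == "__main__":
    # Constructed sample: the default stateful spec versus an ECN-setup SYN.
    spec = pf_flags_string("syn", "syn,ack")          # "S/SA"
    ecn_syn = TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ece"] | TCP_FLAG_BITS["cwr"]
    print(spec, pf_flags_match(spec, ecn_syn))        # matches: E/W not in mask
    print(pf_flags_match("/WE", ecn_syn))             # False: requires both clear
```

The `/WE` case shows the new flags in use: with an empty set part and ECE, CWR in the mask, only packets with both ECN bits clear match.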
          al1x
          last edited by Sep 28, 2012, 7:29 PM

          I'm wondering if there was any specific reason the order of the tcpflags was rearranged in guiconfig.inc as compared to globals.inc and the pf.conf man page. If so I guess the appropriate patch would be:

          –- /usr/local/www/guiconfig.inc   Wed Sep 19 00:27:47 2012
          +++ /usr/local/www/guiconfig.new.txt   Wed Sep 19 00:28:58 2012
          @@ -221,3 +221,3 @@
          /* TCP flags */
          -$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
          +$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr");
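          Review bot: this version keeps the existing order and only appends the two new names, which is the right scope for the change; the `+++` header still names `guiconfig.new.txt` instead of `guiconfig.inc` and the leading `---` marker is mangled, so correct the header before submitting or the hunk will not apply to the real file.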

            bardelot
            last edited by Oct 1, 2012, 1:07 PM

            I made this patch into a pull request on github.
            https://github.com/bsdperimeter/pfsense/pull/233

              yon
              last edited by Nov 6, 2012, 2:48 AM

              I need this.

              because I want to try to crack a country firewall block.

              http://www.certmag.com/read.php?start=0&in=3906

              If you are interested in free peering for clearnet and dn42,contact me !

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.