 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  Lasse Österberg <lasse at blirp dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bug or Feature request.....
 Date:  Sun, 8 Feb 2004 13:57:57 +0100
Hi Lasse!

First of all, thanks for debugging!


> When adding the "high" port range (1024-65535) to a firewall rule it would
> be nice to have it available in the dropdown list as "High ports".
Would be nice, but IMHO low prio.

> If you type in the range 1024-65535 as source ports and apply the changes
> the rule doesn't get added to ipf and you don't get an error message that
> says that the rule parser failed, still the rule looks OK in the webgui.
Confirmed.

> This is because ipf doesn't like ports higher than 65535 and when you type
> 65535 in the webgui the parser tries to build a rule with port < 65536
> which doesn't work. This is easy to get past as I can type 65534 as the
> upper source port. (Now that I know this...)
Not a good idea, because you won't filter port 65535 (only ports less
than 65535).

> It would also be nice if there were some kind of validation of the ports
> field or even the rule set, because I can type 99999 as a port nr and click
> save, apply changes and don't get any kind of indications that I've done
> something wrong.
Yes, an error page should be presented as long as the WebGUI will
show this entry as accepted! Really bad behavior (no problem for a pro,
but this isn't what m0n0wall was built for).

In the meantime, here is a little patch for the first problem. Now it
is possible to define high ports as 1024-65535 and a correct rule will
be built. I don't think I have enough time to write the validation
and/or feature (high-ports through WebGUI) code. Maybe Manuel or anyone
else can write a patch for this?

Ciao ...
	... PIT ...

---------------------------------------------------------------------------
 copyleft(c) by |   _-_     <Stealth> How do I bind a computer to an NIS
 Peter Allgeyer | 0(o_o)0   server? <Joey> Use a rope?  -- Seen on #Debian
---------------oOO--(_)--OOo-----------------------------------------------
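
The range handling and the missing validation discussed in this message, as an added example that is not part of the original mail or of m0n0wall's filter.inc. The helpers parse_port() and build_port_expr() are hypothetical names, and the use of ipf's exclusive "><" range operator for the general case is an assumption about what the rule builder emits.

```php
<?php
// Added example: validate a port range, then render it as an ipf port
// expression. Hypothetical helpers, not m0n0wall code.

const PORT_MIN = 1;
const PORT_MAX = 65535;

function parse_port(string $s): int {
    // Accept plain decimal digits only; rejects "", "80a", "-1", " 80".
    if (!preg_match('/^[0-9]{1,5}$/', $s)) {
        throw new InvalidArgumentException("port '$s' is not a number");
    }
    $p = (int)$s;
    if ($p < PORT_MIN || $p > PORT_MAX) {
        throw new InvalidArgumentException("port $p is outside 1-65535");
    }
    return $p;
}

function build_port_expr(string $from, string $to = ''): string {
    $lo = parse_port($from);
    $hi = ($to === '') ? $lo : parse_port($to);
    if ($lo > $hi) {
        throw new InvalidArgumentException("range $lo-$hi is reversed");
    }
    if ($lo === $hi) {
        return "port = $lo";
    }
    if ($hi === PORT_MAX) {
        return "port >= $lo";      // avoids the unrepresentable 65536
    }
    if ($lo === PORT_MIN) {
        return "port <= $hi";      // avoids a lower bound of 0
    }
    // "><" excludes both ends, so widen by one on each side; after the
    // checks above the widened bounds stay within 1..65535.
    return sprintf('port %d >< %d', $lo - 1, $hi + 1);
}

// Constructed sample inputs, including the cases raised in the thread.
foreach ([['1024', '65535'], ['1', '1023'], ['80', ''], ['6000', '6063'],
          ['1024', '65534'], ['99999', '']] as [$a, $b]) {
    $label = ($b === '') ? $a : "$a-$b";
    try {
        printf("%-12s %s\n", $label, build_port_expr($a, $b));
    } catch (InvalidArgumentException $e) {
        printf("%-12s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Rejecting the input before any rule text is built is what lets the form handler show an error instead of saving a rule that ipf later refuses.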
--- filter.inc.orig	2004-02-08 00:56:43.000000000 +0100
+++ filter.inc	2004-02-08 13:13:30.000000000 +0100
@@ -608,6 +608,13 @@
 					
 					if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
 						$line .= "port = {$srcport[0]} ";
+					/* be aware that srcport has to be between 1 and 65535 included */
+					} else if (($srcport[0]) && ($srcport[1] == 65535)) {
+						/* bugfix for portrange /w $srcport[1] == 65535 */
+						$line .= "port >= {$srcport[0]} "; 
+					} else if (($srcport[0] == 1) && ($srcport[1])) {
+						/* bugfix for portrange /w $srcport[0] == 1 */
+						$line .= "port <= {$srcport[1]} "; 
 					} else {
 						$srcport[0]--;
 						$srcport[1]++;
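
Review bot: the two new "else if" branches rely on the range stated in the added comment ("between 1 and 65535 included"), but nothing in this hunk enforces it, so an upper bound such as 99999 still falls through to the final "else", where "$srcport[1]++" builds an out-of-range limit exactly as before. Suggest rejecting any port outside 1-65535 before this chain is reached, so the edge cases handled here are the only ones that can occur. Minor: the "be aware" comment sits inside the body of the preceding "if" branch, after its "$line .=" statement; moving it above the whole "if" would make clear it applies to every branch. The two added "$line .=" lines also end in trailing whitespace.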