|
1
|
#!/usr/local/bin/php
|
|
2
|
<?php
|
|
3
|
/*
|
|
4
|
firewall_rules_edit.php
|
|
5
|
Copyright (C) 2004 Scott Ullrich
|
|
6
|
All rights reserved.
|
|
7
|
|
|
8
|
originally part of m0n0wall (http://m0n0.ch/wall)
|
|
9
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
|
10
|
All rights reserved.
|
|
11
|
|
|
12
|
Redistribution and use in source and binary forms, with or without
|
|
13
|
modification, are permitted provided that the following conditions are met:
|
|
14
|
|
|
15
|
1. Redistributions of source code must retain the above copyright notice,
|
|
16
|
this list of conditions and the following disclaimer.
|
|
17
|
|
|
18
|
2. Redistributions in binary form must reproduce the above copyright
|
|
19
|
notice, this list of conditions and the following disclaimer in the
|
|
20
|
documentation and/or other materials provided with the distribution.
|
|
21
|
|
|
22
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
23
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
24
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
25
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
26
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
27
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
28
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
29
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
30
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
31
|
POSSIBILITY OF SUCH DAMAGE.
|
|
32
|
*/
|
|
33
|
|
|
34
|
require("guiconfig.inc");
|
|
35
|
|
|
36
|
$specialsrcdst = explode(" ", "any lan pptp");
|
|
37
|
|
|
38
|
if (!is_array($config['filter']['rule'])) {
|
|
39
|
$config['filter']['rule'] = array();
|
|
40
|
}
|
|
41
|
filter_rules_sort();
|
|
42
|
$a_filter = &$config['filter']['rule'];
|
|
43
|
|
|
44
|
$id = $_GET['id'];
|
|
45
|
if (is_numeric($_POST['id']))
|
|
46
|
$id = $_POST['id'];
|
|
47
|
|
|
48
|
$after = $_GET['after'];
|
|
49
|
|
|
50
|
if (isset($_POST['after']))
|
|
51
|
$after = $_POST['after'];
|
|
52
|
|
|
53
|
if (isset($_GET['dup'])) {
|
|
54
|
$id = $_GET['dup'];
|
|
55
|
$after = $_GET['dup'];
|
|
56
|
}
|
|
57
|
|
|
58
|
function is_specialnet($net) {
|
|
59
|
global $specialsrcdst;
|
|
60
|
|
|
61
|
if (in_array($net, $specialsrcdst) || strstr($net, "opt"))
|
|
62
|
return true;
|
|
63
|
else
|
|
64
|
return false;
|
|
65
|
}
|
|
66
|
|
|
67
|
function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) {
|
|
68
|
|
|
69
|
if (isset($adr['any']))
|
|
70
|
$padr = "any";
|
|
71
|
else if ($adr['network'])
|
|
72
|
$padr = $adr['network'];
|
|
73
|
else if ($adr['address']) {
|
|
74
|
list($padr, $pmask) = explode("/", $adr['address']);
|
|
75
|
if (!$pmask)
|
|
76
|
$pmask = 32;
|
|
77
|
}
|
|
78
|
|
|
79
|
if (isset($adr['not']))
|
|
80
|
$pnot = 1;
|
|
81
|
else
|
|
82
|
$pnot = 0;
|
|
83
|
|
|
84
|
if ($adr['port']) {
|
|
85
|
list($pbeginport, $pendport) = explode("-", $adr['port']);
|
|
86
|
if (!$pendport)
|
|
87
|
$pendport = $pbeginport;
|
|
88
|
} else {
|
|
89
|
$pbeginport = "any";
|
|
90
|
$pendport = "any";
|
|
91
|
}
|
|
92
|
}
|
|
93
|
|
|
94
|
function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) {
|
|
95
|
|
|
96
|
$adr = array();
|
|
97
|
|
|
98
|
if ($padr == "any")
|
|
99
|
$adr['any'] = true;
|
|
100
|
else if (is_specialnet($padr))
|
|
101
|
$adr['network'] = $padr;
|
|
102
|
else {
|
|
103
|
$adr['address'] = $padr;
|
|
104
|
if ($pmask != 32)
|
|
105
|
$adr['address'] .= "/" . $pmask;
|
|
106
|
}
|
|
107
|
|
|
108
|
$adr['not'] = $pnot ? true : false;
|
|
109
|
|
|
110
|
if (($pbeginport != 0) && ($pbeginport != "any")) {
|
|
111
|
if ($pbeginport != $pendport)
|
|
112
|
$adr['port'] = $pbeginport . "-" . $pendport;
|
|
113
|
else
|
|
114
|
$adr['port'] = $pbeginport;
|
|
115
|
}
|
|
116
|
}
|
|
117
|
|
|
118
|
if (isset($id) && $a_filter[$id]) {
|
|
119
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
|
120
|
|
|
121
|
if (!isset($a_filter[$id]['type']))
|
|
122
|
$pconfig['type'] = "pass";
|
|
123
|
else
|
|
124
|
$pconfig['type'] = $a_filter[$id]['type'];
|
|
125
|
|
|
126
|
if (isset($a_filter[$id]['protocol']))
|
|
127
|
$pconfig['proto'] = $a_filter[$id]['protocol'];
|
|
128
|
else
|
|
129
|
$pconfig['proto'] = "any";
|
|
130
|
|
|
131
|
if ($a_filter[$id]['protocol'] == "icmp")
|
|
132
|
$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
|
|
133
|
|
|
134
|
address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
|
|
135
|
$pconfig['srcmask'], $pconfig['srcnot'],
|
|
136
|
$pconfig['srcbeginport'], $pconfig['srcendport']);
|
|
137
|
|
|
138
|
address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
|
|
139
|
$pconfig['dstmask'], $pconfig['dstnot'],
|
|
140
|
$pconfig['dstbeginport'], $pconfig['dstendport']);
|
|
141
|
|
|
142
|
$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
|
|
143
|
$pconfig['log'] = isset($a_filter[$id]['log']);
|
|
144
|
$pconfig['frags'] = isset($a_filter[$id]['frags']);
|
|
145
|
$pconfig['descr'] = $a_filter[$id]['descr'];
|
|
146
|
|
|
147
|
|
|
148
|
} else {
|
|
149
|
/* defaults */
|
|
150
|
$pconfig['type'] = "pass";
|
|
151
|
$pconfig['src'] = "any";
|
|
152
|
$pconfig['dst'] = "any";
|
|
153
|
}
|
|
154
|
|
|
155
|
if (isset($_GET['dup']))
|
|
156
|
unset($id);
|
|
157
|
|
|
158
|
if ($_POST) {
|
|
159
|
|
|
160
|
if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
|
|
161
|
$_POST['srcbeginport'] = 0;
|
|
162
|
$_POST['srcendport'] = 0;
|
|
163
|
$_POST['dstbeginport'] = 0;
|
|
164
|
$_POST['dstendport'] = 0;
|
|
165
|
} else {
|
|
166
|
|
|
167
|
if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
|
|
168
|
$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
|
|
169
|
if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
|
|
170
|
$_POST['srcendport'] = $_POST['srcendport_cust'];
|
|
171
|
|
|
172
|
if ($_POST['srcbeginport'] == "any") {
|
|
173
|
$_POST['srcbeginport'] = 0;
|
|
174
|
$_POST['srcendport'] = 0;
|
|
175
|
} else {
|
|
176
|
if (!$_POST['srcendport'])
|
|
177
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
178
|
}
|
|
179
|
if ($_POST['srcendport'] == "any")
|
|
180
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
181
|
|
|
182
|
if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
|
|
183
|
$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
|
|
184
|
if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
|
|
185
|
$_POST['dstendport'] = $_POST['dstendport_cust'];
|
|
186
|
|
|
187
|
if ($_POST['dstbeginport'] == "any") {
|
|
188
|
$_POST['dstbeginport'] = 0;
|
|
189
|
$_POST['dstendport'] = 0;
|
|
190
|
} else {
|
|
191
|
if (!$_POST['dstendport'])
|
|
192
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
193
|
}
|
|
194
|
if ($_POST['dstendport'] == "any")
|
|
195
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
196
|
}
|
|
197
|
|
|
198
|
if (is_specialnet($_POST['srctype'])) {
|
|
199
|
$_POST['src'] = $_POST['srctype'];
|
|
200
|
$_POST['srcmask'] = 0;
|
|
201
|
} else if ($_POST['srctype'] == "single") {
|
|
202
|
$_POST['srcmask'] = 32;
|
|
203
|
}
|
|
204
|
if (is_specialnet($_POST['dsttype'])) {
|
|
205
|
$_POST['dst'] = $_POST['dsttype'];
|
|
206
|
$_POST['dstmask'] = 0;
|
|
207
|
} else if ($_POST['dsttype'] == "single") {
|
|
208
|
$_POST['dstmask'] = 32;
|
|
209
|
}
|
|
210
|
|
|
211
|
unset($input_errors);
|
|
212
|
$pconfig = $_POST;
|
|
213
|
|
|
214
|
/* input validation */
|
|
215
|
$reqdfields = explode(" ", "type interface proto src dst");
|
|
216
|
$reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination");
|
|
217
|
|
|
218
|
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
|
|
219
|
$reqdfields[] = "srcmask";
|
|
220
|
$reqdfieldsn[] = "Source bit count";
|
|
221
|
}
|
|
222
|
if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
|
|
223
|
$reqdfields[] = "dstmask";
|
|
224
|
$reqdfieldsn[] = "Destination bit count";
|
|
225
|
}
|
|
226
|
|
|
227
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
|
|
228
|
|
|
229
|
if (!$_POST['srcbeginport']) {
|
|
230
|
$_POST['srcbeginport'] = 0;
|
|
231
|
$_POST['srcendport'] = 0;
|
|
232
|
}
|
|
233
|
if (!$_POST['dstbeginport']) {
|
|
234
|
$_POST['dstbeginport'] = 0;
|
|
235
|
$_POST['dstendport'] = 0;
|
|
236
|
}
|
|
237
|
|
|
238
|
if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) {
|
|
239
|
$input_errors[] = "The start source port must be an integer between 1 and 65535.";
|
|
240
|
}
|
|
241
|
if (($_POST['srcendport'] && !is_port($_POST['srcendport']))) {
|
|
242
|
$input_errors[] = "The end source port must be an integer between 1 and 65535.";
|
|
243
|
}
|
|
244
|
if (($_POST['dstbeginport'] && !is_port($_POST['dstbeginport']))) {
|
|
245
|
$input_errors[] = "The start destination port must be an integer between 1 and 65535.";
|
|
246
|
}
|
|
247
|
if (($_POST['dstendport'] && !is_port($_POST['dstendport']))) {
|
|
248
|
$input_errors[] = "The end destination port must be an integer between 1 and 65535.";
|
|
249
|
}
|
|
250
|
|
|
251
|
if (!is_specialnet($_POST['srctype'])) {
|
|
252
|
if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
|
|
253
|
$input_errors[] = "A valid source IP address or alias must be specified.";
|
|
254
|
}
|
|
255
|
if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
|
|
256
|
$input_errors[] = "A valid source bit count must be specified.";
|
|
257
|
}
|
|
258
|
}
|
|
259
|
if (!is_specialnet($_POST['dsttype'])) {
|
|
260
|
if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
|
|
261
|
$input_errors[] = "A valid destination IP address or alias must be specified.";
|
|
262
|
}
|
|
263
|
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
|
|
264
|
$input_errors[] = "A valid destination bit count must be specified.";
|
|
265
|
}
|
|
266
|
}
|
|
267
|
|
|
268
|
if ($_POST['srcbeginport'] > $_POST['srcendport']) {
|
|
269
|
/* swap */
|
|
270
|
$tmp = $_POST['srcendport'];
|
|
271
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
272
|
$_POST['srcbeginport'] = $tmp;
|
|
273
|
}
|
|
274
|
if ($_POST['dstbeginport'] > $_POST['dstendport']) {
|
|
275
|
/* swap */
|
|
276
|
$tmp = $_POST['dstendport'];
|
|
277
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
278
|
$_POST['dstbeginport'] = $tmp;
|
|
279
|
}
|
|
280
|
|
|
281
|
if (!$input_errors) {
|
|
282
|
$filterent = array();
|
|
283
|
$filterent['type'] = $_POST['type'];
|
|
284
|
$filterent['interface'] = $_POST['interface'];
|
|
285
|
$filterent['creategif'] = $_POST['creategif'];
|
|
286
|
|
|
287
|
if ($_POST['proto'] != "any")
|
|
288
|
$filterent['protocol'] = $_POST['proto'];
|
|
289
|
else
|
|
290
|
unset($filterent['protocol']);
|
|
291
|
|
|
292
|
if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
|
|
293
|
$filterent['icmptype'] = $_POST['icmptype'];
|
|
294
|
else
|
|
295
|
unset($filterent['icmptype']);
|
|
296
|
|
|
297
|
pconfig_to_address($filterent['source'], $_POST['src'],
|
|
298
|
$_POST['srcmask'], $_POST['srcnot'],
|
|
299
|
$_POST['srcbeginport'], $_POST['srcendport']);
|
|
300
|
|
|
301
|
pconfig_to_address($filterent['destination'], $_POST['dst'],
|
|
302
|
$_POST['dstmask'], $_POST['dstnot'],
|
|
303
|
$_POST['dstbeginport'], $_POST['dstendport']);
|
|
304
|
|
|
305
|
$filterent['disabled'] = $_POST['disabled'] ? true : false;
|
|
306
|
$filterent['log'] = $_POST['log'] ? true : false;
|
|
307
|
$filterent['frags'] = $_POST['frags'] ? true : false;
|
|
308
|
$filterent['descr'] = $_POST['descr'];
|
|
309
|
|
|
310
|
if (isset($id) && $a_filter[$id])
|
|
311
|
$a_filter[$id] = $filterent;
|
|
312
|
else {
|
|
313
|
if (is_numeric($after))
|
|
314
|
array_splice($a_filter, $after+1, 0, array($filterent));
|
|
315
|
else
|
|
316
|
$a_filter[] = $filterent;
|
|
317
|
}
|
|
318
|
|
|
319
|
/* ALTQ */
|
|
320
|
$filterent['direction'] = $_POST['direction'];
|
|
321
|
$filterent['queue'] = $_POST['queue'];
|
|
322
|
|
|
323
|
write_config();
|
|
324
|
touch($d_filterconfdirty_path);
|
|
325
|
|
|
326
|
header("Location: firewall_rules.php");
|
|
327
|
exit;
|
|
328
|
}
|
|
329
|
}
|
|
330
|
?>
|
|
331
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
332
|
<html>
|
|
333
|
<head>
|
|
334
|
<title><?=gentitle("Firewall: Rules: Edit");?></title>
|
|
335
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
|
|
336
|
<link href="gui.css" rel="stylesheet" type="text/css">
|
|
337
|
<script language="JavaScript">
|
|
338
|
<!--
|
|
339
|
var portsenabled = 1;
|
|
340
|
var goingtofire = 1;
|
|
341
|
function ext_change() {
|
|
342
|
if ((document.iform.srcbeginport.selectedIndex == 0) && portsenabled) {
|
|
343
|
document.iform.srcbeginport_cust.disabled = 0;
|
|
344
|
} else {
|
|
345
|
document.iform.srcbeginport_cust.value = "";
|
|
346
|
document.iform.srcbeginport_cust.disabled = 1;
|
|
347
|
}
|
|
348
|
if ((document.iform.srcendport.selectedIndex == 0) && portsenabled) {
|
|
349
|
document.iform.srcendport_cust.disabled = 0;
|
|
350
|
} else {
|
|
351
|
document.iform.srcendport_cust.value = "";
|
|
352
|
document.iform.srcendport_cust.disabled = 1;
|
|
353
|
}
|
|
354
|
if ((document.iform.dstbeginport.selectedIndex == 0) && portsenabled) {
|
|
355
|
document.iform.dstbeginport_cust.disabled = 0;
|
|
356
|
} else {
|
|
357
|
document.iform.dstbeginport_cust.value = "";
|
|
358
|
document.iform.dstbeginport_cust.disabled = 1;
|
|
359
|
}
|
|
360
|
if ((document.iform.dstendport.selectedIndex == 0) && portsenabled) {
|
|
361
|
document.iform.dstendport_cust.disabled = 0;
|
|
362
|
} else {
|
|
363
|
document.iform.dstendport_cust.value = "";
|
|
364
|
document.iform.dstendport_cust.disabled = 1;
|
|
365
|
}
|
|
366
|
|
|
367
|
if (!portsenabled) {
|
|
368
|
document.iform.srcbeginport.disabled = 1;
|
|
369
|
document.iform.srcendport.disabled = 1;
|
|
370
|
document.iform.dstbeginport.disabled = 1;
|
|
371
|
document.iform.dstendport.disabled = 1;
|
|
372
|
} else {
|
|
373
|
document.iform.srcbeginport.disabled = 0;
|
|
374
|
document.iform.srcendport.disabled = 0;
|
|
375
|
document.iform.dstbeginport.disabled = 0;
|
|
376
|
document.iform.dstendport.disabled = 0;
|
|
377
|
}
|
|
378
|
}
|
|
379
|
|
|
380
|
function typesel_change(dstype) {
|
|
381
|
if(goingtofire != 0) return;
|
|
382
|
goingtofire = 1;
|
|
383
|
switch (document.iform.srctype.selectedIndex) {
|
|
384
|
case 1: /* single */
|
|
385
|
document.iform.src.disabled = 0;
|
|
386
|
document.iform.srcmask.value = "";
|
|
387
|
document.iform.srcmask.disabled = 1;
|
|
388
|
break;
|
|
389
|
case 2: /* network */
|
|
390
|
document.iform.src.disabled = 0;
|
|
391
|
document.iform.srcmask.disabled = 0;
|
|
392
|
break;
|
|
393
|
default:
|
|
394
|
document.iform.src.value = "";
|
|
395
|
document.iform.src.disabled = 1;
|
|
396
|
document.iform.srcmask.value = "";
|
|
397
|
document.iform.srcmask.disabled = 1;
|
|
398
|
break;
|
|
399
|
}
|
|
400
|
switch (document.iform.dsttype.selectedIndex) {
|
|
401
|
case 1: /* single */
|
|
402
|
document.iform.dst.disabled = 0;
|
|
403
|
document.iform.dstmask.value = "";
|
|
404
|
document.iform.dstmask.disabled = 1;
|
|
405
|
break;
|
|
406
|
case 2: /* network */
|
|
407
|
document.iform.dst.disabled = 0;
|
|
408
|
document.iform.dstmask.disabled = 0;
|
|
409
|
break;
|
|
410
|
default:
|
|
411
|
document.iform.dst.value = "";
|
|
412
|
document.iform.dst.disabled = 1;
|
|
413
|
document.iform.dstmask.value = "";
|
|
414
|
document.iform.dstmask.disabled = 1;
|
|
415
|
break;
|
|
416
|
}
|
|
417
|
if(dstype == "src") {
|
|
418
|
var selected = document.iform.srctype.selectedIndex;
|
|
419
|
var selectedtext = document.iform.srctype.options[selected].value;
|
|
420
|
document.iform.src.value = selectedtext;
|
|
421
|
document.iform.srctype.options[1].selected = true;
|
|
422
|
} else {
|
|
423
|
var selected = document.iform.dsttype.selectedIndex;
|
|
424
|
var selectedtext = document.iform.dsttype.options[selected].value;
|
|
425
|
document.iform.dst.value = selectedtext;
|
|
426
|
document.iform.dsttype.options[1].selected = true;
|
|
427
|
}
|
|
428
|
goingtofire = 0;
|
|
429
|
}
|
|
430
|
|
|
431
|
function proto_change() {
|
|
432
|
if (document.iform.proto.selectedIndex < 3) {
|
|
433
|
portsenabled = 1;
|
|
434
|
} else {
|
|
435
|
portsenabled = 0;
|
|
436
|
}
|
|
437
|
|
|
438
|
if (document.iform.proto.selectedIndex == 3) {
|
|
439
|
document.iform.icmptype.disabled = 0;
|
|
440
|
} else {
|
|
441
|
document.iform.icmptype.disabled = 1;
|
|
442
|
}
|
|
443
|
|
|
444
|
ext_change();
|
|
445
|
}
|
|
446
|
|
|
447
|
function src_rep_change() {
|
|
448
|
document.iform.srcendport.selectedIndex = document.iform.srcbeginport.selectedIndex;
|
|
449
|
}
|
|
450
|
function dst_rep_change() {
|
|
451
|
document.iform.dstendport.selectedIndex = document.iform.dstbeginport.selectedIndex;
|
|
452
|
}
|
|
453
|
//-->
|
|
454
|
</script>
|
|
455
|
</head>
|
|
456
|
|
|
457
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
|
458
|
<?php include("fbegin.inc"); ?>
|
|
459
|
<p class="pgtitle">Firewall: Rules: Edit</p>
|
|
460
|
<?php if ($input_errors) print_input_errors($input_errors); ?>
|
|
461
|
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
|
|
462
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
|
463
|
<tr>
|
|
464
|
<td width="22%" valign="top" class="vncellreq">Action</td>
|
|
465
|
<td width="78%" class="vtable">
|
|
466
|
<select name="type" class="formfld">
|
|
467
|
<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
|
|
468
|
<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
|
|
469
|
<?=htmlspecialchars($type);?>
|
|
470
|
</option>
|
|
471
|
<?php endforeach; ?>
|
|
472
|
</select> <br>
|
|
473
|
<span class="vexpl">Choose what to do with packets that match
|
|
474
|
the criteria specified below.<br>
|
|
475
|
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.</span></td>
|
|
476
|
</tr>
|
|
477
|
<tr>
|
|
478
|
<td width="22%" valign="top" class="vncellreq">Disabled</td>
|
|
479
|
<td width="78%" class="vtable">
|
|
480
|
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
|
|
481
|
<strong>Disable this rule</strong><br>
|
|
482
|
<span class="vexpl">Set this option to disable this rule without
|
|
483
|
removing it from the list.</span></td>
|
|
484
|
</tr>
|
|
485
|
<tr>
|
|
486
|
<td width="22%" valign="top" class="vncellreq">Interface</td>
|
|
487
|
<td width="78%" class="vtable">
|
|
488
|
<select name="interface" class="formfld">
|
|
489
|
<?php $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP');
|
|
490
|
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
|
|
491
|
$interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr'];
|
|
492
|
}
|
|
493
|
foreach ($interfaces as $iface => $ifacename): ?>
|
|
494
|
<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
|
|
495
|
<?=htmlspecialchars($ifacename);?>
|
|
496
|
</option>
|
|
497
|
<?php endforeach; ?>
|
|
498
|
</select> <br>
|
|
499
|
<span class="vexpl">Choose on which interface packets must
|
|
500
|
come in to match this rule.</span></td>
|
|
501
|
</tr>
|
|
502
|
<tr>
|
|
503
|
<td width="22%" valign="top" class="vncellreq">Protocol</td>
|
|
504
|
<td width="78%" class="vtable">
|
|
505
|
<select name="proto" class="formfld" onchange="proto_change()">
|
|
506
|
<?php $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IPv6 IGMP any"); foreach ($protocols as $proto): ?>
|
|
507
|
<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>>
|
|
508
|
<?=htmlspecialchars($proto);?>
|
|
509
|
</option>
|
|
510
|
<?php endforeach; ?>
|
|
511
|
</select> <br>
|
|
512
|
<span class="vexpl">Choose which IP protocol this rule should
|
|
513
|
match.<br>
|
|
514
|
Hint: in most cases, you should specify <em>TCP</em> here.</span></td>
|
|
515
|
</tr>
|
|
516
|
<tr>
|
|
517
|
<td valign="top" class="vncell">ICMP type</td>
|
|
518
|
<td class="vtable">
|
|
519
|
<select name="icmptype" class="formfld">
|
|
520
|
<?php
|
|
521
|
|
|
522
|
$icmptypes = array(
|
|
523
|
"" => "any",
|
|
524
|
"unreach" => "Destination unreachable",
|
|
525
|
"echo" => "Echo",
|
|
526
|
"echorep" => "Echo reply",
|
|
527
|
"squench" => "Source quench",
|
|
528
|
"redir" => "Redirect",
|
|
529
|
"timex" => "Time exceeded",
|
|
530
|
"paramprob" => "Parameter problem",
|
|
531
|
"timest" => "Timestamp",
|
|
532
|
"timestrep" => "Timestamp reply",
|
|
533
|
"inforeq" => "Information request",
|
|
534
|
"inforep" => "Information reply",
|
|
535
|
"maskreq" => "Address mask request",
|
|
536
|
"maskrep" => "Address mask reply"
|
|
537
|
);
|
|
538
|
|
|
539
|
foreach ($icmptypes as $icmptype => $descr): ?>
|
|
540
|
<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>>
|
|
541
|
<?=htmlspecialchars($descr);?>
|
|
542
|
</option>
|
|
543
|
<?php endforeach; ?>
|
|
544
|
</select>
|
|
545
|
<br>
|
|
546
|
<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span></td>
|
|
547
|
</tr>
|
|
548
|
<tr>
|
|
549
|
<td width="22%" valign="top" class="vncellreq">Source</td>
|
|
550
|
<td width="78%" class="vtable">
|
|
551
|
<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
|
|
552
|
<strong>not</strong><br>
|
|
553
|
Use this option to invert the sense of the match.<br>
|
|
554
|
<br>
|
|
555
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
556
|
<tr>
|
|
557
|
<td>Type: </td>
|
|
558
|
<td><select id="srctype" name="srctype" class="formfld" onChange="typesel_change('src');">
|
|
559
|
<?php $sel = is_specialnet($pconfig['src']); ?>
|
|
560
|
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>
|
|
561
|
any</option>
|
|
562
|
<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
|
|
563
|
Single host or alias</option>
|
|
564
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>
|
|
565
|
Network</option>
|
|
566
|
<option value="lan" <?php if ($pconfig['src'] == "lan") { echo "selected"; } ?>>
|
|
567
|
LAN subnet</option>
|
|
568
|
<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>
|
|
569
|
PPTP clients</option>
|
|
570
|
<?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
|
|
571
|
<option value="opt<?=$i;?>" <?php if ($pconfig['src'] == "opt" . $i) { echo "selected"; } ?>>
|
|
572
|
<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
|
|
573
|
<?php endfor; ?>
|
|
574
|
<?php
|
|
575
|
foreach ($config['aliases']['alias'] as $alias) {
|
|
576
|
echo "<option value=\"" . $alias['name'] . "\">alias:" . $alias['name'] . "</option>\n";
|
|
577
|
}
|
|
578
|
?>
|
|
579
|
</select></td>
|
|
580
|
</tr>
|
|
581
|
<tr>
|
|
582
|
<td>Address: </td>
|
|
583
|
<td><input name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>">
|
|
584
|
/
|
|
585
|
<select name="srcmask" class="formfld" id="srcmask">
|
|
586
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
|
587
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
|
|
588
|
<?php endfor; ?>
|
|
589
|
</select>
|
|
590
|
</td>
|
|
591
|
</tr>
|
|
592
|
</table></td>
|
|
593
|
</tr>
|
|
594
|
<tr>
|
|
595
|
<td width="22%" valign="top" class="vncellreq">Source port range
|
|
596
|
</td>
|
|
597
|
<td width="78%" class="vtable">
|
|
598
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
599
|
<tr>
|
|
600
|
<td>from: </td>
|
|
601
|
<td><select name="srcbeginport" class="formfld" onchange="src_rep_change();ext_change()">
|
|
602
|
<option value="">(other)</option>
|
|
603
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
604
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
605
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) {
|
|
606
|
echo "selected";
|
|
607
|
$bfound = 1;
|
|
608
|
}?>>
|
|
609
|
<?=htmlspecialchars($wkportdesc);?>
|
|
610
|
</option>
|
|
611
|
<?php endforeach; ?>
|
|
612
|
</select> <input name="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>"></td>
|
|
613
|
</tr>
|
|
614
|
<tr>
|
|
615
|
<td>to:</td>
|
|
616
|
<td><select name="srcendport" class="formfld" onchange="ext_change()">
|
|
617
|
<option value="">(other)</option>
|
|
618
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
619
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
620
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) {
|
|
621
|
echo "selected";
|
|
622
|
$bfound = 1;
|
|
623
|
}?>>
|
|
624
|
<?=htmlspecialchars($wkportdesc);?>
|
|
625
|
</option>
|
|
626
|
<?php endforeach; ?>
|
|
627
|
</select> <input name="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>"></td>
|
|
628
|
</tr>
|
|
629
|
</table>
|
|
630
|
<br> <span class="vexpl">Specify the port or port range for
|
|
631
|
the source of the packet for this rule.<br>
|
|
632
|
Hint: you can leave the <em>'to'</em> field empty if you only
|
|
633
|
want to filter a single port</span></td>
|
|
634
|
<tr>
|
|
635
|
<td width="22%" valign="top" class="vncellreq">Destination</td>
|
|
636
|
<td width="78%" class="vtable">
|
|
637
|
<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
|
|
638
|
<strong>not</strong><br>
|
|
639
|
Use this option to invert the sense of the match.<br>
|
|
640
|
<br>
|
|
641
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
642
|
<tr>
|
|
643
|
<td>Type: </td>
|
|
644
|
<td><select id="dsttype" name="dsttype" class="formfld" onChange="typesel_change('dst');">
|
|
645
|
<?php $sel = is_specialnet($pconfig['dst']); ?>
|
|
646
|
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>
|
|
647
|
any</option>
|
|
648
|
<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
|
|
649
|
Single host or alias</option>
|
|
650
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>
|
|
651
|
Network</option>
|
|
652
|
<option value="lan" <?php if ($pconfig['dst'] == "lan") { echo "selected"; } ?>>
|
|
653
|
LAN subnet</option>
|
|
654
|
<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>
|
|
655
|
PPTP clients</option>
|
|
656
|
<?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
|
|
657
|
<option value="opt<?=$i;?>" <?php if ($pconfig['dst'] == "opt" . $i) { echo "selected"; } ?>>
|
|
658
|
<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
|
|
659
|
<?php endfor; ?>
|
|
660
|
<?php
|
|
661
|
foreach ($config['aliases']['alias'] as $alias) {
|
|
662
|
echo "<option value=\"" . $alias['name'] . "\">alias:" . $alias['name'] . "</option>\n";
|
|
663
|
}
|
|
664
|
?>
|
|
665
|
</select></td>
|
|
666
|
</tr>
|
|
667
|
<tr>
|
|
668
|
<td>Address: </td>
|
|
669
|
<td><input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
|
670
|
/
|
|
671
|
<select name="dstmask" class="formfld" id="dstmask";>
|
|
672
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
|
673
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
|
|
674
|
<?php endfor; ?>
|
|
675
|
</select>
|
|
676
|
</td>
|
|
677
|
</tr>
|
|
678
|
</table></td>
|
|
679
|
</tr>
|
|
680
|
<tr>
|
|
681
|
<td width="22%" valign="top" class="vncellreq">Destination port
|
|
682
|
range </td>
|
|
683
|
<td width="78%" class="vtable">
|
|
684
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
685
|
<tr>
|
|
686
|
<td>from: </td>
|
|
687
|
<td><select name="dstbeginport" class="formfld" onchange="dst_rep_change();ext_change()">
|
|
688
|
<option value="">(other)</option>
|
|
689
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
690
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
691
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) {
|
|
692
|
echo "selected";
|
|
693
|
$bfound = 1;
|
|
694
|
}?>>
|
|
695
|
<?=htmlspecialchars($wkportdesc);?>
|
|
696
|
</option>
|
|
697
|
<?php endforeach; ?>
|
|
698
|
</select> <input name="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>"></td>
|
|
699
|
</tr>
|
|
700
|
<tr>
|
|
701
|
<td>to:</td>
|
|
702
|
<td><select name="dstendport" class="formfld" onchange="ext_change()">
|
|
703
|
<option value="">(other)</option>
|
|
704
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
705
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
706
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) {
|
|
707
|
echo "selected";
|
|
708
|
$bfound = 1;
|
|
709
|
}?>>
|
|
710
|
<?=htmlspecialchars($wkportdesc);?>
|
|
711
|
</option>
|
|
712
|
<?php endforeach; ?>
|
|
713
|
</select> <input name="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>"></td>
|
|
714
|
</tr>
|
|
715
|
</table>
|
|
716
|
<br> <span class="vexpl">Specify the port or port range for
|
|
717
|
the destination of the packet for this rule.<br>
|
|
718
|
Hint: you can leave the <em>'to'</em> field empty if you only
|
|
719
|
want to filter a single port</span></td>
|
|
720
|
|
|
721
|
<tr>
|
|
722
|
<td width="22%" valign="top" class="vncellreq">Fragments</td>
|
|
723
|
<td width="78%" class="vtable">
|
|
724
|
<input name="frags" type="checkbox" id="frags" value="yes" <?php if ($pconfig['frags']) echo "checked"; ?>>
|
|
725
|
<strong>Allow fragmented packets</strong><br>
|
|
726
|
<span class="vexpl">Hint: this option puts additional load
|
|
727
|
on the firewall and may make it vulnerable to DoS attacks.
|
|
728
|
In most cases, it is not needed. Try enabling it if you have
|
|
729
|
troubles connecting to certain sites.</span></td>
|
|
730
|
</tr>
|
|
731
|
<tr>
|
|
732
|
<td width="22%" valign="top" class="vncellreq">Log</td>
|
|
733
|
<td width="78%" class="vtable">
|
|
734
|
<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
|
|
735
|
<strong>Log packets that are handled by this rule</strong><br>
|
|
736
|
<span class="vexpl">Hint: the firewall has limited local log
|
|
737
|
space. Don't turn on logging for everything. If you want to
|
|
738
|
do a lot of logging, consider using a remote syslog server
|
|
739
|
(see the <a href="diag_logs_settings.php">Diagnostics: System
|
|
740
|
logs: Settings</a> page).</span></td>
|
|
741
|
</tr>
|
|
742
|
<tr>
|
|
743
|
<td width="22%" valign="top" class="vncell">Description</td>
|
|
744
|
<td width="78%" class="vtable">
|
|
745
|
<input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
|
|
746
|
<br> <span class="vexpl">You may enter a description here
|
|
747
|
for your reference (not parsed).</span></td>
|
|
748
|
</tr>
|
|
749
|
|
|
750
|
|
|
751
|
<tr>
|
|
752
|
<td width="22%" valign="top" class="vncell">Traffic Queuing / Shaping</td>
|
|
753
|
<td width="78%" class="vtable">
|
|
754
|
Direction: <select name="direction">
|
|
755
|
<?php if($pconfig['direction'] <> "")
|
|
756
|
echo "<option value=\"" . htmlspecialchars($pconfig['direction']) . "\">" . htmlspecialchars($pconfig['direction']) . "</option>";
|
|
757
|
?>
|
|
758
|
<option value="">DONT CARE</option>
|
|
759
|
<option value="in">IN</option>
|
|
760
|
<option value="out">OUT</option>
|
|
761
|
</select>
|
|
762
|
<br> <span class="vexpl">If you need fine grained control on direction, select an option here.
|
|
763
|
<p><span class="vexpl"><input type="checkbox" name="autocreatequeue"> Automatically create a new queue for this rule.</span>
|
|
764
|
</td>
|
|
765
|
</tr>
|
|
766
|
|
|
767
|
<tr>
|
|
768
|
<td width="22%" valign="top"> </td>
|
|
769
|
<td width="78%">
|
|
770
|
<input name="Submit" type="submit" class="formbtn" value="Save">
|
|
771
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
|
772
|
<input name="id" type="hidden" value="<?=$id;?>">
|
|
773
|
<?php endif; ?>
|
|
774
|
<input name="after" type="hidden" value="<?=$after;?>">
|
|
775
|
</td>
|
|
776
|
</tr>
|
|
777
|
|
|
778
|
</table>
|
|
779
|
</form>
|
|
780
|
<script language="JavaScript">
|
|
781
|
<!--
|
|
782
|
ext_change();
|
|
783
|
typesel_change();
|
|
784
|
proto_change();
|
|
785
|
goingtofire = 0;
|
|
786
|
//-->
|
|
787
|
</script>
|
|
788
|
<?php include("fend.inc"); ?>
|
|
789
|
</body>
|
|
790
|
</html>
|