|
1
|
<?php
|
|
2
|
/* $Id$ */
|
|
3
|
/*
|
|
4
|
system_advanced_firewall.php
|
|
5
|
part of pfSense
|
|
6
|
Copyright (C) 2005-2007 Scott Ullrich
|
|
7
|
Copyright (C) 2008 Shrew Soft Inc
|
|
8
|
Copyright (C) 2013-2015 Electric Sheep Fencing, LP
|
|
9
|
|
|
10
|
originally part of m0n0wall (http://m0n0.ch/wall)
|
|
11
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
|
12
|
All rights reserved.
|
|
13
|
|
|
14
|
Redistribution and use in source and binary forms, with or without
|
|
15
|
modification, are permitted provided that the following conditions are met:
|
|
16
|
|
|
17
|
1. Redistributions of source code must retain the above copyright notice,
|
|
18
|
this list of conditions and the following disclaimer.
|
|
19
|
|
|
20
|
2. Redistributions in binary form must reproduce the above copyright
|
|
21
|
notice, this list of conditions and the following disclaimer in the
|
|
22
|
documentation and/or other materials provided with the distribution.
|
|
23
|
|
|
24
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
25
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
26
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
27
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
28
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
29
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
30
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
31
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
32
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
33
|
POSSIBILITY OF SUCH DAMAGE.
|
|
34
|
*/
|
|
35
|
/*
|
|
36
|
pfSense_MODULE: system
|
|
37
|
*/
|
|
38
|
|
|
39
|
##|+PRIV
|
|
40
|
##|*IDENT=page-system-advanced-firewall
|
|
41
|
##|*NAME=System: Advanced: Firewall and NAT page
|
|
42
|
##|*DESCR=Allow access to the 'System: Advanced: Firewall and NAT' page.
|
|
43
|
##|*MATCH=system_advanced_firewall.php*
|
|
44
|
##|-PRIV
|
|
45
|
|
|
46
|
require("guiconfig.inc");
|
|
47
|
require_once("functions.inc");
|
|
48
|
require_once("filter.inc");
|
|
49
|
require_once("shaper.inc");
|
|
50
|
|
|
51
|
$pconfig['disablefilter'] = $config['system']['disablefilter'];
|
|
52
|
$pconfig['scrubnodf'] = $config['system']['scrubnodf'];
|
|
53
|
$pconfig['scrubrnid'] = $config['system']['scrubrnid'];
|
|
54
|
$pconfig['optimization'] = $config['filter']['optimization'];
|
|
55
|
$pconfig['adaptivestart'] = $config['system']['adaptivestart'];
|
|
56
|
$pconfig['adaptiveend'] = $config['system']['adaptiveend'];
|
|
57
|
$pconfig['maximumstates'] = $config['system']['maximumstates'];
|
|
58
|
$pconfig['aliasesresolveinterval'] = $config['system']['aliasesresolveinterval'];
|
|
59
|
$old_aliasesresolveinterval = $config['system']['aliasesresolveinterval'];
|
|
60
|
$pconfig['checkaliasesurlcert'] = isset($config['system']['checkaliasesurlcert']);
|
|
61
|
$pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
|
|
62
|
$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
|
|
63
|
$pconfig['disablenegate'] = isset($config['system']['disablenegate']);
|
|
64
|
$pconfig['bogonsinterval'] = $config['system']['bogons']['interval'];
|
|
65
|
$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
|
|
66
|
$pconfig['enablebinatreflection'] = $config['system']['enablebinatreflection'];
|
|
67
|
$pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
|
|
68
|
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
|
|
69
|
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
|
|
70
|
$pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']);
|
|
71
|
$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
|
|
72
|
$pconfig['tcpfirsttimeout'] = $config['system']['tcpfirsttimeout'];
|
|
73
|
$pconfig['tcpopeningtimeout'] = $config['system']['tcpopeningtimeout'];
|
|
74
|
$pconfig['tcpestablishedtimeout'] = $config['system']['tcpestablishedtimeout'];
|
|
75
|
$pconfig['tcpclosingtimeout'] = $config['system']['tcpclosingtimeout'];
|
|
76
|
$pconfig['tcpfinwaittimeout'] = $config['system']['tcpfinwaittimeout'];
|
|
77
|
$pconfig['tcpclosedtimeout'] = $config['system']['tcpclosedtimeout'];
|
|
78
|
$pconfig['udpfirsttimeout'] = $config['system']['udpfirsttimeout'];
|
|
79
|
$pconfig['udpsingletimeout'] = $config['system']['udpsingletimeout'];
|
|
80
|
$pconfig['udpmultipletimeout'] = $config['system']['udpmultipletimeout'];
|
|
81
|
$pconfig['icmpfirsttimeout'] = $config['system']['icmpfirsttimeout'];
|
|
82
|
$pconfig['icmperrortimeout'] = $config['system']['icmperrortimeout'];
|
|
83
|
$pconfig['otherfirsttimeout'] = $config['system']['otherfirsttimeout'];
|
|
84
|
$pconfig['othersingletimeout'] = $config['system']['othersingletimeout'];
|
|
85
|
$pconfig['othermultipletimeout'] = $config['system']['othermultipletimeout'];
|
|
86
|
|
|
87
|
if ($_POST) {
|
|
88
|
|
|
89
|
unset($input_errors);
|
|
90
|
$pconfig = $_POST;
|
|
91
|
|
|
92
|
/* input validation */
|
|
93
|
if ((empty($_POST['adaptive-start']) && !empty($_POST['adaptive-end'])) || (!empty($_POST['adaptive-start']) && empty($_POST['adaptive-end'])))
|
|
94
|
$input_errors[] = gettext("The Firewall Adaptive values must be set together.");
|
|
95
|
if (!empty($_POST['adaptive-start']) && !is_numericint($_POST['adaptive-start'])) {
|
|
96
|
$input_errors[] = gettext("The Firewall Adaptive Start value must be an integer.");
|
|
97
|
}
|
|
98
|
if (!empty($_POST['adaptive-end']) && !is_numericint($_POST['adaptive-end'])) {
|
|
99
|
$input_errors[] = gettext("The Firewall Adaptive End value must be an integer.");
|
|
100
|
}
|
|
101
|
if ($_POST['firewall-maximum-states'] && !is_numericint($_POST['firewall-maximum-states'])) {
|
|
102
|
$input_errors[] = gettext("The Firewall Maximum States value must be an integer.");
|
|
103
|
}
|
|
104
|
if ($_POST['aliases-hostnames-resolve-interval'] && !is_numericint($_POST['aliases-hostnames-resolve-interval'])) {
|
|
105
|
$input_errors[] = gettext("The Aliases Hostname Resolve Interval value must be an integer.");
|
|
106
|
}
|
|
107
|
if ($_POST['firewall-maximum-table-entries'] && !is_numericint($_POST['firewall-maximum-table-entries'])) {
|
|
108
|
$input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
|
|
109
|
}
|
|
110
|
if ($_POST['reflection-timeout'] && !is_numericint($_POST['reflection-timeout'])) {
|
|
111
|
$input_errors[] = gettext("The Reflection timeout must be an integer.");
|
|
112
|
}
|
|
113
|
if ($_POST['tcpfirsttimeout'] && !is_numericint($_POST['tcpfirsttimeout'])) {
|
|
114
|
$input_errors[] = gettext("The TCP first timeout value must be an integer.");
|
|
115
|
}
|
|
116
|
if ($_POST['tcpopeningtimeout'] && !is_numericint($_POST['tcpopeningtimeout'])) {
|
|
117
|
$input_errors[] = gettext("The TCP opening timeout value must be an integer.");
|
|
118
|
}
|
|
119
|
if ($_POST['tcpestablishedtimeout'] && !is_numericint($_POST['tcpestablishedtimeout'])) {
|
|
120
|
$input_errors[] = gettext("The TCP established timeout value must be an integer.");
|
|
121
|
}
|
|
122
|
if ($_POST['tcpclosingtimeout'] && !is_numericint($_POST['tcpclosingtimeout'])) {
|
|
123
|
$input_errors[] = gettext("The TCP closing timeout value must be an integer.");
|
|
124
|
}
|
|
125
|
if ($_POST['tcpfinwaittimeout'] && !is_numericint($_POST['tcpfinwaittimeout'])) {
|
|
126
|
$input_errors[] = gettext("The TCP FIN wait timeout value must be an integer.");
|
|
127
|
}
|
|
128
|
if ($_POST['tcpclosedtimeout'] && !is_numericint($_POST['tcpclosedtimeout'])) {
|
|
129
|
$input_errors[] = gettext("The TCP closed timeout value must be an integer.");
|
|
130
|
}
|
|
131
|
if ($_POST['udpfirsttimeout'] && !is_numericint($_POST['udpfirsttimeout'])) {
|
|
132
|
$input_errors[] = gettext("The UDP first timeout value must be an integer.");
|
|
133
|
}
|
|
134
|
if ($_POST['udpsingletimeout'] && !is_numericint($_POST['udpsingletimeout'])) {
|
|
135
|
$input_errors[] = gettext("The UDP single timeout value must be an integer.");
|
|
136
|
}
|
|
137
|
if ($_POST['udpmultipletimeout'] && !is_numericint($_POST['udpmultipletimeout'])) {
|
|
138
|
$input_errors[] = gettext("The UDP multiple timeout value must be an integer.");
|
|
139
|
}
|
|
140
|
if ($_POST['icmpfirsttimeout'] && !is_numericint($_POST['icmpfirsttimeout'])) {
|
|
141
|
$input_errors[] = gettext("The ICMP first timeout value must be an integer.");
|
|
142
|
}
|
|
143
|
if ($_POST['icmperrortimeout'] && !is_numericint($_POST['icmperrortimeout'])) {
|
|
144
|
$input_errors[] = gettext("The ICMP error timeout value must be an integer.");
|
|
145
|
}
|
|
146
|
if ($_POST['otherfirsttimeout'] && !is_numericint($_POST['otherfirsttimeout'])) {
|
|
147
|
$input_errors[] = gettext("The Other first timeout value must be an integer.");
|
|
148
|
}
|
|
149
|
if ($_POST['othersingletimeout'] && !is_numericint($_POST['othersingletimeout'])) {
|
|
150
|
$input_errors[] = gettext("The Other single timeout value must be an integer.");
|
|
151
|
}
|
|
152
|
if ($_POST['othermultipletimeout'] && !is_numericint($_POST['othermultipletimeout'])) {
|
|
153
|
$input_errors[] = gettext("The Other multiple timeout value must be an integer.");
|
|
154
|
}
|
|
155
|
|
|
156
|
ob_flush();
|
|
157
|
flush();
|
|
158
|
|
|
159
|
if (!$input_errors) {
|
|
160
|
|
|
161
|
if($_POST['disable-firewall'] == "yes")
|
|
162
|
$config['system']['disablefilter'] = "enabled";
|
|
163
|
else
|
|
164
|
unset($config['system']['disablefilter']);
|
|
165
|
|
|
166
|
if($_POST['disable-auto-added-vpn-rules'] == "yes")
|
|
167
|
$config['system']['disablevpnrules'] = true;
|
|
168
|
else
|
|
169
|
unset($config['system']['disablevpnrules']);
|
|
170
|
|
|
171
|
if($_POST['ip-do-not-fragment-compatibility'] == "yes")
|
|
172
|
$config['system']['scrubnodf'] = "enabled";
|
|
173
|
else
|
|
174
|
unset($config['system']['scrubnodf']);
|
|
175
|
|
|
176
|
if($_POST['ip-random-id-generation'] == "yes")
|
|
177
|
$config['system']['scrubrnid'] = "enabled";
|
|
178
|
else
|
|
179
|
unset($config['system']['scrubrnid']);
|
|
180
|
|
|
181
|
if (!empty($_POST['adaptive-end']))
|
|
182
|
$config['system']['adaptiveend'] = $_POST['adaptive-end'];
|
|
183
|
else
|
|
184
|
unset($config['system']['adaptiveend']);
|
|
185
|
if (!empty($_POST['adaptive-start']))
|
|
186
|
$config['system']['adaptivestart'] = $_POST['adaptive-start'];
|
|
187
|
else
|
|
188
|
unset($config['system']['adaptive-start']);
|
|
189
|
|
|
190
|
if ($_POST['check-certificate-of-aliases-urls'] == "yes")
|
|
191
|
$config['system']['checkaliasesurlcert'] = true;
|
|
192
|
else
|
|
193
|
unset($config['system']['checkaliasesurlcert']);
|
|
194
|
|
|
195
|
$config['system']['optimization'] = $_POST['firewall-optimization-options'];
|
|
196
|
$config['system']['maximumstates'] = $_POST['firewall-maximum-states'];
|
|
197
|
$config['system']['aliasesresolveinterval'] = $_POST['aliases-hostnames-resolve-interval'];
|
|
198
|
$config['system']['maximumtableentries'] = $_POST['firewall-maximum-table-entries'];
|
|
199
|
|
|
200
|
if (!empty($_POST['tcpfirsttimeout'])) {
|
|
201
|
$config['system']['tcpfirsttimeout'] = $_POST['tcpfirsttimeout'];
|
|
202
|
} else {
|
|
203
|
unset($config['system']['tcpfirsttimeout']);
|
|
204
|
}
|
|
205
|
if (!empty($_POST['tcpopeningtimeout'])) {
|
|
206
|
$config['system']['tcpopeningtimeout'] = $_POST['tcpopeningtimeout'];
|
|
207
|
} else {
|
|
208
|
unset($config['system']['tcpopeningtimeout']);
|
|
209
|
}
|
|
210
|
if (!empty($_POST['tcpestablishedtimeout'])) {
|
|
211
|
$config['system']['tcpestablishedtimeout'] = $_POST['tcpestablishedtimeout'];
|
|
212
|
} else {
|
|
213
|
unset($config['system']['tcpestablishedtimeout']);
|
|
214
|
}
|
|
215
|
if (!empty($_POST['tcpclosingtimeout'])) {
|
|
216
|
$config['system']['tcpclosingtimeout'] = $_POST['tcpclosingtimeout'];
|
|
217
|
} else {
|
|
218
|
unset($config['system']['tcpclosingtimeout']);
|
|
219
|
}
|
|
220
|
if (!empty($_POST['tcpfinwaittimeout'])) {
|
|
221
|
$config['system']['tcpfinwaittimeout'] = $_POST['tcpfinwaittimeout'];
|
|
222
|
} else {
|
|
223
|
unset($config['system']['tcpfinwaittimeout']);
|
|
224
|
}
|
|
225
|
if (!empty($_POST['tcpclosedtimeout'])) {
|
|
226
|
$config['system']['tcpclosedtimeout'] = $_POST['tcpclosedtimeout'];
|
|
227
|
} else {
|
|
228
|
unset($config['system']['tcpclosedtimeout']);
|
|
229
|
}
|
|
230
|
if (!empty($_POST['udpfirsttimeout'])) {
|
|
231
|
$config['system']['udpfirsttimeout'] = $_POST['udpfirsttimeout'];
|
|
232
|
} else {
|
|
233
|
unset($config['system']['udpfirsttimeout']);
|
|
234
|
}
|
|
235
|
if (!empty($_POST['udpsingletimeout'])) {
|
|
236
|
$config['system']['udpsingletimeout'] = $_POST['udpsingletimeout'];
|
|
237
|
} else {
|
|
238
|
unset($config['system']['udpsingletimeout']);
|
|
239
|
}
|
|
240
|
if (!empty($_POST['udpmultipletimeout'])) {
|
|
241
|
$config['system']['udpmultipletimeout'] = $_POST['udpmultipletimeout'];
|
|
242
|
} else {
|
|
243
|
unset($config['system']['udpmultipletimeout']);
|
|
244
|
}
|
|
245
|
if (!empty($_POST['icmpfirsttimeout'])) {
|
|
246
|
$config['system']['icmpfirsttimeout'] = $_POST['icmpfirsttimeout'];
|
|
247
|
} else {
|
|
248
|
unset($config['system']['icmpfirsttimeout']);
|
|
249
|
}
|
|
250
|
if (!empty($_POST['icmperrortimeout'])) {
|
|
251
|
$config['system']['icmperrortimeout'] = $_POST['icmperrortimeout'];
|
|
252
|
} else {
|
|
253
|
unset($config['system']['icmperrortimeout']);
|
|
254
|
}
|
|
255
|
if (!empty($_POST['otherfirsttimeout'])) {
|
|
256
|
$config['system']['otherfirsttimeout'] = $_POST['otherfirsttimeout'];
|
|
257
|
} else {
|
|
258
|
unset($config['system']['otherfirsttimeout']);
|
|
259
|
}
|
|
260
|
if (!empty($_POST['othersingletimeout'])) {
|
|
261
|
$config['system']['othersingletimeout'] = $_POST['othersingletimeout'];
|
|
262
|
} else {
|
|
263
|
unset($config['system']['othersingletimeout']);
|
|
264
|
}
|
|
265
|
if (!empty($_POST['othermultipletimeout'])) {
|
|
266
|
$config['system']['othermultipletimeout'] = $_POST['othermultipletimeout'];
|
|
267
|
} else {
|
|
268
|
unset($config['system']['othermultipletimeout']);
|
|
269
|
}
|
|
270
|
|
|
271
|
if($_POST['natreflection'] == "proxy") {
|
|
272
|
unset($config['system']['disablenatreflection']);
|
|
273
|
unset($config['system']['enablenatreflectionpurenat']);
|
|
274
|
} else if($_POST['nat-reflection-mode-for-port-forwards'] == "purenat") {
|
|
275
|
unset($config['system']['disablenatreflection']);
|
|
276
|
$config['system']['enablenatreflectionpurenat'] = "yes";
|
|
277
|
} else {
|
|
278
|
$config['system']['disablenatreflection'] = "yes";
|
|
279
|
unset($config['system']['enablenatreflectionpurenat']);
|
|
280
|
}
|
|
281
|
|
|
282
|
if($_POST['enable-nat-reflection-for-1-1-nat'] == "yes")
|
|
283
|
$config['system']['enablebinatreflection'] = "yes";
|
|
284
|
else
|
|
285
|
unset($config['system']['enablebinatreflection']);
|
|
286
|
|
|
287
|
if($_POST['disable-reply-to'] == "yes")
|
|
288
|
$config['system']['disablereplyto'] = $_POST['disable-reply-to'];
|
|
289
|
else
|
|
290
|
unset($config['system']['disablereplyto']);
|
|
291
|
|
|
292
|
if($_POST['disable-negate-rules'] == "yes")
|
|
293
|
$config['system']['disablenegate'] = $_POST['disable-negate-rules'];
|
|
294
|
else
|
|
295
|
unset($config['system']['disablenegate']);
|
|
296
|
|
|
297
|
if($_POST['enable-automatic-outbound-nat-for-reflection'] == "yes")
|
|
298
|
$config['system']['enablenatreflectionhelper'] = "yes";
|
|
299
|
else
|
|
300
|
unset($config['system']['enablenatreflectionhelper']);
|
|
301
|
|
|
302
|
$config['system']['reflectiontimeout'] = $_POST['reflection-timeout'];
|
|
303
|
|
|
304
|
if($_POST['static-route-filtering'] == "yes")
|
|
305
|
$config['filter']['bypassstaticroutes'] = $_POST['static-route-filtering'];
|
|
306
|
elseif(isset($config['filter']['bypassstaticroutes']))
|
|
307
|
unset($config['filter']['bypassstaticroutes']);
|
|
308
|
|
|
309
|
if($_POST['disable-firewall-scrub'] == "yes")
|
|
310
|
$config['system']['disablescrub'] = $_POST['disable-firewall-scrub'];
|
|
311
|
else
|
|
312
|
unset($config['system']['disablescrub']);
|
|
313
|
|
|
314
|
if ($_POST['tftp-proxy'])
|
|
315
|
$config['system']['tftpinterface'] = implode(",", $_POST['tftp-proxy']);
|
|
316
|
else
|
|
317
|
unset($config['system']['tftpinterface']);
|
|
318
|
|
|
319
|
if ($_POST['update-frequency'] != $config['system']['bogons']['interval']) {
|
|
320
|
switch ($_POST['update-frequency']) {
|
|
321
|
case 'daily':
|
|
322
|
install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "*", "*", "*");
|
|
323
|
break;
|
|
324
|
case 'weekly':
|
|
325
|
install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "*", "*", "0");
|
|
326
|
break;
|
|
327
|
case 'monthly':
|
|
328
|
// fall through
|
|
329
|
default:
|
|
330
|
install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "1", "*", "*");
|
|
331
|
}
|
|
332
|
$config['system']['bogons']['interval'] = $_POST['update-frequency'];
|
|
333
|
}
|
|
334
|
|
|
335
|
write_config();
|
|
336
|
|
|
337
|
// Kill filterdns when value changes, filter_configure() will restart it
|
|
338
|
if (($old_aliasesresolveinterval != $config['system']['aliasesresolveinterval']) &&
|
|
339
|
isvalidpid("{$g['varrun_path']}/filterdns.pid"))
|
|
340
|
killbypid("{$g['varrun_path']}/filterdns.pid");
|
|
341
|
|
|
342
|
$retval = 0;
|
|
343
|
$retval = filter_configure();
|
|
344
|
if(stristr($retval, "error") <> true)
|
|
345
|
$savemsg = get_std_save_message($retval);
|
|
346
|
else
|
|
347
|
$savemsg = $retval;
|
|
348
|
}
|
|
349
|
}
|
|
350
|
|
|
351
|
$pgtitle = array(gettext("System"),gettext("Advanced: Firewall and NAT"));
|
|
352
|
include("head.inc");
|
|
353
|
|
|
354
|
if ($input_errors)
|
|
355
|
print_input_errors($input_errors);
|
|
356
|
if ($savemsg)
|
|
357
|
print_info_box($savemsg);
|
|
358
|
|
|
359
|
$tab_array = array();
|
|
360
|
$tab_array[] = array(gettext("Admin Access"), false, "system_advanced_admin.php");
|
|
361
|
$tab_array[] = array(gettext("Firewall / NAT"), true, "system_advanced_firewall.php");
|
|
362
|
$tab_array[] = array(gettext("Networking"), false, "system_advanced_network.php");
|
|
363
|
$tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php");
|
|
364
|
$tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php");
|
|
365
|
$tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php");
|
|
366
|
display_top_tabs($tab_array);
|
|
367
|
|
|
368
|
?><div id="container"><?php
|
|
369
|
|
|
370
|
require('classes/Form.class.php');
|
|
371
|
$form = new Form;
|
|
372
|
$section = new Form_Section('Firewall Advanced');
|
|
373
|
|
|
374
|
$section->addInput(new Form_Checkbox(
|
|
375
|
'ip-do-not-fragment-compatibility',
|
|
376
|
'IP Do-Not-Fragment compatibility',
|
|
377
|
'Clear invalid DF bits instead of dropping the packets',
|
|
378
|
isset($config['system']['scrubnodf'])
|
|
379
|
))->setHelp('This allows for communications with hosts that generate fragmented '.
|
|
380
|
'packets with the don"t fragment (DF) bit set. Linux NFS is known to do this. '.
|
|
381
|
'This will cause the filter to not drop such packets but instead clear the don"t '.
|
|
382
|
'fragment bit.');
|
|
383
|
|
|
384
|
$section->addInput(new Form_Checkbox(
|
|
385
|
'ip-random-id-generation',
|
|
386
|
'IP Random id generation',
|
|
387
|
'Insert a stronger id into IP header of packets passing through the filter.',
|
|
388
|
isset($config['system']['scrubrnid'])
|
|
389
|
))->setHelp('Replaces the IP identification field of packets with random values to '.
|
|
390
|
'compensate for operating systems that use predictable values. This option only '.
|
|
391
|
'applies to packets that are not fragmented after the optional packet '.
|
|
392
|
'reassembly.');
|
|
393
|
|
|
394
|
$section->addInput($input = new Form_Select(
|
|
395
|
'firewall-optimization-options',
|
|
396
|
'Firewall Optimization Options',
|
|
397
|
$config['system']['optimization'],
|
|
398
|
array(
|
|
399
|
'normal' => 'normal: the default optimization algorithm',
|
|
400
|
'high-latency' => 'high-latency: used for eg. satellite links. Expires idle connections later than default',
|
|
401
|
'aggressive' => 'aggressive: expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections',
|
|
402
|
'conservative' => 'conservative: tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization.',
|
|
403
|
)
|
|
404
|
))->setHelp('Select the type of state table optimization to use');
|
|
405
|
|
|
406
|
$section->addInput(new Form_Checkbox(
|
|
407
|
'disable-firewall',
|
|
408
|
'Disable Firewall',
|
|
409
|
'Disable all packet filtering.',
|
|
410
|
isset($config['system']['disablefilter'])
|
|
411
|
))->setHelp('Note: This converts %s into a routing only platform!<br/>'.
|
|
412
|
'Note: This will also turn off NAT! If you only want to disable NAT, '.
|
|
413
|
'and not firewall rules, visit the <a href="firewall_nat_out.php">Outbound '.
|
|
414
|
'NAT</a>page.', [$g["product_name"]]);
|
|
415
|
|
|
416
|
$section->addInput(new Form_Checkbox(
|
|
417
|
'disable-firewall-scrub',
|
|
418
|
'Disable Firewall Scrub',
|
|
419
|
'Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.',
|
|
420
|
isset($config['system']['disablescrub'])
|
|
421
|
));
|
|
422
|
|
|
423
|
$group = new Form_Group('Firewall Adaptive Timeouts');
|
|
424
|
|
|
425
|
$group->add(new Form_Input(
|
|
426
|
'adaptive-start',
|
|
427
|
'Adaptive start',
|
|
428
|
'number',
|
|
429
|
$pconfig['adaptivestart'],
|
|
430
|
['min' => 1]
|
|
431
|
))->setHelp('When the number of state entries exceeds this value, adaptive '.
|
|
432
|
'scaling begins. All timeout values are scaled linearly with factor '.
|
|
433
|
'(adaptive.end - number of states) / (adaptive.end - adaptive.start).');
|
|
434
|
|
|
435
|
$group->add(new Form_Input(
|
|
436
|
'adaptive-end',
|
|
437
|
'Adaptive end',
|
|
438
|
'number',
|
|
439
|
$pconfig['adaptiveend'],
|
|
440
|
['min' => 1]
|
|
441
|
))->setHelp('When reaching this number of state entries, all timeout values '.
|
|
442
|
'become zero, effectively purging all state entries immediately. This '.
|
|
443
|
'value is used to define the scale factor, it should not actually be '.
|
|
444
|
'reached (set a lower state limit, see below).');
|
|
445
|
|
|
446
|
$group->setHelp('Timeouts for states can be scaled adaptively as the number of '.
|
|
447
|
'state table entries grows. Leave blank for the default (0)');
|
|
448
|
|
|
449
|
$section->add($group);
|
|
450
|
|
|
451
|
$section->addInput(new Form_Input(
|
|
452
|
'firewall-maximum-states',
|
|
453
|
'Firewall Maximum States',
|
|
454
|
'number',
|
|
455
|
$pconfig['maximumstates'],
|
|
456
|
['min' => 1, 'placeholder' => pfsense_default_state_size()]
|
|
457
|
))->setHelp('Maximum number of connections to hold in the firewall state table.. '.
|
|
458
|
'<br/>Note: Leave this blank for the default. On your system the default '.
|
|
459
|
'size is: %d', [pfsense_default_state_size()]);
|
|
460
|
|
|
461
|
$section->addInput(new Form_Input(
|
|
462
|
'firewall-maximum-table-entries',
|
|
463
|
'Firewall Maximum Table Entries',
|
|
464
|
'text',
|
|
465
|
$pconfig['maximumtableentries'],
|
|
466
|
['placeholder' => pfsense_default_table_entries_size()]
|
|
467
|
))->setHelp('Maximum number of table entries for systems such as aliases, '.
|
|
468
|
'sshlockout, snort, etc, combined..<br/>Note: Leave this blank for the '.
|
|
469
|
'default. On your system the default size is: %d',
|
|
470
|
[pfsense_default_table_entries_size()]);
|
|
471
|
|
|
472
|
$section->addInput(new Form_Checkbox(
|
|
473
|
'static-route-filtering',
|
|
474
|
'Static route filtering',
|
|
475
|
'Bypass firewall rules for traffic on the same interface',
|
|
476
|
$pconfig['bypassstaticroutes']
|
|
477
|
))->setHelp('This option only applies if you have defined one or more static '.
|
|
478
|
'routes. If it is enabled, traffic that enters and leaves through the same '.
|
|
479
|
'interface will not be checked by the firewall. This may be desirable in some '.
|
|
480
|
'situations where multiple subnets are connected to the same interface.');
|
|
481
|
|
|
482
|
$section->addInput(new Form_Checkbox(
|
|
483
|
'disable-auto-added-vpn-rules',
|
|
484
|
'Disable Auto-added VPN rules',
|
|
485
|
'Disable all auto-added VPN rules.',
|
|
486
|
isset($config['system']['disablevpnrules'])
|
|
487
|
))->setHelp('<span>Note: This disables automatically added rules for IPsec, '.
|
|
488
|
'PPTP.</span>');
|
|
489
|
|
|
490
|
$section->addInput(new Form_Checkbox(
|
|
491
|
'disable-reply-to',
|
|
492
|
'Disable reply-to',
|
|
493
|
'Disable reply-to on WAN rules',
|
|
494
|
$pconfig['disablereplyto']
|
|
495
|
))->setHelp('With Multi-WAN you generally want to ensure traffic leaves the same '.
|
|
496
|
'interface it arrives on, hence reply-to is added automatically by default. When '.
|
|
497
|
'using bridging, you must disable this behavior if the WAN gateway IP is '.
|
|
498
|
'different from the gateway IP of the hosts behind the bridged interface.');
|
|
499
|
|
|
500
|
$section->addInput(new Form_Checkbox(
|
|
501
|
'disable-negate-rules',
|
|
502
|
'Disable Negate rules',
|
|
503
|
'Disable Negate rule on policy routing rules',
|
|
504
|
$pconfig['disablenegate']
|
|
505
|
))->setHelp('With Multi-WAN you generally want to ensure traffic reaches directly '.
|
|
506
|
'connected networks and VPN networks when using policy routing. You can disable '.
|
|
507
|
'this for special purposes but it requires manually creating rules for these '.
|
|
508
|
'networks');
|
|
509
|
|
|
510
|
$section->addInput(new Form_Input(
|
|
511
|
'aliases-hostnames-resolve-interval',
|
|
512
|
'Aliases Hostnames Resolve Interval',
|
|
513
|
'text',
|
|
514
|
$pconfig['aliasesresolveinterval'],
|
|
515
|
['placeholder' => '300']
|
|
516
|
))->setHelp('Interval, in seconds, that will be used to resolve hostnames '.
|
|
517
|
'configured on aliases.. <br/>Note: Leave this blank for the default '.
|
|
518
|
'(300s).');
|
|
519
|
|
|
520
|
$section->addInput(new Form_Checkbox(
|
|
521
|
'check-certificate-of-aliases-urls',
|
|
522
|
'Check certificate of aliases URLs',
|
|
523
|
'Verify HTTPS certificates when downloading alias URLs',
|
|
524
|
$pconfig['checkaliasesurlcert']
|
|
525
|
))->setHelp('Make sure the certificate is valid for all HTTPS addresses on '.
|
|
526
|
'aliases. If it\'s not valid or is revoked, do not download it.');
|
|
527
|
|
|
528
|
$form->add($section);
|
|
529
|
$section = new Form_Section('Bogon Networks');
|
|
530
|
|
|
531
|
$section->addInput(new Form_Select(
|
|
532
|
'update-frequency',
|
|
533
|
'Update Frequency',
|
|
534
|
empty($pconfig['bogonsinterval']) ? 'monthly' : $pconfig['bogonsinterval'],
|
|
535
|
array(
|
|
536
|
'monthly' => 'Monthly',
|
|
537
|
'weekly' => 'Weekly',
|
|
538
|
'daily' => 'Daily',
|
|
539
|
)
|
|
540
|
))->setHelp('The frequency of updating the lists of IP addresses that are '.
|
|
541
|
'reserved (but not RFC 1918) or not yet assigned by IANA.');
|
|
542
|
|
|
543
|
$form->add($section);
|
|
544
|
|
|
545
|
if (count($config['interfaces']) > 1)
|
|
546
|
{
|
|
547
|
$section = new Form_Section('Network Address Translation');
|
|
548
|
|
|
549
|
if (isset($config['system']['disablenatreflection']))
|
|
550
|
$value = 'disable';
|
|
551
|
elseif (!isset($config['system']['enablenatreflectionpurenat']))
|
|
552
|
$value = 'proxy';
|
|
553
|
else
|
|
554
|
$value = 'purenat';
|
|
555
|
|
|
556
|
$section->addInput(new Form_Select(
|
|
557
|
'nat-reflection-mode-for-port-forwards',
|
|
558
|
'NAT Reflection mode for port forwards',
|
|
559
|
$value,
|
|
560
|
array(
|
|
561
|
'disable' => 'disabled',
|
|
562
|
'proxy' => 'NAT + proxy',
|
|
563
|
'purenat' => 'Pure NAT',
|
|
564
|
)
|
|
565
|
))->setHelp('<ul><li>The pure NAT mode uses a set of NAT rules to direct '.
|
|
566
|
'packets to the target of the port forward. It has better scalability, '.
|
|
567
|
'but it must be possible to accurately determine the interface and '.
|
|
568
|
'gateway IP used for communication with the target at the time the '.
|
|
569
|
'rules are loaded. There are no inherent limits to the number of ports '.
|
|
570
|
'other than the limits of the protocols. All protocols available for '.
|
|
571
|
'port forwards are supported.</li><li>The NAT + proxy mode uses a '.
|
|
572
|
'helper program to send packets to the target of the port forward. '.
|
|
573
|
'It is useful in setups where the interface and/or gateway IP used '.
|
|
574
|
'for communication with the target cannot be accurately determined at '.
|
|
575
|
'the time the rules are loaded. Reflection rules are not created for '.
|
|
576
|
'ranges larger than 500 ports and will not be used for more than 1000 '.
|
|
577
|
'ports total between all port forwards. Only TCP and UDP protocols are '.
|
|
578
|
'supported.</li></ul>Individual rules may be configured to override '.
|
|
579
|
'this system setting on a per-rule basis.');
|
|
580
|
|
|
581
|
$section->addInput(new Form_Input(
|
|
582
|
'reflection-timeout',
|
|
583
|
'Reflection Timeout',
|
|
584
|
'number',
|
|
585
|
$config['system']['reflectiontimeout'],
|
|
586
|
['min' => 1]
|
|
587
|
))->setHelp('Enter value for Reflection timeout in seconds.<br/>Note: Only '.
|
|
588
|
'applies to Reflection on port forwards in NAT + proxy mode.');
|
|
589
|
|
|
590
|
$section->addInput(new Form_Checkbox(
|
|
591
|
'enable-nat-reflection-for-1-1-nat',
|
|
592
|
'Enable NAT Reflection for 1:1 NAT',
|
|
593
|
'Automatic creation of additional NAT redirect rules from within your internal networks.',
|
|
594
|
isset($config['system']['enablebinatreflection'])
|
|
595
|
))->setHelp('Note: Reflection on 1:1 mappings is only for the inbound component of '.
|
|
596
|
'the 1:1 mappings. This functions the same as the pure NAT mode for port '.
|
|
597
|
'forwards. For more details, refer to the pure NAT mode description '.
|
|
598
|
'above. Individual rules may be configured to override this system setting on a '.
|
|
599
|
'per-rule basis.');
|
|
600
|
|
|
601
|
$section->addInput(new Form_Checkbox(
|
|
602
|
'enable-automatic-outbound-nat-for-reflection',
|
|
603
|
'Enable automatic outbound NAT for Reflection',
|
|
604
|
'Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from.',
|
|
605
|
isset($config['system']['enablenatreflectionhelper'])
|
|
606
|
))->setHelp('Required for full functionality of the pure NAT mode of NAT '.
|
|
607
|
'Reflection for port forwards or NAT Reflection for 1:1 NAT.Note: This only works '.
|
|
608
|
'for assigned interfaces. Other interfaces require manually creating the '.
|
|
609
|
'outbound NAT rules that direct the reply packets back through the router.');
|
|
610
|
|
|
611
|
$section->addInput(new Form_Select(
|
|
612
|
'tftp-proxy',
|
|
613
|
'TFTP Proxy',
|
|
614
|
$pconfig['tftpinterface'],
|
|
615
|
get_configured_interface_with_descr(),
|
|
616
|
true
|
|
617
|
))->setHelp('Choose the interfaces where you want TFTP proxy helper to be enabled.');
|
|
618
|
|
|
619
|
$form->add($section);
|
|
620
|
}
|
|
621
|
|
|
622
|
$section = new Form_Section('State Timeouts');
|
|
623
|
|
|
624
|
$group = new Form_Group('TCP Timeouts');
|
|
625
|
$tcpTimeouts = array('First', 'Opening', 'Established', 'Closing', 'FIN', 'closed');
|
|
626
|
foreach ($tcpTimeouts as $name)
|
|
627
|
{
|
|
628
|
$group->add(new Form_Input(
|
|
629
|
'tcp'. strtolower($name) .'timeout',
|
|
630
|
'TCP '. $name,
|
|
631
|
'number',
|
|
632
|
$config['system']['tcp'. strtolower($name) .'timeout']
|
|
633
|
))->setHelp('Enter value for TCP '. $name .' timeout in seconds. Leave blank for '.
|
|
634
|
'default (recommended).');
|
|
635
|
}
|
|
636
|
|
|
637
|
$section->add($group);
|
|
638
|
|
|
639
|
$group = new Form_Group('UDP Timeouts');
|
|
640
|
$udpTimeouts = array('First', 'Single', 'Multiple');
|
|
641
|
foreach ($udpTimeouts as $name)
|
|
642
|
{
|
|
643
|
$group->add(new Form_Input(
|
|
644
|
'udp'. strtolower($name) .'timeout',
|
|
645
|
'UDP '. $name,
|
|
646
|
'number',
|
|
647
|
$config['system']['udo'. strtolower($name) .'timeout']
|
|
648
|
))->setHelp('Enter value for UDP '. $name .' timeout in seconds. Leave blank for '.
|
|
649
|
'default (recommended).');
|
|
650
|
}
|
|
651
|
|
|
652
|
$section->add($group);
|
|
653
|
|
|
654
|
$group = new Form_Group('ICMP Timeouts');
|
|
655
|
$udpTimeouts = array('First', 'Error');
|
|
656
|
foreach ($udpTimeouts as $name)
|
|
657
|
{
|
|
658
|
$group->add(new Form_Input(
|
|
659
|
'icmp'. strtolower($name) .'timeout',
|
|
660
|
'UDP '. $name,
|
|
661
|
'number',
|
|
662
|
$config['system']['icmp'. strtolower($name) .'timeout']
|
|
663
|
))->setHelp('Enter value for ICMP '. $name .' timeout in seconds. Leave blank for '.
|
|
664
|
'default (recommended).');
|
|
665
|
}
|
|
666
|
|
|
667
|
$section->add($group);
|
|
668
|
|
|
669
|
$group = new Form_Group('Other Timeouts');
|
|
670
|
foreach ($udpTimeouts as $name)
|
|
671
|
{
|
|
672
|
$group->add(new Form_Input(
|
|
673
|
'other'. strtolower($name) .'timeout',
|
|
674
|
'Other '. $name,
|
|
675
|
'number',
|
|
676
|
$config['system']['other'. strtolower($name) .'timeout']
|
|
677
|
))->setHelp('Enter value for ICMP '. $name .' timeout in seconds. Leave blank for '.
|
|
678
|
'default (recommended).');
|
|
679
|
}
|
|
680
|
|
|
681
|
$section->add($group);
|
|
682
|
|
|
683
|
print $form;
|
|
684
|
include("foot.inc");
|
