/usr/local/www/system_advanced.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/usr/local/www/system_advanced.php @ 594aeaf7

1	13128695	Scott Ullrich	<?php
2	b46bfcf5	Bill Marquette	/* $Id$ */
3	5b237745	Scott Ullrich	/*
4	aa9e7aaa	Scott Ullrich	system_advanced.php
5	416ed28d	Scott Ullrich	part of pfSense
6	aa9e7aaa	Scott Ullrich	Copyright (C) 2005-2007 Scott Ullrich
7	13128695	Scott Ullrich
8	416ed28d	Scott Ullrich	originally part of m0n0wall (http://m0n0.ch/wall)
9	5b237745	Scott Ullrich	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
10			All rights reserved.
11	13128695	Scott Ullrich
12	5b237745	Scott Ullrich	Redistribution and use in source and binary forms, with or without
13			modification, are permitted provided that the following conditions are met:
14	13128695	Scott Ullrich
15	5b237745	Scott Ullrich	1. Redistributions of source code must retain the above copyright notice,
16			this list of conditions and the following disclaimer.
17	13128695	Scott Ullrich
18	5b237745	Scott Ullrich	2. Redistributions in binary form must reproduce the above copyright
19			notice, this list of conditions and the following disclaimer in the
20			documentation and/or other materials provided with the distribution.
21	13128695	Scott Ullrich
22	5b237745	Scott Ullrich	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
23			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
24			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
26			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31			POSSIBILITY OF SUCH DAMAGE.
32			*/
33
34			require("guiconfig.inc");
35
36	35284e50	Scott Ullrich	$pconfig['disablefilter'] = $config['system']['disablefilter'];
37	38560a25	Bill Marquette	$pconfig['rfc959workaround'] = $config['system']['rfc959workaround'];
38	8f498445	Scott Ullrich	$pconfig['scrubnodf'] = $config['system']['scrubnodf'];
39	5b237745	Scott Ullrich	$pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']);
40			$pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr'];
41	4bc0961e	Chris Buechler	$pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
42	5b237745	Scott Ullrich	$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']);
43			$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']);
44			$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
45	c11e337b	Scott Ullrich	$pconfig['harddiskstandby'] = $config['system']['harddiskstandby'];
46	5b237745	Scott Ullrich	$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
47	3962b070	Scott Ullrich	$pconfig['filteringbridge_enable'] = isset($config['bridge']['filteringbridge']);
48	5b237745	Scott Ullrich	$pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout'];
49	351217ed	Scott Ullrich	$pconfig['maximumstates'] = $config['system']['maximumstates'];
50	68bf6021	Scott Ullrich	$pconfig['disablerendevouz'] = $config['system']['disablerendevouz'];
51	2f810bc1	Scott Ullrich	$pconfig['enableserial'] = $config['system']['enableserial'];
52	5c50ae40	Scott Ullrich	$pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']);
53	d5967a9a	Scott Ullrich	$pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
54	59d09874	Scott Ullrich	$pconfig['enablesshd'] = $config['system']['enablesshd'];
55	74806cee	Seth Mos	$pconfig['sshport'] = $config['system']['ssh']['port'];
56	9c51b6f6	Timo Boettcher	$pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly'];
57			$pconfig['authorizedkeys'] = base64_decode($config['system']['ssh']['authorizedkeys']);
58	243aa7b9	Scott Ullrich	$pconfig['sharednet'] = $config['system']['sharednet'];
59	8d36fd1d	Scott Ullrich	$pconfig['polling_enable'] = isset($config['system']['polling']);
60	bdac13de	Scott Ullrich	$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
61	a9b19d7f	Scott Ullrich	$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
62	1c5ca2e9	Scott Ullrich	$pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksumoffloading']);
63	ff091d96	Scott Ullrich	$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
64	81a6f5ea	Scott Ullrich	$pconfig['shapertype'] = $config['system']['shapertype'];
65	ab0d0394	Scott Ullrich	$pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
66	f031a007	Chris Buechler	$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
67	a9b19d7f	Scott Ullrich
68	5b237745	Scott Ullrich	if ($_POST) {
69
70			unset($input_errors);
71			$pconfig = $_POST;
72
73			/* input validation */
74			if ($_POST['ipv6nat_enable'] && !is_ipaddr($_POST['ipv6nat_ipaddr'])) {
75			$input_errors[] = "You must specify an IP address to NAT IPv6 packets.";
76			}
77	351217ed	Scott Ullrich	if ($_POST['maximumstates'] && !is_numericint($_POST['maximumstates'])) {
78			$input_errors[] = "The Firewall Maximum States value must be an integer.";
79			}
80	5b237745	Scott Ullrich	if ($_POST['tcpidletimeout'] && !is_numericint($_POST['tcpidletimeout'])) {
81			$input_errors[] = "The TCP idle timeout must be an integer.";
82			}
83			if (($_POST['cert'] && !$_POST['key']) \|\| ($_POST['key'] && !$_POST['cert'])) {
84			$input_errors[] = "Certificate and key must always be specified together.";
85			} else if ($_POST['cert'] && $_POST['key']) {
86			if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") \|\| !strstr($_POST['cert'], "END CERTIFICATE"))
87			$input_errors[] = "This certificate does not appear to be valid.";
88			if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") \|\| !strstr($_POST['key'], "END RSA PRIVATE KEY"))
89			$input_errors[] = "This key does not appear to be valid.";
90	a509ff63	Bill Marquette	if ($_POST['altfirmwareurl'])
91			if ($_POST['firmwareurl'] == "" \|\| $_POST['firmwarename'] == "")
92			$input_errors[] = "You must specify a base URL and a filename for the alternate firmware.";
93	66f481cc	Colin Smith	if ($_POST['altpkgconfigurl'])
94			if ($_POST['pkgconfig_base_url'] == "" \|\| $_POST['pkgconfig_filename'] == "")
95			$input_errors[] = "You must specifiy and base URL and a filename before using an alternate pkg_config.xml.";
96	5b237745	Scott Ullrich	}
97	e52f293f	Scott Ullrich	if ($_POST['maximumstates'] <> "") {
98			if ($_POST['maximumstates'] < 1000)
99			$input_errors[] = "States must be above 1000 and below 100000000";
100			if ($_POST['maximumstates'] > 100000000)
101			$input_errors[] = "States must be above 1000 and below 100000000";
102			}
103	74806cee	Seth Mos	if ($_POST['sshport'] <> "") {
104			if( ! is_port($_POST['sshport'])) {
105			$input_errors[] = "You must specify a valid port number";
106			}
107			}
108	9c51b6f6	Timo Boettcher	if($_POST['sshdkeyonly'] == "yes") {
109			$config['system']['ssh']['sshdkeyonly'] = "enabled";
110			} else {
111			unset($config['system']['ssh']['sshdkeyonly']);
112			}
113			$config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
114	74806cee	Seth Mos
115	5b237745	Scott Ullrich	}
116	b63695db	Scott Ullrich
117	aa9e7aaa	Scott Ullrich	if ($_POST) {
118			ob_flush();
119			flush();
120			if (!$input_errors) {
121			if($_POST['disablefilter'] == "yes") {
122			$config['system']['disablefilter'] = "enabled";
123			} else {
124			unset($config['system']['disablefilter']);
125			}
126	f031a007	Chris Buechler	if($_POST['disablevpnrules'] == "yes") {
127			$config['system']['disablevpnrules'] = true;
128			} else {
129			unset($config['system']['disablevpnrules']);
130			}
131	aa9e7aaa	Scott Ullrich	if($_POST['enablesshd'] == "yes") {
132			$config['system']['enablesshd'] = "enabled";
133			touch("{$g['tmp_path']}/start_sshd");
134			} else {
135			unset($config['system']['enablesshd']);
136			mwexec("/usr/bin/killall sshd");
137			}
138			$oldsshport = $config['system']['ssh']['port'];
139			$config['system']['ssh']['port'] = $_POST['sshport'];
140
141			if($_POST['polling_enable'] == "yes") {
142			$config['system']['polling'] = true;
143			setup_polling();
144			} else {
145			unset($config['system']['polling']);
146			setup_polling();
147			}
148
149	8619963c	Chris Buechler	if($_POST['lb_use_sticky'] == "yes") {
150	ab0d0394	Scott Ullrich	$config['system']['lb_use_sticky'] = true;
151	8619963c	Chris Buechler	touch("/var/etc/use_pf_pool__stickyaddr");
152			} else {
153	ab0d0394	Scott Ullrich	unset($config['system']['lb_use_sticky']);
154	8619963c	Chris Buechler	unlink_if_exists("/var/etc/use_pf_pool__stickyaddr");
155			}
156	ab0d0394	Scott Ullrich
157	5c973509	Scott Ullrich	if($config['interfaces']['wan']['ipaddr'] == "pppoe")
158	5d8a6134	Scott Ullrich	unset($config['system']['lb_use_sticky']);
159
160	aa9e7aaa	Scott Ullrich	if($_POST['sharednet'] == "yes") {
161			$config['system']['sharednet'] = true;
162			system_disable_arp_wrong_if();
163			} else {
164			unset($config['system']['sharednet']);
165			system_enable_arp_wrong_if();
166			}
167
168			if($_POST['scrubnodf'] == "yes")
169			$config['system']['scrubnodf'] = "enabled";
170			else
171			unset($config['system']['scrubnodf']);
172
173			if($_POST['rfc959workaround'] == "yes")
174			$config['system']['rfc959workaround'] = "enabled";
175			else
176			unset($config['system']['rfc959workaround']);
177
178			if($_POST['ipv6nat_enable'] == "yes") {
179			$config['diag']['ipv6nat']['enable'] = true;
180			$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
181			} else {
182			unset($config['diag']['ipv6nat']['enable']);
183			unset($config['diag']['ipv6nat']['ipaddr']);
184			}
185	4bc0961e	Chris Buechler	if($_POST['ipv6allow'] == "yes") {
186			$config['system']['ipv6allow'] = true;
187			} else {
188			unset($config['system']['ipv6allow']);
189			}
190	aa9e7aaa	Scott Ullrich	$oldcert = $config['system']['webgui']['certificate'];
191			$oldkey = $config['system']['webgui']['private-key'];
192			$config['system']['webgui']['certificate'] = base64_encode($_POST['cert']);
193			$config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
194			if($_POST['disableconsolemenu'] == "yes") {
195			$config['system']['disableconsolemenu'] = true;
196			auto_login(true);
197			} else {
198			unset($config['system']['disableconsolemenu']);
199			auto_login(false);
200			}
201			unset($config['system']['webgui']['expanddiags']);
202			$config['system']['optimization'] = $_POST['optimization'];
203
204			if($_POST['disablefirmwarecheck'] == "yes")
205			$config['system']['disablefirmwarecheck'] = true;
206			else
207			unset($config['system']['disablefirmwarecheck']);
208
209			if ($_POST['enableserial'] == "yes")
210			$config['system']['enableserial'] = true;
211			else
212			unset($config['system']['enableserial']);
213
214			if($_POST['harddiskstandby'] <> "") {
215			$config['system']['harddiskstandby'] = $_POST['harddiskstandby'];
216			system_set_harddisk_standby();
217			} else
218			unset($config['system']['harddiskstandby']);
219
220			if ($_POST['noantilockout'] == "yes")
221			$config['system']['webgui']['noantilockout'] = true;
222			else
223			unset($config['system']['webgui']['noantilockout']);
224
225			/* Firewall and ALTQ options */
226			$config['system']['maximumstates'] = $_POST['maximumstates'];
227
228			if($_POST['enablesshd'] == "yes") {
229			$config['system']['enablesshd'] = $_POST['enablesshd'];
230			} else {
231			unset($config['system']['enablesshd']);
232			}
233
234			if($_POST['disablechecksumoffloading'] == "yes") {
235			$config['system']['disablechecksumoffloading'] = $_POST['disablechecksumoffloading'];
236	a4d71dc1	Chris Buechler	setup_microcode();
237	aa9e7aaa	Scott Ullrich	} else {
238			unset($config['system']['disablechecksumoffloading']);
239	a4d71dc1	Chris Buechler	setup_microcode();
240	aa9e7aaa	Scott Ullrich	}
241
242	ff091d96	Scott Ullrich	if($_POST['disablescrub'] == "yes") {
243			$config['system']['disablescrub'] = $_POST['disablescrub'];
244			} else {
245			unset($config['system']['disablescrub']);
246			}
247
248	aa9e7aaa	Scott Ullrich	if($_POST['disablenatreflection'] == "yes") {
249			$config['system']['disablenatreflection'] = $_POST['disablenatreflection'];
250			} else {
251			unset($config['system']['disablenatreflection']);
252			}
253
254	81a6f5ea	Scott Ullrich	// Traffic shaper
255			$config['system']['shapertype'] = $_POST['shapertype'];
256
257	aa9e7aaa	Scott Ullrich	$config['ipsec']['preferoldsa'] = $_POST['preferoldsa_enable'] ? true : false;
258			$config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? true : false;
259			$config['filter']['bypassstaticroutes'] = $_POST['bypassstaticroutes'] ? true : false;
260
261			write_config();
262
263			$retval = 0;
264			config_lock();
265			$retval = filter_configure();
266			if(stristr($retval, "error") <> true)
267			$savemsg = get_std_save_message($retval);
268			else
269			$savemsg = $retval;
270
271			config_unlock();
272
273			conf_mount_rw();
274
275			setup_serial_port();
276
277			conf_mount_ro();
278
279
280			}
281			}
282
283	b63695db	Scott Ullrich	$pgtitle = "System: Advanced functions";
284			include("head.inc");
285
286	5b237745	Scott Ullrich	?>
287	b63695db	Scott Ullrich
288	5b237745	Scott Ullrich	<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
289	9ecd6ab7	Erik Kristensen
290	5b237745	Scott Ullrich	<?php include("fbegin.inc"); ?>
291	74f446e8	Bill Marquette	<p class="pgtitle"><?=$pgtitle?></p>
292	9ecd6ab7	Erik Kristensen	<form action="system_advanced.php" method="post" name="iform" id="iform">
293			<?php if ($input_errors) print_input_errors($input_errors); ?>
294			<?php if ($savemsg) print_info_box($savemsg); ?>
295			<p><span class="vexpl"><span class="red"><strong>Note: </strong></span>the options on this page are intended for use by advanced users only.</span></p>
296			<br />
297	416ed28d	Scott Ullrich
298	9ecd6ab7	Erik Kristensen	<table width="100%" border="0" cellpadding="6" cellspacing="0">
299			<tbody>
300	dbb0b7d6	Holger Bauer	<?php if($g['platform'] == "pfSense" \|\| $g['platform'] == "cdrom"): ?>
301	9ecd6ab7	Erik Kristensen	<tr>
302			<td colspan="2" valign="top" class="listtopic">Enable Serial Console</td>
303			</tr>
304			<tr>
305			<td width="22%" valign="top" class="vncell"> </td>
306			<td width="78%" class="vtable">
307			<input name="enableserial" type="checkbox" id="enableserial" value="yes" <?php if (isset($pconfig['enableserial'])) echo "checked"; ?> onclick="enable_change(false)" />
308			<strong>This will enable the first serial port with 9600/8/N/1</strong>
309	b8467d8e	Scott Ullrich	<br>
310	3446ca38	Scott Ullrich	<span class="vexpl">Note: This will disable the internal video card/keyboard</span>
311	9ecd6ab7	Erik Kristensen	</td>
312			</tr>
313			<tr>
314			<td width="22%" valign="top"> </td>
315			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
316			</tr>
317			</tr>
318			<tr>
319			<td colspan="2" class="list" height="12"></td>
320	48ce54d0	Scott Ullrich	</tr>
321	0831bc86	Scott Ullrich	<?php endif; ?>
322	9ecd6ab7	Erik Kristensen	<tr>
323			<td colspan="2" valign="top" class="listtopic">Secure Shell</td>
324			</tr>
325			<tr>
326			<td width="22%" valign="top" class="vncell"> </td>
327			<td width="78%" class="vtable">
328			<input name="enablesshd" type="checkbox" id="enablesshd" value="yes" <?php if (isset($pconfig['enablesshd'])) echo "checked"; ?> onclick="enable_change(false)" />
329			<strong>Enable Secure Shell</strong>
330			</td>
331			</tr>
332	9c51b6f6	Timo Boettcher	<tr>
333			<td width="22%" valign="top" class="vncell"> </td>
334			<td width="78%" class="vtable">
335			<input name="sshdkeyonly" type="checkbox" id="sshdkeyonly" value="yes" <?php if (isset($pconfig['sshdkeyonly'])) echo "checked"; ?> onclick="enable_change(false)" />
336	83666df9	Scott Ullrich	<strong>Disable Password login for Secure Shell (KEY only)</strong>
337	9c51b6f6	Timo Boettcher	</td>
338			</tr>
339	74806cee	Seth Mos	<tr>
340			<td width="22%" valign="top" class="vncell">SSH port</td>
341			<td width="78%" class="vtable">
342			<input name="sshport" type="text" id="sshport" value="<?php echo $pconfig['sshport']; ?>" onclick="enable_change(false)" />
343			<br />
344			<span class="vexpl">Note: Leave this blank for the default of 22</span>
345			</td>
346			</tr>
347	9c51b6f6	Timo Boettcher	<tr>
348			<td width="22%" valign="top" class="vncell"><?=gettext("Authorizedkeys");?></td>
349			<td width="78%" class="vtable">
350			<textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
351			<br />
352			Paste an authorized keys file here.
353			</td>
354			</tr>
355	9ecd6ab7	Erik Kristensen	<tr>
356			<td width="22%" valign="top"> </td>
357			<td width="78%">
358			<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
359			</td>
360			</tr>
361			<tr>
362			<td colspan="2" class="list" height="12"> </td>
363	9c51b6f6	Timo Boettcher	</tr>
364	9ecd6ab7	Erik Kristensen	<tr>
365			<td colspan="2" valign="top" class="listtopic">Shared Physical Network</td>
366			</tr>
367			<tr>
368			<td width="22%" valign="top" class="vncell"> </td>
369			<td width="78%" class="vtable">
370			<input name="sharednet" type="checkbox" id="sharednet" value="yes" <?php if (isset($pconfig['sharednet'])) echo "checked"; ?> onclick="enable_change(false)" />
371	3d0d1aa8	Colin Smith	<strong>This will suppress ARP messages when interfaces share the same physical network</strong>
372	9ecd6ab7	Erik Kristensen	</td>
373			</tr>
374			<tr>
375			<td width="22%" valign="top"> </td>
376			<td width="78%">
377			<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
378			</td>
379			</tr>
380			<tr>
381			<td colspan="2" class="list" height="12"> </td>
382			</tr>
383			<tr>
384	4bc0961e	Chris Buechler	<td colspan="2" valign="top" class="listtopic">IPv6</td>
385			</tr>
386			<tr>
387			<td width="22%" valign="top" class="vncell">Allow IPv6</td>
388			<td width="78%" class="vtable">
389			<input name="ipv6allow" type="checkbox" id="ipv6allow" value="yes" <?php if ($pconfig['ipv6allow']) echo "checked"; ?> onclick="enable_change(false)" />
390			<strong>Allow IPv6 traffic</strong>
391			<br /> <br />
392			All IPv6 traffic will be blocked unless this box is checked.
393			</td>
394	9ecd6ab7	Erik Kristensen	</tr>
395			<tr>
396	4bc0961e	Chris Buechler	<td width="22%" valign="top" class="vncell">IPv6 tunneling</td>
397	9ecd6ab7	Erik Kristensen	<td width="78%" class="vtable">
398			<input name="ipv6nat_enable" type="checkbox" id="ipv6nat_enable" value="yes" <?php if ($pconfig['ipv6nat_enable']) echo "checked"; ?> onclick="enable_change(false)" />
399			<strong>NAT encapsulated IPv6 packets (IP protocol 41/RFC2893) to:</strong>
400			<br /> <br />
401			<input name="ipv6nat_ipaddr" type="text" class="formfld" id="ipv6nat_ipaddr" size="20" value="<?=htmlspecialchars($pconfig['ipv6nat_ipaddr']);?>" />
402	0c361483	Scott Ullrich	(IP address)
403	9ecd6ab7	Erik Kristensen	</td>
404			</tr>
405	4bc0961e	Chris Buechler	<tr>
406			<td width="22%" valign="top"> </td>
407			<td width="78%">
408			<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
409			</td>
410			</tr>
411	b0703b01	Scott Ullrich	<tr>
412			<td colspan="2" class="list" height="12"> </td>
413	48ce54d0	Scott Ullrich	</tr>
414	02f0c58f	Scott Ullrich	<tr>
415			<td colspan="2" valign="top" class="listtopic">Filtering Bridge</td>
416			</tr>
417	48ce54d0	Scott Ullrich	<tr>
418	3962b070	Scott Ullrich	<td width="22%" valign="top" class="vncell"> </td>
419	48ce54d0	Scott Ullrich	<td width="78%" class="vtable">
420	3962b070	Scott Ullrich	<strong>Enable filtering bridge</strong><span class="vexpl"><br>
421	e59771e7	Chris Buechler	This setting no longer exists as it is unnecessary. Filtering
422			occurs on the member interfaces of the bridge and cannot be
423			disabled. </span></td>
424	48ce54d0	Scott Ullrich	</tr>
425	9ecd6ab7	Erik Kristensen	<tr>
426			<td width="22%" valign="top"> </td>
427			<td width="78%">
428			<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
429			</td>
430			</tr>
431			<tr>
432			<td colspan="2" class="list" height="12"> </td>
433			</tr>
434			<tr>
435			<td colspan="2" valign="top" class="listtopic">webGUI SSL certificate/key</td>
436			</tr>
437			<tr>
438			<td width="22%" valign="top" class="vncell">Certificate</td>
439			<td width="78%" class="vtable">
440			<textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea>
441			<br />
442			Paste a signed certificate in X.509 PEM format here. <a href="javascript:if(openwindow('system_advanced_create_certs.php') == false) alert('Popup blocker detected. Action aborted.');" >Create</a> certificates automatically.
443			</td>
444			</tr>
445			<tr>
446			<td width="22%" valign="top" class="vncell">Key</td>
447			<td width="78%" class="vtable">
448			<textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea>
449			<br />
450			Paste an RSA private key in PEM format here.
451			</td>
452			</tr>
453			<tr>
454			<td width="22%" valign="top"> </td>
455			<td width="78%">
456			<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
457			</td>
458			</tr>
459			<tr>
460			<td colspan="2" class="list" height="12"> </td>
461			</tr>
462	ab0d0394	Scott Ullrich	<tr>
463			<td colspan="2" valign="top" class="listtopic">Load Balancing</td>
464			</tr>
465			<tr>
466			<td width="22%" valign="top" class="vncell">Load Balancing</td>
467			<td width="78%" class="vtable">
468	e379259c	Scott Ullrich	<?php if($config['interfaces']['wan']['ipaddr'] == "pppoe"): ?>
469	d7848c81	Scott Ullrich	Sticky connections are disabled due to PPPoE being enabled.
470			<?php else: ?>
471			<input name="lb_use_sticky" type="checkbox" id="lb_use_sticky" value="yes" <?php if ($pconfig['lb_use_sticky']) echo "checked=\"checked\""; ?> />
472			<?php endif; ?>
473	ab0d0394	Scott Ullrich	<strong>Use sticky connections</strong>
474			<br />
475			<span class="vexpl">
476	4b87b18b	Chris Buechler	Successive connections will be redirected to the servers in a round-robin manner with connections from the same source being sent to the same web server. This "sticky connection" will exist as long as there are states that refer to this connection. Once the states expire, so will the sticky connection. Further connections from that host will be redirected to the next web server in the round robin.
477	ab0d0394	Scott Ullrich	</span>
478			</td>
479			</tr>
480			<tr>
481			<td width="22%" valign="top"> </td>
482			<td width="78%">
483			<input type="submit" class="formbtn" value="<?=gettext("Save");?>" onclick="enable_change(true)" />
484			</td>
485			</tr>
486			<tr>
487			<td colspan="2" class="list" height="12"> </td>
488			</tr>
489	9ecd6ab7	Erik Kristensen	<tr>
490			<td colspan="2" valign="top" class="listtopic">Miscellaneous</td>
491			</tr>
492	8d36fd1d	Scott Ullrich
493			<tr>
494			<td width="22%" valign="top" class="vncell">Device polling</td>
495			<td width="78%" class="vtable">
496			<input name="polling_enable" type="checkbox" id="polling_enable" value="yes" <?php if ($pconfig['polling_enable']) echo "checked"; ?>>
497			<strong>Use device polling</strong><br>
498	eee6bcda	Scott Ullrich	Device polling is a technique that lets the system periodically poll network devices for new data instead of relying on interrupts. This prevents your webGUI, SSH, etc. from being inaccessible due to interrupt floods when under extreme load. Generally this is not recommended.
499	e9bb7c19	Chris Buechler	Not all NICs support polling; see the <?=$g['product_name'];?> homepage for a list of supported cards.
500	8d36fd1d	Scott Ullrich	</td>
501			</tr>
502	48ce54d0	Scott Ullrich
503	9ecd6ab7	Erik Kristensen	<tr>
504			<td width="22%" valign="top" class="vncell">Console menu </td>
505			<td width="78%" class="vtable">
506			<input name="disableconsolemenu" type="checkbox" id="disableconsolemenu" value="yes" <?php if ($pconfig['disableconsolemenu']) echo "checked"; ?> />
507	a5558110	Seth Mos	<strong>Password protect the console menu</strong>
508	9ecd6ab7	Erik Kristensen	<br />
509			<span class="vexpl">Changes to this option will take effect after a reboot.</span>
510			</td>
511			</tr>
512	48ce54d0	Scott Ullrich	<?php if($g['platform'] == "pfSenseDISABLED"): ?>
513	a509ff63	Bill Marquette	<tr>
514	9ecd6ab7	Erik Kristensen	<td width="22%" valign="top" class="vncell">Hard disk standby time </td>
515			<td width="78%" class="vtable">
516			<select name="harddiskstandby" class="formfld">
517			<?php
518			## Values from ATA-2 http://www.t13.org/project/d0948r3-ATA-2.pdf (Page 66)
519			$sbvals = explode(" ", "0.5,6 1,12 2,24 3,36 4,48 5,60 7.5,90 10,120 15,180 20,240 30,241 60,242");
520			?>
521			<option value="" <?php if(!$pconfig['harddiskstandby']) echo('selected');?>>Always on</option>
522			<?php
523	5b237745	Scott Ullrich	foreach ($sbvals as $sbval):
524			list($min,$val) = explode(",", $sbval); ?>
525	9ecd6ab7	Erik Kristensen	<option value="<?=$val;?>" <?php if($pconfig['harddiskstandby'] == $val) echo('selected');?>><?=$min;?> minutes</option>
526			<?php endforeach; ?>
527			</select>
528			<br />
529			Puts the hard disk into standby mode when the selected amount of time after the last
530			access has elapsed. <em>Do not set this for CF cards.</em>
531			</td>
532			</tr>
533	48ce54d0	Scott Ullrich	<?php endif; ?>
534	9ecd6ab7	Erik Kristensen	<tr>
535			<td width="22%" valign="top" class="vncell">webGUI anti-lockout</td>
536			<td width="78%" class="vtable">
537			<input name="noantilockout" type="checkbox" id="noantilockout" value="yes" <?php if ($pconfig['noantilockout']) echo "checked"; ?> />
538			<strong>Disable webGUI anti-lockout rule</strong>
539			<br />
540	48ce54d0	Scott Ullrich	By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter
541			rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you
542	9ecd6ab7	Erik Kristensen	in, or you will lock yourself out!).
543			<br />
544			Hint: the "set LAN IP address" option in the console menu resets this setting as well.
545			</td>
546			</tr>
547	bdac13de	Scott Ullrich	<tr>
548			<td width="22%" valign="top" class="vncell">Static route filtering</td>
549			<td width="78%" class="vtable">
550			<input name="bypassstaticroutes" type="checkbox" id="bypassstaticroutes" value="yes" <?php if ($pconfig['bypassstaticroutes']) echo "checked"; ?> />
551			<strong>Bypass firewall rules for traffic on the same interface</strong>
552			<br />
553	48ce54d0	Scott Ullrich	This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and
554			leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where
555	bdac13de	Scott Ullrich	multiple subnets are connected to the same interface.
556			<br />
557			</td>
558			</tr>
559	9ecd6ab7	Erik Kristensen	<tr>
560			<td width="22%" valign="top" class="vncell">IPsec SA preferral</td>
561			<td width="78%" class="vtable">
562			<input name="preferoldsa_enable" type="checkbox" id="preferoldsa_enable" value="yes" <?php if ($pconfig['preferoldsa_enable']) echo "checked"; ?> />
563			<strong>Prefer old IPsec SAs</strong>
564			<br />
565			By default, if several SAs match, the newest one is preferred if it's at least 30 seconds old.Select this option to always prefer old SAs over new ones.
566			</td>
567	48ce54d0	Scott Ullrich	</tr>
568	9ecd6ab7	Erik Kristensen	<tr>
569			<td width="22%" valign="top"> </td>
570			<td width="78%">
571			<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
572			</td>
573			</tr>
574			<tr>
575			<td colspan="2" class="list" height="12"> </td>
576			</tr>
577			<tr>
578			<td colspan="2" valign="top" class="listtopic">Traffic Shaper and Firewall Advanced</td>
579			</tr>
580	073abaa6	Scott Ullrich	<?php
581			/*
582	81a6f5ea	Scott Ullrich	<tr>
583			<td width="22%" valign="top" class="vncell">Traffic shaper type</td>
584			<td width="78%" class="vtable">
585			<select name="shapertype" class="formselect">
586			<option value="pfSense"<?php if($pconfig['shapertype'] == 'pfSense') echo " selected"; ?>><?= $g['product_name'] ?> (ALTQ)</option>
587			<option value="m0n0"<?php if($pconfig['shapertype'] == 'm0n0') echo " selected"; ?>>M0n0wall (dummynet)</option>
588			</select>
589			</td>
590			</tr>
591	073abaa6	Scott Ullrich	*/
592			?>
593	9ecd6ab7	Erik Kristensen	<tr>
594			<td width="22%" valign="top" class="vncell">FTP RFC 959 data port violation workaround</td>
595			<td width="78%" class="vtable">
596			<input name="rfc959workaround" type="checkbox" id="rfc959workaround" value="yes" <?php if (isset($config['system']['rfc959workaround'])) echo "checked"; ?> onclick="enable_change(false)" />
597			<strong class="vexpl">Workaround for sites that violate RFC 959 which specifies that the data connection be sourced from the command port - 1 (typically port 20). This workaround doesn't expose you to any extra risk as the firewall will still only allow connections on a port that the ftp-proxy is listening on.</strong>
598			<br />
599			</td>
600			</tr>
601	8f498445	Scott Ullrich	<tr>
602			<td width="22%" valign="top" class="vncell">Clear DF bit instead of dropping</td>
603			<td width="78%" class="vtable">
604			<input name="scrubnodf" type="checkbox" id="scrubnodf" value="yes" <?php if (isset($config['system']['scrubnodf'])) echo "checked"; ?> onclick="enable_change(false)" />
605			<strong class="vexpl">Workaround for operating systems that generate fragmented packets with the don't fragment (DF) bit set. Linux NFS is known to do this. This will cause the filter to not drop such packets but instead clear the don't fragment bit. The filter will also randomize the IP identification field of outgoing packets with this option on, to compensate for operating systems that set the DF bit but set a zero IP identification header field.</strong>
606			<br />
607			</td>
608			</tr>
609	9ecd6ab7	Erik Kristensen	<tr>
610			<td width="22%" valign="top" class="vncell">Firewall Optimization Options</td>
611			<td width="78%" class="vtable">
612			<select onChange="update_description(this.selectedIndex);" name="optimization" id="optimization">
613			<option value="normal"<?php if($config['system']['optimization']=="normal") echo " selected"; ?>>normal</option>
614			<option value="high-latency"<?php if($config['system']['optimization']=="high-latency") echo " selected"; ?>>high-latency</option>
615			<option value="aggressive"<?php if($config['system']['optimization']=="aggressive") echo " selected"; ?>>aggressive</option>
616			<option value="conservative"<?php if($config['system']['optimization']=="conservative") echo " selected"; ?>>conservative</option>
617			</select>
618			<br />
619	d4fddf14	Scott Ullrich	<textarea cols="60" rows="2" id="info" name="info"style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea>
620	9ecd6ab7	Erik Kristensen	<script language="javascript" type="text/javascript">
621			update_description(document.forms[0].optimization.selectedIndex);
622			</script>
623			<br />
624			<span class="vexpl"><b>Select which type of state table optimization your would like to use</b></span>
625			</td>
626			</tr>
627			<tr>
628			<td width="22%" valign="top" class="vncell">Disable Firewall</td>
629			<td width="78%" class="vtable">
630			<input name="disablefilter" type="checkbox" id="disablefilter" value="yes" <?php if (isset($config['system']['disablefilter'])) echo "checked"; ?> onclick="enable_change(false)" />
631	6c13d551	Chris Buechler	<strong>Disable all packet filtering.</strong>
632	9ecd6ab7	Erik Kristensen	<br />
633	e9bb7c19	Chris Buechler	<span class="vexpl">Note: This converts <?=$g['product_name'];?> into a routing only platform!<br>
634	8d0abf6b	Scott Ullrich	Note: This will turn off NAT!
635			</span>
636	9ecd6ab7	Erik Kristensen	</td>
637			</tr>
638	ff091d96	Scott Ullrich	<tr>
639			<td width="22%" valign="top" class="vncell">Disable Firewall Scrub</td>
640			<td width="78%" class="vtable">
641			<input name="disablescrub" type="checkbox" id="disablescrub" value="yes" <?php if (isset($config['system']['disablescrub'])) echo "checked"; ?> onclick="enable_change(false)" />
642			<strong>Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.</strong>
643			<br/>
644			Click <a href='http://www.openbsd.org/faq/pf/scrub.html' target='_new'>here</a> for more information.
645			</td>
646			</tr>
647	9ecd6ab7	Erik Kristensen	<tr>
648			<td width="22%" valign="top" class="vncell">Firewall Maximum States</td>
649			<td width="78%" class="vtable">
650			<input name="maximumstates" type="text" id="maximumstates" value="<?php echo $pconfig['maximumstates']; ?>" onclick="enable_change(false)" />
651			<br />
652			<strong>Maximum number of connections to hold in the firewall state table.</strong>
653			<br />
654			<span class="vexpl">Note: Leave this blank for the default of 10000</span>
655			</td>
656			</tr>
657	f031a007	Chris Buechler	<tr>
658			<td width="22%" valign="top" class="vncell">Disable Auto-added VPN rules</td>
659			<td width="78%" class="vtable">
660			<input name="disablevpnrules" type="checkbox" id="disablevpnrules" value="yes" <?php if (isset($config['system']['disablevpnrules'])) echo "checked"; ?> onclick="enable_change(false)" />
661			<strong>Disable all auto-added VPN rules.</strong>
662			<br />
663			<span class="vexpl">Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN.
664			</span>
665			</td>
666			</tr>
667	a9b19d7f	Scott Ullrich	<tr>
668	b5675af6	Scott Ullrich	<td width="22%" valign="top"> </td>
669			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
670	a9b19d7f	Scott Ullrich	</tr>
671	b5675af6	Scott Ullrich	<tr>
672			<td colspan="2" class="list" height="12"> </td>
673	48ce54d0	Scott Ullrich	</tr>
674	a9b19d7f	Scott Ullrich	<tr>
675			<td colspan="2" valign="top" class="listtopic">Network Address Translation</td>
676			</tr>
677			<tr>
678	1b45d566	Scott Ullrich	<td width="22%" valign="top" class="vncell">Disable NAT Reflection</td>
679	a9b19d7f	Scott Ullrich	<td width="78%" class="vtable">
680			<input name="disablenatreflection" type="checkbox" id="disablenatreflection" value="yes" <?php if (isset($config['system']['disablenatreflection'])) echo "checked"; ?> onclick="enable_change(false)" />
681	3a9ba28f	Scott Ullrich	<strong>Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.</strong>
682	a9b19d7f	Scott Ullrich	</td>
683			</tr>
684	d2eb5def	Scott Ullrich	<tr>
685			<td width="22%" valign="top"> </td>
686			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
687			</tr>
688			<tr>
689			<td colspan="2" class="list" height="12"> </td>
690			</tr>
691			<tr>
692			<td colspan="2" valign="top" class="listtopic">Hardware Checksum Offloading</td>
693			</tr>
694			<tr>
695			<td width="22%" valign="top" class="vncell">Disable Hardware Checksum Offloading</td>
696			<td width="78%" class="vtable">
697			<input name="disablechecksumoffloading" type="checkbox" id="disablechecksumoffloading" value="yes" <?php if (isset($config['system']['disablechecksumoffloading'])) echo "checked"; ?> onclick="enable_change(false)" />
698	a4d71dc1	Chris Buechler	<strong>Checking this option will disable hardware checksum offloading. Checksum offloading is broken in some hardware, particularly some Realtek cards. Rarely, drivers may have problems with checksum offloading and some specific NICs.</strong>
699	d2eb5def	Scott Ullrich	</td>
700			</tr>
701	9ecd6ab7	Erik Kristensen	<tr>
702			<td width="22%" valign="top"> </td>
703			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
704			</tr>
705			<tr>
706			<td colspan="2" class="list" height="12"> </td>
707			</tr>
708			</tbody>
709			</table>
710	5b237745	Scott Ullrich	</form>
711	9ecd6ab7	Erik Kristensen
712			<script language="JavaScript" type="text/javascript">
713	5b237745	Scott Ullrich	<!--
714	9ecd6ab7	Erik Kristensen	enable_change(false);
715	5b237745	Scott Ullrich	//-->
716			</script>
717	9ecd6ab7	Erik Kristensen
718	5b237745	Scott Ullrich	<?php include("fend.inc"); ?>
719	9ecd6ab7	Erik Kristensen
720	a6318c60	Scott Ullrich	</body>
721			</html>
722
723	8affb1da	Scott Ullrich	<?php
724
725	d6f67691	Scott Ullrich	if($_POST['cert'] \|\| $_POST['key']) {
726			if (($config['system']['webgui']['certificate'] != $oldcert)
727			\|\| ($config['system']['webgui']['private-key'] != $oldkey)) {
728			ob_flush();
729			flush();
730			log_error("webConfigurator certificates have changed. Restarting webConfigurator.");
731			sleep(1);
732			touch("/tmp/restart_webgui");
733			}
734	04257637	Scott Ullrich	}
735
736	4b87b18b	Chris Buechler	?>

Project

General

Profile

pfSense