| 1 |
5ba18897
|
Scott Ullrich
|
<?php
|
| 2 |
b46bfcf5
|
Bill Marquette
|
/* $Id$ */
|
| 3 |
5b237745
|
Scott Ullrich
|
/*
|
| 4 |
bdb7d6e7
|
Scott Ullrich
|
firewall_rules_edit.php
|
| 5 |
e4cabb75
|
Scott Ullrich
|
part of pfSense (http://www.pfsense.com)
|
| 6 |
|
|
Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)
|
| 7 |
5ba18897
|
Scott Ullrich
|
|
| 8 |
e4cabb75
|
Scott Ullrich
|
originally part of m0n0wall (http://m0n0.ch/wall)
|
| 9 |
bdb7d6e7
|
Scott Ullrich
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
| 10 |
|
|
All rights reserved.
|
| 11 |
5ba18897
|
Scott Ullrich
|
|
| 12 |
bdb7d6e7
|
Scott Ullrich
|
Redistribution and use in source and binary forms, with or without
|
| 13 |
|
|
modification, are permitted provided that the following conditions are met:
|
| 14 |
5ba18897
|
Scott Ullrich
|
|
| 15 |
bdb7d6e7
|
Scott Ullrich
|
1. Redistributions of source code must retain the above copyright notice,
|
| 16 |
|
|
this list of conditions and the following disclaimer.
|
| 17 |
5ba18897
|
Scott Ullrich
|
|
| 18 |
bdb7d6e7
|
Scott Ullrich
|
2. Redistributions in binary form must reproduce the above copyright
|
| 19 |
|
|
notice, this list of conditions and the following disclaimer in the
|
| 20 |
|
|
documentation and/or other materials provided with the distribution.
|
| 21 |
5ba18897
|
Scott Ullrich
|
|
| 22 |
bdb7d6e7
|
Scott Ullrich
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| 23 |
|
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
| 24 |
|
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
| 25 |
|
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
| 26 |
|
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
| 27 |
|
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
| 28 |
|
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
| 29 |
|
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
| 30 |
|
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
| 31 |
|
|
POSSIBILITY OF SUCH DAMAGE.
|
| 32 |
5b237745
|
Scott Ullrich
|
*/
|
| 33 |
7ac5a4cb
|
Scott Ullrich
|
/*
|
| 34 |
|
|
pfSense_MODULE: filter
|
| 35 |
|
|
*/
|
| 36 |
5b237745
|
Scott Ullrich
|
|
| 37 |
6b07c15a
|
Matthew Grooms
|
##|+PRIV
|
| 38 |
|
|
##|*IDENT=page-firewall-rules-edit
|
| 39 |
|
|
##|*NAME=Firewall: Rules: Edit page
|
| 40 |
|
|
##|*DESCR=Allow access to the 'Firewall: Rules: Edit' page.
|
| 41 |
|
|
##|*MATCH=firewall_rules_edit.php*
|
| 42 |
|
|
##|-PRIV
|
| 43 |
|
|
|
| 44 |
5b237745
|
Scott Ullrich
|
require("guiconfig.inc");
|
| 45 |
1a03cf69
|
Scott Ullrich
|
require("filter.inc");
|
| 46 |
|
|
require("shaper.inc");
|
| 47 |
5b237745
|
Scott Ullrich
|
|
| 48 |
1e578a7f
|
Ermal Lu?i
|
$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
|
| 49 |
3331a640
|
Ermal Lu?i
|
$ifdisp = get_configured_interface_with_descr();
|
| 50 |
679d21bb
|
Ermal Lu?i
|
foreach ($ifdisp as $kif => $kdescr) {
|
| 51 |
3331a640
|
Ermal Lu?i
|
$specialsrcdst[] = "{$kif}";
|
| 52 |
|
|
$specialsrcdst[] = "{$kif}ip";
|
| 53 |
679d21bb
|
Ermal Lu?i
|
}
|
| 54 |
5b237745
|
Scott Ullrich
|
|
| 55 |
|
|
if (!is_array($config['filter']['rule'])) {
|
| 56 |
|
|
$config['filter']['rule'] = array();
|
| 57 |
|
|
}
|
| 58 |
|
|
filter_rules_sort();
|
| 59 |
|
|
$a_filter = &$config['filter']['rule'];
|
| 60 |
|
|
|
| 61 |
|
|
$id = $_GET['id'];
|
| 62 |
|
|
if (is_numeric($_POST['id']))
|
| 63 |
|
|
$id = $_POST['id'];
|
| 64 |
5ba18897
|
Scott Ullrich
|
|
| 65 |
5b237745
|
Scott Ullrich
|
$after = $_GET['after'];
|
| 66 |
|
|
|
| 67 |
|
|
if (isset($_POST['after']))
|
| 68 |
|
|
$after = $_POST['after'];
|
| 69 |
|
|
|
| 70 |
|
|
if (isset($_GET['dup'])) {
|
| 71 |
|
|
$id = $_GET['dup'];
|
| 72 |
|
|
$after = $_GET['dup'];
|
| 73 |
|
|
}
|
| 74 |
|
|
|
| 75 |
|
|
if (isset($id) && $a_filter[$id]) {
|
| 76 |
|
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
| 77 |
5ba18897
|
Scott Ullrich
|
|
| 78 |
b9e28d57
|
unknown
|
if (isset($a_filter[$id]['id']))
|
| 79 |
|
|
$pconfig['ruleid'] = $a_filter[$id]['id'];
|
| 80 |
|
|
|
| 81 |
5b237745
|
Scott Ullrich
|
if (!isset($a_filter[$id]['type']))
|
| 82 |
|
|
$pconfig['type'] = "pass";
|
| 83 |
|
|
else
|
| 84 |
|
|
$pconfig['type'] = $a_filter[$id]['type'];
|
| 85 |
5ba18897
|
Scott Ullrich
|
|
| 86 |
4633edc2
|
Ermal Luçi
|
if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
|
| 87 |
661aed33
|
Ermal Luçi
|
$pconfig['floating'] = $a_filter[$id]['floating'];
|
| 88 |
|
|
if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
|
| 89 |
|
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
| 90 |
|
|
}
|
| 91 |
|
|
|
| 92 |
|
|
if (isset($a_filter['floating']))
|
| 93 |
|
|
$pconfig['floating'] = "yes";
|
| 94 |
|
|
|
| 95 |
|
|
if (isset($a_filter[$id]['direction']))
|
| 96 |
|
|
$pconfig['direction'] = $a_filter[$id]['direction'];
|
| 97 |
|
|
|
| 98 |
5b237745
|
Scott Ullrich
|
if (isset($a_filter[$id]['protocol']))
|
| 99 |
|
|
$pconfig['proto'] = $a_filter[$id]['protocol'];
|
| 100 |
|
|
else
|
| 101 |
|
|
$pconfig['proto'] = "any";
|
| 102 |
5ba18897
|
Scott Ullrich
|
|
| 103 |
5b237745
|
Scott Ullrich
|
if ($a_filter[$id]['protocol'] == "icmp")
|
| 104 |
|
|
$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
|
| 105 |
5ba18897
|
Scott Ullrich
|
|
| 106 |
5b237745
|
Scott Ullrich
|
address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
|
| 107 |
|
|
$pconfig['srcmask'], $pconfig['srcnot'],
|
| 108 |
|
|
$pconfig['srcbeginport'], $pconfig['srcendport']);
|
| 109 |
5ba18897
|
Scott Ullrich
|
|
| 110 |
8be60f21
|
Scott Ullrich
|
if($a_filter[$id]['os'] <> "")
|
| 111 |
|
|
$pconfig['os'] = $a_filter[$id]['os'];
|
| 112 |
e33c8694
|
Bill Marquette
|
|
| 113 |
5b237745
|
Scott Ullrich
|
address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
|
| 114 |
|
|
$pconfig['dstmask'], $pconfig['dstnot'],
|
| 115 |
|
|
$pconfig['dstbeginport'], $pconfig['dstendport']);
|
| 116 |
|
|
|
| 117 |
c5fc1b2e
|
Ermal Luçi
|
if ($a_filter[$id]['dscp'] <> "")
|
| 118 |
|
|
$pconfig['dscp'] = $a_filter[$id]['dscp'];
|
| 119 |
|
|
|
| 120 |
5b237745
|
Scott Ullrich
|
$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
|
| 121 |
|
|
$pconfig['log'] = isset($a_filter[$id]['log']);
|
| 122 |
|
|
$pconfig['descr'] = $a_filter[$id]['descr'];
|
| 123 |
8c84fe43
|
Scott Ullrich
|
|
| 124 |
5c1f5584
|
Ermal Luçi
|
if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
|
| 125 |
661aed33
|
Ermal Luçi
|
$pconfig['tag'] = $a_filter[$id]['tag'];
|
| 126 |
b6494651
|
Ermal Lu?i
|
if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tagged'] <> "")
|
| 127 |
661aed33
|
Ermal Luçi
|
$pconfig['tagged'] = $a_filter[$id]['tagged'];
|
| 128 |
|
|
if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
|
| 129 |
|
|
$pconfig['quick'] = $a_filter[$id]['quick'];
|
| 130 |
775ccea3
|
Ermal Luci
|
if (isset($a_filter[$id]['allowopts']))
|
| 131 |
|
|
$pconfig['allowopts'] = true;
|
| 132 |
661aed33
|
Ermal Luçi
|
|
| 133 |
ed08ef3e
|
Scott Ullrich
|
/* advanced */
|
| 134 |
a56b2fa0
|
pierrepomes
|
$pconfig['max'] = $a_filter[$id]['max'];
|
| 135 |
f1c49ff4
|
Scott Ullrich
|
$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
|
| 136 |
26dd6a54
|
pierrepomes
|
$pconfig['max-src-conn'] = $a_filter[$id]['max-src-conn'];
|
| 137 |
f1c49ff4
|
Scott Ullrich
|
$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
|
| 138 |
|
|
$pconfig['statetype'] = $a_filter[$id]['statetype'];
|
| 139 |
5ba18897
|
Scott Ullrich
|
$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
|
| 140 |
8c84fe43
|
Scott Ullrich
|
|
| 141 |
f1c49ff4
|
Scott Ullrich
|
/* advanced - nosync */
|
| 142 |
8c84fe43
|
Scott Ullrich
|
$pconfig['nosync'] = isset($a_filter[$id]['nosync']);
|
| 143 |
10f21e70
|
Scott Ullrich
|
|
| 144 |
ed08ef3e
|
Scott Ullrich
|
/* advanced - new connection per second banning*/
|
| 145 |
|
|
$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
|
| 146 |
|
|
$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];
|
| 147 |
5ba18897
|
Scott Ullrich
|
|
| 148 |
e5980370
|
Scott Ullrich
|
/* Multi-WAN next-hop support */
|
| 149 |
c98ddde2
|
Bill Marquette
|
$pconfig['gateway'] = $a_filter[$id]['gateway'];
|
| 150 |
615b27bc
|
Scott Dale
|
|
| 151 |
197bfe96
|
Ermal Luçi
|
/* Shaper support */
|
| 152 |
|
|
$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
|
| 153 |
|
|
$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];
|
| 154 |
a5fd67e1
|
Ermal Luçi
|
$pconfig['dnpipe'] = $a_filter[$id]['dnpipe'];
|
| 155 |
|
|
$pconfig['pdnpipe'] = $a_filter[$id]['pdnpipe'];
|
| 156 |
7e50413c
|
Ermal Luçi
|
$pconfig['l7container'] = $a_filter[$id]['l7container'];
|
| 157 |
197bfe96
|
Ermal Luçi
|
|
| 158 |
615b27bc
|
Scott Dale
|
//schedule support
|
| 159 |
|
|
$pconfig['sched'] = $a_filter[$id]['sched'];
|
| 160 |
473d0ff0
|
pierrepomes
|
$pconfig['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id'];
|
| 161 |
c98ddde2
|
Bill Marquette
|
|
| 162 |
5b237745
|
Scott Ullrich
|
} else {
|
| 163 |
|
|
/* defaults */
|
| 164 |
a23d7248
|
Scott Ullrich
|
if ($_GET['if'])
|
| 165 |
|
|
$pconfig['interface'] = $_GET['if'];
|
| 166 |
5b237745
|
Scott Ullrich
|
$pconfig['type'] = "pass";
|
| 167 |
|
|
$pconfig['src'] = "any";
|
| 168 |
|
|
$pconfig['dst'] = "any";
|
| 169 |
|
|
}
|
| 170 |
72320b88
|
Ermal Luçi
|
/* Allow the FlotingRules to work */
|
| 171 |
|
|
$if = $pconfig['interface'];
|
| 172 |
5b237745
|
Scott Ullrich
|
|
| 173 |
|
|
if (isset($_GET['dup']))
|
| 174 |
|
|
unset($id);
|
| 175 |
|
|
|
| 176 |
|
|
if ($_POST) {
|
| 177 |
87f0be87
|
Chris Buechler
|
|
| 178 |
|
|
if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
|
| 179 |
|
|
$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";
|
| 180 |
28f9e493
|
Scott Ullrich
|
|
| 181 |
5b237745
|
Scott Ullrich
|
if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
|
| 182 |
|
|
$_POST['srcbeginport'] = 0;
|
| 183 |
|
|
$_POST['srcendport'] = 0;
|
| 184 |
|
|
$_POST['dstbeginport'] = 0;
|
| 185 |
|
|
$_POST['dstendport'] = 0;
|
| 186 |
|
|
} else {
|
| 187 |
5ba18897
|
Scott Ullrich
|
|
| 188 |
5b237745
|
Scott Ullrich
|
if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
|
| 189 |
|
|
$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
|
| 190 |
|
|
if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
|
| 191 |
|
|
$_POST['srcendport'] = $_POST['srcendport_cust'];
|
| 192 |
5ba18897
|
Scott Ullrich
|
|
| 193 |
5b237745
|
Scott Ullrich
|
if ($_POST['srcbeginport'] == "any") {
|
| 194 |
|
|
$_POST['srcbeginport'] = 0;
|
| 195 |
|
|
$_POST['srcendport'] = 0;
|
| 196 |
5ba18897
|
Scott Ullrich
|
} else {
|
| 197 |
5b237745
|
Scott Ullrich
|
if (!$_POST['srcendport'])
|
| 198 |
|
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
| 199 |
|
|
}
|
| 200 |
|
|
if ($_POST['srcendport'] == "any")
|
| 201 |
|
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
| 202 |
5ba18897
|
Scott Ullrich
|
|
| 203 |
5b237745
|
Scott Ullrich
|
if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
|
| 204 |
|
|
$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
|
| 205 |
|
|
if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
|
| 206 |
|
|
$_POST['dstendport'] = $_POST['dstendport_cust'];
|
| 207 |
5ba18897
|
Scott Ullrich
|
|
| 208 |
5b237745
|
Scott Ullrich
|
if ($_POST['dstbeginport'] == "any") {
|
| 209 |
|
|
$_POST['dstbeginport'] = 0;
|
| 210 |
|
|
$_POST['dstendport'] = 0;
|
| 211 |
5ba18897
|
Scott Ullrich
|
} else {
|
| 212 |
5b237745
|
Scott Ullrich
|
if (!$_POST['dstendport'])
|
| 213 |
|
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
| 214 |
|
|
}
|
| 215 |
|
|
if ($_POST['dstendport'] == "any")
|
| 216 |
5ba18897
|
Scott Ullrich
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
| 217 |
5b237745
|
Scott Ullrich
|
}
|
| 218 |
5ba18897
|
Scott Ullrich
|
|
| 219 |
5b237745
|
Scott Ullrich
|
if (is_specialnet($_POST['srctype'])) {
|
| 220 |
|
|
$_POST['src'] = $_POST['srctype'];
|
| 221 |
|
|
$_POST['srcmask'] = 0;
|
| 222 |
|
|
} else if ($_POST['srctype'] == "single") {
|
| 223 |
|
|
$_POST['srcmask'] = 32;
|
| 224 |
|
|
}
|
| 225 |
|
|
if (is_specialnet($_POST['dsttype'])) {
|
| 226 |
|
|
$_POST['dst'] = $_POST['dsttype'];
|
| 227 |
|
|
$_POST['dstmask'] = 0;
|
| 228 |
|
|
} else if ($_POST['dsttype'] == "single") {
|
| 229 |
|
|
$_POST['dstmask'] = 32;
|
| 230 |
|
|
}
|
| 231 |
5ba18897
|
Scott Ullrich
|
|
| 232 |
5b237745
|
Scott Ullrich
|
unset($input_errors);
|
| 233 |
|
|
$pconfig = $_POST;
|
| 234 |
|
|
|
| 235 |
ef2a753c
|
Scott Ullrich
|
/* run through $_POST items encoding HTML entties so that the user
|
| 236 |
|
|
* cannot think he is slick and perform a XSS attack on the unwilling
|
| 237 |
|
|
*/
|
| 238 |
21eff66f
|
Scott Ullrich
|
foreach ($_POST as $key => $value) {
|
| 239 |
|
|
$temp = $value;
|
| 240 |
661aed33
|
Ermal Luçi
|
if (isset($_POST['floating']) && $key == "interface")
|
| 241 |
|
|
continue;
|
| 242 |
21eff66f
|
Scott Ullrich
|
$newpost = htmlentities($temp);
|
| 243 |
5157927f
|
Scott Ullrich
|
if($newpost <> $temp)
|
| 244 |
|
|
$input_errors[] = "Invalid characters detected ($temp). Please remove invalid characters and save again.";
|
| 245 |
ef2a753c
|
Scott Ullrich
|
}
|
| 246 |
|
|
|
| 247 |
5b237745
|
Scott Ullrich
|
/* input validation */
|
| 248 |
473d0ff0
|
pierrepomes
|
$reqdfields = explode(" ", "type proto src");
|
| 249 |
|
|
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false )
|
| 250 |
|
|
$redqfields[] = "dst";
|
| 251 |
|
|
$reqdfieldsn = explode(",", "Type,Protocol,Source");
|
| 252 |
|
|
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false )
|
| 253 |
|
|
$reqdfieldsn[] = "Destination";
|
| 254 |
5b237745
|
Scott Ullrich
|
|
| 255 |
452ade89
|
Bill Marquette
|
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
|
| 256 |
c22767b1
|
Bill Marquette
|
if( $_POST['proto'] != "tcp" )
|
| 257 |
|
|
$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
|
| 258 |
452ade89
|
Bill Marquette
|
if(($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
|
| 259 |
|
|
$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
|
| 260 |
|
|
}
|
| 261 |
10f7933f
|
Chris Buechler
|
|
| 262 |
5b237745
|
Scott Ullrich
|
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
|
| 263 |
|
|
$reqdfields[] = "srcmask";
|
| 264 |
|
|
$reqdfieldsn[] = "Source bit count";
|
| 265 |
|
|
}
|
| 266 |
473d0ff0
|
pierrepomes
|
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false &&
|
| 267 |
|
|
(!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) ) {
|
| 268 |
5b237745
|
Scott Ullrich
|
$reqdfields[] = "dstmask";
|
| 269 |
|
|
$reqdfieldsn[] = "Destination bit count";
|
| 270 |
|
|
}
|
| 271 |
5ba18897
|
Scott Ullrich
|
|
| 272 |
5b237745
|
Scott Ullrich
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
|
| 273 |
5ba18897
|
Scott Ullrich
|
|
| 274 |
5b237745
|
Scott Ullrich
|
if (!$_POST['srcbeginport']) {
|
| 275 |
|
|
$_POST['srcbeginport'] = 0;
|
| 276 |
|
|
$_POST['srcendport'] = 0;
|
| 277 |
|
|
}
|
| 278 |
|
|
if (!$_POST['dstbeginport']) {
|
| 279 |
|
|
$_POST['dstbeginport'] = 0;
|
| 280 |
|
|
$_POST['dstendport'] = 0;
|
| 281 |
|
|
}
|
| 282 |
5ba18897
|
Scott Ullrich
|
|
| 283 |
9b45f821
|
Ermal Lu?i
|
if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport']))
|
| 284 |
|
|
$input_errors[] = "{$_POST['srcbeginport']} is not a valid start source port. It must be a port alias or integer between 1 and 65535.";
|
| 285 |
|
|
if ($_POST['srcendport'] && !is_portoralias($_POST['srcendport']))
|
| 286 |
|
|
$input_errors[] = "{$_POST['srcendport']} is not a valid end source port. It must be a port alias or integer between 1 and 65535.";
|
| 287 |
|
|
if ($_POST['dstbeginport'] && !is_portoralias($_POST['dstbeginport']))
|
| 288 |
|
|
$input_errors[] = "{$_POST['dstbeginport']} is not a valid start destination port. It must be a port alias or integer between 1 and 65535.";
|
| 289 |
|
|
if ($_POST['dstendport'] && !is_portoralias($_POST['dstendport']))
|
| 290 |
|
|
$input_errors[] = "{$_POST['dstendport']} is not a valid end destination port. It must be a port alias or integer between 1 and 65535.";
|
| 291 |
5ba18897
|
Scott Ullrich
|
|
| 292 |
0e5ddcd9
|
Scott Ullrich
|
/* if user enters an alias and selects "network" then disallow. */
|
| 293 |
|
|
if($_POST['srctype'] == "network") {
|
| 294 |
|
|
if(is_alias($_POST['src']))
|
| 295 |
|
|
$input_errors[] = "You must specify single host or alias for alias entries.";
|
| 296 |
|
|
}
|
| 297 |
|
|
if($_POST['dsttype'] == "network") {
|
| 298 |
|
|
if(is_alias($_POST['dst']))
|
| 299 |
|
|
$input_errors[] = "You must specify single host or alias for alias entries.";
|
| 300 |
|
|
}
|
| 301 |
|
|
|
| 302 |
5b237745
|
Scott Ullrich
|
if (!is_specialnet($_POST['srctype'])) {
|
| 303 |
1e578a7f
|
Ermal Lu?i
|
if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
|
| 304 |
9b45f821
|
Ermal Lu?i
|
$input_errors[] = "{$_POST['src']} is not a valid source IP address or alias.";
|
| 305 |
5b237745
|
Scott Ullrich
|
}
|
| 306 |
|
|
if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
|
| 307 |
|
|
$input_errors[] = "A valid source bit count must be specified.";
|
| 308 |
|
|
}
|
| 309 |
|
|
}
|
| 310 |
|
|
if (!is_specialnet($_POST['dsttype'])) {
|
| 311 |
1e578a7f
|
Ermal Lu?i
|
if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
|
| 312 |
9b45f821
|
Ermal Lu?i
|
$input_errors[] = "{$_POST['dst']} is not a valid destination IP address or alias.";
|
| 313 |
5b237745
|
Scott Ullrich
|
}
|
| 314 |
|
|
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
|
| 315 |
|
|
$input_errors[] = "A valid destination bit count must be specified.";
|
| 316 |
|
|
}
|
| 317 |
|
|
}
|
| 318 |
5ba18897
|
Scott Ullrich
|
|
| 319 |
5b237745
|
Scott Ullrich
|
if ($_POST['srcbeginport'] > $_POST['srcendport']) {
|
| 320 |
|
|
/* swap */
|
| 321 |
|
|
$tmp = $_POST['srcendport'];
|
| 322 |
|
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
| 323 |
|
|
$_POST['srcbeginport'] = $tmp;
|
| 324 |
|
|
}
|
| 325 |
|
|
if ($_POST['dstbeginport'] > $_POST['dstendport']) {
|
| 326 |
|
|
/* swap */
|
| 327 |
|
|
$tmp = $_POST['dstendport'];
|
| 328 |
|
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
| 329 |
|
|
$_POST['dstbeginport'] = $tmp;
|
| 330 |
|
|
}
|
| 331 |
e33c8694
|
Bill Marquette
|
if ($_POST['os'])
|
| 332 |
|
|
if( $_POST['proto'] != "tcp" )
|
| 333 |
|
|
$input_errors[] = "OS detection is only valid with protocol tcp.";
|
| 334 |
5b237745
|
Scott Ullrich
|
|
| 335 |
197bfe96
|
Ermal Luçi
|
if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
|
| 336 |
|
|
if ($_POST['defaultqueue'] == "none" )
|
| 337 |
|
|
$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
|
| 338 |
|
|
else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
|
| 339 |
aa8cdf52
|
Scott Ullrich
|
$input_errors[] = "Acknowledge queue and Queue cannot be the same.";
|
| 340 |
197bfe96
|
Ermal Luçi
|
}
|
| 341 |
a5fd67e1
|
Ermal Luçi
|
if ($_POST['pdnpipe'] && $_POST['pdnpipe'] != "none") {
|
| 342 |
|
|
if ($_POST['dnpipe'] == "none" )
|
| 343 |
|
|
$input_errors[] = "You must select a queue for the In direction before selecting one for Out too.";
|
| 344 |
|
|
else if ($_POST['pdnpipe'] == $_POST['dnpipe'])
|
| 345 |
|
|
$input_errors[] = "In and Out Queue cannot be the same.";
|
| 346 |
|
|
else if ($pdnpipe[0] == "?" && $dnpipe[0] <> "?")
|
| 347 |
|
|
$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
|
| 348 |
|
|
else if ($dnpipe[0] == "?" && $pdnpipe[0] <> "?")
|
| 349 |
|
|
$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
|
| 350 |
|
|
}
|
| 351 |
b9e28d57
|
unknown
|
if( !empty($_POST['ruleid']) && !ctype_digit($_POST['ruleid']))
|
| 352 |
|
|
$input_errors[] = 'ID must be an integer';
|
| 353 |
7e50413c
|
Ermal Luçi
|
if($_POST['l7container'] && $_POST['l7container'] != "none") {
|
| 354 |
|
|
if(!($_POST['proto'] == "tcp" || $_POST['proto'] == "udp" || $_POST['proto'] == "tcp/udp"))
|
| 355 |
|
|
$input_errors[] = "You can only select a layer7 container for tcp and/or udp protocols";
|
| 356 |
3b184ca5
|
Ermal Lu?i
|
if ($_POST['type'] <> "pass")
|
| 357 |
|
|
$input_errors[] = "You can only select a layer7 container for Pass type rules.";
|
| 358 |
7e50413c
|
Ermal Luçi
|
}
|
| 359 |
197bfe96
|
Ermal Luçi
|
|
| 360 |
5b237745
|
Scott Ullrich
|
if (!$input_errors) {
|
| 361 |
|
|
$filterent = array();
|
| 362 |
b9e28d57
|
unknown
|
$filterent['id'] = $_POST['ruleid']>0?$_POST['ruleid']:'';
|
| 363 |
5b237745
|
Scott Ullrich
|
$filterent['type'] = $_POST['type'];
|
| 364 |
661aed33
|
Ermal Luçi
|
if (isset($_POST['interface'] ))
|
| 365 |
|
|
$filterent['interface'] = $_POST['interface'];
|
| 366 |
|
|
|
| 367 |
|
|
if ($if == "FloatingRules" || isset($_POST['floating'])) {
|
| 368 |
|
|
if (isset($_POST['tag']))
|
| 369 |
|
|
$filterent['tag'] = $_POST['tag'];
|
| 370 |
|
|
if (isset($_POST['tagged']))
|
| 371 |
f1602cc4
|
sullrich
|
$filterent['tagged'] = $_POST['tagged'];
|
| 372 |
661aed33
|
Ermal Luçi
|
$filterent['direction'] = $_POST['direction'];
|
| 373 |
|
|
if (isset($_POST['quick']) && $_POST['quick'] <> "")
|
| 374 |
|
|
$filterent['quick'] = $_POST['quick'];
|
| 375 |
|
|
$filterent['floating'] = "yes";
|
| 376 |
|
|
if (isset($_POST['interface']) && count($_POST['interface']) > 0) {
|
| 377 |
f1602cc4
|
sullrich
|
$filterent['interface'] = implode(",", $_POST['interface']);
|
| 378 |
661aed33
|
Ermal Luçi
|
}
|
| 379 |
|
|
}
|
| 380 |
d59874c1
|
Scott Ullrich
|
|
| 381 |
bdb7d6e7
|
Scott Ullrich
|
/* Advanced options */
|
| 382 |
775ccea3
|
Ermal Luci
|
if ($_POST['allowopts'] == "yes")
|
| 383 |
|
|
$filterent['allowopts'] = true;
|
| 384 |
|
|
else
|
| 385 |
|
|
unset($filterent['allowopts']);
|
| 386 |
a56b2fa0
|
pierrepomes
|
$filterent['max'] = $_POST['max'];
|
| 387 |
bdb7d6e7
|
Scott Ullrich
|
$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
|
| 388 |
26dd6a54
|
pierrepomes
|
$filterent['max-src-conn'] = $_POST['max-src-conn'];
|
| 389 |
bdb7d6e7
|
Scott Ullrich
|
$filterent['max-src-states'] = $_POST['max-src-states'];
|
| 390 |
5ba18897
|
Scott Ullrich
|
$filterent['statetimeout'] = $_POST['statetimeout'];
|
| 391 |
fa9af164
|
Scott Ullrich
|
$filterent['statetype'] = $_POST['statetype'];
|
| 392 |
e33c8694
|
Bill Marquette
|
$filterent['os'] = $_POST['os'];
|
| 393 |
10f21e70
|
Scott Ullrich
|
|
| 394 |
|
|
/* Nosync directive - do not xmlrpc sync this item */
|
| 395 |
8c84fe43
|
Scott Ullrich
|
if($_POST['nosync'] <> "")
|
| 396 |
10f21e70
|
Scott Ullrich
|
$filterent['nosync'] = true;
|
| 397 |
|
|
else
|
| 398 |
|
|
unset($filterent['nosync']);
|
| 399 |
|
|
|
| 400 |
3f00c1dc
|
Scott Ullrich
|
/* unless both values are provided, unset the values - ticket #650 */
|
| 401 |
|
|
if($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] <> "") {
|
| 402 |
|
|
$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
|
| 403 |
|
|
$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
|
| 404 |
|
|
} else {
|
| 405 |
|
|
unset($filterent['max-src-conn-rate']);
|
| 406 |
|
|
unset($filterent['max-src-conn-rates']);
|
| 407 |
|
|
}
|
| 408 |
5ba18897
|
Scott Ullrich
|
|
| 409 |
5b237745
|
Scott Ullrich
|
if ($_POST['proto'] != "any")
|
| 410 |
|
|
$filterent['protocol'] = $_POST['proto'];
|
| 411 |
|
|
else
|
| 412 |
|
|
unset($filterent['protocol']);
|
| 413 |
5ba18897
|
Scott Ullrich
|
|
| 414 |
5b237745
|
Scott Ullrich
|
if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
|
| 415 |
|
|
$filterent['icmptype'] = $_POST['icmptype'];
|
| 416 |
|
|
else
|
| 417 |
|
|
unset($filterent['icmptype']);
|
| 418 |
5ba18897
|
Scott Ullrich
|
|
| 419 |
5b237745
|
Scott Ullrich
|
pconfig_to_address($filterent['source'], $_POST['src'],
|
| 420 |
|
|
$_POST['srcmask'], $_POST['srcnot'],
|
| 421 |
|
|
$_POST['srcbeginport'], $_POST['srcendport']);
|
| 422 |
5ba18897
|
Scott Ullrich
|
|
| 423 |
5b237745
|
Scott Ullrich
|
pconfig_to_address($filterent['destination'], $_POST['dst'],
|
| 424 |
|
|
$_POST['dstmask'], $_POST['dstnot'],
|
| 425 |
|
|
$_POST['dstbeginport'], $_POST['dstendport']);
|
| 426 |
5ba18897
|
Scott Ullrich
|
|
| 427 |
f1602cc4
|
sullrich
|
if ($_POST['disabled'])
|
| 428 |
|
|
$filterent['disabled'] = true;
|
| 429 |
|
|
else
|
| 430 |
|
|
unset($filterent['disabled']);
|
| 431 |
|
|
|
| 432 |
c5fc1b2e
|
Ermal Luçi
|
if ($_POST['dscp'])
|
| 433 |
|
|
$filterent['dscp'] = $_POST['dscp'];
|
| 434 |
|
|
|
| 435 |
f1602cc4
|
sullrich
|
if ($_POST['log'])
|
| 436 |
|
|
$filterent['log'] = true;
|
| 437 |
|
|
else
|
| 438 |
|
|
unset($filterent['log']);
|
| 439 |
c68fc1e7
|
Bill Marquette
|
strncpy($filterent['descr'], $_POST['descr'], 52);
|
| 440 |
5ba18897
|
Scott Ullrich
|
|
| 441 |
c98ddde2
|
Bill Marquette
|
if ($_POST['gateway'] != "") {
|
| 442 |
|
|
$filterent['gateway'] = $_POST['gateway'];
|
| 443 |
|
|
}
|
| 444 |
197bfe96
|
Ermal Luçi
|
|
| 445 |
|
|
if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
|
| 446 |
|
|
$filterent['defaultqueue'] = $_POST['defaultqueue'];
|
| 447 |
|
|
if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
|
| 448 |
|
|
$filterent['ackqueue'] = $_POST['ackqueue'];
|
| 449 |
|
|
}
|
| 450 |
c98ddde2
|
Bill Marquette
|
|
| 451 |
a5fd67e1
|
Ermal Luçi
|
if (isset($_POST['dnpipe']) && $_POST['dnpipe'] != "none") {
|
| 452 |
|
|
$filterent['dnpipe'] = $_POST['dnpipe'];
|
| 453 |
|
|
if (isset($_POST['pdnpipe']) && $_POST['pdnpipe'] != "none")
|
| 454 |
|
|
$filterent['pdnpipe'] = $_POST['pdnpipe'];
|
| 455 |
|
|
}
|
| 456 |
|
|
|
| 457 |
7e50413c
|
Ermal Luçi
|
if (isset($_POST['l7container']) && $_POST['l7container'] != "none") {
|
| 458 |
|
|
$filterent['l7container'] = $_POST['l7container'];
|
| 459 |
|
|
}
|
| 460 |
|
|
|
| 461 |
615b27bc
|
Scott Dale
|
if ($_POST['sched'] != "") {
|
| 462 |
|
|
$filterent['sched'] = $_POST['sched'];
|
| 463 |
|
|
}
|
| 464 |
|
|
|
| 465 |
473d0ff0
|
pierrepomes
|
// If we have an associated nat rule, make sure the destination doesn't change
|
| 466 |
|
|
if( isset($a_filter[$id]['associated-nat-rule-id']) ) {
|
| 467 |
|
|
$filterent['destination'] = $a_filter[$id]['destination'];
|
| 468 |
|
|
$filterent['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id'];
|
| 469 |
|
|
}
|
| 470 |
|
|
|
| 471 |
5b237745
|
Scott Ullrich
|
if (isset($id) && $a_filter[$id])
|
| 472 |
|
|
$a_filter[$id] = $filterent;
|
| 473 |
|
|
else {
|
| 474 |
|
|
if (is_numeric($after))
|
| 475 |
|
|
array_splice($a_filter, $after+1, 0, array($filterent));
|
| 476 |
|
|
else
|
| 477 |
|
|
$a_filter[] = $filterent;
|
| 478 |
|
|
}
|
| 479 |
f4e2a352
|
Scott Ullrich
|
|
| 480 |
5b237745
|
Scott Ullrich
|
write_config();
|
| 481 |
a368a026
|
Ermal Lu?i
|
mark_subsystem_dirty('filter');
|
| 482 |
5ba18897
|
Scott Ullrich
|
|
| 483 |
661aed33
|
Ermal Luçi
|
if (isset($_POST['floating']))
|
| 484 |
|
|
header("Location: firewall_rules.php?if=FloatingRules");
|
| 485 |
|
|
else
|
| 486 |
|
|
header("Location: firewall_rules.php?if=" . $_POST['interface']);
|
| 487 |
5b237745
|
Scott Ullrich
|
exit;
|
| 488 |
|
|
}
|
| 489 |
c60824d2
|
Scott Ullrich
|
}
|
| 490 |
|
|
|
| 491 |
37c53a0d
|
Ermal Lu?i
|
read_altq_config(); /* XXX: */
|
| 492 |
|
|
$qlist =& get_unique_queue_list();
|
| 493 |
|
|
read_dummynet_config(); /* XXX: */
|
| 494 |
|
|
$dnqlist =& get_unique_dnqueue_list();
|
| 495 |
|
|
read_layer7_config();
|
| 496 |
|
|
$l7clist =& get_l7_unique_list();
|
| 497 |
|
|
|
| 498 |
d88c6a9f
|
Scott Ullrich
|
$pgtitle = array("Firewall","Rules","Edit");
|
| 499 |
a1357fe0
|
Bill Marquette
|
$closehead = false;
|
| 500 |
8ab3e9ed
|
Erik Kristensen
|
|
| 501 |
|
|
$page_filename = "firewall_rules_edit.php";
|
| 502 |
da7ae7ef
|
Bill Marquette
|
include("head.inc");
|
| 503 |
c60824d2
|
Scott Ullrich
|
|
| 504 |
5b237745
|
Scott Ullrich
|
?>
|
| 505 |
da7ae7ef
|
Bill Marquette
|
|
| 506 |
5b237745
|
Scott Ullrich
|
</head>
|
| 507 |
|
|
|
| 508 |
|
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
| 509 |
|
|
<?php include("fbegin.inc"); ?>
|
| 510 |
|
|
<?php if ($input_errors) print_input_errors($input_errors); ?>
|
| 511 |
8ab3e9ed
|
Erik Kristensen
|
|
| 512 |
|
|
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
|
| 513 |
6eac9b90
|
Scott Ullrich
|
<input type='hidden' name="ruleid" value="<?=(isset($pconfig['ruleid'])&&$pconfig['ruleid']>0)?htmlspecialchars($pconfig['ruleid']):''?>">
|
| 514 |
|
|
|
| 515 |
8ab3e9ed
|
Erik Kristensen
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
| 516 |
e091cb45
|
Scott Ullrich
|
<tr>
|
| 517 |
|
|
<td colspan="2" valign="top" class="listtopic">Edit Firewall rule</td>
|
| 518 |
|
|
</tr>
|
| 519 |
8ab3e9ed
|
Erik Kristensen
|
<tr>
|
| 520 |
|
|
<td width="22%" valign="top" class="vncellreq">Action</td>
|
| 521 |
|
|
<td width="78%" class="vtable">
|
| 522 |
b5c78501
|
Seth Mos
|
<select name="type" class="formselect">
|
| 523 |
8ab3e9ed
|
Erik Kristensen
|
<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
|
| 524 |
|
|
<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
|
| 525 |
|
|
<?=htmlspecialchars($type);?>
|
| 526 |
|
|
</option>
|
| 527 |
|
|
<?php endforeach; ?>
|
| 528 |
8c84fe43
|
Scott Ullrich
|
</select>
|
| 529 |
8ab3e9ed
|
Erik Kristensen
|
<br/>
|
| 530 |
|
|
<span class="vexpl">
|
| 531 |
|
|
Choose what to do with packets that match the criteria specified below. <br/>
|
| 532 |
|
|
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.
|
| 533 |
|
|
</span>
|
| 534 |
|
|
</td>
|
| 535 |
|
|
</tr>
|
| 536 |
|
|
<tr>
|
| 537 |
|
|
<td width="22%" valign="top" class="vncellreq">Disabled</td>
|
| 538 |
|
|
<td width="78%" class="vtable">
|
| 539 |
|
|
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
|
| 540 |
|
|
<strong>Disable this rule</strong><br />
|
| 541 |
|
|
<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
|
| 542 |
|
|
</td>
|
| 543 |
|
|
</tr>
|
| 544 |
661aed33
|
Ermal Luçi
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
| 545 |
|
|
<tr>
|
| 546 |
f1602cc4
|
sullrich
|
<td width="22%" valign="top" class="vncellreq">
|
| 547 |
|
|
<?=gettext("Quick");?>
|
| 548 |
|
|
</td>
|
| 549 |
|
|
<td width="78%" class="vtable">
|
| 550 |
|
|
<input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
|
| 551 |
|
|
<strong><?=gettext("Apply the action immediately on match.");?></strong><br />
|
| 552 |
|
|
<span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
|
| 553 |
|
|
</td>
|
| 554 |
|
|
</tr>
|
| 555 |
661aed33
|
Ermal Luçi
|
<? endif; ?>
|
| 556 |
8ab3e9ed
|
Erik Kristensen
|
<tr>
|
| 557 |
|
|
<td width="22%" valign="top" class="vncellreq">Interface</td>
|
| 558 |
|
|
<td width="78%" class="vtable">
|
| 559 |
4633edc2
|
Ermal Luçi
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
| 560 |
8e6ac824
|
Ermal Luçi
|
<select name="interface[]" multiple="true" class="formselect" size="3">
|
| 561 |
661aed33
|
Ermal Luçi
|
<? else: ?>
|
| 562 |
b5c78501
|
Seth Mos
|
<select name="interface" class="formselect">
|
| 563 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 564 |
661aed33
|
Ermal Luçi
|
endif;
|
| 565 |
a7782099
|
Ermal Lu?i
|
/* add group interfaces */
|
| 566 |
f1602cc4
|
sullrich
|
if (is_array($config['ifgroups']['ifgroupentry']))
|
| 567 |
a7782099
|
Ermal Lu?i
|
foreach($config['ifgroups']['ifgroupentry'] as $ifgen)
|
| 568 |
|
|
if (have_ruleint_access($ifgen['ifname']))
|
| 569 |
|
|
$interfaces[$ifgen['ifname']] = $ifgen['ifname'];
|
| 570 |
b7391125
|
Ermal Luçi
|
$ifdescs = get_configured_interface_with_descr();
|
| 571 |
5335811d
|
Ermal Luçi
|
foreach ($ifdescs as $ifent => $ifdesc)
|
| 572 |
|
|
if(have_ruleint_access($ifent))
|
| 573 |
f1602cc4
|
sullrich
|
$interfaces[$ifent] = $ifdesc;
|
| 574 |
617f8d25
|
Ermal Lu?i
|
if ($config['l2tp']['mode'] == "server")
|
| 575 |
f1602cc4
|
sullrich
|
if(have_ruleint_access("l2tp"))
|
| 576 |
|
|
$interfaces['l2tp'] = "L2TP VPN";
|
| 577 |
b6742927
|
Scott Ullrich
|
if ($config['pptpd']['mode'] == "server")
|
| 578 |
|
|
if(have_ruleint_access("pptp"))
|
| 579 |
|
|
$interfaces['pptp'] = "PPTP VPN";
|
| 580 |
|
|
|
| 581 |
|
|
if ($config['pppoe']['mode'] == "server")
|
| 582 |
|
|
if(have_ruleint_access("pppoe"))
|
| 583 |
|
|
$interfaces['pppoe'] = "PPPoE VPN";
|
| 584 |
|
|
/* add ipsec interfaces */
|
| 585 |
|
|
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
|
| 586 |
|
|
if(have_ruleint_access("enc0"))
|
| 587 |
0f266b2e
|
Chris Buechler
|
$interfaces["enc0"] = "IPsec";
|
| 588 |
bfb60ac8
|
Ermal Luçi
|
/* add openvpn/tun interfaces */
|
| 589 |
d799787e
|
Matthew Grooms
|
if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
|
| 590 |
|
|
$interfaces["openvpn"] = "OpenVPN";
|
| 591 |
8ab3e9ed
|
Erik Kristensen
|
foreach ($interfaces as $iface => $ifacename): ?>
|
| 592 |
661aed33
|
Ermal Luçi
|
<option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option>
|
| 593 |
8ab3e9ed
|
Erik Kristensen
|
<?php endforeach; ?>
|
| 594 |
8c84fe43
|
Scott Ullrich
|
</select>
|
| 595 |
8ab3e9ed
|
Erik Kristensen
|
<br />
|
| 596 |
|
|
<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
|
| 597 |
|
|
</td>
|
| 598 |
|
|
</tr>
|
| 599 |
661aed33
|
Ermal Luçi
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
| 600 |
f1602cc4
|
sullrich
|
<tr>
|
| 601 |
|
|
<td width="22%" valign="top" class="vncellreq">
|
| 602 |
|
|
<?=gettext("Direction");?>
|
| 603 |
|
|
</td>
|
| 604 |
|
|
<td width="78%" class="vtable">
|
| 605 |
|
|
<select name="direction" class="formselect">
|
| 606 |
|
|
<?php $directions = array('any', 'in', 'out');
|
| 607 |
|
|
foreach ($directions as $direction): ?>
|
| 608 |
|
|
<option value="<?=$direction;?>"
|
| 609 |
|
|
<?php if ($direction == $pconfig['direction']): ?>
|
| 610 |
|
|
selected="selected"
|
| 611 |
|
|
<?php endif; ?>
|
| 612 |
|
|
><?=$direction;?></option>
|
| 613 |
|
|
<?php endforeach; ?>
|
| 614 |
|
|
</select>
|
| 615 |
|
|
<input type="hidden" id="floating" name="floating" value="floating">
|
| 616 |
|
|
</td>
|
| 617 |
|
|
<tr>
|
| 618 |
661aed33
|
Ermal Luçi
|
<?php endif; ?>
|
| 619 |
8ab3e9ed
|
Erik Kristensen
|
<tr>
|
| 620 |
|
|
<td width="22%" valign="top" class="vncellreq">Protocol</td>
|
| 621 |
|
|
<td width="78%" class="vtable">
|
| 622 |
b5c78501
|
Seth Mos
|
<select name="proto" class="formselect" onchange="proto_change()">
|
| 623 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 624 |
87f0be87
|
Chris Buechler
|
$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
|
| 625 |
8ab3e9ed
|
Erik Kristensen
|
foreach ($protocols as $proto): ?>
|
| 626 |
|
|
<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
|
| 627 |
|
|
<?php endforeach; ?>
|
| 628 |
|
|
</select>
|
| 629 |
|
|
<br />
|
| 630 |
|
|
<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em> here.</span>
|
| 631 |
|
|
</td>
|
| 632 |
|
|
</tr>
|
| 633 |
3de8af0e
|
Scott Ullrich
|
<tr id="icmpbox" name="icmpbox">
|
| 634 |
8ab3e9ed
|
Erik Kristensen
|
<td valign="top" class="vncell">ICMP type</td>
|
| 635 |
|
|
<td class="vtable">
|
| 636 |
b5c78501
|
Seth Mos
|
<select name="icmptype" class="formselect">
|
| 637 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 638 |
|
|
$icmptypes = array(
|
| 639 |
|
|
"" => "any",
|
| 640 |
|
|
"echorep" => "Echo reply",
|
| 641 |
|
|
"unreach" => "Destination unreachable",
|
| 642 |
|
|
"squench" => "Source quench",
|
| 643 |
|
|
"redir" => "Redirect",
|
| 644 |
|
|
"althost" => "Alternate Host",
|
| 645 |
|
|
"echoreq" => "Echo",
|
| 646 |
|
|
"routeradv" => "Router advertisement",
|
| 647 |
|
|
"routersol" => "Router solicitation",
|
| 648 |
|
|
"timex" => "Time exceeded",
|
| 649 |
|
|
"paramprob" => "Invalid IP header",
|
| 650 |
|
|
"timereq" => "Timestamp",
|
| 651 |
|
|
"timerep" => "Timestamp reply",
|
| 652 |
|
|
"inforeq" => "Information request",
|
| 653 |
|
|
"inforep" => "Information reply",
|
| 654 |
|
|
"maskreq" => "Address mask request",
|
| 655 |
|
|
"maskrep" => "Address mask reply"
|
| 656 |
|
|
);
|
| 657 |
|
|
|
| 658 |
|
|
foreach ($icmptypes as $icmptype => $descr): ?>
|
| 659 |
|
|
<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
|
| 660 |
|
|
<?php endforeach; ?>
|
| 661 |
|
|
</select>
|
| 662 |
|
|
<br />
|
| 663 |
|
|
<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
|
| 664 |
|
|
</td>
|
| 665 |
|
|
</tr>
|
| 666 |
|
|
<tr>
|
| 667 |
|
|
<td width="22%" valign="top" class="vncellreq">Source</td>
|
| 668 |
|
|
<td width="78%" class="vtable">
|
| 669 |
|
|
<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
|
| 670 |
|
|
<strong>not</strong>
|
| 671 |
|
|
<br />
|
| 672 |
|
|
Use this option to invert the sense of the match.
|
| 673 |
|
|
<br />
|
| 674 |
|
|
<br />
|
| 675 |
|
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 676 |
|
|
<tr>
|
| 677 |
|
|
<td>Type: </td>
|
| 678 |
|
|
<td>
|
| 679 |
b5c78501
|
Seth Mos
|
<select name="srctype" class="formselect" onChange="typesel_change()">
|
| 680 |
87f0be87
|
Chris Buechler
|
<?php
|
| 681 |
|
|
$sel = is_specialnet($pconfig['src']); ?>
|
| 682 |
8ab3e9ed
|
Erik Kristensen
|
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
|
| 683 |
87f0be87
|
Chris Buechler
|
<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
|
| 684 |
|
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
|
| 685 |
99ea4439
|
Scott Ullrich
|
<?php if(have_ruleint_access("pptp")): ?>
|
| 686 |
8ab3e9ed
|
Erik Kristensen
|
<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
|
| 687 |
99ea4439
|
Scott Ullrich
|
<?php endif; ?>
|
| 688 |
|
|
<?php if(have_ruleint_access("pppoe")): ?>
|
| 689 |
8c84fe43
|
Scott Ullrich
|
<option value="pppoe" <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
|
| 690 |
99ea4439
|
Scott Ullrich
|
<?php endif; ?>
|
| 691 |
8a6bc505
|
Ermal Lu?i
|
<?php if(have_ruleint_access("l2tp")): ?>
|
| 692 |
|
|
<option value="l2tp" <?php if ($pconfig['src'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
|
| 693 |
|
|
<?php endif; ?>
|
| 694 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 695 |
5335811d
|
Ermal Luçi
|
foreach ($ifdisp as $ifent => $ifdesc): ?>
|
| 696 |
|
|
<?php if(have_ruleint_access($ifent)): ?>
|
| 697 |
|
|
<option value="<?=$ifent;?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
|
| 698 |
|
|
<option value="<?=$ifent;?>ip"<?php if ($pconfig['src'] == $ifent . "ip") { echo "selected"; } ?>>
|
| 699 |
b7391125
|
Ermal Luçi
|
<?=$ifdesc?> address
|
| 700 |
e30a5970
|
Scott Ullrich
|
</option>
|
| 701 |
99ea4439
|
Scott Ullrich
|
<?php endif; ?>
|
| 702 |
b7391125
|
Ermal Luçi
|
<?php endforeach; ?>
|
| 703 |
8ab3e9ed
|
Erik Kristensen
|
</select>
|
| 704 |
|
|
</td>
|
| 705 |
|
|
</tr>
|
| 706 |
|
|
<tr>
|
| 707 |
|
|
<td>Address: </td>
|
| 708 |
|
|
<td>
|
| 709 |
|
|
<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
|
| 710 |
b5c78501
|
Seth Mos
|
<select name="srcmask" class="formselect" id="srcmask">
|
| 711 |
8ab3e9ed
|
Erik Kristensen
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
| 712 |
|
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
|
| 713 |
|
|
<?php endfor; ?>
|
| 714 |
|
|
</select>
|
| 715 |
bdb7d6e7
|
Scott Ullrich
|
</td>
|
| 716 |
8ab3e9ed
|
Erik Kristensen
|
</tr>
|
| 717 |
|
|
</table>
|
| 718 |
22abf2ef
|
Scott Ullrich
|
<div id="showadvancedboxspr">
|
| 719 |
|
|
<p>
|
| 720 |
be812936
|
Scott Ullrich
|
<input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
|
| 721 |
22abf2ef
|
Scott Ullrich
|
</div>
|
| 722 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 723 |
e33c8694
|
Bill Marquette
|
</tr>
|
| 724 |
3de8af0e
|
Scott Ullrich
|
<tr style="display:none" id="sprtable" name="sprtable">
|
| 725 |
8ab3e9ed
|
Erik Kristensen
|
<td width="22%" valign="top" class="vncellreq">Source port range</td>
|
| 726 |
|
|
<td width="78%" class="vtable">
|
| 727 |
|
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 728 |
|
|
<tr>
|
| 729 |
|
|
<td>from: </td>
|
| 730 |
|
|
<td>
|
| 731 |
b5c78501
|
Seth Mos
|
<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
|
| 732 |
8ab3e9ed
|
Erik Kristensen
|
<option value="">(other)</option>
|
| 733 |
|
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 734 |
|
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 735 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
| 736 |
|
|
<?php endforeach; ?>
|
| 737 |
8c84fe43
|
Scott Ullrich
|
</select>
|
| 738 |
8ab3e9ed
|
Erik Kristensen
|
<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
|
| 739 |
|
|
</td>
|
| 740 |
|
|
</tr>
|
| 741 |
|
|
<tr>
|
| 742 |
|
|
<td>to:</td>
|
| 743 |
|
|
<td>
|
| 744 |
b5c78501
|
Seth Mos
|
<select name="srcendport" class="formselect" onchange="ext_change()">
|
| 745 |
8ab3e9ed
|
Erik Kristensen
|
<option value="">(other)</option>
|
| 746 |
|
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 747 |
|
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 748 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
| 749 |
|
|
<?php endforeach; ?>
|
| 750 |
8c84fe43
|
Scott Ullrich
|
</select>
|
| 751 |
8ab3e9ed
|
Erik Kristensen
|
<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
|
| 752 |
|
|
</td>
|
| 753 |
|
|
</tr>
|
| 754 |
|
|
</table>
|
| 755 |
|
|
<br />
|
| 756 |
5548a077
|
Scott Ullrich
|
<span class="vexpl">Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any"). <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
|
| 757 |
67199e71
|
Scott Ullrich
|
<span class="vexpl"><B>NOTE:</B> You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!</span>
|
| 758 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 759 |
8c84fe43
|
Scott Ullrich
|
</tr>
|
| 760 |
8ab3e9ed
|
Erik Kristensen
|
<tr>
|
| 761 |
|
|
<td width="22%" valign="top" class="vncellreq">Destination</td>
|
| 762 |
|
|
<td width="78%" class="vtable">
|
| 763 |
473d0ff0
|
pierrepomes
|
<?php $dst_disabled=false; ?>
|
| 764 |
|
|
<?php if( isset($pconfig['associated-nat-rule-id']) ): ?>
|
| 765 |
66772edc
|
Chris Buechler
|
<span class="red"><strong>NOTE: </strong></span> This is associated to a NAT rule.<br />
|
| 766 |
473d0ff0
|
pierrepomes
|
You cannot edit the destination of associated filter rules.<br />
|
| 767 |
|
|
<br />
|
| 768 |
|
|
<a href="firewall_nat_edit.php?id=<?=$pconfig['associated-nat-rule-id'];?>">View the NAT rule</a><br />
|
| 769 |
|
|
<br />
|
| 770 |
|
|
<?php $dst_disabled=true; ?>
|
| 771 |
|
|
<script type="text/javascript">
|
| 772 |
|
|
dstenabled = 0;
|
| 773 |
|
|
</script>
|
| 774 |
|
|
<?php endif; ?>
|
| 775 |
|
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
|
| 776 |
8ab3e9ed
|
Erik Kristensen
|
<strong>not</strong>
|
| 777 |
|
|
<br />
|
| 778 |
|
|
Use this option to invert the sense of the match.
|
| 779 |
|
|
<br />
|
| 780 |
|
|
<br />
|
| 781 |
|
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 782 |
|
|
<tr>
|
| 783 |
|
|
<td>Type: </td>
|
| 784 |
|
|
<td>
|
| 785 |
473d0ff0
|
pierrepomes
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dsttype" class="formselect" onChange="typesel_change()">
|
| 786 |
87f0be87
|
Chris Buechler
|
<?php
|
| 787 |
|
|
$sel = is_specialnet($pconfig['dst']); ?>
|
| 788 |
8ab3e9ed
|
Erik Kristensen
|
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
|
| 789 |
87f0be87
|
Chris Buechler
|
<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
|
| 790 |
|
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
|
| 791 |
99ea4439
|
Scott Ullrich
|
<?php if(have_ruleint_access("pptp")): ?>
|
| 792 |
8ab3e9ed
|
Erik Kristensen
|
<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
|
| 793 |
99ea4439
|
Scott Ullrich
|
<?php endif; ?>
|
| 794 |
|
|
<?php if(have_ruleint_access("pppoe")): ?>
|
| 795 |
8ab3e9ed
|
Erik Kristensen
|
<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
|
| 796 |
99ea4439
|
Scott Ullrich
|
<?php endif; ?>
|
| 797 |
3331a640
|
Ermal Lu?i
|
<?php if(have_ruleint_access("l2tp")): ?>
|
| 798 |
|
|
<option value="l2tp" <?php if ($pconfig['dst'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
|
| 799 |
|
|
<?php endif; ?>
|
| 800 |
b7391125
|
Ermal Luçi
|
|
| 801 |
|
|
<?php foreach ($ifdisp as $if => $ifdesc): ?>
|
| 802 |
|
|
<?php if(have_ruleint_access($if)): ?>
|
| 803 |
|
|
<option value="<?=$if;?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
|
| 804 |
|
|
<option value="<?=$if;?>ip"<?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
|
| 805 |
|
|
<?=$ifdesc;?> address
|
| 806 |
cbff71a1
|
Scott Ullrich
|
</option>
|
| 807 |
99ea4439
|
Scott Ullrich
|
<?php endif; ?>
|
| 808 |
b7391125
|
Ermal Luçi
|
<?php endforeach; ?>
|
| 809 |
8ab3e9ed
|
Erik Kristensen
|
</select>
|
| 810 |
|
|
</td>
|
| 811 |
|
|
</tr>
|
| 812 |
|
|
<tr>
|
| 813 |
|
|
<td>Address: </td>
|
| 814 |
|
|
<td>
|
| 815 |
473d0ff0
|
pierrepomes
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
| 816 |
8ab3e9ed
|
Erik Kristensen
|
/
|
| 817 |
473d0ff0
|
pierrepomes
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstmask" class="formselect" id="dstmask">
|
| 818 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 819 |
|
|
for ($i = 31; $i > 0; $i--): ?>
|
| 820 |
|
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
|
| 821 |
|
|
<?php endfor; ?>
|
| 822 |
|
|
</select>
|
| 823 |
|
|
</td>
|
| 824 |
|
|
</tr>
|
| 825 |
|
|
</table>
|
| 826 |
|
|
</td>
|
| 827 |
|
|
</tr>
|
| 828 |
3de8af0e
|
Scott Ullrich
|
<tr id="dprtr" name="dprtr">
|
| 829 |
8ab3e9ed
|
Erik Kristensen
|
<td width="22%" valign="top" class="vncellreq">Destination port range </td>
|
| 830 |
|
|
<td width="78%" class="vtable">
|
| 831 |
|
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 832 |
|
|
<tr>
|
| 833 |
|
|
<td>from: </td>
|
| 834 |
|
|
<td>
|
| 835 |
473d0ff0
|
pierrepomes
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
|
| 836 |
8ab3e9ed
|
Erik Kristensen
|
<option value="">(other)</option>
|
| 837 |
|
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 838 |
|
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 839 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
|
| 840 |
|
|
<?php endforeach; ?>
|
| 841 |
|
|
</select>
|
| 842 |
473d0ff0
|
pierrepomes
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
|
| 843 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 844 |
|
|
</tr>
|
| 845 |
|
|
<tr>
|
| 846 |
|
|
<td>to:</td>
|
| 847 |
|
|
<td>
|
| 848 |
473d0ff0
|
pierrepomes
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstendport" class="formselect" onchange="ext_change()">
|
| 849 |
8ab3e9ed
|
Erik Kristensen
|
<option value="">(other)</option>
|
| 850 |
|
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 851 |
|
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 852 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
| 853 |
|
|
<?php endforeach; ?>
|
| 854 |
8c84fe43
|
Scott Ullrich
|
</select>
|
| 855 |
473d0ff0
|
pierrepomes
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
|
| 856 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 857 |
|
|
</tr>
|
| 858 |
|
|
</table>
|
| 859 |
|
|
<br />
|
| 860 |
|
|
<span class="vexpl">
|
| 861 |
|
|
Specify the port or port range for the destination of the packet for this rule.
|
| 862 |
adb633a0
|
sullrich
|
<br />
|
| 863 |
8ab3e9ed
|
Erik Kristensen
|
Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
|
| 864 |
|
|
</span>
|
| 865 |
|
|
</td>
|
| 866 |
|
|
</tr>
|
| 867 |
|
|
<tr>
|
| 868 |
|
|
<td width="22%" valign="top" class="vncellreq">Log</td>
|
| 869 |
|
|
<td width="78%" class="vtable">
|
| 870 |
|
|
<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
|
| 871 |
|
|
<strong>Log packets that are handled by this rule</strong>
|
| 872 |
adb633a0
|
sullrich
|
<br />
|
| 873 |
8ab3e9ed
|
Erik Kristensen
|
<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
|
| 874 |
|
|
</td>
|
| 875 |
|
|
</tr>
|
| 876 |
151eb2a9
|
sullrich
|
<tr>
|
| 877 |
|
|
<td width="22%" valign="top" class="vncell">Description</td>
|
| 878 |
|
|
<td width="78%" class="vtable">
|
| 879 |
|
|
<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
|
| 880 |
|
|
<br />
|
| 881 |
|
|
<span class="vexpl">You may enter a description here for your reference.</span>
|
| 882 |
|
|
</td>
|
| 883 |
|
|
</tr>
|
| 884 |
|
|
<tr>
|
| 885 |
|
|
<td width="22%" valign="top"> </td>
|
| 886 |
|
|
<td width="78%">
|
| 887 |
|
|
<br>
|
| 888 |
|
|
<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
|
| 889 |
|
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
| 890 |
|
|
<input name="id" type="hidden" value="<?=$id;?>">
|
| 891 |
|
|
<?php endif; ?>
|
| 892 |
|
|
<input name="after" type="hidden" value="<?=$after;?>">
|
| 893 |
|
|
</td>
|
| 894 |
|
|
</tr>
|
| 895 |
|
|
<tr>
|
| 896 |
|
|
<td> </td>
|
| 897 |
|
|
</tr>
|
| 898 |
|
|
<tr>
|
| 899 |
|
|
<td colspan="2" valign="top" class="listtopic">Advanced features</td>
|
| 900 |
|
|
</tr>
|
| 901 |
f1602cc4
|
sullrich
|
<tr>
|
| 902 |
|
|
<td width="22%" valign="top" class="vncell">Source OS</td>
|
| 903 |
e265d9f5
|
sullrich
|
<td width="78%" class="vtable">
|
| 904 |
adb633a0
|
sullrich
|
<div id="showadvsourceosbox">
|
| 905 |
|
|
<input type="button" onClick="show_advanced_sourceos()" value="Advanced"></input> - Show advanced option</a>
|
| 906 |
|
|
</div>
|
| 907 |
61c0250d
|
sullrich
|
<div id="showsourceosadv" style="display:none">
|
| 908 |
e265d9f5
|
sullrich
|
OS Type:
|
| 909 |
adb633a0
|
sullrich
|
<select name="os" id="os" class="formselect">
|
| 910 |
f1602cc4
|
sullrich
|
<?php
|
| 911 |
adb633a0
|
sullrich
|
$ostypes = array(
|
| 912 |
|
|
"" => "any",
|
| 913 |
|
|
"AIX" => "AIX",
|
| 914 |
|
|
"Linux" => "Linux",
|
| 915 |
|
|
"FreeBSD" => "FreeBSD",
|
| 916 |
|
|
"NetBSD" => "NetBSD",
|
| 917 |
|
|
"OpenBSD" => "OpenBSD",
|
| 918 |
|
|
"Solaris" => "Solaris",
|
| 919 |
|
|
"MacOS" => "MacOS",
|
| 920 |
|
|
"Windows" => "Windows",
|
| 921 |
|
|
"Novell" => "Novell",
|
| 922 |
|
|
"NMAP" => "NMAP"
|
| 923 |
|
|
);
|
| 924 |
|
|
foreach ($ostypes as $ostype => $descr): ?>
|
| 925 |
|
|
<option value="<?=$ostype;?>" <?php if ($ostype == $pconfig['os']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
|
| 926 |
|
|
<?php
|
| 927 |
|
|
endforeach;
|
| 928 |
|
|
?>
|
| 929 |
|
|
</select>
|
| 930 |
|
|
<br />
|
| 931 |
|
|
Note: this only works for TCP rules
|
| 932 |
|
|
</div>
|
| 933 |
f1602cc4
|
sullrich
|
</td>
|
| 934 |
|
|
</tr>
|
| 935 |
30c4ae8a
|
sullrich
|
<tr>
|
| 936 |
|
|
<td width="22%" valign="top" class="vncell">Diffserv Code Point</td>
|
| 937 |
|
|
<td width="78%" class="vtable">
|
| 938 |
|
|
<div id="dsadv" name="dsadv">
|
| 939 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_dsdiv();" value="Advanced"> - Show advanced option
|
| 940 |
30c4ae8a
|
sullrich
|
</div>
|
| 941 |
|
|
<div id="dsdivmain" name="dsdivmain" style="display:none">
|
| 942 |
|
|
<select name="dscp" id="dscp">
|
| 943 |
|
|
<option value=""></option>
|
| 944 |
|
|
<?php foreach($firewall_rules_dscp_types as $frdt): ?>
|
| 945 |
|
|
<option value="<?=$frdt?>"<?php if($pconfig['dscp'] == $frdt) echo " SELECTED"; ?>><?=$frdt?></option>
|
| 946 |
|
|
<?php endforeach; ?>
|
| 947 |
|
|
</select>
|
| 948 |
|
|
</div>
|
| 949 |
|
|
</td>
|
| 950 |
|
|
</tr>
|
| 951 |
661aed33
|
Ermal Luçi
|
<tr>
|
| 952 |
e6db3f58
|
Ermal Luçi
|
<td width="22%" valign="top" class="vncell">Advanced Options</td>
|
| 953 |
|
|
<td width="78%" class="vtable">
|
| 954 |
|
|
<div id="aoadv" name="aoadv">
|
| 955 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced option
|
| 956 |
e6db3f58
|
Ermal Luçi
|
</div>
|
| 957 |
|
|
<div id="aodivmain" name="aodivmain" style="display:none">
|
| 958 |
f1602cc4
|
sullrich
|
<input type="checkbox" id="allowopts" value="yes" name="allowopts"<?php if($pconfig['allowopts'] == true) echo " checked"; ?>>
|
| 959 |
|
|
<br/><span class="vexpl"><?=gettext("This allows packets with ip options to pass otherwise they are blocked by default i.e. with multicast routing/proxing.");?>
|
| 960 |
|
|
</span><p>
|
| 961 |
|
|
<input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
|
| 962 |
|
|
<br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other nat/filter rules. It is called <b>Policy filtering</b>");?>
|
| 963 |
775ccea3
|
Ermal Luci
|
</span><p>
|
| 964 |
f1602cc4
|
sullrich
|
<input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>">
|
| 965 |
|
|
<br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?>
|
| 966 |
|
|
</span> <p>
|
| 967 |
a56b2fa0
|
pierrepomes
|
<input name="max" id="max" value="<?php echo $pconfig['max'] ?>"><br> Maximum state entries this rule can create<p>
|
| 968 |
|
|
<input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br> Maximum number of unique source host<p>
|
| 969 |
|
|
<input name="max-src-conn" id="max-src-conn" value="<?php echo $pconfig['max-src-conn'] ?>"><br> Maximum number of established TCP connections per host<p>
|
| 970 |
8ab3e9ed
|
Erik Kristensen
|
<input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br> Maximum state entries per host<p>
|
| 971 |
|
|
<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo $pconfig['max-src-conn-rate'] ?>"> /
|
| 972 |
|
|
<select name="max-src-conn-rates" id="max-src-conn-rates">
|
| 973 |
|
|
<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
|
| 974 |
|
|
<?php for($x=1; $x<255; $x++) {
|
| 975 |
|
|
if($x == $pconfig['max-src-conn-rates']) $selected = " selected"; else $selected = "";
|
| 976 |
|
|
echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
|
| 977 |
|
|
} ?>
|
| 978 |
47042140
|
Scott Ullrich
|
</select><br />
|
| 979 |
8ab3e9ed
|
Erik Kristensen
|
Maximum new connections / per second
|
| 980 |
47042140
|
Scott Ullrich
|
<p>
|
| 981 |
|
|
|
| 982 |
|
|
<input name="statetimeout" value="<?php echo $pconfig['statetimeout'] ?>"><br>
|
| 983 |
3906617b
|
Scott Ullrich
|
State Timeout in seconds
|
| 984 |
47042140
|
Scott Ullrich
|
<p />
|
| 985 |
|
|
|
| 986 |
8ab3e9ed
|
Erik Kristensen
|
<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
|
| 987 |
197b2a47
|
Scott Ullrich
|
</div>
|
| 988 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 989 |
|
|
</tr>
|
| 990 |
|
|
<tr>
|
| 991 |
|
|
<td width="22%" valign="top" class="vncell">State Type</td>
|
| 992 |
|
|
<td width="78%" class="vtable">
|
| 993 |
f6970b2f
|
Scott Ullrich
|
<div id="showadvstatebox">
|
| 994 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_state()" value="Advanced"></input> - Show advanced option</a>
|
| 995 |
f6970b2f
|
Scott Ullrich
|
</div>
|
| 996 |
|
|
<div id="showstateadv" style="display:none">
|
| 997 |
|
|
<select name="statetype">
|
| 998 |
|
|
<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
|
| 999 |
|
|
<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
|
| 1000 |
|
|
<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
|
| 1001 |
|
|
</select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
|
| 1002 |
|
|
<p>
|
| 1003 |
|
|
<table width="90%">
|
| 1004 |
c62ff4e7
|
Chris Buechler
|
<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
|
| 1005 |
8eb08ba7
|
Chris Buechler
|
<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
|
| 1006 |
|
|
<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track. This is only useful if you're doing advanced queueing in certain situations. Please check the documentation.</ul></td></tr>
|
| 1007 |
f6970b2f
|
Scott Ullrich
|
</table>
|
| 1008 |
|
|
</p>
|
| 1009 |
|
|
</div>
|
| 1010 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 1011 |
|
|
</tr>
|
| 1012 |
10f21e70
|
Scott Ullrich
|
<tr>
|
| 1013 |
|
|
<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
|
| 1014 |
|
|
<td width="78%" class="vtable">
|
| 1015 |
0239d8ee
|
sullrich
|
<div id="showadvnoxmlrpcsyncbox">
|
| 1016 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_noxmlrpc()" value="Advanced"></input> - Show advanced option</a>
|
| 1017 |
0239d8ee
|
sullrich
|
</div>
|
| 1018 |
|
|
<div id="shownoxmlrpcadv" style="display:none">
|
| 1019 |
|
|
<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
|
| 1020 |
|
|
HINT: This prevents the rule from automatically syncing to other carp members.
|
| 1021 |
|
|
</div>
|
| 1022 |
10f21e70
|
Scott Ullrich
|
</td>
|
| 1023 |
8c84fe43
|
Scott Ullrich
|
</tr>
|
| 1024 |
615b27bc
|
Scott Dale
|
<?php
|
| 1025 |
|
|
//build list of schedules
|
| 1026 |
|
|
$schedules = array();
|
| 1027 |
|
|
$schedules[] = "none";//leave none to leave rule enabled all the time
|
| 1028 |
a60fd0cb
|
Scott Ullrich
|
if(is_array($config['schedules']['schedule'])) {
|
| 1029 |
|
|
foreach ($config['schedules']['schedule'] as $schedule) {
|
| 1030 |
|
|
if ($schedule['name'] <> "")
|
| 1031 |
|
|
$schedules[] = $schedule['name'];
|
| 1032 |
|
|
}
|
| 1033 |
|
|
}
|
| 1034 |
615b27bc
|
Scott Dale
|
?>
|
| 1035 |
|
|
<tr>
|
| 1036 |
|
|
<td width="22%" valign="top" class="vncell">Schedule</td>
|
| 1037 |
|
|
<td width="78%" class="vtable">
|
| 1038 |
0239d8ee
|
sullrich
|
<div id="showadvschedulebox">
|
| 1039 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_schedule()" value="Advanced"></input> - Show advanced option</a>
|
| 1040 |
0239d8ee
|
sullrich
|
</div>
|
| 1041 |
|
|
<div id="showscheduleadv" style="display:none">
|
| 1042 |
|
|
<select name='sched'>
|
| 1043 |
615b27bc
|
Scott Dale
|
<?php
|
| 1044 |
0239d8ee
|
sullrich
|
foreach($schedules as $schedule) {
|
| 1045 |
|
|
if($schedule == $pconfig['sched']) {
|
| 1046 |
|
|
$selected = " SELECTED";
|
| 1047 |
|
|
} else {
|
| 1048 |
|
|
$selected = "";
|
| 1049 |
|
|
}
|
| 1050 |
|
|
if ($schedule == "none") {
|
| 1051 |
|
|
echo "<option value=\"\" {$selected}>{$schedule}</option>\n";
|
| 1052 |
|
|
} else {
|
| 1053 |
|
|
echo "<option value=\"{$schedule}\" {$selected}>{$schedule}</option>\n";
|
| 1054 |
|
|
}
|
| 1055 |
615b27bc
|
Scott Dale
|
}
|
| 1056 |
0239d8ee
|
sullrich
|
?>
|
| 1057 |
|
|
</select>
|
| 1058 |
|
|
<p>Leave as 'none' to leave the rule enabled all the time.</p>
|
| 1059 |
|
|
</div>
|
| 1060 |
615b27bc
|
Scott Dale
|
</td>
|
| 1061 |
|
|
</tr>
|
| 1062 |
|
|
|
| 1063 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 1064 |
82628210
|
Scott Ullrich
|
/* build a list of gateways */
|
| 1065 |
|
|
$gateways = array();
|
| 1066 |
615b27bc
|
Scott Dale
|
$gateways[] = "default"; // default to don't use this feature :)
|
| 1067 |
3d81372f
|
Chris Buechler
|
if (is_array($config['gateways']['gateway_item'])) {
|
| 1068 |
|
|
foreach($config['gateways']['gateway_item'] as $gw_item) {
|
| 1069 |
|
|
if($gw_item['gateway'] <> "")
|
| 1070 |
|
|
$gateways[] = $gw_item['name'];
|
| 1071 |
|
|
}
|
| 1072 |
82628210
|
Scott Ullrich
|
}
|
| 1073 |
3d81372f
|
Chris Buechler
|
|
| 1074 |
8ab3e9ed
|
Erik Kristensen
|
?>
|
| 1075 |
82628210
|
Scott Ullrich
|
<tr>
|
| 1076 |
8ab3e9ed
|
Erik Kristensen
|
<td width="22%" valign="top" class="vncell">Gateway</td>
|
| 1077 |
|
|
<td width="78%" class="vtable">
|
| 1078 |
0239d8ee
|
sullrich
|
<div id="showadvgatewaybox">
|
| 1079 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_gateway()" value="Advanced"></input> - Show advanced option</a>
|
| 1080 |
0239d8ee
|
sullrich
|
</div>
|
| 1081 |
|
|
<div id="showgatewayadv" style="display:none">
|
| 1082 |
|
|
<select name='gateway'>
|
| 1083 |
8ab3e9ed
|
Erik Kristensen
|
<?php
|
| 1084 |
0239d8ee
|
sullrich
|
foreach($gateways as $gw) {
|
| 1085 |
|
|
if($gw == "")
|
| 1086 |
0581660c
|
Scott Ullrich
|
continue;
|
| 1087 |
0239d8ee
|
sullrich
|
if($gw == $pconfig['gateway']) {
|
| 1088 |
4443d4d6
|
Scott Ullrich
|
$selected = " SELECTED";
|
| 1089 |
1fda0968
|
Scott Ullrich
|
} else {
|
| 1090 |
|
|
$selected = "";
|
| 1091 |
|
|
}
|
| 1092 |
0239d8ee
|
sullrich
|
if ($gw == "default") {
|
| 1093 |
|
|
echo "<option value=\"\" {$selected}>{$gw}</option>\n";
|
| 1094 |
|
|
} else {
|
| 1095 |
|
|
$gwip = lookup_gateway_ip_by_name($gw);
|
| 1096 |
|
|
echo "<option value=\"{$gw}\" {$selected}>{$gw} - {$gwip}</option>\n";
|
| 1097 |
|
|
}
|
| 1098 |
|
|
}
|
| 1099 |
|
|
/* add gateway groups to the list */
|
| 1100 |
|
|
if (is_array($config['gateways']['gateway_group'])) {
|
| 1101 |
|
|
foreach($config['gateways']['gateway_group'] as $gw_group) {
|
| 1102 |
|
|
if($gw_group['name'] == "")
|
| 1103 |
|
|
continue;
|
| 1104 |
|
|
if($pconfig['gateway'] == $gw_group['name']) {
|
| 1105 |
|
|
echo "<option value=\"{$gw_group['name']}\" SELECTED>{$gw_group['name']}</option>\n";
|
| 1106 |
|
|
} else {
|
| 1107 |
|
|
echo "<option value=\"{$gw_group['name']}\">{$gw_group['name']}</option>\n";
|
| 1108 |
|
|
}
|
| 1109 |
|
|
}
|
| 1110 |
|
|
}
|
| 1111 |
|
|
$iflist = get_configured_interface_with_descr();
|
| 1112 |
|
|
foreach ($iflist as $ifent => $ifdesc) {
|
| 1113 |
|
|
if (in_array($config['interfaces'][$ifent]['ipaddr'],
|
| 1114 |
|
|
array("dhcp", "pppoe", "pptp"))) {
|
| 1115 |
|
|
if ($pconfig['gateway'] == $ifent) {
|
| 1116 |
|
|
$selected = " SELECTED";
|
| 1117 |
|
|
} else {
|
| 1118 |
|
|
$selected = "";
|
| 1119 |
|
|
}
|
| 1120 |
|
|
if($ifdesc <> "")
|
| 1121 |
|
|
echo "<option value=\"{$ifent}\" {$selected}>".strtoupper($if)." - {$ifdesc}</option>\n";
|
| 1122 |
|
|
}
|
| 1123 |
1fda0968
|
Scott Ullrich
|
}
|
| 1124 |
8ab3e9ed
|
Erik Kristensen
|
?>
|
| 1125 |
0239d8ee
|
sullrich
|
</select>
|
| 1126 |
|
|
<p><strong>Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.</strong></p>
|
| 1127 |
|
|
</div>
|
| 1128 |
8ab3e9ed
|
Erik Kristensen
|
</td>
|
| 1129 |
|
|
</tr>
|
| 1130 |
a5fd67e1
|
Ermal Luçi
|
<tr>
|
| 1131 |
|
|
<td width="22%" valign="top" class="vncell">In/Out</td>
|
| 1132 |
|
|
<td width="78%" class="vtable">
|
| 1133 |
4c263f57
|
sullrich
|
<div id="showadvinoutbox">
|
| 1134 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_inout()" value="Advanced"></input> - Show advanced option</a>
|
| 1135 |
4c263f57
|
sullrich
|
</div>
|
| 1136 |
|
|
<div id="showinoutadv" style="display:none">
|
| 1137 |
|
|
<select name="dnpipe">
|
| 1138 |
a5fd67e1
|
Ermal Luçi
|
<?php
|
| 1139 |
|
|
if (!is_array($dnqlist))
|
| 1140 |
|
|
$dnqlist = array();
|
| 1141 |
|
|
echo "<option value=\"none\"";
|
| 1142 |
|
|
if (!$dnqselected) echo " SELECTED";
|
| 1143 |
|
|
echo " >none</option>";
|
| 1144 |
|
|
foreach ($dnqlist as $dnq => $dnqkey) {
|
| 1145 |
|
|
if($dnq == "")
|
| 1146 |
|
|
continue;
|
| 1147 |
|
|
echo "<option value=\"$dnqkey\"";
|
| 1148 |
|
|
if ($dnqkey == $pconfig['dnpipe']) {
|
| 1149 |
|
|
$dnqselected = 1;
|
| 1150 |
|
|
echo " SELECTED";
|
| 1151 |
|
|
}
|
| 1152 |
|
|
echo ">{$dnq}</option>";
|
| 1153 |
|
|
}
|
| 1154 |
|
|
?>
|
| 1155 |
|
|
</select> /
|
| 1156 |
|
|
<select name="pdnpipe">
|
| 1157 |
|
|
<?php
|
| 1158 |
|
|
$dnqselected = 0;
|
| 1159 |
|
|
echo "<option value=\"none\"";
|
| 1160 |
|
|
if (!$dnqselected) echo " SELECTED";
|
| 1161 |
|
|
echo " >none</option>";
|
| 1162 |
|
|
foreach ($dnqlist as $dnq => $dnqkey) {
|
| 1163 |
|
|
if($dnq == "")
|
| 1164 |
|
|
continue;
|
| 1165 |
|
|
echo "<option value=\"$dnqkey\"";
|
| 1166 |
|
|
if ($dnqkey == $pconfig['pdnpipe']) {
|
| 1167 |
|
|
$dnqselected = 1;
|
| 1168 |
|
|
echo " SELECTED";
|
| 1169 |
|
|
}
|
| 1170 |
|
|
echo ">{$dnq}</option>";
|
| 1171 |
|
|
}
|
| 1172 |
|
|
?>
|
| 1173 |
4c263f57
|
sullrich
|
</select>
|
| 1174 |
a5fd67e1
|
Ermal Luçi
|
<br />
|
| 1175 |
|
|
<span class="vexpl">Choose the Out queue/Virtual interface only if you have selected In too. <br/> The Out selection is applied to traffic going out the interface the rule is created, In is the incoming one. <br/> If you are creating a rule on the Floating tab if the direction is In then the same rules apply, if the direction is out the selections are reverted Out is for incoming and In is for outgoing and if you do not select any direction use only the In since the Out selection does not make sense in there to prevent oddities.</span>
|
| 1176 |
4c263f57
|
sullrich
|
</div>
|
| 1177 |
a5fd67e1
|
Ermal Luçi
|
</td>
|
| 1178 |
|
|
</tr>
|
| 1179 |
|
|
|
| 1180 |
197bfe96
|
Ermal Luçi
|
<tr>
|
| 1181 |
|
|
<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
|
| 1182 |
|
|
<td width="78%" class="vtable">
|
| 1183 |
0239d8ee
|
sullrich
|
<div id="showadvackqueuebox">
|
| 1184 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_ackqueue()" value="Advanced"></input> - Show advanced option</a>
|
| 1185 |
0239d8ee
|
sullrich
|
</div>
|
| 1186 |
|
|
<div id="showackqueueadv" style="display:none">
|
| 1187 |
|
|
<select name="ackqueue">
|
| 1188 |
197bfe96
|
Ermal Luçi
|
<?php
|
| 1189 |
0239d8ee
|
sullrich
|
if (!is_array($qlist))
|
| 1190 |
|
|
$qlist = array();
|
| 1191 |
|
|
echo "<option value=\"none\"";
|
| 1192 |
|
|
if (!$qselected) echo " SELECTED";
|
| 1193 |
|
|
echo " >none</option>";
|
| 1194 |
|
|
foreach ($qlist as $q => $qkey) {
|
| 1195 |
|
|
if($q == "")
|
| 1196 |
|
|
continue;
|
| 1197 |
|
|
echo "<option value=\"$q\"";
|
| 1198 |
|
|
if ($q == $pconfig['ackqueue']) {
|
| 1199 |
|
|
$qselected = 1;
|
| 1200 |
|
|
echo " SELECTED";
|
| 1201 |
|
|
}
|
| 1202 |
|
|
echo ">{$q}</option>";
|
| 1203 |
197bfe96
|
Ermal Luçi
|
}
|
| 1204 |
|
|
?>
|
| 1205 |
0239d8ee
|
sullrich
|
</select> /
|
| 1206 |
|
|
<select name="defaultqueue">
|
| 1207 |
197bfe96
|
Ermal Luçi
|
<?php
|
| 1208 |
0239d8ee
|
sullrich
|
$qselected = 0;
|
| 1209 |
|
|
echo "<option value=\"none\"";
|
| 1210 |
|
|
if (!$qselected) echo " SELECTED";
|
| 1211 |
|
|
echo " >none</option>";
|
| 1212 |
|
|
foreach ($qlist as $q => $qkey) {
|
| 1213 |
|
|
if($q == "")
|
| 1214 |
|
|
continue;
|
| 1215 |
|
|
echo "<option value=\"$q\"";
|
| 1216 |
|
|
if ($q == $pconfig['defaultqueue']) {
|
| 1217 |
|
|
$qselected = 1;
|
| 1218 |
|
|
echo " SELECTED";
|
| 1219 |
|
|
}
|
| 1220 |
|
|
echo ">{$q}</option>";
|
| 1221 |
197bfe96
|
Ermal Luçi
|
}
|
| 1222 |
|
|
?>
|
| 1223 |
0239d8ee
|
sullrich
|
</select>
|
| 1224 |
|
|
<br />
|
| 1225 |
|
|
<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
|
| 1226 |
|
|
</td>
|
| 1227 |
|
|
</tr>
|
| 1228 |
|
|
<tr>
|
| 1229 |
|
|
<td width="22%" valign="top" class="vncell">Layer7</td>
|
| 1230 |
|
|
<td width="78%" class="vtable">
|
| 1231 |
4c263f57
|
sullrich
|
<div id="showadvlayer7box">
|
| 1232 |
75c34cbb
|
sullrich
|
<input type="button" onClick="show_advanced_layer7()" value="Advanced"></input> - Show advanced option</a>
|
| 1233 |
4c263f57
|
sullrich
|
</div>
|
| 1234 |
|
|
<div id="showlayer7adv" style="display:none">
|
| 1235 |
0239d8ee
|
sullrich
|
<select name="l7container">
|
| 1236 |
7e50413c
|
Ermal Luçi
|
<?php
|
| 1237 |
0239d8ee
|
sullrich
|
if (!is_array($l7clist))
|
| 1238 |
|
|
$dnqlist = array();
|
| 1239 |
|
|
echo "<option value=\"none\"";
|
| 1240 |
|
|
echo " >none</option>";
|
| 1241 |
|
|
foreach ($l7clist as $l7ckey) {
|
| 1242 |
|
|
echo "<option value=\"{$l7ckey}\"";
|
| 1243 |
|
|
if ($l7ckey == $pconfig['l7container']) {
|
| 1244 |
|
|
echo " SELECTED";
|
| 1245 |
|
|
}
|
| 1246 |
|
|
echo ">{$l7ckey}</option>";
|
| 1247 |
|
|
}
|
| 1248 |
7e50413c
|
Ermal Luçi
|
?>
|
| 1249 |
0239d8ee
|
sullrich
|
</select>
|
| 1250 |
7e50413c
|
Ermal Luçi
|
<br/>
|
| 1251 |
0239d8ee
|
sullrich
|
<span class="vexpl">
|
| 1252 |
|
|
Choose a Layer7 container to apply application protocol inspection rules.
|
| 1253 |
|
|
This rule are valid for tcp and udp protocols for now.
|
| 1254 |
|
|
</span>
|
| 1255 |
|
|
</div>
|
| 1256 |
7e50413c
|
Ermal Luçi
|
</td>
|
| 1257 |
|
|
</tr>
|
| 1258 |
8ab3e9ed
|
Erik Kristensen
|
<tr>
|
| 1259 |
|
|
<td width="22%" valign="top"> </td>
|
| 1260 |
|
|
<td width="78%">
|
| 1261 |
151eb2a9
|
sullrich
|
<br>
|
| 1262 |
8ab3e9ed
|
Erik Kristensen
|
<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
|
| 1263 |
|
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
| 1264 |
|
|
<input name="id" type="hidden" value="<?=$id;?>">
|
| 1265 |
|
|
<?php endif; ?>
|
| 1266 |
|
|
<input name="after" type="hidden" value="<?=$after;?>">
|
| 1267 |
|
|
</td>
|
| 1268 |
82628210
|
Scott Ullrich
|
</tr>
|
| 1269 |
8ab3e9ed
|
Erik Kristensen
|
</table>
|
| 1270 |
5b237745
|
Scott Ullrich
|
</form>
|
| 1271 |
|
|
<script language="JavaScript">
|
| 1272 |
|
|
<!--
|
| 1273 |
8ab3e9ed
|
Erik Kristensen
|
ext_change();
|
| 1274 |
|
|
typesel_change();
|
| 1275 |
|
|
proto_change();
|
| 1276 |
19757279
|
Scott Ullrich
|
|
| 1277 |
|
|
<?php
|
| 1278 |
8ab3e9ed
|
Erik Kristensen
|
$isfirst = 0;
|
| 1279 |
|
|
$aliases = "";
|
| 1280 |
|
|
$addrisfirst = 0;
|
| 1281 |
|
|
$aliasesaddr = "";
|
| 1282 |
|
|
if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
|
| 1283 |
|
|
foreach($config['aliases']['alias'] as $alias_name) {
|
| 1284 |
72cb5baf
|
Ermal Lu?i
|
switch ($alias_name['type']) {
|
| 1285 |
|
|
case "port":
|
| 1286 |
|
|
if($isfirst == 1) $portaliases .= ",";
|
| 1287 |
|
|
$portaliases .= "'" . $alias_name['name'] . "'";
|
| 1288 |
8ab3e9ed
|
Erik Kristensen
|
$isfirst = 1;
|
| 1289 |
72cb5baf
|
Ermal Lu?i
|
break;
|
| 1290 |
|
|
case "host":
|
| 1291 |
|
|
case "network":
|
| 1292 |
|
|
case "openvpn":
|
| 1293 |
8ab3e9ed
|
Erik Kristensen
|
if($addrisfirst == 1) $aliasesaddr .= ",";
|
| 1294 |
|
|
$aliasesaddr .= "'" . $alias_name['name'] . "'";
|
| 1295 |
|
|
$addrisfirst = 1;
|
| 1296 |
72cb5baf
|
Ermal Lu?i
|
break;
|
| 1297 |
|
|
default:
|
| 1298 |
|
|
break;
|
| 1299 |
8ab3e9ed
|
Erik Kristensen
|
}
|
| 1300 |
092ac49d
|
Scott Ullrich
|
}
|
| 1301 |
19757279
|
Scott Ullrich
|
?>
|
| 1302 |
|
|
|
| 1303 |
8ab3e9ed
|
Erik Kristensen
|
var addressarray=new Array(<?php echo $aliasesaddr; ?>);
|
| 1304 |
72cb5baf
|
Ermal Lu?i
|
var customarray=new Array(<?php echo $portaliases; ?>);
|
| 1305 |
19757279
|
Scott Ullrich
|
|
| 1306 |
9eb60dcc
|
Ermal Lu?i
|
var oTextbox1 = new AutoSuggestControl(document.getElementById("src"), new StateSuggestions(addressarray));
|
| 1307 |
|
|
var oTextbox2 = new AutoSuggestControl(document.getElementById("srcbeginport_cust"), new StateSuggestions(customarray));
|
| 1308 |
|
|
var oTextbox3 = new AutoSuggestControl(document.getElementById("srcendport_cust"), new StateSuggestions(customarray));
|
| 1309 |
|
|
var oTextbox4 = new AutoSuggestControl(document.getElementById("dst"), new StateSuggestions(addressarray));
|
| 1310 |
|
|
var oTextbox5 = new AutoSuggestControl(document.getElementById("dstbeginport_cust"), new StateSuggestions(customarray));
|
| 1311 |
|
|
var oTextbox6 = new AutoSuggestControl(document.getElementById("dstendport_cust"), new StateSuggestions(customarray));
|
| 1312 |
5b237745
|
Scott Ullrich
|
//-->
|
| 1313 |
|
|
</script>
|
| 1314 |
|
|
<?php include("fend.inc"); ?>
|
| 1315 |
|
|
</body>
|
| 1316 |
9b45f821
|
Ermal Lu?i
|
</html>
|