<?php
2 b46bfcf5 Bill Marquette
/* $Id$ */
3 5b237745 Scott Ullrich
/*
4
	system_advanced.php
5 416ed28d Scott Ullrich
        part of pfSense
6
        Copyright (C) 2005 Scott Ullrich
7 13128695 Scott Ullrich
8 416ed28d Scott Ullrich
	originally part of m0n0wall (http://m0n0.ch/wall)
9 5b237745 Scott Ullrich
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
10
	All rights reserved.
11 13128695 Scott Ullrich
12 5b237745 Scott Ullrich
	Redistribution and use in source and binary forms, with or without
13
	modification, are permitted provided that the following conditions are met:
14 13128695 Scott Ullrich
15 5b237745 Scott Ullrich
	1. Redistributions of source code must retain the above copyright notice,
16
	   this list of conditions and the following disclaimer.
17 13128695 Scott Ullrich
18 5b237745 Scott Ullrich
	2. Redistributions in binary form must reproduce the above copyright
19
	   notice, this list of conditions and the following disclaimer in the
20
	   documentation and/or other materials provided with the distribution.
21 13128695 Scott Ullrich
22 5b237745 Scott Ullrich
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
23
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
24
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
26
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31
	POSSIBILITY OF SUCH DAMAGE.
32
*/
33
34
require("guiconfig.inc");
/*
 * Seed $pconfig (the values the form below is rendered from) from the saved
 * configuration. Two shapes are used: plain copies of the stored value, and
 * isset() tests that turn "key present" into a boolean for a checkbox.
 */
$pconfig['disablefilter'] = $config['system']['disablefilter'];
$pconfig['rfc959workaround'] = $config['system']['rfc959workaround'];
$pconfig['scrubnodf'] = $config['system']['scrubnodf'];
$pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']);
$pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr'];
/* The certificate and key are stored base64-encoded; decode them for display. */
$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']);
/* The decoded private key is rendered into the "key" textarea further down,
   so every view of this page sends the webGUI private key to the browser. */
$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']);
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['harddiskstandby'] = $config['system']['harddiskstandby'];
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
/* NOTE(review): the save handler stores true/false here instead of unsetting
   the key, and isset() is true for a stored false. Confirm how the config
   writer serialises false, otherwise this box may show as checked when the
   filtering bridge is off. The same applies to preferoldsa_enable below. */
$pconfig['filteringbridge_enable'] = isset($config['bridge']['filteringbridge']);
$pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout'];
$pconfig['maximumstates'] = $config['system']['maximumstates'];
$pconfig['disablerendevouz'] = $config['system']['disablerendevouz'];
$pconfig['enableserial'] = $config['system']['enableserial'];
$pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']);
$pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
$pconfig['enablesshd'] = $config['system']['enablesshd'];
$pconfig['sshport'] = $config['system']['ssh']['port'];
$pconfig['sharednet'] = $config['system']['sharednet'];
$pconfig['polling_enable'] = isset($config['system']['polling']);

$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
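/*
 * Form submission: validate the posted settings, copy them into $config,
 * persist the configuration and re-apply the filter, serial-port and
 * bridge settings.
 *
 * NOTE(review): no anti-CSRF token check is visible in this file; confirm
 * that guiconfig.inc enforces one, since this handler can disable the packet
 * filter, enable sshd and replace the webGUI certificate and private key.
 */
if ($_POST) {

	$input_errors = array();
	/* Redisplay the submitted values. $pconfig now holds raw request data,
	   so anything echoed from it into the form must be escaped. */
	$pconfig = $_POST;

	/* input validation */
	if ($_POST['ipv6nat_enable'] && !is_ipaddr($_POST['ipv6nat_ipaddr'])) {
		$input_errors[] = "You must specify an IP address to NAT IPv6 packets.";
	}
	if ($_POST['maximumstates'] && !is_numericint($_POST['maximumstates'])) {
		$input_errors[] = "The Firewall Maximum States value must be an integer.";
	}
	if ($_POST['tcpidletimeout'] && !is_numericint($_POST['tcpidletimeout'])) {
		$input_errors[] = "The TCP idle timeout must be an integer.";
	}
	if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert'])) {
		$input_errors[] = "Certificate and key must always be specified together.";
	} else if ($_POST['cert'] && $_POST['key']) {
		/* Only the PEM markers are looked for; the certificate and key are
		   neither parsed nor checked against each other here. */
		if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))
			$input_errors[] = "This certificate does not appear to be valid.";
		if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY"))
			$input_errors[] = "This key does not appear to be valid.";
	}
	/* These two checks used to sit inside the certificate branch above, so
	   they only ran when a certificate and key were both submitted. */
	if ($_POST['altfirmwareurl']) {
		if ($_POST['firmwareurl'] == "" || $_POST['firmwarename'] == "")
			$input_errors[] = "You must specify a base URL and a filename for the alternate firmware.";
	}
	if ($_POST['altpkgconfigurl']) {
		if ($_POST['pkgconfig_base_url'] == "" || $_POST['pkgconfig_filename'] == "")
			$input_errors[] = "You must specifiy and base URL and a filename before using an alternate pkg_config.xml.";
	}
	if ($_POST['maximumstates'] <> "") {
		if ($_POST['maximumstates'] < 1000 || $_POST['maximumstates'] > 100000000)
			$input_errors[] = "States must be above 1000 and below 100000000";
	}
	if ($_POST['sshport'] <> "") {
		if( ! is_port($_POST['sshport'])) {
			$input_errors[] = "You must specify a valid port number";
		}
	}
	/* The form offers a fixed list of optimization modes; refuse anything
	   else rather than writing an arbitrary string into the configuration. */
	$valid_optimizations = array("normal", "high-latency", "aggressive", "conservative");
	if (isset($_POST['optimization']) && $_POST['optimization'] <> ""
			&& !in_array($_POST['optimization'], $valid_optimizations, true)) {
		$input_errors[] = "The firewall optimization option is not valid.";
	}
	/* The standby select only submits integer codes. The stored value is read
	   by system_set_harddisk_standby(); presumably it ends up in a command
	   line there, so confirm against that function. */
	if ($_POST['harddiskstandby'] <> "" && !is_numericint($_POST['harddiskstandby'])) {
		$input_errors[] = "The hard disk standby time must be an integer.";
	}

	if (!$input_errors) {
		if($_POST['disablefilter'] == "yes") {
			$config['system']['disablefilter'] = "enabled";
		} else {
			unset($config['system']['disablefilter']);
		}
		if($_POST['enablesshd'] == "yes") {
			$config['system']['enablesshd'] = "enabled";
			/* Flag file only; nothing in this file starts sshd itself. */
			touch("{$g['tmp_path']}/start_sshd");
		} else {
			unset($config['system']['enablesshd']);
			mwexec("/usr/bin/killall sshd");
		}
		$oldsshport = $config['system']['ssh']['port'];
		$config['system']['ssh']['port'] = $_POST['sshport'];

		if($_POST['polling_enable'] == "yes") {
			$config['system']['polling'] = true;
			setup_polling();
		} else {
			unset($config['system']['polling']);
			setup_polling();
		}

		if($_POST['sharednet'] == "yes") {
			$config['system']['sharednet'] = true;
			system_disable_arp_wrong_if();
		} else {
			unset($config['system']['sharednet']);
			system_enable_arp_wrong_if();
		}

		if($_POST['rfc959workaround'] == "yes")
			$config['system']['rfc959workaround'] = "enabled";
		else
			unset($config['system']['rfc959workaround']);

		if($_POST['scrubnodf'] == "yes")
			$config['system']['scrubnodf'] = "enabled";
		else
			unset($config['system']['scrubnodf']);

		if($_POST['ipv6nat_enable'] == "yes") {
			$config['diag']['ipv6nat']['enable'] = true;
			$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
		} else {
			unset($config['diag']['ipv6nat']['enable']);
			unset($config['diag']['ipv6nat']['ipaddr']);
		}
		/* Keep the previous pair so the end of the script can tell whether
		   the webGUI certificate or key changed. */
		$oldcert = $config['system']['webgui']['certificate'];
		$oldkey = $config['system']['webgui']['private-key'];
		$config['system']['webgui']['certificate'] = base64_encode($_POST['cert']);
		$config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
		if($_POST['disableconsolemenu'] == "yes") {
			$config['system']['disableconsolemenu'] = true;
			auto_login(true);
		} else {
			unset($config['system']['disableconsolemenu']);
			auto_login(false);
		}
		unset($config['system']['webgui']['expanddiags']);
		$config['system']['optimization'] = $_POST['optimization'];

		if($_POST['disablefirmwarecheck'] == "yes")
			$config['system']['disablefirmwarecheck'] = true;
		else
			unset($config['system']['disablefirmwarecheck']);

		if ($_POST['enableserial'] == "yes")
			$config['system']['enableserial'] = true;
		else
			unset($config['system']['enableserial']);

		if($_POST['harddiskstandby'] <> "") {
			$config['system']['harddiskstandby'] = $_POST['harddiskstandby'];
			system_set_harddisk_standby();
		} else
			unset($config['system']['harddiskstandby']);

		/* Setting this removes the rule that always lets the LAN reach the webGUI. */
		if ($_POST['noantilockout'] == "yes")
			$config['system']['webgui']['noantilockout'] = true;
		else
			unset($config['system']['webgui']['noantilockout']);

		/* Firewall and ALTQ options */
		$config['system']['maximumstates'] = $_POST['maximumstates'];

		/* NOTE(review): second write of enablesshd; it replaces the "enabled"
		   stored above with "yes". Kept as-is because readers of this key are
		   outside this file. */
		if($_POST['enablesshd'] == "yes") {
			$config['system']['enablesshd'] = $_POST['enablesshd'];
		} else {
			unset($config['system']['enablesshd']);
		}

		if($_POST['disablenatreflection'] == "yes") {
			$config['system']['disablenatreflection'] = $_POST['disablenatreflection'];
		} else {
			unset($config['system']['disablenatreflection']);
		}

		$config['ipsec']['preferoldsa'] = $_POST['preferoldsa_enable'] ? true : false;

		$config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? true : false;

		write_config();

		/* Re-apply the rule set before building the save message, so the
		   message reports the result of filter_configure() rather than a
		   constant 0. */
		$retval = filter_configure();

		if(stristr($retval, "error") <> true)
		    $savemsg = get_std_save_message($retval);
		else
		    $savemsg = $retval;

		conf_mount_rw();

		setup_serial_port();

		setup_filter_bridge();

		conf_mount_ro();

	}
}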
/* Page title shown in the heading below; head.inc is pulled in before the body starts. */
$pgtitle = 'System: Advanced functions';
include 'head.inc';
228
229 5b237745 Scott Ullrich
?>
230 b63695db Scott Ullrich
231 5b237745 Scott Ullrich
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
232 9ecd6ab7 Erik Kristensen
233 5b237745 Scott Ullrich
<?php include("fbegin.inc"); ?>
234 9ecd6ab7 Erik Kristensen
235 74f446e8 Bill Marquette
<p class="pgtitle"><?=$pgtitle?></p>
236 13128695 Scott Ullrich
237 9ecd6ab7 Erik Kristensen
<form action="system_advanced.php" method="post" name="iform" id="iform">
238
<?php if ($input_errors) print_input_errors($input_errors); ?>
239
<?php if ($savemsg) print_info_box($savemsg); ?>
240
<p><span class="vexpl"><span class="red"><strong>Note: </strong></span>the options on this page are intended for use by advanced users only.</span></p>
241
<br />
242 416ed28d Scott Ullrich
243 9ecd6ab7 Erik Kristensen
<table width="100%" border="0" cellpadding="6" cellspacing="0">
244
	<tbody>
245 dbb0b7d6 Holger Bauer
		<?php if($g['platform'] == "pfSense" || $g['platform'] == "cdrom"): ?>
246 9ecd6ab7 Erik Kristensen
		<tr>
247
			<td colspan="2" valign="top" class="listtopic">Enable Serial Console</td>
248
		</tr>
249
		<tr>
250
			<td width="22%" valign="top" class="vncell">&nbsp;</td>
251
			<td width="78%" class="vtable">
252
				<input name="enableserial" type="checkbox" id="enableserial" value="yes" <?php if (isset($pconfig['enableserial'])) echo "checked"; ?> onclick="enable_change(false)" />
253
				<strong>This will enable the first serial port with 9600/8/N/1</strong>
254 b8467d8e Scott Ullrich
				<br>
255 3446ca38 Scott Ullrich
				<span class="vexpl">Note:  This will disable the internal video card/keyboard</span>
256 9ecd6ab7 Erik Kristensen
			</td>
257
		</tr>
258
		<tr>
259
			<td width="22%" valign="top">&nbsp;</td>
260
			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
261
		</tr>
262
		</tr>
263
		<tr>
264
			<td colspan="2" class="list" height="12"></td>
265
		</tr>		
266 0831bc86 Scott Ullrich
		<?php endif; ?>
267 9ecd6ab7 Erik Kristensen
		<tr>
268
			<td colspan="2" valign="top" class="listtopic">Secure Shell</td>
269
		</tr>
270
		<tr>
271
			<td width="22%" valign="top" class="vncell">&nbsp;</td>
272
			<td width="78%" class="vtable">
273
				<input name="enablesshd" type="checkbox" id="enablesshd" value="yes" <?php if (isset($pconfig['enablesshd'])) echo "checked"; ?> onclick="enable_change(false)" />
274
				<strong>Enable Secure Shell</strong>
275
			</td>
276
		</tr>
277 74806cee Seth Mos
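		<tr>
			<td width="22%" valign="top" class="vncell">SSH port</td>
			<td width="78%" class="vtable">
				<input name="sshport" type="text" id="sshport" value="<?php /* $pconfig is the raw $_POST after a submit, so escape before placing it in the attribute */ echo htmlspecialchars($pconfig['sshport']); ?>" onclick="enable_change(false)" />
				<br />
				<span class="vexpl">Note:  Leave this blank for the default of 22</span>
			</td>
		</tr>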
285 9ecd6ab7 Erik Kristensen
		<tr>
286
			<td width="22%" valign="top">&nbsp;</td>
287
			<td width="78%">
288
				<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
289
			</td>
290
		</tr>
291
		<tr>
292
			<td colspan="2" class="list" height="12">&nbsp;</td>
293
		</tr>		
294
		<tr>
295
			<td colspan="2" valign="top" class="listtopic">Shared Physical Network</td>
296
		</tr>
297
		<tr>
298
			<td width="22%" valign="top" class="vncell">&nbsp;</td>
299
			<td width="78%" class="vtable">
300
				<input name="sharednet" type="checkbox" id="sharednet" value="yes" <?php if (isset($pconfig['sharednet'])) echo "checked"; ?> onclick="enable_change(false)" />
301 3d0d1aa8 Colin Smith
				<strong>This will suppress ARP messages when interfaces share the same physical network</strong>
302 9ecd6ab7 Erik Kristensen
			</td>
303
		</tr>
304
		<tr>
305
			<td width="22%" valign="top">&nbsp;</td>
306
			<td width="78%">
307
				<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
308
			</td>
309
		</tr>
310
		<tr>
311
			<td colspan="2" class="list" height="12">&nbsp;</td>
312
		</tr>
313
		<tr>
314
			<td colspan="2" valign="top" class="listtopic">IPv6 tunneling</td>
315
		</tr>
316
		<tr>
317
			<td width="22%" valign="top" class="vncell">&nbsp;</td>
318
			<td width="78%" class="vtable">
319
				<input name="ipv6nat_enable" type="checkbox" id="ipv6nat_enable" value="yes" <?php if ($pconfig['ipv6nat_enable']) echo "checked"; ?> onclick="enable_change(false)" />
320
				<strong>NAT encapsulated IPv6 packets (IP protocol 41/RFC2893) to:</strong>
321
				<br /> <br />
322
				<input name="ipv6nat_ipaddr" type="text" class="formfld" id="ipv6nat_ipaddr" size="20" value="<?=htmlspecialchars($pconfig['ipv6nat_ipaddr']);?>" />
323
				&nbsp;(IP address)<span class="vexpl"><br /> Don't forget to add a firewall rule to permit IPv6 packets!</span>
324
			</td>
325
		</tr>
326 b0703b01 Scott Ullrich
		<tr>
327
			<td colspan="2" class="list" height="12">&nbsp;</td>
328
		</tr>		
329 02f0c58f Scott Ullrich
		<tr>
330
			<td colspan="2" valign="top" class="listtopic">Filtering Bridge</td>
331
		</tr>
332 3962b070 Scott Ullrich
                <tr> 
333
                  <td width="22%" valign="top" class="vncell">&nbsp;</td>
334
                  <td width="78%" class="vtable"> 
335
                    <input name="filteringbridge_enable" type="checkbox" id="filteringbridge_enable" value="yes" <?php if ($pconfig['filteringbridge_enable']) echo "checked"; ?>>
336
                    <strong>Enable filtering bridge</strong><span class="vexpl"><br>
337
                    This will cause bridged packets to pass through the packet 
338
                    filter in the same way as routed packets do (by default bridged 
339
                    packets are always passed). If you enable this option, you'll 
340
                    have to add filter rules to selectively permit traffic from 
341
                    bridged interfaces.</span></td>
342
                </tr>			
343 9ecd6ab7 Erik Kristensen
		<tr>
344
			<td width="22%" valign="top">&nbsp;</td>
345
			<td width="78%">
346
				<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
347
			</td>
348
		</tr>
349
		<tr>
350
			<td colspan="2" class="list" height="12">&nbsp;</td>
351
		</tr>
352
		<tr>
353
			<td colspan="2" valign="top" class="listtopic">webGUI SSL certificate/key</td>
354
		</tr>
355
		<tr>
356
			<td width="22%" valign="top" class="vncell">Certificate</td>
357
			<td width="78%" class="vtable">
358
				<textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea>
359
				<br />
360
				Paste a signed certificate in X.509 PEM format here. <a href="javascript:if(openwindow('system_advanced_create_certs.php') == false) alert('Popup blocker detected.  Action aborted.');" >Create</a> certificates automatically.
361
			</td>
362
		</tr>
363
		<tr>
364
			<td width="22%" valign="top" class="vncell">Key</td>
365
			<td width="78%" class="vtable">
366
				<textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea>
367
				<br />
368
				Paste an RSA private key in PEM format here.
369
			</td>
370
		</tr>
371
		<tr>
372
			<td width="22%" valign="top">&nbsp;</td>
373
			<td width="78%">
374
				<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
375
			</td>
376
		</tr>
377
		<tr>
378
			<td colspan="2" class="list" height="12">&nbsp;</td>
379
		</tr>
380
		<tr>
381
			<td colspan="2" valign="top" class="listtopic">Miscellaneous</td>
382
		</tr>
383 8d36fd1d Scott Ullrich
384
                <tr>
385
                  <td width="22%" valign="top" class="vncell">Device polling</td>
386
                  <td width="78%" class="vtable">
387
                    <input name="polling_enable" type="checkbox" id="polling_enable" value="yes" <?php if ($pconfig['polling_enable']) echo "checked"; ?>>
388
                    <strong>Use device polling</strong><br>
389
                                        Device polling is a technique that lets the system periodically poll network devices for new
390
                                        data instead of relying on interrupts. This can reduce CPU load and therefore increase
391
                                        throughput, at the expense of a slightly higher forwarding delay (the devices are polled 1000 times
392 dabf1d2d Scott Ullrich
                                        per second). Not all NICs support polling; see the pfSense homepage for a list of supported cards.
393 8d36fd1d Scott Ullrich
                  </td>
394
                </tr>
395
		
396 9ecd6ab7 Erik Kristensen
		<tr>
397
			<td width="22%" valign="top" class="vncell">Console menu </td>
398
			<td width="78%" class="vtable">
399
				<input name="disableconsolemenu" type="checkbox" id="disableconsolemenu" value="yes" <?php if ($pconfig['disableconsolemenu']) echo "checked"; ?>  />
400
				<strong>Disable console menu</strong>
401
				<br />
402
				<span class="vexpl">Changes to this option will take effect after a reboot.</span>
403
			</td>
404
		</tr>
405
		<tr>
406
			<td valign="top" class="vncell">Firmware version check</td>
407
			<td class="vtable">
408
				<input name="disablefirmwarecheck" type="checkbox" id="disablefirmwarecheck" value="yes" <?php if ($pconfig['disablefirmwarecheck']) echo "checked"; ?>  />
409
				<strong>Disable firmware version check</strong>
410
				<br />
411
				<span class="vexpl">This will cause pfSense not to check for newer firmware versions when the <a href="system_firmware.php">System: Firmware</a> page is viewed.</span>
412
			</td>
413 abf5a84b Scott Ullrich
		</tr>
414 4c0d4635 Scott Ullrich
<?php if($g['platform'] == "pfSenseDISABLED"): ?>		
415 a509ff63 Bill Marquette
		<tr>
416 9ecd6ab7 Erik Kristensen
			<td width="22%" valign="top" class="vncell">Hard disk standby time </td>
417
			<td width="78%" class="vtable">
418
				<select name="harddiskstandby" class="formfld">
419
<?php
420
				 	## Values from ATA-2 http://www.t13.org/project/d0948r3-ATA-2.pdf (Page 66)
421
					$sbvals = explode(" ", "0.5,6 1,12 2,24 3,36 4,48 5,60 7.5,90 10,120 15,180 20,240 30,241 60,242");
422
?>
423
					<option value="" <?php if(!$pconfig['harddiskstandby']) echo('selected');?>>Always on</option>
424
<?php
425 5b237745 Scott Ullrich
					foreach ($sbvals as $sbval):
426
						list($min,$val) = explode(",", $sbval); ?>
427 9ecd6ab7 Erik Kristensen
					<option value="<?=$val;?>" <?php if($pconfig['harddiskstandby'] == $val) echo('selected');?>><?=$min;?> minutes</option>
428
<?php 				endforeach; ?>
429
				</select>
430
				<br />
431
				Puts the hard disk into standby mode when the selected amount of time after the last
432
				access has elapsed. <em>Do not set this for CF cards.</em>
433
			</td>
434
		</tr>
435 abf5a84b Scott Ullrich
<?php endif; ?>		
436 9ecd6ab7 Erik Kristensen
		<tr>
437
			<td width="22%" valign="top" class="vncell">webGUI anti-lockout</td>
438
			<td width="78%" class="vtable">
439
				<input name="noantilockout" type="checkbox" id="noantilockout" value="yes" <?php if ($pconfig['noantilockout']) echo "checked"; ?> />
440
				<strong>Disable webGUI anti-lockout rule</strong>
441
				<br />
442
				By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter 
443
				rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you 
444
				in, or you will lock yourself out!).
445
				<br />
446
				Hint: the &quot;set LAN IP address&quot; option in the console menu  resets this setting as well.
447
			</td>
448
		</tr>
449
		<tr>
450
			<td width="22%" valign="top" class="vncell">IPsec SA preferral</td>
451
			<td width="78%" class="vtable">
452
				<input name="preferoldsa_enable" type="checkbox" id="preferoldsa_enable" value="yes" <?php if ($pconfig['preferoldsa_enable']) echo "checked"; ?> />
453
				<strong>Prefer old IPsec SAs</strong>
454
				<br />
455
				By default, if several SAs match, the newest one is preferred if it's at least 30 seconds old.Select this option to always prefer old SAs over new ones.
456
			</td>
457
		</tr>		
458
		<tr>
459
			<td width="22%" valign="top">&nbsp;</td>
460
			<td width="78%">
461
				<input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" />
462
			</td>
463
		</tr>
464
		<tr>
465
			<td colspan="2" class="list" height="12">&nbsp;</td>
466
		</tr>
467
		<tr>
468
			<td colspan="2" valign="top" class="listtopic">Traffic Shaper and Firewall Advanced</td>
469
		</tr>
470
		<tr>
471
			<td width="22%" valign="top" class="vncell">FTP RFC 959 data port violation workaround</td>
472
			<td width="78%" class="vtable">
473
				<input name="rfc959workaround" type="checkbox" id="rfc959workaround" value="yes" <?php if (isset($config['system']['rfc959workaround'])) echo "checked"; ?> onclick="enable_change(false)" />
474
				<strong class="vexpl">Workaround for sites that violate RFC 959 which specifies that the data connection be sourced from the command port - 1 (typically port 20).  This workaround doesn't expose you to any extra risk as the firewall will still only allow connections on a port that the ftp-proxy is listening on.</strong>
475
				<br />
476
			</td>
477
		</tr>
478 8f498445 Scott Ullrich
		<tr>
479
			<td width="22%" valign="top" class="vncell">Clear DF bit instead of dropping</td>
480
			<td width="78%" class="vtable">
481
				<input name="scrubnodf" type="checkbox" id="scrubnodf" value="yes" <?php if (isset($config['system']['scrubnodf'])) echo "checked"; ?> onclick="enable_change(false)" />
482
				<strong class="vexpl">Workaround for operating systems that generate fragmented packets with the don't fragment (DF) bit set.  Linux NFS is known to do this.  This will cause the filter to not drop such packets but instead clear the don't fragment bit.  The filter will also randomize the IP identification field of outgoing packets with this option on, to compensate for operating systems that set the DF bit but set a zero IP identification header field.</strong>
483
				<br />
484
			</td>
485
		</tr>
486 9ecd6ab7 Erik Kristensen
		<tr>
487
			<td width="22%" valign="top" class="vncell">Firewall Optimization Options</td>
488
			<td width="78%" class="vtable">
489
				<select onChange="update_description(this.selectedIndex);" name="optimization" id="optimization">
490
					<option value="normal"<?php if($config['system']['optimization']=="normal") echo " selected"; ?>>normal</option>
491
					<option value="high-latency"<?php if($config['system']['optimization']=="high-latency") echo " selected"; ?>>high-latency</option>
492
					<option value="aggressive"<?php if($config['system']['optimization']=="aggressive") echo " selected"; ?>>aggressive</option>
493
					<option value="conservative"<?php if($config['system']['optimization']=="conservative") echo " selected"; ?>>conservative</option>
494
				</select>
495
				<br />
496 d4fddf14 Scott Ullrich
				<textarea cols="60" rows="2" id="info" name="info"style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea>
497 9ecd6ab7 Erik Kristensen
				<script language="javascript" type="text/javascript">
498
					update_description(document.forms[0].optimization.selectedIndex);
499
				</script>
500
				<br />
501
				<span class="vexpl"><b>Select which type of state table optimization your would like to use</b></span>
502
			</td>
503
		</tr>
504
		<tr>
505
			<td width="22%" valign="top" class="vncell">Disable Firewall</td>
506
			<td width="78%" class="vtable">
507
				<input name="disablefilter" type="checkbox" id="disablefilter" value="yes" <?php if (isset($config['system']['disablefilter'])) echo "checked"; ?> onclick="enable_change(false)" />
508
				<strong>Disable the firewalls filter altogether.</strong>
509
				<br />
510 8d0abf6b Scott Ullrich
				<span class="vexpl">Note:  This basically converts pfSense into a routing only platform!<br>
511
				                    Note:  This will turn off NAT!
512
				</span>
513 9ecd6ab7 Erik Kristensen
			</td>
514
		</tr>
515
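		<tr>
			<td width="22%" valign="top" class="vncell">Firewall Maximum States</td>
			<td width="78%" class="vtable">
				<input name="maximumstates" type="text" id="maximumstates" value="<?php /* $pconfig is the raw $_POST after a submit, so escape before placing it in the attribute */ echo htmlspecialchars($pconfig['maximumstates']); ?>" onclick="enable_change(false)" />
				<br />
				<strong>Maximum number of connections to hold in the firewall state table.</strong>
				<br />
				<span class="vexpl">Note:  Leave this blank for the default of 10000</span>
			</td>
		</tr>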
525 a9b19d7f Scott Ullrich
		<tr>
526 b5675af6 Scott Ullrich
			<td width="22%" valign="top">&nbsp;</td>
527
			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
528 a9b19d7f Scott Ullrich
		</tr>
529 b5675af6 Scott Ullrich
		<tr>
530
			<td colspan="2" class="list" height="12">&nbsp;</td>
531
		</tr>		
532 a9b19d7f Scott Ullrich
		<tr>
533
			<td colspan="2" valign="top" class="listtopic">Network Address Translation</td>
534
		</tr>
535
		<tr>
536 1b45d566 Scott Ullrich
			<td width="22%" valign="top" class="vncell">Disable NAT Reflection</td>
537 a9b19d7f Scott Ullrich
			<td width="78%" class="vtable">
538
				<input name="disablenatreflection" type="checkbox" id="disablenatreflection" value="yes" <?php if (isset($config['system']['disablenatreflection'])) echo "checked"; ?> onclick="enable_change(false)" />
539 3a9ba28f Scott Ullrich
				<strong>Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks.  Note: Reflection only works on port forward type items  and does not work for large ranges > 500 ports.</strong>
540 a9b19d7f Scott Ullrich
			</td>
541
		</tr>
542 9ecd6ab7 Erik Kristensen
		<tr>
543
			<td width="22%" valign="top">&nbsp;</td>
544
			<td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /></td>
545
		</tr>
546
		<tr>
547
			<td colspan="2" class="list" height="12">&nbsp;</td>
548
		</tr>
549
	</tbody>
550
</table>
551 5b237745 Scott Ullrich
</form>
552 9ecd6ab7 Erik Kristensen
553
<script language="JavaScript" type="text/javascript">
554 5b237745 Scott Ullrich
<!--
555 9ecd6ab7 Erik Kristensen
	enable_change(false);
556 5b237745 Scott Ullrich
//-->
557
</script>
558 9ecd6ab7 Erik Kristensen
559 5b237745 Scott Ullrich
<?php include("fend.inc"); ?>
560 9ecd6ab7 Erik Kristensen
561 a6318c60 Scott Ullrich
</body>
562
</html>
563
564 8affb1da Scott Ullrich
<?php
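/*
 * Second pass over the submitted form, run after the page body has been
 * sent: output is flushed, then the same settings are copied into $config
 * again, written out, and the filter and optional interfaces are
 * reconfigured under the config lock.
 *
 * The page has already been emitted at this point, so the $savemsg set
 * below is not displayed by this request.
 */
if ($_POST) {
    ob_flush();
    flush();
    sleep(1)	;
	if (!$input_errors) {
		if($_POST['disablefilter'] == "yes") {
			$config['system']['disablefilter'] = "enabled";
		} else {
			unset($config['system']['disablefilter']);
		}
		if($_POST['enablesshd'] == "yes") {
			$config['system']['enablesshd'] = "enabled";
			touch("{$g['tmp_path']}/start_sshd");
		} else {
			unset($config['system']['enablesshd']);
			mwexec("/usr/bin/killall sshd");
		}
		$oldsshport = $config['system']['ssh']['port'];
		$config['system']['ssh']['port'] = $_POST['sshport'];

		if($_POST['polling_enable'] == "yes") {
			$config['system']['polling'] = true;
			setup_polling();
		} else {
			unset($config['system']['polling']);
			setup_polling();
		}

		if($_POST['sharednet'] == "yes") {
			$config['system']['sharednet'] = true;
			system_disable_arp_wrong_if();
		} else {
			unset($config['system']['sharednet']);
			system_enable_arp_wrong_if();
		}

		if($_POST['rfc959workaround'] == "yes")
			$config['system']['rfc959workaround'] = "enabled";
		else
			unset($config['system']['rfc959workaround']);

		if($_POST['ipv6nat_enable'] == "yes") {
			$config['diag']['ipv6nat']['enable'] = true;
			$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
		} else {
			unset($config['diag']['ipv6nat']['enable']);
			unset($config['diag']['ipv6nat']['ipaddr']);
		}
		/*
		 * $oldcert and $oldkey are deliberately not re-read here. The handler
		 * at the top of the file captured them before it stored the submitted
		 * pair; reading them again would pick up the already-updated values
		 * and the restart check at the end of the script could never see a
		 * change.
		 */
		$config['system']['webgui']['certificate'] = base64_encode($_POST['cert']);
		$config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
		if($_POST['disableconsolemenu'] == "yes") {
			$config['system']['disableconsolemenu'] = true;
			auto_login(true);
		} else {
			unset($config['system']['disableconsolemenu']);
			auto_login(false);
		}
		unset($config['system']['webgui']['expanddiags']);
		/* NOTE(review): stored without a check against the four modes the
		   form offers. */
		$config['system']['optimization'] = $_POST['optimization'];

		if($_POST['disablefirmwarecheck'] == "yes")
			$config['system']['disablefirmwarecheck'] = true;
		else
			unset($config['system']['disablefirmwarecheck']);

		if ($_POST['enableserial'] == "yes")
			$config['system']['enableserial'] = true;
		else
			unset($config['system']['enableserial']);

		if($_POST['harddiskstandby'] <> "") {
			$config['system']['harddiskstandby'] = $_POST['harddiskstandby'];
			system_set_harddisk_standby();
		} else
			unset($config['system']['harddiskstandby']);

		if ($_POST['noantilockout'] == "yes")
			$config['system']['webgui']['noantilockout'] = true;
		else
			unset($config['system']['webgui']['noantilockout']);

		/* Firewall and ALTQ options */
		$config['system']['maximumstates'] = $_POST['maximumstates'];

		/* Second write of enablesshd: replaces the "enabled" stored above with "yes". */
		if($_POST['enablesshd'] == "yes") {
			$config['system']['enablesshd'] = $_POST['enablesshd'];
		} else {
			unset($config['system']['enablesshd']);
		}

		if($_POST['disablenatreflection'] == "yes") {
			$config['system']['disablenatreflection'] = $_POST['disablenatreflection'];
		} else {
			unset($config['system']['disablenatreflection']);
		}

		$config['ipsec']['preferoldsa'] = $_POST['preferoldsa_enable'] ? true : false;

		$config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? true : false;

		write_config();

		$retval = 0;
		/* Filter and optional-interface reconfiguration run under the config lock. */
		config_lock();
		$retval = filter_configure();
		if(stristr($retval, "error") <> true)
		    $savemsg = get_std_save_message($retval);
		else
		    $savemsg = $retval;
		$retval |= interfaces_optional_configure();
		config_unlock();

		setup_serial_port();

		setup_filter_bridge();

	}
}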
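/*
 * Ask for a webConfigurator restart when the stored certificate or private
 * key differs from the pair captured before the form was applied.
 *
 * $oldcert and $oldkey are only assigned by the form handlers, on a
 * submission that passed validation. Without that guard they are undefined
 * on a plain page view, the comparison is made against null, and the restart
 * flag would be touched on every view whenever a certificate is configured.
 */
if ($_POST && !$input_errors
		&& (($config['system']['webgui']['certificate'] != $oldcert)
		|| ($config['system']['webgui']['private-key'] != $oldkey))) {
    ob_flush();
    flush();
    log_error("webConfigurator certificates have changed.  Restarting webConfigurator.");
    sleep(1);
	/* Flag file only; whatever performs the restart is outside this file. */
	touch("/tmp/restart_webgui");
}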
?>