|
1
|
<?php
|
|
2
|
/* $Id$ */
|
|
3
|
/*
|
|
4
|
firewall_rules_edit.php
|
|
5
|
part of pfSense (http://www.pfsense.com)
|
|
6
|
Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)
|
|
7
|
|
|
8
|
originally part of m0n0wall (http://m0n0.ch/wall)
|
|
9
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
|
10
|
All rights reserved.
|
|
11
|
|
|
12
|
Redistribution and use in source and binary forms, with or without
|
|
13
|
modification, are permitted provided that the following conditions are met:
|
|
14
|
|
|
15
|
1. Redistributions of source code must retain the above copyright notice,
|
|
16
|
this list of conditions and the following disclaimer.
|
|
17
|
|
|
18
|
2. Redistributions in binary form must reproduce the above copyright
|
|
19
|
notice, this list of conditions and the following disclaimer in the
|
|
20
|
documentation and/or other materials provided with the distribution.
|
|
21
|
|
|
22
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
23
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
24
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
25
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
26
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
27
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
28
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
29
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
30
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
31
|
POSSIBILITY OF SUCH DAMAGE.
|
|
32
|
*/
|
|
33
|
|
|
34
|
##|+PRIV
|
|
35
|
##|*IDENT=page-firewall-rules-edit
|
|
36
|
##|*NAME=Firewall: Rules: Edit page
|
|
37
|
##|*DESCR=Allow access to the 'Firewall: Rules: Edit' page.
|
|
38
|
##|*MATCH=firewall_rules_edit.php*
|
|
39
|
##|-PRIV
|
|
40
|
|
|
41
|
|
|
42
|
require("guiconfig.inc");
|
|
43
|
|
|
44
|
$specialsrcdst = explode(" ", "any pptp pppoe l2tp");
|
|
45
|
$ifdisp = get_configured_interface_with_descr();
|
|
46
|
foreach ($ifdisp as $kif => $kdescr) {
|
|
47
|
$specialsrcdst[] = "{$kif}";
|
|
48
|
$specialsrcdst[] = "{$kif}ip";
|
|
49
|
}
|
|
50
|
|
|
51
|
if (!is_array($config['filter']['rule'])) {
|
|
52
|
$config['filter']['rule'] = array();
|
|
53
|
}
|
|
54
|
filter_rules_sort();
|
|
55
|
$a_filter = &$config['filter']['rule'];
|
|
56
|
|
|
57
|
$id = $_GET['id'];
|
|
58
|
if (is_numeric($_POST['id']))
|
|
59
|
$id = $_POST['id'];
|
|
60
|
|
|
61
|
$after = $_GET['after'];
|
|
62
|
|
|
63
|
if (isset($_POST['after']))
|
|
64
|
$after = $_POST['after'];
|
|
65
|
|
|
66
|
if (isset($_GET['dup'])) {
|
|
67
|
$id = $_GET['dup'];
|
|
68
|
$after = $_GET['dup'];
|
|
69
|
}
|
|
70
|
|
|
71
|
if (isset($id) && $a_filter[$id]) {
|
|
72
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
|
73
|
|
|
74
|
if (!isset($a_filter[$id]['type']))
|
|
75
|
$pconfig['type'] = "pass";
|
|
76
|
else
|
|
77
|
$pconfig['type'] = $a_filter[$id]['type'];
|
|
78
|
|
|
79
|
if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
|
|
80
|
$pconfig['floating'] = $a_filter[$id]['floating'];
|
|
81
|
if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
|
|
82
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
|
83
|
}
|
|
84
|
|
|
85
|
if (isset($a_filter['floating']))
|
|
86
|
$pconfig['floating'] = "yes";
|
|
87
|
|
|
88
|
if (isset($a_filter[$id]['direction']))
|
|
89
|
$pconfig['direction'] = $a_filter[$id]['direction'];
|
|
90
|
|
|
91
|
if (isset($a_filter[$id]['protocol']))
|
|
92
|
$pconfig['proto'] = $a_filter[$id]['protocol'];
|
|
93
|
else
|
|
94
|
$pconfig['proto'] = "any";
|
|
95
|
|
|
96
|
if ($a_filter[$id]['protocol'] == "icmp")
|
|
97
|
$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
|
|
98
|
|
|
99
|
address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
|
|
100
|
$pconfig['srcmask'], $pconfig['srcnot'],
|
|
101
|
$pconfig['srcbeginport'], $pconfig['srcendport']);
|
|
102
|
|
|
103
|
if($a_filter[$id]['os'] <> "")
|
|
104
|
$pconfig['os'] = $a_filter[$id]['os'];
|
|
105
|
|
|
106
|
address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
|
|
107
|
$pconfig['dstmask'], $pconfig['dstnot'],
|
|
108
|
$pconfig['dstbeginport'], $pconfig['dstendport']);
|
|
109
|
|
|
110
|
if ($a_filter[$id]['dscp'] <> "")
|
|
111
|
$pconfig['dscp'] = $a_filter[$id]['dscp'];
|
|
112
|
|
|
113
|
$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
|
|
114
|
$pconfig['log'] = isset($a_filter[$id]['log']);
|
|
115
|
$pconfig['descr'] = $a_filter[$id]['descr'];
|
|
116
|
|
|
117
|
if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
|
|
118
|
$pconfig['tag'] = $a_filter[$id]['tag'];
|
|
119
|
if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tag'] <> "")
|
|
120
|
$pconfig['tagged'] = $a_filter[$id]['tagged'];
|
|
121
|
if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
|
|
122
|
$pconfig['quick'] = $a_filter[$id]['quick'];
|
|
123
|
if (isset($a_filter[$id]['allowopts']))
|
|
124
|
$pconfig['allowopts'] = true;
|
|
125
|
|
|
126
|
/* advanced */
|
|
127
|
$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
|
|
128
|
$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
|
|
129
|
$pconfig['statetype'] = $a_filter[$id]['statetype'];
|
|
130
|
$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
|
|
131
|
|
|
132
|
$pconfig['nosync'] = isset($a_filter[$id]['nosync']);
|
|
133
|
|
|
134
|
/* advanced - new connection per second banning*/
|
|
135
|
$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
|
|
136
|
$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];
|
|
137
|
|
|
138
|
/* Multi-WAN next-hop support */
|
|
139
|
$pconfig['gateway'] = $a_filter[$id]['gateway'];
|
|
140
|
|
|
141
|
/* Shaper support */
|
|
142
|
$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
|
|
143
|
$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];
|
|
144
|
$pconfig['dnpipe'] = $a_filter[$id]['dnpipe'];
|
|
145
|
$pconfig['pdnpipe'] = $a_filter[$id]['pdnpipe'];
|
|
146
|
$pconfig['l7container'] = $a_filter[$id]['l7container'];
|
|
147
|
|
|
148
|
//schedule support
|
|
149
|
$pconfig['sched'] = $a_filter[$id]['sched'];
|
|
150
|
|
|
151
|
} else {
|
|
152
|
/* defaults */
|
|
153
|
if ($_GET['if'])
|
|
154
|
$pconfig['interface'] = $_GET['if'];
|
|
155
|
$pconfig['type'] = "pass";
|
|
156
|
$pconfig['src'] = "any";
|
|
157
|
$pconfig['dst'] = "any";
|
|
158
|
}
|
|
159
|
/* Allow the FlotingRules to work */
|
|
160
|
$if = $pconfig['interface'];
|
|
161
|
|
|
162
|
if (isset($_GET['dup']))
|
|
163
|
unset($id);
|
|
164
|
|
|
165
|
if ($_POST) {
|
|
166
|
|
|
167
|
if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
|
|
168
|
$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";
|
|
169
|
|
|
170
|
if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
|
|
171
|
$_POST['srcbeginport'] = 0;
|
|
172
|
$_POST['srcendport'] = 0;
|
|
173
|
$_POST['dstbeginport'] = 0;
|
|
174
|
$_POST['dstendport'] = 0;
|
|
175
|
} else {
|
|
176
|
|
|
177
|
if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
|
|
178
|
$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
|
|
179
|
if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
|
|
180
|
$_POST['srcendport'] = $_POST['srcendport_cust'];
|
|
181
|
|
|
182
|
if ($_POST['srcbeginport'] == "any") {
|
|
183
|
$_POST['srcbeginport'] = 0;
|
|
184
|
$_POST['srcendport'] = 0;
|
|
185
|
} else {
|
|
186
|
if (!$_POST['srcendport'])
|
|
187
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
188
|
}
|
|
189
|
if ($_POST['srcendport'] == "any")
|
|
190
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
191
|
|
|
192
|
if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
|
|
193
|
$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
|
|
194
|
if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
|
|
195
|
$_POST['dstendport'] = $_POST['dstendport_cust'];
|
|
196
|
|
|
197
|
if ($_POST['dstbeginport'] == "any") {
|
|
198
|
$_POST['dstbeginport'] = 0;
|
|
199
|
$_POST['dstendport'] = 0;
|
|
200
|
} else {
|
|
201
|
if (!$_POST['dstendport'])
|
|
202
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
203
|
}
|
|
204
|
if ($_POST['dstendport'] == "any")
|
|
205
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
206
|
}
|
|
207
|
|
|
208
|
if (is_specialnet($_POST['srctype'])) {
|
|
209
|
$_POST['src'] = $_POST['srctype'];
|
|
210
|
$_POST['srcmask'] = 0;
|
|
211
|
} else if ($_POST['srctype'] == "single") {
|
|
212
|
$_POST['srcmask'] = 32;
|
|
213
|
}
|
|
214
|
if (is_specialnet($_POST['dsttype'])) {
|
|
215
|
$_POST['dst'] = $_POST['dsttype'];
|
|
216
|
$_POST['dstmask'] = 0;
|
|
217
|
} else if ($_POST['dsttype'] == "single") {
|
|
218
|
$_POST['dstmask'] = 32;
|
|
219
|
}
|
|
220
|
|
|
221
|
unset($input_errors);
|
|
222
|
$pconfig = $_POST;
|
|
223
|
|
|
224
|
/* run through $_POST items encoding HTML entties so that the user
|
|
225
|
* cannot think he is slick and perform a XSS attack on the unwilling
|
|
226
|
*/
|
|
227
|
foreach ($_POST as $key => $value) {
|
|
228
|
$temp = $value;
|
|
229
|
if (isset($_POST['floating']) && $key == "interface")
|
|
230
|
continue;
|
|
231
|
$newpost = htmlentities($temp);
|
|
232
|
if($newpost <> $temp)
|
|
233
|
$input_errors[] = "Invalid characters detected ($temp). Please remove invalid characters and save again.";
|
|
234
|
}
|
|
235
|
|
|
236
|
/* input validation */
|
|
237
|
$reqdfields = explode(" ", "type proto src dst");
|
|
238
|
$reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");
|
|
239
|
|
|
240
|
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
|
|
241
|
if( $_POST['proto'] != "tcp" )
|
|
242
|
$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
|
|
243
|
if(($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
|
|
244
|
$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
|
|
245
|
}
|
|
246
|
|
|
247
|
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
|
|
248
|
$reqdfields[] = "srcmask";
|
|
249
|
$reqdfieldsn[] = "Source bit count";
|
|
250
|
}
|
|
251
|
if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
|
|
252
|
$reqdfields[] = "dstmask";
|
|
253
|
$reqdfieldsn[] = "Destination bit count";
|
|
254
|
}
|
|
255
|
|
|
256
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
|
|
257
|
|
|
258
|
if (!$_POST['srcbeginport']) {
|
|
259
|
$_POST['srcbeginport'] = 0;
|
|
260
|
$_POST['srcendport'] = 0;
|
|
261
|
}
|
|
262
|
if (!$_POST['dstbeginport']) {
|
|
263
|
$_POST['dstbeginport'] = 0;
|
|
264
|
$_POST['dstendport'] = 0;
|
|
265
|
}
|
|
266
|
|
|
267
|
if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
|
|
268
|
$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
|
|
269
|
}
|
|
270
|
if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
|
|
271
|
$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
|
|
272
|
}
|
|
273
|
if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
|
|
274
|
$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
|
|
275
|
}
|
|
276
|
if (($_POST['dstendport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstendport']))) {
|
|
277
|
$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
|
|
278
|
}
|
|
279
|
|
|
280
|
/* if user enters an alias and selects "network" then disallow. */
|
|
281
|
if($_POST['srctype'] == "network") {
|
|
282
|
if(is_alias($_POST['src']))
|
|
283
|
$input_errors[] = "You must specify single host or alias for alias entries.";
|
|
284
|
}
|
|
285
|
if($_POST['dsttype'] == "network") {
|
|
286
|
if(is_alias($_POST['dst']))
|
|
287
|
$input_errors[] = "You must specify single host or alias for alias entries.";
|
|
288
|
}
|
|
289
|
|
|
290
|
if (!is_specialnet($_POST['srctype'])) {
|
|
291
|
if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
|
|
292
|
$input_errors[] = "A valid source IP address or alias must be specified.";
|
|
293
|
}
|
|
294
|
if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
|
|
295
|
$input_errors[] = "A valid source bit count must be specified.";
|
|
296
|
}
|
|
297
|
}
|
|
298
|
if (!is_specialnet($_POST['dsttype'])) {
|
|
299
|
if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
|
|
300
|
$input_errors[] = "A valid destination IP address or alias must be specified.";
|
|
301
|
}
|
|
302
|
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
|
|
303
|
$input_errors[] = "A valid destination bit count must be specified.";
|
|
304
|
}
|
|
305
|
}
|
|
306
|
|
|
307
|
if ($_POST['srcbeginport'] > $_POST['srcendport']) {
|
|
308
|
/* swap */
|
|
309
|
$tmp = $_POST['srcendport'];
|
|
310
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
311
|
$_POST['srcbeginport'] = $tmp;
|
|
312
|
}
|
|
313
|
if ($_POST['dstbeginport'] > $_POST['dstendport']) {
|
|
314
|
/* swap */
|
|
315
|
$tmp = $_POST['dstendport'];
|
|
316
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
317
|
$_POST['dstbeginport'] = $tmp;
|
|
318
|
}
|
|
319
|
if ($_POST['os'])
|
|
320
|
if( $_POST['proto'] != "tcp" )
|
|
321
|
$input_errors[] = "OS detection is only valid with protocol tcp.";
|
|
322
|
|
|
323
|
if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
|
|
324
|
if ($_POST['defaultqueue'] == "none" )
|
|
325
|
$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
|
|
326
|
else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
|
|
327
|
$input_errors[] = "Acknowledge queue and Queue cannot be the same.";
|
|
328
|
}
|
|
329
|
if ($_POST['pdnpipe'] && $_POST['pdnpipe'] != "none") {
|
|
330
|
if ($_POST['dnpipe'] == "none" )
|
|
331
|
$input_errors[] = "You must select a queue for the In direction before selecting one for Out too.";
|
|
332
|
else if ($_POST['pdnpipe'] == $_POST['dnpipe'])
|
|
333
|
$input_errors[] = "In and Out Queue cannot be the same.";
|
|
334
|
else if ($pdnpipe[0] == "?" && $dnpipe[0] <> "?")
|
|
335
|
$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
|
|
336
|
else if ($dnpipe[0] == "?" && $pdnpipe[0] <> "?")
|
|
337
|
$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
|
|
338
|
}
|
|
339
|
if($_POST['l7container'] && $_POST['l7container'] != "none") {
|
|
340
|
if(!($_POST['proto'] == "tcp" || $_POST['proto'] == "udp" || $_POST['proto'] == "tcp/udp"))
|
|
341
|
$input_errors[] = "You can only select a layer7 container for tcp and/or udp protocols";
|
|
342
|
if ($_POST['type'] <> "pass")
|
|
343
|
$input_errors[] = "You can only select a layer7 container for Pass type rules.";
|
|
344
|
}
|
|
345
|
|
|
346
|
if (!$input_errors) {
|
|
347
|
$filterent = array();
|
|
348
|
$filterent['type'] = $_POST['type'];
|
|
349
|
if (isset($_POST['interface'] ))
|
|
350
|
$filterent['interface'] = $_POST['interface'];
|
|
351
|
|
|
352
|
if ($if == "FloatingRules" || isset($_POST['floating'])) {
|
|
353
|
if (isset($_POST['tag']))
|
|
354
|
$filterent['tag'] = $_POST['tag'];
|
|
355
|
if (isset($_POST['tagged']))
|
|
356
|
$filterent['tagged'] = $_POST['tagged'];
|
|
357
|
$filterent['direction'] = $_POST['direction'];
|
|
358
|
if (isset($_POST['quick']) && $_POST['quick'] <> "")
|
|
359
|
$filterent['quick'] = $_POST['quick'];
|
|
360
|
$filterent['floating'] = "yes";
|
|
361
|
if (isset($_POST['interface']) && count($_POST['interface']) > 0) {
|
|
362
|
$filterent['interface'] = implode(",", $_POST['interface']);
|
|
363
|
}
|
|
364
|
}
|
|
365
|
|
|
366
|
/* Advanced options */
|
|
367
|
if ($_POST['allowopts'] == "yes")
|
|
368
|
$filterent['allowopts'] = true;
|
|
369
|
else
|
|
370
|
unset($filterent['allowopts']);
|
|
371
|
$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
|
|
372
|
$filterent['max-src-states'] = $_POST['max-src-states'];
|
|
373
|
$filterent['statetimeout'] = $_POST['statetimeout'];
|
|
374
|
$filterent['statetype'] = $_POST['statetype'];
|
|
375
|
$filterent['os'] = $_POST['os'];
|
|
376
|
|
|
377
|
/* Nosync directive - do not xmlrpc sync this item */
|
|
378
|
if($_POST['nosync'] <> "")
|
|
379
|
$filterent['nosync'] = true;
|
|
380
|
else
|
|
381
|
unset($filterent['nosync']);
|
|
382
|
|
|
383
|
/* unless both values are provided, unset the values - ticket #650 */
|
|
384
|
if($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] <> "") {
|
|
385
|
$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
|
|
386
|
$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
|
|
387
|
} else {
|
|
388
|
unset($filterent['max-src-conn-rate']);
|
|
389
|
unset($filterent['max-src-conn-rates']);
|
|
390
|
}
|
|
391
|
|
|
392
|
if ($_POST['proto'] != "any")
|
|
393
|
$filterent['protocol'] = $_POST['proto'];
|
|
394
|
else
|
|
395
|
unset($filterent['protocol']);
|
|
396
|
|
|
397
|
if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
|
|
398
|
$filterent['icmptype'] = $_POST['icmptype'];
|
|
399
|
else
|
|
400
|
unset($filterent['icmptype']);
|
|
401
|
|
|
402
|
pconfig_to_address($filterent['source'], $_POST['src'],
|
|
403
|
$_POST['srcmask'], $_POST['srcnot'],
|
|
404
|
$_POST['srcbeginport'], $_POST['srcendport']);
|
|
405
|
|
|
406
|
pconfig_to_address($filterent['destination'], $_POST['dst'],
|
|
407
|
$_POST['dstmask'], $_POST['dstnot'],
|
|
408
|
$_POST['dstbeginport'], $_POST['dstendport']);
|
|
409
|
|
|
410
|
if ($_POST['disabled'])
|
|
411
|
$filterent['disabled'] = true;
|
|
412
|
else
|
|
413
|
unset($filterent['disabled']);
|
|
414
|
|
|
415
|
if ($_POST['dscp'])
|
|
416
|
$filterent['dscp'] = $_POST['dscp'];
|
|
417
|
|
|
418
|
if ($_POST['log'])
|
|
419
|
$filterent['log'] = true;
|
|
420
|
else
|
|
421
|
unset($filterent['log']);
|
|
422
|
strncpy($filterent['descr'], $_POST['descr'], 52);
|
|
423
|
|
|
424
|
if ($_POST['gateway'] != "") {
|
|
425
|
$filterent['gateway'] = $_POST['gateway'];
|
|
426
|
}
|
|
427
|
|
|
428
|
if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
|
|
429
|
$filterent['defaultqueue'] = $_POST['defaultqueue'];
|
|
430
|
if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
|
|
431
|
$filterent['ackqueue'] = $_POST['ackqueue'];
|
|
432
|
}
|
|
433
|
|
|
434
|
if (isset($_POST['dnpipe']) && $_POST['dnpipe'] != "none") {
|
|
435
|
$filterent['dnpipe'] = $_POST['dnpipe'];
|
|
436
|
if (isset($_POST['pdnpipe']) && $_POST['pdnpipe'] != "none")
|
|
437
|
$filterent['pdnpipe'] = $_POST['pdnpipe'];
|
|
438
|
}
|
|
439
|
|
|
440
|
if (isset($_POST['l7container']) && $_POST['l7container'] != "none") {
|
|
441
|
$filterent['l7container'] = $_POST['l7container'];
|
|
442
|
}
|
|
443
|
|
|
444
|
if ($_POST['sched'] != "") {
|
|
445
|
$filterent['sched'] = $_POST['sched'];
|
|
446
|
}
|
|
447
|
|
|
448
|
if (isset($id) && $a_filter[$id])
|
|
449
|
$a_filter[$id] = $filterent;
|
|
450
|
else {
|
|
451
|
if (is_numeric($after))
|
|
452
|
array_splice($a_filter, $after+1, 0, array($filterent));
|
|
453
|
else
|
|
454
|
$a_filter[] = $filterent;
|
|
455
|
}
|
|
456
|
|
|
457
|
write_config();
|
|
458
|
mark_subsystem_dirty('filter');
|
|
459
|
|
|
460
|
if (isset($_POST['floating']))
|
|
461
|
header("Location: firewall_rules.php?if=FloatingRules");
|
|
462
|
else
|
|
463
|
header("Location: firewall_rules.php?if=" . $_POST['interface']);
|
|
464
|
exit;
|
|
465
|
}
|
|
466
|
}
|
|
467
|
|
|
468
|
read_altq_config(); /* XXX: */
|
|
469
|
$qlist =& get_unique_queue_list();
|
|
470
|
read_dummynet_config(); /* XXX: */
|
|
471
|
$dnqlist =& get_unique_dnqueue_list();
|
|
472
|
read_layer7_config();
|
|
473
|
$l7clist =& get_l7_unique_list();
|
|
474
|
|
|
475
|
$pgtitle = array("Firewall","Rules","Edit");
|
|
476
|
$closehead = false;
|
|
477
|
|
|
478
|
$page_filename = "firewall_rules_edit.php";
|
|
479
|
include("head.inc");
|
|
480
|
|
|
481
|
?>
|
|
482
|
|
|
483
|
</head>
|
|
484
|
|
|
485
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
|
486
|
<?php include("fbegin.inc"); ?>
|
|
487
|
<?php if ($input_errors) print_input_errors($input_errors); ?>
|
|
488
|
|
|
489
|
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
|
|
490
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
|
491
|
<tr>
|
|
492
|
<td colspan="2" valign="top" class="listtopic">Edit Firewall rule</td>
|
|
493
|
</tr>
|
|
494
|
<tr>
|
|
495
|
<td width="22%" valign="top" class="vncellreq">Action</td>
|
|
496
|
<td width="78%" class="vtable">
|
|
497
|
<select name="type" class="formselect">
|
|
498
|
<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
|
|
499
|
<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
|
|
500
|
<?=htmlspecialchars($type);?>
|
|
501
|
</option>
|
|
502
|
<?php endforeach; ?>
|
|
503
|
</select>
|
|
504
|
<br/>
|
|
505
|
<span class="vexpl">
|
|
506
|
Choose what to do with packets that match the criteria specified below. <br/>
|
|
507
|
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.
|
|
508
|
</span>
|
|
509
|
</td>
|
|
510
|
</tr>
|
|
511
|
<tr>
|
|
512
|
<td width="22%" valign="top" class="vncellreq">Disabled</td>
|
|
513
|
<td width="78%" class="vtable">
|
|
514
|
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
|
|
515
|
<strong>Disable this rule</strong><br />
|
|
516
|
<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
|
|
517
|
</td>
|
|
518
|
</tr>
|
|
519
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
|
520
|
<tr>
|
|
521
|
<td width="22%" valign="top" class="vncellreq"><?=gettext("Quick");?></td>
|
|
522
|
<td width="78%" class="vtable">
|
|
523
|
<input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
|
|
524
|
<strong><?=gettext("Apply the action immediately on match.");?></strong><br />
|
|
525
|
<span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
|
|
526
|
</td>
|
|
527
|
</tr>
|
|
528
|
<? endif; ?>
|
|
529
|
<tr>
|
|
530
|
<td width="22%" valign="top" class="vncellreq">Interface</td>
|
|
531
|
<td width="78%" class="vtable">
|
|
532
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
|
533
|
<select name="interface[]" multiple="true" class="formselect" size="3">
|
|
534
|
<? else: ?>
|
|
535
|
<select name="interface" class="formselect">
|
|
536
|
<?php
|
|
537
|
endif;
|
|
538
|
/* add group interfaces */
|
|
539
|
if (is_array($config['ifgroups']['ifgroupentry']))
|
|
540
|
foreach($config['ifgroups']['ifgroupentry'] as $ifgen)
|
|
541
|
if (have_ruleint_access($ifgen['ifname']))
|
|
542
|
$interfaces[$ifgen['ifname']] = $ifgen['ifname'];
|
|
543
|
|
|
544
|
$ifdescs = get_configured_interface_with_descr();
|
|
545
|
|
|
546
|
foreach ($ifdescs as $ifent => $ifdesc)
|
|
547
|
if(have_ruleint_access($ifent))
|
|
548
|
$interfaces[$ifent] = $ifdesc;
|
|
549
|
|
|
550
|
if ($config['l2tp']['mode'] == "server")
|
|
551
|
if(have_ruleint_access("l2tp"))
|
|
552
|
$interfaces['l2tp'] = "L2TP VPN";
|
|
553
|
|
|
554
|
if ($config['pptpd']['mode'] == "server")
|
|
555
|
if(have_ruleint_access("pptp"))
|
|
556
|
$interfaces['pptp'] = "PPTP VPN";
|
|
557
|
|
|
558
|
if ($config['pppoe']['mode'] == "server")
|
|
559
|
if(have_ruleint_access("pppoe"))
|
|
560
|
$interfaces['pppoe'] = "PPPoE VPN";
|
|
561
|
|
|
562
|
/* add ipsec interfaces */
|
|
563
|
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
|
|
564
|
if(have_ruleint_access("enc0"))
|
|
565
|
$interfaces["enc0"] = "IPsec";
|
|
566
|
|
|
567
|
/* add openvpn/tun interfaces */
|
|
568
|
if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
|
|
569
|
$interfaces["openvpn"] = "OpenVPN";
|
|
570
|
|
|
571
|
foreach ($interfaces as $iface => $ifacename): ?>
|
|
572
|
<option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option>
|
|
573
|
<?php endforeach; ?>
|
|
574
|
</select>
|
|
575
|
<br />
|
|
576
|
<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
|
|
577
|
</td>
|
|
578
|
</tr>
|
|
579
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
|
580
|
<tr>
|
|
581
|
<td width="22%" valign="top" class="vncellreq"><?=gettext("Direction");?></td>
|
|
582
|
<td width="78%" class="vtable">
|
|
583
|
<select name="direction" class="formselect">
|
|
584
|
<?php $directions = array('any', 'in', 'out');
|
|
585
|
foreach ($directions as $direction): ?>
|
|
586
|
<option value="<?=$direction;?>"
|
|
587
|
<?php if ($direction == $pconfig['direction']): ?>
|
|
588
|
selected="selected"
|
|
589
|
<?php endif; ?>
|
|
590
|
><?=$direction;?></option>
|
|
591
|
<?php endforeach; ?>
|
|
592
|
</select>
|
|
593
|
<input type="hidden" id="floating" name="floating" value="floating">
|
|
594
|
</td>
|
|
595
|
<tr>
|
|
596
|
<?php endif; ?>
|
|
597
|
<tr>
|
|
598
|
<td width="22%" valign="top" class="vncellreq">Protocol</td>
|
|
599
|
<td width="78%" class="vtable">
|
|
600
|
<select name="proto" class="formselect" onchange="proto_change()">
|
|
601
|
<?php
|
|
602
|
$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
|
|
603
|
foreach ($protocols as $proto): ?>
|
|
604
|
<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
|
|
605
|
<?php endforeach; ?>
|
|
606
|
</select>
|
|
607
|
<br />
|
|
608
|
<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em> here.</span>
|
|
609
|
</td>
|
|
610
|
</tr>
|
|
611
|
<tr id="icmpbox" name="icmpbox">
|
|
612
|
<td valign="top" class="vncell">ICMP type</td>
|
|
613
|
<td class="vtable">
|
|
614
|
<select name="icmptype" class="formselect">
|
|
615
|
<?php
|
|
616
|
$icmptypes = array(
|
|
617
|
"" => "any",
|
|
618
|
"echorep" => "Echo reply",
|
|
619
|
"unreach" => "Destination unreachable",
|
|
620
|
"squench" => "Source quench",
|
|
621
|
"redir" => "Redirect",
|
|
622
|
"althost" => "Alternate Host",
|
|
623
|
"echoreq" => "Echo",
|
|
624
|
"routeradv" => "Router advertisement",
|
|
625
|
"routersol" => "Router solicitation",
|
|
626
|
"timex" => "Time exceeded",
|
|
627
|
"paramprob" => "Invalid IP header",
|
|
628
|
"timereq" => "Timestamp",
|
|
629
|
"timerep" => "Timestamp reply",
|
|
630
|
"inforeq" => "Information request",
|
|
631
|
"inforep" => "Information reply",
|
|
632
|
"maskreq" => "Address mask request",
|
|
633
|
"maskrep" => "Address mask reply"
|
|
634
|
);
|
|
635
|
|
|
636
|
foreach ($icmptypes as $icmptype => $descr): ?>
|
|
637
|
<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
|
|
638
|
<?php endforeach; ?>
|
|
639
|
</select>
|
|
640
|
<br />
|
|
641
|
<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
|
|
642
|
</td>
|
|
643
|
</tr>
|
|
644
|
<tr>
|
|
645
|
<td width="22%" valign="top" class="vncellreq">Source</td>
|
|
646
|
<td width="78%" class="vtable">
|
|
647
|
<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
|
|
648
|
<strong>not</strong>
|
|
649
|
<br />
|
|
650
|
Use this option to invert the sense of the match.
|
|
651
|
<br />
|
|
652
|
<br />
|
|
653
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
654
|
<tr>
|
|
655
|
<td>Type: </td>
|
|
656
|
<td>
|
|
657
|
<select name="srctype" class="formselect" onChange="typesel_change()">
|
|
658
|
<?php
|
|
659
|
$sel = is_specialnet($pconfig['src']); ?>
|
|
660
|
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
|
|
661
|
<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
|
|
662
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
|
|
663
|
<?php if(have_ruleint_access("pptp")): ?>
|
|
664
|
<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
|
|
665
|
<?php endif; ?>
|
|
666
|
<?php if(have_ruleint_access("pppoe")): ?>
|
|
667
|
<option value="pppoe" <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
|
|
668
|
<?php endif; ?>
|
|
669
|
<?php if(have_ruleint_access("l2tp")): ?>
|
|
670
|
<option value="l2tp" <?php if ($pconfig['src'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
|
|
671
|
<?php endif; ?>
|
|
672
|
<?php
|
|
673
|
foreach ($ifdisp as $ifent => $ifdesc): ?>
|
|
674
|
<?php if(have_ruleint_access($ifent)): ?>
|
|
675
|
<option value="<?=$ifent;?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
|
|
676
|
<option value="<?=$ifent;?>ip"<?php if ($pconfig['src'] == $ifent . "ip") { echo "selected"; } ?>>
|
|
677
|
<?=$ifdesc?> address
|
|
678
|
</option>
|
|
679
|
<?php endif; ?>
|
|
680
|
<?php endforeach; ?>
|
|
681
|
</select>
|
|
682
|
</td>
|
|
683
|
</tr>
|
|
684
|
<tr>
|
|
685
|
<td>Address: </td>
|
|
686
|
<td>
|
|
687
|
<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
|
|
688
|
<select name="srcmask" class="formselect" id="srcmask">
|
|
689
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
|
690
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
|
|
691
|
<?php endfor; ?>
|
|
692
|
</select>
|
|
693
|
</td>
|
|
694
|
</tr>
|
|
695
|
</table>
|
|
696
|
<div id="showadvancedboxspr">
|
|
697
|
<p>
|
|
698
|
<input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
|
|
699
|
</div>
|
|
700
|
</td>
|
|
701
|
</tr>
|
|
702
|
<tr style="display:none" id="sprtable" name="sprtable">
|
|
703
|
<td width="22%" valign="top" class="vncellreq">Source port range</td>
|
|
704
|
<td width="78%" class="vtable">
|
|
705
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
706
|
<tr>
|
|
707
|
<td>from: </td>
|
|
708
|
<td>
|
|
709
|
<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
|
|
710
|
<option value="">(other)</option>
|
|
711
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
712
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
713
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
714
|
<?php endforeach; ?>
|
|
715
|
</select>
|
|
716
|
<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
|
|
717
|
</td>
|
|
718
|
</tr>
|
|
719
|
<tr>
|
|
720
|
<td>to:</td>
|
|
721
|
<td>
|
|
722
|
<select name="srcendport" class="formselect" onchange="ext_change()">
|
|
723
|
<option value="">(other)</option>
|
|
724
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
725
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
726
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
727
|
<?php endforeach; ?>
|
|
728
|
</select>
|
|
729
|
<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
|
|
730
|
</td>
|
|
731
|
</tr>
|
|
732
|
</table>
|
|
733
|
<br />
|
|
734
|
<span class="vexpl">Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any"). <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
|
|
735
|
<span class="vexpl"><B>NOTE:</B> You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!</span>
|
|
736
|
</td>
|
|
737
|
</tr>
|
|
738
|
<tr>
|
|
739
|
<td width="22%" valign="top" class="vncell">Source OS</td>
|
|
740
|
<td width="78%" class="vtable">OS Type:
|
|
741
|
<select name="os" id="os" class="formselect">
|
|
742
|
<?php
|
|
743
|
$ostypes = array(
|
|
744
|
"" => "any",
|
|
745
|
"AIX" => "AIX",
|
|
746
|
"Linux" => "Linux",
|
|
747
|
"FreeBSD" => "FreeBSD",
|
|
748
|
"NetBSD" => "NetBSD",
|
|
749
|
"OpenBSD" => "OpenBSD",
|
|
750
|
"Solaris" => "Solaris",
|
|
751
|
"MacOS" => "MacOS",
|
|
752
|
"Windows" => "Windows",
|
|
753
|
"Novell" => "Novell",
|
|
754
|
"NMAP" => "NMAP"
|
|
755
|
);
|
|
756
|
|
|
757
|
foreach ($ostypes as $ostype => $descr): ?>
|
|
758
|
<option value="<?=$ostype;?>" <?php if ($ostype == $pconfig['os']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
|
|
759
|
<?php endforeach; ?>
|
|
760
|
</select>
|
|
761
|
<br />
|
|
762
|
Note: this only works for TCP rules
|
|
763
|
</td>
|
|
764
|
</tr>
|
|
765
|
<tr>
|
|
766
|
<td width="22%" valign="top" class="vncellreq">Destination</td>
|
|
767
|
<td width="78%" class="vtable">
|
|
768
|
<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
|
|
769
|
<strong>not</strong>
|
|
770
|
<br />
|
|
771
|
Use this option to invert the sense of the match.
|
|
772
|
<br />
|
|
773
|
<br />
|
|
774
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
775
|
<tr>
|
|
776
|
<td>Type: </td>
|
|
777
|
<td>
|
|
778
|
<select name="dsttype" class="formselect" onChange="typesel_change()">
|
|
779
|
<?php
|
|
780
|
$sel = is_specialnet($pconfig['dst']); ?>
|
|
781
|
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
|
|
782
|
<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
|
|
783
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
|
|
784
|
<?php if(have_ruleint_access("pptp")): ?>
|
|
785
|
<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
|
|
786
|
<?php endif; ?>
|
|
787
|
<?php if(have_ruleint_access("pppoe")): ?>
|
|
788
|
<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
|
|
789
|
<?php endif; ?>
|
|
790
|
<?php if(have_ruleint_access("l2tp")): ?>
|
|
791
|
<option value="l2tp" <?php if ($pconfig['dst'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
|
|
792
|
<?php endif; ?>
|
|
793
|
|
|
794
|
<?php foreach ($ifdisp as $if => $ifdesc): ?>
|
|
795
|
<?php if(have_ruleint_access($if)): ?>
|
|
796
|
<option value="<?=$if;?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
|
|
797
|
<option value="<?=$if;?>ip"<?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
|
|
798
|
<?=$ifdesc;?> address
|
|
799
|
</option>
|
|
800
|
<?php endif; ?>
|
|
801
|
<?php endforeach; ?>
|
|
802
|
</select>
|
|
803
|
</td>
|
|
804
|
</tr>
|
|
805
|
<tr>
|
|
806
|
<td>Address: </td>
|
|
807
|
<td>
|
|
808
|
<input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
|
809
|
/
|
|
810
|
<select name="dstmask" class="formselect" id="dstmask">
|
|
811
|
<?php
|
|
812
|
for ($i = 31; $i > 0; $i--): ?>
|
|
813
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
|
|
814
|
<?php endfor; ?>
|
|
815
|
</select>
|
|
816
|
</td>
|
|
817
|
</tr>
|
|
818
|
</table>
|
|
819
|
|
|
820
|
</td>
|
|
821
|
</tr>
|
|
822
|
<tr id="dprtr" name="dprtr">
|
|
823
|
<td width="22%" valign="top" class="vncellreq">Destination port range </td>
|
|
824
|
<td width="78%" class="vtable">
|
|
825
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
826
|
<tr>
|
|
827
|
<td>from: </td>
|
|
828
|
<td>
|
|
829
|
<select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
|
|
830
|
<option value="">(other)</option>
|
|
831
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
832
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
833
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
834
|
<?php endforeach; ?>
|
|
835
|
</select>
|
|
836
|
<input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
|
|
837
|
</td>
|
|
838
|
</tr>
|
|
839
|
<tr>
|
|
840
|
<td>to:</td>
|
|
841
|
<td>
|
|
842
|
<select name="dstendport" class="formselect" onchange="ext_change()">
|
|
843
|
<option value="">(other)</option>
|
|
844
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
845
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
846
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
847
|
<?php endforeach; ?>
|
|
848
|
</select>
|
|
849
|
<input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
|
|
850
|
</td>
|
|
851
|
</tr>
|
|
852
|
</table>
|
|
853
|
<br />
|
|
854
|
<span class="vexpl">
|
|
855
|
Specify the port or port range for the destination of the packet for this rule.
|
|
856
|
<br />
|
|
857
|
Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
|
|
858
|
</span>
|
|
859
|
</td>
|
|
860
|
</tr>
|
|
861
|
<tr>
|
|
862
|
<td width="22%" valign="top" class="vncellreq">Diffserv Code Point</td>
|
|
863
|
<td width="78%" class="vtable">
|
|
864
|
<input name="dscp" id="dscp" value="<?=htmlspecialchars($pconfig['dscp']);?>">
|
|
865
|
<br />
|
|
866
|
<span class="vexpl">Valid values are: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, EF, 1-64, 0x04-0xfc.</span>
|
|
867
|
</td>
|
|
868
|
</tr>
|
|
869
|
<tr>
|
|
870
|
<td width="22%" valign="top" class="vncellreq">Log</td>
|
|
871
|
<td width="78%" class="vtable">
|
|
872
|
<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
|
|
873
|
<strong>Log packets that are handled by this rule</strong>
|
|
874
|
<br />
|
|
875
|
<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
|
|
876
|
</td>
|
|
877
|
</tr>
|
|
878
|
<tr>
|
|
879
|
<td width="22%" valign="top" class="vncell">Advanced Options</td>
|
|
880
|
<td width="78%" class="vtable">
|
|
881
|
<div id="aoadv" name="aoadv">
|
|
882
|
<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced options
|
|
883
|
</div>
|
|
884
|
<div id="aodivmain" name="aodivmain" style="display:none">
|
|
885
|
|
|
886
|
<input type="checkbox" id="allowopts" value="yes" name="allowopts"<?php if($pconfig['allowopts'] == true) echo " checked"; ?>>
|
|
887
|
<br/><span class="vexpl"><?=gettext("This allows packets with ip options to pass otherwise they are blocked by default i.e. with multicast routing/proxing.");?>
|
|
888
|
</span><p>
|
|
889
|
<input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
|
|
890
|
<br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other nat/filter rules. It is called <b>Policy filtering</b>");?>
|
|
891
|
</span><p>
|
|
892
|
<input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>">
|
|
893
|
<br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?>
|
|
894
|
</span> <p>
|
|
895
|
<input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br> Simultaneous client connection limit<p>
|
|
896
|
<input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br> Maximum state entries per host<p>
|
|
897
|
<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo $pconfig['max-src-conn-rate'] ?>"> /
|
|
898
|
<select name="max-src-conn-rates" id="max-src-conn-rates">
|
|
899
|
<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
|
|
900
|
<?php for($x=1; $x<255; $x++) {
|
|
901
|
if($x == $pconfig['max-src-conn-rates']) $selected = " selected"; else $selected = "";
|
|
902
|
echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
|
|
903
|
} ?>
|
|
904
|
</select><br />
|
|
905
|
Maximum new connections / per second
|
|
906
|
<p>
|
|
907
|
|
|
908
|
<input name="statetimeout" value="<?php echo $pconfig['statetimeout'] ?>"><br>
|
|
909
|
State Timeout in seconds
|
|
910
|
<p />
|
|
911
|
|
|
912
|
<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
|
|
913
|
</div>
|
|
914
|
</td>
|
|
915
|
</tr>
|
|
916
|
<tr>
|
|
917
|
<td width="22%" valign="top" class="vncell">State Type</td>
|
|
918
|
<td width="78%" class="vtable">
|
|
919
|
<div id="showadvstatebox">
|
|
920
|
<input type="button" onClick="show_advanced_state()" value="Advanced"></input> - Show state</a>
|
|
921
|
</div>
|
|
922
|
<div id="showstateadv" style="display:none">
|
|
923
|
<select name="statetype">
|
|
924
|
<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
|
|
925
|
<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
|
|
926
|
<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
|
|
927
|
</select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
|
|
928
|
<p>
|
|
929
|
<table width="90%">
|
|
930
|
<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
|
|
931
|
<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
|
|
932
|
<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track. This is only useful if you're doing advanced queueing in certain situations. Please check the documentation.</ul></td></tr>
|
|
933
|
</table>
|
|
934
|
</p>
|
|
935
|
</div>
|
|
936
|
</td>
|
|
937
|
</tr>
|
|
938
|
<tr>
|
|
939
|
<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
|
|
940
|
<td width="78%" class="vtable">
|
|
941
|
<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
|
|
942
|
HINT: This prevents the rule from automatically syncing to other carp members.
|
|
943
|
</td>
|
|
944
|
</tr>
|
|
945
|
<?php
|
|
946
|
//build list of schedules
|
|
947
|
$schedules = array();
|
|
948
|
$schedules[] = "none";//leave none to leave rule enabled all the time
|
|
949
|
if(is_array($config['schedules']['schedule'])) {
|
|
950
|
foreach ($config['schedules']['schedule'] as $schedule) {
|
|
951
|
if ($schedule['name'] <> "")
|
|
952
|
$schedules[] = $schedule['name'];
|
|
953
|
}
|
|
954
|
}
|
|
955
|
?>
|
|
956
|
<tr>
|
|
957
|
<td width="22%" valign="top" class="vncell">Schedule</td>
|
|
958
|
<td width="78%" class="vtable">
|
|
959
|
<select name='sched'>
|
|
960
|
<?php
|
|
961
|
foreach($schedules as $schedule) {
|
|
962
|
if($schedule == $pconfig['sched']) {
|
|
963
|
$selected = " SELECTED";
|
|
964
|
} else {
|
|
965
|
$selected = "";
|
|
966
|
}
|
|
967
|
if ($schedule == "none") {
|
|
968
|
echo "<option value=\"\" {$selected}>{$schedule}</option>\n";
|
|
969
|
} else {
|
|
970
|
echo "<option value=\"{$schedule}\" {$selected}>{$schedule}</option>\n";
|
|
971
|
}
|
|
972
|
}?>
|
|
973
|
</select>
|
|
974
|
<p>Leave as 'none' to leave the rule enabled all the time.</p>
|
|
975
|
</td>
|
|
976
|
</tr>
|
|
977
|
|
|
978
|
<?php
|
|
979
|
/* build a list of gateways */
|
|
980
|
$gateways = array();
|
|
981
|
$gateways[] = "default"; // default to don't use this feature :)
|
|
982
|
if (is_array($config['gateways']['gateway_item'])) {
|
|
983
|
foreach($config['gateways']['gateway_item'] as $gw_item) {
|
|
984
|
if($gw_item['gateway'] <> "")
|
|
985
|
$gateways[] = $gw_item['name'];
|
|
986
|
}
|
|
987
|
}
|
|
988
|
|
|
989
|
?>
|
|
990
|
<tr>
|
|
991
|
<td width="22%" valign="top" class="vncell">Gateway</td>
|
|
992
|
<td width="78%" class="vtable">
|
|
993
|
<select name='gateway'>
|
|
994
|
<?php
|
|
995
|
foreach($gateways as $gw) {
|
|
996
|
if($gw == "")
|
|
997
|
continue;
|
|
998
|
if($gw == $pconfig['gateway']) {
|
|
999
|
$selected = " SELECTED";
|
|
1000
|
} else {
|
|
1001
|
$selected = "";
|
|
1002
|
}
|
|
1003
|
if ($gw == "default") {
|
|
1004
|
echo "<option value=\"\" {$selected}>{$gw}</option>\n";
|
|
1005
|
} else {
|
|
1006
|
$gwip = lookup_gateway_ip_by_name($gw);
|
|
1007
|
echo "<option value=\"{$gw}\" {$selected}>{$gw} - {$gwip}</option>\n";
|
|
1008
|
}
|
|
1009
|
}
|
|
1010
|
/* add gateway groups to the list */
|
|
1011
|
if (is_array($config['gateways']['gateway_group'])) {
|
|
1012
|
foreach($config['gateways']['gateway_group'] as $gw_group) {
|
|
1013
|
if($gw_group['name'] == "")
|
|
1014
|
continue;
|
|
1015
|
if($pconfig['gateway'] == $gw_group['name']) {
|
|
1016
|
echo "<option value=\"{$gw_group['name']}\" SELECTED>{$gw_group['name']}</option>\n";
|
|
1017
|
} else {
|
|
1018
|
echo "<option value=\"{$gw_group['name']}\">{$gw_group['name']}</option>\n";
|
|
1019
|
}
|
|
1020
|
}
|
|
1021
|
}
|
|
1022
|
$iflist = get_configured_interface_with_descr();
|
|
1023
|
foreach ($iflist as $ifent => $ifdesc) {
|
|
1024
|
if (in_array($config['interfaces'][$ifent]['ipaddr'],
|
|
1025
|
array("dhcp", "pppoe", "pptp"))) {
|
|
1026
|
if ($pconfig['gateway'] == $ifent) {
|
|
1027
|
$selected = " SELECTED";
|
|
1028
|
} else {
|
|
1029
|
$selected = "";
|
|
1030
|
}
|
|
1031
|
if($ifdesc <> "")
|
|
1032
|
echo "<option value=\"{$ifent}\" {$selected}>".strtoupper($if)." - {$ifdesc}</option>\n";
|
|
1033
|
}
|
|
1034
|
}
|
|
1035
|
?>
|
|
1036
|
</select>
|
|
1037
|
<p><strong>Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.</strong></p>
|
|
1038
|
</td>
|
|
1039
|
</tr>
|
|
1040
|
<tr>
|
|
1041
|
<td width="22%" valign="top" class="vncell">In/Out</td>
|
|
1042
|
<td width="78%" class="vtable">
|
|
1043
|
<select name="dnpipe">
|
|
1044
|
<?php
|
|
1045
|
if (!is_array($dnqlist))
|
|
1046
|
$dnqlist = array();
|
|
1047
|
echo "<option value=\"none\"";
|
|
1048
|
if (!$dnqselected) echo " SELECTED";
|
|
1049
|
echo " >none</option>";
|
|
1050
|
foreach ($dnqlist as $dnq => $dnqkey) {
|
|
1051
|
if($dnq == "")
|
|
1052
|
continue;
|
|
1053
|
echo "<option value=\"$dnqkey\"";
|
|
1054
|
if ($dnqkey == $pconfig['dnpipe']) {
|
|
1055
|
$dnqselected = 1;
|
|
1056
|
echo " SELECTED";
|
|
1057
|
}
|
|
1058
|
echo ">{$dnq}</option>";
|
|
1059
|
}
|
|
1060
|
?>
|
|
1061
|
</select> /
|
|
1062
|
<select name="pdnpipe">
|
|
1063
|
<?php
|
|
1064
|
$dnqselected = 0;
|
|
1065
|
echo "<option value=\"none\"";
|
|
1066
|
if (!$dnqselected) echo " SELECTED";
|
|
1067
|
echo " >none</option>";
|
|
1068
|
foreach ($dnqlist as $dnq => $dnqkey) {
|
|
1069
|
if($dnq == "")
|
|
1070
|
continue;
|
|
1071
|
echo "<option value=\"$dnqkey\"";
|
|
1072
|
if ($dnqkey == $pconfig['pdnpipe']) {
|
|
1073
|
$dnqselected = 1;
|
|
1074
|
echo " SELECTED";
|
|
1075
|
}
|
|
1076
|
echo ">{$dnq}</option>";
|
|
1077
|
}
|
|
1078
|
?>
|
|
1079
|
</select>
|
|
1080
|
<br />
|
|
1081
|
<span class="vexpl">Choose the Out queue/Virtual interface only if you have selected In too. <br/> The Out selection is applied to traffic going out the interface the rule is created, In is the incoming one. <br/> If you are creating a rule on the Floating tab if the direction is In then the same rules apply, if the direction is out the selections are reverted Out is for incoming and In is for outgoing and if you do not select any direction use only the In since the Out selection does not make sense in there to prevent oddities.</span>
|
|
1082
|
</td>
|
|
1083
|
</tr>
|
|
1084
|
|
|
1085
|
<tr>
|
|
1086
|
<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
|
|
1087
|
<td width="78%" class="vtable">
|
|
1088
|
<select name="ackqueue">
|
|
1089
|
<?php
|
|
1090
|
if (!is_array($qlist))
|
|
1091
|
$qlist = array();
|
|
1092
|
echo "<option value=\"none\"";
|
|
1093
|
if (!$qselected) echo " SELECTED";
|
|
1094
|
echo " >none</option>";
|
|
1095
|
foreach ($qlist as $q => $qkey) {
|
|
1096
|
if($q == "")
|
|
1097
|
continue;
|
|
1098
|
echo "<option value=\"$q\"";
|
|
1099
|
if ($q == $pconfig['ackqueue']) {
|
|
1100
|
$qselected = 1;
|
|
1101
|
echo " SELECTED";
|
|
1102
|
}
|
|
1103
|
echo ">{$q}</option>";
|
|
1104
|
}
|
|
1105
|
?>
|
|
1106
|
</select> /
|
|
1107
|
<select name="defaultqueue">
|
|
1108
|
<?php
|
|
1109
|
$qselected = 0;
|
|
1110
|
echo "<option value=\"none\"";
|
|
1111
|
if (!$qselected) echo " SELECTED";
|
|
1112
|
echo " >none</option>";
|
|
1113
|
foreach ($qlist as $q => $qkey) {
|
|
1114
|
if($q == "")
|
|
1115
|
continue;
|
|
1116
|
echo "<option value=\"$q\"";
|
|
1117
|
if ($q == $pconfig['defaultqueue']) {
|
|
1118
|
$qselected = 1;
|
|
1119
|
echo " SELECTED";
|
|
1120
|
}
|
|
1121
|
echo ">{$q}</option>";
|
|
1122
|
}
|
|
1123
|
?>
|
|
1124
|
</select>
|
|
1125
|
<br />
|
|
1126
|
<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
|
|
1127
|
</td>
|
|
1128
|
</tr>
|
|
1129
|
<tr>
|
|
1130
|
<td width="22%" valign="top" class="vncell">Layer7</td>
|
|
1131
|
<td width="78%" class="vtable">
|
|
1132
|
<select name="l7container">
|
|
1133
|
<?php
|
|
1134
|
if (!is_array($l7clist))
|
|
1135
|
$dnqlist = array();
|
|
1136
|
echo "<option value=\"none\"";
|
|
1137
|
echo " >none</option>";
|
|
1138
|
foreach ($l7clist as $l7ckey) {
|
|
1139
|
echo "<option value=\"{$l7ckey}\"";
|
|
1140
|
if ($l7ckey == $pconfig['l7container']) {
|
|
1141
|
echo " SELECTED";
|
|
1142
|
}
|
|
1143
|
echo ">{$l7ckey}</option>";
|
|
1144
|
}
|
|
1145
|
?>
|
|
1146
|
</select>
|
|
1147
|
<br/>
|
|
1148
|
<span class="vexpl">Choose a Layer7 container to apply application protocol inspection rules.
|
|
1149
|
This rule are valid for tcp and udp protocols for now.</span>
|
|
1150
|
</td>
|
|
1151
|
</tr>
|
|
1152
|
<tr>
|
|
1153
|
<td width="22%" valign="top" class="vncell">Description</td>
|
|
1154
|
<td width="78%" class="vtable">
|
|
1155
|
<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
|
|
1156
|
<br />
|
|
1157
|
<span class="vexpl">You may enter a description here for your reference.</span>
|
|
1158
|
</td>
|
|
1159
|
</tr>
|
|
1160
|
<tr>
|
|
1161
|
<td width="22%" valign="top"> </td>
|
|
1162
|
<td width="78%">
|
|
1163
|
<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
|
|
1164
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
|
1165
|
<input name="id" type="hidden" value="<?=$id;?>">
|
|
1166
|
<?php endif; ?>
|
|
1167
|
<input name="after" type="hidden" value="<?=$after;?>">
|
|
1168
|
</td>
|
|
1169
|
</tr>
|
|
1170
|
</table>
|
|
1171
|
</form>
|
|
1172
|
<script language="JavaScript">
|
|
1173
|
<!--
|
|
1174
|
ext_change();
|
|
1175
|
typesel_change();
|
|
1176
|
proto_change();
|
|
1177
|
|
|
1178
|
<?php
|
|
1179
|
$isfirst = 0;
|
|
1180
|
$aliases = "";
|
|
1181
|
$addrisfirst = 0;
|
|
1182
|
$aliasesaddr = "";
|
|
1183
|
if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
|
|
1184
|
foreach($config['aliases']['alias'] as $alias_name) {
|
|
1185
|
if(!stristr($alias_name['address'], ".")) {
|
|
1186
|
if($isfirst == 1) $aliases .= ",";
|
|
1187
|
$aliases .= "'" . $alias_name['name'] . "'";
|
|
1188
|
$isfirst = 1;
|
|
1189
|
} else {
|
|
1190
|
if($addrisfirst == 1) $aliasesaddr .= ",";
|
|
1191
|
$aliasesaddr .= "'" . $alias_name['name'] . "'";
|
|
1192
|
$addrisfirst = 1;
|
|
1193
|
}
|
|
1194
|
}
|
|
1195
|
?>
|
|
1196
|
|
|
1197
|
var addressarray=new Array(<?php echo $aliasesaddr; ?>);
|
|
1198
|
var customarray=new Array(<?php echo $aliases; ?>);
|
|
1199
|
|
|
1200
|
//-->
|
|
1201
|
</script>
|
|
1202
|
|
|
1203
|
|
|
1204
|
<?php include("fend.inc"); ?>
|
|
1205
|
</body>
|
|
1206
|
</html>
|
|
1207
|
|