<?php
2 b46bfcf5 Bill Marquette
/* $Id$ */
3 5b237745 Scott Ullrich
/*
4 bdb7d6e7 Scott Ullrich
	firewall_rules_edit.php
5 e4cabb75 Scott Ullrich
	part of pfSense (http://www.pfsense.com)
6
        Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)
7 5ba18897 Scott Ullrich
8 e4cabb75 Scott Ullrich
	originally part of m0n0wall (http://m0n0.ch/wall)
9 bdb7d6e7 Scott Ullrich
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
10
	All rights reserved.
11 5ba18897 Scott Ullrich
12 bdb7d6e7 Scott Ullrich
	Redistribution and use in source and binary forms, with or without
13
	modification, are permitted provided that the following conditions are met:
14 5ba18897 Scott Ullrich
15 bdb7d6e7 Scott Ullrich
	1. Redistributions of source code must retain the above copyright notice,
16
	   this list of conditions and the following disclaimer.
17 5ba18897 Scott Ullrich
18 bdb7d6e7 Scott Ullrich
	2. Redistributions in binary form must reproduce the above copyright
19
	   notice, this list of conditions and the following disclaimer in the
20
	   documentation and/or other materials provided with the distribution.
21 5ba18897 Scott Ullrich
22 bdb7d6e7 Scott Ullrich
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
23
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
24
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
26
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31
	POSSIBILITY OF SUCH DAMAGE.
32 5b237745 Scott Ullrich
*/
33
34 6b07c15a Matthew Grooms
##|+PRIV
35
##|*IDENT=page-firewall-rules-edit
36
##|*NAME=Firewall: Rules: Edit page
37
##|*DESCR=Allow access to the 'Firewall: Rules: Edit' page.
38
##|*MATCH=firewall_rules_edit.php*
39
##|-PRIV
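require("guiconfig.inc");

/* Keywords that may stand in for a source/destination address. */
$specialsrcdst = explode(" ", "any wanip lanip lan pptp pppoe");

if (!is_array($config['filter']['rule'])) {
	$config['filter']['rule'] = array();
}
filter_rules_sort();
/* Reference, not a copy: edits below land directly in $config. */
$a_filter = &$config['filter']['rule'];

/*
 * Index of the rule being edited. Only a numeric index is accepted, from GET
 * or POST alike (previously any GET value was taken as-is, while POST was
 * already checked with is_numeric()); POST wins on a re-submit after a
 * validation error. Absent or non-numeric leaves $id null, i.e. "new rule".
 */
$id = null;
if (isset($_GET['id']) && is_numeric($_GET['id']))
	$id = $_GET['id'];
if (isset($_POST['id']) && is_numeric($_POST['id']))
	$id = $_POST['id'];

/* Position after which a new rule is inserted; checked with is_numeric()
 * where it is used. */
$after = isset($_GET['after']) ? $_GET['after'] : null;
if (isset($_POST['after']))
	$after = $_POST['after'];

/* "dup": pre-fill the form from rule N and insert the copy right after it.
 * A non-numeric value behaves like no rule at all (form defaults, append). */
if (isset($_GET['dup'])) {
	$id = is_numeric($_GET['dup']) ? $_GET['dup'] : null;
	$after = $id;
}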
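if (isset($id) && $a_filter[$id]) {
	/* Editing (or duplicating) an existing rule: seed the form from the stored entry. */
	$pconfig['interface'] = $a_filter[$id]['interface'];

	/* Entries saved without a type are pass rules. */
	if (!isset($a_filter[$id]['type']))
		$pconfig['type'] = "pass";
	else
		$pconfig['type'] = $a_filter[$id]['type'];

	/* NOTE(review): $if is only assigned later in this file, after this block,
	 * so the "$if == FloatingRules" half of this test can only hold if
	 * guiconfig.inc sets it — confirm. */
	if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
		$pconfig['floating'] = $a_filter[$id]['floating'];
		if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
			$pconfig['interface'] = $a_filter[$id]['interface'];
	}

	/* NOTE(review): this tests the rule *list* ($a_filter), not the rule
	 * ($a_filter[$id]); the floating flag is already copied above, so this
	 * line looks dead — confirm before removing. */
	if (isset($a_filter['floating']))
		$pconfig['floating'] = "yes";

	if (isset($a_filter[$id]['direction']))
		$pconfig['direction'] = $a_filter[$id]['direction'];

	/* No stored protocol means the rule matches any protocol. */
	if (isset($a_filter[$id]['protocol']))
		$pconfig['proto'] = $a_filter[$id]['protocol'];
	else
		$pconfig['proto'] = "any";

	if ($a_filter[$id]['protocol'] == "icmp")
		$pconfig['icmptype'] = $a_filter[$id]['icmptype'];

	/* Unpack the stored source block into the flat address/mask/not/port fields. */
	address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
		$pconfig['srcmask'], $pconfig['srcnot'],
		$pconfig['srcbeginport'], $pconfig['srcendport']);

	if($a_filter[$id]['os'] <> "")
		$pconfig['os'] = $a_filter[$id]['os'];

	address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
		$pconfig['dstmask'], $pconfig['dstnot'],
		$pconfig['dstbeginport'], $pconfig['dstendport']);

	if ($a_filter[$id]['dscp'] <> "")
		$pconfig['dscp'] = $a_filter[$id]['dscp'];

	/* Boolean options are stored by presence of the key, not by its value. */
	$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
	$pconfig['log'] = isset($a_filter[$id]['log']);
	$pconfig['descr'] = $a_filter[$id]['descr'];

	if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
		$pconfig['tag'] = $a_filter[$id]['tag'];
	/* This used to test ['tag'] here as well (copy/paste slip), so a stored
	 * 'tagged' value was dropped from the form whenever no 'tag' was set. */
	if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tagged'] <> "")
		$pconfig['tagged'] = $a_filter[$id]['tagged'];
	if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
		$pconfig['quick'] = $a_filter[$id]['quick'];

	/* advanced */
	$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
	$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
	$pconfig['statetype'] = $a_filter[$id]['statetype'];
	$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];

	$pconfig['nosync'] = isset($a_filter[$id]['nosync']);

	/* advanced - new connection per second banning*/
	$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
	$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];

	/* Multi-WAN next-hop support */
	$pconfig['gateway'] = $a_filter[$id]['gateway'];

	/* Shaper support */
	$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
	$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];
	$pconfig['dnpipe'] = $a_filter[$id]['dnpipe'];
	$pconfig['pdnpipe'] = $a_filter[$id]['pdnpipe'];

	//schedule support
	$pconfig['sched'] = $a_filter[$id]['sched'];

} else {
	/* defaults for a new rule: interface from the query string, pass any -> any */
	if ($_GET['if'])
		$pconfig['interface'] = $_GET['if'];
	$pconfig['type'] = "pass";
	$pconfig['src'] = "any";
	$pconfig['dst'] = "any";
}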
/* Remember which interface the form belongs to; floating rules arrive here
 * with "FloatingRules" in place of a real interface name. */
$if = $pconfig['interface'];

/* A duplicate is saved as a new rule, never over the original: drop the index. */
if (isset($_GET['dup'])) {
	unset($id);
}
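if ($_POST) {

	/*
	 * Start with an empty error list. Every check below appends to it and the
	 * rule is only stored when the list is still empty at the end. (The list
	 * used to be unset() further down, after the reject/protocol check, which
	 * silently threw that first error away.)
	 */
	$input_errors = array();

	if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
		$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";

	/* Port ranges only apply to TCP/UDP; force them to 0 for every other protocol. */
	if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
		$_POST['srcbeginport'] = 0;
		$_POST['srcendport'] = 0;
		$_POST['dstbeginport'] = 0;
		$_POST['dstendport'] = 0;
	} else {
		/* The free-text "_cust" fields are used only when the drop-down is empty. */
		if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
			$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
		if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
			$_POST['srcendport'] = $_POST['srcendport_cust'];

		/* "any" means no port restriction (0/0); a missing end port means a single port. */
		if ($_POST['srcbeginport'] == "any") {
			$_POST['srcbeginport'] = 0;
			$_POST['srcendport'] = 0;
		} else {
			if (!$_POST['srcendport'])
				$_POST['srcendport'] = $_POST['srcbeginport'];
		}
		if ($_POST['srcendport'] == "any")
			$_POST['srcendport'] = $_POST['srcbeginport'];

		if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
			$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
		if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
			$_POST['dstendport'] = $_POST['dstendport_cust'];

		if ($_POST['dstbeginport'] == "any") {
			$_POST['dstbeginport'] = 0;
			$_POST['dstendport'] = 0;
		} else {
			if (!$_POST['dstendport'])
				$_POST['dstendport'] = $_POST['dstbeginport'];
		}
		if ($_POST['dstendport'] == "any")
			$_POST['dstendport'] = $_POST['dstbeginport'];
	}

	/* A special network keyword replaces the address and carries no mask;
	 * "single" is a host (/32) entry. */
	if (is_specialnet($_POST['srctype'])) {
		$_POST['src'] = $_POST['srctype'];
		$_POST['srcmask'] = 0;
	} else if ($_POST['srctype'] == "single") {
		$_POST['srcmask'] = 32;
	}
	if (is_specialnet($_POST['dsttype'])) {
		$_POST['dst'] = $_POST['dsttype'];
		$_POST['dstmask'] = 0;
	} else if ($_POST['dsttype'] == "single") {
		$_POST['dstmask'] = 32;
	}

	/* Re-populate the form from the submission so errors can be corrected in place. */
	$pconfig = $_POST;

	/*
	 * Reject, rather than sanitise, any field whose value would change under
	 * htmlentities(): the values are stored raw in the config and rendered by
	 * other pages, so markup characters must not get that far. The floating-rule
	 * interface field is a multi-select array and is skipped.
	 */
	foreach ($_POST as $key => $value) {
		if (isset($_POST['floating']) && $key == "interface")
			continue;
		if (htmlentities($value) <> $value)
			$input_errors[] = "Invalid characters detected ($value).  Please remove invalid characters and save again.";
	}

	/* input validation */
	$reqdfields = explode(" ", "type proto src dst");
	$reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");

	/* Non-default state-tracking modes only make sense for TCP. */
	if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
		if( $_POST['proto'] != "tcp" )
			$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
		if(($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
			$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
	}

	/* A network entry needs a bit count; specials and single hosts do not. */
	if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
		$reqdfields[] = "srcmask";
		$reqdfieldsn[] = "Source bit count";
	}
	if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
		$reqdfields[] = "dstmask";
		$reqdfieldsn[] = "Destination bit count";
	}

	/* NOTE(review): call-time pass-by-reference (&$arg at the call site) was
	 * removed in PHP 5.4; the '&' belongs on the callee's parameter instead. */
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);

	/* An empty begin port means "any", stored as 0/0. */
	if (!$_POST['srcbeginport']) {
		$_POST['srcbeginport'] = 0;
		$_POST['srcendport'] = 0;
	}
	if (!$_POST['dstbeginport']) {
		$_POST['dstbeginport'] = 0;
		$_POST['dstendport'] = 0;
	}

	/* Each port must be either a defined alias or a valid port number. */
	if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
		$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
	}
	if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
		$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
	}
	if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
		$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
	}
	/* This used to call alias_expand() on dstbeginport (copy/paste slip), so an
	 * unknown alias in the end port was accepted whenever the begin port was valid. */
	if (($_POST['dstendport'] && !alias_expand($_POST['dstendport']) && !is_port($_POST['dstendport']))) {
		$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
	}

	/* if user enters an alias and selects "network" then disallow. */
	if($_POST['srctype'] == "network") {
		if(is_alias($_POST['src']))
			$input_errors[] = "You must specify single host or alias for alias entries.";
	}
	if($_POST['dsttype'] == "network") {
		if(is_alias($_POST['dst']))
			$input_errors[] = "You must specify single host or alias for alias entries.";
	}

	if (!is_specialnet($_POST['srctype'])) {
		if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
			$input_errors[] = "A valid source IP address or alias must be specified.";
		}
		if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
			$input_errors[] = "A valid source bit count must be specified.";
		}
	}
	if (!is_specialnet($_POST['dsttype'])) {
		if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
			$input_errors[] = "A valid destination IP address or alias must be specified.";
		}
		if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
			$input_errors[] = "A valid destination bit count must be specified.";
		}
	}

	/* Stored ranges are always low..high; swap if entered the other way round. */
	if ($_POST['srcbeginport'] > $_POST['srcendport']) {
		$tmp = $_POST['srcendport'];
		$_POST['srcendport'] = $_POST['srcbeginport'];
		$_POST['srcbeginport'] = $tmp;
	}
	if ($_POST['dstbeginport'] > $_POST['dstendport']) {
		$tmp = $_POST['dstendport'];
		$_POST['dstendport'] = $_POST['dstbeginport'];
		$_POST['dstbeginport'] = $tmp;
	}

	if ($_POST['os'])
		if( $_POST['proto'] != "tcp" )
			$input_errors[] = "OS detection is only valid with protocol tcp.";

	/* An ACK queue is only meaningful alongside a (different) main queue. */
	if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
		if ($_POST['defaultqueue'] == "none" )
			$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
		else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
			$input_errors[] = "Acknowledge queue and Queue cannot be the same.";
	}

	/* Limiter pipes: Out requires In, both must differ, and both must be of the
	 * same kind. A leading "?" appears to mark a virtual interface rather than a
	 * queue. The kind check used to read the undefined locals $pdnpipe/$dnpipe
	 * instead of the posted values, so it never fired. */
	if ($_POST['pdnpipe'] && $_POST['pdnpipe'] != "none") {
		$dnpipe_kind = substr($_POST['dnpipe'], 0, 1);
		$pdnpipe_kind = substr($_POST['pdnpipe'], 0, 1);
		if ($_POST['dnpipe'] == "none" )
			$input_errors[] = "You must select a queue for the In direction before selecting one for Out too.";
		else if ($_POST['pdnpipe'] == $_POST['dnpipe'])
			$input_errors[] = "In and Out Queue cannot be the same.";
		else if ($pdnpipe_kind == "?" && $dnpipe_kind <> "?")
			$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
		else if ($dnpipe_kind == "?" && $pdnpipe_kind <> "?")
			$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
	}

	if (!$input_errors) {
		$filterent = array();
		$filterent['type'] = $_POST['type'];
		/* NOTE(review): the interface is stored as submitted; only the form's
		 * drop-down is filtered by have_ruleint_access(), so nothing here checks
		 * that the user may add rules on this interface — confirm whether that
		 * is enforced elsewhere. */
		if (isset($_POST['interface'] ))
			$filterent['interface'] = $_POST['interface'];

		if ($if == "FloatingRules" || isset($_POST['floating'])) {
			if (isset($_POST['tag']))
				$filterent['tag'] = $_POST['tag'];
			if (isset($_POST['tagged']))
				$filterent['tagged'] = $_POST['tagged'];
			$filterent['direction'] = $_POST['direction'];
			if (isset($_POST['quick']) && $_POST['quick'] <> "")
				$filterent['quick'] = $_POST['quick'];
			$filterent['floating'] = "yes";
			/* Floating rules may apply to several interfaces (multi-select),
			 * stored as a comma-separated list. */
			if (isset($_POST['interface']) && count($_POST['interface']) > 0)  {
				$filterent['interface'] = implode(",", $_POST['interface']);
			}
		}

		/* Advanced options */
		$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
		$filterent['max-src-states'] = $_POST['max-src-states'];
		$filterent['statetimeout'] = $_POST['statetimeout'];
		$filterent['statetype'] = $_POST['statetype'];
		$filterent['os'] = $_POST['os'];

		/* Nosync directive - do not xmlrpc sync this item */
		if($_POST['nosync'] <> "")
			$filterent['nosync'] = true;
		else
			unset($filterent['nosync']);

		/* unless both values are provided, unset the values - ticket #650 */
		if($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] <> "") {
			$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
			$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
		} else {
			unset($filterent['max-src-conn-rate']);
			unset($filterent['max-src-conn-rates']);
		}

		/* "any" protocol is stored as the absence of the key. */
		if ($_POST['proto'] != "any")
			$filterent['protocol'] = $_POST['proto'];
		else
			unset($filterent['protocol']);

		if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
			$filterent['icmptype'] = $_POST['icmptype'];
		else
			unset($filterent['icmptype']);

		/* Pack the flat form fields back into the <source>/<destination> blocks. */
		pconfig_to_address($filterent['source'], $_POST['src'],
			$_POST['srcmask'], $_POST['srcnot'],
			$_POST['srcbeginport'], $_POST['srcendport']);

		pconfig_to_address($filterent['destination'], $_POST['dst'],
			$_POST['dstmask'], $_POST['dstnot'],
			$_POST['dstbeginport'], $_POST['dstendport']);

		/* Boolean options are stored by presence of the key. */
		if ($_POST['disabled'])
			$filterent['disabled'] = true;
		else
			unset($filterent['disabled']);

		if ($_POST['dscp'])
			$filterent['dscp'] = $_POST['dscp'];

		if ($_POST['log'])
			$filterent['log'] = true;
		else
			unset($filterent['log']);
		/* presumably a project helper that copies at most 52 characters — not the C function */
		strncpy($filterent['descr'], $_POST['descr'], 52);

		if ($_POST['gateway'] != "") {
			$filterent['gateway'] = $_POST['gateway'];
		}

		if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
			$filterent['defaultqueue'] = $_POST['defaultqueue'];
			if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
				$filterent['ackqueue'] = $_POST['ackqueue'];
		}

		if (isset($_POST['dnpipe']) && $_POST['dnpipe'] != "none") {
			$filterent['dnpipe'] = $_POST['dnpipe'];
			if (isset($_POST['pdnpipe']) && $_POST['pdnpipe'] != "none")
				$filterent['pdnpipe'] = $_POST['pdnpipe'];
		}

		if ($_POST['sched'] != "") {
			$filterent['sched'] = $_POST['sched'];
		}

		/* Replace in place when editing; otherwise insert after $after, or append. */
		if (isset($id) && $a_filter[$id])
			$a_filter[$id] = $filterent;
		else {
			if (is_numeric($after))
				array_splice($a_filter, $after+1, 0, array($filterent));
			else
				$a_filter[] = $filterent;
		}

		write_config();
		/* Marks the ruleset as needing a reload (the "apply changes" prompt). */
		touch($d_filterconfdirty_path);

		/* Encode the interface name so a crafted value cannot add query
		 * parameters (or header lines) of its own to the redirect. */
		if (isset($_POST['floating']))
			header("Location: firewall_rules.php?if=FloatingRules");
		else
			header("Location: firewall_rules.php?if=" . urlencode($_POST['interface']));
		exit;
	}
}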
/* Page header: breadcrumb title and the name head.inc reports for this page.
 * $closehead = false presumably asks head.inc to leave <head> open; the
 * template below emits the closing </head> itself. */
$page_filename = "firewall_rules_edit.php";
$closehead = false;
$pgtitle = array("Firewall","Rules","Edit");
include("head.inc");
?>
453 da7ae7ef Bill Marquette
454 5b237745 Scott Ullrich
</head>
455
456
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
457
<?php include("fbegin.inc"); ?>
458
<?php if ($input_errors) print_input_errors($input_errors); ?>
459 8ab3e9ed Erik Kristensen
460
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
461
	<table width="100%" border="0" cellpadding="6" cellspacing="0">
462 e091cb45 Scott Ullrich
		<tr>
463
			<td colspan="2" valign="top" class="listtopic">Edit Firewall rule</td>
464
		</tr>	
465 8ab3e9ed Erik Kristensen
    	<tr>
466
			<td width="22%" valign="top" class="vncellreq">Action</td>
467
			<td width="78%" class="vtable">
468 b5c78501 Seth Mos
				<select name="type" class="formselect">
469 8ab3e9ed Erik Kristensen
					<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
470
					<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
471
					<?=htmlspecialchars($type);?>
472
					</option>
473
					<?php endforeach; ?>
474 8c84fe43 Scott Ullrich
				</select>
475 8ab3e9ed Erik Kristensen
				<br/>
476
				<span class="vexpl">
477
					Choose what to do with packets that match the criteria specified below. <br/>
478
					Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not &quot;TCP/UDP&quot;) below.
479
				</span>
480
			</td>
481
		</tr>
482
		<tr>
483
			<td width="22%" valign="top" class="vncellreq">Disabled</td>
484
			<td width="78%" class="vtable">
485
				<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
486
				<strong>Disable this rule</strong><br />
487
				<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
488
			</td>
489
		</tr>
490 661aed33 Ermal Luçi
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
491
		<tr>
492
                        <td width="22%" valign="top" class="vncellreq"><?=gettext("Quick");?></td>
493
                        <td width="78%" class="vtable">
494
                                <input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
495
                                <strong><?=gettext("Apply the action immediately on match.");?></strong><br />
496
                                <span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
497
                        </td>
498
                </tr>
499
<? endif; ?>
500 8ab3e9ed Erik Kristensen
		<tr>
501
			<td width="22%" valign="top" class="vncellreq">Interface</td>
502
			<td width="78%" class="vtable">
503 4633edc2 Ermal Luçi
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
504 8e6ac824 Ermal Luçi
				<select name="interface[]" multiple="true" class="formselect" size="3">
505 661aed33 Ermal Luçi
<? else: ?>
506 b5c78501 Seth Mos
				<select name="interface" class="formselect">
507 8ab3e9ed Erik Kristensen
<?php
508 661aed33 Ermal Luçi
   endif;
509 b7391125 Ermal Luçi
				$ifdescs = get_configured_interface_with_descr();
510
511 5335811d Ermal Luçi
				foreach ($ifdescs as $ifent => $ifdesc)
512
        				if(have_ruleint_access($ifent))
513
                				$interfaces[$ifent] = $ifdesc;
514 b6742927 Scott Ullrich
515
					if ($config['pptpd']['mode'] == "server")
516
						if(have_ruleint_access("pptp")) 
517
							$interfaces['pptp'] = "PPTP VPN";
518
					
519
					if ($config['pppoe']['mode'] == "server")
520
						if(have_ruleint_access("pppoe")) 
521
							$interfaces['pppoe'] = "PPPoE VPN";
522
					
523
					/* add ipsec interfaces */
524
					if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
525
						if(have_ruleint_access("enc0")) 
526 0f266b2e Chris Buechler
							$interfaces["enc0"] = "IPsec";
527 bfb60ac8 Ermal Luçi
		
528
					/* add openvpn/tun interfaces */
529 d799787e Matthew Grooms
					if  ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
530
       					$interfaces["openvpn"] = "OpenVPN";
531 b6742927 Scott Ullrich
532 8ab3e9ed Erik Kristensen
					foreach ($interfaces as $iface => $ifacename): ?>
533 661aed33 Ermal Luçi
						<option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option>
534 8ab3e9ed Erik Kristensen
<?php 				endforeach; ?>
535 8c84fe43 Scott Ullrich
				</select>
536 8ab3e9ed Erik Kristensen
				<br />
537
				<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
538
			</td>
539
		</tr>
540 661aed33 Ermal Luçi
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
541
                <tr>
542
                        <td width="22%" valign="top" class="vncellreq"><?=gettext("Direction");?></td>
543
                        <td width="78%" class="vtable">
544
                                 <select name="direction" class="formselect">
545
                                  <?php      $directions = array('any', 'in', 'out');
546
                                        foreach ($directions as $direction): ?>
547
                                                <option value="<?=$direction;?>"
548
                                                <?php if ($direction == $pconfig['direction']): ?>
549
                                                        selected="selected" 
550
						<?php endif; ?>
551
                                                ><?=$direction;?></option>
552
                  	                <?php endforeach; ?>      
553
                                </select>
554 0e640f76 Ermal Luçi
                		<input type="hidden" id="floating" name="floating" value="floating">
555 661aed33 Ermal Luçi
                        </td>
556
                <tr>
557
<?php endif; ?>
558 8ab3e9ed Erik Kristensen
		<tr>
559
			<td width="22%" valign="top" class="vncellreq">Protocol</td>
560
			<td width="78%" class="vtable">
561 b5c78501 Seth Mos
				<select name="proto" class="formselect" onchange="proto_change()">
562 8ab3e9ed Erik Kristensen
<?php
563 773861f6 Scott Ullrich
				$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
564 8ab3e9ed Erik Kristensen
				foreach ($protocols as $proto): ?>
565
					<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
566
<?php 			endforeach; ?>
567
				</select>
568
				<br />
569
				<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em> &nbsp;here.</span>
570
			</td>
571
		</tr>
572 3de8af0e Scott Ullrich
		<tr id="icmpbox" name="icmpbox">
573 8ab3e9ed Erik Kristensen
			<td valign="top" class="vncell">ICMP type</td>
574
			<td class="vtable">
575 b5c78501 Seth Mos
				<select name="icmptype" class="formselect">
576 8ab3e9ed Erik Kristensen
<?php
577
				$icmptypes = array(
578
				"" => "any",
579
				"echorep" => "Echo reply",
580
				"unreach" => "Destination unreachable",
581
				"squench" => "Source quench",
582
				"redir" => "Redirect",
583
				"althost" => "Alternate Host",
584
				"echoreq" => "Echo",
585
				"routeradv" => "Router advertisement",
586
				"routersol" => "Router solicitation",
587
				"timex" => "Time exceeded",
588
				"paramprob" => "Invalid IP header",
589
				"timereq" => "Timestamp",
590
				"timerep" => "Timestamp reply",
591
				"inforeq" => "Information request",
592
				"inforep" => "Information reply",
593
				"maskreq" => "Address mask request",
594
				"maskrep" => "Address mask reply"
595
				);
596
597
				foreach ($icmptypes as $icmptype => $descr): ?>
598
					<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
599
<?php 			endforeach; ?>
600
			</select>
601
			<br />
602
			<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
603
		</td>
604
		</tr>
605
		<tr>
606
			<td width="22%" valign="top" class="vncellreq">Source</td>
607
			<td width="78%" class="vtable">
608
				<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
609
				<strong>not</strong>
610
				<br />
611
				Use this option to invert the sense of the match.
612
				<br />
613
				<br />
614
				<table border="0" cellspacing="0" cellpadding="0">
615
					<tr>
616
						<td>Type:&nbsp;&nbsp;</td>
617
						<td>
618 b5c78501 Seth Mos
							<select name="srctype" class="formselect" onChange="typesel_change()">
619 8ab3e9ed Erik Kristensen
<?php
620
								$sel = is_specialnet($pconfig['src']); ?>
621
								<option value="any"     <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
622
								<option value="single"  <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
623
								<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
624 99ea4439 Scott Ullrich
								<?php if(have_ruleint_access("wan")): ?>
625 76934b05 Scott Ullrich
								<option value="wanip" 	<?php if ($pconfig['src'] == "wanip") { echo "selected"; } ?>>WAN address</option>
626 99ea4439 Scott Ullrich
								<?php endif; ?>
627
								<?php if(have_ruleint_access("lan")): ?>
628 acb31d29 Scott Ullrich
								<option value="lanip" 	<?php if ($pconfig['src'] == "lanip") { echo "selected"; } ?>>LAN address</option>
629 99ea4439 Scott Ullrich
								<?php endif; ?>
630
								<?php if(have_ruleint_access("lan")): ?>
631 8ab3e9ed Erik Kristensen
								<option value="lan"     <?php if ($pconfig['src'] == "lan") { echo "selected"; } ?>>LAN subnet</option>
632 99ea4439 Scott Ullrich
								<?php endif; ?>
633
								<?php if(have_ruleint_access("pptp")): ?>
634 8ab3e9ed Erik Kristensen
								<option value="pptp"    <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
635 99ea4439 Scott Ullrich
								<?php endif; ?>
636
								<?php if(have_ruleint_access("pppoe")): ?>
637 8c84fe43 Scott Ullrich
								<option value="pppoe"   <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
638 99ea4439 Scott Ullrich
								<?php endif; ?>								
639 8ab3e9ed Erik Kristensen
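<?php
								/* One "<if> subnet" and one "<if>ip" (interface address) choice
								   per configured interface the current user may reference.
								   The description is HTML-escaped in both labels, and the
								   "ip" option keeps a space between value="..." and the
								   optional "selected" so the attribute is well formed. */
								$ifdisp = get_configured_interface_with_descr();
								foreach ($ifdisp as $ifent => $ifdesc): ?>
								<?php if(have_ruleint_access($ifent)): ?>
									<option value="<?=$ifent;?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
									<option value="<?=$ifent;?>ip" <?php if ($pconfig['src'] == $ifent . "ip") { echo "selected"; } ?>>
										<?=htmlspecialchars($ifdesc);?> address
									</option>
								<?php endif; ?>
<?php 							endforeach; ?>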
649 8ab3e9ed Erik Kristensen
							</select>
650
						</td>
651
					</tr>
652
					<tr>
653
						<td>Address:&nbsp;&nbsp;</td>
654
						<td>
655
							<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
656 b5c78501 Seth Mos
							<select name="srcmask" class="formselect" id="srcmask">
657 8ab3e9ed Erik Kristensen
<?php
	// Source prefix-length choices 31..1, longest first (32 is covered by the
	// "Single host or alias" type above).
	foreach (range(31, 1) as $i) {
		$selattr = ($i == $pconfig['srcmask']) ? "selected" : "";
		echo "\t\t\t\t\t\t\t\t<option value=\"{$i}\" {$selattr}>{$i}</option>\n";
	}
?>
660
							</select>
661 bdb7d6e7 Scott Ullrich
						</td>
662 8ab3e9ed Erik Kristensen
					</tr>
663
				</table>
664 22abf2ef Scott Ullrich
				<div id="showadvancedboxspr">
665
					<p>
666 be812936 Scott Ullrich
					<input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
667 22abf2ef Scott Ullrich
				</div>
668 8ab3e9ed Erik Kristensen
			</td>
669 e33c8694 Bill Marquette
		</tr>
670 3de8af0e Scott Ullrich
		<tr style="display:none" id="sprtable" name="sprtable">
671 8ab3e9ed Erik Kristensen
			<td width="22%" valign="top" class="vncellreq">Source port range</td>
672
			<td width="78%" class="vtable">
673
				<table border="0" cellspacing="0" cellpadding="0">
674
					<tr>
675
						<td>from:&nbsp;&nbsp;</td>
676
						<td>
677 b5c78501 Seth Mos
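							<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php 							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
<?php
							/* $bfound is set above when the submitted value matched a listed
							   choice; otherwise the value is shown in the free-text box.
							   It is HTML-escaped because $pconfig is presumably re-populated
							   from the submitted form on a validation error, i.e. it is
							   request-controlled; only the fixed option values above are
							   safe to print verbatim. */
?>
							<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo htmlspecialchars($pconfig['srcbeginport']); ?>">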
685
						</td>
686
					</tr>
687
					<tr>
688
						<td>to:</td>
689
						<td>
690 b5c78501 Seth Mos
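							<select name="srcendport" class="formselect" onchange="ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php							endforeach; ?>
							</select>
<?php
							/* $bfound is set above when the submitted value matched a listed
							   choice; otherwise the value is shown in the free-text box.
							   It is HTML-escaped because $pconfig is presumably re-populated
							   from the submitted form on a validation error, i.e. it is
							   request-controlled. */
?>
							<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo htmlspecialchars($pconfig['srcendport']); ?>">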
698
						</td>
699
					</tr>
700
				</table>
701
				<br />
702 5548a077 Scott Ullrich
				<span class="vexpl">Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often &quot;any&quot;). <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
703 67199e71 Scott Ullrich
				<span class="vexpl"><B>NOTE:</B> You will not need to enter anything here in 99.99999% of the circumstances.  If you're unsure, do not enter anything here!</span>
704 8ab3e9ed Erik Kristensen
			</td>
705 8c84fe43 Scott Ullrich
		</tr>
706 8ab3e9ed Erik Kristensen
		<tr>
707 f281e32e Chris Buechler
			<td width="22%" valign="top" class="vncell">Source OS</td>
708 8ab3e9ed Erik Kristensen
			<td width="78%" class="vtable">OS Type:&nbsp;
709 b5c78501 Seth Mos
				<select name="os" id="os" class="formselect">
710 8ab3e9ed Erik Kristensen
<?php
		// Source-OS fingerprint choices; the "" key means "no OS restriction"
		// and is shown as "any".
		$ostypes = array(
			"" => "any",
			"AIX" => "AIX",
			"Linux" => "Linux",
			"FreeBSD" => "FreeBSD",
			"NetBSD" => "NetBSD",
			"OpenBSD" => "OpenBSD",
			"Solaris" => "Solaris",
			"MacOS" => "MacOS",
			"Windows" => "Windows",
			"Novell" => "Novell",
			"NMAP" => "NMAP"
		);
		foreach ($ostypes as $ostype => $descr) {
			$selattr = ($ostype == $pconfig['os']) ? "selected" : "";
			echo "\t\t\t\t\t\t<option value=\"{$ostype}\" {$selattr}>" . htmlspecialchars($descr) . "</option>\n";
		}
?>
728
				</select>
729
				<br />
730
				Note: this only works for TCP rules
731
			</td>
732 5ba18897 Scott Ullrich
		</tr>
733 8ab3e9ed Erik Kristensen
		<tr>
734
			<td width="22%" valign="top" class="vncellreq">Destination</td>
735
			<td width="78%" class="vtable">
736
				<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
737
				<strong>not</strong>
738
					<br />
739
				Use this option to invert the sense of the match.
740
					<br />
741
					<br />
742
				<table border="0" cellspacing="0" cellpadding="0">
743
					<tr>
744
						<td>Type:&nbsp;&nbsp;</td>
745
						<td>
746 b5c78501 Seth Mos
							<select name="dsttype" class="formselect" onChange="typesel_change()">
747 8ab3e9ed Erik Kristensen
<?php
748
								$sel = is_specialnet($pconfig['dst']); ?>
749
								<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
750
								<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
751
								<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
752 99ea4439 Scott Ullrich
								<?php if(have_ruleint_access("wan")): ?>
753 76934b05 Scott Ullrich
								<option value="wanip" <?php if ($pconfig['dst'] == "wanip") { echo "selected"; } ?>>WAN address</option>
754 99ea4439 Scott Ullrich
								<?php endif; ?>
755
								<?php if(have_ruleint_access("lan")): ?>
756 acb31d29 Scott Ullrich
								<option value="lanip" <?php if ($pconfig['dst'] == "lanip") { echo "selected"; } ?>>LAN address</option>
757 99ea4439 Scott Ullrich
								<?php endif; ?>
758
								<?php if(have_ruleint_access("lan")): ?>
759 8ab3e9ed Erik Kristensen
								<option value="lan" <?php if ($pconfig['dst'] == "lan") { echo "selected"; } ?>>LAN subnet</option>
760 99ea4439 Scott Ullrich
								<?php endif; ?>
761
								<?php if(have_ruleint_access("pptp")): ?>
762 8ab3e9ed Erik Kristensen
								<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
763 99ea4439 Scott Ullrich
								<?php endif; ?>
764
								<?php if(have_ruleint_access("pppoe")): ?>
765 8ab3e9ed Erik Kristensen
								<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
766 99ea4439 Scott Ullrich
								<?php endif; ?>								
767
								
768 b7391125 Ermal Luçi
769
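<?php
								/* Same per-interface "subnet" / "address" pairs as the source
								   selector; $ifdisp was filled there. The description is
								   HTML-escaped in both labels, and the "ip" option keeps a
								   space between value="..." and the optional "selected" so
								   the attribute is well formed. */
								foreach ($ifdisp as $if => $ifdesc): ?>
								<?php if(have_ruleint_access($if)): ?>
									<option value="<?=$if;?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
									<option value="<?=$if;?>ip" <?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
										<?=htmlspecialchars($ifdesc);?> address
									</option>
								<?php endif; ?>
<?php 							endforeach; ?>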
777 8ab3e9ed Erik Kristensen
							</select>
778
						</td>
779
					</tr>
780
					<tr>
781
						<td>Address:&nbsp;&nbsp;</td>
782
						<td>
783
							<input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
784
							/
785 b5c78501 Seth Mos
							<select name="dstmask" class="formselect" id="dstmask">
786 8ab3e9ed Erik Kristensen
<?php
	// Destination prefix-length choices 31..1, longest first (32 is covered
	// by the "Single host or alias" type above).
	foreach (range(31, 1) as $i) {
		$selattr = ($i == $pconfig['dstmask']) ? "selected" : "";
		echo "\t\t\t\t\t\t\t\t<option value=\"{$i}\" {$selattr}>{$i}</option>\n";
	}
?>
790
							</select>
791
						</td>
792
					</tr>
793
				</table>
794 5ba18897 Scott Ullrich
795 8ab3e9ed Erik Kristensen
			</td>
796
		</tr>
797 3de8af0e Scott Ullrich
		<tr id="dprtr" name="dprtr">
798 8ab3e9ed Erik Kristensen
			<td width="22%" valign="top" class="vncellreq">Destination port range </td>
799
			<td width="78%" class="vtable">
800
				<table border="0" cellspacing="0" cellpadding="0">
801
					<tr>
802
						<td>from:&nbsp;&nbsp;</td>
803
						<td>
804 b5c78501 Seth Mos
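							<select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php 							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
<?php
							/* $bfound is set above when the submitted value matched a listed
							   choice; otherwise the value is shown in the free-text box.
							   It is HTML-escaped because $pconfig is presumably re-populated
							   from the submitted form on a validation error, i.e. it is
							   request-controlled. */
?>
							<input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo htmlspecialchars($pconfig['dstbeginport']); ?>">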
812
						</td>
813
					</tr>
814
					<tr>
815
						<td>to:</td>
816
						<td>
817 b5c78501 Seth Mos
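							<select name="dstendport" class="formselect" onchange="ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
<?php
							/* $bfound is set above when the submitted value matched a listed
							   choice; otherwise the value is shown in the free-text box.
							   It is HTML-escaped because $pconfig is presumably re-populated
							   from the submitted form on a validation error, i.e. it is
							   request-controlled. */
?>
							<input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo htmlspecialchars($pconfig['dstendport']); ?>">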
825
						</td>
826
					</tr>
827
				</table>
828
				<br />
829
				<span class="vexpl">
830
					Specify the port or port range for the destination of the packet for this rule.
831
						<br />
832
					Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
833
				</span>
834
			</td>
835
		</tr>
836 c5fc1b2e Ermal Luçi
                <tr>
837
                        <td width="22%" valign="top" class="vncellreq">Diffserv Code Point</td>
838
                        <td width="78%" class="vtable">
839
                                <input name="dscp" id="dscp" value="<?=htmlspecialchars($pconfig['dscp']);?>">
840
                                        <br />
841
                                <span class="vexpl">Valid values are: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, EF, 1-64, 0x04-0xfc.</span>
842
                        </td>
843
                </tr>
844 8ab3e9ed Erik Kristensen
		<tr>
845
			<td width="22%" valign="top" class="vncellreq">Log</td>
846
			<td width="78%" class="vtable">
847
				<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
848
				<strong>Log packets that are handled by this rule</strong>
849
					<br />
850
				<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
851
			</td>
852
		</tr>
853 661aed33 Ermal Luçi
		<tr>
854 e6db3f58 Ermal Luçi
			<td width="22%" valign="top" class="vncell">Advanced Options</td>
855
			<td width="78%" class="vtable">
856
			<div id="aoadv" name="aoadv">
857
				<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced options
858
			</div>
859
			<div id="aodivmain" name="aodivmain" style="display:none">
860 661aed33 Ermal Luçi
861
                                <input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
862 ad3979f2 Ermal Luçi
                                <br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other nat/filter rules. It is called <b>Policy filtering</b>");?>
863 661aed33 Ermal Luçi
                                </span><p>
864 ad3979f2 Ermal Luçi
                                <input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>">
865
                                <br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?>
866 661aed33 Ermal Luçi
                                </span> <p>
867 8ab3e9ed Erik Kristensen
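				<?php /* Connection-limit fields. Escaped like the other text inputs on this page
				         (dscp, tag, descr): $pconfig is presumably echoed back from the submitted
				         form on a validation error, so a raw echo would reflect request data
				         unescaped into the attribute. */ ?>
				<input name="max-src-nodes" id="max-src-nodes" value="<?=htmlspecialchars($pconfig['max-src-nodes']);?>"><br> Simultaneous client connection limit<p>
				<input name="max-src-states" id="max-src-states" value="<?=htmlspecialchars($pconfig['max-src-states']);?>"><br> Maximum state entries per host<p>
				<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?=htmlspecialchars($pconfig['max-src-conn-rate']);?>"> /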
870
				<select name="max-src-conn-rates" id="max-src-conn-rates">
871
					<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
872
<?php
					// Divisor choices 1..254 for the connection-rate limit; the blank
					// option above covers the "not set" case.
					foreach (range(1, 254) as $x) {
						$selected = ($x == $pconfig['max-src-conn-rates']) ? " selected" : "";
						echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
					}
?>
876 47042140 Scott Ullrich
				</select><br />
877 8ab3e9ed Erik Kristensen
				Maximum new connections / per second
878 47042140 Scott Ullrich
				<p>
879
880
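				<input name="statetimeout" value="<?php /* escaped: $pconfig is presumably echoed back from the submitted form */ echo htmlspecialchars($pconfig['statetimeout']) ?>"><br>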
881 3906617b Scott Ullrich
				State Timeout in seconds
882 47042140 Scott Ullrich
				<p />
883
884 8ab3e9ed Erik Kristensen
				<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
885 197b2a47 Scott Ullrich
			  </div>
886 8ab3e9ed Erik Kristensen
			</td>
887
		</tr>
888
		<tr>
889
			<td width="22%" valign="top" class="vncell">State Type</td>
890
			<td width="78%" class="vtable">
891 f6970b2f Scott Ullrich
				<div id="showadvstatebox">
892
					<input type="button" onClick="show_advanced_state()" value="Advanced"></input> - Show state</a>
893
				</div>
894
				<div id="showstateadv" style="display:none">
895
					<select name="statetype">
896
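						<option value="keep state" <?php /* "keep state" is the default when nothing was submitted */ if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
						<option value="synproxy state" <?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
						<option value="none" <?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>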
899
					</select><br>HINT: Select which type of state tracking mechanism you would like to use.  If in doubt, use keep state.
900
					<p>
901
					<table width="90%">
902 c62ff4e7 Chris Buechler
						<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
903 8eb08ba7 Chris Buechler
						<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
904
						<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track.  This is only useful if you're doing advanced queueing in certain situations.  Please check the documentation.</ul></td></tr>
905 f6970b2f Scott Ullrich
					</table>
906
					</p>
907
			  </div>
908 8ab3e9ed Erik Kristensen
			</td>
909
		</tr>
910 10f21e70 Scott Ullrich
		<tr>
911
			<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
912
			<td width="78%" class="vtable">
913 c32518fa Scott Ullrich
				<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
914 782c65b8 Scott Ullrich
				HINT: This prevents the rule from automatically syncing to other carp members.
915 10f21e70 Scott Ullrich
			</td>
916 8c84fe43 Scott Ullrich
		</tr>
917 615b27bc Scott Dale
		<?php
			/* Collect the selectable schedule names; "none" comes first and
			   stands for "rule is active all the time". */
			$schedules = array("none");
			if (is_array($config['schedules']['schedule'])) {
				foreach ($config['schedules']['schedule'] as $schedule) {
					if ($schedule['name'] == "")
						continue;
					$schedules[] = $schedule['name'];
				}
			}
		?>
928
		<tr>
929
			<td width="22%" valign="top" class="vncell">Schedule</td>
930
			<td width="78%" class="vtable">
931
				<select name='sched'>
932
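<?php
				/* Schedule choices. "none" is stored as an empty value; every other
				   entry is a schedule name. Names are HTML-escaped on output because
				   they come from the config rather than from a fixed list.
				   NOTE(review): a schedule literally named "none" would collide with
				   the sentinel; whether that name is rejected elsewhere is not
				   visible here. */
				foreach ($schedules as $schedule) {
					$selected = ($schedule == $pconfig['sched']) ? " SELECTED" : "";
					$sched_value = ($schedule == "none") ? "" : htmlspecialchars($schedule);
					$sched_label = htmlspecialchars($schedule);
					echo "<option value=\"{$sched_value}\" {$selected}>{$sched_label}</option>\n";
				}
?>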
945
				</select>
946 49decb66 Scott Ullrich
				<p>Leave as 'none' to leave the rule enabled all the time.</p>
947 4cf2b7fd Scott Ullrich
				<strong>NOTE:  schedule logic can be a bit different.  Click <a target="_new" href='firewall_rules_schedule_logic.php'>here</a> for more information.</strong>
948 615b27bc Scott Dale
			</td>
949
		</tr>
950
		
951 8ab3e9ed Erik Kristensen
<?php
			/* Build the gateway choices: "default" first (use the system routing
			   table), then every configured gateway that has a gateway address. */
			$gateways = array("default");
			if (is_array($config['gateways']['gateway_item'])) {
				foreach ($config['gateways']['gateway_item'] as $gw_item) {
					if ($gw_item['gateway'] == "")
						continue;
					$gateways[] = $gw_item['name'];
				}
			}
?>
963 82628210 Scott Ullrich
		<tr>
964 8ab3e9ed Erik Kristensen
			<td width="22%" valign="top" class="vncell">Gateway</td>
965
			<td width="78%" class="vtable">
966
				<select name='gateway'>
967
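<?php
				/* Gateway choices, in three groups:
				   1. "default" (stored as "") plus each name from $gateways, labelled
				      with the gateway's address;
				   2. gateway groups from the config;
				   3. interfaces whose address is assigned dynamically (dhcp/pppoe/pptp),
				      selectable by interface key.
				   Names, addresses and descriptions are HTML-escaped on output; they
				   come from the config, not from a fixed list. */
				foreach ($gateways as $gw) {
					if ($gw == "")
						continue;
					$selected = ($gw == $pconfig['gateway']) ? " SELECTED" : "";
					if ($gw == "default") {
						echo "<option value=\"\" {$selected}>{$gw}</option>\n";
					} else {
						$gwip = lookup_gateway_ip_by_name($gw);
						$gw_html = htmlspecialchars($gw);
						echo "<option value=\"{$gw_html}\" {$selected}>{$gw_html} - " . htmlspecialchars($gwip) . "</option>\n";
					}
				}
				/* add gateway groups to the list */
				if (is_array($config['gateways']['gateway_group'])) {
					foreach ($config['gateways']['gateway_group'] as $gw_group) {
						if ($gw_group['name'] == "")
							continue;
						$selected = ($pconfig['gateway'] == $gw_group['name']) ? " SELECTED" : "";
						$name_html = htmlspecialchars($gw_group['name']);
						echo "<option value=\"{$name_html}\"{$selected}>{$name_html}</option>\n";
					}
				}
				/* dynamically addressed interfaces can be chosen as the gateway directly */
				$iflist = get_configured_interface_with_descr();
				foreach ($iflist as $ifent => $ifdesc) {
					if (!in_array($config['interfaces'][$ifent]['ipaddr'], array("dhcp", "pppoe", "pptp"), true))
						continue;
					if ($ifdesc == "")
						continue;
					$selected = ($pconfig['gateway'] == $ifent) ? " SELECTED" : "";
					/* the label must use this loop's key $ifent; $if is the loop variable
					   of the destination selector further up and is stale here */
					echo "<option value=\"{$ifent}\" {$selected}>" . strtoupper($ifent) . " - " . htmlspecialchars($ifdesc) . "</option>\n";
				}
?>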
1009
				</select>
1010 58a4eecd Bill Marquette
				<p><strong>Leave as 'default' to use the system routing table.  Or choose a gateway to utilize policy based routing.</strong></p>
1011 8ab3e9ed Erik Kristensen
			</td>
1012
		</tr>
1013 a5fd67e1 Ermal Luçi
		<tr>
1014
			<td width="22%" valign="top" class="vncell">In/Out</td>
1015
			<td width="78%" class="vtable">
1016
			<select name="dnpipe">
1017
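<?php
		read_dummynet_config(); /* XXX: */
		/* kept as a reference assignment as before; whether get_unique_dnqueue_list()
		   returns by reference is not visible here */
		$dnqlist =& get_unique_dnqueue_list();
		if (!is_array($dnqlist))
			$dnqlist = array();
		/* Decide up front whether a queue matches the saved value so that exactly
		   one option carries SELECTED; testing $dnqselected before any assignment
		   marks "none" as well as the real match and leaves the browser to break
		   the tie. Entries with an empty name are skipped, as in the listing. */
		$dnqselected = 0;
		foreach ($dnqlist as $dnq => $dnqkey) {
			if ($dnq != "" && $dnqkey == $pconfig['dnpipe']) {
				$dnqselected = 1;
				break;
			}
		}
		echo "<option value=\"none\"" . ($dnqselected ? "" : " SELECTED") . " >none</option>";
		/* value is the queue key, the label is the queue name; both are escaped
		   because they come from the config */
		foreach ($dnqlist as $dnq => $dnqkey) {
			if ($dnq == "")
				continue;
			$selattr = ($dnqkey == $pconfig['dnpipe']) ? " SELECTED" : "";
			echo "<option value=\"" . htmlspecialchars($dnqkey) . "\"{$selattr}>" . htmlspecialchars($dnq) . "</option>";
		}
?>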
1036
			</select> / 			
1037
			<select name="pdnpipe">
1038
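<?php
		/* Out-direction pipe/queue; $dnqlist was filled by the In selector above.
		   The match is computed before printing so that exactly one option carries
		   SELECTED ("none" only when nothing matches). Empty names are skipped. */
		$dnqselected = 0;
		foreach ($dnqlist as $dnq => $dnqkey) {
			if ($dnq != "" && $dnqkey == $pconfig['pdnpipe']) {
				$dnqselected = 1;
				break;
			}
		}
		echo "<option value=\"none\"" . ($dnqselected ? "" : " SELECTED") . " >none</option>";
		/* value is the queue key, the label is the queue name; both are escaped
		   because they come from the config */
		foreach ($dnqlist as $dnq => $dnqkey) {
			if ($dnq == "")
				continue;
			$selattr = ($dnqkey == $pconfig['pdnpipe']) ? " SELECTED" : "";
			echo "<option value=\"" . htmlspecialchars($dnqkey) . "\"{$selattr}>" . htmlspecialchars($dnq) . "</option>";
		}
?>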
1054
			</select>
1055
				<br />
1056
				<span class="vexpl">Choose the Out queue/Virtual interface only if you have selected In too. <br/> The Out selection is applied to traffic going out the interface the rule is created, In is the incoming one. <br/> If you are creating a rule on the Floating tab if the direction is In then the same rules apply, if the direction is out the selections are reverted Out is for incoming and In is for outgoing and if you do not select any direction use only the In since the Out selection does not make sense in there to prevent oddities.</span>
1057
			</td>
1058
		</tr>
1059
1060 197bfe96 Ermal Luçi
		<tr>
1061
			<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
1062
			<td width="78%" class="vtable">
1063
			<select name="ackqueue">
1064
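<?php
		read_altq_config(); /* XXX: */
		/* kept as a reference assignment as before; whether get_unique_queue_list()
		   returns by reference is not visible here */
		$qlist =& get_unique_queue_list();
		if (!is_array($qlist))
			$qlist = array();
		/* Decide up front whether a queue matches the saved value so that exactly
		   one option carries SELECTED; testing $qselected before any assignment
		   marks "none" as well as the real match and leaves the browser to break
		   the tie. Entries with an empty name are skipped, as in the listing. */
		$qselected = 0;
		foreach ($qlist as $q => $qkey) {
			if ($q != "" && $q == $pconfig['ackqueue']) {
				$qselected = 1;
				break;
			}
		}
		echo "<option value=\"none\"" . ($qselected ? "" : " SELECTED") . " >none</option>";
		/* here the queue name is both value and label; escaped because it comes
		   from the config */
		foreach ($qlist as $q => $qkey) {
			if ($q == "")
				continue;
			$selattr = ($q == $pconfig['ackqueue']) ? " SELECTED" : "";
			$q_html = htmlspecialchars($q);
			echo "<option value=\"{$q_html}\"{$selattr}>{$q_html}</option>";
		}
?>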
1083
			</select> / 			
1084
			<select name="defaultqueue">
1085
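<?php
		/* Default queue; $qlist was filled by the ackqueue selector above. The
		   match is computed before printing so that exactly one option carries
		   SELECTED ("none" only when nothing matches). Empty names are skipped. */
		$qselected = 0;
		foreach ($qlist as $q => $qkey) {
			if ($q != "" && $q == $pconfig['defaultqueue']) {
				$qselected = 1;
				break;
			}
		}
		echo "<option value=\"none\"" . ($qselected ? "" : " SELECTED") . " >none</option>";
		/* queue name is both value and label; escaped because it comes from the config */
		foreach ($qlist as $q => $qkey) {
			if ($q == "")
				continue;
			$selattr = ($q == $pconfig['defaultqueue']) ? " SELECTED" : "";
			$q_html = htmlspecialchars($q);
			echo "<option value=\"{$q_html}\"{$selattr}>{$q_html}</option>";
		}
?>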
1101
			</select>
1102
				<br />
1103
				<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
1104
			</td>
1105
		</tr>
1106 bca8e0ec Scott Ullrich
		<tr>
1107
			<td width="22%" valign="top" class="vncell">Description</td>
1108
			<td width="78%" class="vtable">
1109 b5c78501 Seth Mos
				<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
1110 bca8e0ec Scott Ullrich
				<br />
1111 586293d1 Scott Ullrich
				<span class="vexpl">You may enter a description here for your reference.</span>
1112 bca8e0ec Scott Ullrich
			</td>
1113
		</tr>
1114 8ab3e9ed Erik Kristensen
		<tr>
1115
			<td width="22%" valign="top">&nbsp;</td>
1116
			<td width="78%">
1117
				<input name="Submit" type="submit" class="formbtn" value="Save">  <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
1118
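<?php
				/* Hidden fields that carry the edit context back on submit. $id and
				   $after are set earlier in the file (presumably from the request; not
				   visible here) and are escaped so that a crafted value cannot break
				   out of the attribute. */
				if (isset($id) && $a_filter[$id]): ?>
					<input name="id" type="hidden" value="<?=htmlspecialchars($id);?>">
<?php 			endif; ?>
				<input name="after" type="hidden" value="<?=htmlspecialchars($after);?>">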
1122
			</td>
1123 82628210 Scott Ullrich
		</tr>
1124 8ab3e9ed Erik Kristensen
	</table>
1125 5b237745 Scott Ullrich
</form>
1126
<script language="JavaScript">
1127
<!--
1128 8ab3e9ed Erik Kristensen
	ext_change();
1129
	typesel_change();
1130
	proto_change();
1131 19757279 Scott Ullrich
1132
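<?php
	/* Build the two JavaScript array bodies used by the autocomplete arrays
	   below: $aliasesaddr lists aliases whose address contains a dot,
	   $aliases the rest. Each name is emitted as a JSON string literal so a
	   name containing a quote or backslash cannot terminate the literal and
	   inject script (whether alias names are restricted when saved is not
	   visible here).
	   NOTE(review): the "contains a dot" test is the original heuristic for
	   telling address aliases from port aliases; an address alias whose
	   entries carry no dot would be classified as a port alias — confirm
	   against the alias schema. */
	$port_alias_names = array();
	$addr_alias_names = array();
	if (is_array($config['aliases']['alias'])) {
		foreach ($config['aliases']['alias'] as $alias_name) {
			if (!stristr($alias_name['address'], ".")) {
				$port_alias_names[] = json_encode($alias_name['name']);
			} else {
				$addr_alias_names[] = json_encode($alias_name['name']);
			}
		}
	}
	$aliases = implode(",", $port_alias_names);
	$aliasesaddr = implode(",", $addr_alias_names);
?>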
1150
1151 8ab3e9ed Erik Kristensen
	var addressarray=new Array(<?php echo $aliasesaddr; ?>);
1152
	var customarray=new Array(<?php echo $aliases; ?>);
1153 19757279 Scott Ullrich
1154 5b237745 Scott Ullrich
//-->
1155
</script>
1156 8ab3e9ed Erik Kristensen
1157
1158 5b237745 Scott Ullrich
<?php include("fend.inc"); ?>
1159
</body>
1160
</html>