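<?php
/* $Id$ */
/*
	firewall_rules_edit.php
	part of pfSense (http://www.pfsense.com)
        Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)

	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

/*
 * Firewall rule editor. On GET it loads an existing rule (or defaults) into
 * $pconfig for the form below; on POST it validates the submission and
 * writes the rule back into $config['filter']['rule'].
 *
 * Request parameters (all optional):
 *   id    - index of the rule being edited; non-numeric values are ignored
 *   after - index after which a new rule is inserted
 *   dup   - index of a rule to duplicate; the copy is inserted after it
 *   if    - interface preselected for a new rule
 */

require("guiconfig.inc");

/* Source/destination keywords that denote a network rather than an address. */
$specialsrcdst = explode(" ", "any wanip lanip lan pptp pppoe");

/*
 * Resolve one from/to port pair posted by the form into the values stored
 * on the rule. The selects post "" for "(other)", in which case the
 * free-text *_cust field is taken; "any" becomes 0 for both ends; a missing
 * end port defaults to the begin port.
 */
function firewall_rules_edit_portrange(&$begin, &$end, $begin_cust, $end_cust) {
	if ($begin_cust && !$begin)
		$begin = $begin_cust;
	if ($end_cust && !$end)
		$end = $end_cust;

	if ($begin == "any") {
		$begin = 0;
		$end = 0;
	} else if (!$end) {
		$end = $begin;
	}
	if ($end == "any")
		$end = $begin;
}

if (!is_array($config['filter']['rule'])) {
	$config['filter']['rule'] = array();
}
filter_rules_sort();
$a_filter = &$config['filter']['rule'];

/* Only numeric rule indices are accepted; anything else means "new rule". */
$id = null;
if (isset($_GET['id']) && is_numeric($_GET['id']))
	$id = $_GET['id'];
if (isset($_POST['id']) && is_numeric($_POST['id']))
	$id = $_POST['id'];

$after = null;
if (isset($_GET['after']) && is_numeric($_GET['after']))
	$after = $_GET['after'];
if (isset($_POST['after']) && is_numeric($_POST['after']))
	$after = $_POST['after'];

/* Duplicating: load the source rule into the form, insert the copy after it. */
$duplicating = isset($_GET['dup']) && is_numeric($_GET['dup']);
if ($duplicating) {
	$id = $_GET['dup'];
	$after = $_GET['dup'];
}

/*
 * Page-load access check for an existing rule. Non-admin users may only open
 * rules whose interface appears in their allowed-page list ($allowed and
 * isSystemAdmin() come from guiconfig.inc; $_SERVER replaces the long
 * deprecated $HTTP_SERVER_VARS). This covers the interface already stored
 * on the rule only; the interface submitted on POST is checked separately
 * in the POST handler.
 */
if (isset($id) && $id > -1) {
	$if = $a_filter[$id]['interface'];
	$security_url = "firewall_rules_edit.php?if=" . strtolower($if);
	if (!isSystemAdmin($_SERVER['AUTH_USER'])) {
		log_error("Checking for {$security_url}");
		if (!in_array($security_url, $allowed)) {
			echo display_error_form("401", "Unauthorized. You do not have access to edit rules on the interface {$if}");
			exit;
		}
	}
}

if (isset($id) && $a_filter[$id]) {
	/* Editing or duplicating: seed the form from the stored rule. */
	$pconfig['interface'] = $a_filter[$id]['interface'];
	$pconfig['type'] = isset($a_filter[$id]['type']) ? $a_filter[$id]['type'] : "pass";

	if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
		$pconfig['floating'] = $a_filter[$id]['floating'];
		if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
			$pconfig['interface'] = $a_filter[$id]['interface'];
	}

	if (isset($a_filter[$id]['direction']))
		$pconfig['direction'] = $a_filter[$id]['direction'];

	$pconfig['proto'] = isset($a_filter[$id]['protocol']) ? $a_filter[$id]['protocol'] : "any";
	if ($a_filter[$id]['protocol'] == "icmp")
		$pconfig['icmptype'] = $a_filter[$id]['icmptype'];

	address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
		$pconfig['srcmask'], $pconfig['srcnot'],
		$pconfig['srcbeginport'], $pconfig['srcendport']);

	if ($a_filter[$id]['os'] <> "")
		$pconfig['os'] = $a_filter[$id]['os'];

	address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
		$pconfig['dstmask'], $pconfig['dstnot'],
		$pconfig['dstbeginport'], $pconfig['dstendport']);

	$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
	$pconfig['log'] = isset($a_filter[$id]['log']);
	$pconfig['descr'] = $a_filter[$id]['descr'];

	if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
		$pconfig['tag'] = $a_filter[$id]['tag'];
	/* test 'tagged' itself (this used to test 'tag', so a rule with only
	 * 'tagged' set never showed it in the form) */
	if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tagged'] <> "")
		$pconfig['tagged'] = $a_filter[$id]['tagged'];
	if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
		$pconfig['quick'] = $a_filter[$id]['quick'];

	/* advanced */
	$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
	$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
	$pconfig['statetype'] = $a_filter[$id]['statetype'];
	$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
	$pconfig['nosync'] = isset($a_filter[$id]['nosync']);

	/* advanced - new connection per second banning */
	$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
	$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];

	/* Multi-WAN next-hop support */
	$pconfig['gateway'] = $a_filter[$id]['gateway'];

	/* Shaper support */
	$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
	$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];

	/* schedule support */
	$pconfig['sched'] = $a_filter[$id]['sched'];
} else {
	/* New rule: defaults, with the interface taken from the calling page. */
	if (!empty($_GET['if']))
		$pconfig['interface'] = $_GET['if'];
	$pconfig['type'] = "pass";
	$pconfig['src'] = "any";
	$pconfig['dst'] = "any";
}

/* A duplicate is always saved as a new rule, never over the original. */
if ($duplicating)
	unset($id);

if ($_POST) {
	/* Start with a clean error list; every check below appends to it.
	 * (The list used to be cleared again further down, which silently
	 * discarded the reject/protocol error recorded here.) */
	$input_errors = array();

	if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
		$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";

	/* Ports only apply to TCP/UDP; for anything else force them to 0. */
	if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
		$_POST['srcbeginport'] = 0;
		$_POST['srcendport'] = 0;
		$_POST['dstbeginport'] = 0;
		$_POST['dstendport'] = 0;
	} else {
		firewall_rules_edit_portrange($_POST['srcbeginport'], $_POST['srcendport'],
			$_POST['srcbeginport_cust'], $_POST['srcendport_cust']);
		firewall_rules_edit_portrange($_POST['dstbeginport'], $_POST['dstendport'],
			$_POST['dstbeginport_cust'], $_POST['dstendport_cust']);
	}

	/* A special network keyword replaces the address; a single host is /32. */
	if (is_specialnet($_POST['srctype'])) {
		$_POST['src'] = $_POST['srctype'];
		$_POST['srcmask'] = 0;
	} else if ($_POST['srctype'] == "single") {
		$_POST['srcmask'] = 32;
	}
	if (is_specialnet($_POST['dsttype'])) {
		$_POST['dst'] = $_POST['dsttype'];
		$_POST['dstmask'] = 0;
	} else if ($_POST['dsttype'] == "single") {
		$_POST['dstmask'] = 32;
	}

	/* Redisplay whatever was submitted if validation fails. */
	$pconfig = $_POST;

	/*
	 * Reject any value that htmlentities() would alter, so no HTML-special
	 * characters reach the stored config or the page. The floating-rule
	 * interface list is an array and is skipped here.
	 */
	foreach ($_POST as $key => $value) {
		if (isset($_POST['floating']) && $key == "interface")
			continue;
		if (htmlentities($value) <> $value)
			$input_errors[] = "Invalid characters detected ($value).  Please remove invalid characters and save again.";
	}

	/* input validation */
	$reqdfields = explode(" ", "type proto src dst");
	$reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");

	if ($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
		if ($_POST['proto'] != "tcp")
			$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
		if (($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
			$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
	}

	if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
		$reqdfields[] = "srcmask";
		$reqdfieldsn[] = "Source bit count";
	}
	if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
		$reqdfields[] = "dstmask";
		$reqdfieldsn[] = "Destination bit count";
	}

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);

	if (!$_POST['srcbeginport']) {
		$_POST['srcbeginport'] = 0;
		$_POST['srcendport'] = 0;
	}
	if (!$_POST['dstbeginport']) {
		$_POST['dstbeginport'] = 0;
		$_POST['dstendport'] = 0;
	}

	/* Each port must be an alias or a valid port number (field => label).
	 * Checking every field through the same loop also means the end
	 * destination port is tested on its own value, not on dstbeginport. */
	$portfields = array(
		'srcbeginport' => "start source",
		'srcendport' => "end source",
		'dstbeginport' => "start destination",
		'dstendport' => "end destination"
	);
	foreach ($portfields as $field => $label) {
		if ($_POST[$field] && !alias_expand($_POST[$field]) && !is_port($_POST[$field]))
			$input_errors[] = "The {$label} port must be an alias or integer between 1 and 65535.";
	}

	/* if user enters an alias and selects "network" then disallow. */
	if ($_POST['srctype'] == "network" && is_alias($_POST['src']))
		$input_errors[] = "You must specify single host or alias for alias entries.";
	if ($_POST['dsttype'] == "network" && is_alias($_POST['dst']))
		$input_errors[] = "You must specify single host or alias for alias entries.";

	if (!is_specialnet($_POST['srctype'])) {
		if ($_POST['src'] && !is_ipaddroranyalias($_POST['src']))
			$input_errors[] = "A valid source IP address or alias must be specified.";
		if ($_POST['srcmask'] && !is_numericint($_POST['srcmask']))
			$input_errors[] = "A valid source bit count must be specified.";
	}
	if (!is_specialnet($_POST['dsttype'])) {
		if ($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))
			$input_errors[] = "A valid destination IP address or alias must be specified.";
		if ($_POST['dstmask'] && !is_numericint($_POST['dstmask']))
			$input_errors[] = "A valid destination bit count must be specified.";
	}

	/* Normalise each range so that begin <= end. */
	if ($_POST['srcbeginport'] > $_POST['srcendport']) {
		$tmp = $_POST['srcendport'];
		$_POST['srcendport'] = $_POST['srcbeginport'];
		$_POST['srcbeginport'] = $tmp;
	}
	if ($_POST['dstbeginport'] > $_POST['dstendport']) {
		$tmp = $_POST['dstendport'];
		$_POST['dstendport'] = $_POST['dstbeginport'];
		$_POST['dstbeginport'] = $tmp;
	}

	if ($_POST['os'] && $_POST['proto'] != "tcp")
		$input_errors[] = "OS detection is only valid with protocol tcp.";

	if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
		if ($_POST['defaultqueue'] == "none")
			$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
		else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
			$input_errors[] = "Acknokledge queue and Queue cannot be the same.";
	}

	/*
	 * The submitted interface(s) must be ones this user may write rules
	 * for. The page-load check above only looks at the interface already
	 * stored on an existing rule, so a new rule, or a rule moved to another
	 * interface, would otherwise be written without any check.
	 * have_ruleint_access() is the same helper the interface list in the
	 * form is filtered with.
	 */
	if (isset($_POST['interface'])) {
		$posted_ifs = is_array($_POST['interface']) ? $_POST['interface'] : array($_POST['interface']);
		foreach ($posted_ifs as $posted_if) {
			if ($posted_if != "" && !have_ruleint_access($posted_if)) {
				$input_errors[] = "You do not have access to edit rules on one of the selected interfaces.";
				break;
			}
		}
	}

	if (!$input_errors) {
		$filterent = array();
		$filterent['type'] = $_POST['type'];
		if (isset($_POST['interface']))
			$filterent['interface'] = $_POST['interface'];

		if ($if == "FloatingRules" || isset($_POST['floating'])) {
			if (isset($_POST['tag']))
				$filterent['tag'] = $_POST['tag'];
			if (isset($_POST['tagged']))
				$filterent['tagged'] = $_POST['tagged'];
			$filterent['direction'] = $_POST['direction'];
			if (isset($_POST['quick']) && $_POST['quick'] <> "")
				$filterent['quick'] = $_POST['quick'];
			$filterent['floating'] = "yes";
			/* a floating rule may apply to several interfaces; stored comma-separated */
			if (isset($_POST['interface']) && count($_POST['interface']) > 0)
				$filterent['interface'] = implode(",", $_POST['interface']);
		}

		/* Advanced options */
		$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
		$filterent['max-src-states'] = $_POST['max-src-states'];
		$filterent['statetimeout'] = $_POST['statetimeout'];
		$filterent['statetype'] = $_POST['statetype'];
		$filterent['os'] = $_POST['os'];

		/* Nosync directive - do not xmlrpc sync this item */
		if ($_POST['nosync'] <> "")
			$filterent['nosync'] = true;
		else
			unset($filterent['nosync']);

		/* unless both values are provided, unset the values - ticket #650 */
		if ($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] <> "") {
			$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
			$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
		} else {
			unset($filterent['max-src-conn-rate']);
			unset($filterent['max-src-conn-rates']);
		}

		if ($_POST['proto'] != "any")
			$filterent['protocol'] = $_POST['proto'];
		else
			unset($filterent['protocol']);

		if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
			$filterent['icmptype'] = $_POST['icmptype'];
		else
			unset($filterent['icmptype']);

		pconfig_to_address($filterent['source'], $_POST['src'],
			$_POST['srcmask'], $_POST['srcnot'],
			$_POST['srcbeginport'], $_POST['srcendport']);

		pconfig_to_address($filterent['destination'], $_POST['dst'],
			$_POST['dstmask'], $_POST['dstnot'],
			$_POST['dstbeginport'], $_POST['dstendport']);

		if ($_POST['disabled'])
			$filterent['disabled'] = true;
		else
			unset($filterent['disabled']);
		if ($_POST['log'])
			$filterent['log'] = true;
		else
			unset($filterent['log']);
		strncpy($filterent['descr'], $_POST['descr'], 52);

		if ($_POST['gateway'] != "")
			$filterent['gateway'] = $_POST['gateway'];

		if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
			$filterent['defaultqueue'] = $_POST['defaultqueue'];
			if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
				$filterent['ackqueue'] = $_POST['ackqueue'];
		}

		if ($_POST['sched'] != "")
			$filterent['sched'] = $_POST['sched'];

		/* Replace the edited rule in place; otherwise insert after $after or append. */
		if (isset($id) && $a_filter[$id]) {
			$a_filter[$id] = $filterent;
		} else if (is_numeric($after)) {
			array_splice($a_filter, $after+1, 0, array($filterent));
		} else {
			$a_filter[] = $filterent;
		}

		write_config();
		touch($d_filterconfdirty_path);

		if (isset($_POST['floating']))
			header("Location: firewall_rules.php?if=FloatingRules");
		else
			header("Location: firewall_rules.php?if=" . $_POST['interface']);
		exit;
	}
}

$pgtitle = array("Firewall","Rules","Edit");
$closehead = false;

$page_filename = "firewall_rules_edit.php";
include("head.inc");

?>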
434 da7ae7ef Bill Marquette
435 5b237745 Scott Ullrich
</head>
436
437
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
438
<?php include("fbegin.inc"); ?>
439
<?php if ($input_errors) print_input_errors($input_errors); ?>
440 8ab3e9ed Erik Kristensen
441
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
442
	<table width="100%" border="0" cellpadding="6" cellspacing="0">
443
    	<tr>
444
			<td width="22%" valign="top" class="vncellreq">Action</td>
445
			<td width="78%" class="vtable">
446 b5c78501 Seth Mos
				<select name="type" class="formselect">
447 8ab3e9ed Erik Kristensen
					<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
448
					<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
449
					<?=htmlspecialchars($type);?>
450
					</option>
451
					<?php endforeach; ?>
452 8c84fe43 Scott Ullrich
				</select>
453 8ab3e9ed Erik Kristensen
				<br/>
454
				<span class="vexpl">
455
					Choose what to do with packets that match the criteria specified below. <br/>
456
					Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not &quot;TCP/UDP&quot;) below.
457
				</span>
458
			</td>
459
		</tr>
460
		<tr>
461
			<td width="22%" valign="top" class="vncellreq">Disabled</td>
462
			<td width="78%" class="vtable">
463
				<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
464
				<strong>Disable this rule</strong><br />
465
				<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
466
			</td>
467
		</tr>
468 661aed33 Ermal Luçi
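<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
		<!-- "Quick" is only meaningful for floating rules -->
		<tr>
			<td width="22%" valign="top" class="vncellreq"><?=gettext("Quick");?></td>
			<td width="78%" class="vtable">
				<input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
				<strong><?=gettext("Apply the action immediately on match.");?></strong><br />
				<span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
			</td>
		</tr>
<?php endif; ?>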
478 8ab3e9ed Erik Kristensen
		<tr>
479
			<td width="22%" valign="top" class="vncellreq">Interface</td>
480
			<td width="78%" class="vtable">
481 4633edc2 Ermal Luçi
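<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
				<select name="interface[]" multiple="multiple" class="formselect" size="3">
<?php else: ?>
				<select name="interface" class="formselect">
<?php
				endif;

				/*
				 * Build the option list. Only interfaces the current user may
				 * write rules for (have_ruleint_access) are offered; this
				 * filters the menu only, the posted value is still untrusted
				 * input and must be validated server-side.
				 */
				$interfaces = array();
				if (have_ruleint_access("lan"))
					$interfaces['lan'] = "LAN";
				if (have_ruleint_access("wan"))
					$interfaces['wan'] = "WAN";
				for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
					if (have_ruleint_access("opt{$i}"))
						$interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr'];
				}
				if ($config['pptpd']['mode'] == "server" && have_ruleint_access("pptp"))
					$interfaces['pptp'] = "PPTP VPN";
				if ($config['pppoe']['mode'] == "server" && have_ruleint_access("pppoe"))
					$interfaces['pppoe'] = "PPPoE VPN";
				/* add ipsec interfaces */
				if ((isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])) && have_ruleint_access("enc0"))
					$interfaces["enc0"] = "IPsec";

				/*
				 * The stored interface is one name, or a comma-separated list
				 * for floating rules (an array when a floating POST is being
				 * redisplayed). Match whole names: a substring test would also
				 * select "opt1" for a rule stored on "opt10".
				 */
				$selected_ifs = is_array($pconfig['interface']) ? $pconfig['interface'] : explode(",", (string)$pconfig['interface']);
				$selected_ifs = array_map('strtolower', $selected_ifs);
				foreach ($interfaces as $iface => $ifacename): ?>
					<option value="<?=$iface;?>" <?php if (in_array($iface, $selected_ifs)) echo "selected"; ?>><?=gettext($ifacename);?></option>
<?php			endforeach; ?>
				</select>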
516 8ab3e9ed Erik Kristensen
				<br />
517
				<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
518
			</td>
519
		</tr>
520 661aed33 Ermal Luçi
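<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
		<!-- Direction applies to floating rules only -->
		<tr>
			<td width="22%" valign="top" class="vncellreq"><?=gettext("Direction");?></td>
			<td width="78%" class="vtable">
				<select name="direction" class="formselect">
<?php
				/* "any" comes first and so is the browser default for a new rule */
				$directions = array('any', 'in', 'out');
				foreach ($directions as $direction): ?>
					<option value="<?=$direction;?>" <?php if ($direction == $pconfig['direction']) echo "selected=\"selected\""; ?>><?=$direction;?></option>
<?php			endforeach; ?>
				</select>
			</td>
		</tr>
<?php endif; ?>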
537 8ab3e9ed Erik Kristensen
		<tr>
538
			<td width="22%" valign="top" class="vncellreq">Protocol</td>
539
			<td width="78%" class="vtable">
540 b5c78501 Seth Mos
				<select name="proto" class="formselect" onchange="proto_change()">
541 8ab3e9ed Erik Kristensen
<?php
542 773861f6 Scott Ullrich
				$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
543 8ab3e9ed Erik Kristensen
				foreach ($protocols as $proto): ?>
544
					<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
545
<?php 			endforeach; ?>
546
				</select>
547
				<br />
548
				<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em> &nbsp;here.</span>
549
			</td>
550
		</tr>
551 3de8af0e Scott Ullrich
		<tr id="icmpbox" name="icmpbox">
552 8ab3e9ed Erik Kristensen
			<td valign="top" class="vncell">ICMP type</td>
553
			<td class="vtable">
554 b5c78501 Seth Mos
				<select name="icmptype" class="formselect">
555 8ab3e9ed Erik Kristensen
<?php
556
				$icmptypes = array(
557
				"" => "any",
558
				"echorep" => "Echo reply",
559
				"unreach" => "Destination unreachable",
560
				"squench" => "Source quench",
561
				"redir" => "Redirect",
562
				"althost" => "Alternate Host",
563
				"echoreq" => "Echo",
564
				"routeradv" => "Router advertisement",
565
				"routersol" => "Router solicitation",
566
				"timex" => "Time exceeded",
567
				"paramprob" => "Invalid IP header",
568
				"timereq" => "Timestamp",
569
				"timerep" => "Timestamp reply",
570
				"inforeq" => "Information request",
571
				"inforep" => "Information reply",
572
				"maskreq" => "Address mask request",
573
				"maskrep" => "Address mask reply"
574
				);
575
576
				foreach ($icmptypes as $icmptype => $descr): ?>
577
					<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
578
<?php 			endforeach; ?>
579
			</select>
580
			<br />
581
			<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
582
		</td>
583
		</tr>
584
		<tr>
585
			<td width="22%" valign="top" class="vncellreq">Source</td>
586
			<td width="78%" class="vtable">
587
				<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
588
				<strong>not</strong>
589
				<br />
590
				Use this option to invert the sense of the match.
591
				<br />
592
				<br />
593
				<table border="0" cellspacing="0" cellpadding="0">
594
					<tr>
595
						<td>Type:&nbsp;&nbsp;</td>
596
						<td>
597 b5c78501 Seth Mos
							<select name="srctype" class="formselect" onChange="typesel_change()">
598 8ab3e9ed Erik Kristensen
<?php
599
								$sel = is_specialnet($pconfig['src']); ?>
600
								<option value="any"     <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
601
								<option value="single"  <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
602
								<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
603 99ea4439 Scott Ullrich
								<?php if(have_ruleint_access("wan")): ?>
604 76934b05 Scott Ullrich
								<option value="wanip" 	<?php if ($pconfig['src'] == "wanip") { echo "selected"; } ?>>WAN address</option>
605 99ea4439 Scott Ullrich
								<?php endif; ?>
606
								<?php if(have_ruleint_access("lan")): ?>
607 acb31d29 Scott Ullrich
								<option value="lanip" 	<?php if ($pconfig['src'] == "lanip") { echo "selected"; } ?>>LAN address</option>
608 99ea4439 Scott Ullrich
								<?php endif; ?>
609
								<?php if(have_ruleint_access("lan")): ?>
610 8ab3e9ed Erik Kristensen
								<option value="lan"     <?php if ($pconfig['src'] == "lan") { echo "selected"; } ?>>LAN subnet</option>
611 99ea4439 Scott Ullrich
								<?php endif; ?>
612
								<?php if(have_ruleint_access("pptp")): ?>
613 8ab3e9ed Erik Kristensen
								<option value="pptp"    <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
614 99ea4439 Scott Ullrich
								<?php endif; ?>
615
								<?php if(have_ruleint_access("pppoe")): ?>
616 8c84fe43 Scott Ullrich
								<option value="pppoe"   <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
617 99ea4439 Scott Ullrich
								<?php endif; ?>								
618 8ab3e9ed Erik Kristensen
<?php
619
								for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
620 99ea4439 Scott Ullrich
								<?php if(have_ruleint_access("opt{$i}")): ?>
621 8ab3e9ed Erik Kristensen
									<option value="opt<?=$i;?>" <?php if ($pconfig['src'] == "opt" . $i) { echo "selected"; } ?>><?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
622 e30a5970 Scott Ullrich
									<option value="opt<?=$i;?>ip"<?php if ($pconfig['src'] == "opt" . $i . "ip") { echo "selected"; } ?>>
623
										<?=$config['interfaces']['opt' . $i]['descr']?> address
624
									</option>
625 99ea4439 Scott Ullrich
								<?php endif; ?>
626 8ab3e9ed Erik Kristensen
<?php 							endfor; ?>
627
							</select>
628
						</td>
629
					</tr>
630
					<tr>
631
						<td>Address:&nbsp;&nbsp;</td>
632
						<td>
633
							<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
634 b5c78501 Seth Mos
							<select name="srcmask" class="formselect" id="srcmask">
635 8ab3e9ed Erik Kristensen
<?php						for ($i = 31; $i > 0; $i--): ?>
636
								<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
637
<?php 						endfor; ?>
638
							</select>
639 bdb7d6e7 Scott Ullrich
						</td>
640 8ab3e9ed Erik Kristensen
					</tr>
641
				</table>
642 22abf2ef Scott Ullrich
				<div id="showadvancedboxspr">
					<p>
					<input type="button" onClick="show_source_port_range()" value="Advanced"> - Show source port range
				</div>
			</td>
		</tr>
		<tr style="display:none" id="sprtable" name="sprtable">
			<td width="22%" valign="top" class="vncellreq">Source port range</td>
			<td width="78%" class="vtable">
				<table border="0" cellspacing="0" cellpadding="0">
					<tr>
						<td>from:&nbsp;&nbsp;</td>
						<td>
							<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php 							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
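							<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php /* escape like the src field above; nothing here guarantees the value is a bare port number */ if (!$bfound && $pconfig['srcbeginport']) echo htmlspecialchars($pconfig['srcbeginport']); ?>">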
						</td>
					</tr>
					<tr>
						<td>to:</td>
						<td>
							<select name="srcendport" class="formselect" onchange="ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php							endforeach; ?>
							</select>
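							<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php /* escape like the src field above; nothing here guarantees the value is a bare port number */ if (!$bfound && $pconfig['srcendport']) echo htmlspecialchars($pconfig['srcendport']); ?>">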
						</td>
					</tr>
				</table>
				<br />
				<span class="vexpl">Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often &quot;any&quot;). <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
				<span class="vexpl"><B>NOTE:</B> You will not need to enter anything here in 99.99999% of the circumstances.  If you're unsure, do not enter anything here!</span>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncellreq">Source OS</td>
			<td width="78%" class="vtable">OS Type:&nbsp;
				<select name="os" id="os" class="formselect">
<?php
		           /*
		            * Operating-system choices for the "Source OS" select.  The key is the
		            * option value and the entry text is its label; the empty key is "any".
		            */
		           $ostypes = array(
						 "" => "any",
		                 "AIX" => "AIX",
		                 "Linux" => "Linux",
		                 "FreeBSD" => "FreeBSD",
		                 "NetBSD" => "NetBSD",
		                 "OpenBSD" => "OpenBSD",
		                 "Solaris" => "Solaris",
		                 "MacOS" => "MacOS",
		                 "Windows" => "Windows",
		                 "Novell" => "Novell",
		                 "NMAP" => "NMAP"
		           );
					foreach ($ostypes as $ostype => $descr) {
						$os_sel = ($ostype == $pconfig['os']) ? "selected" : "";
						echo "\t\t\t\t\t\t<option value=\"{$ostype}\" {$os_sel}>" . htmlspecialchars($descr) . "</option>\n";
					} ?>
				</select>
				<br />
				Note: this only works for TCP rules
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncellreq">Destination</td>
			<td width="78%" class="vtable">
				<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
				<strong>not</strong>
					<br />
				Use this option to invert the sense of the match.
					<br />
					<br />
				<table border="0" cellspacing="0" cellpadding="0">
					<tr>
						<td>Type:&nbsp;&nbsp;</td>
						<td>
							<select name="dsttype" class="formselect" onChange="typesel_change()">
<?php
								$sel = is_specialnet($pconfig['dst']); ?>
								<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
								<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
								<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
								<?php if(have_ruleint_access("wan")): ?>
								<option value="wanip" <?php if ($pconfig['dst'] == "wanip") { echo "selected"; } ?>>WAN address</option>
								<?php endif; ?>
								<?php if(have_ruleint_access("lan")): ?>
								<option value="lanip" <?php if ($pconfig['dst'] == "lanip") { echo "selected"; } ?>>LAN address</option>
								<?php endif; ?>
								<?php if(have_ruleint_access("lan")): ?>
								<option value="lan" <?php if ($pconfig['dst'] == "lan") { echo "selected"; } ?>>LAN subnet</option>
								<?php endif; ?>
								<?php if(have_ruleint_access("pptp")): ?>
								<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
								<?php endif; ?>
								<?php if(have_ruleint_access("pppoe")): ?>
								<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
								<?php endif; ?>								
								
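<?php
								/*
								 * One "<descr> subnet" and one "<descr> address" choice per OPT interface
								 * for which have_ruleint_access() returns true, as in the source select
								 * above.  The description is config-supplied, so it is HTML-escaped in
								 * both entries (the "address" entry previously echoed it raw).  A space
								 * now separates the value attribute from "selected" on the address entry.
								 */
								for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
								<?php if(have_ruleint_access("opt{$i}")): ?>
									<option value="opt<?=$i;?>" <?php if ($pconfig['dst'] == "opt" . $i) { echo "selected"; } ?>><?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
									<option value="opt<?=$i;?>ip" <?php if ($pconfig['dst'] == "opt" . $i . "ip") { echo "selected"; } ?>>
										<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> address
									</option>
								<?php endif; ?>
<?php 							endfor; ?>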
							</select>
						</td>
					</tr>
					<tr>
						<td>Address:&nbsp;&nbsp;</td>
						<td>
							<input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
							/
							<select name="dstmask" class="formselect" id="dstmask">
<?php
							/* subnet prefix lengths, 31 down to 1, for the destination mask select */
							for ($bits = 31; $bits > 0; $bits--) {
								$mask_sel = ($bits == $pconfig['dstmask']) ? "selected" : "";
								echo "\t\t\t\t\t\t\t\t<option value=\"{$bits}\" {$mask_sel}>{$bits}</option>\n";
							} ?>
							</select>
						</td>
					</tr>
				</table>
			</td>
		</tr>
		<tr id="dprtr" name="dprtr">
			<td width="22%" valign="top" class="vncellreq">Destination port range </td>
			<td width="78%" class="vtable">
				<table border="0" cellspacing="0" cellpadding="0">
					<tr>
						<td>from:&nbsp;&nbsp;</td>
						<td>
							<select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php 							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
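							<input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php /* escape like the dst field above; nothing here guarantees the value is a bare port number */ if (!$bfound && $pconfig['dstbeginport']) echo htmlspecialchars($pconfig['dstbeginport']); ?>">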
						</td>
					</tr>
					<tr>
						<td>to:</td>
						<td>
							<select name="dstendport" class="formselect" onchange="ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
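							<input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php /* escape like the dst field above; nothing here guarantees the value is a bare port number */ if (!$bfound && $pconfig['dstendport']) echo htmlspecialchars($pconfig['dstendport']); ?>">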
						</td>
					</tr>
				</table>
				<br />
				<span class="vexpl">
					Specify the port or port range for the destination of the packet for this rule.
						<br />
					Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
				</span>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncellreq">Log</td>
			<td width="78%" class="vtable">
				<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
				<strong>Log packets that are handled by this rule</strong>
					<br />
				<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncellreq">Mark options</td>
                        <td width="78%" class="vtable">
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
                <input type="hidden" id="floating" name="floating" value="floating">
                                <input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
                                <br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and
use this mark to match on other rules. It is called <b>Policy filtering</b>");?>
                                </span><p>
                                <input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>"
>
                                <br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before
on another rule.")?>
                                </span> <p>
<?php endif; ?>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncell">Advanced Options</td>
			<td width="78%" class="vtable">
			<div id="aoadv" name="aoadv">
				<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced options
			</div>
			<div id="aodivmain" name="aodivmain" style="display:none">
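				<input name="max-src-nodes" id="max-src-nodes" value="<?php /* escaped like the other text inputs on this page */ echo htmlspecialchars($pconfig['max-src-nodes']); ?>"><br> Simultaneous client connection limit<p>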
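				<input name="max-src-states" id="max-src-states" value="<?php /* escaped like the other text inputs on this page */ echo htmlspecialchars($pconfig['max-src-states']); ?>"><br> Maximum state entries per host<p>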
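				<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php /* escaped like the other text inputs on this page */ echo htmlspecialchars($pconfig['max-src-conn-rate']); ?>"> /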
				<select name="max-src-conn-rates" id="max-src-conn-rates">
					<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
<?php				/* rate choices 1..254; the blank option above is the "not set" case */
				for ($x = 1; $x < 255; $x++) {
					$selected = ($x == $pconfig['max-src-conn-rates']) ? " selected" : "";
					printf("<option value=\"%d\"%s>%d</option>\n", $x, $selected, $x);
				} ?>
				</select><br />
				Maximum new connections / per second
				<p>
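				<input name="statetimeout" value="<?php /* escaped like the other text inputs on this page */ echo htmlspecialchars($pconfig['statetimeout']); ?>"><br>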
				State Timeout in seconds
				<p />
				<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
			  </div>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncell">State Type</td>
			<td width="78%" class="vtable">
				<div id="showadvstatebox">
					<input type="button" onClick="show_advanced_state()" value="Advanced"> - Show state
				</div>
				<div id="showstateadv" style="display:none">
					<select name="statetype">
						<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
						<option value="modulate state" <?php if($pconfig['statetype'] == "modulate state")  echo "selected"; ?>>modulate state</option>
						<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state")  echo "selected"; ?>>synproxy state</option>
						<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
					</select><br>HINT: Select which type of state tracking mechanism you would like to use.  If in doubt, use keep state.
					<p>
					<table width="90%">
						<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
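						<tr><td width="25%"><ul><li>modulate state</li></td><td>Works only with TCP. <?php /* was a literal "{$g['product_name']}" in the HTML; PHP interpolation only happens inside PHP strings */ echo htmlspecialchars($g['product_name']); ?> will generate strong Initial Sequence Numbers (ISNs) for packets matching this rule.</li></ul></td></tr>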
						<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
						<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track.  This is only useful if you're doing advanced queueing in certain situations.  Please check the documentation.</ul></td></tr>
					</table>
					</p>
			  </div>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
			<td width="78%" class="vtable">
				<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
				HINT: This prevents the rule from automatically syncing to other carp members.
			</td>
		</tr>
		<?php
			/*
			 * Names offered by the Schedule select below.  "none" is listed first and
			 * means the rule is enabled all the time; named schedules come from
			 * $config['schedules']['schedule'], skipping entries with an empty name.
			 */
			$schedules = array("none");
			if (is_array($config['schedules']['schedule'])) {
				foreach ($config['schedules']['schedule'] as $schedule) {
					if ($schedule['name'] != "")
						$schedules[] = $schedule['name'];
				}
			}
		?>
		<tr>
			<td width="22%" valign="top" class="vncell">Schedule</td>
			<td width="78%" class="vtable">
				<select name='sched'>
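<?php
				/*
				 * One option per schedule name.  "none" is sent as an empty value (the rule
				 * stays enabled all the time).  Schedule names are config-supplied, so they
				 * are HTML-escaped like descr/src/dst elsewhere on this page.
				 */
				foreach ($schedules as $schedule) {
					$selected = ($schedule == $pconfig['sched']) ? " SELECTED" : "";
					$sched_html = htmlspecialchars($schedule);
					$optvalue = ($schedule == "none") ? "" : $sched_html;
					echo "<option value=\"{$optvalue}\" {$selected}>{$sched_html}</option>\n";
				}?>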
				</select>
				<p>Leave as 'none' to leave the rule enabled all the time.</p>
				<strong>NOTE:  schedule logic can be a bit different.  Click <a target="_new" href='firewall_rules_schedule_logic.php'>here</a> for more information.</strong>
			</td>
		</tr>
		
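<?php
			/*
			 * Build the list of gateway names for the Gateway select below.
			 * "default" comes first and means "use the system routing table".
			 * Guarded with is_array(), like the schedules and load-balancer lists
			 * on this page, so a config without gateway_item entries does not
			 * trigger a foreach warning.
			 */
			$gateways = array();
			$gateways[] = "default";
			if (is_array($config['gateways']['gateway_item'])) {
				foreach ($config['gateways']['gateway_item'] as $gw_item) {
					if ($gw_item['gateway'] != "")
						$gateways[] = $gw_item['name'];
				}
			}
?>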
		<tr>
			<td width="22%" valign="top" class="vncell">Gateway</td>
			<td width="78%" class="vtable">
				<select name='gateway'>
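<?php
				/*
				 * Gateway choices, in three groups: named gateways (shown with the IP
				 * returned by lookup_gateway_ip_by_name()), load-balancer pools, and
				 * OPT interfaces whose ipaddr is "dhcp".  "default" is sent as an empty
				 * value.  Every name/description comes from the config, so it is
				 * HTML-escaped like descr/src/dst elsewhere on this page.
				 */
				foreach ($gateways as $gw) {
					if ($gw == "")
						continue;
					$selected = ($gw == $pconfig['gateway']) ? " SELECTED" : "";
					if ($gw == "default") {
						echo "<option value=\"\" {$selected}>{$gw}</option>\n";
					} else {
						$gwip = lookup_gateway_ip_by_name($gw);
						$gw_html = htmlspecialchars($gw);
						echo "<option value=\"{$gw_html}\" {$selected}>{$gw_html} - " . htmlspecialchars($gwip) . "</option>\n";
					}
				}
				if (is_array($config['load_balancer']['lbpool'])) {
					foreach ($config['load_balancer']['lbpool'] as $lb) {
						if ($lb['name'] == "")
							continue;
						$lb_html = htmlspecialchars($lb['name']);
						$selected = ($pconfig['gateway'] == $lb['name']) ? " SELECTED" : "";
						echo "<option value=\"{$lb_html}\"{$selected}>{$lb_html}</option>\n";
					}
				}
				for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
					if ($config['interfaces']['opt' . $i]['ipaddr'] != "dhcp")
						continue;
					$descr = $config['interfaces']['opt' . $i]['descr'];
					$selected = ($pconfig['gateway'] == "opt{$i}") ? " SELECTED" : "";
					/* interfaces without a description are not offered */
					if ($descr != "")
						echo "<option value=\"opt{$i}\" {$selected}>OPT{$i} - " . htmlspecialchars($descr) . "</option>\n";
				}
?>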
				</select>
				<p><strong>Leave as 'default' to use the system routing table.  Or choose a gateway to utilize policy based routing.</strong></p>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
			<td width="78%" class="vtable">
			<select name="ackqueue">
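<?php
	/*
	 * Acknowledge-queue choices.  The names are read from $GLOBALS['allqueue_list'];
	 * presumably read_altq_config() populates it when $altq_list_queues is not yet
	 * an array — confirm.  $qselected is initialised here, as the Queue select
	 * below already does, instead of being read while unset.  Queue names are
	 * config-supplied, so they are HTML-escaped.  Options are emitted without
	 * newlines between them.
	 */
	if (!is_array($altq_list_queues))
		read_altq_config(); /* XXX: */
	$qselected = 0;
	if (is_array($GLOBALS['allqueue_list'])) {
		foreach ($GLOBALS['allqueue_list'] as $q) {
			$q_html = htmlspecialchars($q);
			$q_sel = "";
			if ($q == $pconfig['ackqueue']) {
				$qselected = 1;
				$q_sel = " SELECTED";
			}
			echo "<option value=\"{$q_html}\"{$q_sel}>{$q_html}</option>";
		}
	}
	/* "none" is preselected only when no queue matched */
	echo "<option value=\"none\"" . ($qselected ? "" : " SELECTED") . " >none</option>";
?>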
			</select> / 			
			<select name="defaultqueue">
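<?php
	/*
	 * Queue choices, read from $GLOBALS['allqueue_list'].  Queue names are
	 * config-supplied, so they are HTML-escaped like descr/src/dst elsewhere on
	 * this page.  Options are emitted without newlines between them.
	 */
	$qselected = 0;
	if (is_array($GLOBALS['allqueue_list'])) {
		foreach ($GLOBALS['allqueue_list'] as $q) {
			$q_html = htmlspecialchars($q);
			$q_sel = "";
			if ($q == $pconfig['defaultqueue']) {
				$qselected = 1;
				$q_sel = " SELECTED";
			}
			echo "<option value=\"{$q_html}\"{$q_sel}>{$q_html}</option>";
		}
	}
	/* "none" is preselected only when no queue matched */
	echo "<option value=\"none\"" . ($qselected ? "" : " SELECTED") . " >none</option>";
?>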
			</select>
				<br />
				<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top" class="vncell">Description</td>
			<td width="78%" class="vtable">
				<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
				<br />
				<span class="vexpl">You may enter a description here for your reference (not parsed).</span>
			</td>
		</tr>
		<tr>
			<td width="22%" valign="top">&nbsp;</td>
			<td width="78%">
				<input name="Submit" type="submit" class="formbtn" value="Save">  <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
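<?php			/* carry the rule index through the form only when $id names an existing entry of $a_filter; escaped like the other hidden/text values */
			if (isset($id) && $a_filter[$id]): ?>
					<input name="id" type="hidden" value="<?=htmlspecialchars($id);?>">
<?php 			endif; ?>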
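				<input name="after" type="hidden" value="<?php /* escaped like the other hidden/text values on this page */ echo htmlspecialchars($after); ?>">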
			</td>
		</tr>
	</table>
</form>
<script language="JavaScript">
<!--
	ext_change();
	typesel_change();
	proto_change();
<?php
	/*
	 * Split the configured alias names into the two JavaScript autocomplete
	 * arrays emitted below: aliases whose address field contains a "." go to
	 * $aliasesaddr, all others to $aliases.  Each result is a comma-separated
	 * run of single-quoted names; $isfirst / $addrisfirst end up 1 when the
	 * corresponding list is non-empty.
	 * NOTE(review): the names are placed inside JS string literals without any
	 * escaping, which is only safe if alias names are restricted upstream — confirm.
	 */
	$custom_names = array();
	$addr_names = array();
	if ($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias'])) {
		foreach ($config['aliases']['alias'] as $alias_name) {
			$quoted = "'" . $alias_name['name'] . "'";
			if (stristr($alias_name['address'], ".")) {
				$addr_names[] = $quoted;
			} else {
				$custom_names[] = $quoted;
			}
		}
	}
	$aliases = implode(",", $custom_names);
	$aliasesaddr = implode(",", $addr_names);
	$isfirst = count($custom_names) ? 1 : 0;
	$addrisfirst = count($addr_names) ? 1 : 0;
?>
	var addressarray=new Array(<?php echo $aliasesaddr; ?>);
	var customarray=new Array(<?php echo $aliases; ?>);
//-->
</script>
<?php include("fend.inc"); ?>
</body>
</html>