|
1
|
<?php
|
|
2
|
/* $Id$ */
|
|
3
|
/*
|
|
4
|
firewall_rules_edit.php
|
|
5
|
part of pfSense (http://www.pfsense.com)
|
|
6
|
Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)
|
|
7
|
|
|
8
|
originally part of m0n0wall (http://m0n0.ch/wall)
|
|
9
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
|
10
|
All rights reserved.
|
|
11
|
|
|
12
|
Redistribution and use in source and binary forms, with or without
|
|
13
|
modification, are permitted provided that the following conditions are met:
|
|
14
|
|
|
15
|
1. Redistributions of source code must retain the above copyright notice,
|
|
16
|
this list of conditions and the following disclaimer.
|
|
17
|
|
|
18
|
2. Redistributions in binary form must reproduce the above copyright
|
|
19
|
notice, this list of conditions and the following disclaimer in the
|
|
20
|
documentation and/or other materials provided with the distribution.
|
|
21
|
|
|
22
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
23
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
24
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
25
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
26
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
27
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
28
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
29
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
30
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
31
|
POSSIBILITY OF SUCH DAMAGE.
|
|
32
|
*/
|
|
33
|
/*
|
|
34
|
pfSense_MODULE: filter
|
|
35
|
*/
|
|
36
|
|
|
37
|
##|+PRIV
|
|
38
|
##|*IDENT=page-firewall-rules-edit
|
|
39
|
##|*NAME=Firewall: Rules: Edit page
|
|
40
|
##|*DESCR=Allow access to the 'Firewall: Rules: Edit' page.
|
|
41
|
##|*MATCH=firewall_rules_edit.php*
|
|
42
|
##|-PRIV
|
|
43
|
|
|
44
|
require("guiconfig.inc");
|
|
45
|
require("filter.inc");
|
|
46
|
require("shaper.inc");
|
|
47
|
|
|
48
|
$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
|
|
49
|
$ifdisp = get_configured_interface_with_descr();
|
|
50
|
foreach ($ifdisp as $kif => $kdescr) {
|
|
51
|
$specialsrcdst[] = "{$kif}";
|
|
52
|
$specialsrcdst[] = "{$kif}ip";
|
|
53
|
}
|
|
54
|
|
|
55
|
if (!is_array($config['filter']['rule'])) {
|
|
56
|
$config['filter']['rule'] = array();
|
|
57
|
}
|
|
58
|
filter_rules_sort();
|
|
59
|
$a_filter = &$config['filter']['rule'];
|
|
60
|
|
|
61
|
$id = $_GET['id'];
|
|
62
|
if (is_numeric($_POST['id']))
|
|
63
|
$id = $_POST['id'];
|
|
64
|
|
|
65
|
$after = $_GET['after'];
|
|
66
|
|
|
67
|
if (isset($_POST['after']))
|
|
68
|
$after = $_POST['after'];
|
|
69
|
|
|
70
|
if (isset($_GET['dup'])) {
|
|
71
|
$id = $_GET['dup'];
|
|
72
|
$after = $_GET['dup'];
|
|
73
|
}
|
|
74
|
|
|
75
|
if (isset($id) && $a_filter[$id]) {
|
|
76
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
|
77
|
|
|
78
|
if (isset($a_filter[$id]['id']))
|
|
79
|
$pconfig['ruleid'] = $a_filter[$id]['id'];
|
|
80
|
|
|
81
|
if (!isset($a_filter[$id]['type']))
|
|
82
|
$pconfig['type'] = "pass";
|
|
83
|
else
|
|
84
|
$pconfig['type'] = $a_filter[$id]['type'];
|
|
85
|
|
|
86
|
if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
|
|
87
|
$pconfig['floating'] = $a_filter[$id]['floating'];
|
|
88
|
if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
|
|
89
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
|
90
|
}
|
|
91
|
|
|
92
|
if (isset($a_filter['floating']))
|
|
93
|
$pconfig['floating'] = "yes";
|
|
94
|
|
|
95
|
if (isset($a_filter[$id]['direction']))
|
|
96
|
$pconfig['direction'] = $a_filter[$id]['direction'];
|
|
97
|
|
|
98
|
if (isset($a_filter[$id]['protocol']))
|
|
99
|
$pconfig['proto'] = $a_filter[$id]['protocol'];
|
|
100
|
else
|
|
101
|
$pconfig['proto'] = "any";
|
|
102
|
|
|
103
|
if ($a_filter[$id]['protocol'] == "icmp")
|
|
104
|
$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
|
|
105
|
|
|
106
|
address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
|
|
107
|
$pconfig['srcmask'], $pconfig['srcnot'],
|
|
108
|
$pconfig['srcbeginport'], $pconfig['srcendport']);
|
|
109
|
|
|
110
|
if($a_filter[$id]['os'] <> "")
|
|
111
|
$pconfig['os'] = $a_filter[$id]['os'];
|
|
112
|
|
|
113
|
address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
|
|
114
|
$pconfig['dstmask'], $pconfig['dstnot'],
|
|
115
|
$pconfig['dstbeginport'], $pconfig['dstendport']);
|
|
116
|
|
|
117
|
if ($a_filter[$id]['dscp'] <> "")
|
|
118
|
$pconfig['dscp'] = $a_filter[$id]['dscp'];
|
|
119
|
|
|
120
|
$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
|
|
121
|
$pconfig['log'] = isset($a_filter[$id]['log']);
|
|
122
|
$pconfig['descr'] = $a_filter[$id]['descr'];
|
|
123
|
|
|
124
|
if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
|
|
125
|
$pconfig['tag'] = $a_filter[$id]['tag'];
|
|
126
|
if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tagged'] <> "")
|
|
127
|
$pconfig['tagged'] = $a_filter[$id]['tagged'];
|
|
128
|
if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
|
|
129
|
$pconfig['quick'] = $a_filter[$id]['quick'];
|
|
130
|
if (isset($a_filter[$id]['allowopts']))
|
|
131
|
$pconfig['allowopts'] = true;
|
|
132
|
|
|
133
|
/* advanced */
|
|
134
|
$pconfig['max'] = $a_filter[$id]['max'];
|
|
135
|
$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
|
|
136
|
$pconfig['max-src-conn'] = $a_filter[$id]['max-src-conn'];
|
|
137
|
$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
|
|
138
|
$pconfig['statetype'] = $a_filter[$id]['statetype'];
|
|
139
|
$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
|
|
140
|
|
|
141
|
/* advanced - nosync */
|
|
142
|
$pconfig['nosync'] = isset($a_filter[$id]['nosync']);
|
|
143
|
|
|
144
|
/* advanced - new connection per second banning*/
|
|
145
|
$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
|
|
146
|
$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];
|
|
147
|
|
|
148
|
/* Multi-WAN next-hop support */
|
|
149
|
$pconfig['gateway'] = $a_filter[$id]['gateway'];
|
|
150
|
|
|
151
|
/* Shaper support */
|
|
152
|
$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
|
|
153
|
$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];
|
|
154
|
$pconfig['dnpipe'] = $a_filter[$id]['dnpipe'];
|
|
155
|
$pconfig['pdnpipe'] = $a_filter[$id]['pdnpipe'];
|
|
156
|
$pconfig['l7container'] = $a_filter[$id]['l7container'];
|
|
157
|
|
|
158
|
//schedule support
|
|
159
|
$pconfig['sched'] = $a_filter[$id]['sched'];
|
|
160
|
$pconfig['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id'];
|
|
161
|
|
|
162
|
} else {
|
|
163
|
/* defaults */
|
|
164
|
if ($_GET['if'])
|
|
165
|
$pconfig['interface'] = $_GET['if'];
|
|
166
|
$pconfig['type'] = "pass";
|
|
167
|
$pconfig['src'] = "any";
|
|
168
|
$pconfig['dst'] = "any";
|
|
169
|
}
|
|
170
|
/* Allow the FlotingRules to work */
|
|
171
|
$if = $pconfig['interface'];
|
|
172
|
|
|
173
|
if (isset($_GET['dup']))
|
|
174
|
unset($id);
|
|
175
|
|
|
176
|
if ($_POST) {
|
|
177
|
|
|
178
|
if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
|
|
179
|
$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";
|
|
180
|
|
|
181
|
if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
|
|
182
|
$_POST['srcbeginport'] = 0;
|
|
183
|
$_POST['srcendport'] = 0;
|
|
184
|
$_POST['dstbeginport'] = 0;
|
|
185
|
$_POST['dstendport'] = 0;
|
|
186
|
} else {
|
|
187
|
|
|
188
|
if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
|
|
189
|
$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
|
|
190
|
if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
|
|
191
|
$_POST['srcendport'] = $_POST['srcendport_cust'];
|
|
192
|
|
|
193
|
if ($_POST['srcbeginport'] == "any") {
|
|
194
|
$_POST['srcbeginport'] = 0;
|
|
195
|
$_POST['srcendport'] = 0;
|
|
196
|
} else {
|
|
197
|
if (!$_POST['srcendport'])
|
|
198
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
199
|
}
|
|
200
|
if ($_POST['srcendport'] == "any")
|
|
201
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
202
|
|
|
203
|
if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
|
|
204
|
$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
|
|
205
|
if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
|
|
206
|
$_POST['dstendport'] = $_POST['dstendport_cust'];
|
|
207
|
|
|
208
|
if ($_POST['dstbeginport'] == "any") {
|
|
209
|
$_POST['dstbeginport'] = 0;
|
|
210
|
$_POST['dstendport'] = 0;
|
|
211
|
} else {
|
|
212
|
if (!$_POST['dstendport'])
|
|
213
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
214
|
}
|
|
215
|
if ($_POST['dstendport'] == "any")
|
|
216
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
217
|
}
|
|
218
|
|
|
219
|
if (is_specialnet($_POST['srctype'])) {
|
|
220
|
$_POST['src'] = $_POST['srctype'];
|
|
221
|
$_POST['srcmask'] = 0;
|
|
222
|
} else if ($_POST['srctype'] == "single") {
|
|
223
|
$_POST['srcmask'] = 32;
|
|
224
|
}
|
|
225
|
if (is_specialnet($_POST['dsttype'])) {
|
|
226
|
$_POST['dst'] = $_POST['dsttype'];
|
|
227
|
$_POST['dstmask'] = 0;
|
|
228
|
} else if ($_POST['dsttype'] == "single") {
|
|
229
|
$_POST['dstmask'] = 32;
|
|
230
|
}
|
|
231
|
|
|
232
|
unset($input_errors);
|
|
233
|
$pconfig = $_POST;
|
|
234
|
|
|
235
|
/* run through $_POST items encoding HTML entties so that the user
|
|
236
|
* cannot think he is slick and perform a XSS attack on the unwilling
|
|
237
|
*/
|
|
238
|
foreach ($_POST as $key => $value) {
|
|
239
|
$temp = $value;
|
|
240
|
if (isset($_POST['floating']) && $key == "interface")
|
|
241
|
continue;
|
|
242
|
$newpost = htmlentities($temp);
|
|
243
|
if($newpost <> $temp)
|
|
244
|
$input_errors[] = "Invalid characters detected ($temp). Please remove invalid characters and save again.";
|
|
245
|
}
|
|
246
|
|
|
247
|
/* input validation */
|
|
248
|
$reqdfields = explode(" ", "type proto src");
|
|
249
|
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false )
|
|
250
|
$redqfields[] = "dst";
|
|
251
|
$reqdfieldsn = explode(",", "Type,Protocol,Source");
|
|
252
|
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false )
|
|
253
|
$reqdfieldsn[] = "Destination";
|
|
254
|
|
|
255
|
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
|
|
256
|
if( $_POST['proto'] != "tcp" )
|
|
257
|
$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
|
|
258
|
if(($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
|
|
259
|
$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
|
|
260
|
}
|
|
261
|
|
|
262
|
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
|
|
263
|
$reqdfields[] = "srcmask";
|
|
264
|
$reqdfieldsn[] = "Source bit count";
|
|
265
|
}
|
|
266
|
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false &&
|
|
267
|
(!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) ) {
|
|
268
|
$reqdfields[] = "dstmask";
|
|
269
|
$reqdfieldsn[] = "Destination bit count";
|
|
270
|
}
|
|
271
|
|
|
272
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
|
|
273
|
|
|
274
|
if (!$_POST['srcbeginport']) {
|
|
275
|
$_POST['srcbeginport'] = 0;
|
|
276
|
$_POST['srcendport'] = 0;
|
|
277
|
}
|
|
278
|
if (!$_POST['dstbeginport']) {
|
|
279
|
$_POST['dstbeginport'] = 0;
|
|
280
|
$_POST['dstendport'] = 0;
|
|
281
|
}
|
|
282
|
|
|
283
|
if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport']))
|
|
284
|
$input_errors[] = "{$_POST['srcbeginport']} is not a valid start source port. It must be a port alias or integer between 1 and 65535.";
|
|
285
|
if ($_POST['srcendport'] && !is_portoralias($_POST['srcendport']))
|
|
286
|
$input_errors[] = "{$_POST['srcendport']} is not a valid end source port. It must be a port alias or integer between 1 and 65535.";
|
|
287
|
if ($_POST['dstbeginport'] && !is_portoralias($_POST['dstbeginport']))
|
|
288
|
$input_errors[] = "{$_POST['dstbeginport']} is not a valid start destination port. It must be a port alias or integer between 1 and 65535.";
|
|
289
|
if ($_POST['dstendport'] && !is_portoralias($_POST['dstendport']))
|
|
290
|
$input_errors[] = "{$_POST['dstendport']} is not a valid end destination port. It must be a port alias or integer between 1 and 65535.";
|
|
291
|
|
|
292
|
/* if user enters an alias and selects "network" then disallow. */
|
|
293
|
if($_POST['srctype'] == "network") {
|
|
294
|
if(is_alias($_POST['src']))
|
|
295
|
$input_errors[] = "You must specify single host or alias for alias entries.";
|
|
296
|
}
|
|
297
|
if($_POST['dsttype'] == "network") {
|
|
298
|
if(is_alias($_POST['dst']))
|
|
299
|
$input_errors[] = "You must specify single host or alias for alias entries.";
|
|
300
|
}
|
|
301
|
|
|
302
|
if (!is_specialnet($_POST['srctype'])) {
|
|
303
|
if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
|
|
304
|
$input_errors[] = "{$_POST['src']} is not a valid source IP address or alias.";
|
|
305
|
}
|
|
306
|
if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
|
|
307
|
$input_errors[] = "A valid source bit count must be specified.";
|
|
308
|
}
|
|
309
|
}
|
|
310
|
if (!is_specialnet($_POST['dsttype'])) {
|
|
311
|
if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
|
|
312
|
$input_errors[] = "{$_POST['dst']} is not a valid destination IP address or alias.";
|
|
313
|
}
|
|
314
|
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
|
|
315
|
$input_errors[] = "A valid destination bit count must be specified.";
|
|
316
|
}
|
|
317
|
}
|
|
318
|
|
|
319
|
if ($_POST['srcbeginport'] > $_POST['srcendport']) {
|
|
320
|
/* swap */
|
|
321
|
$tmp = $_POST['srcendport'];
|
|
322
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
323
|
$_POST['srcbeginport'] = $tmp;
|
|
324
|
}
|
|
325
|
if ($_POST['dstbeginport'] > $_POST['dstendport']) {
|
|
326
|
/* swap */
|
|
327
|
$tmp = $_POST['dstendport'];
|
|
328
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
329
|
$_POST['dstbeginport'] = $tmp;
|
|
330
|
}
|
|
331
|
if ($_POST['os'])
|
|
332
|
if( $_POST['proto'] != "tcp" )
|
|
333
|
$input_errors[] = "OS detection is only valid with protocol tcp.";
|
|
334
|
|
|
335
|
if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
|
|
336
|
if ($_POST['defaultqueue'] == "none" )
|
|
337
|
$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
|
|
338
|
else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
|
|
339
|
$input_errors[] = "Acknowledge queue and Queue cannot be the same.";
|
|
340
|
}
|
|
341
|
if ($_POST['pdnpipe'] && $_POST['pdnpipe'] != "none") {
|
|
342
|
if ($_POST['dnpipe'] == "none" )
|
|
343
|
$input_errors[] = "You must select a queue for the In direction before selecting one for Out too.";
|
|
344
|
else if ($_POST['pdnpipe'] == $_POST['dnpipe'])
|
|
345
|
$input_errors[] = "In and Out Queue cannot be the same.";
|
|
346
|
else if ($pdnpipe[0] == "?" && $dnpipe[0] <> "?")
|
|
347
|
$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
|
|
348
|
else if ($dnpipe[0] == "?" && $pdnpipe[0] <> "?")
|
|
349
|
$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
|
|
350
|
}
|
|
351
|
if( !empty($_POST['ruleid']) && !ctype_digit($_POST['ruleid']))
|
|
352
|
$input_errors[] = 'ID must be an integer';
|
|
353
|
if($_POST['l7container'] && $_POST['l7container'] != "none") {
|
|
354
|
if(!($_POST['proto'] == "tcp" || $_POST['proto'] == "udp" || $_POST['proto'] == "tcp/udp"))
|
|
355
|
$input_errors[] = "You can only select a layer7 container for tcp and/or udp protocols";
|
|
356
|
if ($_POST['type'] <> "pass")
|
|
357
|
$input_errors[] = "You can only select a layer7 container for Pass type rules.";
|
|
358
|
}
|
|
359
|
|
|
360
|
if (!$input_errors) {
|
|
361
|
$filterent = array();
|
|
362
|
$filterent['id'] = $_POST['ruleid']>0?$_POST['ruleid']:'';
|
|
363
|
$filterent['type'] = $_POST['type'];
|
|
364
|
if (isset($_POST['interface'] ))
|
|
365
|
$filterent['interface'] = $_POST['interface'];
|
|
366
|
|
|
367
|
if ($if == "FloatingRules" || isset($_POST['floating'])) {
|
|
368
|
if (isset($_POST['tag']))
|
|
369
|
$filterent['tag'] = $_POST['tag'];
|
|
370
|
if (isset($_POST['tagged']))
|
|
371
|
$filterent['tagged'] = $_POST['tagged'];
|
|
372
|
$filterent['direction'] = $_POST['direction'];
|
|
373
|
if (isset($_POST['quick']) && $_POST['quick'] <> "")
|
|
374
|
$filterent['quick'] = $_POST['quick'];
|
|
375
|
$filterent['floating'] = "yes";
|
|
376
|
if (isset($_POST['interface']) && count($_POST['interface']) > 0) {
|
|
377
|
$filterent['interface'] = implode(",", $_POST['interface']);
|
|
378
|
}
|
|
379
|
}
|
|
380
|
|
|
381
|
/* Advanced options */
|
|
382
|
if ($_POST['allowopts'] == "yes")
|
|
383
|
$filterent['allowopts'] = true;
|
|
384
|
else
|
|
385
|
unset($filterent['allowopts']);
|
|
386
|
$filterent['max'] = $_POST['max'];
|
|
387
|
$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
|
|
388
|
$filterent['max-src-conn'] = $_POST['max-src-conn'];
|
|
389
|
$filterent['max-src-states'] = $_POST['max-src-states'];
|
|
390
|
$filterent['statetimeout'] = $_POST['statetimeout'];
|
|
391
|
$filterent['statetype'] = $_POST['statetype'];
|
|
392
|
$filterent['os'] = $_POST['os'];
|
|
393
|
|
|
394
|
/* Nosync directive - do not xmlrpc sync this item */
|
|
395
|
if($_POST['nosync'] <> "")
|
|
396
|
$filterent['nosync'] = true;
|
|
397
|
else
|
|
398
|
unset($filterent['nosync']);
|
|
399
|
|
|
400
|
/* unless both values are provided, unset the values - ticket #650 */
|
|
401
|
if($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] <> "") {
|
|
402
|
$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
|
|
403
|
$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
|
|
404
|
} else {
|
|
405
|
unset($filterent['max-src-conn-rate']);
|
|
406
|
unset($filterent['max-src-conn-rates']);
|
|
407
|
}
|
|
408
|
|
|
409
|
if ($_POST['proto'] != "any")
|
|
410
|
$filterent['protocol'] = $_POST['proto'];
|
|
411
|
else
|
|
412
|
unset($filterent['protocol']);
|
|
413
|
|
|
414
|
if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
|
|
415
|
$filterent['icmptype'] = $_POST['icmptype'];
|
|
416
|
else
|
|
417
|
unset($filterent['icmptype']);
|
|
418
|
|
|
419
|
pconfig_to_address($filterent['source'], $_POST['src'],
|
|
420
|
$_POST['srcmask'], $_POST['srcnot'],
|
|
421
|
$_POST['srcbeginport'], $_POST['srcendport']);
|
|
422
|
|
|
423
|
pconfig_to_address($filterent['destination'], $_POST['dst'],
|
|
424
|
$_POST['dstmask'], $_POST['dstnot'],
|
|
425
|
$_POST['dstbeginport'], $_POST['dstendport']);
|
|
426
|
|
|
427
|
if ($_POST['disabled'])
|
|
428
|
$filterent['disabled'] = true;
|
|
429
|
else
|
|
430
|
unset($filterent['disabled']);
|
|
431
|
|
|
432
|
if ($_POST['dscp'])
|
|
433
|
$filterent['dscp'] = $_POST['dscp'];
|
|
434
|
|
|
435
|
if ($_POST['log'])
|
|
436
|
$filterent['log'] = true;
|
|
437
|
else
|
|
438
|
unset($filterent['log']);
|
|
439
|
strncpy($filterent['descr'], $_POST['descr'], 52);
|
|
440
|
|
|
441
|
if ($_POST['gateway'] != "") {
|
|
442
|
$filterent['gateway'] = $_POST['gateway'];
|
|
443
|
}
|
|
444
|
|
|
445
|
if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
|
|
446
|
$filterent['defaultqueue'] = $_POST['defaultqueue'];
|
|
447
|
if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
|
|
448
|
$filterent['ackqueue'] = $_POST['ackqueue'];
|
|
449
|
}
|
|
450
|
|
|
451
|
if (isset($_POST['dnpipe']) && $_POST['dnpipe'] != "none") {
|
|
452
|
$filterent['dnpipe'] = $_POST['dnpipe'];
|
|
453
|
if (isset($_POST['pdnpipe']) && $_POST['pdnpipe'] != "none")
|
|
454
|
$filterent['pdnpipe'] = $_POST['pdnpipe'];
|
|
455
|
}
|
|
456
|
|
|
457
|
if (isset($_POST['l7container']) && $_POST['l7container'] != "none") {
|
|
458
|
$filterent['l7container'] = $_POST['l7container'];
|
|
459
|
}
|
|
460
|
|
|
461
|
if ($_POST['sched'] != "") {
|
|
462
|
$filterent['sched'] = $_POST['sched'];
|
|
463
|
}
|
|
464
|
|
|
465
|
// If we have an associated nat rule, make sure the destination doesn't change
|
|
466
|
if( isset($a_filter[$id]['associated-nat-rule-id']) ) {
|
|
467
|
$filterent['destination'] = $a_filter[$id]['destination'];
|
|
468
|
$filterent['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id'];
|
|
469
|
}
|
|
470
|
|
|
471
|
if (isset($id) && $a_filter[$id])
|
|
472
|
$a_filter[$id] = $filterent;
|
|
473
|
else {
|
|
474
|
if (is_numeric($after))
|
|
475
|
array_splice($a_filter, $after+1, 0, array($filterent));
|
|
476
|
else
|
|
477
|
$a_filter[] = $filterent;
|
|
478
|
}
|
|
479
|
|
|
480
|
write_config();
|
|
481
|
mark_subsystem_dirty('filter');
|
|
482
|
|
|
483
|
if (isset($_POST['floating']))
|
|
484
|
header("Location: firewall_rules.php?if=FloatingRules");
|
|
485
|
else
|
|
486
|
header("Location: firewall_rules.php?if=" . $_POST['interface']);
|
|
487
|
exit;
|
|
488
|
}
|
|
489
|
}
|
|
490
|
|
|
491
|
read_altq_config(); /* XXX: */
|
|
492
|
$qlist =& get_unique_queue_list();
|
|
493
|
read_dummynet_config(); /* XXX: */
|
|
494
|
$dnqlist =& get_unique_dnqueue_list();
|
|
495
|
read_layer7_config();
|
|
496
|
$l7clist =& get_l7_unique_list();
|
|
497
|
|
|
498
|
$pgtitle = array("Firewall","Rules","Edit");
|
|
499
|
$closehead = false;
|
|
500
|
|
|
501
|
$page_filename = "firewall_rules_edit.php";
|
|
502
|
include("head.inc");
|
|
503
|
|
|
504
|
?>
|
|
505
|
|
|
506
|
</head>
|
|
507
|
|
|
508
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
|
509
|
<?php include("fbegin.inc"); ?>
|
|
510
|
<?php if ($input_errors) print_input_errors($input_errors); ?>
|
|
511
|
|
|
512
|
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
|
|
513
|
<input type='hidden' name="ruleid" value="<?=(isset($pconfig['ruleid'])&&$pconfig['ruleid']>0)?htmlspecialchars($pconfig['ruleid']):''?>">
|
|
514
|
|
|
515
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
|
516
|
<tr>
|
|
517
|
<td colspan="2" valign="top" class="listtopic">Edit Firewall rule</td>
|
|
518
|
</tr>
|
|
519
|
<tr>
|
|
520
|
<td width="22%" valign="top" class="vncellreq">Action</td>
|
|
521
|
<td width="78%" class="vtable">
|
|
522
|
<select name="type" class="formselect">
|
|
523
|
<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
|
|
524
|
<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
|
|
525
|
<?=htmlspecialchars($type);?>
|
|
526
|
</option>
|
|
527
|
<?php endforeach; ?>
|
|
528
|
</select>
|
|
529
|
<br/>
|
|
530
|
<span class="vexpl">
|
|
531
|
Choose what to do with packets that match the criteria specified below. <br/>
|
|
532
|
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.
|
|
533
|
</span>
|
|
534
|
</td>
|
|
535
|
</tr>
|
|
536
|
<tr>
|
|
537
|
<td width="22%" valign="top" class="vncellreq">Disabled</td>
|
|
538
|
<td width="78%" class="vtable">
|
|
539
|
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
|
|
540
|
<strong>Disable this rule</strong><br />
|
|
541
|
<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
|
|
542
|
</td>
|
|
543
|
</tr>
|
|
544
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
|
545
|
<tr>
|
|
546
|
<td width="22%" valign="top" class="vncellreq">
|
|
547
|
<?=gettext("Quick");?>
|
|
548
|
</td>
|
|
549
|
<td width="78%" class="vtable">
|
|
550
|
<input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
|
|
551
|
<strong><?=gettext("Apply the action immediately on match.");?></strong><br />
|
|
552
|
<span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
|
|
553
|
</td>
|
|
554
|
</tr>
|
|
555
|
<? endif; ?>
|
|
556
|
<tr>
|
|
557
|
<td width="22%" valign="top" class="vncellreq">Interface</td>
|
|
558
|
<td width="78%" class="vtable">
|
|
559
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
|
560
|
<select name="interface[]" multiple="true" class="formselect" size="3">
|
|
561
|
<? else: ?>
|
|
562
|
<select name="interface" class="formselect">
|
|
563
|
<?php
|
|
564
|
endif;
|
|
565
|
/* add group interfaces */
|
|
566
|
if (is_array($config['ifgroups']['ifgroupentry']))
|
|
567
|
foreach($config['ifgroups']['ifgroupentry'] as $ifgen)
|
|
568
|
if (have_ruleint_access($ifgen['ifname']))
|
|
569
|
$interfaces[$ifgen['ifname']] = $ifgen['ifname'];
|
|
570
|
$ifdescs = get_configured_interface_with_descr();
|
|
571
|
foreach ($ifdescs as $ifent => $ifdesc)
|
|
572
|
if(have_ruleint_access($ifent))
|
|
573
|
$interfaces[$ifent] = $ifdesc;
|
|
574
|
if ($config['l2tp']['mode'] == "server")
|
|
575
|
if(have_ruleint_access("l2tp"))
|
|
576
|
$interfaces['l2tp'] = "L2TP VPN";
|
|
577
|
if ($config['pptpd']['mode'] == "server")
|
|
578
|
if(have_ruleint_access("pptp"))
|
|
579
|
$interfaces['pptp'] = "PPTP VPN";
|
|
580
|
|
|
581
|
if ($config['pppoe']['mode'] == "server")
|
|
582
|
if(have_ruleint_access("pppoe"))
|
|
583
|
$interfaces['pppoe'] = "PPPoE VPN";
|
|
584
|
/* add ipsec interfaces */
|
|
585
|
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
|
|
586
|
if(have_ruleint_access("enc0"))
|
|
587
|
$interfaces["enc0"] = "IPsec";
|
|
588
|
/* add openvpn/tun interfaces */
|
|
589
|
if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
|
|
590
|
$interfaces["openvpn"] = "OpenVPN";
|
|
591
|
foreach ($interfaces as $iface => $ifacename): ?>
|
|
592
|
<option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option>
|
|
593
|
<?php endforeach; ?>
|
|
594
|
</select>
|
|
595
|
<br />
|
|
596
|
<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
|
|
597
|
</td>
|
|
598
|
</tr>
|
|
599
|
<?php if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
|
|
600
|
<tr>
|
|
601
|
<td width="22%" valign="top" class="vncellreq">
|
|
602
|
<?=gettext("Direction");?>
|
|
603
|
</td>
|
|
604
|
<td width="78%" class="vtable">
|
|
605
|
<select name="direction" class="formselect">
|
|
606
|
<?php $directions = array('any', 'in', 'out');
|
|
607
|
foreach ($directions as $direction): ?>
|
|
608
|
<option value="<?=$direction;?>"
|
|
609
|
<?php if ($direction == $pconfig['direction']): ?>
|
|
610
|
selected="selected"
|
|
611
|
<?php endif; ?>
|
|
612
|
><?=$direction;?></option>
|
|
613
|
<?php endforeach; ?>
|
|
614
|
</select>
|
|
615
|
<input type="hidden" id="floating" name="floating" value="floating">
|
|
616
|
</td>
|
|
617
|
<tr>
|
|
618
|
<?php endif; ?>
|
|
619
|
<tr>
|
|
620
|
<td width="22%" valign="top" class="vncellreq">Protocol</td>
|
|
621
|
<td width="78%" class="vtable">
|
|
622
|
<select name="proto" class="formselect" onchange="proto_change()">
|
|
623
|
<?php
|
|
624
|
$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
|
|
625
|
foreach ($protocols as $proto): ?>
|
|
626
|
<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
|
|
627
|
<?php endforeach; ?>
|
|
628
|
</select>
|
|
629
|
<br />
|
|
630
|
<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em> here.</span>
|
|
631
|
</td>
|
|
632
|
</tr>
|
|
633
|
<tr id="icmpbox" name="icmpbox">
|
|
634
|
<td valign="top" class="vncell">ICMP type</td>
|
|
635
|
<td class="vtable">
|
|
636
|
<select name="icmptype" class="formselect">
|
|
637
|
<?php
|
|
638
|
$icmptypes = array(
|
|
639
|
"" => "any",
|
|
640
|
"echorep" => "Echo reply",
|
|
641
|
"unreach" => "Destination unreachable",
|
|
642
|
"squench" => "Source quench",
|
|
643
|
"redir" => "Redirect",
|
|
644
|
"althost" => "Alternate Host",
|
|
645
|
"echoreq" => "Echo",
|
|
646
|
"routeradv" => "Router advertisement",
|
|
647
|
"routersol" => "Router solicitation",
|
|
648
|
"timex" => "Time exceeded",
|
|
649
|
"paramprob" => "Invalid IP header",
|
|
650
|
"timereq" => "Timestamp",
|
|
651
|
"timerep" => "Timestamp reply",
|
|
652
|
"inforeq" => "Information request",
|
|
653
|
"inforep" => "Information reply",
|
|
654
|
"maskreq" => "Address mask request",
|
|
655
|
"maskrep" => "Address mask reply"
|
|
656
|
);
|
|
657
|
|
|
658
|
foreach ($icmptypes as $icmptype => $descr): ?>
|
|
659
|
<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
|
|
660
|
<?php endforeach; ?>
|
|
661
|
</select>
|
|
662
|
<br />
|
|
663
|
<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
|
|
664
|
</td>
|
|
665
|
</tr>
|
|
666
|
<tr>
|
|
667
|
<td width="22%" valign="top" class="vncellreq">Source</td>
|
|
668
|
<td width="78%" class="vtable">
|
|
669
|
<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
|
|
670
|
<strong>not</strong>
|
|
671
|
<br />
|
|
672
|
Use this option to invert the sense of the match.
|
|
673
|
<br />
|
|
674
|
<br />
|
|
675
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
676
|
<tr>
|
|
677
|
<td>Type: </td>
|
|
678
|
<td>
|
|
679
|
<select name="srctype" class="formselect" onChange="typesel_change()">
|
|
680
|
<?php
|
|
681
|
$sel = is_specialnet($pconfig['src']); ?>
|
|
682
|
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
|
|
683
|
<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
|
|
684
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
|
|
685
|
<?php if(have_ruleint_access("pptp")): ?>
|
|
686
|
<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
|
|
687
|
<?php endif; ?>
|
|
688
|
<?php if(have_ruleint_access("pppoe")): ?>
|
|
689
|
<option value="pppoe" <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
|
|
690
|
<?php endif; ?>
|
|
691
|
<?php if(have_ruleint_access("l2tp")): ?>
|
|
692
|
<option value="l2tp" <?php if ($pconfig['src'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
|
|
693
|
<?php endif; ?>
|
|
694
|
<?php
|
|
695
|
foreach ($ifdisp as $ifent => $ifdesc): ?>
|
|
696
|
<?php if(have_ruleint_access($ifent)): ?>
|
|
697
|
<option value="<?=$ifent;?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
|
|
698
|
<option value="<?=$ifent;?>ip"<?php if ($pconfig['src'] == $ifent . "ip") { echo "selected"; } ?>>
|
|
699
|
<?=$ifdesc?> address
|
|
700
|
</option>
|
|
701
|
<?php endif; ?>
|
|
702
|
<?php endforeach; ?>
|
|
703
|
</select>
|
|
704
|
</td>
|
|
705
|
</tr>
|
|
706
|
<tr>
|
|
707
|
<td>Address: </td>
|
|
708
|
<td>
|
|
709
|
<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
|
|
710
|
<select name="srcmask" class="formselect" id="srcmask">
|
|
711
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
|
712
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
|
|
713
|
<?php endfor; ?>
|
|
714
|
</select>
|
|
715
|
</td>
|
|
716
|
</tr>
|
|
717
|
</table>
|
|
718
|
<div id="showadvancedboxspr">
|
|
719
|
<p>
|
|
720
|
<input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
|
|
721
|
</div>
|
|
722
|
</td>
|
|
723
|
</tr>
|
|
724
|
<tr style="display:none" id="sprtable" name="sprtable">
|
|
725
|
<td width="22%" valign="top" class="vncellreq">Source port range</td>
|
|
726
|
<td width="78%" class="vtable">
|
|
727
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
728
|
<tr>
|
|
729
|
<td>from: </td>
|
|
730
|
<td>
|
|
731
|
<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
|
|
732
|
<option value="">(other)</option>
|
|
733
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
734
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
735
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
736
|
<?php endforeach; ?>
|
|
737
|
</select>
|
|
738
|
<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
|
|
739
|
</td>
|
|
740
|
</tr>
|
|
741
|
<tr>
|
|
742
|
<td>to:</td>
|
|
743
|
<td>
|
|
744
|
<select name="srcendport" class="formselect" onchange="ext_change()">
|
|
745
|
<option value="">(other)</option>
|
|
746
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
747
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
748
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
749
|
<?php endforeach; ?>
|
|
750
|
</select>
|
|
751
|
<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
|
|
752
|
</td>
|
|
753
|
</tr>
|
|
754
|
</table>
|
|
755
|
<br />
|
|
756
|
<span class="vexpl">Specify the source port or port range for this rule. <b>This is almost never equal to the destination port range (and is usually "any")</b>. <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
|
|
757
|
</td>
|
|
758
|
</tr>
|
|
759
|
<tr>
|
|
760
|
<td width="22%" valign="top" class="vncellreq">Destination</td>
|
|
761
|
<td width="78%" class="vtable">
|
|
762
|
<?php $dst_disabled=false; ?>
|
|
763
|
<?php if( isset($pconfig['associated-nat-rule-id']) ): ?>
|
|
764
|
<span class="red"><strong>NOTE: </strong></span> This is associated to a NAT rule.<br />
|
|
765
|
You cannot edit the destination of associated filter rules.<br />
|
|
766
|
<br />
|
|
767
|
<a href="firewall_nat_edit.php?id=<?=$pconfig['associated-nat-rule-id'];?>">View the NAT rule</a><br />
|
|
768
|
<br />
|
|
769
|
<?php $dst_disabled=true; ?>
|
|
770
|
<script type="text/javascript">
|
|
771
|
dstenabled = 0;
|
|
772
|
</script>
|
|
773
|
<?php endif; ?>
|
|
774
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
|
|
775
|
<strong>not</strong>
|
|
776
|
<br />
|
|
777
|
Use this option to invert the sense of the match.
|
|
778
|
<br />
|
|
779
|
<br />
|
|
780
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
781
|
<tr>
|
|
782
|
<td>Type: </td>
|
|
783
|
<td>
|
|
784
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dsttype" class="formselect" onChange="typesel_change()">
|
|
785
|
<?php
|
|
786
|
$sel = is_specialnet($pconfig['dst']); ?>
|
|
787
|
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
|
|
788
|
<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
|
|
789
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
|
|
790
|
<?php if(have_ruleint_access("pptp")): ?>
|
|
791
|
<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
|
|
792
|
<?php endif; ?>
|
|
793
|
<?php if(have_ruleint_access("pppoe")): ?>
|
|
794
|
<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
|
|
795
|
<?php endif; ?>
|
|
796
|
<?php if(have_ruleint_access("l2tp")): ?>
|
|
797
|
<option value="l2tp" <?php if ($pconfig['dst'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
|
|
798
|
<?php endif; ?>
|
|
799
|
|
|
800
|
<?php foreach ($ifdisp as $if => $ifdesc): ?>
|
|
801
|
<?php if(have_ruleint_access($if)): ?>
|
|
802
|
<option value="<?=$if;?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
|
|
803
|
<option value="<?=$if;?>ip"<?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
|
|
804
|
<?=$ifdesc;?> address
|
|
805
|
</option>
|
|
806
|
<?php endif; ?>
|
|
807
|
<?php endforeach; ?>
|
|
808
|
</select>
|
|
809
|
</td>
|
|
810
|
</tr>
|
|
811
|
<tr>
|
|
812
|
<td>Address: </td>
|
|
813
|
<td>
|
|
814
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
|
815
|
/
|
|
816
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstmask" class="formselect" id="dstmask">
|
|
817
|
<?php
|
|
818
|
for ($i = 31; $i > 0; $i--): ?>
|
|
819
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
|
|
820
|
<?php endfor; ?>
|
|
821
|
</select>
|
|
822
|
</td>
|
|
823
|
</tr>
|
|
824
|
</table>
|
|
825
|
</td>
|
|
826
|
</tr>
|
|
827
|
<tr id="dprtr" name="dprtr">
|
|
828
|
<td width="22%" valign="top" class="vncellreq">Destination port range </td>
|
|
829
|
<td width="78%" class="vtable">
|
|
830
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
831
|
<tr>
|
|
832
|
<td>from: </td>
|
|
833
|
<td>
|
|
834
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
|
|
835
|
<option value="">(other)</option>
|
|
836
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
837
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
838
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
839
|
<?php endforeach; ?>
|
|
840
|
</select>
|
|
841
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
|
|
842
|
</td>
|
|
843
|
</tr>
|
|
844
|
<tr>
|
|
845
|
<td>to:</td>
|
|
846
|
<td>
|
|
847
|
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstendport" class="formselect" onchange="ext_change()">
|
|
848
|
<option value="">(other)</option>
|
|
849
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
850
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
851
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
|
852
|
<?php endforeach; ?>
|
|
853
|
</select>
|
|
854
|
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
|
|
855
|
</td>
|
|
856
|
</tr>
|
|
857
|
</table>
|
|
858
|
<br />
|
|
859
|
<span class="vexpl">
|
|
860
|
Specify the port or port range for the destination of the packet for this rule.
|
|
861
|
<br />
|
|
862
|
Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
|
|
863
|
</span>
|
|
864
|
</td>
|
|
865
|
</tr>
|
|
866
|
<tr>
|
|
867
|
<td width="22%" valign="top" class="vncellreq">Log</td>
|
|
868
|
<td width="78%" class="vtable">
|
|
869
|
<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
|
|
870
|
<strong>Log packets that are handled by this rule</strong>
|
|
871
|
<br />
|
|
872
|
<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
|
|
873
|
</td>
|
|
874
|
</tr>
|
|
875
|
<tr>
|
|
876
|
<td width="22%" valign="top" class="vncell">Description</td>
|
|
877
|
<td width="78%" class="vtable">
|
|
878
|
<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
|
|
879
|
<br />
|
|
880
|
<span class="vexpl">You may enter a description here for your reference.</span>
|
|
881
|
</td>
|
|
882
|
</tr>
|
|
883
|
<tr>
|
|
884
|
<td width="22%" valign="top"> </td>
|
|
885
|
<td width="78%">
|
|
886
|
<br>
|
|
887
|
<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
|
|
888
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
|
889
|
<input name="id" type="hidden" value="<?=$id;?>">
|
|
890
|
<?php endif; ?>
|
|
891
|
<input name="after" type="hidden" value="<?=$after;?>">
|
|
892
|
</td>
|
|
893
|
</tr>
|
|
894
|
<tr>
|
|
895
|
<td> </td>
|
|
896
|
</tr>
|
|
897
|
<tr>
|
|
898
|
<td colspan="2" valign="top" class="listtopic">Advanced features</td>
|
|
899
|
</tr>
|
|
900
|
<tr>
|
|
901
|
<td width="22%" valign="top" class="vncell">Source OS</td>
|
|
902
|
<td width="78%" class="vtable">
|
|
903
|
<div id="showadvsourceosbox">
|
|
904
|
<input type="button" onClick="show_advanced_sourceos()" value="Advanced"></input> - Show advanced option</a>
|
|
905
|
</div>
|
|
906
|
<div id="showsourceosadv" style="display:none">
|
|
907
|
OS Type:
|
|
908
|
<select name="os" id="os" class="formselect">
|
|
909
|
<?php
|
|
910
|
$ostypes = array(
|
|
911
|
"" => "any",
|
|
912
|
"AIX" => "AIX",
|
|
913
|
"Linux" => "Linux",
|
|
914
|
"FreeBSD" => "FreeBSD",
|
|
915
|
"NetBSD" => "NetBSD",
|
|
916
|
"OpenBSD" => "OpenBSD",
|
|
917
|
"Solaris" => "Solaris",
|
|
918
|
"MacOS" => "MacOS",
|
|
919
|
"Windows" => "Windows",
|
|
920
|
"Novell" => "Novell",
|
|
921
|
"NMAP" => "NMAP"
|
|
922
|
);
|
|
923
|
foreach ($ostypes as $ostype => $descr): ?>
|
|
924
|
<option value="<?=$ostype;?>" <?php if ($ostype == $pconfig['os']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
|
|
925
|
<?php
|
|
926
|
endforeach;
|
|
927
|
?>
|
|
928
|
</select>
|
|
929
|
<br />
|
|
930
|
Note: this only works for TCP rules
|
|
931
|
</div>
|
|
932
|
</td>
|
|
933
|
</tr>
|
|
934
|
<tr>
|
|
935
|
<td width="22%" valign="top" class="vncell">Diffserv Code Point</td>
|
|
936
|
<td width="78%" class="vtable">
|
|
937
|
<div id="dsadv" name="dsadv">
|
|
938
|
<input type="button" onClick="show_dsdiv();" value="Advanced"> - Show advanced option
|
|
939
|
</div>
|
|
940
|
<div id="dsdivmain" name="dsdivmain" style="display:none">
|
|
941
|
<select name="dscp" id="dscp">
|
|
942
|
<option value=""></option>
|
|
943
|
<?php foreach($firewall_rules_dscp_types as $frdt): ?>
|
|
944
|
<option value="<?=$frdt?>"<?php if($pconfig['dscp'] == $frdt) echo " SELECTED"; ?>><?=$frdt?></option>
|
|
945
|
<?php endforeach; ?>
|
|
946
|
</select>
|
|
947
|
</div>
|
|
948
|
</td>
|
|
949
|
</tr>
|
|
950
|
<tr>
|
|
951
|
<td width="22%" valign="top" class="vncell">Advanced Options</td>
|
|
952
|
<td width="78%" class="vtable">
|
|
953
|
<div id="aoadv" name="aoadv">
|
|
954
|
<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced option
|
|
955
|
</div>
|
|
956
|
<div id="aodivmain" name="aodivmain" style="display:none">
|
|
957
|
<input type="checkbox" id="allowopts" value="yes" name="allowopts"<?php if($pconfig['allowopts'] == true) echo " checked"; ?>>
|
|
958
|
<br/><span class="vexpl"><?=gettext("This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.");?>
|
|
959
|
</span><p>
|
|
960
|
<input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
|
|
961
|
<br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other NAT/filter rules. It is called <b>Policy filtering</b>");?>
|
|
962
|
</span><p>
|
|
963
|
<input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>">
|
|
964
|
<br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?>
|
|
965
|
</span> <p>
|
|
966
|
<input name="max" id="max" value="<?php echo $pconfig['max'] ?>"><br> Maximum state entries this rule can create<p>
|
|
967
|
<input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br> Maximum number of unique source host<p>
|
|
968
|
<input name="max-src-conn" id="max-src-conn" value="<?php echo $pconfig['max-src-conn'] ?>"><br> Maximum number of established TCP connections per host<p>
|
|
969
|
<input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br> Maximum state entries per host<p>
|
|
970
|
<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo $pconfig['max-src-conn-rate'] ?>"> /
|
|
971
|
<select name="max-src-conn-rates" id="max-src-conn-rates">
|
|
972
|
<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
|
|
973
|
<?php for($x=1; $x<255; $x++) {
|
|
974
|
if($x == $pconfig['max-src-conn-rates']) $selected = " selected"; else $selected = "";
|
|
975
|
echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
|
|
976
|
} ?>
|
|
977
|
</select><br />
|
|
978
|
Maximum new connections / per second
|
|
979
|
<p>
|
|
980
|
|
|
981
|
<input name="statetimeout" value="<?php echo $pconfig['statetimeout'] ?>"><br>
|
|
982
|
State Timeout in seconds
|
|
983
|
<p />
|
|
984
|
|
|
985
|
<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
|
|
986
|
</div>
|
|
987
|
</td>
|
|
988
|
</tr>
|
|
989
|
<tr>
|
|
990
|
<td width="22%" valign="top" class="vncell">State Type</td>
|
|
991
|
<td width="78%" class="vtable">
|
|
992
|
<div id="showadvstatebox">
|
|
993
|
<input type="button" onClick="show_advanced_state()" value="Advanced"></input> - Show advanced option</a>
|
|
994
|
</div>
|
|
995
|
<div id="showstateadv" style="display:none">
|
|
996
|
<select name="statetype">
|
|
997
|
<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
|
|
998
|
<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
|
|
999
|
<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
|
|
1000
|
</select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
|
|
1001
|
<p>
|
|
1002
|
<table width="90%">
|
|
1003
|
<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
|
|
1004
|
<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
|
|
1005
|
<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track. This is only useful if you're doing advanced queueing in certain situations. Please check the documentation.</ul></td></tr>
|
|
1006
|
</table>
|
|
1007
|
</p>
|
|
1008
|
</div>
|
|
1009
|
</td>
|
|
1010
|
</tr>
|
|
1011
|
<tr>
|
|
1012
|
<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
|
|
1013
|
<td width="78%" class="vtable">
|
|
1014
|
<div id="showadvnoxmlrpcsyncbox">
|
|
1015
|
<input type="button" onClick="show_advanced_noxmlrpc()" value="Advanced"></input> - Show advanced option</a>
|
|
1016
|
</div>
|
|
1017
|
<div id="shownoxmlrpcadv" style="display:none">
|
|
1018
|
<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
|
|
1019
|
HINT: This prevents the rule from automatically syncing to other CARP members.
|
|
1020
|
</div>
|
|
1021
|
</td>
|
|
1022
|
</tr>
|
|
1023
|
<?php
|
|
1024
|
//build list of schedules
|
|
1025
|
$schedules = array();
|
|
1026
|
$schedules[] = "none";//leave none to leave rule enabled all the time
|
|
1027
|
if(is_array($config['schedules']['schedule'])) {
|
|
1028
|
foreach ($config['schedules']['schedule'] as $schedule) {
|
|
1029
|
if ($schedule['name'] <> "")
|
|
1030
|
$schedules[] = $schedule['name'];
|
|
1031
|
}
|
|
1032
|
}
|
|
1033
|
?>
|
|
1034
|
<tr>
|
|
1035
|
<td width="22%" valign="top" class="vncell">Schedule</td>
|
|
1036
|
<td width="78%" class="vtable">
|
|
1037
|
<div id="showadvschedulebox">
|
|
1038
|
<input type="button" onClick="show_advanced_schedule()" value="Advanced"></input> - Show advanced option</a>
|
|
1039
|
</div>
|
|
1040
|
<div id="showscheduleadv" style="display:none">
|
|
1041
|
<select name='sched'>
|
|
1042
|
<?php
|
|
1043
|
foreach($schedules as $schedule) {
|
|
1044
|
if($schedule == $pconfig['sched']) {
|
|
1045
|
$selected = " SELECTED";
|
|
1046
|
} else {
|
|
1047
|
$selected = "";
|
|
1048
|
}
|
|
1049
|
if ($schedule == "none") {
|
|
1050
|
echo "<option value=\"\" {$selected}>{$schedule}</option>\n";
|
|
1051
|
} else {
|
|
1052
|
echo "<option value=\"{$schedule}\" {$selected}>{$schedule}</option>\n";
|
|
1053
|
}
|
|
1054
|
}
|
|
1055
|
?>
|
|
1056
|
</select>
|
|
1057
|
<p>Leave as 'none' to leave the rule enabled all the time.</p>
|
|
1058
|
</div>
|
|
1059
|
</td>
|
|
1060
|
</tr>
|
|
1061
|
|
|
1062
|
<?php
|
|
1063
|
/* build a list of gateways */
|
|
1064
|
$gateways = array();
|
|
1065
|
$gateways[] = "default"; // default to don't use this feature :)
|
|
1066
|
if (is_array($config['gateways']['gateway_item'])) {
|
|
1067
|
foreach($config['gateways']['gateway_item'] as $gw_item) {
|
|
1068
|
if($gw_item['gateway'] <> "")
|
|
1069
|
$gateways[] = $gw_item['name'];
|
|
1070
|
}
|
|
1071
|
}
|
|
1072
|
|
|
1073
|
?>
|
|
1074
|
<tr>
|
|
1075
|
<td width="22%" valign="top" class="vncell">Gateway</td>
|
|
1076
|
<td width="78%" class="vtable">
|
|
1077
|
<div id="showadvgatewaybox">
|
|
1078
|
<input type="button" onClick="show_advanced_gateway()" value="Advanced"></input> - Show advanced option</a>
|
|
1079
|
</div>
|
|
1080
|
<div id="showgatewayadv" style="display:none">
|
|
1081
|
<select name='gateway'>
|
|
1082
|
<?php
|
|
1083
|
foreach($gateways as $gw) {
|
|
1084
|
if($gw == "")
|
|
1085
|
continue;
|
|
1086
|
if($gw == $pconfig['gateway']) {
|
|
1087
|
$selected = " SELECTED";
|
|
1088
|
} else {
|
|
1089
|
$selected = "";
|
|
1090
|
}
|
|
1091
|
if ($gw == "default") {
|
|
1092
|
echo "<option value=\"\" {$selected}>{$gw}</option>\n";
|
|
1093
|
} else {
|
|
1094
|
$gwip = lookup_gateway_ip_by_name($gw);
|
|
1095
|
echo "<option value=\"{$gw}\" {$selected}>{$gw} - {$gwip}</option>\n";
|
|
1096
|
}
|
|
1097
|
}
|
|
1098
|
/* add gateway groups to the list */
|
|
1099
|
if (is_array($config['gateways']['gateway_group'])) {
|
|
1100
|
foreach($config['gateways']['gateway_group'] as $gw_group) {
|
|
1101
|
if($gw_group['name'] == "")
|
|
1102
|
continue;
|
|
1103
|
if($pconfig['gateway'] == $gw_group['name']) {
|
|
1104
|
echo "<option value=\"{$gw_group['name']}\" SELECTED>{$gw_group['name']}</option>\n";
|
|
1105
|
} else {
|
|
1106
|
echo "<option value=\"{$gw_group['name']}\">{$gw_group['name']}</option>\n";
|
|
1107
|
}
|
|
1108
|
}
|
|
1109
|
}
|
|
1110
|
$iflist = get_configured_interface_with_descr();
|
|
1111
|
foreach ($iflist as $ifent => $ifdesc) {
|
|
1112
|
if (in_array($config['interfaces'][$ifent]['ipaddr'],
|
|
1113
|
array("dhcp", "pppoe", "pptp"))) {
|
|
1114
|
if ($pconfig['gateway'] == $ifent) {
|
|
1115
|
$selected = " SELECTED";
|
|
1116
|
} else {
|
|
1117
|
$selected = "";
|
|
1118
|
}
|
|
1119
|
if($ifdesc <> "")
|
|
1120
|
echo "<option value=\"{$ifent}\" {$selected}>".strtoupper($if)." - {$ifdesc}</option>\n";
|
|
1121
|
}
|
|
1122
|
}
|
|
1123
|
?>
|
|
1124
|
</select>
|
|
1125
|
<p><strong>Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.</strong></p>
|
|
1126
|
</div>
|
|
1127
|
</td>
|
|
1128
|
</tr>
|
|
1129
|
<tr>
|
|
1130
|
<td width="22%" valign="top" class="vncell">In/Out</td>
|
|
1131
|
<td width="78%" class="vtable">
|
|
1132
|
<div id="showadvinoutbox">
|
|
1133
|
<input type="button" onClick="show_advanced_inout()" value="Advanced"></input> - Show advanced option</a>
|
|
1134
|
</div>
|
|
1135
|
<div id="showinoutadv" style="display:none">
|
|
1136
|
<select name="dnpipe">
|
|
1137
|
<?php
|
|
1138
|
if (!is_array($dnqlist))
|
|
1139
|
$dnqlist = array();
|
|
1140
|
echo "<option value=\"none\"";
|
|
1141
|
if (!$dnqselected) echo " SELECTED";
|
|
1142
|
echo " >none</option>";
|
|
1143
|
foreach ($dnqlist as $dnq => $dnqkey) {
|
|
1144
|
if($dnq == "")
|
|
1145
|
continue;
|
|
1146
|
echo "<option value=\"$dnqkey\"";
|
|
1147
|
if ($dnqkey == $pconfig['dnpipe']) {
|
|
1148
|
$dnqselected = 1;
|
|
1149
|
echo " SELECTED";
|
|
1150
|
}
|
|
1151
|
echo ">{$dnq}</option>";
|
|
1152
|
}
|
|
1153
|
?>
|
|
1154
|
</select> /
|
|
1155
|
<select name="pdnpipe">
|
|
1156
|
<?php
|
|
1157
|
$dnqselected = 0;
|
|
1158
|
echo "<option value=\"none\"";
|
|
1159
|
if (!$dnqselected) echo " SELECTED";
|
|
1160
|
echo " >none</option>";
|
|
1161
|
foreach ($dnqlist as $dnq => $dnqkey) {
|
|
1162
|
if($dnq == "")
|
|
1163
|
continue;
|
|
1164
|
echo "<option value=\"$dnqkey\"";
|
|
1165
|
if ($dnqkey == $pconfig['pdnpipe']) {
|
|
1166
|
$dnqselected = 1;
|
|
1167
|
echo " SELECTED";
|
|
1168
|
}
|
|
1169
|
echo ">{$dnq}</option>";
|
|
1170
|
}
|
|
1171
|
?>
|
|
1172
|
</select>
|
|
1173
|
<br />
|
|
1174
|
<span class="vexpl">Choose the Out queue/Virtual interface only if you have selected In too. <br/> The Out selection is applied to traffic going out the interface the rule is created, In is the incoming one. <br/> If you are creating a rule on the Floating tab if the direction is In then the same rules apply, if the direction is out the selections are reverted Out is for incoming and In is for outgoing and if you do not select any direction use only the In since the Out selection does not make sense in there to prevent oddities.</span>
|
|
1175
|
</div>
|
|
1176
|
</td>
|
|
1177
|
</tr>
|
|
1178
|
|
|
1179
|
<tr>
|
|
1180
|
<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
|
|
1181
|
<td width="78%" class="vtable">
|
|
1182
|
<div id="showadvackqueuebox">
|
|
1183
|
<input type="button" onClick="show_advanced_ackqueue()" value="Advanced"></input> - Show advanced option</a>
|
|
1184
|
</div>
|
|
1185
|
<div id="showackqueueadv" style="display:none">
|
|
1186
|
<select name="ackqueue">
|
|
1187
|
<?php
|
|
1188
|
if (!is_array($qlist))
|
|
1189
|
$qlist = array();
|
|
1190
|
echo "<option value=\"none\"";
|
|
1191
|
if (!$qselected) echo " SELECTED";
|
|
1192
|
echo " >none</option>";
|
|
1193
|
foreach ($qlist as $q => $qkey) {
|
|
1194
|
if($q == "")
|
|
1195
|
continue;
|
|
1196
|
echo "<option value=\"$q\"";
|
|
1197
|
if ($q == $pconfig['ackqueue']) {
|
|
1198
|
$qselected = 1;
|
|
1199
|
echo " SELECTED";
|
|
1200
|
}
|
|
1201
|
echo ">{$q}</option>";
|
|
1202
|
}
|
|
1203
|
?>
|
|
1204
|
</select> /
|
|
1205
|
<select name="defaultqueue">
|
|
1206
|
<?php
|
|
1207
|
$qselected = 0;
|
|
1208
|
echo "<option value=\"none\"";
|
|
1209
|
if (!$qselected) echo " SELECTED";
|
|
1210
|
echo " >none</option>";
|
|
1211
|
foreach ($qlist as $q => $qkey) {
|
|
1212
|
if($q == "")
|
|
1213
|
continue;
|
|
1214
|
echo "<option value=\"$q\"";
|
|
1215
|
if ($q == $pconfig['defaultqueue']) {
|
|
1216
|
$qselected = 1;
|
|
1217
|
echo " SELECTED";
|
|
1218
|
}
|
|
1219
|
echo ">{$q}</option>";
|
|
1220
|
}
|
|
1221
|
?>
|
|
1222
|
</select>
|
|
1223
|
<br />
|
|
1224
|
<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
|
|
1225
|
</td>
|
|
1226
|
</tr>
|
|
1227
|
<tr>
|
|
1228
|
<td width="22%" valign="top" class="vncell">Layer7</td>
|
|
1229
|
<td width="78%" class="vtable">
|
|
1230
|
<div id="showadvlayer7box">
|
|
1231
|
<input type="button" onClick="show_advanced_layer7()" value="Advanced"></input> - Show advanced option</a>
|
|
1232
|
</div>
|
|
1233
|
<div id="showlayer7adv" style="display:none">
|
|
1234
|
<select name="l7container">
|
|
1235
|
<?php
|
|
1236
|
if (!is_array($l7clist))
|
|
1237
|
$dnqlist = array();
|
|
1238
|
echo "<option value=\"none\"";
|
|
1239
|
echo " >none</option>";
|
|
1240
|
foreach ($l7clist as $l7ckey) {
|
|
1241
|
echo "<option value=\"{$l7ckey}\"";
|
|
1242
|
if ($l7ckey == $pconfig['l7container']) {
|
|
1243
|
echo " SELECTED";
|
|
1244
|
}
|
|
1245
|
echo ">{$l7ckey}</option>";
|
|
1246
|
}
|
|
1247
|
?>
|
|
1248
|
</select>
|
|
1249
|
<br/>
|
|
1250
|
<span class="vexpl">
|
|
1251
|
Choose a Layer7 container to apply application protocol inspection rules.
|
|
1252
|
These are valid for TCP and UDP protocols only.
|
|
1253
|
</span>
|
|
1254
|
</div>
|
|
1255
|
</td>
|
|
1256
|
</tr>
|
|
1257
|
<tr>
|
|
1258
|
<td width="22%" valign="top"> </td>
|
|
1259
|
<td width="78%">
|
|
1260
|
<br>
|
|
1261
|
<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
|
|
1262
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
|
1263
|
<input name="id" type="hidden" value="<?=$id;?>">
|
|
1264
|
<?php endif; ?>
|
|
1265
|
<input name="after" type="hidden" value="<?=$after;?>">
|
|
1266
|
</td>
|
|
1267
|
</tr>
|
|
1268
|
</table>
|
|
1269
|
</form>
|
|
1270
|
<script language="JavaScript">
|
|
1271
|
<!--
|
|
1272
|
ext_change();
|
|
1273
|
typesel_change();
|
|
1274
|
proto_change();
|
|
1275
|
|
|
1276
|
<?php
|
|
1277
|
$isfirst = 0;
|
|
1278
|
$aliases = "";
|
|
1279
|
$addrisfirst = 0;
|
|
1280
|
$aliasesaddr = "";
|
|
1281
|
if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
|
|
1282
|
foreach($config['aliases']['alias'] as $alias_name) {
|
|
1283
|
switch ($alias_name['type']) {
|
|
1284
|
case "port":
|
|
1285
|
if($isfirst == 1) $portaliases .= ",";
|
|
1286
|
$portaliases .= "'" . $alias_name['name'] . "'";
|
|
1287
|
$isfirst = 1;
|
|
1288
|
break;
|
|
1289
|
case "host":
|
|
1290
|
case "network":
|
|
1291
|
case "openvpn":
|
|
1292
|
if($addrisfirst == 1) $aliasesaddr .= ",";
|
|
1293
|
$aliasesaddr .= "'" . $alias_name['name'] . "'";
|
|
1294
|
$addrisfirst = 1;
|
|
1295
|
break;
|
|
1296
|
default:
|
|
1297
|
break;
|
|
1298
|
}
|
|
1299
|
}
|
|
1300
|
?>
|
|
1301
|
|
|
1302
|
var addressarray=new Array(<?php echo $aliasesaddr; ?>);
|
|
1303
|
var customarray=new Array(<?php echo $portaliases; ?>);
|
|
1304
|
|
|
1305
|
var oTextbox1 = new AutoSuggestControl(document.getElementById("src"), new StateSuggestions(addressarray));
|
|
1306
|
var oTextbox2 = new AutoSuggestControl(document.getElementById("srcbeginport_cust"), new StateSuggestions(customarray));
|
|
1307
|
var oTextbox3 = new AutoSuggestControl(document.getElementById("srcendport_cust"), new StateSuggestions(customarray));
|
|
1308
|
var oTextbox4 = new AutoSuggestControl(document.getElementById("dst"), new StateSuggestions(addressarray));
|
|
1309
|
var oTextbox5 = new AutoSuggestControl(document.getElementById("dstbeginport_cust"), new StateSuggestions(customarray));
|
|
1310
|
var oTextbox6 = new AutoSuggestControl(document.getElementById("dstendport_cust"), new StateSuggestions(customarray));
|
|
1311
|
//-->
|
|
1312
|
</script>
|
|
1313
|
<?php include("fend.inc"); ?>
|
|
1314
|
</body>
|
|
1315
|
</html>
|
