<?php
/* $Id$ */
/*
	firewall_rules_edit.php
	part of pfSense (http://www.pfsense.com)
        Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)
	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
##|+PRIV
##|*IDENT=page-firewall-rules-edit
##|*NAME=Firewall: Rules: Edit page
##|*DESCR=Allow access to the 'Firewall: Rules: Edit' page.
##|*MATCH=firewall_rules_edit.php*
##|-PRIV
/* Shared web GUI bootstrap; $config and the helpers called below presumably come from it (not visible here). */
require("guiconfig.inc");

/* Source/destination keywords that are accepted in place of a literal address. */
$specialsrcdst = array("any", "wanip", "lanip", "lan", "pptp", "pppoe");

/* Make sure the rule list is an array before it is sorted and referenced. */
if (is_array($config['filter']['rule']) === false)
	$config['filter']['rule'] = array();

filter_rules_sort();

/* $a_filter is a reference, so writes through it change the rule list inside $config. */
$a_filter = &$config['filter']['rule'];
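/*
 * Work out from the request which rule is being edited ($id) and after which
 * rule a new one should be inserted ($after).
 *
 * 'id' and 'dup' are used as indexes into the rule list, so only numeric
 * values are accepted; anything else leaves $id unset and the page falls
 * back to the new-rule defaults. 'after' is tested with is_numeric() at the
 * point where the rule is inserted.
 */
$id = null;
if (isset($_GET['id']) && is_numeric($_GET['id']))
	$id = $_GET['id'];
if (isset($_POST['id']) && is_numeric($_POST['id']))
	$id = $_POST['id'];

$after = isset($_GET['after']) ? $_GET['after'] : null;
if (isset($_POST['after']))
	$after = $_POST['after'];

/* Duplicating: load the values of rule 'dup' and insert the copy right after it. */
if (isset($_GET['dup'])) {
	if (is_numeric($_GET['dup'])) {
		$id = $_GET['dup'];
		$after = $_GET['dup'];
	} else {
		/* A non-numeric index cannot name a rule; treat the request as a plain new rule. */
		$id = null;
		$after = null;
	}
}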
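/*
 * Fill $pconfig, the array the form is rendered from: either with the stored
 * rule at index $id, or with the defaults for a new rule.
 */
if (isset($id) && $a_filter[$id]) {
	$pconfig['interface'] = $a_filter[$id]['interface'];

	/* A rule stored without a type is shown as a pass rule. */
	$pconfig['type'] = isset($a_filter[$id]['type']) ? $a_filter[$id]['type'] : "pass";

	/*
	 * NOTE(review): $if is not assigned anywhere above this point in the
	 * visible code (it is set from $pconfig['interface'] further down), so
	 * unless the include defines it only the isset() half can be true here.
	 */
	if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
		$pconfig['floating'] = $a_filter[$id]['floating'];
		if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
			$pconfig['interface'] = $a_filter[$id]['interface'];
	}

	/*
	 * NOTE(review): this tests the key 'floating' on the rule list itself,
	 * not on the rule being edited - confirm whether $a_filter[$id] was meant.
	 */
	if (isset($a_filter['floating']))
		$pconfig['floating'] = "yes";

	if (isset($a_filter[$id]['direction']))
		$pconfig['direction'] = $a_filter[$id]['direction'];

	/* A rule stored without a protocol matches any protocol. */
	$pconfig['proto'] = isset($a_filter[$id]['protocol']) ? $a_filter[$id]['protocol'] : "any";

	if ($a_filter[$id]['protocol'] == "icmp")
		$pconfig['icmptype'] = $a_filter[$id]['icmptype'];

	address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
		$pconfig['srcmask'], $pconfig['srcnot'],
		$pconfig['srcbeginport'], $pconfig['srcendport']);

	if ($a_filter[$id]['os'] <> "")
		$pconfig['os'] = $a_filter[$id]['os'];

	address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
		$pconfig['dstmask'], $pconfig['dstnot'],
		$pconfig['dstbeginport'], $pconfig['dstendport']);

	if ($a_filter[$id]['dscp'] <> "")
		$pconfig['dscp'] = $a_filter[$id]['dscp'];

	$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
	$pconfig['log'] = isset($a_filter[$id]['log']);
	$pconfig['descr'] = $a_filter[$id]['descr'];

	if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
		$pconfig['tag'] = $a_filter[$id]['tag'];
	/* The emptiness test used to look at 'tag', so a rule with only 'tagged' set lost that value in the form. */
	if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tagged'] <> "")
		$pconfig['tagged'] = $a_filter[$id]['tagged'];
	if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
		$pconfig['quick'] = $a_filter[$id]['quick'];
	if (isset($a_filter[$id]['allowopts']))
		$pconfig['allowopts'] = true;

	/* advanced */
	$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
	$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
	$pconfig['statetype'] = $a_filter[$id]['statetype'];
	$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];

	$pconfig['nosync'] = isset($a_filter[$id]['nosync']);

	/* advanced - new connection per second banning */
	$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
	$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];

	/* Multi-WAN next-hop support */
	$pconfig['gateway'] = $a_filter[$id]['gateway'];

	/* Shaper support */
	$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
	$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];
	$pconfig['dnpipe'] = $a_filter[$id]['dnpipe'];
	$pconfig['pdnpipe'] = $a_filter[$id]['pdnpipe'];
	$pconfig['l7container'] = $a_filter[$id]['l7container'];

	/* schedule support */
	$pconfig['sched'] = $a_filter[$id]['sched'];

} else {
	/*
	 * Defaults for a new rule. The interface comes straight from the query
	 * string and is not checked against the configured interfaces here, so
	 * every place that prints $pconfig['interface'] or $if has to escape it.
	 */
	if (!empty($_GET['if']))
		$pconfig['interface'] = $_GET['if'];
	$pconfig['type'] = "pass";
	$pconfig['src'] = "any";
	$pconfig['dst'] = "any";
}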
/* Expose the chosen interface as $if; the floating-rule checks on this page compare it with "FloatingRules". */
$if = $pconfig['interface'];

/* A duplicated rule is stored as a new entry, so forget the index of the rule it was copied from. */
if (isset($_GET['dup'])) {
	unset($id);
}
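/*
 * Handle a submitted form: normalise the posted ports and address types,
 * validate the fields and, when nothing was rejected, store the rule, mark
 * the filter configuration dirty and redirect back to the rule list.
 *
 * Apart from the checks below, values such as type, direction, statetype,
 * gateway and the queue names are stored exactly as posted. NOTE(review):
 * confirm that whatever turns the stored rule into filter rules validates
 * them, since this page does not compare them with the offered options.
 */
if ($_POST) {

	/*
	 * NOTE(review): $input_errors is cleared by the unset() further down
	 * before anything reads it, so this message is never shown. The help
	 * text in the form says reject works for TCP or UDP - confirm the
	 * intended rule before moving this check below the unset().
	 */
	if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
		$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";

	if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
		/* Ports are only kept for TCP and UDP rules. */
		$_POST['srcbeginport'] = 0;
		$_POST['srcendport'] = 0;
		$_POST['dstbeginport'] = 0;
		$_POST['dstendport'] = 0;
	} else {

		/* A "_cust" value is used when the matching port field was left empty. */
		if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
			$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
		if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
			$_POST['srcendport'] = $_POST['srcendport_cust'];

		/* "any" is stored as port 0; a missing end port defaults to the start port. */
		if ($_POST['srcbeginport'] == "any") {
			$_POST['srcbeginport'] = 0;
			$_POST['srcendport'] = 0;
		} else {
			if (!$_POST['srcendport'])
				$_POST['srcendport'] = $_POST['srcbeginport'];
		}
		if ($_POST['srcendport'] == "any")
			$_POST['srcendport'] = $_POST['srcbeginport'];

		if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
			$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
		if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
			$_POST['dstendport'] = $_POST['dstendport_cust'];

		if ($_POST['dstbeginport'] == "any") {
			$_POST['dstbeginport'] = 0;
			$_POST['dstendport'] = 0;
		} else {
			if (!$_POST['dstendport'])
				$_POST['dstendport'] = $_POST['dstbeginport'];
		}
		if ($_POST['dstendport'] == "any")
			$_POST['dstendport'] = $_POST['dstbeginport'];
	}

	/* A special network keyword replaces the address; a single host is a /32. */
	if (is_specialnet($_POST['srctype'])) {
		$_POST['src'] = $_POST['srctype'];
		$_POST['srcmask'] = 0;
	} else if ($_POST['srctype'] == "single") {
		$_POST['srcmask'] = 32;
	}
	if (is_specialnet($_POST['dsttype'])) {
		$_POST['dst'] = $_POST['dsttype'];
		$_POST['dstmask'] = 0;
	} else if ($_POST['dsttype'] == "single") {
		$_POST['dstmask'] = 32;
	}

	unset($input_errors);

	/* The form is redrawn from the posted values when validation fails. */
	$pconfig = $_POST;

	/*
	 * Reject every posted value that htmlentities() would change, i.e. that
	 * contains HTML metacharacters. On PHP versions where htmlentities()
	 * defaults to ENT_COMPAT a single quote passes this filter, so it does
	 * not replace escaping at the places where these values are printed.
	 *
	 * Floating rules post 'interface' as a list. That field used to be
	 * skipped altogether; each selected entry is now checked instead.
	 */
	foreach ($_POST as $key => $value) {
		if (isset($_POST['floating']) && $key == "interface" && is_array($value))
			$tocheck = $value;
		else
			$tocheck = array($value);

		foreach ($tocheck as $temp) {
			if (is_array($temp)) {
				/* An array where a scalar is expected; this is the text string interpolation produced for it before. */
				$input_errors[] = "Invalid characters detected (Array).  Please remove invalid characters and save again.";
				continue;
			}
			$newpost = htmlentities($temp);
			if ($newpost <> $temp) {
				/* Quote the encoded form so the rejected markup is not echoed back verbatim. */
				$input_errors[] = "Invalid characters detected ($newpost).  Please remove invalid characters and save again.";
			}
		}
	}

	/* input validation */
	$reqdfields = explode(" ", "type proto src dst");
	$reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");

	if ($_POST['statetype'] == "modulate state" || $_POST['statetype'] == "synproxy state") {
		if ($_POST['proto'] != "tcp")
			$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
		if (($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
			$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
	}

	/* A bit count is required only for the "network" style of address. */
	if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
		$reqdfields[] = "srcmask";
		$reqdfieldsn[] = "Source bit count";
	}
	if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
		$reqdfields[] = "dstmask";
		$reqdfieldsn[] = "Destination bit count";
	}

	/*
	 * NOTE(review): the '&' at the call site is call-time pass-by-reference,
	 * which PHP 5.4 and later refuse to parse. Drop it once the declaration
	 * of do_input_validation() is confirmed to take the parameter by
	 * reference - that declaration is not visible from this file.
	 */
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);

	if (!$_POST['srcbeginport']) {
		$_POST['srcbeginport'] = 0;
		$_POST['srcendport'] = 0;
	}
	if (!$_POST['dstbeginport']) {
		$_POST['dstbeginport'] = 0;
		$_POST['dstendport'] = 0;
	}

	/* Every port must be either an alias or a valid port number. */
	if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
		$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
	}
	if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
		$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
	}
	if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
		$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
	}
	/* The alias test used to look at dstbeginport, so an invalid end port was accepted whenever the start port was an alias. */
	if (($_POST['dstendport'] && !alias_expand($_POST['dstendport']) && !is_port($_POST['dstendport']))) {
		$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
	}

	/* if user enters an alias and selects "network" then disallow. */
	if ($_POST['srctype'] == "network") {
		if (is_alias($_POST['src']))
			$input_errors[] = "You must specify single host or alias for alias entries.";
	}
	if ($_POST['dsttype'] == "network") {
		if (is_alias($_POST['dst']))
			$input_errors[] = "You must specify single host or alias for alias entries.";
	}

	if (!is_specialnet($_POST['srctype'])) {
		if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
			$input_errors[] = "A valid source IP address or alias must be specified.";
		}
		if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
			$input_errors[] = "A valid source bit count must be specified.";
		}
	}
	if (!is_specialnet($_POST['dsttype'])) {
		if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
			$input_errors[] = "A valid destination IP address or alias must be specified.";
		}
		if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
			$input_errors[] = "A valid destination bit count must be specified.";
		}
	}

	/* Store port ranges low-to-high. */
	if ($_POST['srcbeginport'] > $_POST['srcendport']) {
		/* swap */
		$tmp = $_POST['srcendport'];
		$_POST['srcendport'] = $_POST['srcbeginport'];
		$_POST['srcbeginport'] = $tmp;
	}
	if ($_POST['dstbeginport'] > $_POST['dstendport']) {
		/* swap */
		$tmp = $_POST['dstendport'];
		$_POST['dstendport'] = $_POST['dstbeginport'];
		$_POST['dstbeginport'] = $tmp;
	}

	if ($_POST['os'] && $_POST['proto'] != "tcp")
		$input_errors[] = "OS detection is only valid with protocol tcp.";

	if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
		if ($_POST['defaultqueue'] == "none")
			$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
		else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
			$input_errors[] = "Acknowledge queue and Queue cannot be the same.";
	}

	if ($_POST['pdnpipe'] && $_POST['pdnpipe'] != "none") {
		if ($_POST['dnpipe'] == "none")
			$input_errors[] = "You must select a queue for the In direction before selecting one for Out too.";
		else if ($_POST['pdnpipe'] == $_POST['dnpipe'])
			$input_errors[] = "In and Out Queue cannot be the same.";
		/*
		 * This test used to read $pdnpipe and $dnpipe, which are never
		 * assigned in this file, so it could not fire; it now reads the
		 * posted values. Judging by the message, a leading "?" marks one of
		 * the two kinds of entry (queue or virtual interface).
		 */
		else if ((substr($_POST['pdnpipe'], 0, 1) == "?") != (substr($_POST['dnpipe'], 0, 1) == "?"))
			$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
	}

	if ($_POST['l7container'] && $_POST['l7container'] != "none") {
		if (!($_POST['proto'] == "tcp" || $_POST['proto'] == "udp" || $_POST['proto'] == "tcp/udp"))
			$input_errors[] = "You can only select a layer7 container for tcp and/or udp protocols";
	}

	if (!$input_errors) {
		/* Build the rule from scratch, so any option that is not set below is simply absent. */
		$filterent = array();
		$filterent['type'] = $_POST['type'];
		if (isset($_POST['interface']))
			$filterent['interface'] = $_POST['interface'];

		if ($if == "FloatingRules" || isset($_POST['floating'])) {
			if (isset($_POST['tag']))
				$filterent['tag'] = $_POST['tag'];
			if (isset($_POST['tagged']))
				$filterent['tagged'] = $_POST['tagged'];
			$filterent['direction'] = $_POST['direction'];
			if (isset($_POST['quick']) && $_POST['quick'] <> "")
				$filterent['quick'] = $_POST['quick'];
			$filterent['floating'] = "yes";
			/* Floating rules carry a comma-separated interface list; only join a real list. */
			if (isset($_POST['interface']) && is_array($_POST['interface']) && count($_POST['interface']) > 0) {
				$filterent['interface'] = implode(",", $_POST['interface']);
			}
		}

		/* Advanced options */
		if ($_POST['allowopts'] == "yes")
			$filterent['allowopts'] = true;
		$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
		$filterent['max-src-states'] = $_POST['max-src-states'];
		$filterent['statetimeout'] = $_POST['statetimeout'];
		$filterent['statetype'] = $_POST['statetype'];
		$filterent['os'] = $_POST['os'];

		/* Nosync directive - do not xmlrpc sync this item */
		if ($_POST['nosync'] <> "")
			$filterent['nosync'] = true;

		/* unless both values are provided, leave both out - ticket #650 */
		if ($_POST['max-src-conn-rate'] <> "" && $_POST['max-src-conn-rates'] <> "") {
			$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
			$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
		}

		/* "any" is stored by leaving the protocol out of the rule. */
		if ($_POST['proto'] != "any")
			$filterent['protocol'] = $_POST['proto'];

		if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
			$filterent['icmptype'] = $_POST['icmptype'];

		pconfig_to_address($filterent['source'], $_POST['src'],
			$_POST['srcmask'], $_POST['srcnot'],
			$_POST['srcbeginport'], $_POST['srcendport']);

		pconfig_to_address($filterent['destination'], $_POST['dst'],
			$_POST['dstmask'], $_POST['dstnot'],
			$_POST['dstbeginport'], $_POST['dstendport']);

		if ($_POST['disabled'])
			$filterent['disabled'] = true;

		if ($_POST['dscp'])
			$filterent['dscp'] = $_POST['dscp'];

		if ($_POST['log'])
			$filterent['log'] = true;

		/* strncpy() is a project helper; presumably it caps the description at 52 characters. */
		strncpy($filterent['descr'], $_POST['descr'], 52);

		if ($_POST['gateway'] != "") {
			$filterent['gateway'] = $_POST['gateway'];
		}

		/* An acknowledge queue is stored only together with a default queue. */
		if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
			$filterent['defaultqueue'] = $_POST['defaultqueue'];
			if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
				$filterent['ackqueue'] = $_POST['ackqueue'];
		}

		/* The Out entry is stored only together with an In entry. */
		if (isset($_POST['dnpipe']) && $_POST['dnpipe'] != "none") {
			$filterent['dnpipe'] = $_POST['dnpipe'];
			if (isset($_POST['pdnpipe']) && $_POST['pdnpipe'] != "none")
				$filterent['pdnpipe'] = $_POST['pdnpipe'];
		}

		if (isset($_POST['l7container']) && $_POST['l7container'] != "none") {
			$filterent['l7container'] = $_POST['l7container'];
		}

		if ($_POST['sched'] != "") {
			$filterent['sched'] = $_POST['sched'];
		}

		/* Overwrite the edited rule, or insert the new one after $after (append when $after is not numeric). */
		if (isset($id) && $a_filter[$id])
			$a_filter[$id] = $filterent;
		else {
			if (is_numeric($after))
				array_splice($a_filter, $after+1, 0, array($filterent));
			else
				$a_filter[] = $filterent;
		}

		write_config();
		touch($d_filterconfdirty_path);

		if (isset($_POST['floating']))
			header("Location: firewall_rules.php?if=FloatingRules");
		else
			/* The interface is request data; encode it before it becomes part of the redirect URL. */
			header("Location: firewall_rules.php?if=" . urlencode($_POST['interface']));
		exit;
	}
}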
/*
 * Load the shaper, dummynet and layer7 configuration and keep the three
 * lists the getters return; they are presumably used by the selectors
 * further down the form (not visible in this part of the file).
 */
read_altq_config(); /* XXX: */
$qlist =& get_unique_queue_list();

read_dummynet_config(); /* XXX: */
$dnqlist =& get_unique_dnqueue_list();

read_layer7_config();
$l7clist =& get_l7_unique_list();

/* Page metadata set before the shared header is included. */
$page_filename = 'firewall_rules_edit.php';
$pgtitle = array('Firewall', 'Rules', 'Edit');
$closehead = false;

include("head.inc");
?>
475 da7ae7ef Bill Marquette
476 5b237745 Scott Ullrich
</head>
477
478
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
479
<?php include("fbegin.inc"); ?>
480
<?php if ($input_errors) print_input_errors($input_errors); ?>
481 8ab3e9ed Erik Kristensen
482
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
483
	<table width="100%" border="0" cellpadding="6" cellspacing="0">
484 e091cb45 Scott Ullrich
		<tr>
485
			<td colspan="2" valign="top" class="listtopic">Edit Firewall rule</td>
486
		</tr>	
487 8ab3e9ed Erik Kristensen
    	<tr>
488
			<td width="22%" valign="top" class="vncellreq">Action</td>
489
			<td width="78%" class="vtable">
490 b5c78501 Seth Mos
				<select name="type" class="formselect">
491 8ab3e9ed Erik Kristensen
					<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
492
					<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
493
					<?=htmlspecialchars($type);?>
494
					</option>
495
					<?php endforeach; ?>
496 8c84fe43 Scott Ullrich
				</select>
497 8ab3e9ed Erik Kristensen
				<br/>
498
				<span class="vexpl">
499
					Choose what to do with packets that match the criteria specified below. <br/>
500
					Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not &quot;TCP/UDP&quot;) below.
501
				</span>
502
			</td>
503
		</tr>
504
		<tr>
505
			<td width="22%" valign="top" class="vncellreq">Disabled</td>
506
			<td width="78%" class="vtable">
507
				<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
508
				<strong>Disable this rule</strong><br />
509
				<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
510
			</td>
511
		</tr>
512 661aed33 Ermal Luçi
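<?php /* "Quick" row: only rendered for floating rules. */ if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
		<tr>
                        <td width="22%" valign="top" class="vncellreq"><?=gettext("Quick");?></td>
                        <td width="78%" class="vtable">
                                <input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
                                <strong><?=gettext("Apply the action immediately on match.");?></strong><br />
                                <span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
                        </td>
                </tr>
<?php /* Full open tag: with short_open_tag off, "<? endif; ?>" is not parsed and the if above stays open. */ endif; ?>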
522 8ab3e9ed Erik Kristensen
		<tr>
523
			<td width="22%" valign="top" class="vncellreq">Interface</td>
524
			<td width="78%" class="vtable">
525 4633edc2 Ermal Luçi
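<?php /* Floating rules may name several interfaces, every other rule exactly one. */ if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
				<select name="interface[]" multiple="true" class="formselect" size="3">
<?php else: ?>
				<select name="interface" class="formselect">
<?php
				endif;

				/*
				 * Build $interfaces (name => label), offering only the entries
				 * have_ruleint_access() allows for the current user.
				 */
				if (!isset($interfaces) || !is_array($interfaces))
					$interfaces = array();

				/* add group interfaces */
				if (is_array($config['ifgroups']['ifgroupentry']))
					foreach ($config['ifgroups']['ifgroupentry'] as $ifgen)
						if (have_ruleint_access($ifgen['ifname']))
							$interfaces[$ifgen['ifname']] = $ifgen['ifname'];

				$ifdescs = get_configured_interface_with_descr();

				foreach ($ifdescs as $ifent => $ifdesc)
					if (have_ruleint_access($ifent))
						$interfaces[$ifent] = $ifdesc;

				if ($config['l2tp']['mode'] == "server")
					if (have_ruleint_access("l2tp"))
						$interfaces['l2tp'] = "L2TP VPN";

				if ($config['pptpd']['mode'] == "server")
					if (have_ruleint_access("pptp"))
						$interfaces['pptp'] = "PPTP VPN";

				if ($config['pppoe']['mode'] == "server")
					if (have_ruleint_access("pppoe"))
						$interfaces['pppoe'] = "PPPoE VPN";

				/* add ipsec interfaces */
				if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
					if (have_ruleint_access("enc0"))
						$interfaces["enc0"] = "IPsec";

				/*
				 * add openvpn/tun interfaces
				 * NOTE(review): unlike every entry above, this one is offered
				 * without a have_ruleint_access() check - confirm that is intended.
				 */
				if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
					$interfaces["openvpn"] = "OpenVPN";

				/*
				 * Interfaces to preselect. The stored value is a comma-separated
				 * list for floating rules and the redisplayed POST value may be
				 * an array. Names are compared whole (case-insensitively): the
				 * earlier substring test also selected "opt1" for "opt10".
				 */
				if (is_array($pconfig['interface']))
					$selected_ifs = $pconfig['interface'];
				else
					$selected_ifs = explode(",", (string)$pconfig['interface']);
				$selected_ifs = array_map('strtolower', $selected_ifs);

				/* Names and labels come from the configuration, so both are escaped on output. */
				foreach ($interfaces as $iface => $ifacename): ?>
						<option value="<?=htmlspecialchars($iface);?>" <?php if (in_array(strtolower($iface), $selected_ifs)) echo "selected"; ?>><?=htmlspecialchars(gettext($ifacename));?></option>
<?php 				endforeach; ?>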
567 8c84fe43 Scott Ullrich
				</select>
568 8ab3e9ed Erik Kristensen
				<br />
569
				<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
570
			</td>
571
		</tr>
572 661aed33 Ermal Luçi
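<?php /* "Direction" row and the hidden floating marker: only rendered for floating rules. */ if ($if == "FloatingRules" || isset($pconfig['floating'])): ?>
                <tr>
                        <td width="22%" valign="top" class="vncellreq"><?=gettext("Direction");?></td>
                        <td width="78%" class="vtable">
                                 <select name="direction" class="formselect">
                                  <?php      $directions = array('any', 'in', 'out');
                                        foreach ($directions as $direction): ?>
                                                <option value="<?=$direction;?>"
                                                <?php if ($direction == $pconfig['direction']): ?>
                                                        selected="selected" 
						<?php endif; ?>
                                                ><?=$direction;?></option>
                  	                <?php endforeach; ?>      
                                </select>
                		<?php /* The POST handler treats any request carrying this field as a floating rule. */ ?>
                		<input type="hidden" id="floating" name="floating" value="floating">
                        </td>
                </tr>
<?php endif; ?>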
590 8ab3e9ed Erik Kristensen
		<tr>
591
			<td width="22%" valign="top" class="vncellreq">Protocol</td>
592
			<td width="78%" class="vtable">
593 b5c78501 Seth Mos
				<select name="proto" class="formselect" onchange="proto_change()">
594 8ab3e9ed Erik Kristensen
<?php
595 87f0be87 Chris Buechler
				$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
596 8ab3e9ed Erik Kristensen
				foreach ($protocols as $proto): ?>
597
					<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
598
<?php 			endforeach; ?>
599
				</select>
600
				<br />
601
				<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em> &nbsp;here.</span>
602
			</td>
603
		</tr>
604 3de8af0e Scott Ullrich
		<tr id="icmpbox" name="icmpbox">
605 8ab3e9ed Erik Kristensen
			<td valign="top" class="vncell">ICMP type</td>
606
			<td class="vtable">
607 b5c78501 Seth Mos
				<select name="icmptype" class="formselect">
608 8ab3e9ed Erik Kristensen
<?php
609
				$icmptypes = array(
610
				"" => "any",
611
				"echorep" => "Echo reply",
612
				"unreach" => "Destination unreachable",
613
				"squench" => "Source quench",
614
				"redir" => "Redirect",
615
				"althost" => "Alternate Host",
616
				"echoreq" => "Echo",
617
				"routeradv" => "Router advertisement",
618
				"routersol" => "Router solicitation",
619
				"timex" => "Time exceeded",
620
				"paramprob" => "Invalid IP header",
621
				"timereq" => "Timestamp",
622
				"timerep" => "Timestamp reply",
623
				"inforeq" => "Information request",
624
				"inforep" => "Information reply",
625
				"maskreq" => "Address mask request",
626
				"maskrep" => "Address mask reply"
627
				);
628
629
				foreach ($icmptypes as $icmptype => $descr): ?>
630
					<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
631
<?php 			endforeach; ?>
632
			</select>
633
			<br />
634
			<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
635
		</td>
636
		</tr>
637
		<tr>
638
			<td width="22%" valign="top" class="vncellreq">Source</td>
639
			<td width="78%" class="vtable">
640
				<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
641
				<strong>not</strong>
642
				<br />
643
				Use this option to invert the sense of the match.
644
				<br />
645
				<br />
646
				<table border="0" cellspacing="0" cellpadding="0">
647
					<tr>
648
						<td>Type:&nbsp;&nbsp;</td>
649
						<td>
650 b5c78501 Seth Mos
							<select name="srctype" class="formselect" onChange="typesel_change()">
651 87f0be87 Chris Buechler
<?php
652
								$sel = is_specialnet($pconfig['src']); ?>
653 8ab3e9ed Erik Kristensen
								<option value="any"     <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
654 87f0be87 Chris Buechler
								<option value="single"  <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
655
								<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
656 99ea4439 Scott Ullrich
								<?php if(have_ruleint_access("wan")): ?>
657 76934b05 Scott Ullrich
								<option value="wanip" 	<?php if ($pconfig['src'] == "wanip") { echo "selected"; } ?>>WAN address</option>
658 99ea4439 Scott Ullrich
								<?php endif; ?>
659
								<?php if(have_ruleint_access("lan")): ?>
660 acb31d29 Scott Ullrich
								<option value="lanip" 	<?php if ($pconfig['src'] == "lanip") { echo "selected"; } ?>>LAN address</option>
661 99ea4439 Scott Ullrich
								<?php endif; ?>
662
								<?php if(have_ruleint_access("lan")): ?>
663 8ab3e9ed Erik Kristensen
								<option value="lan"     <?php if ($pconfig['src'] == "lan") { echo "selected"; } ?>>LAN subnet</option>
664 99ea4439 Scott Ullrich
								<?php endif; ?>
665
								<?php if(have_ruleint_access("pptp")): ?>
666 8ab3e9ed Erik Kristensen
								<option value="pptp"    <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
667 99ea4439 Scott Ullrich
								<?php endif; ?>
668
								<?php if(have_ruleint_access("pppoe")): ?>
669 8c84fe43 Scott Ullrich
								<option value="pppoe"   <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
670 99ea4439 Scott Ullrich
								<?php endif; ?>								
671 8ab3e9ed Erik Kristensen
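<?php
								/* One pair of options per configured interface that
								   have_ruleint_access() permits: the interface key selects its
								   subnet, the key followed by "ip" selects its address.
								   Key and description are HTML-escaped on output, so the
								   "address" label is escaped the same way as the "subnet" label. */
								$ifdisp = get_configured_interface_with_descr();
								foreach ($ifdisp as $ifent => $ifdesc): ?>
								<?php if(have_ruleint_access($ifent)): ?>
									<option value="<?=htmlspecialchars($ifent);?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
									<option value="<?=htmlspecialchars($ifent);?>ip" <?php if ($pconfig['src'] ==  $ifent . "ip") { echo "selected"; } ?>>
										<?=htmlspecialchars($ifdesc);?> address
									</option>
								<?php endif; ?>
<?php 							endforeach; ?>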
681 8ab3e9ed Erik Kristensen
							</select>
682
						</td>
683
					</tr>
684
					<tr>
685
						<td>Address:&nbsp;&nbsp;</td>
686
						<td>
687
							<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
688 b5c78501 Seth Mos
							<select name="srcmask" class="formselect" id="srcmask">
689 8ab3e9ed Erik Kristensen
<?php						for ($i = 31; $i > 0; $i--): ?>
690
								<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
691
<?php 						endfor; ?>
692
							</select>
693 bdb7d6e7 Scott Ullrich
						</td>
694 8ab3e9ed Erik Kristensen
					</tr>
695
				</table>
696 22abf2ef Scott Ullrich
				<div id="showadvancedboxspr">
697
					<p>
698 be812936 Scott Ullrich
					<input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
699 22abf2ef Scott Ullrich
				</div>
700 8ab3e9ed Erik Kristensen
			</td>
701 e33c8694 Bill Marquette
		</tr>
702 3de8af0e Scott Ullrich
		<tr style="display:none" id="sprtable" name="sprtable">
703 8ab3e9ed Erik Kristensen
			<td width="22%" valign="top" class="vncellreq">Source port range</td>
704
			<td width="78%" class="vtable">
705
				<table border="0" cellspacing="0" cellpadding="0">
706
					<tr>
707
						<td>from:&nbsp;&nbsp;</td>
708
						<td>
709 b5c78501 Seth Mos
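							<?php /* Source port, start of range. $bfound becomes 1 when the stored
							         value is "any" or one of the $wkports keys; otherwise the stored
							         value goes into the free-text field below, HTML-escaped because
							         it lands inside a quoted attribute.
							         NOTE(review): how $pconfig is filled is not visible in this part
							         of the file - confirm whether it can carry raw request data. */ ?>
							<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php 							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
							<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo htmlspecialchars($pconfig['srcbeginport']); ?>">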
717
						</td>
718
					</tr>
719
					<tr>
720
						<td>to:</td>
721
						<td>
722 b5c78501 Seth Mos
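							<?php /* Source port, end of range. $bfound is reset to 0 here and set
							         to 1 when the stored value is "any" or a $wkports key; any other
							         stored value is written to the free-text field, HTML-escaped
							         because it lands inside a quoted attribute. */ ?>
							<select name="srcendport" class="formselect" onchange="ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php							endforeach; ?>
							</select>
							<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo htmlspecialchars($pconfig['srcendport']); ?>">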
730
						</td>
731
					</tr>
732
				</table>
733
				<br />
734 5548a077 Scott Ullrich
				<span class="vexpl">Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often &quot;any&quot;). <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
735 67199e71 Scott Ullrich
				<span class="vexpl"><B>NOTE:</B> You will not need to enter anything here in 99.99999% of the circumstances.  If you're unsure, do not enter anything here!</span>
736 8ab3e9ed Erik Kristensen
			</td>
737 8c84fe43 Scott Ullrich
		</tr>
738 8ab3e9ed Erik Kristensen
		<tr>
739 f281e32e Chris Buechler
			<td width="22%" valign="top" class="vncell">Source OS</td>
740 8ab3e9ed Erik Kristensen
			<td width="78%" class="vtable">OS Type:&nbsp;
741 b5c78501 Seth Mos
				<select name="os" id="os" class="formselect">
742 8ab3e9ed Erik Kristensen
<?php
					/* Source OS choices: each key is used as the option value and each
					   value as the visible label; the empty key is the "any" choice. */
					$ostypes = array(
						""        => "any",
						"AIX"     => "AIX",
						"Linux"   => "Linux",
						"FreeBSD" => "FreeBSD",
						"NetBSD"  => "NetBSD",
						"OpenBSD" => "OpenBSD",
						"Solaris" => "Solaris",
						"MacOS"   => "MacOS",
						"Windows" => "Windows",
						"Novell"  => "Novell",
						"NMAP"    => "NMAP"
					);

					/* Pre-select the entry that equals the stored os value. */
					foreach ($ostypes as $ostype => $descr): ?>
						<option value="<?php echo $ostype; ?>" <?php echo ($ostype == $pconfig['os']) ? "selected" : ""; ?>><?php echo htmlspecialchars($descr); ?></option>
<?php				endforeach; ?>
760
				</select>
761
				<br />
762
				Note: this only works for TCP rules
763
			</td>
764 5ba18897 Scott Ullrich
		</tr>
765 8ab3e9ed Erik Kristensen
		<tr>
766
			<td width="22%" valign="top" class="vncellreq">Destination</td>
767
			<td width="78%" class="vtable">
768
				<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
769
				<strong>not</strong>
770
					<br />
771
				Use this option to invert the sense of the match.
772
					<br />
773
					<br />
774
				<table border="0" cellspacing="0" cellpadding="0">
775
					<tr>
776
						<td>Type:&nbsp;&nbsp;</td>
777
						<td>
778 b5c78501 Seth Mos
							<select name="dsttype" class="formselect" onChange="typesel_change()">
779 87f0be87 Chris Buechler
<?php
780
								$sel = is_specialnet($pconfig['dst']); ?>
781 8ab3e9ed Erik Kristensen
								<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
782 87f0be87 Chris Buechler
								<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
783
								<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
784 99ea4439 Scott Ullrich
								<?php if(have_ruleint_access("wan")): ?>
785 76934b05 Scott Ullrich
								<option value="wanip" <?php if ($pconfig['dst'] == "wanip") { echo "selected"; } ?>>WAN address</option>
786 99ea4439 Scott Ullrich
								<?php endif; ?>
787
								<?php if(have_ruleint_access("lan")): ?>
788 acb31d29 Scott Ullrich
								<option value="lanip" <?php if ($pconfig['dst'] == "lanip") { echo "selected"; } ?>>LAN address</option>
789 99ea4439 Scott Ullrich
								<?php endif; ?>
790
								<?php if(have_ruleint_access("lan")): ?>
791 8ab3e9ed Erik Kristensen
								<option value="lan" <?php if ($pconfig['dst'] == "lan") { echo "selected"; } ?>>LAN subnet</option>
792 99ea4439 Scott Ullrich
								<?php endif; ?>
793
								<?php if(have_ruleint_access("pptp")): ?>
794 8ab3e9ed Erik Kristensen
								<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
795 99ea4439 Scott Ullrich
								<?php endif; ?>
796
								<?php if(have_ruleint_access("pppoe")): ?>
797 8ab3e9ed Erik Kristensen
								<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
798 99ea4439 Scott Ullrich
								<?php endif; ?>								
799
								
800 b7391125 Ermal Luçi
801
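<?php 							/* One pair of options per entry of $ifdisp that
								   have_ruleint_access() permits: the interface key selects its
								   subnet, the key followed by "ip" selects its address.
								   Key and description are HTML-escaped on output, so the
								   "address" label is escaped the same way as the "subnet" label. */
								foreach ($ifdisp as $if => $ifdesc): ?>
								<?php if(have_ruleint_access($if)): ?>
									<option value="<?=htmlspecialchars($if);?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
									<option value="<?=htmlspecialchars($if);?>ip" <?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
										<?=htmlspecialchars($ifdesc);?> address
									</option>
								<?php endif; ?>
<?php 							endforeach; ?>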
809 8ab3e9ed Erik Kristensen
							</select>
810
						</td>
811
					</tr>
812
					<tr>
813
						<td>Address:&nbsp;&nbsp;</td>
814
						<td>
815
							<input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
816
							/
817 b5c78501 Seth Mos
							<select name="dstmask" class="formselect" id="dstmask">
818 8ab3e9ed Erik Kristensen
<?php
819
							for ($i = 31; $i > 0; $i--): ?>
820
								<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
821
<?php						endfor; ?>
822
							</select>
823
						</td>
824
					</tr>
825
				</table>
826 5ba18897 Scott Ullrich
827 8ab3e9ed Erik Kristensen
			</td>
828
		</tr>
829 3de8af0e Scott Ullrich
		<tr id="dprtr" name="dprtr">
830 8ab3e9ed Erik Kristensen
			<td width="22%" valign="top" class="vncellreq">Destination port range </td>
831
			<td width="78%" class="vtable">
832
				<table border="0" cellspacing="0" cellpadding="0">
833
					<tr>
834
						<td>from:&nbsp;&nbsp;</td>
835
						<td>
836 b5c78501 Seth Mos
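							<?php /* Destination port, start of range. $bfound becomes 1 when the
							         stored value is "any" or one of the $wkports keys; otherwise the
							         stored value goes into the free-text field below, HTML-escaped
							         because it lands inside a quoted attribute.
							         NOTE(review): how $pconfig is filled is not visible in this part
							         of the file - confirm whether it can carry raw request data. */ ?>
							<select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php 							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
							<input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo htmlspecialchars($pconfig['dstbeginport']); ?>">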
844
						</td>
845
					</tr>
846
					<tr>
847
						<td>to:</td>
848
						<td>
849 b5c78501 Seth Mos
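							<?php /* Destination port, end of range. $bfound is reset to 0 here and
							         set to 1 when the stored value is "any" or a $wkports key; any
							         other stored value is written to the free-text field,
							         HTML-escaped because it lands inside a quoted attribute. */ ?>
							<select name="dstendport" class="formselect" onchange="ext_change()">
								<option value="">(other)</option>
								<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php							foreach ($wkports as $wkport => $wkportdesc): ?>
									<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php 							endforeach; ?>
							</select>
							<input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo htmlspecialchars($pconfig['dstendport']); ?>">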
857
						</td>
858
					</tr>
859
				</table>
860
				<br />
861
				<span class="vexpl">
862
					Specify the port or port range for the destination of the packet for this rule.
863
						<br />
864
					Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
865
				</span>
866
			</td>
867
		</tr>
868 c5fc1b2e Ermal Luçi
                <tr>
869
                        <td width="22%" valign="top" class="vncellreq">Diffserv Code Point</td>
870
                        <td width="78%" class="vtable">
871
                                <input name="dscp" id="dscp" value="<?=htmlspecialchars($pconfig['dscp']);?>">
872
                                        <br />
873
                                <span class="vexpl">Valid values are: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, EF, 1-64, 0x04-0xfc.</span>
874
                        </td>
875
                </tr>
876 8ab3e9ed Erik Kristensen
		<tr>
877
			<td width="22%" valign="top" class="vncellreq">Log</td>
878
			<td width="78%" class="vtable">
879
				<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
880
				<strong>Log packets that are handled by this rule</strong>
881
					<br />
882
				<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
883
			</td>
884
		</tr>
885 661aed33 Ermal Luçi
		<tr>
886 e6db3f58 Ermal Luçi
			<td width="22%" valign="top" class="vncell">Advanced Options</td>
887
			<td width="78%" class="vtable">
888
			<div id="aoadv" name="aoadv">
889
				<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced options
890
			</div>
891
			<div id="aodivmain" name="aodivmain" style="display:none">
892 661aed33 Ermal Luçi
893 775ccea3 Ermal Luci
                                <input type="checkbox" id="allowopts" value="yes" name="allowopts"<?php if($pconfig['allowopts'] == true) echo " checked"; ?>>
894
                                <br/><span class="vexpl"><?=gettext("This allows packets with ip options to pass otherwise they are blocked by default i.e. with multicast routing/proxing.");?>
895
				</span><p>
896 661aed33 Ermal Luçi
                                <input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
897 ad3979f2 Ermal Luçi
                                <br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other nat/filter rules. It is called <b>Policy filtering</b>");?>
898 661aed33 Ermal Luçi
                                </span><p>
899 ad3979f2 Ermal Luçi
                                <input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>">
900
                                <br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?>
901 661aed33 Ermal Luçi
                                </span> <p>
902 8ab3e9ed Erik Kristensen
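				<?php /* Per-rule limits. Each stored value is echoed into a quoted value
				         attribute, so it is HTML-escaped here in the same way as the tag,
				         tagged and descr fields of this form.
				         NOTE(review): how $pconfig is filled is not visible in this part of
				         the file - confirm whether it can carry raw request data. */ ?>
				<input name="max-src-nodes" id="max-src-nodes" value="<?php echo htmlspecialchars($pconfig['max-src-nodes']) ?>"><br> Simultaneous client connection limit<p>
				<input name="max-src-states" id="max-src-states" value="<?php echo htmlspecialchars($pconfig['max-src-states']) ?>"><br> Maximum state entries per host<p>
				<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo htmlspecialchars($pconfig['max-src-conn-rate']) ?>"> /
				<select name="max-src-conn-rates" id="max-src-conn-rates">
					<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
<?php				/* Offer 1..254 and pre-select the stored value. */
					for($x=1; $x<255; $x++) {
						if($x == $pconfig['max-src-conn-rates']) $selected = " selected"; else $selected = "";
						echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
					} ?>
				</select><br />
				Maximum new connections / per second
				<p>

				<input name="statetimeout" value="<?php echo htmlspecialchars($pconfig['statetimeout']) ?>"><br>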
916 3906617b Scott Ullrich
				State Timeout in seconds
917 47042140 Scott Ullrich
				<p />
918
919 8ab3e9ed Erik Kristensen
				<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
920 197b2a47 Scott Ullrich
			  </div>
921 8ab3e9ed Erik Kristensen
			</td>
922
		</tr>
923
		<tr>
924
			<td width="22%" valign="top" class="vncell">State Type</td>
925
			<td width="78%" class="vtable">
926 f6970b2f Scott Ullrich
				<div id="showadvstatebox">
927
					<input type="button" onClick="show_advanced_state()" value="Advanced"></input> - Show state</a>
928
				</div>
929
				<div id="showstateadv" style="display:none">
930
					<select name="statetype">
931
						<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
932
						<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state")  echo "selected"; ?>>synproxy state</option>
933
						<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
934
					</select><br>HINT: Select which type of state tracking mechanism you would like to use.  If in doubt, use keep state.
935
					<p>
936
					<table width="90%">
937 c62ff4e7 Chris Buechler
						<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
938 8eb08ba7 Chris Buechler
						<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
939
						<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track.  This is only useful if you're doing advanced queueing in certain situations.  Please check the documentation.</ul></td></tr>
940 f6970b2f Scott Ullrich
					</table>
941
					</p>
942
			  </div>
943 8ab3e9ed Erik Kristensen
			</td>
944
		</tr>
945 10f21e70 Scott Ullrich
		<tr>
946
			<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
947
			<td width="78%" class="vtable">
948 c32518fa Scott Ullrich
				<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
949 782c65b8 Scott Ullrich
				HINT: This prevents the rule from automatically syncing to other carp members.
950 10f21e70 Scott Ullrich
			</td>
951 8c84fe43 Scott Ullrich
		</tr>
952 615b27bc Scott Dale
		<?php
			/* Collect the schedule names offered in the Schedule drop-down.
			   "none" is always the first entry; picking it leaves the rule
			   enabled all the time. Schedules with an empty name are skipped. */
			$schedules = array("none");
			if (is_array($config['schedules']['schedule'])) {
				foreach ($config['schedules']['schedule'] as $schedule) {
					if ($schedule['name'] == "") {
						continue;
					}
					$schedules[] = $schedule['name'];
				}
			}
		?>
963
		<tr>
964
			<td width="22%" valign="top" class="vncell">Schedule</td>
965
			<td width="78%" class="vtable">
966
				<select name='sched'>
967
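<?php
				/* One option per entry of $schedules. The "none" entry submits an
				   empty value; every other entry submits the schedule name.
				   Names are HTML-escaped because they are written into both the
				   value attribute and the option text. */
				foreach($schedules as $schedule) {
					if($schedule == $pconfig['sched']) {
						$selected = " SELECTED";
					} else {
						$selected = "";
					}
					$schedule_html = htmlspecialchars($schedule);
					if ($schedule == "none") {
						echo "<option value=\"\" {$selected}>{$schedule_html}</option>\n";
					} else {
						echo "<option value=\"{$schedule_html}\" {$selected}>{$schedule_html}</option>\n";
					}
				}?>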
980
				</select>
981 49decb66 Scott Ullrich
				<p>Leave as 'none' to leave the rule enabled all the time.</p>
982 615b27bc Scott Dale
			</td>
983
		</tr>
984
		
985 8ab3e9ed Erik Kristensen
<?php
			/* Collect the gateway names offered in the Gateway drop-down.
			   "default" always comes first and stands for not using this
			   feature. An item is listed by its name, and only when its
			   'gateway' field is not empty. */
			$gateways = array("default");
			if (is_array($config['gateways']['gateway_item'])) {
				foreach ($config['gateways']['gateway_item'] as $gw_item) {
					if ($gw_item['gateway'] == "") {
						continue;
					}
					$gateways[] = $gw_item['name'];
				}
			}
?>
997 82628210 Scott Ullrich
		<tr>
998 8ab3e9ed Erik Kristensen
			<td width="22%" valign="top" class="vncell">Gateway</td>
999
			<td width="78%" class="vtable">
1000
				<select name='gateway'>
1001
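<?php
				/* Single gateways from $gateways. "default" submits an empty value;
				   every other entry submits its name and shows the address returned
				   by lookup_gateway_ip_by_name(). All names and addresses are
				   HTML-escaped before they are written into the markup. */
				foreach($gateways as $gw) {
					if($gw == "")
						continue;
					if($gw == $pconfig['gateway']) {
						$selected = " SELECTED";
					} else {
						$selected = "";
					}
					$gw_html = htmlspecialchars($gw);
					if ($gw == "default") {
						echo "<option value=\"\" {$selected}>{$gw_html}</option>\n";
					} else {
						$gwip = lookup_gateway_ip_by_name($gw);
						$gwip_html = htmlspecialchars($gwip);
						echo "<option value=\"{$gw_html}\" {$selected}>{$gw_html} - {$gwip_html}</option>\n";
					}
				}
				/* add gateway groups to the list */
				if (is_array($config['gateways']['gateway_group'])) {
					foreach($config['gateways']['gateway_group'] as $gw_group) {
						if($gw_group['name'] == "")
							continue;
						$group_html = htmlspecialchars($gw_group['name']);
						if($pconfig['gateway'] == $gw_group['name']) {
							echo "<option value=\"{$group_html}\" SELECTED>{$group_html}</option>\n";
						} else {
							echo "<option value=\"{$group_html}\">{$group_html}</option>\n";
						}
					}
				}
				/* Interfaces whose configured ipaddr is "dhcp", "pppoe" or "pptp"
				   are offered by interface key. */
				$iflist = get_configured_interface_with_descr();
				foreach ($iflist as $ifent => $ifdesc) {
					if (in_array($config['interfaces'][$ifent]['ipaddr'],
						 array("dhcp", "pppoe", "pptp"))) {
						if ($pconfig['gateway'] == $ifent) {
							$selected = " SELECTED";
						} else {
							$selected = "";
						}
						if($ifdesc <> "") {
							/* The label is built from $ifent, the key of this loop.
							   The previous code upper-cased $if, which this loop never
							   assigns, so every option carried the same stale name. */
							$ifent_html = htmlspecialchars($ifent);
							$iflabel_html = htmlspecialchars(strtoupper($ifent));
							$ifdesc_html = htmlspecialchars($ifdesc);
							echo "<option value=\"{$ifent_html}\" {$selected}>{$iflabel_html} - {$ifdesc_html}</option>\n";
						}
					}
				}
?>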
1043
				</select>
1044 58a4eecd Bill Marquette
				<p><strong>Leave as 'default' to use the system routing table.  Or choose a gateway to utilize policy based routing.</strong></p>
1045 8ab3e9ed Erik Kristensen
			</td>
1046
		</tr>
1047 a5fd67e1 Ermal Luçi
		<tr>
1048
			<td width="22%" valign="top" class="vncell">In/Out</td>
1049
			<td width="78%" class="vtable">
1050
			<select name="dnpipe">
1051
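<?php
		/* Options for the "In" selector: a fixed "none" entry, then one
		   entry per element of $dnqlist (key = label, value = option value).
		   Label and value are HTML-escaped on output.
		   NOTE(review): $dnqlist and the initial $dnqselected are set outside
		   this part of the file. */
		if (!is_array($dnqlist))
			$dnqlist = array();
		echo "<option value=\"none\"";
		if (!$dnqselected) echo " SELECTED";
		echo " >none</option>";
		foreach ($dnqlist as $dnq => $dnqkey) {
			if($dnq == "")
				continue;
			echo "<option value=\"" . htmlspecialchars($dnqkey) . "\"";
			if ($dnqkey == $pconfig['dnpipe']) {
				$dnqselected = 1;
				echo " SELECTED";
			}
			echo ">" . htmlspecialchars($dnq) . "</option>"; 
		}
?>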
1068
			</select> / 			
1069
			<select name="pdnpipe">
1070
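<?php
		/* Options for the "Out" selector: a fixed "none" entry, then one
		   entry per element of $dnqlist (key = label, value = option value).
		   $dnqselected is reset just before it is tested, so "none" always
		   carries SELECTED and a matching entry further down adds a second one.
		   Label and value are HTML-escaped on output. */
		$dnqselected = 0;
		echo "<option value=\"none\"";
		if (!$dnqselected) echo " SELECTED";
		echo " >none</option>";
		foreach ($dnqlist as $dnq => $dnqkey) {
			if($dnq == "")
				continue;
			echo "<option value=\"" . htmlspecialchars($dnqkey) . "\"";
			if ($dnqkey == $pconfig['pdnpipe']) {
				$dnqselected = 1;
				echo " SELECTED";
			}
			echo ">" . htmlspecialchars($dnq) . "</option>"; 
		}
?>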
1086
			</select>
1087
				<br />
1088
				<span class="vexpl">Choose the Out queue/Virtual interface only if you have selected In too. <br/> The Out selection is applied to traffic going out the interface the rule is created, In is the incoming one. <br/> If you are creating a rule on the Floating tab if the direction is In then the same rules apply, if the direction is out the selections are reverted Out is for incoming and In is for outgoing and if you do not select any direction use only the In since the Out selection does not make sense in there to prevent oddities.</span>
1089
			</td>
1090
		</tr>
1091
1092 197bfe96 Ermal Luçi
		<tr>
1093
			<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
1094
			<td width="78%" class="vtable">
1095
			<select name="ackqueue">
1096
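<?php
		/* Options for the acknowledge-queue selector: a fixed "none" entry,
		   then one entry per key of $qlist; the key is both the option value
		   and its label and is HTML-escaped on output.
		   NOTE(review): $qlist and the initial $qselected are set outside
		   this part of the file. */
		if (!is_array($qlist))
			$qlist = array();
		echo "<option value=\"none\"";
		if (!$qselected) echo " SELECTED";
		echo " >none</option>";
		foreach ($qlist as $q => $qkey) {
			if($q == "")
				continue;
			$q_html = htmlspecialchars($q);
			echo "<option value=\"{$q_html}\"";
			if ($q == $pconfig['ackqueue']) {
				$qselected = 1;
				echo " SELECTED";
			}
			echo ">{$q_html}</option>"; 
		}
?>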
1113
			</select> / 			
1114
			<select name="defaultqueue">
1115
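<?php
		/* Options for the default-queue selector: a fixed "none" entry, then
		   one entry per key of $qlist; the key is both the option value and
		   its label and is HTML-escaped on output. $qselected is reset just
		   before it is tested, so "none" always carries SELECTED and a
		   matching entry further down adds a second one. */
		$qselected = 0;
		echo "<option value=\"none\"";
		if (!$qselected) echo " SELECTED";
		echo " >none</option>";
		foreach ($qlist as $q => $qkey) {
			if($q == "")
				continue;
			$q_html = htmlspecialchars($q);
			echo "<option value=\"{$q_html}\"";
			if ($q == $pconfig['defaultqueue']) {
				$qselected = 1;
				echo " SELECTED";
			}
			echo ">{$q_html}</option>"; 
		}
?>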
1131
			</select>
1132
				<br />
1133
				<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
1134
			</td>
1135
		</tr>
1136 7e50413c Ermal Luçi
		<tr>
1137
			<td width="22%" valign="top" class="vncell">Layer7</td>
1138
			<td width="78%" class="vtable">
1139
			<select name="l7container">
1140
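<?php
		/* Options for the Layer7 container selector: a fixed "none" entry,
		   then one entry per element of $l7clist, HTML-escaped on output.
		   The fallback initialises $l7clist itself; the previous code assigned
		   the empty array to $dnqlist, so a non-array $l7clist still reached
		   the foreach below. */
		if (!is_array($l7clist))
			$l7clist = array();
		echo "<option value=\"none\"";
		echo " >none</option>";
		foreach ($l7clist as $l7ckey) {
			$l7ckey_html = htmlspecialchars($l7ckey);
			echo "<option value=\"{$l7ckey_html}\"";
			if ($l7ckey == $pconfig['l7container']) {
				echo " SELECTED";
			}
			echo ">{$l7ckey_html}</option>"; 
		}
?>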
1153
			</select>			
1154
				<br/>
1155
				<span class="vexpl">Choose a Layer7 container to apply application protocol inspection rules.
1156
				This rule are valid for tcp and udp protocols for now.</span>
1157
			</td>
1158
		</tr>
1159 bca8e0ec Scott Ullrich
		<tr>
1160
			<td width="22%" valign="top" class="vncell">Description</td>
1161
			<td width="78%" class="vtable">
1162 b5c78501 Seth Mos
				<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
1163 bca8e0ec Scott Ullrich
				<br />
1164 586293d1 Scott Ullrich
				<span class="vexpl">You may enter a description here for your reference.</span>
1165 bca8e0ec Scott Ullrich
			</td>
1166
		</tr>
1167 8ab3e9ed Erik Kristensen
		<tr>
1168
			<td width="22%" valign="top">&nbsp;</td>
1169
			<td width="78%">
1170
				<input name="Submit" type="submit" class="formbtn" value="Save">  <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
1171
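<?php			/* Hidden fields that carry the rule index being edited ($id, emitted
				   only when $a_filter[$id] exists) and the insert position ($after)
				   back to the form handler. Both are HTML-escaped because they are
				   written into quoted attributes.
				   NOTE(review): where $id and $after are assigned is not visible in
				   this part of the file; $after is emitted without any existence
				   check, so confirm it is validated where it is read. */
				if (isset($id) && $a_filter[$id]): ?>
					<input name="id" type="hidden" value="<?=htmlspecialchars($id);?>">
<?php 			endif; ?>
				<input name="after" type="hidden" value="<?=htmlspecialchars($after);?>">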
1175
			</td>
1176 82628210 Scott Ullrich
		</tr>
1177 8ab3e9ed Erik Kristensen
	</table>
1178 5b237745 Scott Ullrich
</form>
1179
<script language="JavaScript">
1180
<!--
1181 8ab3e9ed Erik Kristensen
	ext_change();
1182
	typesel_change();
1183
	proto_change();
1184 19757279 Scott Ullrich
1185
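<?php
	/* Build two comma-separated lists of JavaScript string literals from the
	   configured aliases: $aliasesaddr for aliases whose address contains a
	   ".", $aliases for all others. Both strings are echoed into
	   "new Array(...)" calls right after this block.
	   Each name is emitted with json_encode() so that quotes, backslashes and
	   "/" inside a name cannot end the string literal or the script element.
	   NOTE(review): whether alias names are restricted when they are saved is
	   not visible in this part of the file. */
	$isfirst = 0;
	$aliases = "";
	$addrisfirst = 0;
	$aliasesaddr = "";
	if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
		foreach($config['aliases']['alias'] as $alias_name) {
			if(!stristr($alias_name['address'], ".")) {
				if($isfirst == 1) $aliases .= ",";
				$aliases .= json_encode($alias_name['name']);
				$isfirst = 1;
			} else {
				if($addrisfirst == 1) $aliasesaddr .= ",";
				$aliasesaddr .= json_encode($alias_name['name']);
				$addrisfirst = 1;
			}
		}
?>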
1203
1204 8ab3e9ed Erik Kristensen
	var addressarray=new Array(<?php echo $aliasesaddr; ?>);
1205
	var customarray=new Array(<?php echo $aliases; ?>);
1206 19757279 Scott Ullrich
1207 5b237745 Scott Ullrich
//-->
1208
</script>
1209 8ab3e9ed Erik Kristensen
1210
1211 5b237745 Scott Ullrich
<?php include("fend.inc"); ?>
1212
</body>
1213
</html>