|
1
|
#!/usr/local/bin/php
|
|
2
|
<?php
|
|
3
|
/* $Id$ */
|
|
4
|
/*
|
|
5
|
firewall_rules_edit.php
|
|
6
|
part of m0n0wall (http://m0n0.ch/wall)
|
|
7
|
|
|
8
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
|
9
|
All rights reserved.
|
|
10
|
|
|
11
|
Redistribution and use in source and binary forms, with or without
|
|
12
|
modification, are permitted provided that the following conditions are met:
|
|
13
|
|
|
14
|
1. Redistributions of source code must retain the above copyright notice,
|
|
15
|
this list of conditions and the following disclaimer.
|
|
16
|
|
|
17
|
2. Redistributions in binary form must reproduce the above copyright
|
|
18
|
notice, this list of conditions and the following disclaimer in the
|
|
19
|
documentation and/or other materials provided with the distribution.
|
|
20
|
|
|
21
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
22
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
23
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
24
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
25
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
26
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
27
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
28
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
29
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
30
|
POSSIBILITY OF SUCH DAMAGE.
|
|
31
|
*/
|
|
32
|
|
|
33
|
require("guiconfig.inc");
|
|
34
|
|
|
35
|
$specialsrcdst = explode(" ", "any lan pptp");
|
|
36
|
|
|
37
|
if (!is_array($config['filter']['rule'])) {
|
|
38
|
$config['filter']['rule'] = array();
|
|
39
|
}
|
|
40
|
filter_rules_sort();
|
|
41
|
$a_filter = &$config['filter']['rule'];
|
|
42
|
|
|
43
|
$id = $_GET['id'];
|
|
44
|
if (is_numeric($_POST['id']))
|
|
45
|
$id = $_POST['id'];
|
|
46
|
|
|
47
|
$after = $_GET['after'];
|
|
48
|
|
|
49
|
if (isset($_POST['after']))
|
|
50
|
$after = $_POST['after'];
|
|
51
|
|
|
52
|
if (isset($_GET['dup'])) {
|
|
53
|
$id = $_GET['dup'];
|
|
54
|
$after = $_GET['dup'];
|
|
55
|
}
|
|
56
|
|
|
57
|
function is_specialnet($net) {
|
|
58
|
global $specialsrcdst;
|
|
59
|
|
|
60
|
if (in_array($net, $specialsrcdst) || strstr($net, "opt"))
|
|
61
|
return true;
|
|
62
|
else
|
|
63
|
return false;
|
|
64
|
}
|
|
65
|
|
|
66
|
function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) {
|
|
67
|
|
|
68
|
if (isset($adr['any']))
|
|
69
|
$padr = "any";
|
|
70
|
else if ($adr['network'])
|
|
71
|
$padr = $adr['network'];
|
|
72
|
else if ($adr['address']) {
|
|
73
|
list($padr, $pmask) = explode("/", $adr['address']);
|
|
74
|
if (!$pmask)
|
|
75
|
$pmask = 32;
|
|
76
|
}
|
|
77
|
|
|
78
|
if (isset($adr['not']))
|
|
79
|
$pnot = 1;
|
|
80
|
else
|
|
81
|
$pnot = 0;
|
|
82
|
|
|
83
|
if ($adr['port']) {
|
|
84
|
list($pbeginport, $pendport) = explode("-", $adr['port']);
|
|
85
|
if (!$pendport)
|
|
86
|
$pendport = $pbeginport;
|
|
87
|
} else {
|
|
88
|
if(alias_expand($pbeginport) <> "" || alias_expand($pendport) <> "") {
|
|
89
|
/* Item is a port alias */
|
|
90
|
} else {
|
|
91
|
$pbeginport = "any";
|
|
92
|
$pendport = "any";
|
|
93
|
}
|
|
94
|
}
|
|
95
|
}
|
|
96
|
|
|
97
|
function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) {
|
|
98
|
|
|
99
|
$adr = array();
|
|
100
|
|
|
101
|
if ($padr == "any")
|
|
102
|
$adr['any'] = true;
|
|
103
|
else if (is_specialnet($padr))
|
|
104
|
$adr['network'] = $padr;
|
|
105
|
else {
|
|
106
|
$adr['address'] = $padr;
|
|
107
|
if ($pmask != 32)
|
|
108
|
$adr['address'] .= "/" . $pmask;
|
|
109
|
}
|
|
110
|
|
|
111
|
$adr['not'] = $pnot ? true : false;
|
|
112
|
|
|
113
|
if (($pbeginport != 0) && ($pbeginport != "any")) {
|
|
114
|
if ($pbeginport != $pendport)
|
|
115
|
$adr['port'] = $pbeginport . "-" . $pendport;
|
|
116
|
else
|
|
117
|
$adr['port'] = $pbeginport;
|
|
118
|
}
|
|
119
|
|
|
120
|
if(alias_expand($pbeginport)) {
|
|
121
|
$adr['port'] = $pbeginport;
|
|
122
|
}
|
|
123
|
}
|
|
124
|
|
|
125
|
if (isset($id) && $a_filter[$id]) {
|
|
126
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
|
127
|
|
|
128
|
if (!isset($a_filter[$id]['type']))
|
|
129
|
$pconfig['type'] = "pass";
|
|
130
|
else
|
|
131
|
$pconfig['type'] = $a_filter[$id]['type'];
|
|
132
|
|
|
133
|
if (isset($a_filter[$id]['protocol']))
|
|
134
|
$pconfig['proto'] = $a_filter[$id]['protocol'];
|
|
135
|
else
|
|
136
|
$pconfig['proto'] = "any";
|
|
137
|
|
|
138
|
if ($a_filter[$id]['protocol'] == "icmp")
|
|
139
|
$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
|
|
140
|
|
|
141
|
address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
|
|
142
|
$pconfig['srcmask'], $pconfig['srcnot'],
|
|
143
|
$pconfig['srcbeginport'], $pconfig['srcendport']);
|
|
144
|
|
|
145
|
if($a_filter[$id]['os'] <> "")
|
|
146
|
$pconfig['os'] = $a_filter[$id]['os'];
|
|
147
|
|
|
148
|
address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
|
|
149
|
$pconfig['dstmask'], $pconfig['dstnot'],
|
|
150
|
$pconfig['dstbeginport'], $pconfig['dstendport']);
|
|
151
|
|
|
152
|
$pconfig['returngateway'] = $a_filter[$id]['returngateway'];
|
|
153
|
$pconfig['returninterface'] = $a_filter[$id]['returninterface'];
|
|
154
|
|
|
155
|
$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
|
|
156
|
$pconfig['log'] = isset($a_filter[$id]['log']);
|
|
157
|
$pconfig['frags'] = isset($a_filter[$id]['frags']);
|
|
158
|
$pconfig['descr'] = $a_filter[$id]['descr'];
|
|
159
|
$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
|
|
160
|
$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
|
|
161
|
$pconfig['statetype'] = $a_filter[$id]['statetype'];
|
|
162
|
$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
|
|
163
|
|
|
164
|
} else {
|
|
165
|
/* defaults */
|
|
166
|
if ($_GET['if'])
|
|
167
|
$pconfig['interface'] = $_GET['if'];
|
|
168
|
$pconfig['type'] = "pass";
|
|
169
|
$pconfig['src'] = "any";
|
|
170
|
$pconfig['dst'] = "any";
|
|
171
|
}
|
|
172
|
|
|
173
|
if (isset($_GET['dup']))
|
|
174
|
unset($id);
|
|
175
|
|
|
176
|
if ($_POST) {
|
|
177
|
|
|
178
|
if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
|
|
179
|
$_POST['srcbeginport'] = 0;
|
|
180
|
$_POST['srcendport'] = 0;
|
|
181
|
$_POST['dstbeginport'] = 0;
|
|
182
|
$_POST['dstendport'] = 0;
|
|
183
|
} else {
|
|
184
|
|
|
185
|
if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
|
|
186
|
$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
|
|
187
|
if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
|
|
188
|
$_POST['srcendport'] = $_POST['srcendport_cust'];
|
|
189
|
|
|
190
|
if ($_POST['srcbeginport'] == "any") {
|
|
191
|
$_POST['srcbeginport'] = 0;
|
|
192
|
$_POST['srcendport'] = 0;
|
|
193
|
} else {
|
|
194
|
if (!$_POST['srcendport'])
|
|
195
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
196
|
}
|
|
197
|
if ($_POST['srcendport'] == "any")
|
|
198
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
199
|
|
|
200
|
if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
|
|
201
|
$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
|
|
202
|
if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
|
|
203
|
$_POST['dstendport'] = $_POST['dstendport_cust'];
|
|
204
|
|
|
205
|
if ($_POST['dstbeginport'] == "any") {
|
|
206
|
$_POST['dstbeginport'] = 0;
|
|
207
|
$_POST['dstendport'] = 0;
|
|
208
|
} else {
|
|
209
|
if (!$_POST['dstendport'])
|
|
210
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
211
|
}
|
|
212
|
if ($_POST['dstendport'] == "any")
|
|
213
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
214
|
}
|
|
215
|
|
|
216
|
if (is_specialnet($_POST['srctype'])) {
|
|
217
|
$_POST['src'] = $_POST['srctype'];
|
|
218
|
$_POST['srcmask'] = 0;
|
|
219
|
} else if ($_POST['srctype'] == "single") {
|
|
220
|
$_POST['srcmask'] = 32;
|
|
221
|
}
|
|
222
|
if (is_specialnet($_POST['dsttype'])) {
|
|
223
|
$_POST['dst'] = $_POST['dsttype'];
|
|
224
|
$_POST['dstmask'] = 0;
|
|
225
|
} else if ($_POST['dsttype'] == "single") {
|
|
226
|
$_POST['dstmask'] = 32;
|
|
227
|
}
|
|
228
|
|
|
229
|
unset($input_errors);
|
|
230
|
$pconfig = $_POST;
|
|
231
|
|
|
232
|
/* input validation */
|
|
233
|
$reqdfields = explode(" ", "type interface proto src dst");
|
|
234
|
$reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination");
|
|
235
|
|
|
236
|
|
|
237
|
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state")
|
|
238
|
if( $_POST['proto'] != "tcp" )
|
|
239
|
$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
|
|
240
|
|
|
241
|
|
|
242
|
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
|
|
243
|
$reqdfields[] = "srcmask";
|
|
244
|
$reqdfieldsn[] = "Source bit count";
|
|
245
|
}
|
|
246
|
if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
|
|
247
|
$reqdfields[] = "dstmask";
|
|
248
|
$reqdfieldsn[] = "Destination bit count";
|
|
249
|
}
|
|
250
|
|
|
251
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
|
|
252
|
|
|
253
|
if (!$_POST['srcbeginport']) {
|
|
254
|
$_POST['srcbeginport'] = 0;
|
|
255
|
$_POST['srcendport'] = 0;
|
|
256
|
}
|
|
257
|
if (!$_POST['dstbeginport']) {
|
|
258
|
$_POST['dstbeginport'] = 0;
|
|
259
|
$_POST['dstendport'] = 0;
|
|
260
|
}
|
|
261
|
|
|
262
|
if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
|
|
263
|
$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
|
|
264
|
}
|
|
265
|
if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
|
|
266
|
$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
|
|
267
|
}
|
|
268
|
if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
|
|
269
|
$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
|
|
270
|
}
|
|
271
|
if (($_POST['dstendport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstendport']))) {
|
|
272
|
$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
|
|
273
|
}
|
|
274
|
|
|
275
|
if (($_POST['returngateway'] && !is_ipaddroranyalias($_POST['returngateway'])))
|
|
276
|
$input_errors[] = "A valid return gateway IP address or alias must be specified.";
|
|
277
|
|
|
278
|
if (!is_specialnet($_POST['srctype'])) {
|
|
279
|
if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
|
|
280
|
$input_errors[] = "A valid source IP address or alias must be specified.";
|
|
281
|
}
|
|
282
|
if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
|
|
283
|
$input_errors[] = "A valid source bit count must be specified.";
|
|
284
|
}
|
|
285
|
}
|
|
286
|
if (!is_specialnet($_POST['dsttype'])) {
|
|
287
|
if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
|
|
288
|
$input_errors[] = "A valid destination IP address or alias must be specified.";
|
|
289
|
}
|
|
290
|
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
|
|
291
|
$input_errors[] = "A valid destination bit count must be specified.";
|
|
292
|
}
|
|
293
|
}
|
|
294
|
|
|
295
|
if ($_POST['srcbeginport'] > $_POST['srcendport']) {
|
|
296
|
/* swap */
|
|
297
|
$tmp = $_POST['srcendport'];
|
|
298
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
|
299
|
$_POST['srcbeginport'] = $tmp;
|
|
300
|
}
|
|
301
|
if ($_POST['dstbeginport'] > $_POST['dstendport']) {
|
|
302
|
/* swap */
|
|
303
|
$tmp = $_POST['dstendport'];
|
|
304
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
|
305
|
$_POST['dstbeginport'] = $tmp;
|
|
306
|
}
|
|
307
|
if ($_POST['os'])
|
|
308
|
if( $_POST['proto'] != "tcp" )
|
|
309
|
$input_errors[] = "OS detection is only valid with protocol tcp.";
|
|
310
|
|
|
311
|
if (!$input_errors) {
|
|
312
|
$filterent = array();
|
|
313
|
$filterent['type'] = $_POST['type'];
|
|
314
|
$filterent['interface'] = $_POST['interface'];
|
|
315
|
|
|
316
|
/* Advanced options */
|
|
317
|
$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
|
|
318
|
$filterent['max-src-states'] = $_POST['max-src-states'];
|
|
319
|
$filterent['statetimeout'] = $_POST['statetimeout'];
|
|
320
|
$filterent['statetype'] = $_POST['statetype'];
|
|
321
|
$filterent['os'] = $_POST['os'];
|
|
322
|
|
|
323
|
if ($_POST['proto'] != "any")
|
|
324
|
$filterent['protocol'] = $_POST['proto'];
|
|
325
|
else
|
|
326
|
unset($filterent['protocol']);
|
|
327
|
|
|
328
|
if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
|
|
329
|
$filterent['icmptype'] = $_POST['icmptype'];
|
|
330
|
else
|
|
331
|
unset($filterent['icmptype']);
|
|
332
|
|
|
333
|
pconfig_to_address($filterent['source'], $_POST['src'],
|
|
334
|
$_POST['srcmask'], $_POST['srcnot'],
|
|
335
|
$_POST['srcbeginport'], $_POST['srcendport']);
|
|
336
|
|
|
337
|
pconfig_to_address($filterent['destination'], $_POST['dst'],
|
|
338
|
$_POST['dstmask'], $_POST['dstnot'],
|
|
339
|
$_POST['dstbeginport'], $_POST['dstendport']);
|
|
340
|
|
|
341
|
$filterent['disabled'] = $_POST['disabled'] ? true : false;
|
|
342
|
$filterent['log'] = $_POST['log'] ? true : false;
|
|
343
|
$filterent['frags'] = $_POST['frags'] ? true : false;
|
|
344
|
$filterent['descr'] = $_POST['descr'];
|
|
345
|
$filterent['returngateway'] = $_POST['returngateway'];
|
|
346
|
$filterent['returninterface'] = $_POST['returninterface'];
|
|
347
|
|
|
348
|
if (isset($id) && $a_filter[$id])
|
|
349
|
$a_filter[$id] = $filterent;
|
|
350
|
else {
|
|
351
|
if (is_numeric($after))
|
|
352
|
array_splice($a_filter, $after+1, 0, array($filterent));
|
|
353
|
else
|
|
354
|
$a_filter[] = $filterent;
|
|
355
|
}
|
|
356
|
|
|
357
|
write_config();
|
|
358
|
touch($d_filterconfdirty_path);
|
|
359
|
|
|
360
|
header("Location: firewall_rules.php?if=" . $_POST['interface']);
|
|
361
|
exit;
|
|
362
|
}
|
|
363
|
}
|
|
364
|
?>
|
|
365
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
366
|
<html>
|
|
367
|
<head>
|
|
368
|
<title><?=gentitle("Firewall: Rules: Edit");?></title>
|
|
369
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
|
|
370
|
<link href="gui.css" rel="stylesheet" type="text/css">
|
|
371
|
<script language="JavaScript">
|
|
372
|
<!--
|
|
373
|
var portsenabled = 1;
|
|
374
|
|
|
375
|
function ext_change() {
|
|
376
|
if ((document.iform.srcbeginport.selectedIndex == 0) && portsenabled) {
|
|
377
|
document.iform.srcbeginport_cust.disabled = 0;
|
|
378
|
} else {
|
|
379
|
document.iform.srcbeginport_cust.value = "";
|
|
380
|
document.iform.srcbeginport_cust.disabled = 1;
|
|
381
|
}
|
|
382
|
if ((document.iform.srcendport.selectedIndex == 0) && portsenabled) {
|
|
383
|
document.iform.srcendport_cust.disabled = 0;
|
|
384
|
} else {
|
|
385
|
document.iform.srcendport_cust.value = "";
|
|
386
|
document.iform.srcendport_cust.disabled = 1;
|
|
387
|
}
|
|
388
|
if ((document.iform.dstbeginport.selectedIndex == 0) && portsenabled) {
|
|
389
|
document.iform.dstbeginport_cust.disabled = 0;
|
|
390
|
} else {
|
|
391
|
document.iform.dstbeginport_cust.value = "";
|
|
392
|
document.iform.dstbeginport_cust.disabled = 1;
|
|
393
|
}
|
|
394
|
if ((document.iform.dstendport.selectedIndex == 0) && portsenabled) {
|
|
395
|
document.iform.dstendport_cust.disabled = 0;
|
|
396
|
} else {
|
|
397
|
document.iform.dstendport_cust.value = "";
|
|
398
|
document.iform.dstendport_cust.disabled = 1;
|
|
399
|
}
|
|
400
|
|
|
401
|
if (!portsenabled) {
|
|
402
|
document.iform.srcbeginport.disabled = 1;
|
|
403
|
document.iform.srcendport.disabled = 1;
|
|
404
|
document.iform.dstbeginport.disabled = 1;
|
|
405
|
document.iform.dstendport.disabled = 1;
|
|
406
|
} else {
|
|
407
|
document.iform.srcbeginport.disabled = 0;
|
|
408
|
document.iform.srcendport.disabled = 0;
|
|
409
|
document.iform.dstbeginport.disabled = 0;
|
|
410
|
document.iform.dstendport.disabled = 0;
|
|
411
|
}
|
|
412
|
}
|
|
413
|
|
|
414
|
function typesel_change() {
|
|
415
|
switch (document.iform.srctype.selectedIndex) {
|
|
416
|
case 1: /* single */
|
|
417
|
document.iform.src.disabled = 0;
|
|
418
|
document.iform.srcmask.value = "";
|
|
419
|
document.iform.srcmask.disabled = 1;
|
|
420
|
break;
|
|
421
|
case 2: /* network */
|
|
422
|
document.iform.src.disabled = 0;
|
|
423
|
document.iform.srcmask.disabled = 0;
|
|
424
|
break;
|
|
425
|
default:
|
|
426
|
document.iform.src.value = "";
|
|
427
|
document.iform.src.disabled = 1;
|
|
428
|
document.iform.srcmask.value = "";
|
|
429
|
document.iform.srcmask.disabled = 1;
|
|
430
|
break;
|
|
431
|
}
|
|
432
|
switch (document.iform.dsttype.selectedIndex) {
|
|
433
|
case 1: /* single */
|
|
434
|
document.iform.dst.disabled = 0;
|
|
435
|
document.iform.dstmask.value = "";
|
|
436
|
document.iform.dstmask.disabled = 1;
|
|
437
|
break;
|
|
438
|
case 2: /* network */
|
|
439
|
document.iform.dst.disabled = 0;
|
|
440
|
document.iform.dstmask.disabled = 0;
|
|
441
|
break;
|
|
442
|
default:
|
|
443
|
document.iform.dst.value = "";
|
|
444
|
document.iform.dst.disabled = 1;
|
|
445
|
document.iform.dstmask.value = "";
|
|
446
|
document.iform.dstmask.disabled = 1;
|
|
447
|
break;
|
|
448
|
}
|
|
449
|
}
|
|
450
|
|
|
451
|
function proto_change() {
|
|
452
|
if (document.iform.proto.selectedIndex < 3) {
|
|
453
|
portsenabled = 1;
|
|
454
|
} else {
|
|
455
|
portsenabled = 0;
|
|
456
|
}
|
|
457
|
|
|
458
|
/* Disable OS knob if the proto is not TCP. */
|
|
459
|
if (document.iform.proto.selectedIndex < 1) {
|
|
460
|
document.forms[0].os.disabled = 0;
|
|
461
|
} else {
|
|
462
|
document.forms[0].os.disabled = 1;
|
|
463
|
}
|
|
464
|
|
|
465
|
if (document.iform.proto.selectedIndex == 3) {
|
|
466
|
document.iform.icmptype.disabled = 0;
|
|
467
|
} else {
|
|
468
|
document.iform.icmptype.disabled = 1;
|
|
469
|
}
|
|
470
|
|
|
471
|
ext_change();
|
|
472
|
}
|
|
473
|
|
|
474
|
function src_rep_change() {
|
|
475
|
document.iform.srcendport.selectedIndex = document.iform.srcbeginport.selectedIndex;
|
|
476
|
}
|
|
477
|
function dst_rep_change() {
|
|
478
|
document.iform.dstendport.selectedIndex = document.iform.dstbeginport.selectedIndex;
|
|
479
|
}
|
|
480
|
//-->
|
|
481
|
</script>
|
|
482
|
</head>
|
|
483
|
|
|
484
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
|
485
|
<?php include("fbegin.inc"); ?>
|
|
486
|
<p class="pgtitle">Firewall: Rules: Edit</p>
|
|
487
|
<?php if ($input_errors) print_input_errors($input_errors); ?>
|
|
488
|
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
|
|
489
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
|
490
|
<tr>
|
|
491
|
<td width="22%" valign="top" class="vncellreq">Action</td>
|
|
492
|
<td width="78%" class="vtable">
|
|
493
|
<select name="type" class="formfld">
|
|
494
|
<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
|
|
495
|
<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
|
|
496
|
<?=htmlspecialchars($type);?>
|
|
497
|
</option>
|
|
498
|
<?php endforeach; ?>
|
|
499
|
</select> <br>
|
|
500
|
<span class="vexpl">Choose what to do with packets that match
|
|
501
|
the criteria specified below.<br>
|
|
502
|
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.</span></td>
|
|
503
|
</tr>
|
|
504
|
<tr>
|
|
505
|
<td width="22%" valign="top" class="vncellreq">Disabled</td>
|
|
506
|
<td width="78%" class="vtable">
|
|
507
|
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
|
|
508
|
<strong>Disable this rule</strong><br>
|
|
509
|
<span class="vexpl">Set this option to disable this rule without
|
|
510
|
removing it from the list.</span></td>
|
|
511
|
</tr>
|
|
512
|
<tr>
|
|
513
|
<td width="22%" valign="top" class="vncellreq">Interface</td>
|
|
514
|
<td width="78%" class="vtable">
|
|
515
|
<select name="interface" class="formfld">
|
|
516
|
<?php $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP');
|
|
517
|
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
|
|
518
|
$interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr'];
|
|
519
|
}
|
|
520
|
foreach ($interfaces as $iface => $ifacename): ?>
|
|
521
|
<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
|
|
522
|
<?=htmlspecialchars($ifacename);?>
|
|
523
|
</option>
|
|
524
|
<?php endforeach; ?>
|
|
525
|
</select> <br>
|
|
526
|
<span class="vexpl">Choose on which interface packets must
|
|
527
|
come in to match this rule.</span></td>
|
|
528
|
</tr>
|
|
529
|
<tr>
|
|
530
|
<td width="22%" valign="top" class="vncellreq">Protocol</td>
|
|
531
|
<td width="78%" class="vtable">
|
|
532
|
<select name="proto" class="formfld" onchange="proto_change()">
|
|
533
|
<?php $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ICMP6 ESP AH GRE IPv6 IGMP any carp pfsync"); foreach ($protocols as $proto): ?>
|
|
534
|
<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>>
|
|
535
|
<?=htmlspecialchars($proto);?>
|
|
536
|
</option>
|
|
537
|
<?php endforeach; ?>
|
|
538
|
</select> <br>
|
|
539
|
<span class="vexpl">Choose which IP protocol this rule should
|
|
540
|
match.<br>
|
|
541
|
Hint: in most cases, you should specify <em>TCP</em> here.</span></td>
|
|
542
|
</tr>
|
|
543
|
<tr>
|
|
544
|
<td valign="top" class="vncell">ICMP type</td>
|
|
545
|
<td class="vtable">
|
|
546
|
<select name="icmptype" class="formfld">
|
|
547
|
<?php
|
|
548
|
|
|
549
|
$icmptypes = array(
|
|
550
|
"" => "any",
|
|
551
|
"echorep" => "Echo reply",
|
|
552
|
"unreach" => "Destination unreachable",
|
|
553
|
"squench" => "Source quench",
|
|
554
|
"redir" => "Redirect",
|
|
555
|
"althost" => "Alternate Host",
|
|
556
|
"echoreq" => "Echo",
|
|
557
|
"routeradv" => "Router advertisement",
|
|
558
|
"routersol" => "Router solicitation",
|
|
559
|
"timex" => "Time exceeded",
|
|
560
|
"paramprob" => "Invalid IP header",
|
|
561
|
"timereq" => "Timestamp",
|
|
562
|
"timerep" => "Timestamp reply",
|
|
563
|
"inforeq" => "Information request",
|
|
564
|
"inforep" => "Information reply",
|
|
565
|
"maskreq" => "Address mask request",
|
|
566
|
"maskrep" => "Address mask reply"
|
|
567
|
);
|
|
568
|
|
|
569
|
foreach ($icmptypes as $icmptype => $descr): ?>
|
|
570
|
<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>>
|
|
571
|
<?=htmlspecialchars($descr);?>
|
|
572
|
</option>
|
|
573
|
<?php endforeach; ?>
|
|
574
|
</select>
|
|
575
|
<br>
|
|
576
|
<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span></td>
|
|
577
|
</tr>
|
|
578
|
<tr>
|
|
579
|
<td width="22%" valign="top" class="vncellreq">Source</td>
|
|
580
|
<td width="78%" class="vtable">
|
|
581
|
<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
|
|
582
|
<strong>not</strong><br>
|
|
583
|
Use this option to invert the sense of the match.<br>
|
|
584
|
<br>
|
|
585
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
586
|
<tr>
|
|
587
|
<td>Type: </td>
|
|
588
|
<td><select name="srctype" class="formfld" onChange="typesel_change()">
|
|
589
|
<?php $sel = is_specialnet($pconfig['src']); ?>
|
|
590
|
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>
|
|
591
|
any</option>
|
|
592
|
<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
|
|
593
|
Single host or alias</option>
|
|
594
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>
|
|
595
|
Network</option>
|
|
596
|
<option value="lan" <?php if ($pconfig['src'] == "lan") { echo "selected"; } ?>>
|
|
597
|
LAN subnet</option>
|
|
598
|
<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>
|
|
599
|
PPTP clients</option>
|
|
600
|
<?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
|
|
601
|
<option value="opt<?=$i;?>" <?php if ($pconfig['src'] == "opt" . $i) { echo "selected"; } ?>>
|
|
602
|
<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
|
|
603
|
<?php endfor; ?>
|
|
604
|
</select></td>
|
|
605
|
</tr>
|
|
606
|
<tr>
|
|
607
|
<td>Address: </td>
|
|
608
|
<td><input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this)' onkeyup='actb_tocomplete(this,event,addressarray);' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>">
|
|
609
|
/
|
|
610
|
<select name="srcmask" class="formfld" id="srcmask">
|
|
611
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
|
612
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
|
|
613
|
<?php endfor; ?>
|
|
614
|
</select>
|
|
615
|
</td>
|
|
616
|
</tr>
|
|
617
|
</table></td>
|
|
618
|
</tr>
|
|
619
|
<tr>
|
|
620
|
<td width="22%" valign="top" class="vncellreq">Source port range
|
|
621
|
</td>
|
|
622
|
<td width="78%" class="vtable">
|
|
623
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
624
|
<tr>
|
|
625
|
<td>from: </td>
|
|
626
|
<td><select name="srcbeginport" class="formfld" onchange="src_rep_change();ext_change()">
|
|
627
|
<option value="">(other)</option>
|
|
628
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
629
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
630
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) {
|
|
631
|
echo "selected";
|
|
632
|
$bfound = 1;
|
|
633
|
}?>>
|
|
634
|
<?=htmlspecialchars($wkportdesc);?>
|
|
635
|
</option>
|
|
636
|
<?php endforeach; ?>
|
|
637
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>"></td>
|
|
638
|
</tr>
|
|
639
|
<tr>
|
|
640
|
<td>to:</td>
|
|
641
|
<td><select name="srcendport" class="formfld" onchange="ext_change()">
|
|
642
|
<option value="">(other)</option>
|
|
643
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
644
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
645
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) {
|
|
646
|
echo "selected";
|
|
647
|
$bfound = 1;
|
|
648
|
}?>>
|
|
649
|
<?=htmlspecialchars($wkportdesc);?>
|
|
650
|
</option>
|
|
651
|
<?php endforeach; ?>
|
|
652
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>"></td>
|
|
653
|
</tr>
|
|
654
|
</table>
|
|
655
|
<br>
|
|
656
|
<span class="vexpl">Specify the port or port range for
|
|
657
|
the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any"). <br>
|
|
658
|
Hint: you can leave the <em>'to'</em> field empty if you only
|
|
659
|
want to filter a single port</span></td>
|
|
660
|
|
|
661
|
<tr>
|
|
662
|
<td width="22%" valign="top" class="vncellreq">Source OS</td>
|
|
663
|
<td width="78%" class="vtable">OS Type:
|
|
664
|
<select name="os" id="os" class="formfld">
|
|
665
|
<?php
|
|
666
|
$ostypes = array(
|
|
667
|
"" => "any",
|
|
668
|
"AIX" => "AIX",
|
|
669
|
"Linux" => "Linux",
|
|
670
|
"FreeBSD" => "FreeBSD",
|
|
671
|
"NetBSD" => "NetBSD",
|
|
672
|
"OpenBSD" => "OpenBSD",
|
|
673
|
"Solaris" => "Solaris",
|
|
674
|
"MacOS" => "MacOS",
|
|
675
|
"Windows" => "Windows",
|
|
676
|
"Novell" => "Novell"
|
|
677
|
);
|
|
678
|
|
|
679
|
foreach ($ostypes as $ostype => $descr): ?>
|
|
680
|
<option value="<?=$ostype;?>" <?php if ($ostype == $pconfig['os']) echo "selected"; ?>>
|
|
681
|
<?=htmlspecialchars($descr);?>
|
|
682
|
</option>
|
|
683
|
<?php endforeach; ?>
|
|
684
|
</select><br>
|
|
685
|
Note: this only works for TCP rules</td>
|
|
686
|
</tr>
|
|
687
|
<tr>
|
|
688
|
<td width="22%" valign="top" class="vncellreq">Destination</td>
|
|
689
|
<td width="78%" class="vtable">
|
|
690
|
<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
|
|
691
|
<strong>not</strong><br>
|
|
692
|
Use this option to invert the sense of the match.<br>
|
|
693
|
<br>
|
|
694
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
695
|
<tr>
|
|
696
|
<td>Type: </td>
|
|
697
|
<td><select name="dsttype" class="formfld" onChange="typesel_change()">
|
|
698
|
<?php $sel = is_specialnet($pconfig['dst']); ?>
|
|
699
|
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>
|
|
700
|
any</option>
|
|
701
|
<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
|
|
702
|
Single host or alias</option>
|
|
703
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>
|
|
704
|
Network</option>
|
|
705
|
<option value="lan" <?php if ($pconfig['dst'] == "lan") { echo "selected"; } ?>>
|
|
706
|
LAN subnet</option>
|
|
707
|
<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>
|
|
708
|
PPTP clients</option>
|
|
709
|
<?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
|
|
710
|
<option value="opt<?=$i;?>" <?php if ($pconfig['dst'] == "opt" . $i) { echo "selected"; } ?>>
|
|
711
|
<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
|
|
712
|
<?php endfor; ?>
|
|
713
|
</select></td>
|
|
714
|
</tr>
|
|
715
|
<tr>
|
|
716
|
<td>Address: </td>
|
|
717
|
<td><input name="dst" autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,addressarray)' type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
|
718
|
/
|
|
719
|
<select name="dstmask" class="formfld" id="dstmask">
|
|
720
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
|
721
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
|
|
722
|
<?php endfor; ?>
|
|
723
|
</select></td>
|
|
724
|
</tr>
|
|
725
|
</table></td>
|
|
726
|
</tr>
|
|
727
|
<tr>
|
|
728
|
<td width="22%" valign="top" class="vncellreq">Destination port
|
|
729
|
range </td>
|
|
730
|
<td width="78%" class="vtable">
|
|
731
|
<table border="0" cellspacing="0" cellpadding="0">
|
|
732
|
<tr>
|
|
733
|
<td>from: </td>
|
|
734
|
<td><select name="dstbeginport" class="formfld" onchange="dst_rep_change();ext_change()">
|
|
735
|
<option value="">(other)</option>
|
|
736
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
737
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
738
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) {
|
|
739
|
echo "selected";
|
|
740
|
$bfound = 1;
|
|
741
|
}?>>
|
|
742
|
<?=htmlspecialchars($wkportdesc);?>
|
|
743
|
</option>
|
|
744
|
<?php endforeach; ?>
|
|
745
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>"></td>
|
|
746
|
</tr>
|
|
747
|
<tr>
|
|
748
|
<td>to:</td>
|
|
749
|
<td><select name="dstendport" class="formfld" onchange="ext_change()">
|
|
750
|
<option value="">(other)</option>
|
|
751
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
|
752
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
|
753
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) {
|
|
754
|
echo "selected";
|
|
755
|
$bfound = 1;
|
|
756
|
}?>>
|
|
757
|
<?=htmlspecialchars($wkportdesc);?>
|
|
758
|
</option>
|
|
759
|
<?php endforeach; ?>
|
|
760
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>"></td>
|
|
761
|
</tr>
|
|
762
|
</table>
|
|
763
|
<br> <span class="vexpl">Specify the port or port range for
|
|
764
|
the destination of the packet for this rule.<br>
|
|
765
|
Hint: you can leave the <em>'to'</em> field empty if you only
|
|
766
|
want to filter a single port</span></td>
|
|
767
|
|
|
768
|
<tr>
|
|
769
|
<td width="22%" valign="top" class="vncellreq">Fragments</td>
|
|
770
|
<td width="78%" class="vtable">
|
|
771
|
<input name="frags" type="checkbox" id="frags" value="yes" <?php if ($pconfig['frags']) echo "checked"; ?>>
|
|
772
|
<strong>Allow fragmented packets</strong><br>
|
|
773
|
<span class="vexpl">Hint: this option puts additional load
|
|
774
|
on the firewall and may make it vulnerable to DoS attacks.
|
|
775
|
In most cases, it is not needed. Try enabling it if you have
|
|
776
|
troubles connecting to certain sites.</span></td>
|
|
777
|
</tr>
|
|
778
|
<tr>
|
|
779
|
<td width="22%" valign="top" class="vncellreq">Log</td>
|
|
780
|
<td width="78%" class="vtable">
|
|
781
|
<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
|
|
782
|
<strong>Log packets that are handled by this rule</strong><br>
|
|
783
|
<span class="vexpl">Hint: the firewall has limited local log
|
|
784
|
space. Don't turn on logging for everything. If you want to
|
|
785
|
do a lot of logging, consider using a remote syslog server
|
|
786
|
(see the <a href="diag_logs_settings.php">Diagnostics: System
|
|
787
|
logs: Settings</a> page).</span></td>
|
|
788
|
</tr>
|
|
789
|
<tr>
|
|
790
|
<td width="22%" valign="top" class="vncell">Description</td>
|
|
791
|
<td width="78%" class="vtable">
|
|
792
|
<input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
|
|
793
|
<br> <span class="vexpl">You may enter a description here
|
|
794
|
for your reference (not parsed).</span></td>
|
|
795
|
</tr>
|
|
796
|
|
|
797
|
|
|
798
|
<tr>
|
|
799
|
<td width="22%" valign="top" class="vncell">Advanced Options</td>
|
|
800
|
<td width="78%" class="vtable">
|
|
801
|
<input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br> Simultaneous client connection limit<p>
|
|
802
|
<input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br> Maximum state entries per host<p>
|
|
803
|
|
|
804
|
<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
|
|
805
|
</td>
|
|
806
|
</tr>
|
|
807
|
|
|
808
|
<tr>
|
|
809
|
<td width="22%" valign="top" class="vncell">State Type</td>
|
|
810
|
<td width="78%" class="vtable">
|
|
811
|
<select name="statetype">
|
|
812
|
<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
|
|
813
|
<option value="modulate state" <?php if($pconfig['statetype'] == "modulate state") echo "selected"; ?>>modulate state</option>
|
|
814
|
<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
|
|
815
|
<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
|
|
816
|
</select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
|
|
817
|
<p><strong>
|
|
818
|
<table>
|
|
819
|
<tr><td width="25%"><li>keep state</li></td><td>works with TCP, UDP, and ICMP.</td></tr>
|
|
820
|
<tr><td width="25%"><li>modulate state</li></td><td>works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) for packets matching this rule.</li></td></tr>
|
|
821
|
<tr><td width="25%"><li>synproxy state</li></td><td>proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</td></tr>
|
|
822
|
<tr><td width="25%"><li>none</li></td><td>do not use state mechanisms to keep track. this is only useful if your doing advanced queueing in certain situations. please check the faq.</td></tr>
|
|
823
|
</table>
|
|
824
|
</strong>
|
|
825
|
</td>
|
|
826
|
</tr>
|
|
827
|
|
|
828
|
<tr>
|
|
829
|
<td width="22%" valign="top" class="vncell">State Timeout</td>
|
|
830
|
<td width="78%" class="vtable">
|
|
831
|
<input name="statetimeout" value="<?php echo $pconfig['frags'] ?>">
|
|
832
|
<p><strong>Leave blank for default. Amount is in seconds.
|
|
833
|
</strong>
|
|
834
|
</td>
|
|
835
|
</tr>
|
|
836
|
|
|
837
|
<tr>
|
|
838
|
<td width="22%" valign="top"> </td>
|
|
839
|
<td width="78%">
|
|
840
|
<input name="Submit" type="submit" class="formbtn" value="Save">
|
|
841
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
|
842
|
<input name="id" type="hidden" value="<?=$id;?>">
|
|
843
|
<?php endif; ?>
|
|
844
|
<input name="after" type="hidden" value="<?=$after;?>">
|
|
845
|
</td>
|
|
846
|
</tr>
|
|
847
|
</table>
|
|
848
|
</form>
|
|
849
|
<script language="JavaScript">
|
|
850
|
<!--
|
|
851
|
ext_change();
|
|
852
|
typesel_change();
|
|
853
|
proto_change();
|
|
854
|
|
|
855
|
<?php
|
|
856
|
$isfirst = 0;
|
|
857
|
$aliases = "";
|
|
858
|
$addrisfirst = 0;
|
|
859
|
$aliasesaddr = "";
|
|
860
|
if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
|
|
861
|
foreach($config['aliases']['alias'] as $alias_name) {
|
|
862
|
if(!stristr($alias_name['address'], ".")) {
|
|
863
|
if($isfirst == 1) $aliases .= ",";
|
|
864
|
$aliases .= "'" . $alias_name['name'] . "'";
|
|
865
|
$isfirst = 1;
|
|
866
|
} else {
|
|
867
|
if($addrisfirst == 1) $aliasesaddr .= ",";
|
|
868
|
$aliasesaddr .= "'" . $alias_name['name'] . "'";
|
|
869
|
$addrisfirst = 1;
|
|
870
|
}
|
|
871
|
}
|
|
872
|
?>
|
|
873
|
|
|
874
|
var addressarray=new Array(<?php echo $aliasesaddr; ?>);
|
|
875
|
var customarray=new Array(<?php echo $aliases; ?>);
|
|
876
|
|
|
877
|
//-->
|
|
878
|
</script>
|
|
879
|
<script type="text/javascript" language="javascript" src="auto_complete_helper.js">
|
|
880
|
</script>
|
|
881
|
<?php include("fend.inc"); ?>
|
|
882
|
</body>
|
|
883
|
</html>
|