/usr/local/www/system_advanced_firewall.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/usr/local/www/system_advanced_firewall.php @ b5249aa3

1	df81417f	Matthew Grooms	<?php
2			/* $Id$ */
3			/*
4			system_advanced_firewall.php
5			part of pfSense
6	dd447bde	Jim Thompson	Copyright (C) 2005-2007 Scott Ullrich
7	29aef6c4	Jim Thompson	Copyright (C) 2008 Shrew Soft Inc
8	ce77a9c4	Phil Davis	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
9	df81417f	Matthew Grooms
10			originally part of m0n0wall (http://m0n0.ch/wall)
11			Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
12			All rights reserved.
13
14			Redistribution and use in source and binary forms, with or without
15			modification, are permitted provided that the following conditions are met:
16
17			1. Redistributions of source code must retain the above copyright notice,
18			this list of conditions and the following disclaimer.
19
20			2. Redistributions in binary form must reproduce the above copyright
21			notice, this list of conditions and the following disclaimer in the
22			documentation and/or other materials provided with the distribution.
23
24			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
25			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
26			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
28			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33			POSSIBILITY OF SUCH DAMAGE.
34			*/
35	1d333258	Scott Ullrich	/*
36			pfSense_MODULE: system
37			*/
38	df81417f	Matthew Grooms
39			##\|+PRIV
40			##\|*IDENT=page-system-advanced-firewall
41			##\|*NAME=System: Advanced: Firewall and NAT page
42			##\|*DESCR=Allow access to the 'System: Advanced: Firewall and NAT' page.
43	7997ed44	Renato Botelho	##\|MATCH=system_advanced_firewall.php
44	df81417f	Matthew Grooms	##\|-PRIV
45
46			require("guiconfig.inc");
47	7a927e67	Scott Ullrich	require_once("functions.inc");
48			require_once("filter.inc");
49			require_once("shaper.inc");
50	df81417f	Matthew Grooms
51			$pconfig['disablefilter'] = $config['system']['disablefilter'];
52			$pconfig['scrubnodf'] = $config['system']['scrubnodf'];
53	2867fa7b	Ermal Luçi	$pconfig['scrubrnid'] = $config['system']['scrubrnid'];
54	df81417f	Matthew Grooms	$pconfig['optimization'] = $config['filter']['optimization'];
55	11d1d64e	Ermal	$pconfig['adaptivestart'] = $config['system']['adaptivestart'];
56			$pconfig['adaptiveend'] = $config['system']['adaptiveend'];
57	df81417f	Matthew Grooms	$pconfig['maximumstates'] = $config['system']['maximumstates'];
58	ab3ab2ac	Renato Botelho	$pconfig['aliasesresolveinterval'] = $config['system']['aliasesresolveinterval'];
59			$old_aliasesresolveinterval = $config['system']['aliasesresolveinterval'];
60	6fab0f03	Renato Botelho	$pconfig['checkaliasesurlcert'] = isset($config['system']['checkaliasesurlcert']);
61	fb586a16	jim-p	$pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
62	f1beeba5	lgcosta	$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
63	9ae39b01	smos	$pconfig['disablenegate'] = isset($config['system']['disablenegate']);
64	6b4480dc	bcyrill	$pconfig['bogonsinterval'] = $config['system']['bogons']['interval'];
65	df81417f	Matthew Grooms	$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
66	40fa6dde	Erik Fonnesbeck	$pconfig['enablebinatreflection'] = $config['system']['enablebinatreflection'];
67	bff94015	Erik Fonnesbeck	$pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
68	df81417f	Matthew Grooms	$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
69			$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
70	1beafceb	Erik Fonnesbeck	$pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']);
71	9a36dc9d	Ermal	$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
72	46bb8a0b	Sjon Hortensius	$pconfig['tcpfirsttimeout'] = $config['system']['tcpfirsttimeout'];
73			$pconfig['tcpopeningtimeout'] = $config['system']['tcpopeningtimeout'];
74			$pconfig['tcpestablishedtimeout'] = $config['system']['tcpestablishedtimeout'];
75			$pconfig['tcpclosingtimeout'] = $config['system']['tcpclosingtimeout'];
76			$pconfig['tcpfinwaittimeout'] = $config['system']['tcpfinwaittimeout'];
77			$pconfig['tcpclosedtimeout'] = $config['system']['tcpclosedtimeout'];
78			$pconfig['udpfirsttimeout'] = $config['system']['udpfirsttimeout'];
79			$pconfig['udpsingletimeout'] = $config['system']['udpsingletimeout'];
80			$pconfig['udpmultipletimeout'] = $config['system']['udpmultipletimeout'];
81			$pconfig['icmpfirsttimeout'] = $config['system']['icmpfirsttimeout'];
82			$pconfig['icmperrortimeout'] = $config['system']['icmperrortimeout'];
83			$pconfig['otherfirsttimeout'] = $config['system']['otherfirsttimeout'];
84			$pconfig['othersingletimeout'] = $config['system']['othersingletimeout'];
85			$pconfig['othermultipletimeout'] = $config['system']['othermultipletimeout'];
86	df81417f	Matthew Grooms
87			if ($_POST) {
88
89			unset($input_errors);
90	6a605eec	Renato Botelho	$pconfig = $_POST;
91	df81417f	Matthew Grooms
92			/* input validation */
93	f6546b41	Sjon Hortensius	if ((empty($_POST['adaptive-start']) && !empty($_POST['adaptive-end'])) \|\| (!empty($_POST['adaptive-start']) && empty($_POST['adaptive-end'])))
94	11d1d64e	Ermal	$input_errors[] = gettext("The Firewall Adaptive values must be set together.");
95	f6546b41	Sjon Hortensius	if (!empty($_POST['adaptive-start']) && !is_numericint($_POST['adaptive-start'])) {
96	11d1d64e	Ermal	$input_errors[] = gettext("The Firewall Adaptive Start value must be an integer.");
97			}
98	f6546b41	Sjon Hortensius	if (!empty($_POST['adaptive-end']) && !is_numericint($_POST['adaptive-end'])) {
99	11d1d64e	Ermal	$input_errors[] = gettext("The Firewall Adaptive End value must be an integer.");
100			}
101	f6546b41	Sjon Hortensius	if ($_POST['firewall-maximum-states'] && !is_numericint($_POST['firewall-maximum-states'])) {
102	ca23c2f8	Renato Botelho	$input_errors[] = gettext("The Firewall Maximum States value must be an integer.");
103	df81417f	Matthew Grooms	}
104	f6546b41	Sjon Hortensius	if ($_POST['aliases-hostnames-resolve-interval'] && !is_numericint($_POST['aliases-hostnames-resolve-interval'])) {
105	ab3ab2ac	Renato Botelho	$input_errors[] = gettext("The Aliases Hostname Resolve Interval value must be an integer.");
106			}
107	f6546b41	Sjon Hortensius	if ($_POST['firewall-maximum-table-entries'] && !is_numericint($_POST['firewall-maximum-table-entries'])) {
108	fb586a16	jim-p	$input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
109			}
110	f6546b41	Sjon Hortensius	if ($_POST['reflection-timeout'] && !is_numericint($_POST['reflection-timeout'])) {
111	bff94015	Erik Fonnesbeck	$input_errors[] = gettext("The Reflection timeout must be an integer.");
112			}
113	46bb8a0b	Sjon Hortensius	if ($_POST['tcpfirsttimeout'] && !is_numericint($_POST['tcpfirsttimeout'])) {
114	24dadbee	Chris Buechler	$input_errors[] = gettext("The TCP first timeout value must be an integer.");
115			}
116	46bb8a0b	Sjon Hortensius	if ($_POST['tcpopeningtimeout'] && !is_numericint($_POST['tcpopeningtimeout'])) {
117			$input_errors[] = gettext("The TCP opening timeout value must be an integer.");
118	24dadbee	Chris Buechler	}
119	46bb8a0b	Sjon Hortensius	if ($_POST['tcpestablishedtimeout'] && !is_numericint($_POST['tcpestablishedtimeout'])) {
120			$input_errors[] = gettext("The TCP established timeout value must be an integer.");
121	24dadbee	Chris Buechler	}
122	46bb8a0b	Sjon Hortensius	if ($_POST['tcpclosingtimeout'] && !is_numericint($_POST['tcpclosingtimeout'])) {
123			$input_errors[] = gettext("The TCP closing timeout value must be an integer.");
124	24dadbee	Chris Buechler	}
125	46bb8a0b	Sjon Hortensius	if ($_POST['tcpfinwaittimeout'] && !is_numericint($_POST['tcpfinwaittimeout'])) {
126			$input_errors[] = gettext("The TCP FIN wait timeout value must be an integer.");
127	24dadbee	Chris Buechler	}
128	46bb8a0b	Sjon Hortensius	if ($_POST['tcpclosedtimeout'] && !is_numericint($_POST['tcpclosedtimeout'])) {
129			$input_errors[] = gettext("The TCP closed timeout value must be an integer.");
130	24dadbee	Chris Buechler	}
131	46bb8a0b	Sjon Hortensius	if ($_POST['udpfirsttimeout'] && !is_numericint($_POST['udpfirsttimeout'])) {
132			$input_errors[] = gettext("The UDP first timeout value must be an integer.");
133	24dadbee	Chris Buechler	}
134	46bb8a0b	Sjon Hortensius	if ($_POST['udpsingletimeout'] && !is_numericint($_POST['udpsingletimeout'])) {
135			$input_errors[] = gettext("The UDP single timeout value must be an integer.");
136	24dadbee	Chris Buechler	}
137	46bb8a0b	Sjon Hortensius	if ($_POST['udpmultipletimeout'] && !is_numericint($_POST['udpmultipletimeout'])) {
138			$input_errors[] = gettext("The UDP multiple timeout value must be an integer.");
139	24dadbee	Chris Buechler	}
140	46bb8a0b	Sjon Hortensius	if ($_POST['icmpfirsttimeout'] && !is_numericint($_POST['icmpfirsttimeout'])) {
141			$input_errors[] = gettext("The ICMP first timeout value must be an integer.");
142	24dadbee	Chris Buechler	}
143	46bb8a0b	Sjon Hortensius	if ($_POST['icmperrortimeout'] && !is_numericint($_POST['icmperrortimeout'])) {
144			$input_errors[] = gettext("The ICMP error timeout value must be an integer.");
145	24dadbee	Chris Buechler	}
146	46bb8a0b	Sjon Hortensius	if ($_POST['otherfirsttimeout'] && !is_numericint($_POST['otherfirsttimeout'])) {
147			$input_errors[] = gettext("The Other first timeout value must be an integer.");
148	24dadbee	Chris Buechler	}
149	46bb8a0b	Sjon Hortensius	if ($_POST['othersingletimeout'] && !is_numericint($_POST['othersingletimeout'])) {
150			$input_errors[] = gettext("The Other single timeout value must be an integer.");
151	24dadbee	Chris Buechler	}
152	46bb8a0b	Sjon Hortensius	if ($_POST['othermultipletimeout'] && !is_numericint($_POST['othermultipletimeout'])) {
153			$input_errors[] = gettext("The Other multiple timeout value must be an integer.");
154	24dadbee	Chris Buechler	}
155	df81417f	Matthew Grooms
156	db0aa52a	Renato Botelho	ob_flush();
157			flush();
158	df81417f	Matthew Grooms
159			if (!$input_errors) {
160
161	f6546b41	Sjon Hortensius	if($_POST['disable-firewall'] == "yes")
162	df81417f	Matthew Grooms	$config['system']['disablefilter'] = "enabled";
163			else
164			unset($config['system']['disablefilter']);
165
166	f6546b41	Sjon Hortensius	if($_POST['disable-auto-added-vpn-rules'] == "yes")
167	9a36dc9d	Ermal	$config['system']['disablevpnrules'] = true;
168			else
169			unset($config['system']['disablevpnrules']);
170	df81417f	Matthew Grooms
171	f6546b41	Sjon Hortensius	if($_POST['ip-do-not-fragment-compatibility'] == "yes")
172	df81417f	Matthew Grooms	$config['system']['scrubnodf'] = "enabled";
173			else
174			unset($config['system']['scrubnodf']);
175
176	f6546b41	Sjon Hortensius	if($_POST['ip-random-id-generation'] == "yes")
177	db0aa52a	Renato Botelho	$config['system']['scrubrnid'] = "enabled";
178			else
179			unset($config['system']['scrubrnid']);
180	2867fa7b	Ermal Luçi
181	f6546b41	Sjon Hortensius	if (!empty($_POST['adaptive-end']))
182			$config['system']['adaptiveend'] = $_POST['adaptive-end'];
183	db0aa52a	Renato Botelho	else
184			unset($config['system']['adaptiveend']);
185	f6546b41	Sjon Hortensius	if (!empty($_POST['adaptive-start']))
186			$config['system']['adaptivestart'] = $_POST['adaptive-start'];
187	db0aa52a	Renato Botelho	else
188	f6546b41	Sjon Hortensius	unset($config['system']['adaptive-start']);
189	11d1d64e	Ermal
190	f6546b41	Sjon Hortensius	if ($_POST['check-certificate-of-aliases-urls'] == "yes")
191	6fab0f03	Renato Botelho	$config['system']['checkaliasesurlcert'] = true;
192	08b861a8	Renato Botelho	else
193			unset($config['system']['checkaliasesurlcert']);
194
195	4b6f8c8d	Sjon Hortensius	$config['system']['optimization'] = $_POST['firewall-optimization-options'];
196	f6546b41	Sjon Hortensius	$config['system']['maximumstates'] = $_POST['firewall-maximum-states'];
197			$config['system']['aliasesresolveinterval'] = $_POST['aliases-hostnames-resolve-interval'];
198			$config['system']['maximumtableentries'] = $_POST['firewall-maximum-table-entries'];
199	df81417f	Matthew Grooms
200	24dadbee	Chris Buechler	if (!empty($_POST['tcpfirsttimeout'])) {
201	46bb8a0b	Sjon Hortensius	$config['system']['tcpfirsttimeout'] = $_POST['tcpfirsttimeout'];
202			} else {
203			unset($config['system']['tcpfirsttimeout']);
204			}
205			if (!empty($_POST['tcpopeningtimeout'])) {
206			$config['system']['tcpopeningtimeout'] = $_POST['tcpopeningtimeout'];
207			} else {
208			unset($config['system']['tcpopeningtimeout']);
209			}
210			if (!empty($_POST['tcpestablishedtimeout'])) {
211			$config['system']['tcpestablishedtimeout'] = $_POST['tcpestablishedtimeout'];
212			} else {
213			unset($config['system']['tcpestablishedtimeout']);
214			}
215			if (!empty($_POST['tcpclosingtimeout'])) {
216			$config['system']['tcpclosingtimeout'] = $_POST['tcpclosingtimeout'];
217			} else {
218			unset($config['system']['tcpclosingtimeout']);
219			}
220			if (!empty($_POST['tcpfinwaittimeout'])) {
221			$config['system']['tcpfinwaittimeout'] = $_POST['tcpfinwaittimeout'];
222			} else {
223			unset($config['system']['tcpfinwaittimeout']);
224			}
225			if (!empty($_POST['tcpclosedtimeout'])) {
226			$config['system']['tcpclosedtimeout'] = $_POST['tcpclosedtimeout'];
227			} else {
228			unset($config['system']['tcpclosedtimeout']);
229			}
230			if (!empty($_POST['udpfirsttimeout'])) {
231			$config['system']['udpfirsttimeout'] = $_POST['udpfirsttimeout'];
232			} else {
233			unset($config['system']['udpfirsttimeout']);
234			}
235			if (!empty($_POST['udpsingletimeout'])) {
236			$config['system']['udpsingletimeout'] = $_POST['udpsingletimeout'];
237			} else {
238			unset($config['system']['udpsingletimeout']);
239			}
240			if (!empty($_POST['udpmultipletimeout'])) {
241			$config['system']['udpmultipletimeout'] = $_POST['udpmultipletimeout'];
242			} else {
243			unset($config['system']['udpmultipletimeout']);
244			}
245			if (!empty($_POST['icmpfirsttimeout'])) {
246			$config['system']['icmpfirsttimeout'] = $_POST['icmpfirsttimeout'];
247			} else {
248			unset($config['system']['icmpfirsttimeout']);
249			}
250			if (!empty($_POST['icmperrortimeout'])) {
251			$config['system']['icmperrortimeout'] = $_POST['icmperrortimeout'];
252			} else {
253			unset($config['system']['icmperrortimeout']);
254			}
255			if (!empty($_POST['otherfirsttimeout'])) {
256			$config['system']['otherfirsttimeout'] = $_POST['otherfirsttimeout'];
257			} else {
258			unset($config['system']['otherfirsttimeout']);
259			}
260			if (!empty($_POST['othersingletimeout'])) {
261			$config['system']['othersingletimeout'] = $_POST['othersingletimeout'];
262			} else {
263			unset($config['system']['othersingletimeout']);
264			}
265			if (!empty($_POST['othermultipletimeout'])) {
266			$config['system']['othermultipletimeout'] = $_POST['othermultipletimeout'];
267			} else {
268			unset($config['system']['othermultipletimeout']);
269			}
270	24dadbee	Chris Buechler
271	40fa6dde	Erik Fonnesbeck	if($_POST['natreflection'] == "proxy") {
272			unset($config['system']['disablenatreflection']);
273			unset($config['system']['enablenatreflectionpurenat']);
274	f6546b41	Sjon Hortensius	} else if($_POST['nat-reflection-mode-for-port-forwards'] == "purenat") {
275	df81417f	Matthew Grooms	unset($config['system']['disablenatreflection']);
276	40fa6dde	Erik Fonnesbeck	$config['system']['enablenatreflectionpurenat'] = "yes";
277			} else {
278			$config['system']['disablenatreflection'] = "yes";
279			unset($config['system']['enablenatreflectionpurenat']);
280			}
281	9fc22c6f	Erik Fonnesbeck
282	f6546b41	Sjon Hortensius	if($_POST['enable-nat-reflection-for-1-1-nat'] == "yes")
283	9fc22c6f	Erik Fonnesbeck	$config['system']['enablebinatreflection'] = "yes";
284	40fa6dde	Erik Fonnesbeck	else
285			unset($config['system']['enablebinatreflection']);
286	df81417f	Matthew Grooms
287	f6546b41	Sjon Hortensius	if($_POST['disable-reply-to'] == "yes")
288			$config['system']['disablereplyto'] = $_POST['disable-reply-to'];
289	db0aa52a	Renato Botelho	else
290			unset($config['system']['disablereplyto']);
291	f1beeba5	lgcosta
292	f6546b41	Sjon Hortensius	if($_POST['disable-negate-rules'] == "yes")
293			$config['system']['disablenegate'] = $_POST['disable-negate-rules'];
294	db0aa52a	Renato Botelho	else
295			unset($config['system']['disablenegate']);
296	9ae39b01	smos
297	f6546b41	Sjon Hortensius	if($_POST['enable-automatic-outbound-nat-for-reflection'] == "yes")
298	a2b6c52f	Erik Fonnesbeck	$config['system']['enablenatreflectionhelper'] = "yes";
299			else
300			unset($config['system']['enablenatreflectionhelper']);
301
302	f6546b41	Sjon Hortensius	$config['system']['reflectiontimeout'] = $_POST['reflection-timeout'];
303	bff94015	Erik Fonnesbeck
304	f6546b41	Sjon Hortensius	if($_POST['static-route-filtering'] == "yes")
305			$config['filter']['bypassstaticroutes'] = $_POST['static-route-filtering'];
306	d2903c0c	jim-p	elseif(isset($config['filter']['bypassstaticroutes']))
307	668c4990	Seth Mos	unset($config['filter']['bypassstaticroutes']);
308	df81417f	Matthew Grooms
309	f6546b41	Sjon Hortensius	if($_POST['disable-firewall-scrub'] == "yes")
310			$config['system']['disablescrub'] = $_POST['disable-firewall-scrub'];
311	df81417f	Matthew Grooms	else
312			unset($config['system']['disablescrub']);
313
314	4b6f8c8d	Sjon Hortensius	if ($_POST['tftp-proxy'])
315			$config['system']['tftpinterface'] = implode(",", $_POST['tftp-proxy']);
316	cfdce2ad	Ermal	else
317			unset($config['system']['tftpinterface']);
318	db0aa52a	Renato Botelho
319	f6546b41	Sjon Hortensius	if ($_POST['update-frequency'] != $config['system']['bogons']['interval']) {
320			switch ($_POST['update-frequency']) {
321	6b4480dc	bcyrill	case 'daily':
322			install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "", "", "*");
323			break;
324			case 'weekly':
325	610f3ff6	Chris Buechler	install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "", "", "0");
326	6b4480dc	bcyrill	break;
327			case 'monthly':
328			// fall through
329			default:
330			install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "1", "", "");
331			}
332	f6546b41	Sjon Hortensius	$config['system']['bogons']['interval'] = $_POST['update-frequency'];
333	6b4480dc	bcyrill	}
334	db0aa52a	Renato Botelho
335	df81417f	Matthew Grooms	write_config();
336
337	ab3ab2ac	Renato Botelho	// Kill filterdns when value changes, filter_configure() will restart it
338			if (($old_aliasesresolveinterval != $config['system']['aliasesresolveinterval']) &&
339	f6546b41	Sjon Hortensius	isvalidpid("{$g['varrun_path']}/filterdns.pid"))
340	ab3ab2ac	Renato Botelho	killbypid("{$g['varrun_path']}/filterdns.pid");
341
342	df81417f	Matthew Grooms	$retval = 0;
343			$retval = filter_configure();
344			if(stristr($retval, "error") <> true)
345	db0aa52a	Renato Botelho	$savemsg = get_std_save_message($retval);
346	df81417f	Matthew Grooms	else
347	db0aa52a	Renato Botelho	$savemsg = $retval;
348	df81417f	Matthew Grooms	}
349			}
350
351	ca23c2f8	Renato Botelho	$pgtitle = array(gettext("System"),gettext("Advanced: Firewall and NAT"));
352	df81417f	Matthew Grooms	include("head.inc");
353
354	f6546b41	Sjon Hortensius	if ($input_errors)
355			print_input_errors($input_errors);
356			if ($savemsg)
357			print_info_box($savemsg);
358
359			$tab_array = array();
360			$tab_array[] = array(gettext("Admin Access"), false, "system_advanced_admin.php");
361			$tab_array[] = array(gettext("Firewall / NAT"), true, "system_advanced_firewall.php");
362			$tab_array[] = array(gettext("Networking"), false, "system_advanced_network.php");
363			$tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php");
364			$tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php");
365			$tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php");
366			display_top_tabs($tab_array);
367
368			?><div id="container"><?php
369
370			require('classes/Form.class.php');
371			$form = new Form;
372			$section = new Form_Section('Firewall Advanced');
373
374			$section->addInput(new Form_Checkbox(
375	f537d085	Sjon Hortensius	'ip-do-not-fragment-compatibility',
376	f6546b41	Sjon Hortensius	'IP Do-Not-Fragment compatibility',
377			'Clear invalid DF bits instead of dropping the packets',
378			isset($config['system']['scrubnodf'])
379			))->setHelp('This allows for communications with hosts that generate fragmented '.
380			'packets with the don"t fragment (DF) bit set. Linux NFS is known to do this. '.
381			'This will cause the filter to not drop such packets but instead clear the don"t '.
382			'fragment bit.');
383
384			$section->addInput(new Form_Checkbox(
385	f537d085	Sjon Hortensius	'ip-random-id-generation',
386	f6546b41	Sjon Hortensius	'IP Random id generation',
387			'Insert a stronger id into IP header of packets passing through the filter.',
388			isset($config['system']['scrubrnid'])
389			))->setHelp('Replaces the IP identification field of packets with random values to '.
390			'compensate for operating systems that use predictable values. This option only '.
391			'applies to packets that are not fragmented after the optional packet '.
392			'reassembly.');
393
394			$section->addInput($input = new Form_Select(
395	f537d085	Sjon Hortensius	'firewall-optimization-options',
396	f6546b41	Sjon Hortensius	'Firewall Optimization Options',
397			$config['system']['optimization'],
398			array(
399			'normal' => 'normal: the default optimization algorithm',
400			'high-latency' => 'high-latency: used for eg. satellite links. Expires idle connections later than default',
401			'aggressive' => 'aggressive: expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections',
402			'conservative' => 'conservative: tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization.',
403			)
404			))->setHelp('Select the type of state table optimization to use');
405
406			$section->addInput(new Form_Checkbox(
407	f537d085	Sjon Hortensius	'disable-firewall',
408	f6546b41	Sjon Hortensius	'Disable Firewall',
409			'Disable all packet filtering.',
410			isset($config['system']['disablefilter'])
411			))->setHelp('Note: This converts %s into a routing only platform!<br/>'.
412			'Note: This will also turn off NAT! If you only want to disable NAT, '.
413			'and not firewall rules, visit the <a href="firewall_nat_out.php">Outbound '.
414			'NAT</a>page.', [$g["product_name"]]);
415
416			$section->addInput(new Form_Checkbox(
417	f537d085	Sjon Hortensius	'disable-firewall-scrub',
418	f6546b41	Sjon Hortensius	'Disable Firewall Scrub',
419			'Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.',
420			isset($config['system']['disablescrub'])
421			));
422
423			$group = new Form_Group('Firewall Adaptive Timeouts');
424
425			$group->add(new Form_Input(
426	f537d085	Sjon Hortensius	'adaptive-start',
427	f6546b41	Sjon Hortensius	'Adaptive start',
428			'number',
429			$pconfig['adaptivestart'],
430			['min' => 1]
431			))->setHelp('When the number of state entries exceeds this value, adaptive '.
432			'scaling begins. All timeout values are scaled linearly with factor '.
433			'(adaptive.end - number of states) / (adaptive.end - adaptive.start).');
434
435			$group->add(new Form_Input(
436	f537d085	Sjon Hortensius	'adaptive-end',
437	f6546b41	Sjon Hortensius	'Adaptive end',
438			'number',
439			$pconfig['adaptiveend'],
440			['min' => 1]
441			))->setHelp('When reaching this number of state entries, all timeout values '.
442			'become zero, effectively purging all state entries immediately. This '.
443			'value is used to define the scale factor, it should not actually be '.
444			'reached (set a lower state limit, see below).');
445
446			$group->setHelp('Timeouts for states can be scaled adaptively as the number of '.
447			'state table entries grows. Leave blank for the default (0)');
448
449			$section->add($group);
450
451			$section->addInput(new Form_Input(
452	f537d085	Sjon Hortensius	'firewall-maximum-states',
453	f6546b41	Sjon Hortensius	'Firewall Maximum States',
454			'number',
455			$pconfig['maximumstates'],
456			['min' => 1, 'placeholder' => pfsense_default_state_size()]
457			))->setHelp('Maximum number of connections to hold in the firewall state table.. '.
458			'<br/>Note: Leave this blank for the default. On your system the default '.
459			'size is: %d', [pfsense_default_state_size()]);
460
461			$section->addInput(new Form_Input(
462	f537d085	Sjon Hortensius	'firewall-maximum-table-entries',
463	f6546b41	Sjon Hortensius	'Firewall Maximum Table Entries',
464			'text',
465			$pconfig['maximumtableentries'],
466			['placeholder' => pfsense_default_table_entries_size()]
467			))->setHelp('Maximum number of table entries for systems such as aliases, '.
468			'sshlockout, snort, etc, combined..<br/>Note: Leave this blank for the '.
469			'default. On your system the default size is: %d',
470			[pfsense_default_table_entries_size()]);
471
472			$section->addInput(new Form_Checkbox(
473	f537d085	Sjon Hortensius	'static-route-filtering',
474	f6546b41	Sjon Hortensius	'Static route filtering',
475			'Bypass firewall rules for traffic on the same interface',
476			$pconfig['bypassstaticroutes']
477			))->setHelp('This option only applies if you have defined one or more static '.
478			'routes. If it is enabled, traffic that enters and leaves through the same '.
479			'interface will not be checked by the firewall. This may be desirable in some '.
480			'situations where multiple subnets are connected to the same interface.');
481
482			$section->addInput(new Form_Checkbox(
483	f537d085	Sjon Hortensius	'disable-auto-added-vpn-rules',
484	f6546b41	Sjon Hortensius	'Disable Auto-added VPN rules',
485			'Disable all auto-added VPN rules.',
486			isset($config['system']['disablevpnrules'])
487			))->setHelp('<span>Note: This disables automatically added rules for IPsec, '.
488			'PPTP.</span>');
489
490			$section->addInput(new Form_Checkbox(
491	f537d085	Sjon Hortensius	'disable-reply-to',
492	f6546b41	Sjon Hortensius	'Disable reply-to',
493			'Disable reply-to on WAN rules',
494			$pconfig['disablereplyto']
495			))->setHelp('With Multi-WAN you generally want to ensure traffic leaves the same '.
496			'interface it arrives on, hence reply-to is added automatically by default. When '.
497			'using bridging, you must disable this behavior if the WAN gateway IP is '.
498			'different from the gateway IP of the hosts behind the bridged interface.');
499
500			$section->addInput(new Form_Checkbox(
501	f537d085	Sjon Hortensius	'disable-negate-rules',
502	f6546b41	Sjon Hortensius	'Disable Negate rules',
503			'Disable Negate rule on policy routing rules',
504			$pconfig['disablenegate']
505			))->setHelp('With Multi-WAN you generally want to ensure traffic reaches directly '.
506			'connected networks and VPN networks when using policy routing. You can disable '.
507			'this for special purposes but it requires manually creating rules for these '.
508			'networks');
509
510			$section->addInput(new Form_Input(
511	f537d085	Sjon Hortensius	'aliases-hostnames-resolve-interval',
512	f6546b41	Sjon Hortensius	'Aliases Hostnames Resolve Interval',
513			'text',
514			$pconfig['aliasesresolveinterval'],
515			['placeholder' => '300']
516			))->setHelp('Interval, in seconds, that will be used to resolve hostnames '.
517			'configured on aliases.. <br/>Note: Leave this blank for the default '.
518			'(300s).');
519
520			$section->addInput(new Form_Checkbox(
521	f537d085	Sjon Hortensius	'check-certificate-of-aliases-urls',
522	f6546b41	Sjon Hortensius	'Check certificate of aliases URLs',
523			'Verify HTTPS certificates when downloading alias URLs',
524			$pconfig['checkaliasesurlcert']
525			))->setHelp('Make sure the certificate is valid for all HTTPS addresses on '.
526			'aliases. If it\'s not valid or is revoked, do not download it.');
527
528			$form->add($section);
529			$section = new Form_Section('Bogon Networks');
530
531			$section->addInput(new Form_Select(
532	f537d085	Sjon Hortensius	'update-frequency',
533	f6546b41	Sjon Hortensius	'Update Frequency',
534			empty($pconfig['bogonsinterval']) ? 'monthly' : $pconfig['bogonsinterval'],
535			array(
536			'monthly' => 'Monthly',
537			'weekly' => 'Weekly',
538			'daily' => 'Daily',
539			)
540			))->setHelp('The frequency of updating the lists of IP addresses that are '.
541			'reserved (but not RFC 1918) or not yet assigned by IANA.');
542
543			$form->add($section);
544
545			if (count($config['interfaces']) > 1)
546			{
547			$section = new Form_Section('Network Address Translation');
548
549			if (isset($config['system']['disablenatreflection']))
550			$value = 'disable';
551			elseif (!isset($config['system']['enablenatreflectionpurenat']))
552			$value = 'proxy';
553			else
554			$value = 'purenat';
555
556			$section->addInput(new Form_Select(
557	f537d085	Sjon Hortensius	'nat-reflection-mode-for-port-forwards',
558	f6546b41	Sjon Hortensius	'NAT Reflection mode for port forwards',
559			$value,
560			array(
561			'disable' => 'disabled',
562			'proxy' => 'NAT + proxy',
563			'purenat' => 'Pure NAT',
564			)
565			))->setHelp('<ul><li>The pure NAT mode uses a set of NAT rules to direct '.
566			'packets to the target of the port forward. It has better scalability, '.
567			'but it must be possible to accurately determine the interface and '.
568			'gateway IP used for communication with the target at the time the '.
569			'rules are loaded. There are no inherent limits to the number of ports '.
570			'other than the limits of the protocols. All protocols available for '.
571			'port forwards are supported.</li><li>The NAT + proxy mode uses a '.
572			'helper program to send packets to the target of the port forward. '.
573			'It is useful in setups where the interface and/or gateway IP used '.
574			'for communication with the target cannot be accurately determined at '.
575			'the time the rules are loaded. Reflection rules are not created for '.
576			'ranges larger than 500 ports and will not be used for more than 1000 '.
577			'ports total between all port forwards. Only TCP and UDP protocols are '.
578			'supported.</li></ul>Individual rules may be configured to override '.
579			'this system setting on a per-rule basis.');
580
581			$section->addInput(new Form_Input(
582	f537d085	Sjon Hortensius	'reflection-timeout',
583	f6546b41	Sjon Hortensius	'Reflection Timeout',
584			'number',
585			$config['system']['reflectiontimeout'],
586			['min' => 1]
587			))->setHelp('Enter value for Reflection timeout in seconds.<br/>Note: Only '.
588			'applies to Reflection on port forwards in NAT + proxy mode.');
589
590			$section->addInput(new Form_Checkbox(
591	f537d085	Sjon Hortensius	'enable-nat-reflection-for-1-1-nat',
592	f6546b41	Sjon Hortensius	'Enable NAT Reflection for 1:1 NAT',
593			'Automatic creation of additional NAT redirect rules from within your internal networks.',
594			isset($config['system']['enablebinatreflection'])
595			))->setHelp('Note: Reflection on 1:1 mappings is only for the inbound component of '.
596			'the 1:1 mappings. This functions the same as the pure NAT mode for port '.
597			'forwards. For more details, refer to the pure NAT mode description '.
598			'above. Individual rules may be configured to override this system setting on a '.
599			'per-rule basis.');
600
601			$section->addInput(new Form_Checkbox(
602	f537d085	Sjon Hortensius	'enable-automatic-outbound-nat-for-reflection',
603	f6546b41	Sjon Hortensius	'Enable automatic outbound NAT for Reflection',
604			'Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from.',
605			isset($config['system']['enablenatreflectionhelper'])
606			))->setHelp('Required for full functionality of the pure NAT mode of NAT '.
607			'Reflection for port forwards or NAT Reflection for 1:1 NAT.Note: This only works '.
608			'for assigned interfaces. Other interfaces require manually creating the '.
609			'outbound NAT rules that direct the reply packets back through the router.');
610
611			$section->addInput(new Form_Select(
612	f537d085	Sjon Hortensius	'tftp-proxy',
613	f6546b41	Sjon Hortensius	'TFTP Proxy',
614			$pconfig['tftpinterface'],
615			get_configured_interface_with_descr(),
616			true
617			))->setHelp('Choose the interfaces where you want TFTP proxy helper to be enabled.');
618
619			$form->add($section);
620	df81417f	Matthew Grooms	}
621
622	46bb8a0b	Sjon Hortensius	$section = new Form_Section('State Timeouts');
623
624			$group = new Form_Group('TCP Timeouts');
625			$tcpTimeouts = array('First', 'Opening', 'Established', 'Closing', 'FIN', 'closed');
626			foreach ($tcpTimeouts as $name)
627			{
628			$group->add(new Form_Input(
629			'tcp'. strtolower($name) .'timeout',
630			'TCP '. $name,
631			'number',
632			$config['system']['tcp'. strtolower($name) .'timeout']
633			))->setHelp('Enter value for TCP '. $name .' timeout in seconds. Leave blank for '.
634			'default (recommended).');
635			}
636	df81417f	Matthew Grooms
637	46bb8a0b	Sjon Hortensius	$section->add($group);
638
639			$group = new Form_Group('UDP Timeouts');
640			$udpTimeouts = array('First', 'Single', 'Multiple');
641			foreach ($udpTimeouts as $name)
642			{
643			$group->add(new Form_Input(
644			'udp'. strtolower($name) .'timeout',
645			'UDP '. $name,
646			'number',
647			$config['system']['udo'. strtolower($name) .'timeout']
648			))->setHelp('Enter value for UDP '. $name .' timeout in seconds. Leave blank for '.
649			'default (recommended).');
650			}
651	df81417f	Matthew Grooms
652	46bb8a0b	Sjon Hortensius	$section->add($group);
653
654			$group = new Form_Group('ICMP Timeouts');
655			$udpTimeouts = array('First', 'Error');
656			foreach ($udpTimeouts as $name)
657			{
658			$group->add(new Form_Input(
659			'icmp'. strtolower($name) .'timeout',
660			'UDP '. $name,
661			'number',
662			$config['system']['icmp'. strtolower($name) .'timeout']
663			))->setHelp('Enter value for ICMP '. $name .' timeout in seconds. Leave blank for '.
664			'default (recommended).');
665			}
666	df81417f	Matthew Grooms
667	46bb8a0b	Sjon Hortensius	$section->add($group);
668
669			$group = new Form_Group('Other Timeouts');
670			foreach ($udpTimeouts as $name)
671			{
672			$group->add(new Form_Input(
673			'other'. strtolower($name) .'timeout',
674			'Other '. $name,
675			'number',
676			$config['system']['other'. strtolower($name) .'timeout']
677			))->setHelp('Enter value for ICMP '. $name .' timeout in seconds. Leave blank for '.
678			'default (recommended).');
679	df81417f	Matthew Grooms	}
680
681	46bb8a0b	Sjon Hortensius	$section->add($group);
682	df81417f	Matthew Grooms
683	f6546b41	Sjon Hortensius	print $form;
684			include("foot.inc");

Project

General

Profile

pfSense