| 1 |
5b237745
|
Scott Ullrich
|
#!/usr/local/bin/php
|
| 2 |
5ba18897
|
Scott Ullrich
|
<?php
|
| 3 |
b46bfcf5
|
Bill Marquette
|
/* $Id$ */
|
| 4 |
5b237745
|
Scott Ullrich
|
/*
|
| 5 |
bdb7d6e7
|
Scott Ullrich
|
firewall_rules_edit.php
|
| 6 |
|
|
part of m0n0wall (http://m0n0.ch/wall)
|
| 7 |
5ba18897
|
Scott Ullrich
|
|
| 8 |
bdb7d6e7
|
Scott Ullrich
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
| 9 |
|
|
All rights reserved.
|
| 10 |
5ba18897
|
Scott Ullrich
|
|
| 11 |
bdb7d6e7
|
Scott Ullrich
|
Redistribution and use in source and binary forms, with or without
|
| 12 |
|
|
modification, are permitted provided that the following conditions are met:
|
| 13 |
5ba18897
|
Scott Ullrich
|
|
| 14 |
bdb7d6e7
|
Scott Ullrich
|
1. Redistributions of source code must retain the above copyright notice,
|
| 15 |
|
|
this list of conditions and the following disclaimer.
|
| 16 |
5ba18897
|
Scott Ullrich
|
|
| 17 |
bdb7d6e7
|
Scott Ullrich
|
2. Redistributions in binary form must reproduce the above copyright
|
| 18 |
|
|
notice, this list of conditions and the following disclaimer in the
|
| 19 |
|
|
documentation and/or other materials provided with the distribution.
|
| 20 |
5ba18897
|
Scott Ullrich
|
|
| 21 |
bdb7d6e7
|
Scott Ullrich
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| 22 |
|
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
| 23 |
|
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
| 24 |
|
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
| 25 |
|
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
| 26 |
|
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
| 27 |
|
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
| 28 |
|
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
| 29 |
|
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
| 30 |
|
|
POSSIBILITY OF SUCH DAMAGE.
|
| 31 |
5b237745
|
Scott Ullrich
|
*/
|
| 32 |
|
|
|
| 33 |
|
|
require("guiconfig.inc");
|
| 34 |
|
|
|
| 35 |
|
|
$specialsrcdst = explode(" ", "any lan pptp");
|
| 36 |
|
|
|
| 37 |
|
|
if (!is_array($config['filter']['rule'])) {
|
| 38 |
|
|
$config['filter']['rule'] = array();
|
| 39 |
|
|
}
|
| 40 |
|
|
filter_rules_sort();
|
| 41 |
|
|
$a_filter = &$config['filter']['rule'];
|
| 42 |
|
|
|
| 43 |
|
|
$id = $_GET['id'];
|
| 44 |
|
|
if (is_numeric($_POST['id']))
|
| 45 |
|
|
$id = $_POST['id'];
|
| 46 |
5ba18897
|
Scott Ullrich
|
|
| 47 |
5b237745
|
Scott Ullrich
|
$after = $_GET['after'];
|
| 48 |
|
|
|
| 49 |
|
|
if (isset($_POST['after']))
|
| 50 |
|
|
$after = $_POST['after'];
|
| 51 |
|
|
|
| 52 |
|
|
if (isset($_GET['dup'])) {
|
| 53 |
|
|
$id = $_GET['dup'];
|
| 54 |
|
|
$after = $_GET['dup'];
|
| 55 |
|
|
}
|
| 56 |
|
|
|
| 57 |
|
|
function is_specialnet($net) {
|
| 58 |
|
|
global $specialsrcdst;
|
| 59 |
5ba18897
|
Scott Ullrich
|
|
| 60 |
5b237745
|
Scott Ullrich
|
if (in_array($net, $specialsrcdst) || strstr($net, "opt"))
|
| 61 |
|
|
return true;
|
| 62 |
|
|
else
|
| 63 |
|
|
return false;
|
| 64 |
|
|
}
|
| 65 |
|
|
|
| 66 |
|
|
function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) {
|
| 67 |
5ba18897
|
Scott Ullrich
|
|
| 68 |
5b237745
|
Scott Ullrich
|
if (isset($adr['any']))
|
| 69 |
|
|
$padr = "any";
|
| 70 |
|
|
else if ($adr['network'])
|
| 71 |
|
|
$padr = $adr['network'];
|
| 72 |
|
|
else if ($adr['address']) {
|
| 73 |
|
|
list($padr, $pmask) = explode("/", $adr['address']);
|
| 74 |
|
|
if (!$pmask)
|
| 75 |
|
|
$pmask = 32;
|
| 76 |
|
|
}
|
| 77 |
5ba18897
|
Scott Ullrich
|
|
| 78 |
5b237745
|
Scott Ullrich
|
if (isset($adr['not']))
|
| 79 |
|
|
$pnot = 1;
|
| 80 |
|
|
else
|
| 81 |
|
|
$pnot = 0;
|
| 82 |
5ba18897
|
Scott Ullrich
|
|
| 83 |
5b237745
|
Scott Ullrich
|
if ($adr['port']) {
|
| 84 |
|
|
list($pbeginport, $pendport) = explode("-", $adr['port']);
|
| 85 |
|
|
if (!$pendport)
|
| 86 |
|
|
$pendport = $pbeginport;
|
| 87 |
|
|
} else {
|
| 88 |
19757279
|
Scott Ullrich
|
if(alias_expand($pbeginport) <> "" || alias_expand($pendport) <> "") {
|
| 89 |
|
|
/* Item is a port alias */
|
| 90 |
|
|
} else {
|
| 91 |
|
|
$pbeginport = "any";
|
| 92 |
|
|
$pendport = "any";
|
| 93 |
|
|
}
|
| 94 |
5b237745
|
Scott Ullrich
|
}
|
| 95 |
|
|
}
|
| 96 |
|
|
|
| 97 |
|
|
function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) {
|
| 98 |
5ba18897
|
Scott Ullrich
|
|
| 99 |
5b237745
|
Scott Ullrich
|
$adr = array();
|
| 100 |
5ba18897
|
Scott Ullrich
|
|
| 101 |
5b237745
|
Scott Ullrich
|
if ($padr == "any")
|
| 102 |
|
|
$adr['any'] = true;
|
| 103 |
|
|
else if (is_specialnet($padr))
|
| 104 |
|
|
$adr['network'] = $padr;
|
| 105 |
|
|
else {
|
| 106 |
|
|
$adr['address'] = $padr;
|
| 107 |
|
|
if ($pmask != 32)
|
| 108 |
|
|
$adr['address'] .= "/" . $pmask;
|
| 109 |
|
|
}
|
| 110 |
5ba18897
|
Scott Ullrich
|
|
| 111 |
5b237745
|
Scott Ullrich
|
$adr['not'] = $pnot ? true : false;
|
| 112 |
5ba18897
|
Scott Ullrich
|
|
| 113 |
5b237745
|
Scott Ullrich
|
if (($pbeginport != 0) && ($pbeginport != "any")) {
|
| 114 |
|
|
if ($pbeginport != $pendport)
|
| 115 |
|
|
$adr['port'] = $pbeginport . "-" . $pendport;
|
| 116 |
|
|
else
|
| 117 |
|
|
$adr['port'] = $pbeginport;
|
| 118 |
|
|
}
|
| 119 |
19757279
|
Scott Ullrich
|
|
| 120 |
|
|
if(alias_expand($pbeginport)) {
|
| 121 |
|
|
$adr['port'] = $pbeginport;
|
| 122 |
|
|
}
|
| 123 |
5b237745
|
Scott Ullrich
|
}
|
| 124 |
|
|
|
| 125 |
|
|
if (isset($id) && $a_filter[$id]) {
|
| 126 |
|
|
$pconfig['interface'] = $a_filter[$id]['interface'];
|
| 127 |
5ba18897
|
Scott Ullrich
|
|
| 128 |
5b237745
|
Scott Ullrich
|
if (!isset($a_filter[$id]['type']))
|
| 129 |
|
|
$pconfig['type'] = "pass";
|
| 130 |
|
|
else
|
| 131 |
|
|
$pconfig['type'] = $a_filter[$id]['type'];
|
| 132 |
5ba18897
|
Scott Ullrich
|
|
| 133 |
5b237745
|
Scott Ullrich
|
if (isset($a_filter[$id]['protocol']))
|
| 134 |
|
|
$pconfig['proto'] = $a_filter[$id]['protocol'];
|
| 135 |
|
|
else
|
| 136 |
|
|
$pconfig['proto'] = "any";
|
| 137 |
5ba18897
|
Scott Ullrich
|
|
| 138 |
5b237745
|
Scott Ullrich
|
if ($a_filter[$id]['protocol'] == "icmp")
|
| 139 |
|
|
$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
|
| 140 |
5ba18897
|
Scott Ullrich
|
|
| 141 |
5b237745
|
Scott Ullrich
|
address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
|
| 142 |
|
|
$pconfig['srcmask'], $pconfig['srcnot'],
|
| 143 |
|
|
$pconfig['srcbeginport'], $pconfig['srcendport']);
|
| 144 |
5ba18897
|
Scott Ullrich
|
|
| 145 |
8be60f21
|
Scott Ullrich
|
if($a_filter[$id]['os'] <> "")
|
| 146 |
|
|
$pconfig['os'] = $a_filter[$id]['os'];
|
| 147 |
e33c8694
|
Bill Marquette
|
|
| 148 |
5b237745
|
Scott Ullrich
|
address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
|
| 149 |
|
|
$pconfig['dstmask'], $pconfig['dstnot'],
|
| 150 |
|
|
$pconfig['dstbeginport'], $pconfig['dstendport']);
|
| 151 |
|
|
|
| 152 |
f38dea08
|
Scott Ullrich
|
$pconfig['returngateway'] = $a_filter[$id]['returngateway'];
|
| 153 |
092ac49d
|
Scott Ullrich
|
$pconfig['returninterface'] = $a_filter[$id]['returninterface'];
|
| 154 |
|
|
|
| 155 |
5b237745
|
Scott Ullrich
|
$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
|
| 156 |
|
|
$pconfig['log'] = isset($a_filter[$id]['log']);
|
| 157 |
|
|
$pconfig['descr'] = $a_filter[$id]['descr'];
|
| 158 |
ed08ef3e
|
Scott Ullrich
|
|
| 159 |
|
|
/* advanced */
|
| 160 |
fa9af164
|
Scott Ullrich
|
$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
|
| 161 |
|
|
$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
|
| 162 |
|
|
$pconfig['statetype'] = $a_filter[$id]['statetype'];
|
| 163 |
5ba18897
|
Scott Ullrich
|
$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
|
| 164 |
ed08ef3e
|
Scott Ullrich
|
|
| 165 |
|
|
/* advanced - new connection per second banning*/
|
| 166 |
|
|
$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
|
| 167 |
|
|
$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];
|
| 168 |
5ba18897
|
Scott Ullrich
|
|
| 169 |
5b237745
|
Scott Ullrich
|
} else {
|
| 170 |
|
|
/* defaults */
|
| 171 |
a23d7248
|
Scott Ullrich
|
if ($_GET['if'])
|
| 172 |
|
|
$pconfig['interface'] = $_GET['if'];
|
| 173 |
5b237745
|
Scott Ullrich
|
$pconfig['type'] = "pass";
|
| 174 |
|
|
$pconfig['src'] = "any";
|
| 175 |
|
|
$pconfig['dst'] = "any";
|
| 176 |
|
|
}
|
| 177 |
|
|
|
| 178 |
|
|
if (isset($_GET['dup']))
|
| 179 |
|
|
unset($id);
|
| 180 |
|
|
|
| 181 |
|
|
if ($_POST) {
|
| 182 |
|
|
|
| 183 |
|
|
if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
|
| 184 |
|
|
$_POST['srcbeginport'] = 0;
|
| 185 |
|
|
$_POST['srcendport'] = 0;
|
| 186 |
|
|
$_POST['dstbeginport'] = 0;
|
| 187 |
|
|
$_POST['dstendport'] = 0;
|
| 188 |
|
|
} else {
|
| 189 |
5ba18897
|
Scott Ullrich
|
|
| 190 |
5b237745
|
Scott Ullrich
|
if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
|
| 191 |
|
|
$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
|
| 192 |
|
|
if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
|
| 193 |
|
|
$_POST['srcendport'] = $_POST['srcendport_cust'];
|
| 194 |
5ba18897
|
Scott Ullrich
|
|
| 195 |
5b237745
|
Scott Ullrich
|
if ($_POST['srcbeginport'] == "any") {
|
| 196 |
|
|
$_POST['srcbeginport'] = 0;
|
| 197 |
|
|
$_POST['srcendport'] = 0;
|
| 198 |
5ba18897
|
Scott Ullrich
|
} else {
|
| 199 |
5b237745
|
Scott Ullrich
|
if (!$_POST['srcendport'])
|
| 200 |
|
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
| 201 |
|
|
}
|
| 202 |
|
|
if ($_POST['srcendport'] == "any")
|
| 203 |
|
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
| 204 |
5ba18897
|
Scott Ullrich
|
|
| 205 |
5b237745
|
Scott Ullrich
|
if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
|
| 206 |
|
|
$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
|
| 207 |
|
|
if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
|
| 208 |
|
|
$_POST['dstendport'] = $_POST['dstendport_cust'];
|
| 209 |
5ba18897
|
Scott Ullrich
|
|
| 210 |
5b237745
|
Scott Ullrich
|
if ($_POST['dstbeginport'] == "any") {
|
| 211 |
|
|
$_POST['dstbeginport'] = 0;
|
| 212 |
|
|
$_POST['dstendport'] = 0;
|
| 213 |
5ba18897
|
Scott Ullrich
|
} else {
|
| 214 |
5b237745
|
Scott Ullrich
|
if (!$_POST['dstendport'])
|
| 215 |
|
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
| 216 |
|
|
}
|
| 217 |
|
|
if ($_POST['dstendport'] == "any")
|
| 218 |
5ba18897
|
Scott Ullrich
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
| 219 |
5b237745
|
Scott Ullrich
|
}
|
| 220 |
5ba18897
|
Scott Ullrich
|
|
| 221 |
5b237745
|
Scott Ullrich
|
if (is_specialnet($_POST['srctype'])) {
|
| 222 |
|
|
$_POST['src'] = $_POST['srctype'];
|
| 223 |
|
|
$_POST['srcmask'] = 0;
|
| 224 |
|
|
} else if ($_POST['srctype'] == "single") {
|
| 225 |
|
|
$_POST['srcmask'] = 32;
|
| 226 |
|
|
}
|
| 227 |
|
|
if (is_specialnet($_POST['dsttype'])) {
|
| 228 |
|
|
$_POST['dst'] = $_POST['dsttype'];
|
| 229 |
|
|
$_POST['dstmask'] = 0;
|
| 230 |
|
|
} else if ($_POST['dsttype'] == "single") {
|
| 231 |
|
|
$_POST['dstmask'] = 32;
|
| 232 |
|
|
}
|
| 233 |
5ba18897
|
Scott Ullrich
|
|
| 234 |
5b237745
|
Scott Ullrich
|
unset($input_errors);
|
| 235 |
|
|
$pconfig = $_POST;
|
| 236 |
|
|
|
| 237 |
|
|
/* input validation */
|
| 238 |
|
|
$reqdfields = explode(" ", "type interface proto src dst");
|
| 239 |
|
|
$reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination");
|
| 240 |
|
|
|
| 241 |
bdb7d6e7
|
Scott Ullrich
|
|
| 242 |
|
|
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state")
|
| 243 |
c22767b1
|
Bill Marquette
|
if( $_POST['proto'] != "tcp" )
|
| 244 |
|
|
$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
|
| 245 |
bdb7d6e7
|
Scott Ullrich
|
|
| 246 |
5ba18897
|
Scott Ullrich
|
|
| 247 |
5b237745
|
Scott Ullrich
|
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
|
| 248 |
|
|
$reqdfields[] = "srcmask";
|
| 249 |
|
|
$reqdfieldsn[] = "Source bit count";
|
| 250 |
|
|
}
|
| 251 |
|
|
if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
|
| 252 |
|
|
$reqdfields[] = "dstmask";
|
| 253 |
|
|
$reqdfieldsn[] = "Destination bit count";
|
| 254 |
|
|
}
|
| 255 |
5ba18897
|
Scott Ullrich
|
|
| 256 |
5b237745
|
Scott Ullrich
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
|
| 257 |
5ba18897
|
Scott Ullrich
|
|
| 258 |
5b237745
|
Scott Ullrich
|
if (!$_POST['srcbeginport']) {
|
| 259 |
|
|
$_POST['srcbeginport'] = 0;
|
| 260 |
|
|
$_POST['srcendport'] = 0;
|
| 261 |
|
|
}
|
| 262 |
|
|
if (!$_POST['dstbeginport']) {
|
| 263 |
|
|
$_POST['dstbeginport'] = 0;
|
| 264 |
|
|
$_POST['dstendport'] = 0;
|
| 265 |
|
|
}
|
| 266 |
5ba18897
|
Scott Ullrich
|
|
| 267 |
19757279
|
Scott Ullrich
|
if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
|
| 268 |
aba8aace
|
Scott Ullrich
|
$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
|
| 269 |
bdb7d6e7
|
Scott Ullrich
|
}
|
| 270 |
19757279
|
Scott Ullrich
|
if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
|
| 271 |
aba8aace
|
Scott Ullrich
|
$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
|
| 272 |
bdb7d6e7
|
Scott Ullrich
|
}
|
| 273 |
19757279
|
Scott Ullrich
|
if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
|
| 274 |
aba8aace
|
Scott Ullrich
|
$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
|
| 275 |
bdb7d6e7
|
Scott Ullrich
|
}
|
| 276 |
19757279
|
Scott Ullrich
|
if (($_POST['dstendport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstendport']))) {
|
| 277 |
aba8aace
|
Scott Ullrich
|
$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
|
| 278 |
bdb7d6e7
|
Scott Ullrich
|
}
|
| 279 |
5ba18897
|
Scott Ullrich
|
|
| 280 |
f38dea08
|
Scott Ullrich
|
if (($_POST['returngateway'] && !is_ipaddroranyalias($_POST['returngateway'])))
|
| 281 |
|
|
$input_errors[] = "A valid return gateway IP address or alias must be specified.";
|
| 282 |
|
|
|
| 283 |
5b237745
|
Scott Ullrich
|
if (!is_specialnet($_POST['srctype'])) {
|
| 284 |
|
|
if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
|
| 285 |
|
|
$input_errors[] = "A valid source IP address or alias must be specified.";
|
| 286 |
|
|
}
|
| 287 |
|
|
if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
|
| 288 |
|
|
$input_errors[] = "A valid source bit count must be specified.";
|
| 289 |
|
|
}
|
| 290 |
|
|
}
|
| 291 |
|
|
if (!is_specialnet($_POST['dsttype'])) {
|
| 292 |
|
|
if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
|
| 293 |
|
|
$input_errors[] = "A valid destination IP address or alias must be specified.";
|
| 294 |
|
|
}
|
| 295 |
|
|
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
|
| 296 |
|
|
$input_errors[] = "A valid destination bit count must be specified.";
|
| 297 |
|
|
}
|
| 298 |
|
|
}
|
| 299 |
5ba18897
|
Scott Ullrich
|
|
| 300 |
5b237745
|
Scott Ullrich
|
if ($_POST['srcbeginport'] > $_POST['srcendport']) {
|
| 301 |
|
|
/* swap */
|
| 302 |
|
|
$tmp = $_POST['srcendport'];
|
| 303 |
|
|
$_POST['srcendport'] = $_POST['srcbeginport'];
|
| 304 |
|
|
$_POST['srcbeginport'] = $tmp;
|
| 305 |
|
|
}
|
| 306 |
|
|
if ($_POST['dstbeginport'] > $_POST['dstendport']) {
|
| 307 |
|
|
/* swap */
|
| 308 |
|
|
$tmp = $_POST['dstendport'];
|
| 309 |
|
|
$_POST['dstendport'] = $_POST['dstbeginport'];
|
| 310 |
|
|
$_POST['dstbeginport'] = $tmp;
|
| 311 |
|
|
}
|
| 312 |
e33c8694
|
Bill Marquette
|
if ($_POST['os'])
|
| 313 |
|
|
if( $_POST['proto'] != "tcp" )
|
| 314 |
|
|
$input_errors[] = "OS detection is only valid with protocol tcp.";
|
| 315 |
5b237745
|
Scott Ullrich
|
|
| 316 |
|
|
if (!$input_errors) {
|
| 317 |
|
|
$filterent = array();
|
| 318 |
|
|
$filterent['type'] = $_POST['type'];
|
| 319 |
|
|
$filterent['interface'] = $_POST['interface'];
|
| 320 |
d59874c1
|
Scott Ullrich
|
|
| 321 |
bdb7d6e7
|
Scott Ullrich
|
/* Advanced options */
|
| 322 |
|
|
$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
|
| 323 |
|
|
$filterent['max-src-states'] = $_POST['max-src-states'];
|
| 324 |
5ba18897
|
Scott Ullrich
|
$filterent['statetimeout'] = $_POST['statetimeout'];
|
| 325 |
fa9af164
|
Scott Ullrich
|
$filterent['statetype'] = $_POST['statetype'];
|
| 326 |
e33c8694
|
Bill Marquette
|
$filterent['os'] = $_POST['os'];
|
| 327 |
5ba18897
|
Scott Ullrich
|
|
| 328 |
5b237745
|
Scott Ullrich
|
if ($_POST['proto'] != "any")
|
| 329 |
|
|
$filterent['protocol'] = $_POST['proto'];
|
| 330 |
|
|
else
|
| 331 |
|
|
unset($filterent['protocol']);
|
| 332 |
5ba18897
|
Scott Ullrich
|
|
| 333 |
5b237745
|
Scott Ullrich
|
if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
|
| 334 |
|
|
$filterent['icmptype'] = $_POST['icmptype'];
|
| 335 |
|
|
else
|
| 336 |
|
|
unset($filterent['icmptype']);
|
| 337 |
5ba18897
|
Scott Ullrich
|
|
| 338 |
5b237745
|
Scott Ullrich
|
pconfig_to_address($filterent['source'], $_POST['src'],
|
| 339 |
|
|
$_POST['srcmask'], $_POST['srcnot'],
|
| 340 |
|
|
$_POST['srcbeginport'], $_POST['srcendport']);
|
| 341 |
5ba18897
|
Scott Ullrich
|
|
| 342 |
5b237745
|
Scott Ullrich
|
pconfig_to_address($filterent['destination'], $_POST['dst'],
|
| 343 |
|
|
$_POST['dstmask'], $_POST['dstnot'],
|
| 344 |
|
|
$_POST['dstbeginport'], $_POST['dstendport']);
|
| 345 |
5ba18897
|
Scott Ullrich
|
|
| 346 |
5b237745
|
Scott Ullrich
|
$filterent['disabled'] = $_POST['disabled'] ? true : false;
|
| 347 |
|
|
$filterent['log'] = $_POST['log'] ? true : false;
|
| 348 |
|
|
$filterent['descr'] = $_POST['descr'];
|
| 349 |
09a86e31
|
Scott Ullrich
|
$filterent['returngateway'] = $_POST['returngateway'];
|
| 350 |
092ac49d
|
Scott Ullrich
|
$filterent['returninterface'] = $_POST['returninterface'];
|
| 351 |
5ba18897
|
Scott Ullrich
|
|
| 352 |
5b237745
|
Scott Ullrich
|
if (isset($id) && $a_filter[$id])
|
| 353 |
|
|
$a_filter[$id] = $filterent;
|
| 354 |
|
|
else {
|
| 355 |
|
|
if (is_numeric($after))
|
| 356 |
|
|
array_splice($a_filter, $after+1, 0, array($filterent));
|
| 357 |
|
|
else
|
| 358 |
|
|
$a_filter[] = $filterent;
|
| 359 |
|
|
}
|
| 360 |
5ba18897
|
Scott Ullrich
|
|
| 361 |
ed08ef3e
|
Scott Ullrich
|
$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
|
| 362 |
|
|
$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
|
| 363 |
|
|
|
| 364 |
5b237745
|
Scott Ullrich
|
write_config();
|
| 365 |
|
|
touch($d_filterconfdirty_path);
|
| 366 |
5ba18897
|
Scott Ullrich
|
|
| 367 |
a23d7248
|
Scott Ullrich
|
header("Location: firewall_rules.php?if=" . $_POST['interface']);
|
| 368 |
5b237745
|
Scott Ullrich
|
exit;
|
| 369 |
|
|
}
|
| 370 |
|
|
}
|
| 371 |
|
|
?>
|
| 372 |
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
| 373 |
|
|
<html>
|
| 374 |
|
|
<head>
|
| 375 |
|
|
<title><?=gentitle("Firewall: Rules: Edit");?></title>
|
| 376 |
|
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
|
| 377 |
|
|
<link href="gui.css" rel="stylesheet" type="text/css">
|
| 378 |
|
|
<script language="JavaScript">
|
| 379 |
|
|
<!--
|
| 380 |
|
|
var portsenabled = 1;
|
| 381 |
bdb7d6e7
|
Scott Ullrich
|
|
| 382 |
5b237745
|
Scott Ullrich
|
function ext_change() {
|
| 383 |
|
|
if ((document.iform.srcbeginport.selectedIndex == 0) && portsenabled) {
|
| 384 |
|
|
document.iform.srcbeginport_cust.disabled = 0;
|
| 385 |
|
|
} else {
|
| 386 |
|
|
document.iform.srcbeginport_cust.value = "";
|
| 387 |
|
|
document.iform.srcbeginport_cust.disabled = 1;
|
| 388 |
|
|
}
|
| 389 |
|
|
if ((document.iform.srcendport.selectedIndex == 0) && portsenabled) {
|
| 390 |
|
|
document.iform.srcendport_cust.disabled = 0;
|
| 391 |
|
|
} else {
|
| 392 |
|
|
document.iform.srcendport_cust.value = "";
|
| 393 |
|
|
document.iform.srcendport_cust.disabled = 1;
|
| 394 |
|
|
}
|
| 395 |
|
|
if ((document.iform.dstbeginport.selectedIndex == 0) && portsenabled) {
|
| 396 |
|
|
document.iform.dstbeginport_cust.disabled = 0;
|
| 397 |
|
|
} else {
|
| 398 |
|
|
document.iform.dstbeginport_cust.value = "";
|
| 399 |
|
|
document.iform.dstbeginport_cust.disabled = 1;
|
| 400 |
|
|
}
|
| 401 |
|
|
if ((document.iform.dstendport.selectedIndex == 0) && portsenabled) {
|
| 402 |
|
|
document.iform.dstendport_cust.disabled = 0;
|
| 403 |
|
|
} else {
|
| 404 |
|
|
document.iform.dstendport_cust.value = "";
|
| 405 |
|
|
document.iform.dstendport_cust.disabled = 1;
|
| 406 |
|
|
}
|
| 407 |
5ba18897
|
Scott Ullrich
|
|
| 408 |
5b237745
|
Scott Ullrich
|
if (!portsenabled) {
|
| 409 |
|
|
document.iform.srcbeginport.disabled = 1;
|
| 410 |
|
|
document.iform.srcendport.disabled = 1;
|
| 411 |
|
|
document.iform.dstbeginport.disabled = 1;
|
| 412 |
|
|
document.iform.dstendport.disabled = 1;
|
| 413 |
|
|
} else {
|
| 414 |
|
|
document.iform.srcbeginport.disabled = 0;
|
| 415 |
|
|
document.iform.srcendport.disabled = 0;
|
| 416 |
|
|
document.iform.dstbeginport.disabled = 0;
|
| 417 |
|
|
document.iform.dstendport.disabled = 0;
|
| 418 |
|
|
}
|
| 419 |
|
|
}
|
| 420 |
|
|
|
| 421 |
bdb7d6e7
|
Scott Ullrich
|
function typesel_change() {
|
| 422 |
5b237745
|
Scott Ullrich
|
switch (document.iform.srctype.selectedIndex) {
|
| 423 |
|
|
case 1: /* single */
|
| 424 |
|
|
document.iform.src.disabled = 0;
|
| 425 |
|
|
document.iform.srcmask.value = "";
|
| 426 |
|
|
document.iform.srcmask.disabled = 1;
|
| 427 |
|
|
break;
|
| 428 |
|
|
case 2: /* network */
|
| 429 |
|
|
document.iform.src.disabled = 0;
|
| 430 |
|
|
document.iform.srcmask.disabled = 0;
|
| 431 |
|
|
break;
|
| 432 |
|
|
default:
|
| 433 |
|
|
document.iform.src.value = "";
|
| 434 |
|
|
document.iform.src.disabled = 1;
|
| 435 |
|
|
document.iform.srcmask.value = "";
|
| 436 |
|
|
document.iform.srcmask.disabled = 1;
|
| 437 |
|
|
break;
|
| 438 |
|
|
}
|
| 439 |
|
|
switch (document.iform.dsttype.selectedIndex) {
|
| 440 |
|
|
case 1: /* single */
|
| 441 |
|
|
document.iform.dst.disabled = 0;
|
| 442 |
|
|
document.iform.dstmask.value = "";
|
| 443 |
|
|
document.iform.dstmask.disabled = 1;
|
| 444 |
|
|
break;
|
| 445 |
|
|
case 2: /* network */
|
| 446 |
|
|
document.iform.dst.disabled = 0;
|
| 447 |
|
|
document.iform.dstmask.disabled = 0;
|
| 448 |
|
|
break;
|
| 449 |
|
|
default:
|
| 450 |
|
|
document.iform.dst.value = "";
|
| 451 |
|
|
document.iform.dst.disabled = 1;
|
| 452 |
|
|
document.iform.dstmask.value = "";
|
| 453 |
|
|
document.iform.dstmask.disabled = 1;
|
| 454 |
|
|
break;
|
| 455 |
|
|
}
|
| 456 |
|
|
}
|
| 457 |
|
|
|
| 458 |
|
|
function proto_change() {
|
| 459 |
|
|
if (document.iform.proto.selectedIndex < 3) {
|
| 460 |
|
|
portsenabled = 1;
|
| 461 |
|
|
} else {
|
| 462 |
|
|
portsenabled = 0;
|
| 463 |
|
|
}
|
| 464 |
5ba18897
|
Scott Ullrich
|
|
| 465 |
65465a3c
|
Scott Ullrich
|
/* Disable OS knob if the proto is not TCP. */
|
| 466 |
|
|
if (document.iform.proto.selectedIndex < 1) {
|
| 467 |
|
|
document.forms[0].os.disabled = 0;
|
| 468 |
|
|
} else {
|
| 469 |
|
|
document.forms[0].os.disabled = 1;
|
| 470 |
|
|
}
|
| 471 |
|
|
|
| 472 |
5b237745
|
Scott Ullrich
|
if (document.iform.proto.selectedIndex == 3) {
|
| 473 |
|
|
document.iform.icmptype.disabled = 0;
|
| 474 |
|
|
} else {
|
| 475 |
|
|
document.iform.icmptype.disabled = 1;
|
| 476 |
|
|
}
|
| 477 |
5ba18897
|
Scott Ullrich
|
|
| 478 |
5b237745
|
Scott Ullrich
|
ext_change();
|
| 479 |
|
|
}
|
| 480 |
|
|
|
| 481 |
|
|
function src_rep_change() {
|
| 482 |
|
|
document.iform.srcendport.selectedIndex = document.iform.srcbeginport.selectedIndex;
|
| 483 |
|
|
}
|
| 484 |
|
|
function dst_rep_change() {
|
| 485 |
|
|
document.iform.dstendport.selectedIndex = document.iform.dstbeginport.selectedIndex;
|
| 486 |
|
|
}
|
| 487 |
|
|
//-->
|
| 488 |
|
|
</script>
|
| 489 |
|
|
</head>
|
| 490 |
|
|
|
| 491 |
|
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
| 492 |
|
|
<?php include("fbegin.inc"); ?>
|
| 493 |
|
|
<p class="pgtitle">Firewall: Rules: Edit</p>
|
| 494 |
|
|
<?php if ($input_errors) print_input_errors($input_errors); ?>
|
| 495 |
|
|
<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
|
| 496 |
|
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
| 497 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 498 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Action</td>
|
| 499 |
|
|
<td width="78%" class="vtable">
|
| 500 |
bdb7d6e7
|
Scott Ullrich
|
<select name="type" class="formfld">
|
| 501 |
5b237745
|
Scott Ullrich
|
<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
|
| 502 |
|
|
<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
|
| 503 |
|
|
<?=htmlspecialchars($type);?>
|
| 504 |
|
|
</option>
|
| 505 |
|
|
<?php endforeach; ?>
|
| 506 |
|
|
</select> <br>
|
| 507 |
bdb7d6e7
|
Scott Ullrich
|
<span class="vexpl">Choose what to do with packets that match
|
| 508 |
|
|
the criteria specified below.<br>
|
| 509 |
|
|
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.</span></td>
|
| 510 |
5b237745
|
Scott Ullrich
|
</tr>
|
| 511 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 512 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Disabled</td>
|
| 513 |
5ba18897
|
Scott Ullrich
|
<td width="78%" class="vtable">
|
| 514 |
5b237745
|
Scott Ullrich
|
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
|
| 515 |
|
|
<strong>Disable this rule</strong><br>
|
| 516 |
|
|
<span class="vexpl">Set this option to disable this rule without
|
| 517 |
|
|
removing it from the list.</span></td>
|
| 518 |
|
|
</tr>
|
| 519 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 520 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Interface</td>
|
| 521 |
|
|
<td width="78%" class="vtable">
|
| 522 |
bdb7d6e7
|
Scott Ullrich
|
<select name="interface" class="formfld">
|
| 523 |
5b237745
|
Scott Ullrich
|
<?php $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP');
|
| 524 |
|
|
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
|
| 525 |
|
|
$interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr'];
|
| 526 |
|
|
}
|
| 527 |
|
|
foreach ($interfaces as $iface => $ifacename): ?>
|
| 528 |
|
|
<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
|
| 529 |
|
|
<?=htmlspecialchars($ifacename);?>
|
| 530 |
|
|
</option>
|
| 531 |
|
|
<?php endforeach; ?>
|
| 532 |
|
|
</select> <br>
|
| 533 |
5ba18897
|
Scott Ullrich
|
<span class="vexpl">Choose on which interface packets must
|
| 534 |
5b237745
|
Scott Ullrich
|
come in to match this rule.</span></td>
|
| 535 |
|
|
</tr>
|
| 536 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 537 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Protocol</td>
|
| 538 |
|
|
<td width="78%" class="vtable">
|
| 539 |
bdb7d6e7
|
Scott Ullrich
|
<select name="proto" class="formfld" onchange="proto_change()">
|
| 540 |
9620d290
|
Scott Ullrich
|
<?php $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ICMP6 ESP AH GRE IPv6 IGMP any carp pfsync"); foreach ($protocols as $proto): ?>
|
| 541 |
5b237745
|
Scott Ullrich
|
<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>>
|
| 542 |
|
|
<?=htmlspecialchars($proto);?>
|
| 543 |
|
|
</option>
|
| 544 |
|
|
<?php endforeach; ?>
|
| 545 |
|
|
</select> <br>
|
| 546 |
5ba18897
|
Scott Ullrich
|
<span class="vexpl">Choose which IP protocol this rule should
|
| 547 |
5b237745
|
Scott Ullrich
|
match.<br>
|
| 548 |
|
|
Hint: in most cases, you should specify <em>TCP</em> here.</span></td>
|
| 549 |
|
|
</tr>
|
| 550 |
|
|
<tr>
|
| 551 |
|
|
<td valign="top" class="vncell">ICMP type</td>
|
| 552 |
|
|
<td class="vtable">
|
| 553 |
|
|
<select name="icmptype" class="formfld">
|
| 554 |
|
|
<?php
|
| 555 |
5ba18897
|
Scott Ullrich
|
|
| 556 |
5b237745
|
Scott Ullrich
|
$icmptypes = array(
|
| 557 |
|
|
"" => "any",
|
| 558 |
|
|
"echorep" => "Echo reply",
|
| 559 |
ec4940b9
|
Bill Marquette
|
"unreach" => "Destination unreachable",
|
| 560 |
5b237745
|
Scott Ullrich
|
"squench" => "Source quench",
|
| 561 |
|
|
"redir" => "Redirect",
|
| 562 |
ec4940b9
|
Bill Marquette
|
"althost" => "Alternate Host",
|
| 563 |
|
|
"echoreq" => "Echo",
|
| 564 |
|
|
"routeradv" => "Router advertisement",
|
| 565 |
|
|
"routersol" => "Router solicitation",
|
| 566 |
5b237745
|
Scott Ullrich
|
"timex" => "Time exceeded",
|
| 567 |
ec4940b9
|
Bill Marquette
|
"paramprob" => "Invalid IP header",
|
| 568 |
|
|
"timereq" => "Timestamp",
|
| 569 |
|
|
"timerep" => "Timestamp reply",
|
| 570 |
5b237745
|
Scott Ullrich
|
"inforeq" => "Information request",
|
| 571 |
|
|
"inforep" => "Information reply",
|
| 572 |
|
|
"maskreq" => "Address mask request",
|
| 573 |
|
|
"maskrep" => "Address mask reply"
|
| 574 |
|
|
);
|
| 575 |
5ba18897
|
Scott Ullrich
|
|
| 576 |
5b237745
|
Scott Ullrich
|
foreach ($icmptypes as $icmptype => $descr): ?>
|
| 577 |
|
|
<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>>
|
| 578 |
|
|
<?=htmlspecialchars($descr);?>
|
| 579 |
|
|
</option>
|
| 580 |
|
|
<?php endforeach; ?>
|
| 581 |
|
|
</select>
|
| 582 |
|
|
<br>
|
| 583 |
|
|
<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span></td>
|
| 584 |
|
|
</tr>
|
| 585 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 586 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Source</td>
|
| 587 |
|
|
<td width="78%" class="vtable">
|
| 588 |
bdb7d6e7
|
Scott Ullrich
|
<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
|
| 589 |
5b237745
|
Scott Ullrich
|
<strong>not</strong><br>
|
| 590 |
|
|
Use this option to invert the sense of the match.<br>
|
| 591 |
|
|
<br>
|
| 592 |
|
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 593 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 594 |
5b237745
|
Scott Ullrich
|
<td>Type: </td>
|
| 595 |
bdb7d6e7
|
Scott Ullrich
|
<td><select name="srctype" class="formfld" onChange="typesel_change()">
|
| 596 |
5b237745
|
Scott Ullrich
|
<?php $sel = is_specialnet($pconfig['src']); ?>
|
| 597 |
|
|
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>
|
| 598 |
|
|
any</option>
|
| 599 |
|
|
<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
|
| 600 |
|
|
Single host or alias</option>
|
| 601 |
|
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>
|
| 602 |
|
|
Network</option>
|
| 603 |
|
|
<option value="lan" <?php if ($pconfig['src'] == "lan") { echo "selected"; } ?>>
|
| 604 |
|
|
LAN subnet</option>
|
| 605 |
|
|
<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>
|
| 606 |
|
|
PPTP clients</option>
|
| 607 |
|
|
<?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
|
| 608 |
|
|
<option value="opt<?=$i;?>" <?php if ($pconfig['src'] == "opt" . $i) { echo "selected"; } ?>>
|
| 609 |
|
|
<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
|
| 610 |
|
|
<?php endfor; ?>
|
| 611 |
|
|
</select></td>
|
| 612 |
|
|
</tr>
|
| 613 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 614 |
5b237745
|
Scott Ullrich
|
<td>Address: </td>
|
| 615 |
3d85f6b4
|
Scott Ullrich
|
<td><input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this)' onkeyup='actb_tocomplete(this,event,addressarray);' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>">
|
| 616 |
5b237745
|
Scott Ullrich
|
/
|
| 617 |
bdb7d6e7
|
Scott Ullrich
|
<select name="srcmask" class="formfld" id="srcmask">
|
| 618 |
|
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
| 619 |
|
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
|
| 620 |
|
|
<?php endfor; ?>
|
| 621 |
|
|
</select>
|
| 622 |
|
|
</td>
|
| 623 |
|
|
</tr>
|
| 624 |
5b237745
|
Scott Ullrich
|
</table></td>
|
| 625 |
|
|
</tr>
|
| 626 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 627 |
|
|
<td width="22%" valign="top" class="vncellreq">Source port range
|
| 628 |
5b237745
|
Scott Ullrich
|
</td>
|
| 629 |
5ba18897
|
Scott Ullrich
|
<td width="78%" class="vtable">
|
| 630 |
5b237745
|
Scott Ullrich
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 631 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 632 |
5b237745
|
Scott Ullrich
|
<td>from: </td>
|
| 633 |
|
|
<td><select name="srcbeginport" class="formfld" onchange="src_rep_change();ext_change()">
|
| 634 |
|
|
<option value="">(other)</option>
|
| 635 |
bdb7d6e7
|
Scott Ullrich
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 636 |
5b237745
|
Scott Ullrich
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 637 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) {
|
| 638 |
|
|
echo "selected";
|
| 639 |
|
|
$bfound = 1;
|
| 640 |
|
|
}?>>
|
| 641 |
|
|
<?=htmlspecialchars($wkportdesc);?>
|
| 642 |
|
|
</option>
|
| 643 |
|
|
<?php endforeach; ?>
|
| 644 |
3d85f6b4
|
Scott Ullrich
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>"></td>
|
| 645 |
5b237745
|
Scott Ullrich
|
</tr>
|
| 646 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 647 |
5b237745
|
Scott Ullrich
|
<td>to:</td>
|
| 648 |
|
|
<td><select name="srcendport" class="formfld" onchange="ext_change()">
|
| 649 |
|
|
<option value="">(other)</option>
|
| 650 |
bdb7d6e7
|
Scott Ullrich
|
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 651 |
5b237745
|
Scott Ullrich
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 652 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) {
|
| 653 |
|
|
echo "selected";
|
| 654 |
|
|
$bfound = 1;
|
| 655 |
|
|
}?>>
|
| 656 |
|
|
<?=htmlspecialchars($wkportdesc);?>
|
| 657 |
|
|
</option>
|
| 658 |
|
|
<?php endforeach; ?>
|
| 659 |
3d85f6b4
|
Scott Ullrich
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>"></td>
|
| 660 |
5b237745
|
Scott Ullrich
|
</tr>
|
| 661 |
|
|
</table>
|
| 662 |
5ba18897
|
Scott Ullrich
|
<br>
|
| 663 |
|
|
<span class="vexpl">Specify the port or port range for
|
| 664 |
bdb7d6e7
|
Scott Ullrich
|
the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any"). <br>
|
| 665 |
5ba18897
|
Scott Ullrich
|
Hint: you can leave the <em>'to'</em> field empty if you only
|
| 666 |
5b237745
|
Scott Ullrich
|
want to filter a single port</span></td>
|
| 667 |
e33c8694
|
Bill Marquette
|
|
| 668 |
|
|
<tr>
|
| 669 |
|
|
<td width="22%" valign="top" class="vncellreq">Source OS</td>
|
| 670 |
|
|
<td width="78%" class="vtable">OS Type:
|
| 671 |
65465a3c
|
Scott Ullrich
|
<select name="os" id="os" class="formfld">
|
| 672 |
e33c8694
|
Bill Marquette
|
<?php
|
| 673 |
|
|
$ostypes = array(
|
| 674 |
|
|
"" => "any",
|
| 675 |
|
|
"AIX" => "AIX",
|
| 676 |
|
|
"Linux" => "Linux",
|
| 677 |
|
|
"FreeBSD" => "FreeBSD",
|
| 678 |
|
|
"NetBSD" => "NetBSD",
|
| 679 |
|
|
"OpenBSD" => "OpenBSD",
|
| 680 |
|
|
"Solaris" => "Solaris",
|
| 681 |
|
|
"MacOS" => "MacOS",
|
| 682 |
|
|
"Windows" => "Windows",
|
| 683 |
|
|
"Novell" => "Novell"
|
| 684 |
|
|
);
|
| 685 |
|
|
|
| 686 |
|
|
foreach ($ostypes as $ostype => $descr): ?>
|
| 687 |
|
|
<option value="<?=$ostype;?>" <?php if ($ostype == $pconfig['os']) echo "selected"; ?>>
|
| 688 |
|
|
<?=htmlspecialchars($descr);?>
|
| 689 |
|
|
</option>
|
| 690 |
|
|
<?php endforeach; ?>
|
| 691 |
|
|
</select><br>
|
| 692 |
|
|
Note: this only works for TCP rules</td>
|
| 693 |
|
|
</tr>
|
| 694 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 695 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Destination</td>
|
| 696 |
5ba18897
|
Scott Ullrich
|
<td width="78%" class="vtable">
|
| 697 |
|
|
<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
|
| 698 |
5b237745
|
Scott Ullrich
|
<strong>not</strong><br>
|
| 699 |
|
|
Use this option to invert the sense of the match.<br>
|
| 700 |
|
|
<br>
|
| 701 |
|
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 702 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 703 |
5b237745
|
Scott Ullrich
|
<td>Type: </td>
|
| 704 |
bdb7d6e7
|
Scott Ullrich
|
<td><select name="dsttype" class="formfld" onChange="typesel_change()">
|
| 705 |
5b237745
|
Scott Ullrich
|
<?php $sel = is_specialnet($pconfig['dst']); ?>
|
| 706 |
|
|
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>
|
| 707 |
|
|
any</option>
|
| 708 |
|
|
<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
|
| 709 |
|
|
Single host or alias</option>
|
| 710 |
|
|
<option value="network" <?php if (!$sel) echo "selected"; ?>>
|
| 711 |
|
|
Network</option>
|
| 712 |
|
|
<option value="lan" <?php if ($pconfig['dst'] == "lan") { echo "selected"; } ?>>
|
| 713 |
|
|
LAN subnet</option>
|
| 714 |
|
|
<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>
|
| 715 |
|
|
PPTP clients</option>
|
| 716 |
|
|
<?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): ?>
|
| 717 |
|
|
<option value="opt<?=$i;?>" <?php if ($pconfig['dst'] == "opt" . $i) { echo "selected"; } ?>>
|
| 718 |
|
|
<?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?> subnet</option>
|
| 719 |
|
|
<?php endfor; ?>
|
| 720 |
|
|
</select></td>
|
| 721 |
|
|
</tr>
|
| 722 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 723 |
5b237745
|
Scott Ullrich
|
<td>Address: </td>
|
| 724 |
3d85f6b4
|
Scott Ullrich
|
<td><input name="dst" autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,addressarray)' type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
| 725 |
5ba18897
|
Scott Ullrich
|
/
|
| 726 |
bdb7d6e7
|
Scott Ullrich
|
<select name="dstmask" class="formfld" id="dstmask">
|
| 727 |
|
|
<?php for ($i = 31; $i > 0; $i--): ?>
|
| 728 |
|
|
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
|
| 729 |
|
|
<?php endfor; ?>
|
| 730 |
|
|
</select></td>
|
| 731 |
5b237745
|
Scott Ullrich
|
</tr>
|
| 732 |
|
|
</table></td>
|
| 733 |
|
|
</tr>
|
| 734 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 735 |
|
|
<td width="22%" valign="top" class="vncellreq">Destination port
|
| 736 |
5b237745
|
Scott Ullrich
|
range </td>
|
| 737 |
5ba18897
|
Scott Ullrich
|
<td width="78%" class="vtable">
|
| 738 |
5b237745
|
Scott Ullrich
|
<table border="0" cellspacing="0" cellpadding="0">
|
| 739 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 740 |
5b237745
|
Scott Ullrich
|
<td>from: </td>
|
| 741 |
|
|
<td><select name="dstbeginport" class="formfld" onchange="dst_rep_change();ext_change()">
|
| 742 |
|
|
<option value="">(other)</option>
|
| 743 |
|
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 744 |
|
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 745 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) {
|
| 746 |
|
|
echo "selected";
|
| 747 |
|
|
$bfound = 1;
|
| 748 |
|
|
}?>>
|
| 749 |
|
|
<?=htmlspecialchars($wkportdesc);?>
|
| 750 |
|
|
</option>
|
| 751 |
|
|
<?php endforeach; ?>
|
| 752 |
3d85f6b4
|
Scott Ullrich
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>"></td>
|
| 753 |
5b237745
|
Scott Ullrich
|
</tr>
|
| 754 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 755 |
5b237745
|
Scott Ullrich
|
<td>to:</td>
|
| 756 |
|
|
<td><select name="dstendport" class="formfld" onchange="ext_change()">
|
| 757 |
|
|
<option value="">(other)</option>
|
| 758 |
|
|
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 759 |
|
|
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
|
| 760 |
|
|
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) {
|
| 761 |
|
|
echo "selected";
|
| 762 |
|
|
$bfound = 1;
|
| 763 |
|
|
}?>>
|
| 764 |
|
|
<?=htmlspecialchars($wkportdesc);?>
|
| 765 |
|
|
</option>
|
| 766 |
|
|
<?php endforeach; ?>
|
| 767 |
3d85f6b4
|
Scott Ullrich
|
</select> <input autocomplete='off' onblur='actb_removedisp()' onkeypress='return (event.keyCode!=13);' onkeydown='actb_checkkey(event, this);' onkeyup='actb_tocomplete(this,event,customarray)' class="formfldalias" name="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>"></td>
|
| 768 |
5b237745
|
Scott Ullrich
|
</tr>
|
| 769 |
|
|
</table>
|
| 770 |
5ba18897
|
Scott Ullrich
|
<br> <span class="vexpl">Specify the port or port range for
|
| 771 |
5b237745
|
Scott Ullrich
|
the destination of the packet for this rule.<br>
|
| 772 |
5ba18897
|
Scott Ullrich
|
Hint: you can leave the <em>'to'</em> field empty if you only
|
| 773 |
5b237745
|
Scott Ullrich
|
want to filter a single port</span></td>
|
| 774 |
bdb7d6e7
|
Scott Ullrich
|
</tr>
|
| 775 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 776 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncellreq">Log</td>
|
| 777 |
5ba18897
|
Scott Ullrich
|
<td width="78%" class="vtable">
|
| 778 |
5b237745
|
Scott Ullrich
|
<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
|
| 779 |
|
|
<strong>Log packets that are handled by this rule</strong><br>
|
| 780 |
5ba18897
|
Scott Ullrich
|
<span class="vexpl">Hint: the firewall has limited local log
|
| 781 |
|
|
space. Don't turn on logging for everything. If you want to
|
| 782 |
|
|
do a lot of logging, consider using a remote syslog server
|
| 783 |
|
|
(see the <a href="diag_logs_settings.php">Diagnostics: System
|
| 784 |
5b237745
|
Scott Ullrich
|
logs: Settings</a> page).</span></td>
|
| 785 |
|
|
</tr>
|
| 786 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 787 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top" class="vncell">Description</td>
|
| 788 |
5ba18897
|
Scott Ullrich
|
<td width="78%" class="vtable">
|
| 789 |
|
|
<input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
|
| 790 |
|
|
<br> <span class="vexpl">You may enter a description here
|
| 791 |
5b237745
|
Scott Ullrich
|
for your reference (not parsed).</span></td>
|
| 792 |
|
|
</tr>
|
| 793 |
a44455c4
|
Scott Ullrich
|
<tr>
|
| 794 |
|
|
<td width="22%" valign="top" class="vncell">Advanced Options</td>
|
| 795 |
|
|
<td width="78%" class="vtable">
|
| 796 |
|
|
<input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br> Simultaneous client connection limit<p>
|
| 797 |
e33c8694
|
Bill Marquette
|
<input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br> Maximum state entries per host<p>
|
| 798 |
ed08ef3e
|
Scott Ullrich
|
<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo $pconfig['max-src-conn-rate'] ?>"> /
|
| 799 |
|
|
<select name="max-src-conn-rates" id="max-src-conn-rates">
|
| 800 |
40b0fe5b
|
Scott Ullrich
|
<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
|
| 801 |
ed08ef3e
|
Scott Ullrich
|
<?php
|
| 802 |
40b0fe5b
|
Scott Ullrich
|
for($x=1; $x<255; $x++) {
|
| 803 |
ed08ef3e
|
Scott Ullrich
|
if($x == $pconfig['max-src-conn-rates'])
|
| 804 |
|
|
$selected = " selected";
|
| 805 |
|
|
else
|
| 806 |
|
|
$selected = "";
|
| 807 |
|
|
echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
|
| 808 |
|
|
}
|
| 809 |
|
|
?>
|
| 810 |
|
|
</select>
|
| 811 |
|
|
<br>
|
| 812 |
40b0fe5b
|
Scott Ullrich
|
Maximum new connections / per second
|
| 813 |
4cc0d94c
|
Scott Ullrich
|
<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
|
| 814 |
a44455c4
|
Scott Ullrich
|
</td>
|
| 815 |
|
|
</tr>
|
| 816 |
3849b323
|
Scott Ullrich
|
<tr>
|
| 817 |
|
|
<td width="22%" valign="top" class="vncell">State Type</td>
|
| 818 |
|
|
<td width="78%" class="vtable">
|
| 819 |
d59874c1
|
Scott Ullrich
|
<select name="statetype">
|
| 820 |
3849b323
|
Scott Ullrich
|
<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
|
| 821 |
|
|
<option value="modulate state" <?php if($pconfig['statetype'] == "modulate state") echo "selected"; ?>>modulate state</option>
|
| 822 |
|
|
<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
|
| 823 |
|
|
<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
|
| 824 |
|
|
</select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
|
| 825 |
|
|
<p><strong>
|
| 826 |
|
|
<table>
|
| 827 |
5ba18897
|
Scott Ullrich
|
<tr><td width="25%"><li>keep state</li></td><td>works with TCP, UDP, and ICMP.</td></tr>
|
| 828 |
|
|
<tr><td width="25%"><li>modulate state</li></td><td>works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) for packets matching this rule.</li></td></tr>
|
| 829 |
|
|
<tr><td width="25%"><li>synproxy state</li></td><td>proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</td></tr>
|
| 830 |
|
|
<tr><td width="25%"><li>none</li></td><td>do not use state mechanisms to keep track. this is only useful if your doing advanced queueing in certain situations. please check the faq.</td></tr>
|
| 831 |
|
|
</table>
|
| 832 |
3849b323
|
Scott Ullrich
|
</strong>
|
| 833 |
|
|
</td>
|
| 834 |
|
|
</tr>
|
| 835 |
a44455c4
|
Scott Ullrich
|
|
| 836 |
5ba18897
|
Scott Ullrich
|
<tr>
|
| 837 |
|
|
<td width="22%" valign="top" class="vncell">State Timeout</td>
|
| 838 |
|
|
<td width="78%" class="vtable">
|
| 839 |
|
|
<input name="statetimeout" value="<?php echo $pconfig['frags'] ?>">
|
| 840 |
|
|
<p><strong>Leave blank for default. Amount is in seconds.
|
| 841 |
|
|
</strong>
|
| 842 |
|
|
</td>
|
| 843 |
|
|
</tr>
|
| 844 |
|
|
|
| 845 |
|
|
<tr>
|
| 846 |
5b237745
|
Scott Ullrich
|
<td width="22%" valign="top"> </td>
|
| 847 |
5ba18897
|
Scott Ullrich
|
<td width="78%">
|
| 848 |
fc01e414
|
Scott Ullrich
|
<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
|
| 849 |
5b237745
|
Scott Ullrich
|
<?php if (isset($id) && $a_filter[$id]): ?>
|
| 850 |
5ba18897
|
Scott Ullrich
|
<input name="id" type="hidden" value="<?=$id;?>">
|
| 851 |
5b237745
|
Scott Ullrich
|
<?php endif; ?>
|
| 852 |
5ba18897
|
Scott Ullrich
|
<input name="after" type="hidden" value="<?=$after;?>">
|
| 853 |
5b237745
|
Scott Ullrich
|
</td>
|
| 854 |
|
|
</tr>
|
| 855 |
|
|
</table>
|
| 856 |
|
|
</form>
|
| 857 |
|
|
<script language="JavaScript">
|
| 858 |
|
|
<!--
|
| 859 |
|
|
ext_change();
|
| 860 |
|
|
typesel_change();
|
| 861 |
|
|
proto_change();
|
| 862 |
19757279
|
Scott Ullrich
|
|
| 863 |
|
|
<?php
|
| 864 |
|
|
$isfirst = 0;
|
| 865 |
|
|
$aliases = "";
|
| 866 |
|
|
$addrisfirst = 0;
|
| 867 |
|
|
$aliasesaddr = "";
|
| 868 |
092ac49d
|
Scott Ullrich
|
if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
|
| 869 |
|
|
foreach($config['aliases']['alias'] as $alias_name) {
|
| 870 |
|
|
if(!stristr($alias_name['address'], ".")) {
|
| 871 |
|
|
if($isfirst == 1) $aliases .= ",";
|
| 872 |
|
|
$aliases .= "'" . $alias_name['name'] . "'";
|
| 873 |
|
|
$isfirst = 1;
|
| 874 |
|
|
} else {
|
| 875 |
|
|
if($addrisfirst == 1) $aliasesaddr .= ",";
|
| 876 |
|
|
$aliasesaddr .= "'" . $alias_name['name'] . "'";
|
| 877 |
|
|
$addrisfirst = 1;
|
| 878 |
|
|
}
|
| 879 |
19757279
|
Scott Ullrich
|
}
|
| 880 |
|
|
?>
|
| 881 |
|
|
|
| 882 |
|
|
var addressarray=new Array(<?php echo $aliasesaddr; ?>);
|
| 883 |
|
|
var customarray=new Array(<?php echo $aliases; ?>);
|
| 884 |
|
|
|
| 885 |
5b237745
|
Scott Ullrich
|
//-->
|
| 886 |
|
|
</script>
|
| 887 |
ef8b343d
|
Scott Ullrich
|
<script type="text/javascript" language="javascript" src="auto_complete_helper.js">
|
| 888 |
|
|
</script>
|
| 889 |
5b237745
|
Scott Ullrich
|
<?php include("fend.inc"); ?>
|
| 890 |
|
|
</body>
|
| 891 |
|
|
</html>
|