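<?php
/* $Id$ */
/*
	system_advanced_firewall.php
	part of pfSense
	Copyright (C) 2005-2007 Scott Ullrich

	Copyright (C) 2008 Shrew Soft Inc

	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_MODULE: system
*/

/*
 * NOTE(review): the MATCH glob in the privilege block below
 * ("system_advanced.php*") does not match this file's own name
 * (system_advanced_firewall.php, which the form below posts to). Confirm
 * against the privilege definitions before relying on it for page access
 * control; the block is left untouched here because it is parsed by tooling.
 */
##|+PRIV
##|*IDENT=page-system-advanced-firewall
##|*NAME=System: Advanced: Firewall and NAT page
##|*DESCR=Allow access to the 'System: Advanced: Firewall and NAT' page.
##|*MATCH=system_advanced.php*
##|-PRIV

require("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");

/*
 * The only values the "Firewall Optimization Options" select offers. The
 * select is a client-side constraint only, so the POST handler checks the
 * submitted value against this list before it is written to the config.
 */
$optimization_modes = array("normal", "high-latency", "aggressive", "conservative");

/* Seed the form with the currently saved settings (overwritten by $_POST on submit). */
$pconfig['disablefilter'] = $config['system']['disablefilter'];
$pconfig['rfc959workaround'] = $config['system']['rfc959workaround'];
$pconfig['scrubnodf'] = $config['system']['scrubnodf'];
$pconfig['scrubrnid'] = $config['system']['scrubrnid'];
$pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout'];
/* The page reads and writes this key under 'system' (see the save branch and the select below). */
$pconfig['optimization'] = $config['system']['optimization'];
$pconfig['maximumstates'] = $config['system']['maximumstates'];
$pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
/* 1:1 reflection is stored as an "enable" key but presented as a "disable" checkbox. */
if (!isset($config['system']['enablebinatreflection'])) {
	$pconfig['disablebinatreflection'] = "yes";
} else {
	$pconfig['disablebinatreflection'] = "";
}
$pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
/* Stored as a comma-separated list of interface names; unset means no selection. */
if (isset($config['system']['tftpinterface']) && $config['system']['tftpinterface'] !== "") {
	$pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']);
} else {
	$pconfig['tftpinterface'] = array();
}
$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);

if ($_POST) {

	unset($input_errors);
	$pconfig = $_POST;

	/* input validation */
	if (!empty($_POST['maximumstates']) && !is_numericint($_POST['maximumstates'])) {
		$input_errors[] = gettext("The Firewall Maximum States value must be an integer.");
	}
	if (!empty($_POST['maximumtableentries']) && !is_numericint($_POST['maximumtableentries'])) {
		$input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
	}
	if (!empty($_POST['tcpidletimeout']) && !is_numericint($_POST['tcpidletimeout'])) {
		$input_errors[] = gettext("The TCP idle timeout must be an integer.");
	}
	if (!empty($_POST['reflectiontimeout']) && !is_numericint($_POST['reflectiontimeout'])) {
		$input_errors[] = gettext("The Reflection timeout must be an integer.");
	}
	/* Reject anything the select could not have produced; the value ends up in the firewall config. */
	if (!empty($_POST['optimization']) && !in_array($_POST['optimization'], $optimization_modes, true)) {
		$input_errors[] = gettext("The Firewall Optimization value is not valid.");
	}
	/*
	 * The form posts tftpinterface[] (a list of option values, which are the
	 * keys of get_configured_interface_with_descr()). A scalar would make
	 * implode() below fail, and an unknown name must not reach the config.
	 */
	if (!empty($_POST['tftpinterface'])) {
		if (!is_array($_POST['tftpinterface'])) {
			$input_errors[] = gettext("The TFTP Proxy interface list is not valid.");
		} else {
			$tftp_ifdescs = get_configured_interface_with_descr();
			foreach ($_POST['tftpinterface'] as $tftpif) {
				if (!is_string($tftpif) || !array_key_exists($tftpif, $tftp_ifdescs)) {
					$input_errors[] = gettext("The TFTP Proxy interface list contains an unknown interface.");
					break;
				}
			}
		}
	}

	ob_flush();
	flush();

	if (!$input_errors) {

		/* Each checkbox maps to a config key that is either set or removed. */
		if ($_POST['disablefilter'] == "yes") {
			$config['system']['disablefilter'] = "enabled";
		} else {
			unset($config['system']['disablefilter']);
		}

		if ($_POST['disablevpnrules'] == "yes") {
			$config['system']['disablevpnrules'] = true;
		} else {
			unset($config['system']['disablevpnrules']);
		}

		if ($_POST['rfc959workaround'] == "yes") {
			$config['system']['rfc959workaround'] = "enabled";
		} else {
			unset($config['system']['rfc959workaround']);
		}

		if ($_POST['scrubnodf'] == "yes") {
			$config['system']['scrubnodf'] = "enabled";
		} else {
			unset($config['system']['scrubnodf']);
		}

		if ($_POST['scrubrnid'] == "yes") {
			$config['system']['scrubrnid'] = "enabled";
		} else {
			unset($config['system']['scrubrnid']);
		}

		/* All three were validated above (whitelist / integer checks). */
		$config['system']['optimization'] = $_POST['optimization'];
		$config['system']['maximumstates'] = $_POST['maximumstates'];
		$config['system']['maximumtableentries'] = $_POST['maximumtableentries'];

		if ($_POST['disablenatreflection'] == "yes") {
			$config['system']['disablenatreflection'] = $_POST['disablenatreflection'];
		} else {
			unset($config['system']['disablenatreflection']);
		}

		/* Inverted on purpose: the checkbox disables, the config key enables. */
		if ($_POST['disablebinatreflection'] == "yes") {
			unset($config['system']['enablebinatreflection']);
		} else {
			$config['system']['enablebinatreflection'] = "yes";
		}

		if ($_POST['disablereplyto'] == "yes") {
			$config['system']['disablereplyto'] = $_POST['disablereplyto'];
		} else {
			unset($config['system']['disablereplyto']);
		}

		if ($_POST['enablenatreflectionhelper'] == "yes") {
			$config['system']['enablenatreflectionhelper'] = "yes";
		} else {
			unset($config['system']['enablenatreflectionhelper']);
		}

		$config['system']['reflectiontimeout'] = $_POST['reflectiontimeout'];

		if ($_POST['bypassstaticroutes'] == "yes") {
			$config['filter']['bypassstaticroutes'] = $_POST['bypassstaticroutes'];
		} elseif (isset($config['filter']['bypassstaticroutes'])) {
			unset($config['filter']['bypassstaticroutes']);
		}

		if ($_POST['disablescrub'] == "yes") {
			$config['system']['disablescrub'] = $_POST['disablescrub'];
		} else {
			unset($config['system']['disablescrub']);
		}

		/* Validated above to be an array of configured interface names. */
		if (!empty($_POST['tftpinterface'])) {
			$config['system']['tftpinterface'] = implode(",", $_POST['tftpinterface']);
		} else {
			unset($config['system']['tftpinterface']);
		}

		write_config();

		/*
		 * XXX: This is a kludge here but it's the better place than on every filter reload.
		 * NOTE: This is only for setting the ipfw state limits.
		 */
		if (!empty($_POST['maximumstates']) && is_numeric($_POST['maximumstates']) && is_module_loaded("ipfw.ko")) {
			filter_load_ipfw();
		}

		/*
		 * A return value containing "error" is shown to the user verbatim;
		 * anything else is wrapped in the standard save message.
		 */
		$retval = filter_configure();
		if (stristr($retval, "error") === false) {
			$savemsg = get_std_save_message($retval);
		} else {
			$savemsg = $retval;
		}
	}
}

$pgtitle = array(gettext("System"),gettext("Advanced: Firewall and NAT"));
include("head.inc");

?>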
|
182 |
|
|
|
183 |
|
|
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
|
184 |
|
|
<?php include("fbegin.inc"); ?>
|
185 |
|
|
|
186 |
|
|
<script language="JavaScript">
|
187 |
|
|
<!--
|
188 |
|
|
|
189 |
|
|
// Descriptions shown in the read-only "info" textarea, indexed by the position
// of the matching <option> in the "optimization" select below (normal,
// high-latency, aggressive, conservative). Only four entries are filled even
// though the array is sized for five.
// NOTE(review): the translated text is dropped straight into a JS string
// literal; a translation containing a double quote or backslash would break
// this script — consider emitting it through json_encode() instead.
var descs=new Array(5);
descs[0]="<?=gettext("as the name says, it's the normal optimization algorithm");?>";
descs[1]="<?=gettext("used for high latency links, such as satellite links. Expires idle connections later than default");?>";
descs[2]="<?=gettext("expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate connections");?>";
descs[3]="<?=gettext("tries to avoid dropping any legitimate connections at the expense of increased memory usage and CPU utilization.");?>";

// Copies the description for the given select index into the "info" textarea
// of the first form on the page. Called from the select's onChange handler
// and once at load time with the current selectedIndex.
function update_description(itemnum) {
document.forms[0].info.value=descs[itemnum];

}
|
199 |
|
|
|
200 |
|
|
//-->
|
201 |
|
|
</script>
|
202 |
|
|
|
203 |
|
|
<?php
	/* Surface validation failures and the save result produced by the POST handler above. */
	if (!empty($input_errors)) {
		print_input_errors($input_errors);
	}
	if (!empty($savemsg)) {
		print_info_box($savemsg);
	}
?>
|
209 |
ab3c8553
|
Matthew Grooms
|
<form action="system_advanced_firewall.php" method="post" name="iform" id="iform">
|
210 |
|
|
<table width="100%" border="0" cellpadding="0" cellspacing="0">
|
211 |
|
|
<tr>
|
212 |
|
|
<td class="tabnavtbl">
|
213 |
|
|
<?php
	/* Tab strip shared by the System > Advanced pages; each entry is (label, is-active, target page). */
	$tab_array = array(
		array(gettext("Admin Access"), false, "system_advanced_admin.php"),
		array(gettext("Firewall / NAT"), true, "system_advanced_firewall.php"),
		array(gettext("Networking"), false, "system_advanced_network.php"),
		array(gettext("Miscellaneous"), false, "system_advanced_misc.php"),
		array(gettext("System Tunables"), false, "system_advanced_sysctl.php"),
		array(gettext("Notifications"), false, "system_advanced_notifications.php"),
	);
	display_top_tabs($tab_array);
?>
|
223 |
df81417f
|
Matthew Grooms
|
</ul>
|
224 |
ab3c8553
|
Matthew Grooms
|
</td>
|
225 |
|
|
</tr>
|
226 |
|
|
<tr>
|
227 |
2ff19bfd
|
Matthew Grooms
|
<td id="mainarea">
|
228 |
|
|
<div class="tabcont">
|
229 |
|
|
<span class="vexpl">
|
230 |
|
|
<span class="red">
|
231 |
ea53e38f
|
Renato Botelho
|
<strong><?=gettext("NOTE:");?> </strong>
|
232 |
2ff19bfd
|
Matthew Grooms
|
</span>
|
233 |
ca23c2f8
|
Renato Botelho
|
<?=gettext("The options on this page are intended for use by advanced users only.");?>
|
234 |
2ff19bfd
|
Matthew Grooms
|
<br/>
|
235 |
|
|
</span>
|
236 |
|
|
<br/>
|
237 |
|
|
<table width="100%" border="0" cellpadding="6" cellspacing="0">
|
238 |
ab3c8553
|
Matthew Grooms
|
<tr>
|
239 |
ca23c2f8
|
Renato Botelho
|
<td colspan="2" valign="top" class="listtopic"><?=gettext("Firewall Advanced");?></td>
|
240 |
ab3c8553
|
Matthew Grooms
|
</tr>
|
241 |
|
|
<tr>
|
242 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("IP Do-Not-Fragment compatibility");?></td>
|
243 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
244 |
|
|
<input name="scrubnodf" type="checkbox" id="scrubnodf" value="yes" <?php if (isset($config['system']['scrubnodf'])) echo "checked"; ?> />
|
245 |
ca23c2f8
|
Renato Botelho
|
<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong><br/>
|
246 |
f0d1af93
|
Carlos Eduardo Ramos
|
<?=gettext("This allows for communications with hosts that generate fragmented " .
|
247 |
|
|
"packets with the don't fragment (DF) bit set. Linux NFS is known to " .
|
248 |
|
|
"do this. This will cause the filter to not drop such packets but " .
|
249 |
|
|
"instead clear the don't fragment bit.");?>
|
250 |
2867fa7b
|
Ermal Luçi
|
</td>
|
251 |
|
|
</tr>
|
252 |
|
|
<tr>
|
253 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("IP Random id generation");?></td>
|
254 |
2867fa7b
|
Ermal Luçi
|
<td width="78%" class="vtable">
|
255 |
|
|
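<input name="scrubrnid" type="checkbox" id="scrubrnid" value="yes" <?php /* id was a copy of the scrubnodf checkbox above, leaving two elements with the same id */ if (isset($config['system']['scrubrnid'])) echo "checked"; ?> />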
|
256 |
ca23c2f8
|
Renato Botelho
|
<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong><br/>
|
257 |
f0d1af93
|
Carlos Eduardo Ramos
|
<?=gettext("Replaces the IP identification field of packets with random values to " .
|
258 |
|
|
"compensate for operating systems that use predicatable values. " .
|
259 |
|
|
"This option only applies to packets that are not fragmented after the " .
|
260 |
|
|
"optional packet reassembly.");?>
|
261 |
ab3c8553
|
Matthew Grooms
|
</td>
|
262 |
|
|
</tr>
|
263 |
|
|
<tr>
|
264 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Optimization Options");?></td>
|
265 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
266 |
|
|
<select onChange="update_description(this.selectedIndex);" name="optimization" id="optimization">
|
267 |
ca23c2f8
|
Renato Botelho
|
<option value="normal"<?php if($config['system']['optimization']=="normal") echo " selected"; ?>><?=gettext("normal");?></option>
|
268 |
|
|
<option value="high-latency"<?php if($config['system']['optimization']=="high-latency") echo " selected"; ?>><?=gettext("high-latency");?></option>
|
269 |
|
|
<option value="aggressive"<?php if($config['system']['optimization']=="aggressive") echo " selected"; ?>><?=gettext("aggressive");?></option>
|
270 |
|
|
<option value="conservative"<?php if($config['system']['optimization']=="conservative") echo " selected"; ?>><?=gettext("conservative");?></option>
|
271 |
ab3c8553
|
Matthew Grooms
|
</select>
|
272 |
|
|
<br/>
|
273 |
dc4f649e
|
Scott Ullrich
|
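<textarea readonly="yes" cols="60" rows="2" id="info" name="info" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea>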
|
274 |
ab3c8553
|
Matthew Grooms
|
<script language="javascript" type="text/javascript">
|
275 |
|
|
update_description(document.forms[0].optimization.selectedIndex);
|
276 |
|
|
</script>
|
277 |
|
|
<br/>
|
278 |
ca23c2f8
|
Renato Botelho
|
<?=gettext("Select the type of state table optimization to use");?>
|
279 |
ab3c8553
|
Matthew Grooms
|
</td>
|
280 |
|
|
</tr>
|
281 |
|
|
<tr>
|
282 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("Disable Firewall");?></td>
|
283 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
284 |
|
|
<input name="disablefilter" type="checkbox" id="disablefilter" value="yes" <?php if (isset($config['system']['disablefilter'])) echo "checked"; ?> />
|
285 |
ca23c2f8
|
Renato Botelho
|
<strong><?=gettext("Disable all packet filtering.");?></strong>
|
286 |
ab3c8553
|
Matthew Grooms
|
<br/>
|
287 |
ca23c2f8
|
Renato Botelho
|
<span class="vexpl"><?php printf(gettext("Note: This converts %s into a routing only platform!"), $g['product_name']);?><br>
|
288 |
|
|
<?=gettext("Note: This will turn off NAT!");?>
|
289 |
ab3c8553
|
Matthew Grooms
|
</span>
|
290 |
|
|
</td>
|
291 |
|
|
</tr>
|
292 |
|
|
<tr>
|
293 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("Disable Firewall Scrub");?></td>
|
294 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
295 |
|
|
<input name="disablescrub" type="checkbox" id="disablescrub" value="yes" <?php if (isset($config['system']['disablescrub'])) echo "checked"; ?> />
|
296 |
ca23c2f8
|
Renato Botelho
|
<strong><?=gettext("Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.");?></strong>
|
297 |
ab3c8553
|
Matthew Grooms
|
<br/>
|
298 |
ca23c2f8
|
Renato Botelho
|
<?=gettext("Click")?> <a href='http://www.openbsd.org/faq/pf/scrub.html' target='_new'><?=gettext("here");?></a> <?=gettext("for more information.");?>
|
299 |
ab3c8553
|
Matthew Grooms
|
</td>
|
300 |
|
|
</tr>
|
301 |
|
|
<tr>
|
302 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Maximum States");?></td>
|
303 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
304 |
|
|
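<input name="maximumstates" type="text" id="maximumstates" value="<?php /* $pconfig is the raw POST after a failed save; escape for the attribute context */ echo htmlspecialchars($pconfig['maximumstates'], ENT_QUOTES); ?>" />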
|
305 |
|
|
<br/>
|
306 |
ca23c2f8
|
Renato Botelho
|
<strong><?=gettext("Maximum number of connections to hold in the firewall state table.");?></strong>
|
307 |
ab3c8553
|
Matthew Grooms
|
<br/>
|
308 |
ea53e38f
|
Renato Botelho
|
<span class="vexpl"><?=gettext("Note: Leave this blank for the default. On your system the default size is:");?> <?= pfsense_default_state_size() ?></span>
|
309 |
ab3c8553
|
Matthew Grooms
|
</td>
|
310 |
|
|
</tr>
|
311 |
fb586a16
|
jim-p
|
<tr>
|
312 |
|
|
<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Maximum Table Entries");?></td>
|
313 |
|
|
<td width="78%" class="vtable">
|
314 |
|
|
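<input name="maximumtableentries" type="text" id="maximumtableentries" value="<?php /* $pconfig is the raw POST after a failed save; escape for the attribute context */ echo htmlspecialchars($pconfig['maximumtableentries'], ENT_QUOTES); ?>" />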
|
315 |
|
|
<br/>
|
316 |
|
|
<strong><?=gettext("Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.");?></strong>
|
317 |
|
|
<br/>
|
318 |
|
|
<span class="vexpl">
|
319 |
|
|
<?=gettext("Note: Leave this blank for the default.");?>
|
320 |
|
|
<?php if (empty($pconfig['maximumtableentries'])): ?>
|
321 |
ea53e38f
|
Renato Botelho
|
<?= gettext("On your system the default size is:");?> <?= pfsense_default_table_entries_size(); ?>
|
322 |
fb586a16
|
jim-p
|
<?php endif; ?>
|
323 |
|
|
</span>
|
324 |
|
|
</td>
|
325 |
|
|
</tr>
|
326 |
ab3c8553
|
Matthew Grooms
|
<tr>
|
327 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("Static route filtering");?></td>
|
328 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
329 |
|
|
<input name="bypassstaticroutes" type="checkbox" id="bypassstaticroutes" value="yes" <?php if ($pconfig['bypassstaticroutes']) echo "checked"; ?> />
|
330 |
ca23c2f8
|
Renato Botelho
|
<strong><?=gettext("Bypass firewall rules for traffic on the same interface");?></strong>
|
331 |
ab3c8553
|
Matthew Grooms
|
<br/>
|
332 |
f0d1af93
|
Carlos Eduardo Ramos
|
<?=gettext("This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and " .
|
333 |
|
|
"leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where " .
|
334 |
|
|
"multiple subnets are connected to the same interface.");?>
|
335 |
ab3c8553
|
Matthew Grooms
|
<br/>
|
336 |
|
|
</td>
|
337 |
|
|
</tr>
|
338 |
9a36dc9d
|
Ermal
|
<tr>
|
339 |
|
|
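<td width="22%" valign="top" class="vncell"><?=gettext("Disable Auto-added VPN rules");?></td>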
|
340 |
|
|
<td width="78%" class="vtable">
|
341 |
|
|
<input name="disablevpnrules" type="checkbox" id="disablevpnrules" value="yes" <?php if (isset($config['system']['disablevpnrules'])) echo "checked"; ?> />
|
342 |
|
|
<strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
|
343 |
|
|
<br />
|
344 |
87bb66af
|
Ermal
|
<span class="vexpl"><?=gettext("Note: This disables automatically added rules for IPsec, PPTP.");?>
|
345 |
9a36dc9d
|
Ermal
|
</span>
|
346 |
|
|
</td>
|
347 |
|
|
</tr>
|
348 |
8b19f4a7
|
Erik Fonnesbeck
|
<tr>
|
349 |
|
|
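<td width="22%" valign="top" class="vncell"><?=gettext("Disable reply-to");?></td>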
|
350 |
|
|
<td width="78%" class="vtable">
|
351 |
|
|
<input name="disablereplyto" type="checkbox" id="disablereplyto" value="yes" <?php if ($pconfig['disablereplyto']) echo "checked"; ?> />
|
352 |
|
|
<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
|
353 |
|
|
<br />
|
354 |
|
|
<?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. " .
|
355 |
|
|
"When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?>
|
356 |
|
|
<br />
|
357 |
|
|
</td>
|
358 |
|
|
</tr>
|
359 |
ab3c8553
|
Matthew Grooms
|
<tr>
|
360 |
|
|
<td colspan="2" class="list" height="12"> </td>
|
361 |
|
|
</tr>
|
362 |
f691243d
|
Ermal
|
<?php if(count($config['interfaces']) > 1): ?>
|
363 |
ab3c8553
|
Matthew Grooms
|
<tr>
|
364 |
ca23c2f8
|
Renato Botelho
|
<td colspan="2" valign="top" class="listtopic"><?=gettext("Network Address Translation");?></td>
|
365 |
ab3c8553
|
Matthew Grooms
|
</tr>
|
366 |
|
|
<tr>
|
367 |
129bc052
|
Erik Fonnesbeck
|
<td width="22%" valign="top" class="vncell"><?=gettext("Disable NAT Reflection for port forwards");?></td>
|
368 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
369 |
|
|
<input name="disablenatreflection" type="checkbox" id="disablenatreflection" value="yes" <?php if (isset($config['system']['disablenatreflection'])) echo "checked"; ?> />
|
370 |
bff94015
|
Erik Fonnesbeck
|
<strong><?=gettext("Disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Note: Reflection for port forward entries is skipped for ranges larger than 500 ports.");?></strong>
|
371 |
|
|
</td>
|
372 |
|
|
</tr>
|
373 |
|
|
<tr>
|
374 |
|
|
<td width="22%" valign="top" class="vncell"><?=gettext("Reflection Timeout");?></td>
|
375 |
|
|
<td width="78%" class="vtable">
|
376 |
|
|
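<input name="reflectiontimeout" type="text" id="reflectiontimeout" value="<?php /* read from $pconfig like the other text fields so a failed save keeps the typed value; escaped for the attribute context */ echo htmlspecialchars($pconfig['reflectiontimeout'], ENT_QUOTES); ?>" /><br/>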
|
377 |
ed69be7a
|
Erik Fonnesbeck
|
<strong><?=gettext("Enter value for Reflection timeout in seconds. Note: Only applies to Reflection on port forwards.");?></strong>
|
378 |
ab3c8553
|
Matthew Grooms
|
</td>
|
379 |
|
|
</tr>
|
380 |
|
|
<tr>
|
381 |
129bc052
|
Erik Fonnesbeck
|
<td width="22%" valign="top" class="vncell"><?=gettext("Disable NAT Reflection for 1:1 NAT");?></td>
|
382 |
ab3c8553
|
Matthew Grooms
|
<td width="78%" class="vtable">
|
383 |
9fc22c6f
|
Erik Fonnesbeck
|
<input name="disablebinatreflection" type="checkbox" id="disablebinatreflection" value="yes" <?php if (!isset($config['system']['enablebinatreflection'])) echo "checked"; ?> />
|
384 |
bff94015
|
Erik Fonnesbeck
|
<strong><?=gettext("Disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. Note: Reflection for 1:1 NAT might not fully work in certain complex routing scenarios.");?></strong>
|
385 |
ab3c8553
|
Matthew Grooms
|
</td>
|
386 |
|
|
</tr>
|
387 |
a2b6c52f
|
Erik Fonnesbeck
|
<tr>
|
388 |
|
|
<td width="22%" valign="top" class="vncell"> </td>
|
389 |
|
|
<td width="78%" class="vtable">
|
390 |
|
|
<input name="enablenatreflectionhelper" type="checkbox" id="enablenatreflectionhelper" value="yes" <?php if (isset($config['system']['enablenatreflectionhelper'])) echo "checked"; ?> />
|
391 |
|
|
<strong><?=gettext("Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.");?></strong>
|
392 |
|
|
<br/>
|
393 |
|
|
<?=gettext("Currently only applies to 1:1 NAT rules. Required for full functionality of NAT Reflection for 1:1 NAT.");?>
|
394 |
|
|
</td>
|
395 |
|
|
</tr>
|
396 |
cfdce2ad
|
Ermal
|
<tr>
|
397 |
ca23c2f8
|
Renato Botelho
|
<td width="22%" valign="top" class="vncell"><?=gettext("TFTP Proxy");?></td>
|
398 |
cfdce2ad
|
Ermal
|
<td width="78%" class="vtable">
|
399 |
|
|
<select name="tftpinterface[]" multiple="true" class="formselect" size="3">
|
400 |
|
|
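<?php
	/*
	 * One option per configured interface (key = interface name, value =
	 * description). $pconfig['tftpinterface'] is the saved list on GET but the
	 * raw POST after a failed save, so it is only used once confirmed to be an
	 * array; option value and text are escaped for the HTML context.
	 */
	$ifdescs = get_configured_interface_with_descr();
	$selected_tftpifs = array();
	if (isset($pconfig['tftpinterface']) && is_array($pconfig['tftpinterface'])) {
		$selected_tftpifs = $pconfig['tftpinterface'];
	}
	foreach ($ifdescs as $ifent => $ifdesc):
?>
<option value="<?=htmlspecialchars($ifent, ENT_QUOTES);?>" <?php if (in_array($ifent, $selected_tftpifs)) echo "selected"; ?>><?=htmlspecialchars(gettext($ifdesc), ENT_QUOTES);?></option>
<?php endforeach; ?>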
|
406 |
|
|
</select>
|
407 |
c3c2fd20
|
Erik Fonnesbeck
|
<strong><?=gettext("Choose the interfaces where you want TFTP proxy helper to be enabled.");?></strong>
|
408 |
cfdce2ad
|
Ermal
|
</td>
|
409 |
|
|
</tr>
|
410 |
ab3c8553
|
Matthew Grooms
|
<tr>
|
411 |
|
|
<td colspan="2" class="list" height="12"> </td>
|
412 |
|
|
</tr>
|
413 |
|
|
<?php endif; ?>
|
414 |
|
|
<tr>
|
415 |
|
|
<td width="22%" valign="top"> </td>
|
416 |
cf9331b3
|
Renato Botelho
|
<td width="78%"><input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /></td>
|
417 |
ab3c8553
|
Matthew Grooms
|
</tr>
|
418 |
|
|
</table>
|
419 |
|
|
</td>
|
420 |
|
|
</tr>
|
421 |
|
|
</div>
|
422 |
|
|
</table>
|
423 |
|
|
</form>
|
424 |
df81417f
|
Matthew Grooms
|
|
425 |
|
|
<?php include("fend.inc"); ?>
|
426 |
|
|
</body>
|
427 |
|
|
</html>