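<?php
/* $Id$ */
/*
	system_advanced_firewall.php
	part of pfSense
	Copyright (C) 2005-2007 Scott Ullrich
	Copyright (C) 2008 Shrew Soft Inc
        Copyright (C) 2013-2014 Electric Sheep Fencing, LP

	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_MODULE:	system
*/

##|+PRIV
##|*IDENT=page-system-advanced-firewall
##|*NAME=System: Advanced: Firewall and NAT page
##|*DESCR=Allow access to the 'System: Advanced: Firewall and NAT' page.
##|*MATCH=system_advanced_firewall.php*
##|-PRIV

/*
 * System: Advanced: Firewall and NAT page.
 *
 * Copies the current firewall/NAT settings from $config into $pconfig so the
 * form can be pre-filled. On POST it validates the submitted fields, writes
 * them to $config, re-installs the bogon update cron job when its interval
 * changed, saves the configuration and reloads the filter, reporting the
 * outcome in $savemsg (or the validation failures in $input_errors).
 */

require("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");

/* The only values the form's <select> inputs offer. Anything else that is
 * posted is rejected instead of being written verbatim into $config. */
$optimization_values = array('normal', 'high-latency', 'aggressive', 'conservative');
$bogonsinterval_values = array('monthly', 'weekly', 'daily');

/* Current settings, used to pre-fill the form. */
$pconfig['disablefilter'] = $config['system']['disablefilter'];
$pconfig['rfc959workaround'] = $config['system']['rfc959workaround'];
$pconfig['scrubnodf'] = $config['system']['scrubnodf'];
$pconfig['scrubrnid'] = $config['system']['scrubrnid'];
/* NOTE(review): tcpidletimeout is validated below but this handler never
 * writes it back to $config. */
$pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout'];
/* NOTE(review): read from $config['filter'], but the save path below writes
 * $config['system']['optimization'] — confirm which location is canonical. */
$pconfig['optimization'] = $config['filter']['optimization'];
$pconfig['adaptivestart'] = $config['system']['adaptivestart'];
$pconfig['adaptiveend'] = $config['system']['adaptiveend'];
$pconfig['maximumstates'] = $config['system']['maximumstates'];
$pconfig['aliasesresolveinterval'] = $config['system']['aliasesresolveinterval'];
/* Remembered so a changed interval can stop filterdns after the save. */
$old_aliasesresolveinterval = $config['system']['aliasesresolveinterval'];
$pconfig['checkaliasesurlcert'] = isset($config['system']['checkaliasesurlcert']);
$pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
$pconfig['disablenegate'] = isset($config['system']['disablenegate']);
$pconfig['bogonsinterval'] = $config['system']['bogons']['interval'];
$pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
$pconfig['enablebinatreflection'] = $config['system']['enablebinatreflection'];
$pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
$pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']);
$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);

if ($_POST) {

	$input_errors = array();
	/* The submitted values replace the stored ones for redisplay. They are
	 * raw, unescaped user input: every place the page echoes a $pconfig value
	 * into HTML must pass it through htmlspecialchars(). */
	$pconfig = $_POST;

	/* input validation */
	if ((empty($_POST['adaptivestart']) && !empty($_POST['adaptiveend'])) || (!empty($_POST['adaptivestart']) && empty($_POST['adaptiveend']))) {
		$input_errors[] = gettext("The Firewall Adaptive values must be set together.");
	}
	if (!empty($_POST['adaptivestart']) && !is_numericint($_POST['adaptivestart'])) {
		$input_errors[] = gettext("The Firewall Adaptive Start value must be an integer.");
	}
	if (!empty($_POST['adaptiveend']) && !is_numericint($_POST['adaptiveend'])) {
		$input_errors[] = gettext("The Firewall Adaptive End value must be an integer.");
	}
	if ($_POST['maximumstates'] && !is_numericint($_POST['maximumstates'])) {
		$input_errors[] = gettext("The Firewall Maximum States value must be an integer.");
	}
	if ($_POST['aliasesresolveinterval'] && !is_numericint($_POST['aliasesresolveinterval'])) {
		$input_errors[] = gettext("The Aliases Hostname Resolve Interval value must be an integer.");
	}
	if ($_POST['maximumtableentries'] && !is_numericint($_POST['maximumtableentries'])) {
		$input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
	}
	if ($_POST['tcpidletimeout'] && !is_numericint($_POST['tcpidletimeout'])) {
		$input_errors[] = gettext("The TCP idle timeout must be an integer.");
	}
	if ($_POST['reflectiontimeout'] && !is_numericint($_POST['reflectiontimeout'])) {
		$input_errors[] = gettext("The Reflection timeout must be an integer.");
	}
	/* Select values are stored as-is below, so restrict them to the choices
	 * the form actually offers. */
	if (isset($_POST['optimization']) && !in_array($_POST['optimization'], $optimization_values, true)) {
		$input_errors[] = gettext("The Firewall Optimization option is not valid.");
	}
	if (!empty($_POST['bogonsinterval']) && !in_array($_POST['bogonsinterval'], $bogonsinterval_values, true)) {
		$input_errors[] = gettext("The Bogon Networks update frequency is not valid.");
	}
	/* implode() below requires an array; a scalar here would be a crafted request. */
	if (isset($_POST['tftpinterface']) && !is_array($_POST['tftpinterface'])) {
		$input_errors[] = gettext("The TFTP interface selection is not valid.");
	}

	ob_flush();
	flush();

	if (!$input_errors) {

		if ($_POST['disablefilter'] == "yes") {
			$config['system']['disablefilter'] = "enabled";
		} else {
			unset($config['system']['disablefilter']);
		}

		if ($_POST['disablevpnrules'] == "yes") {
			$config['system']['disablevpnrules'] = true;
		} else {
			unset($config['system']['disablevpnrules']);
		}
		if ($_POST['rfc959workaround'] == "yes") {
			$config['system']['rfc959workaround'] = "enabled";
		} else {
			unset($config['system']['rfc959workaround']);
		}

		if ($_POST['scrubnodf'] == "yes") {
			$config['system']['scrubnodf'] = "enabled";
		} else {
			unset($config['system']['scrubnodf']);
		}

		if ($_POST['scrubrnid'] == "yes") {
			$config['system']['scrubrnid'] = "enabled";
		} else {
			unset($config['system']['scrubrnid']);
		}

		if (!empty($_POST['adaptiveend'])) {
			$config['system']['adaptiveend'] = $_POST['adaptiveend'];
		} else {
			unset($config['system']['adaptiveend']);
		}
		if (!empty($_POST['adaptivestart'])) {
			$config['system']['adaptivestart'] = $_POST['adaptivestart'];
		} else {
			unset($config['system']['adaptivestart']);
		}

		if ($_POST['checkaliasesurlcert'] == "yes") {
			$config['system']['checkaliasesurlcert'] = true;
		} else {
			unset($config['system']['checkaliasesurlcert']);
		}

		$config['system']['optimization'] = $_POST['optimization'];
		$config['system']['maximumstates'] = $_POST['maximumstates'];
		$config['system']['aliasesresolveinterval'] = $_POST['aliasesresolveinterval'];
		$config['system']['maximumtableentries'] = $_POST['maximumtableentries'];

		/* The reflection mode is stored as two flags; any value other than
		 * "proxy" or "purenat" disables reflection. */
		if ($_POST['natreflection'] == "proxy") {
			unset($config['system']['disablenatreflection']);
			unset($config['system']['enablenatreflectionpurenat']);
		} else if ($_POST['natreflection'] == "purenat") {
			unset($config['system']['disablenatreflection']);
			$config['system']['enablenatreflectionpurenat'] = "yes";
		} else {
			$config['system']['disablenatreflection'] = "yes";
			unset($config['system']['enablenatreflectionpurenat']);
		}

		if ($_POST['enablebinatreflection'] == "yes") {
			$config['system']['enablebinatreflection'] = "yes";
		} else {
			unset($config['system']['enablebinatreflection']);
		}

		if ($_POST['disablereplyto'] == "yes") {
			$config['system']['disablereplyto'] = $_POST['disablereplyto'];
		} else {
			unset($config['system']['disablereplyto']);
		}

		if ($_POST['disablenegate'] == "yes") {
			$config['system']['disablenegate'] = $_POST['disablenegate'];
		} else {
			unset($config['system']['disablenegate']);
		}

		if ($_POST['enablenatreflectionhelper'] == "yes") {
			$config['system']['enablenatreflectionhelper'] = "yes";
		} else {
			unset($config['system']['enablenatreflectionhelper']);
		}

		$config['system']['reflectiontimeout'] = $_POST['reflectiontimeout'];

		if ($_POST['bypassstaticroutes'] == "yes") {
			$config['filter']['bypassstaticroutes'] = $_POST['bypassstaticroutes'];
		} elseif (isset($config['filter']['bypassstaticroutes'])) {
			unset($config['filter']['bypassstaticroutes']);
		}

		if ($_POST['disablescrub'] == "yes") {
			$config['system']['disablescrub'] = $_POST['disablescrub'];
		} else {
			unset($config['system']['disablescrub']);
		}

		if ($_POST['tftpinterface']) {
			$config['system']['tftpinterface'] = implode(",", $_POST['tftpinterface']);
		} else {
			unset($config['system']['tftpinterface']);
		}

		/* Re-install the bogon update cron job only when the interval changed. */
		if ($_POST['bogonsinterval'] != $config['system']['bogons']['interval']) {
			switch ($_POST['bogonsinterval']) {
				case 'daily':
					install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "*", "*", "*");
					break;
				case 'weekly':
					install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "*", "*", "0");
					break;
				case 'monthly':
					// fall through
				default:
					install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "1", "*", "*");
			}
			$config['system']['bogons']['interval'] = $_POST['bogonsinterval'];
		}

		write_config();

		// Kill filterdns when value changes, filter_configure() will restart it
		if (($old_aliasesresolveinterval != $config['system']['aliasesresolveinterval']) &&
		    isvalidpid("{$g['varrun_path']}/filterdns.pid")) {
			killbypid("{$g['varrun_path']}/filterdns.pid");
		}

		$retval = filter_configure();
		/* A result containing "error" is shown verbatim; anything else gets
		 * the standard save message. */
		if (stristr($retval, "error") === false) {
			$savemsg = get_std_save_message($retval);
		} else {
			$savemsg = $retval;
		}
	}
}

$pgtitle = array(gettext("System"),gettext("Advanced: Firewall and NAT"));
include("head.inc");

?>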
237
238
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
239
<?php include("fbegin.inc"); ?>
240
241 8712fab6 Colin Fleming
<script type="text/javascript">
242
//<![CDATA[
243 df81417f Matthew Grooms
244
var descs=new Array(5);
245 ca23c2f8 Renato Botelho
descs[0]="<?=gettext("as the name says, it's the normal optimization algorithm");?>";
246
descs[1]="<?=gettext("used for high latency links, such as satellite links.  Expires idle connections later than default");?>";
247 0d5eff9f jim-p
descs[2]="<?=gettext("expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections");?>";
248
descs[3]="<?=gettext("tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization.");?>";
249 df81417f Matthew Grooms
250
function update_description(itemnum) {
251 db0aa52a Renato Botelho
	document.forms[0].info.value=descs[itemnum];
252 df81417f Matthew Grooms
253
}
254
255 8712fab6 Colin Fleming
//]]>
256 df81417f Matthew Grooms
</script>
257
258
<?php
259
	if ($input_errors)
260
		print_input_errors($input_errors);
261
	if ($savemsg)
262
		print_info_box($savemsg);
263
?>
264 ab3c8553 Matthew Grooms
	<form action="system_advanced_firewall.php" method="post" name="iform" id="iform">
265 8712fab6 Colin Fleming
		<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="system advanced firewall/nat">
266 ab3c8553 Matthew Grooms
			<tr>
267
				<td class="tabnavtbl">
268
					<?php
269
						$tab_array = array();
270 ca23c2f8 Renato Botelho
						$tab_array[] = array(gettext("Admin Access"), false, "system_advanced_admin.php");
271
						$tab_array[] = array(gettext("Firewall / NAT"), true, "system_advanced_firewall.php");
272
						$tab_array[] = array(gettext("Networking"), false, "system_advanced_network.php");
273
						$tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php");
274
						$tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php");
275
						$tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php");
276 ab3c8553 Matthew Grooms
						display_top_tabs($tab_array);
277
					?>
278
				</td>
279
			</tr>
280
			<tr>
281 2ff19bfd Matthew Grooms
				<td id="mainarea">
282
					<div class="tabcont">
283
						<span class="vexpl">
284
							<span class="red">
285 8712fab6 Colin Fleming
								<strong><?=gettext("NOTE:");?>&nbsp;</strong>
286 2ff19bfd Matthew Grooms
							</span>
287 ca23c2f8 Renato Botelho
							<?=gettext("The options on this page are intended for use by advanced users only.");?>
288 8cd558b6 ayvis
							<br />
289 2ff19bfd Matthew Grooms
						</span>
290 8cd558b6 ayvis
						<br />
291 8712fab6 Colin Fleming
						<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area">
292 ab3c8553 Matthew Grooms
							<tr>
293 ca23c2f8 Renato Botelho
								<td colspan="2" valign="top" class="listtopic"><?=gettext("Firewall Advanced");?></td>
294 ab3c8553 Matthew Grooms
							</tr>
295
							<tr>
296 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("IP Do-Not-Fragment compatibility");?></td>
297 ab3c8553 Matthew Grooms
								<td width="78%" class="vtable">
298 8712fab6 Colin Fleming
									<input name="scrubnodf" type="checkbox" id="scrubnodf" value="yes" <?php if (isset($config['system']['scrubnodf'])) echo "checked=\"checked\""; ?> />
299 8cd558b6 ayvis
									<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong><br />
300 f0d1af93 Carlos Eduardo Ramos
									<?=gettext("This allows for communications with hosts that generate fragmented " .
301
									"packets with the don't fragment (DF) bit set. Linux NFS is known to " .
302
									"do this. This will cause the filter to not drop such packets but " .
303
									"instead clear the don't fragment bit.");?>
304 2867fa7b Ermal Luçi
								</td>
305
							</tr>
306
							<tr>
307 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("IP Random id generation");?></td>
308 2867fa7b Ermal Luçi
								<td width="78%" class="vtable">
309 8712fab6 Colin Fleming
									<input name="scrubrnid" type="checkbox" id="scrubrnid" value="yes" <?php if (isset($config['system']['scrubrnid'])) echo "checked=\"checked\""; ?> />
310 8cd558b6 ayvis
									<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong><br />
311 f0d1af93 Carlos Eduardo Ramos
									<?=gettext("Replaces the IP identification field of packets with random values to " .
312 08847295 jim-p
									"compensate for operating systems that use predictable values. " .
313 f0d1af93 Carlos Eduardo Ramos
									"This option only applies to packets that are not fragmented after the " .
314
									"optional packet reassembly.");?>
315 ab3c8553 Matthew Grooms
								</td>
316
							</tr>
317
							<tr>
318 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Optimization Options");?></td>
319 ab3c8553 Matthew Grooms
								<td width="78%" class="vtable">
320 8712fab6 Colin Fleming
									<select onchange="update_description(this.selectedIndex);" name="optimization" id="optimization">
321
										<option value="normal"<?php if($config['system']['optimization']=="normal") echo " selected=\"selected\""; ?>><?=gettext("normal");?></option>
322
										<option value="high-latency"<?php if($config['system']['optimization']=="high-latency") echo " selected=\"selected\""; ?>><?=gettext("high-latency");?></option>
323
										<option value="aggressive"<?php if($config['system']['optimization']=="aggressive") echo " selected=\"selected\""; ?>><?=gettext("aggressive");?></option>
324
										<option value="conservative"<?php if($config['system']['optimization']=="conservative") echo " selected=\"selected\""; ?>><?=gettext("conservative");?></option>
325 ab3c8553 Matthew Grooms
									</select>
326 8cd558b6 ayvis
									<br />
327 b4e9a4da N0YB
									<textarea readonly="readonly" cols="60" rows="2" id="info" name="info" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea>
328 8712fab6 Colin Fleming
									<script type="text/javascript">
329
									//<![CDATA[
330 ab3c8553 Matthew Grooms
										update_description(document.forms[0].optimization.selectedIndex);
331 8712fab6 Colin Fleming
									//]]>
332 ab3c8553 Matthew Grooms
									</script>
333 8cd558b6 ayvis
									<br />
334 ca23c2f8 Renato Botelho
									<?=gettext("Select the type of state table optimization to use");?>
335 ab3c8553 Matthew Grooms
								</td>
336
							</tr>
337
							<tr>
338 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("Disable Firewall");?></td>
339 ab3c8553 Matthew Grooms
								<td width="78%" class="vtable">
340 8712fab6 Colin Fleming
									<input name="disablefilter" type="checkbox" id="disablefilter" value="yes" <?php if (isset($config['system']['disablefilter'])) echo "checked=\"checked\""; ?> />
341 ca23c2f8 Renato Botelho
									<strong><?=gettext("Disable all packet filtering.");?></strong>
342 8cd558b6 ayvis
									<br />
343 8712fab6 Colin Fleming
									<span class="vexpl"><?php printf(gettext("Note:  This converts %s into a routing only platform!"), $g['product_name']);?><br />
344 5a8a7545 jim-p
										<?=gettext("Note:  This will also turn off NAT!");?>
345 8cd558b6 ayvis
										<br /><?=gettext("If you only want to disable NAT, and not firewall rules, visit the");?> <a href="firewall_nat_out.php"><?=gettext("Outbound NAT");?></a> <?=gettext("page");?>.
346 ab3c8553 Matthew Grooms
									</span>
347
								</td>
348
							</tr>
349
							<tr>
350 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("Disable Firewall Scrub");?></td>
351 ab3c8553 Matthew Grooms
								<td width="78%" class="vtable">
352 8712fab6 Colin Fleming
									<input name="disablescrub" type="checkbox" id="disablescrub" value="yes" <?php if (isset($config['system']['disablescrub'])) echo "checked=\"checked\""; ?> />
353 ca23c2f8 Renato Botelho
									<strong><?=gettext("Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.");?></strong>
354 8cd558b6 ayvis
									<br />
355 ab3c8553 Matthew Grooms
								</td>
356
							</tr>
357 11d1d64e Ermal
							<tr>
358
								<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Adaptive Timeouts");?></td>
359
								<td width="78%" class="vtable">
360
									<strong><?=gettext("Timeouts for states can be scaled adaptively as the number of state table entries grows.");?></strong>
361 8cd558b6 ayvis
									<br />
362 11d1d64e Ermal
									<input name="adaptivestart" type="text" id="adaptivestart" value="<?php echo $pconfig['adaptivestart']; ?>" />
363 8cd558b6 ayvis
									<br /><?=gettext("When the number of state entries exceeds this value, adaptive scaling begins.  All timeout values are scaled linearly with factor (adaptive.end - number of states) / (adaptive.end - adaptive.start).");?>
364 db0aa52a Renato Botelho
365 8cd558b6 ayvis
									<br />
366 11d1d64e Ermal
									<input name="adaptiveend" type="text" id="adaptiveend" value="<?php echo $pconfig['adaptiveend']; ?>" />
367 8cd558b6 ayvis
									<br /><?=gettext("When reaching this number of state entries, all timeout values become zero, effectively purging all state entries immediately.  This value is used to define the scale factor, it should not actually be reached (set a lower state limit, see below).");?>
368
									<br />
369 11d1d64e Ermal
									<span class="vexpl"><?=gettext("Note:  Leave this blank for the default(0).");?></span>
370
								</td>
371
							</tr>
372 ab3c8553 Matthew Grooms
							<tr>
373 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Maximum States");?></td>
374 ab3c8553 Matthew Grooms
								<td width="78%" class="vtable">
375
									<input name="maximumstates" type="text" id="maximumstates" value="<?php echo $pconfig['maximumstates']; ?>" />
376 8cd558b6 ayvis
									<br />
377 ca23c2f8 Renato Botelho
									<strong><?=gettext("Maximum number of connections to hold in the firewall state table.");?></strong>
378 8cd558b6 ayvis
									<br />
379 ea53e38f Renato Botelho
									<span class="vexpl"><?=gettext("Note:  Leave this blank for the default.  On your system the default size is:");?> <?= pfsense_default_state_size() ?></span>
380 ab3c8553 Matthew Grooms
								</td>
381
							</tr>
382 fb586a16 jim-p
							<tr>
383
								<td width="22%" valign="top" class="vncell"><?=gettext("Firewall Maximum Table Entries");?></td>
384
								<td width="78%" class="vtable">
385
									<input name="maximumtableentries" type="text" id="maximumtableentries" value="<?php echo $pconfig['maximumtableentries']; ?>" />
386 8cd558b6 ayvis
									<br />
387 fb586a16 jim-p
									<strong><?=gettext("Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.");?></strong>
388 8cd558b6 ayvis
									<br />
389 fb586a16 jim-p
									<span class="vexpl">
390
										<?=gettext("Note:  Leave this blank for the default.");?>
391
										<?php if (empty($pconfig['maximumtableentries'])): ?>
392 ea53e38f Renato Botelho
											<?= gettext("On your system the default size is:");?> <?= pfsense_default_table_entries_size(); ?>
393 fb586a16 jim-p
										<?php endif; ?>
394
									</span>
395
								</td>
396
							</tr>
397 ab3c8553 Matthew Grooms
							<tr>
398 ca23c2f8 Renato Botelho
								<td width="22%" valign="top" class="vncell"><?=gettext("Static route filtering");?></td>
399 ab3c8553 Matthew Grooms
								<td width="78%" class="vtable">
400 8712fab6 Colin Fleming
									<input name="bypassstaticroutes" type="checkbox" id="bypassstaticroutes" value="yes" <?php if ($pconfig['bypassstaticroutes']) echo "checked=\"checked\""; ?> />
401 ca23c2f8 Renato Botelho
									<strong><?=gettext("Bypass firewall rules for traffic on the same interface");?></strong>
402 8cd558b6 ayvis
									<br />
403 f0d1af93 Carlos Eduardo Ramos
									<?=gettext("This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and " .
404 db0aa52a Renato Botelho
									"leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where " .
405 f0d1af93 Carlos Eduardo Ramos
									"multiple subnets are connected to the same interface.");?>
406 8cd558b6 ayvis
									<br />
407 ab3c8553 Matthew Grooms
								</td>
408
							</tr>
409 9a36dc9d Ermal
							<tr>
410
								<td width="22%" valign="top" class="vncell">Disable Auto-added VPN rules</td>
411
								<td width="78%" class="vtable">
412 8712fab6 Colin Fleming
									<input name="disablevpnrules" type="checkbox" id="disablevpnrules" value="yes" <?php if (isset($config['system']['disablevpnrules'])) echo "checked=\"checked\""; ?> />
413 9a36dc9d Ermal
									<strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
414
									<br />
415 db0aa52a Renato Botelho
									<span class="vexpl"><?=gettext("Note: This disables automatically added rules for IPsec, PPTP.");?>
416 9a36dc9d Ermal
									</span>
417
								</td>
418
							</tr>
419 8b19f4a7 Erik Fonnesbeck
							<tr>
420
								<td width="22%" valign="top" class="vncell">Disable reply-to</td>
421
								<td width="78%" class="vtable">
422 8712fab6 Colin Fleming
									<input name="disablereplyto" type="checkbox" id="disablereplyto" value="yes" <?php if ($pconfig['disablereplyto']) echo "checked=\"checked\""; ?> />
423 8b19f4a7 Erik Fonnesbeck
									<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
424
									<br />
425
									<?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. " .
426
									"When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?>
427
									<br />
428
								</td>
429
							</tr>
430 9ae39b01 smos
							<tr>
431 db0aa52a Renato Botelho
								<td width="22%" valign="top" class="vncell">Disable Negate rules</td>
432 9ae39b01 smos
								<td width="78%" class="vtable">
433 8712fab6 Colin Fleming
									<input name="disablenegate" type="checkbox" id="disablenegate" value="yes" <?php if ($pconfig['disablenegate']) echo "checked=\"checked\""; ?> />
434 9ae39b01 smos
									<strong><?=gettext("Disable Negate rule on policy routing rules");?></strong>
435
									<br />
436
									<?=gettext("With Multi-WAN you generally want to ensure traffic reaches directly connected networks and VPN networks when using policy routing. You can disable this for special purposes but it requires manually creating rules for these networks");?>
437
									<br />
438
								</td>
439 ab3ab2ac Renato Botelho
							</tr>
440
							<tr>
441
								<td width="22%" valign="top" class="vncell"><?=gettext("Aliases Hostnames Resolve Interval");?></td>
442
								<td width="78%" class="vtable">
443
									<input name="aliasesresolveinterval" type="text" id="aliasesresolveinterval" value="<?php echo $pconfig['aliasesresolveinterval']; ?>" />
444 8cd558b6 ayvis
									<br />
445 ab3ab2ac Renato Botelho
									<strong><?=gettext("Interval, in seconds, that will be used to resolve hostnames configured on aliases.");?></strong>
446 8cd558b6 ayvis
									<br />
447 ab3ab2ac Renato Botelho
									<span class="vexpl"><?=gettext("Note:  Leave this blank for the default (300s).");?></span>
448
								</td>
449 08b861a8 Renato Botelho
							</tr>
450
							<tr>
451
							<td width="22%" valign="top" class="vncell"><?=gettext("Check certificate of aliases URLs");?></td>
452
								<td width="78%" class="vtable">
453
									<input name="checkaliasesurlcert" type="checkbox" id="checkaliasesurlcert" value="yes" <?php if ($pconfig['checkaliasesurlcert']) echo "checked=\"checked\""; ?> />
454 e66c4a0f Chris Buechler
									<strong><?=gettext("Verify HTTPS certificates when downloading alias URLs");?></strong>
455 08b861a8 Renato Botelho
									<br />
456 e66c4a0f Chris Buechler
									<?=gettext("Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.");?>
457 08b861a8 Renato Botelho
									<br />
458
								</td>
459 9ae39b01 smos
							</tr>
460 ab3c8553 Matthew Grooms
							<tr>
461
								<td colspan="2" class="list" height="12">&nbsp;</td>
462
							</tr>
463 6b4480dc bcyrill
							<tr>
464
								<td colspan="2" valign="top" class="listtopic"><?=gettext("Bogon Networks");?></td>
465 db0aa52a Renato Botelho
							</tr>
466 6b4480dc bcyrill
							<tr>
467
								<td width="22%" valign="top" class="vncell"><?=gettext("Update Frequency");?></td>
468
								<td width="78%" class="vtable">
469
									<select name="bogonsinterval" class="formselect">
470 8712fab6 Colin Fleming
									<option value="monthly" <?php if (empty($pconfig['bogonsinterval']) || $pconfig['bogonsinterval'] == 'monthly') echo "selected=\"selected\""; ?>><?=gettext("Monthly"); ?></option>
471
									<option value="weekly" <?php if ($pconfig['bogonsinterval'] == 'weekly') echo "selected=\"selected\""; ?>><?=gettext("Weekly"); ?></option>
472
									<option value="daily" <?php if ($pconfig['bogonsinterval'] == 'daily') echo "selected=\"selected\""; ?>><?=gettext("Daily"); ?></option>
473 6b4480dc bcyrill
									</select>
474 8cd558b6 ayvis
									<br />
475 6b4480dc bcyrill
									<?=gettext("The frequency of updating the lists of IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA.");?>
476
								</td>
477
							</tr>
478
							<tr>
479
								<td colspan="2" class="list" height="12">&nbsp;</td>
480
							</tr>
481 f691243d Ermal
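							<?php
								/*
								 * "Network Address Translation" section of the form.
								 * Only rendered when more than one interface is configured;
								 * with a single interface there is nothing to reflect or proxy.
								 *
								 * The NAT Reflection mode is persisted as two independent flags
								 * (disablenatreflection / enablenatreflectionpurenat), so the
								 * single <select> value is derived once here rather than
								 * re-evaluating the flag combination in every <option>.
								 */
								if (count($config['interfaces']) > 1):
									if (isset($config['system']['disablenatreflection']))
										$natreflection_mode = 'disable';
									elseif (isset($config['system']['enablenatreflectionpurenat']))
										$natreflection_mode = 'purenat';
									else
										$natreflection_mode = 'proxy';
							?>
							<tr>
								<td colspan="2" valign="top" class="listtopic"><?=gettext("Network Address Translation");?></td>
							</tr>
							<tr>
								<td width="22%" valign="top" class="vncell"><?=gettext("NAT Reflection mode for port forwards");?></td>
								<td width="78%" class="vtable">
									<select name="natreflection" class="formselect">
									<option value="disable" <?php if ($natreflection_mode === 'disable') echo "selected=\"selected\""; ?>><?=gettext("Disable"); ?></option>
									<option value="proxy" <?php if ($natreflection_mode === 'proxy') echo "selected=\"selected\""; ?>><?=gettext("Enable (NAT + Proxy)"); ?></option>
									<option value="purenat" <?php if ($natreflection_mode === 'purenat') echo "selected=\"selected\""; ?>><?=gettext("Enable (Pure NAT)"); ?></option>
									</select>
									<br />
									<strong><?=gettext("When enabled, this automatically creates additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks.");?></strong>
									<br /><br />
									<?=gettext("The NAT + proxy mode uses a helper program to send packets to the target of the port forward.  It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded.  Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards.  Only TCP and UDP protocols are supported.");?>
									<br /><br />
									<?=gettext("The pure NAT mode uses a set of NAT rules to direct packets to the target of the port forward.  It has better scalability, but it must be possible to accurately determine the interface and gateway IP used for communication with the target at the time the rules are loaded.  There are no inherent limits to the number of ports other than the limits of the protocols.  All protocols available for port forwards are supported.");?>
									<br /><br />
									<?=gettext("Individual rules may be configured to override this system setting on a per-rule basis.");?>
								</td>
							</tr>
							<tr>
								<td width="22%" valign="top" class="vncell"><?=gettext("Reflection Timeout");?></td>
								<td width="78%" class="vtable">
									<?php
										/* Stored config values are written back into an HTML attribute
										 * here; escape them so a non-numeric value persisted in
										 * config.xml cannot break out of the attribute. */
										$reflectiontimeout = isset($config['system']['reflectiontimeout']) ? $config['system']['reflectiontimeout'] : '';
									?>
									<input name="reflectiontimeout" id="reflectiontimeout" value="<?=htmlspecialchars($reflectiontimeout);?>" /><br />
									<strong><?=gettext("Enter value for Reflection timeout in seconds.");?></strong>
									<br /><br />
									<?=gettext("Note: Only applies to Reflection on port forwards in NAT + proxy mode.");?>
								</td>
							</tr>
							<tr>
								<td width="22%" valign="top" class="vncell"><?=gettext("Enable NAT Reflection for 1:1 NAT");?></td>
								<td width="78%" class="vtable">
									<input name="enablebinatreflection" type="checkbox" id="enablebinatreflection" value="yes" <?php if (isset($config['system']['enablebinatreflection'])) echo "checked=\"checked\""; ?> />
									<strong><?=gettext("Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks.");?></strong>
									<br /><br />
									<?=gettext("Note: Reflection on 1:1 mappings is only for the inbound component of the 1:1 mappings.  This functions the same as the pure NAT mode for port forwards.  For more details, refer to the pure NAT mode description above.");?>
									<br /><br />
									<?=gettext("Individual rules may be configured to override this system setting on a per-rule basis.");?>
								</td>
							</tr>
							<tr>
								<td width="22%" valign="top" class="vncell"><?=gettext("Enable automatic outbound NAT for Reflection");?></td>
								<td width="78%" class="vtable">
									<input name="enablenatreflectionhelper" type="checkbox" id="enablenatreflectionhelper" value="yes" <?php if (isset($config['system']['enablenatreflectionhelper'])) echo "checked=\"checked\""; ?> />
									<strong><?=gettext("Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.");?></strong>
									<br />
									<?=gettext("Required for full functionality of the pure NAT mode of NAT Reflection for port forwards or NAT Reflection for 1:1 NAT.");?>
									<br /><br />
									<?=gettext("Note: This only works for assigned interfaces.  Other interfaces require manually creating the outbound NAT rules that direct the reply packets back through the router.");?>
								</td>
							</tr>
							<tr>
								<td width="22%" valign="top" class="vncell"><?=gettext("TFTP Proxy");?></td>
								<td width="78%" class="vtable">
									<select name="tftpinterface[]" multiple="multiple" class="formselect" size="3">
<?php
										/* Interface list for the TFTP proxy multi-select.
										 * $pconfig['tftpinterface'] is expected to be a list of
										 * interface names; guard against it being unset so in_array()
										 * does not run against a non-array. Interface descriptions
										 * are operator-supplied text and are escaped before output. */
										$ifdescs = get_configured_interface_with_descr();
										if (!is_array($ifdescs))
											$ifdescs = array();
										$tftpifaces = (isset($pconfig['tftpinterface']) && is_array($pconfig['tftpinterface'])) ? $pconfig['tftpinterface'] : array();
										foreach ($ifdescs as $ifent => $ifdesc):
?>
											<option value="<?=htmlspecialchars($ifent);?>" <?php if (in_array($ifent, $tftpifaces, true)) echo "selected=\"selected\""; ?>><?=htmlspecialchars(gettext($ifdesc));?></option>
<?php									endforeach;
										/* An empty <select> renders oddly in some browsers; keep one blank option. */
										if (count($ifdescs) == 0)
											echo "<option></option>";
 ?>
									</select>
									<strong><?=gettext("Choose the interfaces where you want TFTP proxy helper to be enabled.");?></strong>
								</td>
							</tr>
							<tr>
								<td colspan="2" class="list" height="12">&nbsp;</td>
							</tr>
							<?php endif; ?>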
							<tr>
								<td width="22%" valign="top">&nbsp;</td>
								<td width="78%"><input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /></td>
							</tr>
						</table>
					</div>
				</td>
			</tr>
		</table>
	</form>
<?php include("fend.inc"); ?>
</body>
</html>