/usr/local/www/firewall_rules_edit.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/usr/local/www/firewall_rules_edit.php @ f1c49ff4

1	5ba18897	Scott Ullrich	<?php
2	b46bfcf5	Bill Marquette	/* $Id$ */
3	5b237745	Scott Ullrich	/*
4	bdb7d6e7	Scott Ullrich	firewall_rules_edit.php
5	e4cabb75	Scott Ullrich	part of pfSense (http://www.pfsense.com)
6			Copyright (C) 2005 Scott Ullrich (sullrich@gmail.com)
7	5ba18897	Scott Ullrich
8	e4cabb75	Scott Ullrich	originally part of m0n0wall (http://m0n0.ch/wall)
9	bdb7d6e7	Scott Ullrich	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
10			All rights reserved.
11	5ba18897	Scott Ullrich
12	bdb7d6e7	Scott Ullrich	Redistribution and use in source and binary forms, with or without
13			modification, are permitted provided that the following conditions are met:
14	5ba18897	Scott Ullrich
15	bdb7d6e7	Scott Ullrich	1. Redistributions of source code must retain the above copyright notice,
16			this list of conditions and the following disclaimer.
17	5ba18897	Scott Ullrich
18	bdb7d6e7	Scott Ullrich	2. Redistributions in binary form must reproduce the above copyright
19			notice, this list of conditions and the following disclaimer in the
20			documentation and/or other materials provided with the distribution.
21	5ba18897	Scott Ullrich
22	bdb7d6e7	Scott Ullrich	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
23			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
24			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
26			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31			POSSIBILITY OF SUCH DAMAGE.
32	5b237745	Scott Ullrich	*/
33
34	6b07c15a	Matthew Grooms	##\|+PRIV
35			##\|*IDENT=page-firewall-rules-edit
36			##\|*NAME=Firewall: Rules: Edit page
37			##\|*DESCR=Allow access to the 'Firewall: Rules: Edit' page.
38			##\|MATCH=firewall_rules_edit.php
39			##\|-PRIV
40
41
42	5b237745	Scott Ullrich	require("guiconfig.inc");
43
44	4d828a9a	Ermal Lu?i	$specialsrcdst = explode(" ", "any pptp pppoe l2tp");
45	3331a640	Ermal Lu?i	$ifdisp = get_configured_interface_with_descr();
46	679d21bb	Ermal Lu?i	foreach ($ifdisp as $kif => $kdescr) {
47	3331a640	Ermal Lu?i	$specialsrcdst[] = "{$kif}";
48			$specialsrcdst[] = "{$kif}ip";
49	679d21bb	Ermal Lu?i	}
50	5b237745	Scott Ullrich
51			if (!is_array($config['filter']['rule'])) {
52			$config['filter']['rule'] = array();
53			}
54			filter_rules_sort();
55			$a_filter = &$config['filter']['rule'];
56
57			$id = $_GET['id'];
58			if (is_numeric($_POST['id']))
59			$id = $_POST['id'];
60	5ba18897	Scott Ullrich
61	5b237745	Scott Ullrich	$after = $_GET['after'];
62
63			if (isset($_POST['after']))
64			$after = $_POST['after'];
65
66			if (isset($_GET['dup'])) {
67			$id = $_GET['dup'];
68			$after = $_GET['dup'];
69			}
70
71			if (isset($id) && $a_filter[$id]) {
72			$pconfig['interface'] = $a_filter[$id]['interface'];
73	5ba18897	Scott Ullrich
74	5b237745	Scott Ullrich	if (!isset($a_filter[$id]['type']))
75			$pconfig['type'] = "pass";
76			else
77			$pconfig['type'] = $a_filter[$id]['type'];
78	5ba18897	Scott Ullrich
79	4633edc2	Ermal Luçi	if (isset($a_filter[$id]['floating']) \|\| $if == "FloatingRules") {
80	661aed33	Ermal Luçi	$pconfig['floating'] = $a_filter[$id]['floating'];
81			if (isset($a_filter[$id]['interface']) && $a_filter[$id]['interface'] <> "")
82			$pconfig['interface'] = $a_filter[$id]['interface'];
83			}
84
85			if (isset($a_filter['floating']))
86			$pconfig['floating'] = "yes";
87
88			if (isset($a_filter[$id]['direction']))
89			$pconfig['direction'] = $a_filter[$id]['direction'];
90
91	5b237745	Scott Ullrich	if (isset($a_filter[$id]['protocol']))
92			$pconfig['proto'] = $a_filter[$id]['protocol'];
93			else
94			$pconfig['proto'] = "any";
95	5ba18897	Scott Ullrich
96	5b237745	Scott Ullrich	if ($a_filter[$id]['protocol'] == "icmp")
97			$pconfig['icmptype'] = $a_filter[$id]['icmptype'];
98	5ba18897	Scott Ullrich
99	5b237745	Scott Ullrich	address_to_pconfig($a_filter[$id]['source'], $pconfig['src'],
100			$pconfig['srcmask'], $pconfig['srcnot'],
101			$pconfig['srcbeginport'], $pconfig['srcendport']);
102	5ba18897	Scott Ullrich
103	8be60f21	Scott Ullrich	if($a_filter[$id]['os'] <> "")
104			$pconfig['os'] = $a_filter[$id]['os'];
105	e33c8694	Bill Marquette
106	5b237745	Scott Ullrich	address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'],
107			$pconfig['dstmask'], $pconfig['dstnot'],
108			$pconfig['dstbeginport'], $pconfig['dstendport']);
109
110	c5fc1b2e	Ermal Luçi	if ($a_filter[$id]['dscp'] <> "")
111			$pconfig['dscp'] = $a_filter[$id]['dscp'];
112
113	5b237745	Scott Ullrich	$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
114			$pconfig['log'] = isset($a_filter[$id]['log']);
115			$pconfig['descr'] = $a_filter[$id]['descr'];
116	8c84fe43	Scott Ullrich
117	5c1f5584	Ermal Luçi	if (isset($a_filter[$id]['tag']) && $a_filter[$id]['tag'] <> "")
118	661aed33	Ermal Luçi	$pconfig['tag'] = $a_filter[$id]['tag'];
119	b6494651	Ermal Lu?i	if (isset($a_filter[$id]['tagged']) && $a_filter[$id]['tagged'] <> "")
120	661aed33	Ermal Luçi	$pconfig['tagged'] = $a_filter[$id]['tagged'];
121			if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
122			$pconfig['quick'] = $a_filter[$id]['quick'];
123	775ccea3	Ermal Luci	if (isset($a_filter[$id]['allowopts']))
124			$pconfig['allowopts'] = true;
125	661aed33	Ermal Luçi
126	ed08ef3e	Scott Ullrich	/* advanced */
127	f1c49ff4	Scott Ullrich	$pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
128			$pconfig['max-src-states'] = $a_filter[$id]['max-src-states'];
129			$pconfig['statetype'] = $a_filter[$id]['statetype'];
130	5ba18897	Scott Ullrich	$pconfig['statetimeout'] = $a_filter[$id]['statetimeout'];
131	8c84fe43	Scott Ullrich
132	f1c49ff4	Scott Ullrich	/* advanced - nosync */
133	8c84fe43	Scott Ullrich	$pconfig['nosync'] = isset($a_filter[$id]['nosync']);
134	10f21e70	Scott Ullrich
135	ed08ef3e	Scott Ullrich	/* advanced - new connection per second banning*/
136			$pconfig['max-src-conn-rate'] = $a_filter[$id]['max-src-conn-rate'];
137			$pconfig['max-src-conn-rates'] = $a_filter[$id]['max-src-conn-rates'];
138	5ba18897	Scott Ullrich
139	e5980370	Scott Ullrich	/* Multi-WAN next-hop support */
140	c98ddde2	Bill Marquette	$pconfig['gateway'] = $a_filter[$id]['gateway'];
141	615b27bc	Scott Dale
142	197bfe96	Ermal Luçi	/* Shaper support */
143			$pconfig['defaultqueue'] = $a_filter[$id]['defaultqueue'];
144			$pconfig['ackqueue'] = $a_filter[$id]['ackqueue'];
145	a5fd67e1	Ermal Luçi	$pconfig['dnpipe'] = $a_filter[$id]['dnpipe'];
146			$pconfig['pdnpipe'] = $a_filter[$id]['pdnpipe'];
147	7e50413c	Ermal Luçi	$pconfig['l7container'] = $a_filter[$id]['l7container'];
148	197bfe96	Ermal Luçi
149	615b27bc	Scott Dale	//schedule support
150			$pconfig['sched'] = $a_filter[$id]['sched'];
151	c98ddde2	Bill Marquette
152	5b237745	Scott Ullrich	} else {
153			/* defaults */
154	a23d7248	Scott Ullrich	if ($_GET['if'])
155			$pconfig['interface'] = $_GET['if'];
156	5b237745	Scott Ullrich	$pconfig['type'] = "pass";
157			$pconfig['src'] = "any";
158			$pconfig['dst'] = "any";
159			}
160	72320b88	Ermal Luçi	/* Allow the FlotingRules to work */
161			$if = $pconfig['interface'];
162	5b237745	Scott Ullrich
163			if (isset($_GET['dup']))
164			unset($id);
165
166			if ($_POST) {
167	87f0be87	Chris Buechler
168			if ($_POST['type'] == "reject" && $_POST['proto'] <> "tcp")
169			$input_errors[] = "Reject type rules only works when the protocol is set to TCP.";
170	28f9e493	Scott Ullrich
171	5b237745	Scott Ullrich	if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) {
172			$_POST['srcbeginport'] = 0;
173			$_POST['srcendport'] = 0;
174			$_POST['dstbeginport'] = 0;
175			$_POST['dstendport'] = 0;
176			} else {
177	5ba18897	Scott Ullrich
178	5b237745	Scott Ullrich	if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
179			$_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
180			if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
181			$_POST['srcendport'] = $_POST['srcendport_cust'];
182	5ba18897	Scott Ullrich
183	5b237745	Scott Ullrich	if ($_POST['srcbeginport'] == "any") {
184			$_POST['srcbeginport'] = 0;
185			$_POST['srcendport'] = 0;
186	5ba18897	Scott Ullrich	} else {
187	5b237745	Scott Ullrich	if (!$_POST['srcendport'])
188			$_POST['srcendport'] = $_POST['srcbeginport'];
189			}
190			if ($_POST['srcendport'] == "any")
191			$_POST['srcendport'] = $_POST['srcbeginport'];
192	5ba18897	Scott Ullrich
193	5b237745	Scott Ullrich	if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
194			$_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
195			if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
196			$_POST['dstendport'] = $_POST['dstendport_cust'];
197	5ba18897	Scott Ullrich
198	5b237745	Scott Ullrich	if ($_POST['dstbeginport'] == "any") {
199			$_POST['dstbeginport'] = 0;
200			$_POST['dstendport'] = 0;
201	5ba18897	Scott Ullrich	} else {
202	5b237745	Scott Ullrich	if (!$_POST['dstendport'])
203			$_POST['dstendport'] = $_POST['dstbeginport'];
204			}
205			if ($_POST['dstendport'] == "any")
206	5ba18897	Scott Ullrich	$_POST['dstendport'] = $_POST['dstbeginport'];
207	5b237745	Scott Ullrich	}
208	5ba18897	Scott Ullrich
209	5b237745	Scott Ullrich	if (is_specialnet($_POST['srctype'])) {
210			$_POST['src'] = $_POST['srctype'];
211			$_POST['srcmask'] = 0;
212			} else if ($_POST['srctype'] == "single") {
213			$_POST['srcmask'] = 32;
214			}
215			if (is_specialnet($_POST['dsttype'])) {
216			$_POST['dst'] = $_POST['dsttype'];
217			$_POST['dstmask'] = 0;
218			} else if ($_POST['dsttype'] == "single") {
219			$_POST['dstmask'] = 32;
220			}
221	5ba18897	Scott Ullrich
222	5b237745	Scott Ullrich	unset($input_errors);
223			$pconfig = $_POST;
224
225	ef2a753c	Scott Ullrich	/* run through $_POST items encoding HTML entties so that the user
226			* cannot think he is slick and perform a XSS attack on the unwilling
227			*/
228	21eff66f	Scott Ullrich	foreach ($_POST as $key => $value) {
229			$temp = $value;
230	661aed33	Ermal Luçi	if (isset($_POST['floating']) && $key == "interface")
231			continue;
232	21eff66f	Scott Ullrich	$newpost = htmlentities($temp);
233	5157927f	Scott Ullrich	if($newpost <> $temp)
234			$input_errors[] = "Invalid characters detected ($temp). Please remove invalid characters and save again.";
235	ef2a753c	Scott Ullrich	}
236
237	5b237745	Scott Ullrich	/* input validation */
238	661aed33	Ermal Luçi	$reqdfields = explode(" ", "type proto src dst");
239			$reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");
240	5b237745	Scott Ullrich
241	452ade89	Bill Marquette	if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
242	c22767b1	Bill Marquette	if( $_POST['proto'] != "tcp" )
243			$input_errors[] = "{$_POST['statetype']} is only valid with protocol tcp.";
244	452ade89	Bill Marquette	if(($_POST['statetype'] == "synproxy state") && ($_POST['gateway'] != ""))
245			$input_errors[] = "{$_POST['statetype']} is only valid if the gateway is set to 'default'.";
246			}
247	10f7933f	Chris Buechler
248	5b237745	Scott Ullrich	if (!(is_specialnet($_POST['srctype']) \|\| ($_POST['srctype'] == "single"))) {
249			$reqdfields[] = "srcmask";
250			$reqdfieldsn[] = "Source bit count";
251			}
252			if (!(is_specialnet($_POST['dsttype']) \|\| ($_POST['dsttype'] == "single"))) {
253			$reqdfields[] = "dstmask";
254			$reqdfieldsn[] = "Destination bit count";
255			}
256	5ba18897	Scott Ullrich
257	5b237745	Scott Ullrich	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
258	5ba18897	Scott Ullrich
259	5b237745	Scott Ullrich	if (!$_POST['srcbeginport']) {
260			$_POST['srcbeginport'] = 0;
261			$_POST['srcendport'] = 0;
262			}
263			if (!$_POST['dstbeginport']) {
264			$_POST['dstbeginport'] = 0;
265			$_POST['dstendport'] = 0;
266			}
267	5ba18897	Scott Ullrich
268	19757279	Scott Ullrich	if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
269	aba8aace	Scott Ullrich	$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
270	bdb7d6e7	Scott Ullrich	}
271	19757279	Scott Ullrich	if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
272	aba8aace	Scott Ullrich	$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
273	bdb7d6e7	Scott Ullrich	}
274	19757279	Scott Ullrich	if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
275	aba8aace	Scott Ullrich	$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
276	bdb7d6e7	Scott Ullrich	}
277	19757279	Scott Ullrich	if (($_POST['dstendport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstendport']))) {
278	aba8aace	Scott Ullrich	$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
279	bdb7d6e7	Scott Ullrich	}
280	5ba18897	Scott Ullrich
281	0e5ddcd9	Scott Ullrich	/* if user enters an alias and selects "network" then disallow. */
282			if($_POST['srctype'] == "network") {
283			if(is_alias($_POST['src']))
284			$input_errors[] = "You must specify single host or alias for alias entries.";
285			}
286			if($_POST['dsttype'] == "network") {
287			if(is_alias($_POST['dst']))
288			$input_errors[] = "You must specify single host or alias for alias entries.";
289			}
290
291	5b237745	Scott Ullrich	if (!is_specialnet($_POST['srctype'])) {
292			if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
293	87f0be87	Chris Buechler	$input_errors[] = "A valid source IP address or alias must be specified.";
294	5b237745	Scott Ullrich	}
295			if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
296			$input_errors[] = "A valid source bit count must be specified.";
297			}
298			}
299			if (!is_specialnet($_POST['dsttype'])) {
300			if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
301	87f0be87	Chris Buechler	$input_errors[] = "A valid destination IP address or alias must be specified.";
302	5b237745	Scott Ullrich	}
303			if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
304			$input_errors[] = "A valid destination bit count must be specified.";
305			}
306			}
307	5ba18897	Scott Ullrich
308	5b237745	Scott Ullrich	if ($_POST['srcbeginport'] > $_POST['srcendport']) {
309			/* swap */
310			$tmp = $_POST['srcendport'];
311			$_POST['srcendport'] = $_POST['srcbeginport'];
312			$_POST['srcbeginport'] = $tmp;
313			}
314			if ($_POST['dstbeginport'] > $_POST['dstendport']) {
315			/* swap */
316			$tmp = $_POST['dstendport'];
317			$_POST['dstendport'] = $_POST['dstbeginport'];
318			$_POST['dstbeginport'] = $tmp;
319			}
320	e33c8694	Bill Marquette	if ($_POST['os'])
321			if( $_POST['proto'] != "tcp" )
322			$input_errors[] = "OS detection is only valid with protocol tcp.";
323	5b237745	Scott Ullrich
324	197bfe96	Ermal Luçi	if ($_POST['ackqueue'] && $_POST['ackqueue'] != "none") {
325			if ($_POST['defaultqueue'] == "none" )
326			$input_errors[] = "You have to select a queue when you select an acknowledge queue too.";
327			else if ($_POST['ackqueue'] == $_POST['defaultqueue'])
328	aa8cdf52	Scott Ullrich	$input_errors[] = "Acknowledge queue and Queue cannot be the same.";
329	197bfe96	Ermal Luçi	}
330	a5fd67e1	Ermal Luçi	if ($_POST['pdnpipe'] && $_POST['pdnpipe'] != "none") {
331			if ($_POST['dnpipe'] == "none" )
332			$input_errors[] = "You must select a queue for the In direction before selecting one for Out too.";
333			else if ($_POST['pdnpipe'] == $_POST['dnpipe'])
334			$input_errors[] = "In and Out Queue cannot be the same.";
335			else if ($pdnpipe[0] == "?" && $dnpipe[0] <> "?")
336			$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
337			else if ($dnpipe[0] == "?" && $pdnpipe[0] <> "?")
338			$input_errors[] = "You cannot select one queue and one virtual interface for IN and Out. both must be from the same type.";
339			}
340	7e50413c	Ermal Luçi	if($_POST['l7container'] && $_POST['l7container'] != "none") {
341			if(!($_POST['proto'] == "tcp" \|\| $_POST['proto'] == "udp" \|\| $_POST['proto'] == "tcp/udp"))
342			$input_errors[] = "You can only select a layer7 container for tcp and/or udp protocols";
343	3b184ca5	Ermal Lu?i	if ($_POST['type'] <> "pass")
344			$input_errors[] = "You can only select a layer7 container for Pass type rules.";
345	7e50413c	Ermal Luçi	}
346	197bfe96	Ermal Luçi
347	5b237745	Scott Ullrich	if (!$input_errors) {
348			$filterent = array();
349			$filterent['type'] = $_POST['type'];
350	661aed33	Ermal Luçi	if (isset($_POST['interface'] ))
351			$filterent['interface'] = $_POST['interface'];
352
353			if ($if == "FloatingRules" \|\| isset($_POST['floating'])) {
354			if (isset($_POST['tag']))
355			$filterent['tag'] = $_POST['tag'];
356			if (isset($_POST['tagged']))
357			$filterent['tagged'] = $_POST['tagged'];
358			$filterent['direction'] = $_POST['direction'];
359			if (isset($_POST['quick']) && $_POST['quick'] <> "")
360			$filterent['quick'] = $_POST['quick'];
361			$filterent['floating'] = "yes";
362			if (isset($_POST['interface']) && count($_POST['interface']) > 0) {
363			$filterent['interface'] = implode(",", $_POST['interface']);
364			}
365			}
366	d59874c1	Scott Ullrich
367	bdb7d6e7	Scott Ullrich	/* Advanced options */
368	775ccea3	Ermal Luci	if ($_POST['allowopts'] == "yes")
369			$filterent['allowopts'] = true;
370			else
371			unset($filterent['allowopts']);
372	bdb7d6e7	Scott Ullrich	$filterent['max-src-nodes'] = $_POST['max-src-nodes'];
373			$filterent['max-src-states'] = $_POST['max-src-states'];
374	5ba18897	Scott Ullrich	$filterent['statetimeout'] = $_POST['statetimeout'];
375	fa9af164	Scott Ullrich	$filterent['statetype'] = $_POST['statetype'];
376	e33c8694	Bill Marquette	$filterent['os'] = $_POST['os'];
377	10f21e70	Scott Ullrich
378			/* Nosync directive - do not xmlrpc sync this item */
379	8c84fe43	Scott Ullrich	if($_POST['nosync'] <> "")
380	10f21e70	Scott Ullrich	$filterent['nosync'] = true;
381			else
382			unset($filterent['nosync']);
383
384	3f00c1dc	Scott Ullrich	/* unless both values are provided, unset the values - ticket #650 */
385			if($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] <> "") {
386			$filterent['max-src-conn-rate'] = $_POST['max-src-conn-rate'];
387			$filterent['max-src-conn-rates'] = $_POST['max-src-conn-rates'];
388			} else {
389			unset($filterent['max-src-conn-rate']);
390			unset($filterent['max-src-conn-rates']);
391			}
392	5ba18897	Scott Ullrich
393	5b237745	Scott Ullrich	if ($_POST['proto'] != "any")
394			$filterent['protocol'] = $_POST['proto'];
395			else
396			unset($filterent['protocol']);
397	5ba18897	Scott Ullrich
398	5b237745	Scott Ullrich	if ($_POST['proto'] == "icmp" && $_POST['icmptype'])
399			$filterent['icmptype'] = $_POST['icmptype'];
400			else
401			unset($filterent['icmptype']);
402	5ba18897	Scott Ullrich
403	5b237745	Scott Ullrich	pconfig_to_address($filterent['source'], $_POST['src'],
404			$_POST['srcmask'], $_POST['srcnot'],
405			$_POST['srcbeginport'], $_POST['srcendport']);
406	5ba18897	Scott Ullrich
407	5b237745	Scott Ullrich	pconfig_to_address($filterent['destination'], $_POST['dst'],
408			$_POST['dstmask'], $_POST['dstnot'],
409			$_POST['dstbeginport'], $_POST['dstendport']);
410	5ba18897	Scott Ullrich
411	f87f85c3	Bill Marquette	if ($_POST['disabled'])
412			$filterent['disabled'] = true;
413			else
414			unset($filterent['disabled']);
415	c5fc1b2e	Ermal Luçi
416			if ($_POST['dscp'])
417			$filterent['dscp'] = $_POST['dscp'];
418
419	f87f85c3	Bill Marquette	if ($_POST['log'])
420			$filterent['log'] = true;
421			else
422			unset($filterent['log']);
423	c68fc1e7	Bill Marquette	strncpy($filterent['descr'], $_POST['descr'], 52);
424	5ba18897	Scott Ullrich
425	c98ddde2	Bill Marquette	if ($_POST['gateway'] != "") {
426			$filterent['gateway'] = $_POST['gateway'];
427			}
428	197bfe96	Ermal Luçi
429			if (isset($_POST['defaultqueue']) && $_POST['defaultqueue'] != "none") {
430			$filterent['defaultqueue'] = $_POST['defaultqueue'];
431			if (isset($_POST['ackqueue']) && $_POST['ackqueue'] != "none")
432			$filterent['ackqueue'] = $_POST['ackqueue'];
433			}
434	c98ddde2	Bill Marquette
435	a5fd67e1	Ermal Luçi	if (isset($_POST['dnpipe']) && $_POST['dnpipe'] != "none") {
436			$filterent['dnpipe'] = $_POST['dnpipe'];
437			if (isset($_POST['pdnpipe']) && $_POST['pdnpipe'] != "none")
438			$filterent['pdnpipe'] = $_POST['pdnpipe'];
439			}
440
441	7e50413c	Ermal Luçi	if (isset($_POST['l7container']) && $_POST['l7container'] != "none") {
442			$filterent['l7container'] = $_POST['l7container'];
443			}
444
445	615b27bc	Scott Dale	if ($_POST['sched'] != "") {
446			$filterent['sched'] = $_POST['sched'];
447			}
448
449	5b237745	Scott Ullrich	if (isset($id) && $a_filter[$id])
450			$a_filter[$id] = $filterent;
451			else {
452			if (is_numeric($after))
453			array_splice($a_filter, $after+1, 0, array($filterent));
454			else
455			$a_filter[] = $filterent;
456			}
457	f4e2a352	Scott Ullrich
458	5b237745	Scott Ullrich	write_config();
459	a368a026	Ermal Lu?i	mark_subsystem_dirty('filter');
460	5ba18897	Scott Ullrich
461	661aed33	Ermal Luçi	if (isset($_POST['floating']))
462			header("Location: firewall_rules.php?if=FloatingRules");
463			else
464			header("Location: firewall_rules.php?if=" . $_POST['interface']);
465	5b237745	Scott Ullrich	exit;
466			}
467	c60824d2	Scott Ullrich	}
468
469	37c53a0d	Ermal Lu?i	read_altq_config(); /* XXX: */
470			$qlist =& get_unique_queue_list();
471			read_dummynet_config(); /* XXX: */
472			$dnqlist =& get_unique_dnqueue_list();
473			read_layer7_config();
474			$l7clist =& get_l7_unique_list();
475
476	d88c6a9f	Scott Ullrich	$pgtitle = array("Firewall","Rules","Edit");
477	a1357fe0	Bill Marquette	$closehead = false;
478	8ab3e9ed	Erik Kristensen
479			$page_filename = "firewall_rules_edit.php";
480	da7ae7ef	Bill Marquette	include("head.inc");
481	c60824d2	Scott Ullrich
482	5b237745	Scott Ullrich	?>
483	da7ae7ef	Bill Marquette
484	5b237745	Scott Ullrich	</head>
485
486			<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
487			<?php include("fbegin.inc"); ?>
488			<?php if ($input_errors) print_input_errors($input_errors); ?>
489	8ab3e9ed	Erik Kristensen
490			<form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
491			<table width="100%" border="0" cellpadding="6" cellspacing="0">
492	e091cb45	Scott Ullrich	<tr>
493			<td colspan="2" valign="top" class="listtopic">Edit Firewall rule</td>
494			</tr>
495	8ab3e9ed	Erik Kristensen	<tr>
496			<td width="22%" valign="top" class="vncellreq">Action</td>
497			<td width="78%" class="vtable">
498	b5c78501	Seth Mos	<select name="type" class="formselect">
499	8ab3e9ed	Erik Kristensen	<?php $types = explode(" ", "Pass Block Reject"); foreach ($types as $type): ?>
500			<option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>>
501			<?=htmlspecialchars($type);?>
502			</option>
503			<?php endforeach; ?>
504	8c84fe43	Scott Ullrich	</select>
505	8ab3e9ed	Erik Kristensen	<br/>
506			<span class="vexpl">
507			Choose what to do with packets that match the criteria specified below. <br/>
508			Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.
509			</span>
510			</td>
511			</tr>
512			<tr>
513			<td width="22%" valign="top" class="vncellreq">Disabled</td>
514			<td width="78%" class="vtable">
515			<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
516			<strong>Disable this rule</strong><br />
517			<span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
518			</td>
519			</tr>
520	661aed33	Ermal Luçi	<?php if ($if == "FloatingRules" \|\| isset($pconfig['floating'])): ?>
521			<tr>
522			<td width="22%" valign="top" class="vncellreq"><?=gettext("Quick");?></td>
523			<td width="78%" class="vtable">
524			<input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
525			<strong><?=gettext("Apply the action immediately on match.");?></strong><br />
526			<span class="vexpl"><?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?></span>
527			</td>
528			</tr>
529			<? endif; ?>
530	8ab3e9ed	Erik Kristensen	<tr>
531			<td width="22%" valign="top" class="vncellreq">Interface</td>
532			<td width="78%" class="vtable">
533	4633edc2	Ermal Luçi	<?php if ($if == "FloatingRules" \|\| isset($pconfig['floating'])): ?>
534	8e6ac824	Ermal Luçi	<select name="interface[]" multiple="true" class="formselect" size="3">
535	661aed33	Ermal Luçi	<? else: ?>
536	b5c78501	Seth Mos	<select name="interface" class="formselect">
537	8ab3e9ed	Erik Kristensen	<?php
538	661aed33	Ermal Luçi	endif;
539	a7782099	Ermal Lu?i	/* add group interfaces */
540			if (is_array($config['ifgroups']['ifgroupentry']))
541			foreach($config['ifgroups']['ifgroupentry'] as $ifgen)
542			if (have_ruleint_access($ifgen['ifname']))
543			$interfaces[$ifgen['ifname']] = $ifgen['ifname'];
544
545	b7391125	Ermal Luçi	$ifdescs = get_configured_interface_with_descr();
546
547	5335811d	Ermal Luçi	foreach ($ifdescs as $ifent => $ifdesc)
548			if(have_ruleint_access($ifent))
549			$interfaces[$ifent] = $ifdesc;
550	b6742927	Scott Ullrich
551	617f8d25	Ermal Lu?i	if ($config['l2tp']['mode'] == "server")
552			if(have_ruleint_access("l2tp"))
553			$interfaces['l2tp'] = "L2TP VPN";
554
555	b6742927	Scott Ullrich	if ($config['pptpd']['mode'] == "server")
556			if(have_ruleint_access("pptp"))
557			$interfaces['pptp'] = "PPTP VPN";
558
559			if ($config['pppoe']['mode'] == "server")
560			if(have_ruleint_access("pppoe"))
561			$interfaces['pppoe'] = "PPPoE VPN";
562
563			/* add ipsec interfaces */
564			if (isset($config['ipsec']['enable']) \|\| isset($config['ipsec']['mobileclients']['enable']))
565			if(have_ruleint_access("enc0"))
566	0f266b2e	Chris Buechler	$interfaces["enc0"] = "IPsec";
567	bfb60ac8	Ermal Luçi
568			/* add openvpn/tun interfaces */
569	d799787e	Matthew Grooms	if ($config['openvpn']["openvpn-server"] \|\| $config['openvpn']["openvpn-client"])
570			$interfaces["openvpn"] = "OpenVPN";
571	b6742927	Scott Ullrich
572	8ab3e9ed	Erik Kristensen	foreach ($interfaces as $iface => $ifacename): ?>
573	661aed33	Ermal Luçi	<option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option>
574	8ab3e9ed	Erik Kristensen	<?php endforeach; ?>
575	8c84fe43	Scott Ullrich	</select>
576	8ab3e9ed	Erik Kristensen	<br />
577			<span class="vexpl">Choose on which interface packets must come in to match this rule.</span>
578			</td>
579			</tr>
580	661aed33	Ermal Luçi	<?php if ($if == "FloatingRules" \|\| isset($pconfig['floating'])): ?>
581			<tr>
582			<td width="22%" valign="top" class="vncellreq"><?=gettext("Direction");?></td>
583			<td width="78%" class="vtable">
584			<select name="direction" class="formselect">
585			<?php $directions = array('any', 'in', 'out');
586			foreach ($directions as $direction): ?>
587			<option value="<?=$direction;?>"
588			<?php if ($direction == $pconfig['direction']): ?>
589			selected="selected"
590			<?php endif; ?>
591			><?=$direction;?></option>
592			<?php endforeach; ?>
593			</select>
594	0e640f76	Ermal Luçi	<input type="hidden" id="floating" name="floating" value="floating">
595	661aed33	Ermal Luçi	</td>
596			<tr>
597			<?php endif; ?>
598	8ab3e9ed	Erik Kristensen	<tr>
599			<td width="22%" valign="top" class="vncellreq">Protocol</td>
600			<td width="78%" class="vtable">
601	b5c78501	Seth Mos	<select name="proto" class="formselect" onchange="proto_change()">
602	8ab3e9ed	Erik Kristensen	<?php
603	87f0be87	Chris Buechler	$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP any carp pfsync");
604	8ab3e9ed	Erik Kristensen	foreach ($protocols as $proto): ?>
605			<option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
606			<?php endforeach; ?>
607			</select>
608			<br />
609			<span class="vexpl">Choose which IP protocol this rule should match. <br /> Hint: in most cases, you should specify <em>TCP</em>  here.</span>
610			</td>
611			</tr>
612	3de8af0e	Scott Ullrich	<tr id="icmpbox" name="icmpbox">
613	8ab3e9ed	Erik Kristensen	<td valign="top" class="vncell">ICMP type</td>
614			<td class="vtable">
615	b5c78501	Seth Mos	<select name="icmptype" class="formselect">
616	8ab3e9ed	Erik Kristensen	<?php
617			$icmptypes = array(
618			"" => "any",
619			"echorep" => "Echo reply",
620			"unreach" => "Destination unreachable",
621			"squench" => "Source quench",
622			"redir" => "Redirect",
623			"althost" => "Alternate Host",
624			"echoreq" => "Echo",
625			"routeradv" => "Router advertisement",
626			"routersol" => "Router solicitation",
627			"timex" => "Time exceeded",
628			"paramprob" => "Invalid IP header",
629			"timereq" => "Timestamp",
630			"timerep" => "Timestamp reply",
631			"inforeq" => "Information request",
632			"inforep" => "Information reply",
633			"maskreq" => "Address mask request",
634			"maskrep" => "Address mask reply"
635			);
636
637			foreach ($icmptypes as $icmptype => $descr): ?>
638			<option value="<?=$icmptype;?>" <?php if ($icmptype == $pconfig['icmptype']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
639			<?php endforeach; ?>
640			</select>
641			<br />
642			<span class="vexpl">If you selected ICMP for the protocol above, you may specify an ICMP type here.</span>
643			</td>
644			</tr>
645			<tr>
646			<td width="22%" valign="top" class="vncellreq">Source</td>
647			<td width="78%" class="vtable">
648			<input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
649			<strong>not</strong>
650			<br />
651			Use this option to invert the sense of the match.
652			<br />
653			<br />
654			<table border="0" cellspacing="0" cellpadding="0">
655			<tr>
656			<td>Type:  </td>
657			<td>
658	b5c78501	Seth Mos	<select name="srctype" class="formselect" onChange="typesel_change()">
659	87f0be87	Chris Buechler	<?php
660			$sel = is_specialnet($pconfig['src']); ?>
661	8ab3e9ed	Erik Kristensen	<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
662	87f0be87	Chris Buechler	<option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
663			<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
664	99ea4439	Scott Ullrich	<?php if(have_ruleint_access("pptp")): ?>
665	8ab3e9ed	Erik Kristensen	<option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
666	99ea4439	Scott Ullrich	<?php endif; ?>
667			<?php if(have_ruleint_access("pppoe")): ?>
668	8c84fe43	Scott Ullrich	<option value="pppoe" <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
669	99ea4439	Scott Ullrich	<?php endif; ?>
670	8a6bc505	Ermal Lu?i	<?php if(have_ruleint_access("l2tp")): ?>
671			<option value="l2tp" <?php if ($pconfig['src'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
672			<?php endif; ?>
673	8ab3e9ed	Erik Kristensen	<?php
674	5335811d	Ermal Luçi	foreach ($ifdisp as $ifent => $ifdesc): ?>
675			<?php if(have_ruleint_access($ifent)): ?>
676			<option value="<?=$ifent;?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
677			<option value="<?=$ifent;?>ip"<?php if ($pconfig['src'] == $ifent . "ip") { echo "selected"; } ?>>
678	b7391125	Ermal Luçi	<?=$ifdesc?> address
679	e30a5970	Scott Ullrich	</option>
680	99ea4439	Scott Ullrich	<?php endif; ?>
681	b7391125	Ermal Luçi	<?php endforeach; ?>
682	8ab3e9ed	Erik Kristensen	</select>
683			</td>
684			</tr>
685			<tr>
686			<td>Address:  </td>
687			<td>
688			<input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
689	b5c78501	Seth Mos	<select name="srcmask" class="formselect" id="srcmask">
690	8ab3e9ed	Erik Kristensen	<?php for ($i = 31; $i > 0; $i--): ?>
691			<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
692			<?php endfor; ?>
693			</select>
694	bdb7d6e7	Scott Ullrich	</td>
695	8ab3e9ed	Erik Kristensen	</tr>
696			</table>
697	22abf2ef	Scott Ullrich	<div id="showadvancedboxspr">
698			<p>
699	be812936	Scott Ullrich	<input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
700	22abf2ef	Scott Ullrich	</div>
701	8ab3e9ed	Erik Kristensen	</td>
702	e33c8694	Bill Marquette	</tr>
703	3de8af0e	Scott Ullrich	<tr style="display:none" id="sprtable" name="sprtable">
704	8ab3e9ed	Erik Kristensen	<td width="22%" valign="top" class="vncellreq">Source port range</td>
705			<td width="78%" class="vtable">
706			<table border="0" cellspacing="0" cellpadding="0">
707			<tr>
708			<td>from:  </td>
709			<td>
710	b5c78501	Seth Mos	<select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
711	8ab3e9ed	Erik Kristensen	<option value="">(other)</option>
712			<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
713			<?php foreach ($wkports as $wkport => $wkportdesc): ?>
714			<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
715			<?php endforeach; ?>
716	8c84fe43	Scott Ullrich	</select>
717	8ab3e9ed	Erik Kristensen	<input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
718			</td>
719			</tr>
720			<tr>
721			<td>to:</td>
722			<td>
723	b5c78501	Seth Mos	<select name="srcendport" class="formselect" onchange="ext_change()">
724	8ab3e9ed	Erik Kristensen	<option value="">(other)</option>
725			<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
726			<?php foreach ($wkports as $wkport => $wkportdesc): ?>
727			<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
728			<?php endforeach; ?>
729	8c84fe43	Scott Ullrich	</select>
730	8ab3e9ed	Erik Kristensen	<input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
731			</td>
732			</tr>
733			</table>
734			<br />
735	5548a077	Scott Ullrich	<span class="vexpl">Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any"). <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
736	67199e71	Scott Ullrich	<span class="vexpl"><B>NOTE:</B> You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!</span>
737	8ab3e9ed	Erik Kristensen	</td>
738	8c84fe43	Scott Ullrich	</tr>
739	8ab3e9ed	Erik Kristensen	<tr>
740	f281e32e	Chris Buechler	<td width="22%" valign="top" class="vncell">Source OS</td>
741	8ab3e9ed	Erik Kristensen	<td width="78%" class="vtable">OS Type:
742	b5c78501	Seth Mos	<select name="os" id="os" class="formselect">
743	8ab3e9ed	Erik Kristensen	<?php
744			$ostypes = array(
745			"" => "any",
746			"AIX" => "AIX",
747			"Linux" => "Linux",
748			"FreeBSD" => "FreeBSD",
749			"NetBSD" => "NetBSD",
750			"OpenBSD" => "OpenBSD",
751			"Solaris" => "Solaris",
752			"MacOS" => "MacOS",
753			"Windows" => "Windows",
754	59d62b6c	Scott Ullrich	"Novell" => "Novell",
755			"NMAP" => "NMAP"
756	8ab3e9ed	Erik Kristensen	);
757
758			foreach ($ostypes as $ostype => $descr): ?>
759			<option value="<?=$ostype;?>" <?php if ($ostype == $pconfig['os']) echo "selected"; ?>><?=htmlspecialchars($descr);?></option>
760			<?php endforeach; ?>
761			</select>
762			<br />
763			Note: this only works for TCP rules
764			</td>
765	5ba18897	Scott Ullrich	</tr>
766	8ab3e9ed	Erik Kristensen	<tr>
767			<td width="22%" valign="top" class="vncellreq">Destination</td>
768			<td width="78%" class="vtable">
769			<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
770			<strong>not</strong>
771			<br />
772			Use this option to invert the sense of the match.
773			<br />
774			<br />
775			<table border="0" cellspacing="0" cellpadding="0">
776			<tr>
777			<td>Type:  </td>
778			<td>
779	b5c78501	Seth Mos	<select name="dsttype" class="formselect" onChange="typesel_change()">
780	87f0be87	Chris Buechler	<?php
781			$sel = is_specialnet($pconfig['dst']); ?>
782	8ab3e9ed	Erik Kristensen	<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
783	87f0be87	Chris Buechler	<option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
784			<option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
785	99ea4439	Scott Ullrich	<?php if(have_ruleint_access("pptp")): ?>
786	8ab3e9ed	Erik Kristensen	<option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
787	99ea4439	Scott Ullrich	<?php endif; ?>
788			<?php if(have_ruleint_access("pppoe")): ?>
789	8ab3e9ed	Erik Kristensen	<option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
790	99ea4439	Scott Ullrich	<?php endif; ?>
791	3331a640	Ermal Lu?i	<?php if(have_ruleint_access("l2tp")): ?>
792			<option value="l2tp" <?php if ($pconfig['dst'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
793			<?php endif; ?>
794	b7391125	Ermal Luçi
795			<?php foreach ($ifdisp as $if => $ifdesc): ?>
796			<?php if(have_ruleint_access($if)): ?>
797			<option value="<?=$if;?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
798			<option value="<?=$if;?>ip"<?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
799			<?=$ifdesc;?> address
800	cbff71a1	Scott Ullrich	</option>
801	99ea4439	Scott Ullrich	<?php endif; ?>
802	b7391125	Ermal Luçi	<?php endforeach; ?>
803	8ab3e9ed	Erik Kristensen	</select>
804			</td>
805			</tr>
806			<tr>
807			<td>Address:  </td>
808			<td>
809			<input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
810			/
811	b5c78501	Seth Mos	<select name="dstmask" class="formselect" id="dstmask">
812	8ab3e9ed	Erik Kristensen	<?php
813			for ($i = 31; $i > 0; $i--): ?>
814			<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
815			<?php endfor; ?>
816			</select>
817			</td>
818			</tr>
819			</table>
820	5ba18897	Scott Ullrich
821	8ab3e9ed	Erik Kristensen	</td>
822			</tr>
823	3de8af0e	Scott Ullrich	<tr id="dprtr" name="dprtr">
824	8ab3e9ed	Erik Kristensen	<td width="22%" valign="top" class="vncellreq">Destination port range </td>
825			<td width="78%" class="vtable">
826			<table border="0" cellspacing="0" cellpadding="0">
827			<tr>
828			<td>from:  </td>
829			<td>
830	b5c78501	Seth Mos	<select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
831	8ab3e9ed	Erik Kristensen	<option value="">(other)</option>
832			<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
833			<?php foreach ($wkports as $wkport => $wkportdesc): ?>
834			<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
835			<?php endforeach; ?>
836			</select>
837			<input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
838			</td>
839			</tr>
840			<tr>
841			<td>to:</td>
842			<td>
843	b5c78501	Seth Mos	<select name="dstendport" class="formselect" onchange="ext_change()">
844	8ab3e9ed	Erik Kristensen	<option value="">(other)</option>
845			<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
846			<?php foreach ($wkports as $wkport => $wkportdesc): ?>
847			<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
848			<?php endforeach; ?>
849	8c84fe43	Scott Ullrich	</select>
850	8ab3e9ed	Erik Kristensen	<input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
851			</td>
852			</tr>
853			</table>
854			<br />
855			<span class="vexpl">
856			Specify the port or port range for the destination of the packet for this rule.
857			<br />
858			Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
859			</span>
860			</td>
861			</tr>
862	c5fc1b2e	Ermal Luçi	<tr>
863			<td width="22%" valign="top" class="vncellreq">Diffserv Code Point</td>
864			<td width="78%" class="vtable">
865			<input name="dscp" id="dscp" value="<?=htmlspecialchars($pconfig['dscp']);?>">
866			<br />
867			<span class="vexpl">Valid values are: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, EF, 1-64, 0x04-0xfc.</span>
868			</td>
869			</tr>
870	8ab3e9ed	Erik Kristensen	<tr>
871			<td width="22%" valign="top" class="vncellreq">Log</td>
872			<td width="78%" class="vtable">
873			<input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>>
874			<strong>Log packets that are handled by this rule</strong>
875			<br />
876			<span class="vexpl">Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the <a href="diag_logs_settings.php">Diagnostics: System logs: Settings</a> page).</span>
877			</td>
878			</tr>
879	661aed33	Ermal Luçi	<tr>
880	e6db3f58	Ermal Luçi	<td width="22%" valign="top" class="vncell">Advanced Options</td>
881			<td width="78%" class="vtable">
882			<div id="aoadv" name="aoadv">
883			<input type="button" onClick="show_aodiv();" value="Advanced"> - Show advanced options
884			</div>
885			<div id="aodivmain" name="aodivmain" style="display:none">
886	661aed33	Ermal Luçi
887	775ccea3	Ermal Luci	<input type="checkbox" id="allowopts" value="yes" name="allowopts"<?php if($pconfig['allowopts'] == true) echo " checked"; ?>>
888			<br/><span class="vexpl"><?=gettext("This allows packets with ip options to pass otherwise they are blocked by default i.e. with multicast routing/proxing.");?>
889			</span><p>
890	661aed33	Ermal Luçi	<input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
891	ad3979f2	Ermal Luçi	<br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other nat/filter rules. It is called <b>Policy filtering</b>");?>
892	661aed33	Ermal Luçi	</span><p>
893	ad3979f2	Ermal Luçi	<input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>">
894			<br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?>
895	661aed33	Ermal Luçi	</span> <p>
896	8ab3e9ed	Erik Kristensen	<input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br> Simultaneous client connection limit<p>
897			<input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br> Maximum state entries per host<p>
898			<input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo $pconfig['max-src-conn-rate'] ?>"> /
899			<select name="max-src-conn-rates" id="max-src-conn-rates">
900			<option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option>
901			<?php for($x=1; $x<255; $x++) {
902			if($x == $pconfig['max-src-conn-rates']) $selected = " selected"; else $selected = "";
903			echo "<option value=\"{$x}\"{$selected}>{$x}</option>\n";
904			} ?>
905	47042140	Scott Ullrich	</select><br />
906	8ab3e9ed	Erik Kristensen	Maximum new connections / per second
907	47042140	Scott Ullrich	<p>
908
909			<input name="statetimeout" value="<?php echo $pconfig['statetimeout'] ?>"><br>
910	3906617b	Scott Ullrich	State Timeout in seconds
911	47042140	Scott Ullrich	<p />
912
913	8ab3e9ed	Erik Kristensen	<p><strong>NOTE: Leave these fields blank to disable this feature.</strong>
914	197b2a47	Scott Ullrich	</div>
915	8ab3e9ed	Erik Kristensen	</td>
916			</tr>
917			<tr>
918			<td width="22%" valign="top" class="vncell">State Type</td>
919			<td width="78%" class="vtable">
920	f6970b2f	Scott Ullrich	<div id="showadvstatebox">
921			<input type="button" onClick="show_advanced_state()" value="Advanced"></input> - Show state</a>
922			</div>
923			<div id="showstateadv" style="display:none">
924			<select name="statetype">
925			<option value="keep state" <?php if(!isset($pconfig['statetype']) or $pconfig['statetype'] == "keep state") echo "selected"; ?>>keep state</option>
926			<option value="synproxy state"<?php if($pconfig['statetype'] == "synproxy state") echo "selected"; ?>>synproxy state</option>
927			<option value="none"<?php if($pconfig['statetype'] == "none") echo "selected"; ?>>none</option>
928			</select><br>HINT: Select which type of state tracking mechanism you would like to use. If in doubt, use keep state.
929			<p>
930			<table width="90%">
931	c62ff4e7	Chris Buechler	<tr><td width="25%"><ul><li>keep state</li></td><td>Works with all IP protocols.</ul></td></tr>
932	8eb08ba7	Chris Buechler	<tr><td width="25%"><ul><li>synproxy state</li></td><td>Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.</ul></td></tr>
933			<tr><td width="25%"><ul><li>none</li></td><td>Do not use state mechanisms to keep track. This is only useful if you're doing advanced queueing in certain situations. Please check the documentation.</ul></td></tr>
934	f6970b2f	Scott Ullrich	</table>
935			</p>
936			</div>
937	8ab3e9ed	Erik Kristensen	</td>
938			</tr>
939	10f21e70	Scott Ullrich	<tr>
940			<td width="22%" valign="top" class="vncell">No XMLRPC Sync</td>
941			<td width="78%" class="vtable">
942	c32518fa	Scott Ullrich	<input type="checkbox" name="nosync"<?php if($pconfig['nosync']) echo " CHECKED"; ?>><br>
943	782c65b8	Scott Ullrich	HINT: This prevents the rule from automatically syncing to other carp members.
944	10f21e70	Scott Ullrich	</td>
945	8c84fe43	Scott Ullrich	</tr>
946	615b27bc	Scott Dale	<?php
947			//build list of schedules
948			$schedules = array();
949			$schedules[] = "none";//leave none to leave rule enabled all the time
950	a60fd0cb	Scott Ullrich	if(is_array($config['schedules']['schedule'])) {
951			foreach ($config['schedules']['schedule'] as $schedule) {
952			if ($schedule['name'] <> "")
953			$schedules[] = $schedule['name'];
954			}
955			}
956	615b27bc	Scott Dale	?>
957			<tr>
958			<td width="22%" valign="top" class="vncell">Schedule</td>
959			<td width="78%" class="vtable">
960			<select name='sched'>
961			<?php
962			foreach($schedules as $schedule) {
963			if($schedule == $pconfig['sched']) {
964			$selected = " SELECTED";
965			} else {
966			$selected = "";
967			}
968			if ($schedule == "none") {
969			echo "<option value=\"\" {$selected}>{$schedule}</option>\n";
970			} else {
971			echo "<option value=\"{$schedule}\" {$selected}>{$schedule}</option>\n";
972			}
973			}?>
974			</select>
975	49decb66	Scott Ullrich	<p>Leave as 'none' to leave the rule enabled all the time.</p>
976	615b27bc	Scott Dale	</td>
977			</tr>
978
979	8ab3e9ed	Erik Kristensen	<?php
980	82628210	Scott Ullrich	/* build a list of gateways */
981			$gateways = array();
982	615b27bc	Scott Dale	$gateways[] = "default"; // default to don't use this feature :)
983	3d81372f	Chris Buechler	if (is_array($config['gateways']['gateway_item'])) {
984			foreach($config['gateways']['gateway_item'] as $gw_item) {
985			if($gw_item['gateway'] <> "")
986			$gateways[] = $gw_item['name'];
987			}
988	82628210	Scott Ullrich	}
989	3d81372f	Chris Buechler
990	8ab3e9ed	Erik Kristensen	?>
991	82628210	Scott Ullrich	<tr>
992	8ab3e9ed	Erik Kristensen	<td width="22%" valign="top" class="vncell">Gateway</td>
993			<td width="78%" class="vtable">
994			<select name='gateway'>
995			<?php
996	82628210	Scott Ullrich	foreach($gateways as $gw) {
997	0581660c	Scott Ullrich	if($gw == "")
998			continue;
999	e6c0da7c	Scott Ullrich	if($gw == $pconfig['gateway']) {
1000	82628210	Scott Ullrich	$selected = " SELECTED";
1001	e6c0da7c	Scott Ullrich	} else {
1002	82628210	Scott Ullrich	$selected = "";
1003	e6c0da7c	Scott Ullrich	}
1004			if ($gw == "default") {
1005	8c84fe43	Scott Ullrich	echo "<option value=\"\" {$selected}>{$gw}</option>\n";
1006	e6c0da7c	Scott Ullrich	} else {
1007	d9720602	Seth Mos	$gwip = lookup_gateway_ip_by_name($gw);
1008			echo "<option value=\"{$gw}\" {$selected}>{$gw} - {$gwip}</option>\n";
1009	e6c0da7c	Scott Ullrich	}
1010			}
1011	e11202d5	Seth Mos	/* add gateway groups to the list */
1012			if (is_array($config['gateways']['gateway_group'])) {
1013			foreach($config['gateways']['gateway_group'] as $gw_group) {
1014			if($gw_group['name'] == "")
1015	0581660c	Scott Ullrich	continue;
1016	e11202d5	Seth Mos	if($pconfig['gateway'] == $gw_group['name']) {
1017			echo "<option value=\"{$gw_group['name']}\" SELECTED>{$gw_group['name']}</option>\n";
1018	a68bd38b	Scott Ullrich	} else {
1019	e11202d5	Seth Mos	echo "<option value=\"{$gw_group['name']}\">{$gw_group['name']}</option>\n";
1020	a68bd38b	Scott Ullrich	}
1021	8c84fe43	Scott Ullrich	}
1022	82628210	Scott Ullrich	}
1023	b7391125	Ermal Luçi	$iflist = get_configured_interface_with_descr();
1024	5335811d	Ermal Luçi	foreach ($iflist as $ifent => $ifdesc) {
1025	f1f60c92	Ermal Luçi	if (in_array($config['interfaces'][$ifent]['ipaddr'],
1026			array("dhcp", "pppoe", "pptp"))) {
1027	5335811d	Ermal Luçi	if ($pconfig['gateway'] == $ifent) {
1028	4443d4d6	Scott Ullrich	$selected = " SELECTED";
1029	1fda0968	Scott Ullrich	} else {
1030			$selected = "";
1031			}
1032	b7391125	Ermal Luçi	if($ifdesc <> "")
1033	5335811d	Ermal Luçi	echo "<option value=\"{$ifent}\" {$selected}>".strtoupper($if)." - {$ifdesc}</option>\n";
1034	1fda0968	Scott Ullrich	}
1035			}
1036	8ab3e9ed	Erik Kristensen	?>
1037			</select>
1038	58a4eecd	Bill Marquette	<p><strong>Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.</strong></p>
1039	8ab3e9ed	Erik Kristensen	</td>
1040			</tr>
1041	a5fd67e1	Ermal Luçi	<tr>
1042			<td width="22%" valign="top" class="vncell">In/Out</td>
1043			<td width="78%" class="vtable">
1044			<select name="dnpipe">
1045			<?php
1046			if (!is_array($dnqlist))
1047			$dnqlist = array();
1048			echo "<option value=\"none\"";
1049			if (!$dnqselected) echo " SELECTED";
1050			echo " >none</option>";
1051			foreach ($dnqlist as $dnq => $dnqkey) {
1052			if($dnq == "")
1053			continue;
1054			echo "<option value=\"$dnqkey\"";
1055			if ($dnqkey == $pconfig['dnpipe']) {
1056			$dnqselected = 1;
1057			echo " SELECTED";
1058			}
1059			echo ">{$dnq}</option>";
1060			}
1061			?>
1062			</select> /
1063			<select name="pdnpipe">
1064			<?php
1065			$dnqselected = 0;
1066			echo "<option value=\"none\"";
1067			if (!$dnqselected) echo " SELECTED";
1068			echo " >none</option>";
1069			foreach ($dnqlist as $dnq => $dnqkey) {
1070			if($dnq == "")
1071			continue;
1072			echo "<option value=\"$dnqkey\"";
1073			if ($dnqkey == $pconfig['pdnpipe']) {
1074			$dnqselected = 1;
1075			echo " SELECTED";
1076			}
1077			echo ">{$dnq}</option>";
1078			}
1079			?>
1080			</select>
1081			<br />
1082			<span class="vexpl">Choose the Out queue/Virtual interface only if you have selected In too. <br/> The Out selection is applied to traffic going out the interface the rule is created, In is the incoming one. <br/> If you are creating a rule on the Floating tab if the direction is In then the same rules apply, if the direction is out the selections are reverted Out is for incoming and In is for outgoing and if you do not select any direction use only the In since the Out selection does not make sense in there to prevent oddities.</span>
1083			</td>
1084			</tr>
1085
1086	197bfe96	Ermal Luçi	<tr>
1087			<td width="22%" valign="top" class="vncell">Ackqueue/Queue</td>
1088			<td width="78%" class="vtable">
1089			<select name="ackqueue">
1090			<?php
1091	21a0464c	Ermal Luçi	if (!is_array($qlist))
1092			$qlist = array();
1093	cca8d74e	Seth Mos	echo "<option value=\"none\"";
1094			if (!$qselected) echo " SELECTED";
1095			echo " >none</option>";
1096	21a0464c	Ermal Luçi	foreach ($qlist as $q => $qkey) {
1097	cca8d74e	Seth Mos	if($q == "")
1098			continue;
1099	197bfe96	Ermal Luçi	echo "<option value=\"$q\"";
1100			if ($q == $pconfig['ackqueue']) {
1101			$qselected = 1;
1102			echo " SELECTED";
1103			}
1104			echo ">{$q}</option>";
1105			}
1106			?>
1107			</select> /
1108			<select name="defaultqueue">
1109			<?php
1110			$qselected = 0;
1111	cca8d74e	Seth Mos	echo "<option value=\"none\"";
1112			if (!$qselected) echo " SELECTED";
1113			echo " >none</option>";
1114	21a0464c	Ermal Luçi	foreach ($qlist as $q => $qkey) {
1115	cca8d74e	Seth Mos	if($q == "")
1116			continue;
1117	197bfe96	Ermal Luçi	echo "<option value=\"$q\"";
1118			if ($q == $pconfig['defaultqueue']) {
1119			$qselected = 1;
1120			echo " SELECTED";
1121			}
1122			echo ">{$q}</option>";
1123			}
1124			?>
1125			</select>
1126			<br />
1127			<span class="vexpl">Choose the Acknowledge Queue only if you have selected Queue.</span>
1128			</td>
1129			</tr>
1130	7e50413c	Ermal Luçi	<tr>
1131			<td width="22%" valign="top" class="vncell">Layer7</td>
1132			<td width="78%" class="vtable">
1133			<select name="l7container">
1134			<?php
1135			if (!is_array($l7clist))
1136			$dnqlist = array();
1137			echo "<option value=\"none\"";
1138			echo " >none</option>";
1139			foreach ($l7clist as $l7ckey) {
1140			echo "<option value=\"{$l7ckey}\"";
1141			if ($l7ckey == $pconfig['l7container']) {
1142			echo " SELECTED";
1143			}
1144			echo ">{$l7ckey}</option>";
1145			}
1146			?>
1147			</select>
1148			<br/>
1149			<span class="vexpl">Choose a Layer7 container to apply application protocol inspection rules.
1150			This rule are valid for tcp and udp protocols for now.</span>
1151			</td>
1152			</tr>
1153	bca8e0ec	Scott Ullrich	<tr>
1154			<td width="22%" valign="top" class="vncell">Description</td>
1155			<td width="78%" class="vtable">
1156	b5c78501	Seth Mos	<input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>">
1157	bca8e0ec	Scott Ullrich	<br />
1158	586293d1	Scott Ullrich	<span class="vexpl">You may enter a description here for your reference.</span>
1159	bca8e0ec	Scott Ullrich	</td>
1160			</tr>
1161	8ab3e9ed	Erik Kristensen	<tr>
1162			<td width="22%" valign="top"> </td>
1163			<td width="78%">
1164			<input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
1165			<?php if (isset($id) && $a_filter[$id]): ?>
1166			<input name="id" type="hidden" value="<?=$id;?>">
1167			<?php endif; ?>
1168			<input name="after" type="hidden" value="<?=$after;?>">
1169			</td>
1170	82628210	Scott Ullrich	</tr>
1171	8ab3e9ed	Erik Kristensen	</table>
1172	5b237745	Scott Ullrich	</form>
1173			<script language="JavaScript">
1174			<!--
1175	8ab3e9ed	Erik Kristensen	ext_change();
1176			typesel_change();
1177			proto_change();
1178	19757279	Scott Ullrich
1179			<?php
1180	8ab3e9ed	Erik Kristensen	$isfirst = 0;
1181			$aliases = "";
1182			$addrisfirst = 0;
1183			$aliasesaddr = "";
1184			if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias']))
1185			foreach($config['aliases']['alias'] as $alias_name) {
1186			if(!stristr($alias_name['address'], ".")) {
1187			if($isfirst == 1) $aliases .= ",";
1188			$aliases .= "'" . $alias_name['name'] . "'";
1189			$isfirst = 1;
1190			} else {
1191			if($addrisfirst == 1) $aliasesaddr .= ",";
1192			$aliasesaddr .= "'" . $alias_name['name'] . "'";
1193			$addrisfirst = 1;
1194			}
1195	092ac49d	Scott Ullrich	}
1196	19757279	Scott Ullrich	?>
1197
1198	8ab3e9ed	Erik Kristensen	var addressarray=new Array(<?php echo $aliasesaddr; ?>);
1199			var customarray=new Array(<?php echo $aliases; ?>);
1200	19757279	Scott Ullrich
1201	5b237745	Scott Ullrich	//-->
1202			</script>
1203	8ab3e9ed	Erik Kristensen
1204
1205	5b237745	Scott Ullrich	<?php include("fend.inc"); ?>
1206			</body>
1207			</html>

Project

General

Profile

pfSense