diff options
| author | Chris Buechler <cmb@pfsense.org> | 2015-03-11 13:22:17 -0500 |
|---|---|---|
| committer | Chris Buechler <cmb@pfsense.org> | 2015-03-11 13:22:17 -0500 |
| commit | 87ca92d03c4a20424c298cd844b53536adff6328 (patch) | |
| tree | f5f44d9814076e77620ed29526c01d021504c27a | |
| parent | cd8ce13c29fb03714d90c4e9599b77aa1faa1a80 (diff) | |
| download | pfsense-87ca92d03c4a20424c298cd844b53536adff6328.zip pfsense-87ca92d03c4a20424c298cd844b53536adff6328.tar.gz | |
add granular control of state timeouts. Ticket #4509
| -rw-r--r-- | etc/inc/filter.inc | 51 | ||||
| -rw-r--r-- | usr/local/www/system_advanced_firewall.php | 198 |
2 files changed, 246 insertions, 3 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 3756ee9..7afd305 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -286,8 +286,57 @@ function filter_configure_sync($delete_states_if_needed = true) { if($config['system']['optimization'] == "conservative") { $limitrules .= "set timeout { udp.first 300, udp.single 150, udp.multiple 900 }\n"; } - } else + } else { $limitrules .= "set optimization normal\n"; + } + + $timeoutlist = ""; + if (isset($config['system']['tcpfirsttimeout']) && is_numericint($config['system']['tcpfirsttimeout'])) { + $timeoutlist .= " tcp.first {$config['system']['tcpfirsttimeout']} "; + } + if (isset($config['system']['tcpopeningtimeout']) && is_numericint($config['system']['tcpopeningtimeout'])) { + $timeoutlist .= " tcp.opening {$config['system']['tcpopeningtimeout']} "; + } + if (isset($config['system']['tcpestablishedtimeout']) && is_numericint($config['system']['tcpestablishedtimeout'])) { + $timeoutlist .= " tcp.established {$config['system']['tcpestablishedtimeout']} "; + } + if (isset($config['system']['tcpclosingtimeout']) && is_numericint($config['system']['tcpclosingtimeout'])) { + $timeoutlist .= " tcp.closing {$config['system']['tcpclosingtimeout']} "; + } + if (isset($config['system']['tcpfinwaittimeout']) && is_numericint($config['system']['tcpfinwaittimeout'])) { + $timeoutlist .= " tcp.finwait {$config['system']['tcpfinwaittimeout']} "; + } + if (isset($config['system']['tcpclosedtimeout']) && is_numericint($config['system']['tcpclosedtimeout'])) { + $timeoutlist .= " tcp.closed {$config['system']['tcpclosedtimeout']} "; + } + if (isset($config['system']['udpfirsttimeout']) && is_numericint($config['system']['udpfirsttimeout'])) { + $timeoutlist .= " udp.first {$config['system']['udpfirsttimeout']} "; + } + if (isset($config['system']['udpsingletimeout']) && is_numericint($config['system']['udpsingletimeout'])) { + $timeoutlist .= " udp.single {$config['system']['udpsingletimeout']} "; + } + if (isset($config['system']['udpmultipletimeout']) && is_numericint($config['system']['udpmultipletimeout'])) { + $timeoutlist .= " udp.multiple {$config['system']['udpmultipletimeout']} "; + } + if (isset($config['system']['icmpfirsttimeout']) && is_numericint($config['system']['icmpfirsttimeout'])) { + $timeoutlist .= " icmp.first {$config['system']['icmpfirsttimeout']} "; + } + if (isset($config['system']['icmperrortimeout']) && is_numericint($config['system']['icmperrortimeout'])) { + $timeoutlist .= " icmp.error {$config['system']['icmperrortimeout']} "; + } + if (isset($config['system']['otherfirsttimeout']) && is_numericint($config['system']['otherfirsttimeout'])) { + $timeoutlist .= " other.first {$config['system']['otherfirsttimeout']} "; + } + if (isset($config['system']['othersingletimeout']) && is_numericint($config['system']['othersingletimeout'])) { + $timeoutlist .= " other.single {$config['system']['othersingletimeout']} "; + } + if (isset($config['system']['othermultipletimeout']) && is_numericint($config['system']['othermultipletimeout'])) { + $timeoutlist .= " other.multiple {$config['system']['othermultipletimeout']} "; + } + + if ($timeoutlist <> "") { + $limitrules .= "set timeout { $timeoutlist }\n"; + } if (!empty($config['system']['adaptivestart']) && !empty($config['system']['adaptiveend'])) $limitrules .= "set timeout { adaptive.start {$config['system']['adaptivestart']}, adaptive.end {$config['system']['adaptiveend']} }\n"; diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php index 43c985e..b24a781 100644 --- a/usr/local/www/system_advanced_firewall.php +++ b/usr/local/www/system_advanced_firewall.php @@ -71,6 +71,20 @@ $pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']); $pconfig['disablescrub'] = isset($config['system']['disablescrub']); $pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']); $pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']); +$pconfig['tcpfirsttimeout'] = $config['system']['tcpfirsttimeout']; +$pconfig['tcpopeningtimeout'] = $config['system']['tcpopeningtimeout']; +$pconfig['tcpestablishedtimeout'] = $config['system']['tcpestablishedtimeout']; +$pconfig['tcpclosingtimeout'] = $config['system']['tcpclosingtimeout']; +$pconfig['tcpfinwaittimeout'] = $config['system']['tcpfinwaittimeout']; +$pconfig['tcpclosedtimeout'] = $config['system']['tcpclosedtimeout']; +$pconfig['udpfirsttimeout'] = $config['system']['udpfirsttimeout']; +$pconfig['udpsingletimeout'] = $config['system']['udpsingletimeout']; +$pconfig['udpmultipletimeout'] = $config['system']['udpmultipletimeout']; +$pconfig['icmpfirsttimeout'] = $config['system']['icmpfirsttimeout']; +$pconfig['icmperrortimeout'] = $config['system']['icmperrortimeout']; +$pconfig['otherfirsttimeout'] = $config['system']['otherfirsttimeout']; +$pconfig['othersingletimeout'] = $config['system']['othersingletimeout']; +$pconfig['othermultipletimeout'] = $config['system']['othermultipletimeout']; if ($_POST) { @@ -101,6 +115,48 @@ if ($_POST) { if ($_POST['reflectiontimeout'] && !is_numericint($_POST['reflectiontimeout'])) { $input_errors[] = gettext("The Reflection timeout must be an integer."); } + if ($_POST['tcpfirsttimeout'] && !is_numericint($_POST['tcpfirsttimeout'])) { + $input_errors[] = gettext("The TCP first timeout value must be an integer."); + } + if ($_POST['tcpopeningtimeout'] && !is_numericint($_POST['tcpopeningtimeout'])) { + $input_errors[] = gettext("The TCP opening timeout value must be an integer."); + } + if ($_POST['tcpestablishedtimeout'] && !is_numericint($_POST['tcpestablishedtimeout'])) { + $input_errors[] = gettext("The TCP established timeout value must be an integer."); + } + if ($_POST['tcpclosingtimeout'] && !is_numericint($_POST['tcpclosingtimeout'])) { + $input_errors[] = gettext("The TCP closing timeout value must be an integer."); + } + if ($_POST['tcpfinwaittimeout'] && !is_numericint($_POST['tcpfinwaittimeout'])) { + $input_errors[] = gettext("The TCP FIN wait timeout value must be an integer."); + } + if ($_POST['tcpclosedtimeout'] && !is_numericint($_POST['tcpclosedtimeout'])) { + $input_errors[] = gettext("The TCP closed timeout value must be an integer."); + } + if ($_POST['udpfirsttimeout'] && !is_numericint($_POST['udpfirsttimeout'])) { + $input_errors[] = gettext("The UDP first timeout value must be an integer."); + } + if ($_POST['udpsingletimeout'] && !is_numericint($_POST['udpsingletimeout'])) { + $input_errors[] = gettext("The UDP single timeout value must be an integer."); + } + if ($_POST['udpmultipletimeout'] && !is_numericint($_POST['udpmultipletimeout'])) { + $input_errors[] = gettext("The UDP multiple timeout value must be an integer."); + } + if ($_POST['icmpfirsttimeout'] && !is_numericint($_POST['icmpfirsttimeout'])) { + $input_errors[] = gettext("The ICMP first timeout value must be an integer."); + } + if ($_POST['icmperrortimeout'] && !is_numericint($_POST['icmperrortimeout'])) { + $input_errors[] = gettext("The ICMP error timeout value must be an integer."); + } + if ($_POST['otherfirsttimeout'] && !is_numericint($_POST['otherfirsttimeout'])) { + $input_errors[] = gettext("The Other first timeout value must be an integer."); + } + if ($_POST['othersingletimeout'] && !is_numericint($_POST['othersingletimeout'])) { + $input_errors[] = gettext("The Other single timeout value must be an integer."); + } + if ($_POST['othermultipletimeout'] && !is_numericint($_POST['othermultipletimeout'])) { + $input_errors[] = gettext("The Other multiple timeout value must be an integer."); + } ob_flush(); flush(); @@ -150,6 +206,77 @@ if ($_POST) { $config['system']['aliasesresolveinterval'] = $_POST['aliasesresolveinterval']; $config['system']['maximumtableentries'] = $_POST['maximumtableentries']; + if (!empty($_POST['tcpfirsttimeout'])) { + $config['system']['tcpfirsttimeout'] = $_POST['tcpfirsttimeout']; + } else { + unset($config['system']['tcpfirsttimeout']); + } + if (!empty($_POST['tcpopeningtimeout'])) { + $config['system']['tcpopeningtimeout'] = $_POST['tcpopeningtimeout']; + } else { + unset($config['system']['tcpopeningtimeout']); + } + if (!empty($_POST['tcpestablishedtimeout'])) { + $config['system']['tcpestablishedtimeout'] = $_POST['tcpestablishedtimeout']; + } else { + unset($config['system']['tcpestablishedtimeout']); + } + if (!empty($_POST['tcpclosingtimeout'])) { + $config['system']['tcpclosingtimeout'] = $_POST['tcpclosingtimeout']; + } else { + unset($config['system']['tcpclosingtimeout']); + } + if (!empty($_POST['tcpfinwaittimeout'])) { + $config['system']['tcpfinwaittimeout'] = $_POST['tcpfinwaittimeout']; + } else { + unset($config['system']['tcpfinwaittimeout']); + } + if (!empty($_POST['tcpclosedtimeout'])) { + $config['system']['tcpclosedtimeout'] = $_POST['tcpclosedtimeout']; + } else { + unset($config['system']['tcpclosedtimeout']); + } + if (!empty($_POST['udpfirsttimeout'])) { + $config['system']['udpfirsttimeout'] = $_POST['udpfirsttimeout']; + } else { + unset($config['system']['udpfirsttimeout']); + } + if (!empty($_POST['udpsingletimeout'])) { + $config['system']['udpsingletimeout'] = $_POST['udpsingletimeout']; + } else { + unset($config['system']['udpsingletimeout']); + } + if (!empty($_POST['udpmultipletimeout'])) { + $config['system']['udpmultipletimeout'] = $_POST['udpmultipletimeout']; + } else { + unset($config['system']['udpmultipletimeout']); + } + if (!empty($_POST['icmpfirsttimeout'])) { + $config['system']['icmpfirsttimeout'] = $_POST['icmpfirsttimeout']; + } else { + unset($config['system']['icmpfirsttimeout']); + } + if (!empty($_POST['icmperrortimeout'])) { + $config['system']['icmperrortimeout'] = $_POST['icmperrortimeout']; + } else { + unset($config['system']['icmperrortimeout']); + } + if (!empty($_POST['otherfirsttimeout'])) { + $config['system']['otherfirsttimeout'] = $_POST['otherfirsttimeout']; + } else { + unset($config['system']['otherfirsttimeout']); + } + if (!empty($_POST['othersingletimeout'])) { + $config['system']['othersingletimeout'] = $_POST['othersingletimeout']; + } else { + unset($config['system']['othersingletimeout']); + } + if (!empty($_POST['othermultipletimeout'])) { + $config['system']['othermultipletimeout'] = $_POST['othermultipletimeout']; + } else { + unset($config['system']['othermultipletimeout']); + } + if($_POST['natreflection'] == "proxy") { unset($config['system']['disablenatreflection']); unset($config['system']['enablenatreflectionpurenat']); @@ -547,13 +674,80 @@ function update_description(itemnum) { echo "<option></option>"; ?> </select> - <strong><?=gettext("Choose the interfaces where you want TFTP proxy helper to be enabled.");?></strong> + <br/><strong><?=gettext("Choose the interfaces where you want TFTP proxy helper to be enabled.");?></strong> + </td> + </tr> + <?php endif; ?> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("State Timeouts");?></td> + </tr> + <tr> + <td colspan="2"> + <strong><?=gettext("NOTE: The options below should usually be left at their defaults, as chosen by Firewall Optimization Options above. Click the Help link on this page for information.");?> </strong> + </td> + <br /> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("TCP Timeouts");?></td> + <td width="78%" class="vtable"> + <strong><?=gettext("TCP First: ");?></strong><input name="tcpfirsttimeout" id="tcpfirsttimeout" value="<?php echo $config['system']['tcpfirsttimeout']; ?>" /> <br/> + <?=gettext("Enter value for TCP first timeout in seconds. Leave blank for default (recommended).");?> + <br/><br/> + <strong><?=gettext("TCP Opening: ");?></strong><input name="tcpopeningtimeout" id="tcpopeningtimeout" value="<?php echo $config['system']['tcpopeningtimeout']; ?>" /><br /> + <?=gettext("Enter value for TCP opening timeout in seconds. Leave blank for default (recommended).");?> + <br/><br/> + <strong><?=gettext("TCP Established: ");?></strong><input name="tcpestablishedtimeout" id="tcpestablishedtimeout" value="<?php echo $config['system']['tcpestablishedtimeout']; ?>" /><br /> + <?=gettext("Enter value for TCP established timeout in seconds. Leave blank for default (recommended).");?> + <br/><br/> + <strong><?=gettext("TCP Closing: ");?></strong><input name="tcpclosingtimeout" id="tcpclosingtimeout" value="<?php echo $config['system']['tcpclosingtimeout']; ?>" /><br /> + <?=gettext("Enter value for TCP closing timeout in seconds. Leave blank for default (recommended).");?> + <br/><br/> + <strong><?=gettext("TCP FIN Wait: ");?></strong><input name="tcpfinwaittimeout" id="tcpfinwaittimeout" value="<?php echo $config['system']['tcpfinwaittimeout']; ?>" /><br /> + <?=gettext("Enter value for TCP FIN wait timeout in seconds. Leave blank for default (recommended).");?> + <br/><br/> + <strong><?=gettext("TCP Closed: ");?></strong><input name="tcpclosedtimeout" id="tcpclosedtimeout" value="<?php echo $config['system']['tcpclosedtimeout']; ?>" /><br /> + <?=gettext("Enter value for TCP closed timeout in seconds. Leave blank for default (recommended).");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("UDP Timeouts");?></td> + <td width="78%" class="vtable"> + <strong><?=gettext("UDP First: ");?></strong><input name="udpfirsttimeout" id="udpfirsttimeout" value="<?php echo $config['system']['udpfirsttimeout']; ?>" /><br /> + <?=gettext("Enter value for UDP first timeout in seconds. Leave blank for default (recommended).");?> + <br /><br /> + <strong><?=gettext("UDP Single: ");?></strong><input name="udpsingletimeout" id="udpsingletimeout" value="<?php echo $config['system']['udpsingletimeout']; ?>" /><br /> + <?=gettext("Enter value for UDP single timeout in seconds. Leave blank for default (recommended).");?> + <br /><br /> + <strong><?=gettext("UDP Multiple: ");?></strong><input name="udpmultipletimeout" id="udpmultipletimeout" value="<?php echo $config['system']['udpmultipletimeout']; ?>" /><br /> + <?=gettext("Enter value for UDP multiple timeout in seconds. Leave blank for default (recommended).");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("ICMP Timeouts");?></td> + <td width="78%" class="vtable"> + <strong><?=gettext("ICMP First: ");?></strong><input name="icmpfirsttimeout" id="icmpfirsttimeout" value="<?php echo $config['system']['icmpfirsttimeout']; ?>" /><br /> + <?=gettext("Enter value for ICMP first timeout in seconds. Leave blank for default (recommended).");?> + <br /><br /> + <strong><?=gettext("ICMP Error: ");?></strong><input name="icmperrortimeout" id="icmperrortimeout" value="<?php echo $config['system']['icmperrortimeout']; ?>" /><br /> + <?=gettext("Enter value for ICMP error timeout in seconds. Leave blank for default (recommended).");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Other Timeouts");?></td> + <td width="78%" class="vtable"> + <strong><?=gettext("Other First: ");?></strong><input name="otherfirsttimeout" id="otherfirsttimeout" value="<?php echo $config['system']['otherfirsttimeout']; ?>" /><br /> + <?=gettext("Enter value for Other first timeout in seconds. Leave blank for default (recommended).");?> + <br /><br /> + <strong><?=gettext("Other Single: ");?></strong><input name="othersingletimeout" id="othersingletimeout" value="<?php echo $config['system']['othersingletimeout']; ?>" /><br /> + <?=gettext("Enter value for Other single timeout in seconds. Leave blank for default (recommended).");?> + <br /><br /> + <strong><?=gettext("Other Multiple: ");?></strong><input name="othermultipletimeout" id="othermultipletimeout" value="<?php echo $config['system']['othermultipletimeout']; ?>" /><br /> + <?=gettext("Enter value for Other multiple timeout in seconds. Leave blank for default (recommended).");?> </td> </tr> <tr> <td colspan="2" class="list" height="12"> </td> </tr> - <?php endif; ?> <tr> <td width="22%" valign="top"> </td> <td width="78%"><input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /></td> |
