author | Luiz Otavio O Souza <luiz@netgate.com> | 2016-01-28 04:58:18 -0600 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2016-01-28 05:12:47 -0600 |
commit | cc2cff0b9be33eaea6c947f1fffc746895fd24fe (patch) | |
tree | b2d1aa4bc51af8d0587b3217cfaa7dc323d6fa2a /src/etc | |
parent | 7ffd90780c83615d6619a5f558634ad153c9218e (diff) | |
download | pfsense-cc2cff0b9be33eaea6c947f1fffc746895fd24fe.zip pfsense-cc2cff0b9be33eaea6c947f1fffc746895fd24fe.tar.gz |
Show rule state details in firewall rules.
Inspired by pull request #1901 from marcelloc/hitcount_23_02.
State visualization and kill will be committed in a subsequent commit.
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/filter.inc | 36 | ||||
-rw-r--r-- | src/etc/inc/util.inc | 13 |
2 files changed, 38 insertions, 11 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index 611425e..18c4cc3 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -136,8 +136,19 @@ $icmp6types = array( "mtrace" => gettext("mtrace messages") ); -global $tracker; -global $negate_tracker; +/* + * Fixed tracker values (used to group and track usage in GUI): + * + * bogons rules: 10000 + * anti-lockout rules: 11000 + * RFC1918 rules: 12000 + * + */ + +define("ANTILOCKOUT_TRACKER", 10000); +define("BOGONS_TRACKER", 11000); +define("RFC1918_TRACKER", 12000); + $tracker = 1000000000; $negate_tracker = 10000000; @@ -3271,10 +3282,11 @@ EOD; } if (isset($config['interfaces'][$on]['blockbogons'])) { + $bogons_tracker = BOGONS_TRACKER; $ipfrules .= <<<EOD # block bogon networks (IPv4) # http://www.cymru.com/Documents/bogon-bn-nonagg.txt -block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}" +block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker $bogons_tracker label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}" EOD; @@ -3282,7 +3294,7 @@ EOD; $ipfrules .= <<<EOD # block bogon networks (IPv6) # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt -block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}" +block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker $bogons_tracker label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}" EOD; } 
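Review bot: The header comment added in the first hunk lists bogons as 10000 and anti-lockout as 11000, but the `define()` lines directly below it assign `ANTILOCKOUT_TRACKER` 10000 and `BOGONS_TRACKER` 11000, so the comment and the code disagree and anyone using the comment to interpret a tracker value in the firewall log will attribute the hit to the wrong rule family. Either swap the two constants or correct the comment to ` * anti-lockout rules: 10000` and ` * bogons rules: 11000` so it matches what is generated. It would also help to state in that comment that the fixed ids must stay well below the dynamic ranges that start at `$negate_tracker = 10000000` and `$tracker = 1000000000`, since the only thing keeping them from colliding with auto-assigned ids is that ordering.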
@@ -3317,13 +3329,14 @@ EOD; if (isset($config['interfaces'][$on]['blockpriv'])) { if ($isbridged == false) { + $rfc1918_tracker = RFC1918_TRACKER; $ipfrules .= <<<EOD # block anything from private networks on interfaces with the option set -block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}" -block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}" -block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}" -block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}" -block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}" +block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}" +block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}" +block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}" +block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}" +block in $privnetlog quick on 
\${$oc['descr']} from fc00::/7 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}" EOD; } @@ -3533,6 +3546,7 @@ EOD; if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) { $alports = filter_get_antilockout_ports(); + $lockout_tracker = ANTILOCKOUT_TRACKER; if (count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) { /* if antilockout is enabled, LAN exists and has * an IP and subnet mask assigned @@ -3540,7 +3554,7 @@ EOD; $lanif = $FilterIflist['lan']['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" +pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker $lockout_tracker keep state label "anti-lockout rule" EOD; } else if (count($config['interfaces']) == 1) { @@ -3548,7 +3562,7 @@ EOD; $wanif = $FilterIflist["wan"]['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule" +pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker $lockout_tracker keep state label "anti-lockout rule" EOD; } diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index c767f25..347219e 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc 
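Review bot: The local set at the top of the blockpriv hunk, `$rfc1918_tracker = RFC1918_TRACKER;`, is also applied to the 127.0.0.0/8 and fc00::/7 rules, which are not RFC 1918 space; the grouping looks intentional since the `blockpriv` option emits all five rules together, but a comment such as `/* one shared tracker for every blockpriv rule, including loopback and ULA */` would keep a reader from assuming the name is exhaustive. Because every interface with `blockpriv` now emits these rules with the same tracker, the tracker value alone no longer identifies which interface or which source range matched; the rule label and the interface field in the log still do, so anything downstream that relied on tracker ids being unique per rule should be checked. The enclosing function starts before this hunk.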
@@ -1724,6 +1724,19 @@ function format_bytes($bytes) { } } +function format_number($num, $precision = 3) { + $units = array('', 'K', 'M', 'G', 'T'); + + $i = 0; + while ($num > 1000 && $i < count($units)) { + $num /= 1000; + $i++; + } + round($num, $precision); + + return ("$num {$units[$i]}"); +} + function update_filter_reload_status($text) { global $g; |
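Review bot: `round($num, $precision);` in the new `format_number` discards its return value, so the number is never rounded and the returned string carries the full-precision float; it should read `$num = round($num, $precision);`. The loop bound `$i < count($units)` also lets `$i` reach `count($units)` when a value above 1000 T is divided one more time, at which point `$units[$i]` is an undefined offset and PHP emits a notice; `$i < count($units) - 1` keeps the index in range. The function is complete within the hunk.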