summaryrefslogtreecommitdiffstats
path: root/usr/local/www/firewall_rules_edit.php
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'master-br' of https://github.com/ayvis/pfsense into ↵Renato Botelho2014-03-171-23/+23
|\ | | | | | | ayvis-master-br
| * xhtml Complianceayvis2014-03-141-23/+23
| | | | | | replaced <br>, <br/> and </br> with <br />
* | standardize on www.pfsense.org and HTTPS, point package URLs toChris Buechler2014-03-141-1/+1
|/ | | | packages.pfsense.org
* Improve checks for params 'id', 'dup' and other similar ones to make sure ↵Renato Botelho2014-03-121-10/+11
| | | | they are numeric integer, also, pass them through htmlspecialchars() before print
* Validate rule Advanced Options numeric entriesPhil Davis2014-03-111-7/+35
| | | | | | | | This makes sure the user puts in ordinary positive integers like "1" and "42" in these advanced options fields. It prevents everything else, including dodgy-looking possibilities like "007" which might actually work OK, but it is safer to allow just plain "7". Note 1: The tests in function is_aoadv_used($rule_config) had to be changed back from using empty() to use $var != "" because if the user enters "0" in one of those fields and presses save, they get an error message, but the Advanced Options block on the GUI is closed (the "0" was considered empty()). That seemed rather confusing - the user would have had to click on the Advanced Options "Advanced" button again to open up that block and see the "0" they had entered. Note 2: I have prohibited 2 things that "pf" allows into the ruleset without generating an error: (max 0) (tcp.established 0) Both of these seem (IMHO) to have no valid use case. They would prevent states from ever happening, and so would effectively be block rules, which could be implemented easily as block rules.
* Merge pull request #997 from phil-davis/masterRenato Botelho2014-03-071-2/+19
|\ | | | | Make Firewall Rules Advanced Options open if used
| * Refine check for existence of rule advanced optionsPhil Davis2014-03-061-9/+10
| |
| * Make Firewall Rules Advanced Options open if usedPhil Davis2014-03-041-2/+18
| | | | | | | | Currently, if there are some settings defined in Firewall Rules Edit, Advanced Features, Advanced Options, the Advanced Options section is left minimized when the Firewall Edit screen is displayed. This makes it easy for a user to not notice that there are some Advanced Options settings. This change makes the Advanced Options section be displayed if any of the settings are defined, in the same way it is done for all the other Advanced Features sections.
* | Merge pull request #984 from phil-davis/masterRenato Botelho2014-03-041-18/+12
|\ \ | |/ | | Return GWG IP protocol (version) when no gateway IP
| * Tidy up GWG dropdown selection testsPhil Davis2014-02-281-11/+7
| | | | | | Tested this making a new rule, and editing existing IPv4, IPv6 and IPv4+Ipv6 rules, and switching the IP version on an existing rule. Seems to work!
| * Tidy "gateway name - IP" in dropdown listPhil Davis2014-02-281-1/+2
| | | | | | While I notice this also, for a plain gateway, the current IP address is also listed in the dropdown list text, like "WAN_DHCP - 10.42.11.1". If there is no IP address currently, it might say "WAN_DHCP - dynamic". But for some DHCP gateways that have not had any non-default manual settings done, it can say "OPT1_DHCP -". This gets rid of the silly-looking "-"
| * Use return_gateway_groups_array() to build correct GWG listPhil Davis2014-02-271-10/+7
| | | | | | Now return_gateway_groups_array() always returns at least the IP version 'ipprotocol' of each GWG, even if all its members are down at present. It is better to use this to check what IP version the GWG is. The previous check was using the IP address of the first member of the GWG to deduce 'ipprotocol'. That would fail if the WAN was DHCP and was down.
* | Validate if src OR dst have IP address set when protocol is IPv4+v6. Fixes #3499Renato Botelho2014-03-031-3/+3
|/
* Port dropdowns: Put port no. after descripstilez2014-02-251-4/+4
| | | | | At the moment, even if a port number is entered, it's re-displayed only as a port name when editing. Users who don't have port names -> numbers lookup memorised can't easily confirm when editing a rule, that the port is as intended. Then, when they return to firewall_rules.php the same rules have ports displayed as numbers not names (inconsistent). This small UI edit changes the port dropdowns from just the name "NetBIOS-NS" to "NetBIOS-NS (137)" and shows the very well known port number, for ease of use.
* Update firewall_rules_edit.phpWild Stray2014-02-221-1/+1
| | | PIM protocol for firewall rules.
* Change string to "Maximum new connections per host / per second(s)"Daniel Aleksandersen2014-02-131-4/+4
| | | | | | | Clarifying the setting's meaning. As suggested by forum member "Senser" on https://forum.pfsense.org/index.php/topic,65472.msg356024.html#msg356024
* Standardise LAN net displayPhil Davis2014-02-071-2/+2
| | | On the main firewall rules multi-rule display it shows "LAN net" "WAN net" etc. But on the edit screen it shows "LAN subnet" "WAN subnet" etc. Make the edit screen have the same text as the main screen - this has ben a source of enough little questions/queries on the forum.
* added input hidden with tracker valuebruno2014-01-161-4/+6
|
* Generate a tracker id for the filter rules for now. Maybe for nat rules as well?Ermal2013-12-311-0/+4
|
* Add an option to set no-sync on rules to keep states from being synced via ↵Renato Botelho2013-11-121-3/+16
| | | | pfsync. Fix #2501
* Remove call-time pass by reference for do_input_validation, helps ticket #2565Renato Botelho2013-09-121-1/+1
|
* s/require/require_once/g for filter.inc to avoid redeclaration errors in ↵jim-p2013-08-281-1/+1
| | | | some rare cases.
* Relax advanced options firewall rules testsPhil Davis2013-08-141-12/+3
| | | | Various advanced options are now possible for any protocol since https://github.com/pfsense/pfsense/commit/653bde345e8f960de5bc745fe74e64d8ef3fd2d3 So allow these through the front-end GUI validation also.
* Allow advanced options state-related parameters to be used for TCP, UDP and ICMPPhil Davis2013-07-241-13/+16
| | | Allows the state-related parameters to be specified for UDP and ICMP as well as TCP. Discussed in forum http://forum.pfsense.org/index.php/topic,64653.0.html
* Validate firewall rule advanced options requirementsPhil Davis2013-07-221-0/+45
| | | | | Checks that the user has selected a TCP Pass rule etc when using the state-related advanced options. Validates as per the checks that are applied in filter.inc when generating the actual pf rules. Forum discussion: http://forum.pfsense.org/index.php/topic,64653.15.html Bug report #3098
* Implement URL Table aliases for ports instead of IP addressesRenato Botelho2013-07-081-1/+1
|
* Add support for protocol 41 in rules. Fixes #3007.Daniel Becker2013-07-071-1/+1
|
* Add a new alias type, URLs containing PortsRenato Botelho2013-07-041-1/+1
|
* Fix whitespace and indentRenato Botelho2013-04-231-91/+90
|
* Fixed 802.1p duplicating values for vlanprio and vlanpriosettimdufrane2013-04-111-1/+13
| | | For real this time. Friggin' github.
* Clean inconsistent "none" and empty conventions for advanced fields - ↵timdufrane2013-04-111-24/+24
| | | | removes residual "none" entries on save
* Fix none where should be empty string for 802.1ptimdufrane2013-04-101-1/+1
|
* Tidy up "firewall_rules_edit.php" XHTMLColin Fleming2013-04-091-139/+135
| | | | | | | Close INPUT, BR and IMG tags and add ALT to IMG tags Update HTML boolean operators Add missing closing P tags Remove NAME paramenter from TR and DIV tags, invalid HTML
* Track user/time a firewall rule was created and last updated, and show this ↵jim-p2013-03-201-0/+40
| | | | information at the bottom of the page when viewing the firewall rule. Have various places in the system that create rules add a proper entry to indicate their origin.
* Set (src|dst)mask to 128 for single IPv6 addresses. Fixes #2451Renato Botelho2013-02-161-2/+8
|
* Deal correct with bitmask for ipv6 on destination, same we did for src. If ↵Renato Botelho2013-02-131-1/+7
| | | | fixes #2451
* Refine the test for Ticket #2451 to check for aliases as wellErmal2013-02-131-5/+7
|
* Warn users that nosync option won't prevent it to be overwritten on carp ↵Renato Botelho2013-02-131-1/+1
| | | | slave members
* Deal correct with /32 subnet mask for ipv6 addresses. If fixes #2451Renato Botelho2013-02-131-1/+5
|
* Display gateways with matching IP protocol in Gateways listPhil Davis2013-01-081-2/+2
| | | | Some gateways do not have traditional addresses hard-coded into them - e.g. for OpenVPN dynamic gateways are created in software on-the-fly (they are not actually entries in the config). So traditional tests like is_ipaddrv4 are not useful to determine if the gateway is IPv4 or IPv6. return_gateways_array() fills in an "ipprotocol" entry for each returned gateway ("inet" or "inet6"), as well as the "gateway" address field. This can be used to determine if the gateway is for IPv4 or IPv6.
* Fixes #1575. Allow Match option to be used with limiters as well. The ↵Ermal2012-11-271-4/+1
| | | | support is there in kernel so allow rules to be configured on this.
* To allow limiters to work correctly on mutliwan for now enforce selecting a ↵Ermal2012-11-161-0/+2
| | | | gateway on outgoing
* Encode the interface parameter before using it in a redirectjim-p2012-10-311-1/+1
|
* Fix warning when no gateway groupsPhil Davis2012-10-241-15/+17
| | | If there are no gateway groups defined, and you save a rule that has an ordinary gateway selected in "Advanced Features - Gateway", then a warning is emitted when trying to traverse an empty gateway groups array at line 214.
* Refine saving/applying on more pages - don't show apply or take an action ↵jim-p2012-10-091-2/+1
| | | | unless the user is allowed to do that.
* Don't offer to apply changes if no changes actually happened.jim-p2012-10-091-2/+3
|
* remove bunk input validationChris Buechler2012-09-091-3/+0
|
* Activate new shortcuts/status in the rest of the areas that are currently setup.jim-p2012-08-101-2/+1
|
* Fixes #2428. Reference limiters in rules by name to avoid issues. Also put ↵Ermal2012-06-011-13/+13
| | | | upgrade code for existing configs. The same fix is necessary for 2.0.x though not sure how this should be committed there.
* Add a inet46 filter type on the firewall rules page. I have locked down a ↵smos2012-05-311-1/+23
| | | | | | | few of the most common limitations. Still arguing if we should lock this down even further to aliases only. Redmine ticket #2466
OpenPOWER on IntegriCloud