.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgment:
* "This product includes software developed by the pfSense Project
* for use in the pfSense® software distribution. (http://www.pfsense.org/).
*
* 4. The names "pfSense" and "pfSense Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* coreteam@pfsense.org.
*
* 5. Products derived from this software may not be called "pfSense"
* nor may "pfSense" appear in their names without prior written
* permission of the Electric Sheep Fencing, LLC.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
*
* "This product includes software developed by the pfSense Project
* for use in the pfSense software distribution (http://www.pfsense.org/).
*
* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
##|+PRIV
##|*IDENT=page-firewall-rules
##|*NAME=Firewall: Rules
##|*DESCR=Allow access to the 'Firewall: Rules' page.
##|*MATCH=firewall_rules.php*
##|-PRIV
require_once("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("shaper.inc");
$XmoveTitle = gettext("Move checked rules above this one. Shift+Click to move checked rules below.");
$ShXmoveTitle = gettext("Move checked rules below this one. Release shift to move checked rules above.");
$pgtitle = array(gettext("Firewall"), gettext("Rules"));
$shortcut_section = "firewall";
function get_pf_rules($rules, $tracker) {
if ($rules == NULL || !is_array($rules))
return (NULL);
$arr = array();
foreach ($rules as $rule) {
if ($rule['tracker'] === $tracker) {
$arr[] = $rule;
}
}
if (count($arr) == 0)
return (NULL);
return ($arr);
}
function print_states($tracker) {
global $rulescnt;
$rulesid = "";
$bytes = 0;
$states = 0;
$packets = 0;
$evaluations = 0;
$stcreations = 0;
$rules = get_pf_rules($rulescnt, $tracker);
if (is_array($rules)) {
foreach ($rules as $rule) {
$bytes += $rule['bytes'];
$states += $rule['states'];
$packets += $rule['packets'];
$evaluations += $rule['evaluations'];
$stcreations += $rule['state creations'];
if (strlen($rulesid) > 0) {
$rulesid .= ",";
}
$rulesid .= "{$rule['id']}";
}
}
printf("packets: %s
bytes: %s
states: %s
state creations: %s\" data-html=\"true\">",
format_number($evaluations), format_number($packets), format_bytes($bytes),
format_number($states), format_number($stcreations));
printf("%d/%s
", format_number($states), format_bytes($bytes));
}
function delete_nat_association($id) {
global $config;
if (!$id || !is_array($config['nat']['rule'])) {
return;
}
$a_nat = &$config['nat']['rule'];
foreach ($a_nat as &$natent) {
if ($natent['associated-rule-id'] == $id) {
$natent['associated-rule-id'] = '';
}
}
}
if (!is_array($config['filter']['rule'])) {
$config['filter']['rule'] = array();
}
filter_rules_sort();
$a_filter = &$config['filter']['rule'];
$if = $_GET['if'];
if ($_POST['if']) {
$if = $_POST['if'];
}
$ifdescs = get_configured_interface_with_descr();
/* add group interfaces */
if (is_array($config['ifgroups']['ifgroupentry'])) {
foreach ($config['ifgroups']['ifgroupentry'] as $ifgen) {
if (have_ruleint_access($ifgen['ifname'])) {
$iflist[$ifgen['ifname']] = $ifgen['ifname'];
}
}
}
foreach ($ifdescs as $ifent => $ifdesc) {
if (have_ruleint_access($ifent)) {
$iflist[$ifent] = $ifdesc;
}
}
if ($config['l2tp']['mode'] == "server") {
if (have_ruleint_access("l2tp")) {
$iflist['l2tp'] = gettext("L2TP VPN");
}
}
if (is_array($config['pppoes']['pppoe'])) {
foreach ($config['pppoes']['pppoe'] as $pppoes) {
if (($pppoes['mode'] == 'server') && have_ruleint_access("pppoe")) {
$iflist['pppoe'] = gettext("PPPoE Server");
}
}
}
/* add ipsec interfaces */
if (ipsec_enabled() && have_ruleint_access("enc0")) {
$iflist["enc0"] = gettext("IPsec");
}
/* add openvpn/tun interfaces */
if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"]) {
$iflist["openvpn"] = gettext("OpenVPN");
}
if (!$if || !isset($iflist[$if])) {
if ("any" == $if) {
$if = "FloatingRules";
} else if ("FloatingRules" != $if) {
if (isset($iflist['wan'])) {
$if = "wan";
} else {
$if = "FloatingRules";
}
}
}
if ($_POST) {
$pconfig = $_POST;
if ($_POST['apply']) {
$retval = 0;
$retval = filter_configure();
clear_subsystem_dirty('filter');
$savemsg = sprintf(gettext("The settings have been applied. The firewall rules are now reloading in the background.
%s Monitor %s the reload progress."),
"", "");
}
}
if ($_GET['act'] == "del") {
if ($a_filter[$_GET['id']]) {
if (!empty($a_filter[$_GET['id']]['associated-rule-id'])) {
delete_nat_association($a_filter[$_GET['id']]['associated-rule-id']);
}
unset($a_filter[$_GET['id']]);
// Update the separators
$a_separators = &$config['filter']['separator'][strtolower($if)];
$ridx = ifridx($if, $_GET['id']); // get rule index within interface
$mvnrows = -1;
move_separators($a_separators, $ridx, $mvnrows);
if (write_config()) {
mark_subsystem_dirty('filter');
}
header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
exit;
}
}
// Handle save msg if defined
if ($_REQUEST['savemsg']) {
$savemsg = htmlentities($_REQUEST['savemsg']);
}
if (isset($_POST['del_x'])) {
/* delete selected rules */
$deleted = false;
if (is_array($_POST['rule']) && count($_POST['rule'])) {
$a_separators = &$config['filter']['separator'][strtolower($if)];
foreach ($_POST['rule'] as $rulei) {
delete_nat_association($a_filter[$rulei]['associated-rule-id']);
unset($a_filter[$rulei]);
$deleted = true;
// Update the separators
$ridx = ifridx($if, $rulei); // get rule index within interface
$mvnrows = -1;
move_separators($a_separators, $ridx, $mvnrows);
}
if ($deleted) {
if (write_config()) {
mark_subsystem_dirty('filter');
}
}
header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
exit;
}
} else if ($_GET['act'] == "toggle") {
if ($a_filter[$_GET['id']]) {
if (isset($a_filter[$_GET['id']]['disabled'])) {
unset($a_filter[$_GET['id']]['disabled']);
} else {
$a_filter[$_GET['id']]['disabled'] = true;
}
if (write_config()) {
mark_subsystem_dirty('filter');
}
header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
exit;
}
} else if ($_POST['order-store']) {
/* update rule order, POST[rule] is an array of ordered IDs */
if (is_array($_POST['rule']) && !empty($_POST['rule'])) {
$a_filter_new = array();
// Include the rules of other interfaces listed in config before this (the selected) interface.
foreach ($a_filter as $filteri_before => $filterent) {
if (($filterent['interface'] == $if && !isset($filterent['floating'])) || (isset($filterent['floating']) && "FloatingRules" == $if)) {
break;
} else {
$a_filter_new[] = $filterent;
}
}
// Include the rules of this (the selected) interface.
// If a rule is not in POST[rule], it has been deleted by the user
foreach ($_POST['rule'] as $id) {
$a_filter_new[] = $a_filter[$id];
}
// Include the rules of other interfaces listed in config after this (the selected) interface.
foreach ($a_filter as $filteri_after => $filterent) {
if ($filteri_before > $filteri_after) {
continue;
}
if (($filterent['interface'] == $if && !isset($filterent['floating'])) || (isset($filterent['floating']) && "FloatingRules" == $if)) {
continue;
} else {
$a_filter_new[] = $filterent;
}
}
$a_filter = $a_filter_new;
$config['filter']['separator'][strtolower($if)] = "";
if ($_POST['separator']) {
$idx = 0;
foreach ($_POST['separator'] as $separator) {
$config['filter']['separator'][strtolower($separator['if'])]['sep' . $idx++] = $separator;
}
}
if (write_config()) {
mark_subsystem_dirty('filter');
}
header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
exit;
}
}
$tab_array = array(array(gettext("Floating"), ("FloatingRules" == $if), "firewall_rules.php?if=FloatingRules"));
foreach ($iflist as $ifent => $ifname) {
$tab_array[] = array($ifname, ($ifent == $if), "firewall_rules.php?if={$ifent}");
}
foreach ($tab_array as $dtab) {
if ($dtab[1]) {
$bctab = $dtab[0];
break;
}
}
$pgtitle = array(gettext("Firewall"), gettext("Rules"), $bctab);
$shortcut_section = "firewall";
include("head.inc");
$nrules = 0;
if ($savemsg) {
print_info_box($savemsg, 'success');
}
if (is_subsystem_dirty('filter')) {
print_apply_box(gettext("The firewall rule configuration has been changed.") . "
" . gettext("The changes must be applied for them to take effect."));
}
display_top_tabs($tab_array);
$showantilockout = false;
$showprivate = false;
$showblockbogons = false;
if (!isset($config['system']['webgui']['noantilockout']) &&
(((count($config['interfaces']) > 1) && ($if == 'lan')) ||
((count($config['interfaces']) == 1) && ($if == 'wan')))) {
$showantilockout = true;
}
if (isset($config['interfaces'][$if]['blockpriv'])) {
$showprivate = true;
}
if (isset($config['interfaces'][$if]['blockbogons'])) {
$showblockbogons = true;
}
/* Load the counter data of each pf rule. */
$rulescnt = pfSense_get_pf_rules();
// Update this if you add or remove columns!
$columns_in_table = 13;
?>