* Originally part of pfSense (https://www.pfsense.org)
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgment:
* "This product includes software developed by the pfSense Project
* for use in the pfSense software distribution. (http://www.pfsense.org/).
*
* 4. The names "pfSense" and "pfSense Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* coreteam@pfsense.org.
*
* 5. Products derived from this software may not be called "pfSense"
* nor may "pfSense" appear in their names without prior written
* permission of the Electric Sheep Fencing, LLC.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
*
* "This product includes software developed by the pfSense Project
* for use in the pfSense software distribution (http://www.pfsense.org/).
*
* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
* ====================================================================
*
*/
/*
pfSense_MODULE: filter
*/
##|+PRIV
##|*IDENT=page-firewall-rules
##|*NAME=Firewall: Rules page
##|*DESCR=Allow access to the 'Firewall: Rules' page.
##|*MATCH=firewall_rules.php*
##|-PRIV
require("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");
// Title parts for this page, each passed through gettext() for translation.
// NOTE(review): presumably read by the page header included further down; confirm.
$pgtitle = array(
	gettext("Firewall"),
	gettext("Rules"),
);

// Section key for this page ("firewall").
$shortcut_section = "firewall";
/**
 * Clear the 'associated-rule-id' field of every NAT rule that points at $id.
 *
 * Works directly on the global $config array; nothing is written to disk here,
 * so the caller is responsible for persisting the change.
 *
 * @param mixed $id Associated rule id to detach; a falsy value is a no-op.
 * @return void
 */
function delete_nat_association($id) {
	global $config;

	// Nothing to do without an id or without a NAT rule list.
	if (!$id || !is_array($config['nat']['rule'])) {
		return;
	}

	// Walk by key and write through $config instead of holding references.
	foreach (array_keys($config['nat']['rule']) as $idx) {
		// Loose comparison is kept on purpose to match the stored id as before.
		if ($config['nat']['rule'][$idx]['associated-rule-id'] == $id) {
			$config['nat']['rule'][$idx]['associated-rule-id'] = '';
		}
	}
}
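/*
 * Make sure the filter rule list exists, sort it, and bind $a_filter to it by
 * reference so later edits on $a_filter land in $config['filter']['rule'].
 */
if (!isset($config['filter']['rule']) || !is_array($config['filter']['rule'])) {
	$config['filter']['rule'] = array();
}
filter_rules_sort();
$a_filter = &$config['filter']['rule'];

/*
 * Interface tab requested by the client; a non-empty POST value wins over GET.
 * The value is request-controlled. PHP turns "if[]=x" into an array, which
 * must not reach array-offset or string functions later on, so anything that
 * is not a string is reduced to the empty string (treated as "not given").
 */
$if = isset($_GET['if']) ? $_GET['if'] : null;
if (!empty($_POST['if'])) {
	$if = $_POST['if'];
}
if (!is_string($if)) {
	$if = '';
}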
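/*
 * Build $iflist (interface key => tab label): the interfaces whose rule tabs
 * are offered on this page. Except where noted below, an entry is added only
 * when have_ruleint_access() approves it for the current user.
 */

// Start from a defined array so the later isset()/foreach on $iflist never run
// on an undefined variable when no interface qualifies. An existing array is kept.
if (!isset($iflist) || !is_array($iflist)) {
	$iflist = array();
}

$ifdescs = get_configured_interface_with_descr();

/* add group interfaces */
if (is_array($config['ifgroups']['ifgroupentry'])) {
	foreach ($config['ifgroups']['ifgroupentry'] as $ifgen) {
		if (have_ruleint_access($ifgen['ifname'])) {
			$iflist[$ifgen['ifname']] = $ifgen['ifname'];
		}
	}
}

/* add configured interfaces, labelled with their description */
foreach ($ifdescs as $ifent => $ifdesc) {
	if (have_ruleint_access($ifent)) {
		$iflist[$ifent] = $ifdesc;
	}
}

/* add VPN server pseudo-interfaces when the matching service runs in server mode */
if ($config['l2tp']['mode'] == "server") {
	if (have_ruleint_access("l2tp")) {
		$iflist['l2tp'] = "L2TP VPN";
	}
}

if ($config['pptpd']['mode'] == "server") {
	if (have_ruleint_access("pptp")) {
		$iflist['pptp'] = "PPTP VPN";
	}
}

if (is_array($config['pppoes']['pppoe'])) {
	foreach ($config['pppoes']['pppoe'] as $pppoes) {
		if (($pppoes['mode'] == 'server') && have_ruleint_access("pppoe")) {
			$iflist['pppoe'] = "PPPoE Server";
		}
	}
}

/* add ipsec interfaces */
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) {
	if (have_ruleint_access("enc0")) {
		$iflist["enc0"] = "IPsec";
	}
}

/* add openvpn/tun interfaces */
// NOTE(review): unlike every entry above, OpenVPN is added without a
// have_ruleint_access() check. Confirm whether per-interface rule privileges
// are meant to apply to this tab as well.
if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"]) {
	$iflist["openvpn"] = "OpenVPN";
}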
/*
 * Normalise the requested tab. A value that is empty or is not a key of
 * $iflist is replaced: "any" maps to the floating rules tab, "FloatingRules"
 * is left alone, and everything else falls back to "wan" when that interface
 * is listed, otherwise to "FloatingRules". After this block $if is either a
 * key of $iflist or "FloatingRules", which is what confines the
 * request-supplied value before it is reused below.
 */
if (!($if && isset($iflist[$if]))) {
	if ("any" == $if) {
		$if = "FloatingRules";
	} elseif ("FloatingRules" != $if) {
		$if = isset($iflist['wan']) ? "wan" : "FloatingRules";
	}
}
// Keep a copy of whatever was posted.
if ($_POST) {
	$pconfig = $_POST;
}

/*
 * "Apply" was submitted: reload the filter, clear the pending-changes marker
 * for the 'filter' subsystem and prepare the confirmation message.
 * NOTE(review): both %s placeholders are filled with empty strings here; they
 * look intended to wrap "monitor" in link markup. Confirm against the original file.
 */
if ($_POST && $_POST['apply']) {
	$retval = filter_configure();
	clear_subsystem_dirty('filter');
	$savemsg = sprintf(
		gettext("The settings have been applied. The firewall rules are now reloading in the background.
You can also %s monitor %s the reload progress"),
		"",
		""
	);
}
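/*
 * Delete a single rule: firewall_rules.php?act=del&id=<index into the rule list>.
 *
 * The id comes straight from the query string. PHP turns "id[]=x" into an
 * array, which is not a valid array offset, so only string/int ids are looked up.
 *
 * NOTE(review): this state change is triggered by a GET request and no
 * request-token check is visible in this file. Confirm the included framework
 * enforces one for GET, or move the action to POST.
 */
$del_id = isset($_GET['id']) ? $_GET['id'] : null;
if (isset($_GET['act']) && $_GET['act'] === "del") {
	if ((is_string($del_id) || is_int($del_id)) && !empty($a_filter[$del_id])) {
		// Detach any NAT rule that references this filter rule before removing it.
		if (!empty($a_filter[$del_id]['associated-rule-id'])) {
			delete_nat_association($a_filter[$del_id]['associated-rule-id']);
		}
		unset($a_filter[$del_id]);
		if (write_config()) {
			mark_subsystem_dirty('filter');
		}
		// The value is placed in a URL, so it gets URL encoding, not HTML escaping.
		header("Location: firewall_rules.php?if=" . urlencode($if));
		exit;
	}
}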
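// Handle save msg if defined.
// The text is supplied by the request (GET, POST or cookie via $_REQUEST), so
// it is untrusted display text: accept only a string and escape it with
// explicit flags, so quote handling does not depend on the PHP version's
// htmlentities() defaults.
if (!empty($_REQUEST['savemsg']) && is_string($_REQUEST['savemsg'])) {
	$savemsg = htmlentities($_REQUEST['savemsg'], ENT_QUOTES | ENT_SUBSTITUTE);
}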
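/*
 * Two remaining state changes:
 *   - act=toggle&id=N in the query string flips the 'disabled' flag of rule N;
 *   - otherwise a posted, non-empty 'rule' array gives the new rule order.
 *
 * Ids are request-controlled. Only string/int ids that exist in the rule list
 * are used, so an array-valued or unknown id can neither be used as an array
 * offset nor be written to the configuration as an empty entry.
 *
 * NOTE(review): the toggle is triggered by a GET request and no request-token
 * check is visible in this file. Confirm the included framework enforces one
 * for GET, or move the action to POST.
 */
$toggle_id = isset($_GET['id']) ? $_GET['id'] : null;
if (isset($_GET['act']) && $_GET['act'] === "toggle") {
	if ((is_string($toggle_id) || is_int($toggle_id)) && !empty($a_filter[$toggle_id])) {
		if (isset($a_filter[$toggle_id]['disabled'])) {
			unset($a_filter[$toggle_id]['disabled']);
		} else {
			$a_filter[$toggle_id]['disabled'] = true;
		}
		if (write_config()) {
			mark_subsystem_dirty('filter');
		}
		// The value is placed in a URL, so it gets URL encoding, not HTML escaping.
		header("Location: firewall_rules.php?if=" . urlencode($if));
		exit;
	}
} else {
	/* update rule order, POST[rule] is an array of ordered IDs */
	if (isset($_POST['rule']) && is_array($_POST['rule']) && !empty($_POST['rule'])) {
		$a_filter_new = array();
		$seen_ids = array();

		// if a rule is not in POST[rule], it has been deleted by the user
		// NOTE(review): $a_filter aliases the whole $config['filter']['rule']
		// list, not only the rules of $if. Confirm the form posts every rule
		// id that must survive the reorder.
		foreach ($_POST['rule'] as $id) {
			if (!is_string($id) && !is_int($id)) {
				continue; // nested arrays are not valid rule ids
			}
			if (!isset($a_filter[$id]) || isset($seen_ids[$id])) {
				continue; // unknown id, or an id that was already placed
			}
			$seen_ids[$id] = true;
			$a_filter_new[] = $a_filter[$id];
		}

		// Never commit an empty list: a post holding only invalid ids must
		// not wipe the ruleset.
		if (!empty($a_filter_new)) {
			$a_filter = $a_filter_new;
			if (write_config()) {
				mark_subsystem_dirty('filter');
			}
		}
		header("Location: firewall_rules.php?if=" . urlencode($if));
		exit;
	}
}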
// From here on the page is rendered.
include("head.inc");

$nrules = 0;

// Status message set by the handlers above (already escaped where it came from the request).
if ($savemsg) {
	print_info_box($savemsg, 'success');
}

// Remind the user that saved changes are not active until they are applied.
if (is_subsystem_dirty('filter')) {
	print_info_box_np(
		gettext("The firewall rule configuration has been changed.") . "
" . gettext("You must apply the changes in order for them to take effect."),
		"apply",
		"",
		true
	);
}

// One tab per entry: array(label, is-active flag, link). Floating rules come first,
// followed by every interface collected in $iflist.
$tab_array = array();
$tab_array[] = array(gettext("Floating"), ("FloatingRules" == $if), "firewall_rules.php?if=FloatingRules");
foreach ($iflist as $ifent => $ifname) {
	$tab_array[] = array($ifname, ($ifent == $if), "firewall_rules.php?if=" . $ifent);
}
display_top_tabs($tab_array);
?>