* Originally part of pfSense (https://www.pfsense.org) * * Redistribution and use in source and binary forms, with or without modification, * are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgment: * "This product includes software developed by the pfSense Project * for use in the pfSense software distribution. (http://www.pfsense.org/). * * 4. The names "pfSense" and "pfSense Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * coreteam@pfsense.org. * * 5. Products derived from this software may not be called "pfSense" * nor may "pfSense" appear in their names without prior written * permission of the Electric Sheep Fencing, LLC. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * * "This product includes software developed by the pfSense Project * for use in the pfSense software distribution (http://www.pfsense.org/). * * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * * ==================================================================== * */ /* pfSense_MODULE: filter */ ##|+PRIV ##|*IDENT=page-firewall-rules ##|*NAME=Firewall: Rules page ##|*DESCR=Allow access to the 'Firewall: Rules' page. ##|*MATCH=firewall_rules.php* ##|-PRIV require("guiconfig.inc"); require_once("functions.inc"); require_once("filter.inc"); require_once("shaper.inc"); $pgtitle = array(gettext("Firewall"), gettext("Rules")); $shortcut_section = "firewall"; function delete_nat_association($id) { global $config; if (!$id || !is_array($config['nat']['rule'])) { return; } $a_nat = &$config['nat']['rule']; foreach ($a_nat as &$natent) { if ($natent['associated-rule-id'] == $id) { $natent['associated-rule-id'] = ''; } } } if (!is_array($config['filter']['rule'])) { $config['filter']['rule'] = array(); } filter_rules_sort(); $a_filter = &$config['filter']['rule']; $if = $_GET['if']; if ($_POST['if']) { $if = $_POST['if']; } $ifdescs = get_configured_interface_with_descr(); /* add group interfaces */ if (is_array($config['ifgroups']['ifgroupentry'])) { foreach ($config['ifgroups']['ifgroupentry'] as $ifgen) { if (have_ruleint_access($ifgen['ifname'])) { $iflist[$ifgen['ifname']] = $ifgen['ifname']; } } } foreach ($ifdescs as $ifent => $ifdesc) { if (have_ruleint_access($ifent)) { $iflist[$ifent] = $ifdesc; } } if ($config['l2tp']['mode'] == "server") { if (have_ruleint_access("l2tp")) { $iflist['l2tp'] = "L2TP VPN"; } } if ($config['pptpd']['mode'] == "server") { if (have_ruleint_access("pptp")) { $iflist['pptp'] = "PPTP VPN"; } } if (is_array($config['pppoes']['pppoe'])) { foreach ($config['pppoes']['pppoe'] as $pppoes) { if (($pppoes['mode'] == 'server') && have_ruleint_access("pppoe")) { $iflist['pppoe'] = "PPPoE Server"; } } } /* add ipsec interfaces */ if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { if (have_ruleint_access("enc0")) { $iflist["enc0"] = "IPsec"; } } /* add openvpn/tun interfaces */ if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"]) { $iflist["openvpn"] = "OpenVPN"; } if (!$if || !isset($iflist[$if])) { if ("any" == $if) { $if = "FloatingRules"; } else if ("FloatingRules" != $if) { if (isset($iflist['wan'])) { $if = "wan"; } else { $if = "FloatingRules"; } } } if ($_POST) { $pconfig = $_POST; if ($_POST['apply']) { $retval = 0; $retval = filter_configure(); clear_subsystem_dirty('filter'); $savemsg = sprintf(gettext("The settings have been applied. The firewall rules are now reloading in the background.
You can also %s monitor %s the reload progress"),"",""); } } if ($_GET['act'] == "del") { if ($a_filter[$_GET['id']]) { if (!empty($a_filter[$_GET['id']]['associated-rule-id'])) { delete_nat_association($a_filter[$_GET['id']]['associated-rule-id']); } unset($a_filter[$_GET['id']]); if (write_config()) { mark_subsystem_dirty('filter'); } header("Location: firewall_rules.php?if=" . htmlspecialchars($if)); exit; } } // Handle save msg if defined if ($_REQUEST['savemsg']) { $savemsg = htmlentities($_REQUEST['savemsg']); } if ($_GET['act'] == "toggle") { if ($a_filter[$_GET['id']]) { if (isset($a_filter[$_GET['id']]['disabled'])) { unset($a_filter[$_GET['id']]['disabled']); } else { $a_filter[$_GET['id']]['disabled'] = true; } if (write_config()) { mark_subsystem_dirty('filter'); } header("Location: firewall_rules.php?if=" . htmlspecialchars($if)); exit; } } else { /* update rule order, POST[rule] is an array of ordered IDs */ if (is_array($_POST['rule']) && !empty($_POST['rule'])) { $a_filter_new = array(); // if a rule is not in POST[rule], it has been deleted by the user foreach ($_POST['rule'] as $id) $a_filter_new[] = $a_filter[$id]; $a_filter = $a_filter_new; if (write_config()) { mark_subsystem_dirty('filter'); } header("Location: firewall_rules.php?if=" . htmlspecialchars($if)); exit; } } include("head.inc"); $nrules = 0; if ($savemsg) print_info_box($savemsg, 'success'); if (is_subsystem_dirty('filter')) print_info_box_np(gettext("The firewall rule configuration has been changed.") . "
" . gettext("You must apply the changes in order for them to take effect."), "apply", "", true); $tab_array = array(array(gettext("Floating"), ("FloatingRules" == $if), "firewall_rules.php?if=FloatingRules")); foreach ($iflist as $ifent => $ifname) $tab_array[] = array($ifname, ($ifent == $if), "firewall_rules.php?if={$ifent}"); display_top_tabs($tab_array); ?>
1, or WAN with an if count of 1. if (!isset($config['system']['webgui']['noantilockout']) && (((count($config['interfaces']) > 1) && ($if == 'lan')) || ((count($config['interfaces']) == 1) && ($if == 'wan')))): $alports = implode('
', filter_get_antilockout_ports(true)); ?> > "; } } #FIXME $sched_caption_escaped = str_replace("'", "\'", $schedule['descr']); $schedule_span_begin = "{$sched_caption_escaped}

{$sched_content}

', 'trail', true, 'delay', 0, 'fade', 'both', 'fadeMax', 93, 'styleClass', 'niceTitle');\" onmouseout=\"this.style.color = ''; domTT_mouseout(this, event);\">"; $schedule_span_end = "
"; } } } $printicon = false; $alttext = ""; $image = ""; if (!isset($filterent['disabled'])) { if ($schedstatus) { if ($iconfn == "block" || $iconfn == "reject") { $image = "icon_block"; $alttext = gettext("Traffic matching this rule is currently being denied"); } else { $image = "icon_pass"; $alttext = gettext("Traffic matching this rule is currently being allowed"); } $printicon = true; } else if ($filterent['sched']) { if ($iconfn == "block" || $iconfn == "reject") $image = "icon_block_d"; else $image = "icon_block"; $alttext = gettext("This rule is not currently active because its period has expired"); $printicon = true; } } ?>
"> * * * Address * * edit
"> * * * * * * ">edit
"> * * * * * * * edit
"> '; if (isset($filterent['log'])) print ''; ?> '; echo $filterent['icmptype']; echo ''; } } else echo "*"; ?> {$desc}"; $desc = $filterent['defaultqueue']; echo "/{$desc}"; } else if (isset($filterent['defaultqueue'])) { $desc = $filterent['defaultqueue']; echo "{$desc}"; } else echo gettext("none"); ?> icon   edit copy delete
' . gettext("This means that if you use block rules, you'll have to pay attention " . "to the rule order. Everything that isn't explicitly passed is blocked " . "by default. ")); else print_info_box(gettext("Floating rules are evaluated on a first-match basis (i.e. " . "the action of the first rule to match a packet will be executed) only " . "if the 'quick' option is checked on a rule. Otherwise they will only apply if no " . "other rules match. Pay close attention to the rule order and options " . "chosen. If no rule here matches, the per-interface or default rules are used. ")); ?>