.
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
##|+PRIV
##|*IDENT=page-firewall-rules
##|*NAME=Firewall: Rules
##|*DESCR=Allow access to the 'Firewall: Rules' page.
##|*MATCH=firewall_rules.php*
##|-PRIV
require_once("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("shaper.inc");
// Section name used by the page header for the help shortcut; this value is
// assigned a second time later in the file, just before head.inc is included.
$shortcut_section = 'firewall';
// Tooltip texts for the "move checked rules" control. The second variant is
// the one shown while the shift key is held.
$XmoveTitle = gettext('Move checked rules above this one. Shift+Click to move checked rules below.');
$ShXmoveTitle = gettext('Move checked rules below this one. Release shift to move checked rules above.');
/**
 * Select the pf rule entries whose 'tracker' field matches $tracker.
 *
 * @param mixed $rules   Array of pf rule entries; any non-array value yields null
 * @param mixed $tracker Tracker id, compared strictly (===) against each entry
 * @return array|null    Re-indexed list of matching entries, or null when $rules
 *                       is not an array or no entry matched
 */
function get_pf_rules($rules, $tracker) {
    if (!is_array($rules)) {
        return null;
    }
    // array_filter keeps the original keys, so re-index to get a plain list.
    $matching = array_values(array_filter(
        $rules,
        function ($rule) use ($tracker) {
            return $rule['tracker'] === $tracker;
        }
    ));
    if (count($matching) === 0) {
        return null;
    }
    return $matching;
}
/**
 * Print the aggregated pf counters for the rules tagged with $tracker.
 *
 * Sums bytes, states, packets, evaluations and state creations over every
 * entry that get_pf_rules() returns for this tracker, then prints the result
 * with printf(). Reads the global $rulescnt, which is filled from
 * pfSense_get_pf_rules() further down in this file.
 *
 * NOTE(review): the two printf() format strings below appear mangled (HTML
 * markup seems to have been lost): the first has four %s placeholders but is
 * given five arguments, its tail is an unbalanced attribute fragment, and
 * $rulesid is built but referenced by neither call as shown. Verify against
 * the upstream source before relying on this output.
 *
 * @param mixed $tracker Tracker id used to select the pf rules
 */
function print_states($tracker) {
    global $rulescnt;
    $rulesid = "";        // comma-separated list of pf rule ids, built below
    $bytes = 0;
    $states = 0;
    $packets = 0;
    $evaluations = 0;
    $stcreations = 0;
    $rules = get_pf_rules($rulescnt, $tracker);
    // get_pf_rules() returns null when nothing matched; all counters then stay 0.
    if (is_array($rules)) {
        foreach ($rules as $rule) {
            $bytes += $rule['bytes'];
            $states += $rule['states'];
            $packets += $rule['packets'];
            $evaluations += $rule['evaluations'];
            $stcreations += $rule['state creations'];
            // Join ids with commas; the first id gets no leading comma.
            if (strlen($rulesid) > 0) {
                $rulesid .= ",";
            }
            $rulesid .= "{$rule['id']}";
        }
    }
    printf("packets: %s
bytes: %s
states: %s
state creations: %s\" data-html=\"true\" usepost>",
        format_number($evaluations), format_number($packets), format_bytes($bytes),
        format_number($states), format_number($stcreations));
    printf("%s/%s
", format_number($states), format_bytes($bytes));
}
/**
 * Clear the 'associated-rule-id' of every NAT rule that references $id.
 *
 * Called when a filter rule is removed so that NAT entries no longer point at
 * it. Edits the global $config in place and returns nothing. A falsy $id, or
 * a missing/non-array NAT rule list, is a no-op.
 *
 * @param mixed $id Association id of the filter rule being removed
 */
function delete_nat_association($id) {
    global $config;
    if (!$id || !is_array($config['nat']['rule'])) {
        return;
    }
    // Iterate by key and write back through $config rather than by reference,
    // so no reference to the last element lingers after the loop.
    // The loose comparison (==) is kept as in the original code.
    foreach (array_keys($config['nat']['rule']) as $key) {
        if ($config['nat']['rule'][$key]['associated-rule-id'] == $id) {
            $config['nat']['rule'][$key]['associated-rule-id'] = '';
        }
    }
}
// Make sure the filter rule list exists and is sorted before it is used below.
if (!is_array($config['filter']['rule'])) {
    $config['filter']['rule'] = array();
}
filter_rules_sort();
// $a_filter aliases the live config array; the POST handlers below edit it in place.
$a_filter = &$config['filter']['rule'];
// The selected interface comes from the request (GET or POST). It is
// normalised against $iflist further down, so a value that is not a
// permitted tab never reaches the rule handling.
if ($_REQUEST['if']) {
    $if = $_REQUEST['if'];
}
$ifdescs = get_configured_interface_with_descr();
/* add group interfaces */
// $iflist maps interface name => label and is created on first write.
// Each entry is gated by have_ruleint_access(), i.e. the current user's
// permission to manage rules on that interface.
if (is_array($config['ifgroups']['ifgroupentry'])) {
    foreach ($config['ifgroups']['ifgroupentry'] as $ifgen) {
        if (have_ruleint_access($ifgen['ifname'])) {
            $iflist[$ifgen['ifname']] = $ifgen['ifname'];
        }
    }
}
foreach ($ifdescs as $ifent => $ifdesc) {
    if (have_ruleint_access($ifent)) {
        $iflist[$ifent] = $ifdesc;
    }
}
// Pseudo-interfaces (VPN servers, IPsec, OpenVPN) get their own rule tabs.
if ($config['l2tp']['mode'] == "server") {
    if (have_ruleint_access("l2tp")) {
        $iflist['l2tp'] = gettext("L2TP VPN");
    }
}
if (is_array($config['pppoes']['pppoe'])) {
    foreach ($config['pppoes']['pppoe'] as $pppoes) {
        if (($pppoes['mode'] == 'server') && have_ruleint_access("pppoe")) {
            $iflist['pppoe'] = gettext("PPPoE Server");
        }
    }
}
/* add ipsec interfaces */
if (ipsec_enabled() && have_ruleint_access("enc0")) {
    $iflist["enc0"] = gettext("IPsec");
}
/* add openvpn/tun interfaces */
// NOTE(review): unlike the entries above, this tab is not gated by
// have_ruleint_access() — confirm whether that is intended.
if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"]) {
    $iflist["openvpn"] = gettext("OpenVPN");
}
// Fall back to a known tab when the requested interface is absent or not in
// the permitted list: "wan" if it is available, otherwise the floating rules
// ("any" and "FloatingRules" always land on the floating tab).
if (!$if || !isset($iflist[$if])) {
    if ($if != "any" && $if != "FloatingRules" && isset($iflist['wan'])) {
        $if = "wan";
    } else {
        $if = "FloatingRules";
    }
}
// "Apply changes": rebuild the pf ruleset from config and clear the dirty flag.
// $retval is reported by print_apply_result_box() once the page header is out.
if ($_POST['apply']) {
    $retval = 0;
    $retval |= filter_configure();
    clear_subsystem_dirty('filter');
}
// Delete a single rule, addressed by its index in $a_filter.
if ($_POST['act'] == "del") {
    if ($a_filter[$_POST['id']]) {
        // Detach any NAT rule that still points at this filter rule.
        if (!empty($a_filter[$_POST['id']]['associated-rule-id'])) {
            delete_nat_association($a_filter[$_POST['id']]['associated-rule-id']);
        }
        unset($a_filter[$_POST['id']]);
        // Update the separators
        $a_separators = &$config['filter']['separator'][strtolower($if)];
        $ridx = ifridx($if, $_POST['id']); // get rule index within interface
        $mvnrows = -1;
        move_separators($a_separators, $ridx, $mvnrows);
        if (write_config()) {
            mark_subsystem_dirty('filter');
        }
        // $if was normalised against $iflist above and is escaped again here.
        header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
        exit;
    }
}
// Handle save msg if defined
// The message is entity-encoded here; print_info_box() displays it below.
if ($_REQUEST['savemsg']) {
    $savemsg = htmlentities($_REQUEST['savemsg']);
}
if (isset($_POST['del_x'])) {
    /* delete selected rules */
    // $_POST['rule'] holds the indexes of the checked rules. No check is made
    // that an index exists in $a_filter: an unknown one passes null to
    // delete_nat_association() (a no-op there) and unset() ignores it.
    $deleted = false;
    if (is_array($_POST['rule']) && count($_POST['rule'])) {
        $a_separators = &$config['filter']['separator'][strtolower($if)];
        $num_deleted = 0;
        foreach ($_POST['rule'] as $rulei) {
            delete_nat_association($a_filter[$rulei]['associated-rule-id']);
            unset($a_filter[$rulei]);
            $deleted = true;
            // Update the separators
            // As rules are deleted, $ridx has to be decremented or separator position will break
            $ridx = ifridx($if, $rulei) - $num_deleted; // get rule index within interface
            $mvnrows = -1;
            move_separators($a_separators, $ridx, $mvnrows);
            $num_deleted++;
        }
        if ($deleted) {
            if (write_config()) {
                mark_subsystem_dirty('filter');
            }
        }
        header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
        exit;
    }
} else if ($_POST['act'] == "toggle") {
    // Enable/disable one rule; the mere presence of the 'disabled' key is the flag.
    if ($a_filter[$_POST['id']]) {
        if (isset($a_filter[$_POST['id']]['disabled'])) {
            unset($a_filter[$_POST['id']]['disabled']);
        } else {
            $a_filter[$_POST['id']]['disabled'] = true;
        }
        if (write_config()) {
            mark_subsystem_dirty('filter');
        }
        header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
        exit;
    }
} else if ($_POST['order-store']) {
    /* update rule order, POST[rule] is an array of ordered IDs */
    if (is_array($_POST['rule']) && !empty($_POST['rule'])) {
        $a_filter_new = array();
        // Include the rules of other interfaces listed in config before this (the selected) interface.
        // After this loop $filteri_before is the index where it broke out, i.e. the
        // first rule of the selected interface. If no such rule exists the loop runs
        // to the end and $filteri_before is the last index, which the "after" loop
        // below then appends a second time.
        foreach ($a_filter as $filteri_before => $filterent) {
            if (($filterent['interface'] == $if && !isset($filterent['floating'])) || (isset($filterent['floating']) && "FloatingRules" == $if)) {
                break;
            } else {
                $a_filter_new[] = $filterent;
            }
        }
        // Include the rules of this (the selected) interface.
        // If a rule is not in POST[rule], it has been deleted by the user
        // NOTE(review): $id is not validated with isset($a_filter[$id]). A
        // missing index appends null to the new rule list, and an index that
        // belongs to another interface is appended here and kept again by the
        // loop below, duplicating that rule.
        foreach ($_POST['rule'] as $id) {
            $a_filter_new[] = $a_filter[$id];
        }
        // Include the rules of other interfaces listed in config after this (the selected) interface.
        foreach ($a_filter as $filteri_after => $filterent) {
            if ($filteri_before > $filteri_after) {
                continue;
            }
            if (($filterent['interface'] == $if && !isset($filterent['floating'])) || (isset($filterent['floating']) && "FloatingRules" == $if)) {
                continue;
            } else {
                $a_filter_new[] = $filterent;
            }
        }
        // $a_filter is a reference, so this replaces $config['filter']['rule'].
        $a_filter = $a_filter_new;
        // Separators are rebuilt from POST.
        // NOTE(review): the reset here only covers $if, but each posted separator
        // is stored under its own 'if' field, which is not restricted to $if.
        $config['filter']['separator'][strtolower($if)] = "";
        if ($_POST['separator']) {
            $idx = 0;
            foreach ($_POST['separator'] as $separator) {
                $config['filter']['separator'][strtolower($separator['if'])]['sep' . $idx++] = $separator;
            }
        }
        if (write_config()) {
            mark_subsystem_dirty('filter');
        }
        header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
        exit;
    }
}
// Build the tab bar: the floating rules first, then one tab per permitted
// interface. Each element is [label, is-active, href].
$tab_array = array(array(gettext("Floating"), ("FloatingRules" == $if), "firewall_rules.php?if=FloatingRules"));
foreach ($iflist as $ifent => $ifname) {
    $tab_array[] = array($ifname, ($ifent == $if), "firewall_rules.php?if={$ifent}");
}
// The breadcrumb label is the label of the active tab. $if always matches
// one entry after the normalisation above, so $bctab is set here.
foreach ($tab_array as $dtab) {
    if ($dtab[1]) {
        $bctab = $dtab[0];
        break;
    }
}
$pgtitle = array(gettext("Firewall"), gettext("Rules"), $bctab);
$pglinks = array("", "firewall_rules.php", "@self");
$shortcut_section = "firewall";
include("head.inc");
$nrules = 0;
// $savemsg was entity-encoded when it was read from the request.
if ($savemsg) {
    print_info_box($savemsg, 'success');
}
if ($_POST['apply']) {
    print_apply_result_box($retval);
}
if (is_subsystem_dirty('filter')) {
    print_apply_box(gettext("The firewall rule configuration has been changed.") . "
" . gettext("The changes must be applied for them to take effect."));
}
display_top_tabs($tab_array, false, 'pills', "usepost");
// Flags for the implicit rule rows; presumably they control whether the
// anti-lockout, block-private and block-bogons rows are rendered below.
$showantilockout = false;
$showprivate = false;
$showblockbogons = false;
// Anti-lockout applies on "lan" when more than one interface is configured,
// or on "wan" when it is the only one, unless disabled in the webgui settings.
if (!isset($config['system']['webgui']['noantilockout']) &&
    (((count($config['interfaces']) > 1) && ($if == 'lan')) ||
    ((count($config['interfaces']) == 1) && ($if == 'wan')))) {
    $showantilockout = true;
}
if (isset($config['interfaces'][$if]['blockpriv'])) {
    $showprivate = true;
}
if (isset($config['interfaces'][$if]['blockbogons'])) {
    $showblockbogons = true;
}
/* Load the counter data of each pf rule. */
// Consumed by print_states() through the global $rulescnt.
$rulescnt = pfSense_get_pf_rules();
// Update this if you add or remove columns!
$columns_in_table = 13;
?>