system settings: weave in awesome feedback

Submitted by: Curt Dox

system settings: weave in awesome feedback
Submitted by: Curt Dox
6c49287a · Franco Fichtner · c12bd9a3 · 6c49287a · 6c49287a · 6c49287a
Commit 6c49287a authored Jul 27, 2015 by Franco Fichtner
5 changed files
--- a/src/etc/config.xml.sample
+++ b/src/etc/config.xml.sample
@@ -35,6 +35,48 @@
 			<tunable>net.inet.ip.random_id</tunable>
 			<value>default</value>
 		</item>
+		<item>
+			<descr><![CDATA[
+				Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+				It can also be used to probe for information about your internal networks. These functions come enabled
+				as part of the standard FreeBSD core system.
+			]]></descr>
+			<tunable>net.inet.ip.sourceroute</tunable>
+			<value>default</value>
+		</item>
+		<item>
+			<descr><![CDATA[
+				Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+				It can also be used to probe for information about your internal networks. These functions come enabled
+				as part of the standard FreeBSD core system.
+			]]></descr>
+			<tunable>net.inet.ip.accept_sourceroute</tunable>
+			<value>default</value>
+		</item>
+		<item>
+			<descr><![CDATA[
+				Redirect attacks are the purposeful mass issuing of ICMP type 5 packets. In a normal network, redirects
+				to the end stations should not be required. To defend against this type of attack both the sending and
+				accepting of redirect should be disabled.
+			]]></descr>
+			<tunable>net.inet.icmp.redirect</tunable>
+			<value>default</value>
+		</item>
+		<item>
+			<descr><![CDATA[
+				This option enables the NIC to drop all inbound ICMP redirect packets without returning a response.
+			]]></descr>
+			<tunable>net.inet.icmp.drop_redirect</tunable>
+			<value>default</value>
+		</item>
+		<item>
+			<descr><![CDATA[
+				This option turns off the logging of redirect packets because there is no limit and this could fill
+				up your logs consuming your whole hard drive.
+			]]></descr>
+			<tunable>net.inet.icmp.log_redirect</tunable>
+			<value>default</value>
+		</item>
 		<item>
 			<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
 			<tunable>net.inet.tcp.drop_synfin</tunable>

--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -373,13 +373,20 @@ endif; ?>
                                            }
                                            ?>
 										</select>
+										<br />
+										<span class="vexpl">
+											<?=sprintf(
+												gettext('The %sSSL certificate manager%s can be used to ' .
+												'create or import certificates if required.'),
+												'<a href="/system_certmanager.php">', '</a>'
+											);?>
+										</span>
 									</td>
 								</tr>
 								<tr>
 									<td valign="top" class="vncell"><?=gettext("TCP port"); ?></td>
 									<td class="vtable">
 										<input name="webguiport" type="text" class="formfld unknown" id="webguiport" size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>" />
-										<br />
 										<span class="vexpl">
 											<?=gettext("Enter a custom port number for the webConfigurator " .
                                            "above if you want to override the default (80 for HTTP, 443 " .
@@ -391,7 +398,6 @@ endif; ?>
 									<td valign="top" class="vncell"><?=gettext("Max Processes"); ?></td>
 									<td class="vtable">
 										<input name="max_procs" type="text" class="formfld unknown" id="max_procs" size="5" value="<?=htmlspecialchars($pconfig['max_procs']);?>" />
-										<br />
 										<span class="vexpl">
 											<?=gettext("Enter the number of webConfigurator processes you " .
                                            "want to run. This defaults to 2. Increasing this will allow more " .
@@ -482,7 +488,6 @@ endif; ?>
 									<td width="22%" valign="top" class="vncell"><?=gettext("Alternate Hostnames"); ?></td>
 									<td width="78%" class="vtable">
 										<input name="althostnames" type="text" class="formfld unknown" id="althostnames" size="75" value="<?=htmlspecialchars($pconfig['althostnames']);?>"/>
-										<br />
 										<strong><?=gettext("Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks"); ?></strong>
 										<br />
 										<?php echo gettext("Here you can specify alternate hostnames by which the router may be queried, to " .

--- a/src/www/system_advanced_firewall.php
+++ b/src/www/system_advanced_firewall.php
@@ -354,11 +354,12 @@ include("head.inc");
 } ?> />
 										<strong><?=gettext("Disable all packet filtering.");?></strong>
 										<br />
-										<span class="vexpl"><?php printf(gettext("Note:  This converts %s into a routing only platform!"), $g['product_name']);?><br />
+										<span class="vexpl"><?php printf(gettext("Warning: This converts %s into a routing only platform!"), $g['product_name']);?><br />
-											<?=gettext("Note:  This will also turn off NAT!");?>
+											<?=gettext("Warning: This will also turn off NAT!");?><br />
-											<br /><?=gettext("If you only want to disable NAT, and not firewall rules, visit the");
+											<?=sprintf(
-?> <a href="firewall_nat_out.php"><?=gettext("Outbound NAT");
+												gettext('If you only want to disable NAT, and not firewall rules, visit the %sOutbound NAT%s page.'),
-?></a> <?=gettext("page");?>.
+												'<a href="/firewall_nat_out.php">', '</a>'
+											)?>
 										</span>
 									</td>
 								</tr>

--- a/src/www/system_advanced_misc.php
+++ b/src/www/system_advanced_misc.php
@@ -312,8 +312,16 @@ include("head.inc");
 									<th colspan="2" valign="top" class="listtopic"><?=gettext("Load Balancing"); ?></th>
 								</tr>
 								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("Load Balancing"); ?></td>
+									<td width="22%" valign="top" class="vncell"></td>
 									<td width="78%" class="vtable">
+										<input name="gw_switch_default" type="checkbox" id="gw_switch_default" value="yes" <?php if ($pconfig['gw_switch_default']) {
+                                            echo "checked=\"checked\"";
+} ?> />
+										<strong><?=gettext("Allow default gateway switching"); ?></strong><br />
+										<?=gettext("If the link where the default gateway resides fails " .
+                                        "switch the default gateway to another available one."); ?>
+										<br />
+										<br />
 										<input name="lb_use_sticky" type="checkbox" id="lb_use_sticky" value="yes" <?php if ($pconfig['lb_use_sticky']) {
                                            echo "checked=\"checked\"";
 } ?> onclick="sticky_checked(this)" />
@@ -326,6 +334,7 @@ include("head.inc");
                                        "the sticky connection. Further connections from that host " .
                                        "will be redirected to the next web server in the round " .
                                        "robin. Changing this option will restart the Load Balancing service."); ?>
+										<br />
 										<br />
 										<input name="srctrack" id="srctrack" type="text" value="<?php if ($pconfig['srctrack'] <> "") {
                                            echo $pconfig['srctrack'];
@@ -335,28 +344,16 @@ include("head.inc");
 } ?>" class="formfld unknown" <?php if ($pconfig['lb_use_sticky'] == false) {
    echo "disabled=\"disabled\"";
 } ?> />
-										<br />
 										<?=gettext("Set the source tracking timeout for sticky connections. " .
                                        "By default this is 0, so source tracking is removed as soon as the state expires. " .
                                        "Setting this timeout higher will cause the source/destination relationship to persist for longer periods of time."); ?>
 									</td>
 								</tr>
-								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("Load Balancing"); ?></td>
-									<td width="78%" class="vtable">
-										<input name="gw_switch_default" type="checkbox" id="gw_switch_default" value="yes" <?php if ($pconfig['gw_switch_default']) {
-                                            echo "checked=\"checked\"";
-} ?> />
-										<strong><?=gettext("Allow default gateway switching"); ?></strong><br />
-										<?=gettext("If the link where the default gateway resides fails " .
-                                        "switch the default gateway to another available one."); ?>
-									</td>
-								</tr>
 								<tr>
 									<th colspan="2" valign="top" class="listtopic"><?=gettext("Power savings"); ?></th>
 								</tr>
 								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("PowerD"); ?></td>
+									<td width="22%" valign="top" class="vncell"></td>
 									<td width="78%" class="vtable">
 										<input name="powerd_enable" type="checkbox" id="powerd_enable" value="yes" <?php if ($pconfig['powerd_enable']) {
                                            echo "checked=\"checked\"";
@@ -422,7 +419,7 @@ include("head.inc");
 									<th colspan="2" valign="top" class="listtopic"><?=gettext("Cryptographic Hardware Acceleration"); ?></th>
 								</tr>
 								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("Cryptographic Hardware"); ?></td>
+									<td width="22%" valign="top" class="vncell"></td>
 									<td width="78%" class="vtable">
 										<select name="crypto_hardware" id="crypto_hardware" class="selectpicker" data-style="btn-default">
 											<option value=""><?php echo gettext("None"); ?></option>
@@ -451,7 +448,7 @@ endforeach; ?>
 									<th colspan="2" valign="top" class="listtopic"><?=gettext("Thermal Sensors"); ?></th>
 								</tr>
 								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("Thermal Sensors"); ?></td>
+									<td width="22%" valign="top" class="vncell"></td>
 									<td width="78%" class="vtable">
 									<select name="thermal_hardware" id="thermal_hardware" class="selectpicker" data-style="btn-default">
 										<option value=""><?php echo gettext("None/ACPI"); ?></option>
@@ -472,24 +469,16 @@ endforeach; ?>
                                        "effect. To unload the selected module, set this option to 'none' and then reboot."); ?>
 									</td>
 								</tr>
-								<tr>
-									<th colspan="2" valign="top" class="listtopic"><?=gettext("IP Security"); ?></th>
-								</tr>
-								<tr>
-									<td width="22%" valign="top" class="vncell">&nbsp;</td>
-									<td width="78%" class="vtable">
-										<?=gettext("These settings have moved to <a href=\"vpn_ipsec_settings.php\">VPN &gt; IPsec on the Advanced Settings tab</a>."); ?>
-									</td>
-								</tr>
 								<tr>
 									<th colspan="2" valign="top" class="listtopic"><?=gettext("Schedules"); ?></th>
 								</tr>
 								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("Schedule States"); ?></td>
+									<td width="22%" valign="top" class="vncell"></td>
 									<td width="78%" class="vtable">
 										<input name="schedule_states" type="checkbox" id="schedule_states" value="yes" <?php if ($pconfig['schedule_states']) {
                                            echo "checked=\"checked\"";
 } ?> />
+										<strong><?=gettext("Schedule States"); ?></strong>
 										<br />
 										<?=gettext("By default schedules clear the states of existing connections when the expiration time has come. ".
                                        "This option overrides that behavior by not clearing states for existing connections."); ?>
@@ -499,21 +488,20 @@ endforeach; ?>
 									<th colspan="2" valign="top" class="listtopic"><?=gettext("Gateway Monitoring"); ?></th>
 								</tr>
 								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("State Killing on Gateway Failure"); ?></td>
+									<td width="22%" valign="top" class="vncell"></td>
 									<td width="78%" class="vtable">
 										<input name="kill_states" type="checkbox" id="kill_states" value="yes" <?php if ($pconfig['kill_states']) {
                                            echo "checked=\"checked\"";
 } ?> />
+										</strong><?=gettext("State Killing on Gateway Failure"); ?></strong>
 										<br />
 										<?=gettext("The monitoring process will flush states for a gateway that goes down if this box is not checked. Check this box to disable this behavior."); ?>
-									</td>
+										<br />
-								</tr>
+										<br />
-								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("Skip rules when gateway is down"); ?></td>
-									<td width="78%" class="vtable">
 										<input name="skip_rules_gw_down" type="checkbox" id="skip_rules_gw_down" value="yes" <?php if ($pconfig['skip_rules_gw_down']) {
                                            echo "checked=\"checked\"";
 } ?> />
+										<strong><?=gettext("Skip rules when gateway is down"); ?></strong>
 										<br />
 										<?=gettext("By default, when a rule has a specific gateway set, and this gateway is down, ".
                                        "rule is created and traffic is sent to default gateway.This option overrides that behavior ".
@@ -537,7 +525,6 @@ endforeach; ?>
 								<tr>
 									<td width="22%" valign="top" class="vncell"><?=gettext("Periodic RRD Backup");?></td>
 									<td width="78%" class="vtable">
-										<?=gettext("Frequency:");?>
 										<select name="rrdbackup" class="selectpicker" data-style="btn-default" id="rrdbackup" <?php if ($pconfig['use_mfs_tmpvar'] == false) {
                                            echo "disabled=\"disabled\"";
 } ?> >
@@ -565,7 +552,6 @@ endforeach; ?>
 								<tr>
 									<td width="22%" valign="top" class="vncell"><?=gettext("Periodic DHCP Leases Backup");?></td>
 									<td width="78%" class="vtable">
-										<?=gettext("Frequency:");?>
 										<select name="dhcpbackup" class="selectpicker" data-style="btn-default" id="dhcpbackup" <?php if ($pconfig['use_mfs_tmpvar'] == false) {
                                            echo "disabled=\"disabled\"";
 } ?> >

--- a/src/www/system_advanced_notifications.php
+++ b/src/www/system_advanced_notifications.php
@@ -279,10 +279,12 @@ include("head.inc");
 								<td width="78%" class="vtable">
 									<input type='checkbox' id='smtpssl' name='smtpssl' <?php if (isset($pconfig['smtpssl'])) {
                                        echo "checked=\"checked\"";
-} ?> />Enable SMTP over SSL/TLS<br />
+} ?> />
+									<strong><?=gettext('Enable SMTP over SSL/TLS');?></strong><br />
 									<input type='checkbox' id='smtptls' name='smtptls' <?php if (isset($pconfig['smtptls'])) {
                                        echo "checked=\"checked\"";
-} ?> />Enable STARTTLS<br />
+} ?> />
+									<strong><?=gettext('Enable STARTTLS');?></strong><br />
 								</td>
 							</tr>
 							<tr>