Commit 7bac6923 authored by Franco Fichtner's avatar Franco Fichtner

firewall: rework form a little more than expected

parent aeb8d52e
...@@ -81,20 +81,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -81,20 +81,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext("You must specify an IP address to NAT IPv6 packets."); $input_errors[] = gettext("You must specify an IP address to NAT IPv6 packets.");
} }
if (!empty($pconfig['ipv6nat_enable'])) {
$config['diag']['ipv6nat'] = array();
$config['diag']['ipv6nat']['enable'] = true;
$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
} elseif (isset($config['diag']['ipv6nat'])) {
unset($config['diag']['ipv6nat']);
}
if (!empty($pconfig['ipv6allow'])) {
$config['system']['ipv6allow'] = true;
} elseif (isset($config['system']['ipv6allow'])) {
unset($config['system']['ipv6allow']);
}
if ((empty($pconfig['adaptivestart']) && !empty($pconfig['adaptiveend'])) || (!empty($pconfig['adaptivestart']) && empty($pconfig['adaptiveend']))) { if ((empty($pconfig['adaptivestart']) && !empty($pconfig['adaptiveend'])) || (!empty($pconfig['adaptivestart']) && empty($pconfig['adaptiveend']))) {
$input_errors[] = gettext("The Firewall Adaptive values must be set together."); $input_errors[] = gettext("The Firewall Adaptive values must be set together.");
} }
...@@ -117,6 +103,20 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -117,6 +103,20 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext("The Reflection timeout must be an integer."); $input_errors[] = gettext("The Reflection timeout must be an integer.");
} }
if (count($input_errors) == 0) { if (count($input_errors) == 0) {
if (!empty($pconfig['ipv6nat_enable'])) {
$config['diag']['ipv6nat'] = array();
$config['diag']['ipv6nat']['enable'] = true;
$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
} elseif (isset($config['diag']['ipv6nat'])) {
unset($config['diag']['ipv6nat']);
}
if (!empty($pconfig['ipv6allow'])) {
$config['system']['ipv6allow'] = true;
} elseif (isset($config['system']['ipv6allow'])) {
unset($config['system']['ipv6allow']);
}
if (!empty($pconfig['disablefilter'])) { if (!empty($pconfig['disablefilter'])) {
$config['system']['disablefilter'] = "enabled"; $config['system']['disablefilter'] = "enabled";
} elseif (isset($config['system']['disablefilter'])) { } elseif (isset($config['system']['disablefilter'])) {
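Review bot: The IPv6 NAT address is still copied straight from the superglobal, `$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];`, while every neighbouring assignment in this hunk reads from `$pconfig`; moving the write under `count($input_errors) == 0` is the right direction, but the line should read `$config['diag']['ipv6nat']['ipaddr'] = $pconfig['ipv6nat_ipaddr'];` so the value that was validated is the value that is stored. The only validation visible for this field is the empty-value check that emits "You must specify an IP address to NAT IPv6 packets."; if no address-format check (an `is_ipaddr()`-style test) exists above the hunk, one should be added so an arbitrary string cannot be persisted and later interpolated into the generated NAT rules. The surrounding POST handler starts before this hunk and continues after it, so the full validation list is not visible here.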
...@@ -222,7 +222,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -222,7 +222,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
install_cron_job("/usr/local/etc/rc.update_bogons", true, "1", "3", "*", "*", "0"); install_cron_job("/usr/local/etc/rc.update_bogons", true, "1", "3", "*", "*", "0");
break; break;
case 'monthly': case 'monthly':
// fall through
default: default:
install_cron_job("/usr/local/etc/rc.update_bogons", true, "1", "3", "1", "*", "*"); install_cron_job("/usr/local/etc/rc.update_bogons", true, "1", "3", "1", "*", "*");
} }
...@@ -317,18 +316,14 @@ include("head.inc"); ...@@ -317,18 +316,14 @@ include("head.inc");
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="22%"><strong><?=gettext("Firewall Advanced");?></strong></td> <th colspan="2" valign="top" class="listtopic"><?=gettext("Miscellaneous");?></th>
<td width="78%" align="right">
<small><?=gettext("full help"); ?> </small>
<i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_page" type="button"></i>
</td>
</tr> </tr>
<tr> <tr>
<td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td> <td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td>
<td> <td>
<input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/> <input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/>
<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong>
<div class="hidden" for="help_for_scrubnodf"> <div class="hidden" for="help_for_scrubnodf">
<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong><br />
<?=gettext("This allows for communications with hosts that generate fragmented " . <?=gettext("This allows for communications with hosts that generate fragmented " .
"packets with the don't fragment (DF) bit set. Linux NFS is known to " . "packets with the don't fragment (DF) bit set. Linux NFS is known to " .
"do this. This will cause the filter to not drop such packets but " . "do this. This will cause the filter to not drop such packets but " .
...@@ -340,8 +335,8 @@ include("head.inc"); ...@@ -340,8 +335,8 @@ include("head.inc");
<td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td> <td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td>
<td> <td>
<input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> /> <input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong>
<div class="hidden" for="help_for_scrubrnid"> <div class="hidden" for="help_for_scrubrnid">
<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong><br />
<?=gettext("Replaces the IP identification field of packets with random values to " . <?=gettext("Replaces the IP identification field of packets with random values to " .
"compensate for operating systems that use predictable values. " . "compensate for operating systems that use predictable values. " .
"This option only applies to packets that are not fragmented after the " . "This option only applies to packets that are not fragmented after the " .
...@@ -394,8 +389,8 @@ include("head.inc"); ...@@ -394,8 +389,8 @@ include("head.inc");
<td><a id="help_for_disablefilter" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disable Firewall");?></td> <td><a id="help_for_disablefilter" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disable Firewall");?></td>
<td> <td>
<input name="disablefilter" type="checkbox" value="yes" <?= !empty($pconfig['disablefilter']) ? "checked=\"checked\"" : "";?>/> <input name="disablefilter" type="checkbox" value="yes" <?= !empty($pconfig['disablefilter']) ? "checked=\"checked\"" : "";?>/>
<strong><?=gettext("Disable all packet filtering.");?></strong>
<div class="hidden" for="help_for_disablefilter"> <div class="hidden" for="help_for_disablefilter">
<strong><?=gettext("Disable all packet filtering.");?></strong><br/>
<?php printf(gettext("Warning: This converts %s into a routing only platform!"), $g['product_name']);?> <?php printf(gettext("Warning: This converts %s into a routing only platform!"), $g['product_name']);?>
<?=gettext("Warning: This will also turn off NAT!");?><br /> <?=gettext("Warning: This will also turn off NAT!");?><br />
<?=sprintf( <?=sprintf(
...@@ -478,9 +473,8 @@ include("head.inc"); ...@@ -478,9 +473,8 @@ include("head.inc");
<td><a id="help_for_bypassstaticroutes" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Static route filtering");?></td> <td><a id="help_for_bypassstaticroutes" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Static route filtering");?></td>
<td> <td>
<input name="bypassstaticroutes" type="checkbox" value="yes" <?=!empty($pconfig['bypassstaticroutes']) ? "checked=\"checked\"" : "";?>/> <input name="bypassstaticroutes" type="checkbox" value="yes" <?=!empty($pconfig['bypassstaticroutes']) ? "checked=\"checked\"" : "";?>/>
<strong><?=gettext("Bypass firewall rules for traffic on the same interface");?></strong>
<div class="hidden" for="help_for_bypassstaticroutes"> <div class="hidden" for="help_for_bypassstaticroutes">
<strong><?=gettext("Bypass firewall rules for traffic on the same interface");?></strong>
<br />
<?=gettext("This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and " . <?=gettext("This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and " .
"leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where " . "leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where " .
"multiple subnets are connected to the same interface.");?> "multiple subnets are connected to the same interface.");?>
...@@ -491,9 +485,8 @@ include("head.inc"); ...@@ -491,9 +485,8 @@ include("head.inc");
<td><a id="help_for_disablevpnrules" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable Auto-added VPN rules') ?></td> <td><a id="help_for_disablevpnrules" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable Auto-added VPN rules') ?></td>
<td> <td>
<input name="disablevpnrules" type="checkbox" value="yes" <?=!empty($pconfig['disablevpnrules']) ? "checked=\"checked\"" :"";?> /> <input name="disablevpnrules" type="checkbox" value="yes" <?=!empty($pconfig['disablevpnrules']) ? "checked=\"checked\"" :"";?> />
<strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
<div class="hidden" for="help_for_disablevpnrules"> <div class="hidden" for="help_for_disablevpnrules">
<strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
<br />
<?=gettext("Note: This disables automatically added rules for IPsec, PPTP.");?> <?=gettext("Note: This disables automatically added rules for IPsec, PPTP.");?>
</div> </div>
</td> </td>
...@@ -502,9 +495,8 @@ include("head.inc"); ...@@ -502,9 +495,8 @@ include("head.inc");
<td><a id="help_for_disablereplyto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable reply-to') ?></td> <td><a id="help_for_disablereplyto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable reply-to') ?></td>
<td> <td>
<input name="disablereplyto" type="checkbox" value="yes" <?=!empty($pconfig['disablereplyto']) ? "checked=\"checked\"" : "";?> /> <input name="disablereplyto" type="checkbox" value="yes" <?=!empty($pconfig['disablereplyto']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
<div class="hidden" for="help_for_disablereplyto"> <div class="hidden" for="help_for_disablereplyto">
<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
<br />
<?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. " . <?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. " .
"When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?> "When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?>
</div> </div>
...@@ -514,9 +506,8 @@ include("head.inc"); ...@@ -514,9 +506,8 @@ include("head.inc");
<td><a id="help_for_disablenegate" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable Negate rules') ?></td> <td><a id="help_for_disablenegate" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable Negate rules') ?></td>
<td> <td>
<input name="disablenegate" type="checkbox" value="yes" <?=!empty($pconfig['disablenegate']) ? "checked=\"checked\"" : "";?> /> <input name="disablenegate" type="checkbox" value="yes" <?=!empty($pconfig['disablenegate']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Disable Negate rule on policy routing rules");?></strong>
<div class="hidden" for="help_for_disablenegate"> <div class="hidden" for="help_for_disablenegate">
<strong><?=gettext("Disable Negate rule on policy routing rules");?></strong>
<br />
<?=gettext("With Multi-WAN you generally want to ensure traffic reaches directly connected networks and VPN networks when using policy routing. You can disable this for special purposes but it requires manually creating rules for these networks");?> <?=gettext("With Multi-WAN you generally want to ensure traffic reaches directly connected networks and VPN networks when using policy routing. You can disable this for special purposes but it requires manually creating rules for these networks");?>
</div> </div>
</td> </td>
...@@ -533,12 +524,11 @@ include("head.inc"); ...@@ -533,12 +524,11 @@ include("head.inc");
</td> </td>
</tr> </tr>
<tr> <tr>
<td><a id="help_for_aliasesresolveinterval" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Check certificate of aliases URLs");?></td> <td><a id="help_for_checkaliasesurlcert" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Check certificate of aliases URLs");?></td>
<td> <td>
<input name="checkaliasesurlcert" type="checkbox" value="yes" <?=!empty($pconfig['checkaliasesurlcert']) ? "checked=\"checked\"" : "";?> /> <input name="checkaliasesurlcert" type="checkbox" value="yes" <?=!empty($pconfig['checkaliasesurlcert']) ? "checked=\"checked\"" : "";?> />
<div class="hidden" for="help_for_aliasesresolveinterval"> <strong><?=gettext("Verify HTTPS certificates when downloading alias URLs");?></strong>
<strong><?=gettext("Verify HTTPS certificates when downloading alias URLs");?></strong> <div class="hidden" for="help_for_checkaliasesurlcert">
<br />
<?=gettext("Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.");?> <?=gettext("Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.");?>
</div> </div>
</td> </td>
...@@ -606,12 +596,11 @@ include("head.inc"); ...@@ -606,12 +596,11 @@ include("head.inc");
</td> </td>
</tr> </tr>
<tr> <tr>
<td><a id="help_for_enablebinatreflection" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable Reflection for 1:1");?></td> <td><a id="help_for_enablebinatreflection" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Reflection for 1:1");?></td>
<td> <td>
<input name="enablebinatreflection" type="checkbox" id="enablebinatreflection" value="yes" <?=!empty($pconfig['enablebinatreflection']) ? "checked=\"checked\"" : "";?>/> <input name="enablebinatreflection" type="checkbox" id="enablebinatreflection" value="yes" <?=!empty($pconfig['enablebinatreflection']) ? "checked=\"checked\"" : "";?>/>
<strong><?=gettext("Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks.");?></strong>
<div class="hidden" for="help_for_enablebinatreflection"> <div class="hidden" for="help_for_enablebinatreflection">
<strong><?=gettext("Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks.");?></strong>
<br /><br />
<?=gettext("Note: Reflection on 1:1 mappings is only for the inbound component of the 1:1 mappings. This functions the same as the pure NAT mode for port forwards. For more details, refer to the pure NAT mode description above.");?> <?=gettext("Note: Reflection on 1:1 mappings is only for the inbound component of the 1:1 mappings. This functions the same as the pure NAT mode for port forwards. For more details, refer to the pure NAT mode description above.");?>
<br /><br /> <br /><br />
<?=gettext("Individual rules may be configured to override this system setting on a per-rule basis.");?> <?=gettext("Individual rules may be configured to override this system setting on a per-rule basis.");?>
...@@ -619,12 +608,11 @@ include("head.inc"); ...@@ -619,12 +608,11 @@ include("head.inc");
</td> </td>
</tr> </tr>
<tr> <tr>
<td><a id="help_for_enablenatreflectionhelper" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable automatic outbound NAT for Reflection");?></td> <td><a id="help_for_enablenatreflectionhelper" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Automatic outbound NAT for Reflection");?></td>
<td> <td>
<input name="enablenatreflectionhelper" type="checkbox" id="enablenatreflectionhelper" value="yes" <?=!empty($pconfig['enablenatreflectionhelper']) ? "checked=\"checked\"" : "";?> /> <input name="enablenatreflectionhelper" type="checkbox" id="enablenatreflectionhelper" value="yes" <?=!empty($pconfig['enablenatreflectionhelper']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.");?></strong>
<div class="hidden" for="help_for_enablenatreflectionhelper"> <div class="hidden" for="help_for_enablenatreflectionhelper">
<strong><?=gettext("Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.");?></strong>
<br />
<?=gettext("Required for full functionality of the pure NAT mode of NAT Reflection for port forwards or NAT Reflection for 1:1 NAT.");?> <?=gettext("Required for full functionality of the pure NAT mode of NAT Reflection for port forwards or NAT Reflection for 1:1 NAT.");?>
<br /><br /> <br /><br />
<?=gettext("Note: This only works for assigned interfaces. Other interfaces require manually creating the outbound NAT rules that direct the reply packets back through the router.");?> <?=gettext("Note: This only works for assigned interfaces. Other interfaces require manually creating the outbound NAT rules that direct the reply packets back through the router.");?>