Commit 7eb9a897 authored by Franco Fichtner's avatar Franco Fichtner

firewall: rework form a little more than expected

(cherry picked from commit 7bac6923)
parent c4f1e3ca
......@@ -81,20 +81,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext("You must specify an IP address to NAT IPv6 packets.");
}
if (!empty($pconfig['ipv6nat_enable'])) {
$config['diag']['ipv6nat'] = array();
$config['diag']['ipv6nat']['enable'] = true;
$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
} elseif (isset($config['diag']['ipv6nat'])) {
unset($config['diag']['ipv6nat']);
}
if (!empty($pconfig['ipv6allow'])) {
$config['system']['ipv6allow'] = true;
} elseif (isset($config['system']['ipv6allow'])) {
unset($config['system']['ipv6allow']);
}
if ((empty($pconfig['adaptivestart']) && !empty($pconfig['adaptiveend'])) || (!empty($pconfig['adaptivestart']) && empty($pconfig['adaptiveend']))) {
$input_errors[] = gettext("The Firewall Adaptive values must be set together.");
}
......@@ -117,6 +103,20 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext("The Reflection timeout must be an integer.");
}
if (count($input_errors) == 0) {
if (!empty($pconfig['ipv6nat_enable'])) {
$config['diag']['ipv6nat'] = array();
$config['diag']['ipv6nat']['enable'] = true;
$config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr'];
} elseif (isset($config['diag']['ipv6nat'])) {
unset($config['diag']['ipv6nat']);
}
if (!empty($pconfig['ipv6allow'])) {
$config['system']['ipv6allow'] = true;
} elseif (isset($config['system']['ipv6allow'])) {
unset($config['system']['ipv6allow']);
}
if (!empty($pconfig['disablefilter'])) {
$config['system']['disablefilter'] = "enabled";
} elseif (isset($config['system']['disablefilter'])) {
......@@ -222,7 +222,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
install_cron_job("/usr/local/etc/rc.update_bogons", true, "1", "3", "*", "*", "0");
break;
case 'monthly':
// fall through
default:
install_cron_job("/usr/local/etc/rc.update_bogons", true, "1", "3", "1", "*", "*");
}
......@@ -317,18 +316,14 @@ include("head.inc");
</td>
</tr>
<tr>
<td width="22%"><strong><?=gettext("Firewall Advanced");?></strong></td>
<td width="78%" align="right">
<small><?=gettext("full help"); ?> </small>
<i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_page" type="button"></i>
</td>
<th colspan="2" valign="top" class="listtopic"><?=gettext("Miscellaneous");?></th>
</tr>
<tr>
<td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td>
<td>
<input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/>
<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong>
<div class="hidden" for="help_for_scrubnodf">
<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong><br />
<?=gettext("This allows for communications with hosts that generate fragmented " .
"packets with the don't fragment (DF) bit set. Linux NFS is known to " .
"do this. This will cause the filter to not drop such packets but " .
......@@ -340,8 +335,8 @@ include("head.inc");
<td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td>
<td>
<input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong>
<div class="hidden" for="help_for_scrubrnid">
<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong><br />
<?=gettext("Replaces the IP identification field of packets with random values to " .
"compensate for operating systems that use predictable values. " .
"This option only applies to packets that are not fragmented after the " .
......@@ -394,8 +389,8 @@ include("head.inc");
<td><a id="help_for_disablefilter" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disable Firewall");?></td>
<td>
<input name="disablefilter" type="checkbox" value="yes" <?= !empty($pconfig['disablefilter']) ? "checked=\"checked\"" : "";?>/>
<strong><?=gettext("Disable all packet filtering.");?></strong>
<div class="hidden" for="help_for_disablefilter">
<strong><?=gettext("Disable all packet filtering.");?></strong><br/>
<?php printf(gettext("Warning: This converts %s into a routing only platform!"), $g['product_name']);?>
<?=gettext("Warning: This will also turn off NAT!");?><br />
<?=sprintf(
......@@ -478,9 +473,8 @@ include("head.inc");
<td><a id="help_for_bypassstaticroutes" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Static route filtering");?></td>
<td>
<input name="bypassstaticroutes" type="checkbox" value="yes" <?=!empty($pconfig['bypassstaticroutes']) ? "checked=\"checked\"" : "";?>/>
<strong><?=gettext("Bypass firewall rules for traffic on the same interface");?></strong>
<div class="hidden" for="help_for_bypassstaticroutes">
<strong><?=gettext("Bypass firewall rules for traffic on the same interface");?></strong>
<br />
<?=gettext("This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and " .
"leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where " .
"multiple subnets are connected to the same interface.");?>
......@@ -491,9 +485,8 @@ include("head.inc");
<td><a id="help_for_disablevpnrules" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable Auto-added VPN rules') ?></td>
<td>
<input name="disablevpnrules" type="checkbox" value="yes" <?=!empty($pconfig['disablevpnrules']) ? "checked=\"checked\"" :"";?> />
<strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
<div class="hidden" for="help_for_disablevpnrules">
<strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
<br />
<?=gettext("Note: This disables automatically added rules for IPsec, PPTP.");?>
</div>
</td>
......@@ -502,9 +495,8 @@ include("head.inc");
<td><a id="help_for_disablereplyto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable reply-to') ?></td>
<td>
<input name="disablereplyto" type="checkbox" value="yes" <?=!empty($pconfig['disablereplyto']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
<div class="hidden" for="help_for_disablereplyto">
<strong><?=gettext("Disable reply-to on WAN rules");?></strong>
<br />
<?=gettext("With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. " .
"When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.");?>
</div>
......@@ -514,9 +506,8 @@ include("head.inc");
<td><a id="help_for_disablenegate" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable Negate rules') ?></td>
<td>
<input name="disablenegate" type="checkbox" value="yes" <?=!empty($pconfig['disablenegate']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Disable Negate rule on policy routing rules");?></strong>
<div class="hidden" for="help_for_disablenegate">
<strong><?=gettext("Disable Negate rule on policy routing rules");?></strong>
<br />
<?=gettext("With Multi-WAN you generally want to ensure traffic reaches directly connected networks and VPN networks when using policy routing. You can disable this for special purposes but it requires manually creating rules for these networks");?>
</div>
</td>
......@@ -533,12 +524,11 @@ include("head.inc");
</td>
</tr>
<tr>
<td><a id="help_for_aliasesresolveinterval" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Check certificate of aliases URLs");?></td>
<td><a id="help_for_checkaliasesurlcert" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Check certificate of aliases URLs");?></td>
<td>
<input name="checkaliasesurlcert" type="checkbox" value="yes" <?=!empty($pconfig['checkaliasesurlcert']) ? "checked=\"checked\"" : "";?> />
<div class="hidden" for="help_for_aliasesresolveinterval">
<strong><?=gettext("Verify HTTPS certificates when downloading alias URLs");?></strong>
<br />
<strong><?=gettext("Verify HTTPS certificates when downloading alias URLs");?></strong>
<div class="hidden" for="help_for_checkaliasesurlcert">
<?=gettext("Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.");?>
</div>
</td>
......@@ -606,12 +596,11 @@ include("head.inc");
</td>
</tr>
<tr>
<td><a id="help_for_enablebinatreflection" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable Reflection for 1:1");?></td>
<td><a id="help_for_enablebinatreflection" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Reflection for 1:1");?></td>
<td>
<input name="enablebinatreflection" type="checkbox" id="enablebinatreflection" value="yes" <?=!empty($pconfig['enablebinatreflection']) ? "checked=\"checked\"" : "";?>/>
<strong><?=gettext("Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks.");?></strong>
<div class="hidden" for="help_for_enablebinatreflection">
<strong><?=gettext("Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks.");?></strong>
<br /><br />
<?=gettext("Note: Reflection on 1:1 mappings is only for the inbound component of the 1:1 mappings. This functions the same as the pure NAT mode for port forwards. For more details, refer to the pure NAT mode description above.");?>
<br /><br />
<?=gettext("Individual rules may be configured to override this system setting on a per-rule basis.");?>
......@@ -619,12 +608,11 @@ include("head.inc");
</td>
</tr>
<tr>
<td><a id="help_for_enablenatreflectionhelper" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable automatic outbound NAT for Reflection");?></td>
<td><a id="help_for_enablenatreflectionhelper" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Automatic outbound NAT for Reflection");?></td>
<td>
<input name="enablenatreflectionhelper" type="checkbox" id="enablenatreflectionhelper" value="yes" <?=!empty($pconfig['enablenatreflectionhelper']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.");?></strong>
<div class="hidden" for="help_for_enablenatreflectionhelper">
<strong><?=gettext("Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.");?></strong>
<br />
<?=gettext("Required for full functionality of the pure NAT mode of NAT Reflection for port forwards or NAT Reflection for 1:1 NAT.");?>
<br /><br />
<?=gettext("Note: This only works for assigned interfaces. Other interfaces require manually creating the outbound NAT rules that direct the reply packets back through the router.");?>
......
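Review bot: In the second hunk (`@@ -117,6 +103,20 @@`) the relocated block writes `$_POST['ipv6nat_ipaddr']` straight into `$config['diag']['ipv6nat']['ipaddr']` while every neighbouring condition reads `$pconfig`; taking the raw superglobal here skips whatever handling `$pconfig` received and is easy to overlook in a later audit of where request data reaches the config. The only validation of this field visible on the page is the non-empty check behind the "You must specify an IP address to NAT IPv6 packets." message in the first hunk; whether the value is also checked with an address validator before being stored is not visible here, so that is worth confirming, as the stored value presumably feeds the firewall ruleset. Suggest `$config['diag']['ipv6nat']['ipaddr'] = $pconfig['ipv6nat_ipaddr'];` so the block is consistent with its siblings. The enclosing `if (count($input_errors) == 0)` branch continues outside the hunk.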