lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-14 16:44:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

(firewall, scrub) move relevant scrub options to firewall_scrub.php

Browse Source 
ditch disablescrub option,  fragment reassemble is enabled by default.
This commit is contained in:
Ad Schellevis 2016-05-30 14:11:02 +02:00
parent 8e14008829
commit 23c6d1b766
3 changed files with 101 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/etc/inc/filter.inc
View File

@ -388,37 +388,22 @@ function filter_generate_scrubing(&$FilterIflist)
}
$scrubrules .= "scrub from any to <vpn_networks> max-mss {$maxmss}\n";
}
/* disable scrub option */
/* scrub per interface options */
foreach ($FilterIflist as $scrubif => $scrubcfg) {
if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
continue;
} else {
/* set up MSS clamping */
$mssclamp = '';
if (
$scrubcfg['mss'] != '' && is_numeric($scrubcfg['mss']) &&
$scrubcfg['if'] != 'pppoe' && $scrubcfg['if'] != 'pptp' &&
$scrubcfg['if'] != 'l2tp'
) {
if (!empty($scrubcfg['mss']) && is_numeric($scrubcfg['mss']) &&
!in_array($scrubcfg['if'], array('pppoe', 'pptp', 'l2tp'))) {
$mssclamp = "max-mss " . (intval($scrubcfg['mss'] - 40));
}
/* configure no-df for linux nfs and others */
if (!empty($config['system']['scrubnodf'])) {
$scrubnodf = "no-df";
} else {
$scrubnodf = "";
}
if (!empty($config['system']['scrubrnid'])) {
$scrubrnid = "random-id";
} else {
$scrubrnid = "";
}
if (!isset($config['system']['disablescrub'])) {
$scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
} else if (!empty($mssclamp)) {
$scrubrules .= "scrub on \${$scrubcfg['descr']} {$mssclamp}\n";
$mssclamp = '';
}
$scrubnodf = !empty($config['system']['scrubnodf']) ? "no-df" : "";
$scrubrnid = !empty($config['system']['scrubrnid']) ? "random-id" : "";
$scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp}\n";
}
}

104
src/www/firewall_scrub.php
View File

@ -35,12 +35,34 @@ if (!isset($config['filter']['scrub']['rule'])) {
}
$a_scrub = &$config['filter']['scrub']['rule'];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
$pconfig['scrubnodf'] = !empty($config['system']['scrubnodf']);
$pconfig['scrubrnid'] = !empty($config['system']['scrubrnid']);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
$pconfig = $_POST;
if (isset($pconfig['id']) && isset($a_scrub[$pconfig['id']])) {
$id = $pconfig['id'];
}
if (isset($pconfig['apply'])) {
if (isset($pconfig['act']) && $pconfig['act'] == 'edit') {
// update general settings
if (!empty($pconfig['scrubnodf'])) {
$config['system']['scrubnodf'] = "enabled";
} elseif (isset($config['system']['scrubnodf'])) {
unset($config['system']['scrubnodf']);
}
if (!empty($pconfig['scrubrnid'])) {
$config['system']['scrubrnid'] = "enabled";
} elseif (isset($config['system']['scrubrnid'])) {
unset($config['system']['scrubrnid']);
}
if (write_config()) {
mark_subsystem_dirty('filter');
}
header("Location: firewall_scrub.php");
exit;
} elseif (isset($pconfig['apply'])) {
filter_configure();
clear_subsystem_dirty('filter');
$savemsg = sprintf(
@ -163,6 +185,12 @@ $( document ).ready(function() {
$("#iform").submit();
});
$("#save").click(function(event){
event.preventDefault();
$("#action").val("edit");
$("#iform").submit();
});
// watch scroll position and set to last known on page load
watchScrollPosition();
@ -178,14 +206,68 @@ $( document ).ready(function() {
<?php if (is_subsystem_dirty('filter')): ?><p>
<?php print_info_box_apply(gettext("The firewall rule configuration has been changed.<br />You must apply the changes in order for them to take effect."));?>
<?php endif; ?>
<section class="col-xs-12">
<div class="content-box">
<form method="post" name="iform" id="iform">
<input type="hidden" id="id" name="id" value="" />
<input type="hidden" id="action" name="act" value="" />
<form method="post" name="iform" id="iform">
<input type="hidden" id="id" name="id" value="" />
<input type="hidden" id="action" name="act" value="" />
<section class="col-xs-12">
<div class="content-box">
<div class="table-responsive" >
<table class="table table-striped table-hover opnsense_standard_table_form">
<thead>
<tr>
<td width="22%"><strong><?=gettext("General settings");?></strong></td>
<td width="78%" align="right">
<small><?=gettext("full help"); ?> </small>
<i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_page" type="button">&nbsp;</i>
</td>
</tr>
</thead>
<tbody>
<tr>
<td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td>
<td>
<input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/>
<div class="hidden" for="help_for_scrubnodf">
<?=gettext("This allows for communications with hosts that generate fragmented " .
"packets with the don't fragment (DF) bit set. Linux NFS is known to " .
"do this. This will cause the filter to not drop such packets but " .
"instead clear the don't fragment bit.");?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td>
<td>
<input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> />
<div class="hidden" for="help_for_scrubrnid">
<?=gettext("Replaces the IP identification field of packets with random values to " .
"compensate for operating systems that use predictable values. " .
"This option only applies to packets that are not fragmented after the " .
"optional packet reassembly.");?>
</div>
</td>
</tr>
<tr>
<td></td>
<td>
<input name="Submit" id="save" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" />
</td>
</tr>
</tbody>
</table>
</div>
</div>
</section>
<section class="col-xs-12">
<div class="content-box">
<div class="table-responsive" >
<table class="table table-striped table-hover" id="rules">
<thead>
<tr>
<th colspan="2"><?=gettext("Detailed settings");?></th>
<th colspan="2" class="hidden-xs hidden-sm"> </th>
<th colspan="2"> </th>
</tr>
<tr>
<th>&nbsp;</th>
<th><?=gettext("Interfaces");?></th>
@ -194,7 +276,7 @@ $( document ).ready(function() {
<th><?=gettext("Description");?></th>
<th></th>
</tr>
</thead>
</thead>
<tbody>
<?php
$special_nets = get_specialnets();
@ -293,9 +375,9 @@ $( document ).ready(function() {
</tfoot>
</table>
</div>
</form>
</div>
</section>
</div>
</section>
</form>
</div>
</div>
</section>

56
src/www/system_advanced_firewall.php
View File

@ -44,8 +44,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
$pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
$pconfig['disablefilter'] = !empty($config['system']['disablefilter']);
$pconfig['scrubnodf'] = !empty($config['system']['scrubnodf']);
$pconfig['scrubrnid'] = !empty($config['system']['scrubrnid']);
$pconfig['optimization'] = isset($config['system']['optimization']) ? $config['system']['optimization'] : "normal";
$pconfig['maximumstates'] = isset($config['system']['maximumstates']) ? $config['system']['maximumstates'] : null;
$pconfig['adaptivestart'] = isset($config['system']['adaptivestart']) ? $config['system']['adaptivestart'] : null;
@ -70,7 +68,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['enablenatreflectionhelper'] = isset($config['system']['enablenatreflectionhelper']) ? $config['system']['enablenatreflectionhelper'] : null;
$pconfig['reflectiontimeout'] = !empty($config['system']['reflectiontimeout']) ? $config['system']['reflectiontimeout'] : null;
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
$pconfig = $_POST;
@ -131,18 +128,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['disablevpnrules']);
}
if (!empty($pconfig['scrubnodf'])) {
$config['system']['scrubnodf'] = "enabled";
} elseif (isset($config['system']['scrubnodf'])) {
unset($config['system']['scrubnodf']);
}
if (!empty($pconfig['scrubrnid'])) {
$config['system']['scrubrnid'] = "enabled";
} elseif (isset($config['system']['scrubrnid'])) {
unset($config['system']['scrubrnid']);
}
if (!empty($pconfig['adaptiveend'])) {
$config['system']['adaptiveend'] = $pconfig['adaptiveend'];
} elseif (isset($config['system']['adaptiveend'])) {
@ -204,12 +189,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['filter']['bypassstaticroutes']);
}
if (!empty($pconfig['disablescrub'])) {
$config['system']['disablescrub'] = $pconfig['disablescrub'];
} elseif (isset($config['system']['disablescrub'])) {
unset($config['system']['disablescrub']);
}
if ($pconfig['bogonsinterval'] != $config['system']['bogons']['interval']) {
$config['system']['bogons']['interval'] = $pconfig['bogonsinterval'];
}
@ -437,32 +416,6 @@ include("head.inc");
<tr>
<th colspan="2" valign="top" class="listtopic"><?=gettext("Miscellaneous");?></th>
</tr>
<tr>
<td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td>
<td>
<input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/>
<strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong>
<div class="hidden" for="help_for_scrubnodf">
<?=gettext("This allows for communications with hosts that generate fragmented " .
"packets with the don't fragment (DF) bit set. Linux NFS is known to " .
"do this. This will cause the filter to not drop such packets but " .
"instead clear the don't fragment bit.");?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td>
<td>
<input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> />
<strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong>
<div class="hidden" for="help_for_scrubrnid">
<?=gettext("Replaces the IP identification field of packets with random values to " .
"compensate for operating systems that use predictable values. " .
"This option only applies to packets that are not fragmented after the " .
"optional packet reassembly.");?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_optimization" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall Optimization");?></td>
<td>
@ -519,15 +472,6 @@ include("head.inc");
</div>
</td>
</tr>
<tr>
<td><a id="help_for_disablescrub" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disable Firewall Scrub");?></td>
<td>
<input name="disablescrub" type="checkbox" value="yes" <?=!empty($pconfig['disablescrub']) ? "checked=\"checked\"" : "";?>/>
<div class="hidden" for="help_for_disablescrub">
<?=gettext("Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.");?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_adaptive" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall Adaptive Timeouts");?></td>
<td>