?>
<div id="container"><?php
$form = new Form();
$section = new Form_Section('Firewall Advanced');
$section->addInput(new Form_Checkbox('scrubnodf', 'IP Do-Not-Fragment compatibility', 'Clear invalid DF bits instead of dropping the packets', isset($config['system']['scrubnodf'])))->setHelp('This allows for communications with hosts that generate fragmented ' . 'packets with the don\'t fragment (DF) bit set. Linux NFS is known to do this. ' . 'This will cause the filter to not drop such packets but instead clear the don\'t ' . 'fragment bit.');
$section->addInput(new Form_Checkbox('scrubrnid', 'IP Random id generation', 'Insert a stronger ID into IP header of packets passing through the filter.', isset($config['system']['scrubrnid'])))->setHelp('Replaces the IP identification field of packets with random values to ' . 'compensate for operating systems that use predictable values. This option only ' . 'applies to packets that are not fragmented after the optional packet ' . 'reassembly.');
$section->addInput($input = new Form_Select('optimization', 'Firewall Optimization Options', $config['system']['optimization'], array('normal' => 'Normal', 'high-latency' => gettext('High-latency'), 'aggressive' => gettext('Aggressive'), 'conservative' => gettext('Conservative'))))->setHelp('Select the type of state table optimization to use');
$section->addInput(new Form_Checkbox('disablefilter', 'Disable Firewall', 'Disable all packet filtering.', isset($config['system']['disablefilter'])))->setHelp('Note: This converts %s into a routing only platform!<br/>' . 'Note: This will also turn off NAT! To only disable NAT, ' . 'and not firewall rules, visit the <a href="firewall_nat_out.php">Outbound ' . 'NAT</a> page.', [$g["product_name"]]);
$section->addInput(new Form_Checkbox('disablescrub', 'Disable Firewall Scrub', 'Disables the PF scrubbing option which can sometimes interfere with NFS traffic.', isset($config['system']['disablescrub'])));
$group = new Form_Group('Firewall Adaptive Timeouts');
$group->add(new Form_Input('adaptivestart', 'Adaptive start', 'number', $pconfig['adaptivestart'], ['min' => 1]))->setHelp('When the number of state entries exceeds this value, adaptive ' . 'scaling begins. All timeout values are scaled linearly with factor ' . '(adaptive.end - number of states) / (adaptive.end - adaptive.start).');
$group->add(new Form_Input('adaptiveend', 'Adaptive end', 'number', $pconfig['adaptiveend'], ['min' => 1]))->setHelp('When reaching this number of state entries, all timeout values ' . 'become zero, effectively purging all state entries immediately. This ' . 'value is used to define the scale factor, it should not actually be ' . 'reached (set a lower state limit, see below).');
$group->setHelp('Timeouts for states can be scaled adaptively as the number of ' . 'state table entries grows. Leave blank for the default (0)');
$section->add($group);
$section->addInput(new Form_Input('maximumstates', 'Firewall Maximum States', 'number', $pconfig['maximumstates'], ['min' => 1, 'placeholder' => pfsense_default_state_size()]))->setHelp('Maximum number of connections to hold in the firewall state table. ' . '<br/>Note: Leave this blank for the default. On this system the default ' . 'size is: %d', [pfsense_default_state_size()]);
$section->addInput(new Form_Input('maximumtableentries', 'Firewall Maximum Table Entries', 'text', $pconfig['maximumtableentries'], ['placeholder' => pfsense_default_table_entries_size()]))->setHelp('Maximum number of table entries for systems such as aliases, ' . 'sshlockout, snort, etc, combined.<br/>Note: Leave this blank for the ' . 'default. On this system the default size is: %d', [pfsense_default_table_entries_size()]);
$section->addInput(new Form_Input('maximumfrags', 'Firewall Maximum Fragment Entries', 'text', $pconfig['maximumfrags']))->setHelp('Maximum number of packet fragments to hold for reassembly by scrub rules. Leave this blank for the default (5000)');
$section->addInput(new Form_Checkbox('bypassstaticroutes', 'Static route filtering', 'Bypass firewall rules for traffic on the same interface', $pconfig['bypassstaticroutes']))->setHelp('This option only applies if one or more static routes have been defined. ' . 'If it is enabled, traffic that enters and leaves through the same ' . 'interface will not be checked by the firewall. This may be desirable in some ' . 'situations where multiple subnets are connected to the same interface.');
$section->addInput(new Form_Checkbox('disablevpnrules', 'Disable Auto-added VPN rules', 'Disable all auto-added VPN rules.', isset($config['system']['disablevpnrules'])))->setHelp('Note: This disables automatically added rules for IPsec.');
$section->addInput(new Form_Checkbox('disablereplyto', 'Disable reply-to', 'Disable reply-to on WAN rules', $pconfig['disablereplyto']))->setHelp('With Multi-WAN it is generally desired to ensure traffic leaves the same ' . 'interface it arrives on, hence reply-to is added automatically by default. When ' . 'using bridging, this behavior must be disabled if the WAN gateway IP is ' . 'different from the gateway IP of the hosts behind the bridged interface.');
$section->addInput(new Form_Checkbox('disablenegate', 'Disable Negate rules', 'Disable Negate rule on policy routing rules', $pconfig['disablenegate']))->setHelp('With Multi-WAN it is generally desired to ensure traffic reaches directly ' . 'connected networks and VPN networks when using policy routing. This can be disabled ' . 'for special purposes but it requires manually creating rules for these networks.');
$section->addInput(new Form_Input('aliasesresolveinterval', 'Aliases Hostnames Resolve Interval', 'text', $pconfig['aliasesresolveinterval'], ['placeholder' => '300']))->setHelp('Interval, in seconds, that will be used to resolve hostnames ' . 'configured on aliases. <br/>Note: Leave this blank for the default ' . '(300s).');
$section->addInput(new Form_Checkbox('checkaliasesurlcert', 'Check certificate of aliases URLs', 'Verify HTTPS certificates when downloading alias URLs', $pconfig['checkaliasesurlcert']))->setHelp('Make sure the certificate is valid for all HTTPS addresses on ' . 'aliases. If it\'s not valid or is revoked, do not download it.');
$form->add($section);
$section = new Form_Section('Bogon Networks');
$section->addInput(new Form_Select('bogonsinterval', 'Update Frequency', empty($pconfig['bogonsinterval']) ? 'monthly' : $pconfig['bogonsinterval'], array('monthly' => gettext('Monthly'), 'weekly' => gettext('Weekly'), 'daily' => gettext('Daily'))))->setHelp('The frequency of updating the lists of IP addresses that are ' . 'reserved (but not RFC 1918) or not yet assigned by IANA.');
$form->add($section);
if (count($config['interfaces']) > 1) {
$section = new Form_Section('Network Address Translation');
if (isset($config['system']['disablenatreflection'])) {
$value = 'disable';
echo gettext("Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.");
?>
</strong>
<br />
<span class="vexpl">
<?php
echo gettext("Note: Leave this blank for the default.");
?>
<?php
if (empty($pconfig['maximumtableentries'])) {
?>
<?php
echo gettext("On your system the default size is:");
?>
<?php
echo pfsense_default_table_entries_size();
?>
<?php
}
?>
</span>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php
echo gettext("Static route filtering");
?>
</td>
<td width="78%" class="vtable">
<input name="bypassstaticroutes" type="checkbox" id="bypassstaticroutes" value="yes" <?php
if ($pconfig['bypassstaticroutes']) {
