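/**
 * Remove the kernel route(s) behind static-route entry $id.
 *
 * The entry's "network" is either a literal CIDR or the name of an alias.
 * An alias is expanded to its members, single hosts are widened to /32
 * (IPv4) or /128 (IPv6), and any member that is still not a subnet after
 * that is dropped, so only validated CIDR strings ever reach the route
 * command.  A literal network is used as stored.
 *
 * @param int|string $id Index into the global $a_routes array.
 * @return void  Returns silently when $id is not a configured route.
 */
function delete_static_route($id)
{
    // Only $a_routes is read; the unused $config/$changedesc_prefix globals
    // of the original are dropped.
    global $a_routes;

    if (!isset($a_routes[$id])) {
        return;
    }

    $network = $a_routes[$id]['network'];
    $targets = array();

    if (is_alias($network)) {
        foreach (filter_expand_alias_array($network) as $tgt) {
            if (is_ipaddrv4($tgt)) {
                $tgt .= "/32";
            } elseif (is_ipaddrv6($tgt)) {
                $tgt .= "/128";
            }
            // Alias members may be hostnames or other non-CIDR entries;
            // skip anything that does not validate as a subnet.
            if (!is_subnet($tgt)) {
                continue;
            }
            $targets[] = $tgt;
        }
    } else {
        $targets[] = $network;
    }

    foreach ($targets as $tgt) {
        $family = is_subnetv6($tgt) ? "-inet6" : "-inet";
        // escapeshellarg() keeps the target a single shell argument even
        // though alias-derived targets were validated above.
        mwexec("/sbin/route delete {$family} " . escapeshellarg($tgt));
    }
}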
        echo gettext("edit alias");
        ?>
" data-toggle="tooltip">
                          <i class="fa fa-list"></i>
                        </a>
<?php 
    } else {
        ?>
                        <?php 
        echo htmlspecialchars(pprint_address($natent['source']));
    }
    ?>
                    </td>
                    <td>
<?php 
    if (isset($natent['destination']['address']) && is_alias($natent['destination']['address'])) {
        ?>
                        <span title="<?php 
        echo htmlspecialchars(get_alias_description($natent['destination']['address']));
        ?>
" data-toggle="tooltip">
                          <?php 
        echo htmlspecialchars(pprint_address($natent['destination']));
        ?>
&nbsp;
                        </span>
                        <a href="/firewall_aliases_edit.php?name=<?php 
        echo htmlspecialchars($natent['destination']['address']);
        ?>
"
                            title="<?php 
     if (is_alias($_POST['ftp_bind_to'])) {
         $engine['bind_to'] = $_POST['ftp_bind_to'];
     } elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") {
         $engine['bind_to'] = "all";
     } else {
         $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
     }
 } else {
     $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank.  Provide a valid Alias or the reserved keyword 'all'.");
 }
 // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since
 // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port.
 if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net'])) {
     $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option.");
 }
 if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port'])) {
     $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option.");
 }
 if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port'])) {
     $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set.");
 }
 if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net'])) {
     $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set.");
 }
 // Validate the BOUNCE-TO Alias entries for correct format of their defined values.  BOUNCE-TO ADDRESS must be
 // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value.  Provide
 // detailed error messages for the user that explain any problems.
 if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) {
     if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])) {
         $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net']));
         $net = preg_replace('/\\s+/', ',', $net);
 if ($config['system']['gateway'] != "") {
     $config['interfaces']['wan']['gateway'] = $config['system']['gateway'];
 }
 unset($config['shaper']);
 /* optional if list */
 $ifdescrs = get_configured_interface_list(true, true);
 /* remove special characters from interface descriptions */
 if (is_array($ifdescrs)) {
     foreach ($ifdescrs as $iface) {
         $config['interfaces'][$iface]['descr'] = remove_bad_chars($config['interfaces'][$iface]['descr']);
     }
 }
 /* check for interface names with an alias */
 if (is_array($ifdescrs)) {
     foreach ($ifdescrs as $iface) {
         if (is_alias($config['interfaces'][$iface]['descr'])) {
             // Firewall rules
             $origname = $config['interfaces'][$iface]['descr'];
             $newname = $config['interfaces'][$iface]['descr'] . "Alias";
             update_alias_names_upon_change(array('filter', 'rule'), array('source', 'address'), $newname, $origname);
             update_alias_names_upon_change(array('filter', 'rule'), array('destination', 'address'), $newname, $origname);
             // NAT Rules
             update_alias_names_upon_change(array('nat', 'rule'), array('source', 'address'), $newname, $origname);
             update_alias_names_upon_change(array('nat', 'rule'), array('destination', 'address'), $newname, $origname);
             update_alias_names_upon_change(array('nat', 'rule'), array('target'), $newname, $origname);
             // Alias in an alias
             update_alias_names_upon_change(array('aliases', 'alias'), array('address'), $newname, $origname);
         }
     }
 }
 unlink_if_exists("{$g['tmp_path']}/config.cache");
 /* Ensure that our pool names are unique */
 for ($i = 0; isset($config['load_balancer']['lbpool'][$i]); $i++) {
     if ($_POST['name'] == $config['load_balancer']['lbpool'][$i]['name'] && $i != $id) {
         $input_errors[] = gettext("This pool name has already been used.  Pool names must be unique.");
     }
 }
 if (preg_match('/[ \\/]/', $_POST['name'])) {
     $input_errors[] = gettext("You cannot use spaces or slashes in the 'name' field.");
 }
 if (strlen($_POST['name']) > 16) {
     $input_errors[] = gettext("The 'name' field must be 16 characters or less.");
 }
 if (in_array($_POST['name'], $reserved_table_names)) {
     $input_errors[] = sprintf(gettext("The name '%s' is a reserved word and cannot be used."), $_POST['name']);
 }
 if (is_alias($_POST['name'])) {
     $input_errors[] = sprintf(gettext("Sorry, an alias is already named %s."), $_POST['name']);
 }
 if (!is_portoralias($_POST['port'])) {
     $input_errors[] = gettext("The port must be an integer between 1 and 65535, or a port alias.");
 }
 // May as well use is_port as we want a positive integer and such.
 if (!empty($_POST['retry']) && !is_port($_POST['retry'])) {
     $input_errors[] = gettext("The retry value must be an integer between 1 and 65535.");
 }
 if (is_array($_POST['servers'])) {
     foreach ($pconfig['servers'] as $svrent) {
         if (!is_ipaddr($svrent) && !is_subnetv4($svrent)) {
             $input_errors[] = sprintf(gettext("%s is not a valid IP address or IPv4 subnet (in \"enabled\" list)."), $svrent);
         } else {
             if (is_subnetv4($svrent) && subnet_size($svrent) > 64) {
     if ($_POST['dsttype'] == "single") {
         $_POST['dstmask'] = 32;
     } else {
         if (is_ipaddr($_POST['dsttype'])) {
             $_POST['dst'] = $_POST['dsttype'];
             $_POST['dstmask'] = 32;
             $_POST['dsttype'] = "single";
         }
     }
 }
 /* For external, user can enter only ip's */
 if ($_POST['external'] && !is_ipaddr($_POST['external'])) {
     $input_errors[] = gettext("A valid external subnet must be specified.");
 }
 /* For dst, if user enters an alias and selects "network" then disallow. */
 if ($_POST['dsttype'] == "network" && is_alias($_POST['dst'])) {
     $input_errors[] = gettext("You must specify single host or alias for alias entries.");
 }
 /* For src, user can enter only ip's or networks */
 if (!is_specialnet($_POST['srctype'])) {
     if ($_POST['src'] && !is_ipaddr($_POST['src'])) {
         $input_errors[] = sprintf(gettext("%s is not a valid internal IP address."), $_POST['src']);
     }
     if ($_POST['srcmask'] && !is_numericint($_POST['srcmask'])) {
         $input_errors[] = gettext("A valid internal bit count must be specified.");
     }
 }
 /* For dst, user can enter ip's, networks or aliases */
 if (!is_specialnet($_POST['dsttype'])) {
     if ($_POST['dst'] && !is_ipaddroralias($_POST['dst'])) {
         $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $_POST['dst']);
                 $input_errors[] = sprintf(gettext("URL '%s' is not valid."), $_POST['address' . $x]);
             }
         }
     }
     unset($desc_fmt_err_found);
     if ($_POST['type'] == "url_ports") {
         $address = group_ports($address);
     }
 } else {
     /* item is a normal alias type */
     $wrongaliases = "";
     $desc_fmt_err_found = false;
     for ($x = 0; $x < 4999; $x++) {
         if ($_POST["address{$x}"] != "") {
             $_POST["address{$x}"] = trim($_POST["address{$x}"]);
             if (is_alias($_POST["address{$x}"])) {
                 if (!alias_same_type($_POST["address{$x}"], $_POST['type'])) {
                     // But alias type network can include alias type urltable. Feature#1603.
                     if (!($_POST['type'] == 'network' && preg_match("/urltable/i", alias_get_type($_POST["address{$x}"])))) {
                         $wrongaliases .= " " . $_POST["address{$x}"];
                     }
                 }
             } else {
                 if ($_POST['type'] == "port") {
                     if (!is_port($_POST["address{$x}"]) && !is_portrange($_POST["address{$x}"])) {
                         $input_errors[] = $_POST["address{$x}"] . " " . gettext("is not a valid port or alias.");
                     }
                 } else {
                     if ($_POST['type'] == "host" || $_POST['type'] == "network") {
                         if (is_subnet($_POST["address{$x}"]) || !is_ipaddr($_POST["address{$x}"]) && !is_hostname($_POST["address{$x}"]) && !is_iprange($_POST["address{$x}"])) {
                             $input_errors[] = sprintf(gettext('%1$s is not a valid %2$s alias.'), $_POST["address{$x}"], $_POST['type']);
                    </td>
                    <td class="hidden-xs hidden-sm">
<?php 
    if (isset($natent['nonat'])) {
        $nat_address = '<I>NO NAT</I>';
    } elseif (!$natent['target']) {
        $nat_address = htmlspecialchars(convert_friendly_interface_to_friendly_descr($natent['interface'])) . " address";
    } elseif ($natent['target'] == "other-subnet") {
        $nat_address = $natent['targetip'] . '/' . $natent['targetip_subnet'];
    } else {
        $nat_address = $natent['target'];
    }
    ?>
                      <?php 
    echo htmlspecialchars($nat_address);
    if (isset($natent['target']) && is_alias($natent['target'])) {
        ?>
                        &nbsp;<a href="/firewall_aliases_edit.php?name=<?php 
        echo htmlspecialchars($natent['target']);
        ?>
"><i class="fa fa-list"></i> </a>
<?php 
    }
    ?>
                    </td>
                    <td class="hidden-xs hidden-sm">
                      <?php 
    echo empty($natent['natport']) ? "*" : htmlspecialchars($natent['natport']);
    ?>
                    </td>
                    <td>
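/**
 * Authenticate the user named by the global $login with the given password.
 *
 * Return value:
 *   0 - OK: globals $userid (auth.id), $admin (auth.admin) and
 *       $posljednji_pristup (previous last-access time) are populated,
 *       the last-access time is updated and a session holding the
 *       login name is started
 *   1 - unknown user (no active auth row, or no matching LDAP entry)
 *   2 - password does not match (or the auth backend is not recognised)
 *
 * The backend is chosen by the global $conf_system_auth: "ldap" resolves
 * the login to an LDAP entry (by uid, then mail, then mail plus
 * $conf_ldap_domain) and binds with the password; "table" compares the
 * password against the auth table.
 *
 * @param string $pass Password as submitted by the user.
 * @return int
 */
function login($pass)
{
    global $userid, $admin, $login, $conf_system_auth, $conf_ldap_server, $conf_ldap_domain, $posljednji_pristup;

    // NOTE(review): the login value in this query shows as '******' here
    // (looks redacted); if the real query interpolates $login it has to be
    // escaped or parameterised.  mysql_* is also removed as of PHP 7.
    $q1 = myquery("select id, password, admin, UNIX_TIMESTAMP(posljednji_pristup) from auth where login='******' and aktivan=1");
    if (mysql_num_rows($q1) <= 0) {
        return 1;
    }

    // True for an entry that is a Zimbra alias of another account; the
    // searches below return those too and they must be skipped.  A closure
    // replaces the nested `function is_alias()` of the original, which was
    // declared globally on the first call and fatally redeclared on the next.
    $isAliasEntry = function ($entry) {
        if (!is_array($entry) || !isset($entry['objectclass'])) {
            return false;
        }
        foreach ((array) $entry['objectclass'] as $objectClass) {
            if ($objectClass === "zimbraAlias") {
                return true;
            }
        }
        return false;
    };

    // Runs one search and returns the first non-alias entry, or null when
    // the search yields nothing usable.  ldap_get_entries() occasionally
    // returns false; that is treated as "no result".  The index is
    // bounds-checked before the entry is read (the original tested
    // $results[$i] before comparing $i with $results['count']).
    $firstRealEntry = function ($ds, $filter, $label) use ($isAliasEntry) {
        $sr = ldap_search($ds, "", $filter, array());
        if (!$sr) {
            niceerror("ldap_search() " . $label . "failed.");
            exit;
        }
        $results = ldap_get_entries($ds, $sr);
        if (!$results) {
            return null;
        }
        for ($i = 0; $i < $results['count']; $i++) {
            if (!$isAliasEntry($results[$i])) {
                return $results[$i];
            }
        }
        return null;
    };

    if ($conf_system_auth == "ldap") {
        $ds = ldap_connect($conf_ldap_server);
        if (!$ds) {
            niceerror("Can't contact LDAP server.");
            exit;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        if (!ldap_bind($ds)) {
            niceerror("LDAP anonymous bind failed.");
            exit;
        }

        // Escape for the filter context into a local.  The original
        // overwrote the global $login with the escaped form and later stored
        // that escaped value in the session.
        $filterLogin = ldap_escape($login, "", LDAP_ESCAPE_FILTER);

        // Try uid, then the mail attribute, then mail with the configured
        // domain appended.
        $entry = $firstRealEntry($ds, "uid={$filterLogin}", "");
        if ($entry === null) {
            $entry = $firstRealEntry($ds, "mail={$filterLogin}", "1 ");
        }
        if ($entry === null) {
            $entry = $firstRealEntry($ds, "mail={$filterLogin}{$conf_ldap_domain}", "2 ");
        }
        if ($entry === null) {
            return 1;
        }

        // An empty password must not reach ldap_bind(): with a DN and an
        // empty password LDAPv3 performs an unauthenticated bind, which
        // servers may accept, and that would be reported as a login.
        if ((string) $pass === '') {
            return 2;
        }
        // ldap_bind() emits a warning on every wrong password, hence the @.
        if (!@ldap_bind($ds, $entry['dn'], $pass)) {
            return 2;
        }
    } elseif ($conf_system_auth == "table") {
        // Strict, constant-time comparison; the original used loose !=,
        // under which e.g. "1e1" and "10" compare equal.
        // NOTE(review): the stored column is compared directly, so the table
        // appears to hold plaintext; password_hash()/password_verify() would
        // need a schema migration.
        $stored = (string) mysql_result($q1, 0, 1);
        if (!hash_equals($stored, (string) $pass)) {
            return 2;
        }
    } else {
        // Fail closed: the original fell through to a successful login when
        // $conf_system_auth was neither "ldap" nor "table".
        return 2;
    }

    $userid = mysql_result($q1, 0, 0);
    $admin = mysql_result($q1, 0, 2);
    $posljednji_pristup = mysql_result($q1, 0, 3);
    // $userid is the auth table's id column; cast so only an integer is
    // ever interpolated into the statement.
    myquery("update auth set posljednji_pristup=NOW() where id=" . (int) $userid);

    // All OK, start session.
    session_start();
    // NOTE(review): session_regenerate_id(true) at this point is the usual
    // session-fixation guard; it was disabled in the original for a reason
    // that is not visible here.
    //session_regenerate_id(); // prevent session fixation
    $_SESSION['login'] = $login;
    session_write_close();

    return 0;
}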
// When returning from the alias picker (act=import), carry the selected alias
// back into the form.  Only the bind_to field is accepted, and the value is
// HTML-escaped because it is echoed straight into the page.
if ($_GET['act'] == "import") {
    $selectedAlias = empty($_GET['varvalue']) ? null : $_GET['varvalue'];
    if ($selectedAlias !== null && $_GET['varname'] == "bind_to") {
        $pconfig['bind_to'] = htmlspecialchars($selectedAlias);
    }
}
if ($_POST['save']) {
    /* Grab all the POST values and save in new temp array */
    $engine = array();
    if ($_POST['frag3_name']) {
        $engine['name'] = trim($_POST['frag3_name']);
    } else {
        $engine['name'] = "default";
    }
    if ($_POST['frag3_bind_to']) {
        if (is_alias($_POST['frag3_bind_to'])) {
            $engine['bind_to'] = $_POST['frag3_bind_to'];
        } elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all") {
            $engine['bind_to'] = "all";
        } else {
            $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
        }
    } else {
        $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank.  Provide a valid Alias or the reserved keyword 'all'.");
    }
    /* Validate the text input fields before saving */
    if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) {
        $engine['timeout'] = $_POST['frag3_timeout'];
        if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1) {
            $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero.");
        }
    if (!empty($suricatacfg["def_{$alias}"]) && is_alias($suricatacfg["def_{$alias}"])) {
        $avalue = trim(filter_expand_alias($suricatacfg["def_{$alias}"]));
        $avalue = preg_replace('/\\s+/', ',', trim($avalue));
    }
    $addr_vars .= "    " . strtoupper($alias) . ": \"{$avalue}\"\n";
}
$addr_vars = trim($addr_vars);

// The SSH port comes from the system config when one is set, else the default.
$ssh_port = "22";
if (is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) {
    $ssh_port = $config['system']['ssh']['port'];
}

// Default port-group variables for the Suricata YAML; each may be overridden
// by a port alias configured for the interface (stored as "def_<name>").
$suricata_ports = array(
    "ftp_ports" => "21",
    "http_ports" => "80",
    "oracle_ports" => "1521",
    "ssh_ports" => $ssh_port,
    "shellcode_ports" => "!80",
    "DNP3_PORTS" => "20000",
    "file_data_ports" => "\$HTTP_PORTS,110,143",
);

$port_lines = array();
foreach ($suricata_ports as $alias => $avalue) {
    $override = isset($suricatacfg["def_{$alias}"]) ? $suricatacfg["def_{$alias}"] : "";
    if (!empty($override) && is_alias($override)) {
        // Expand the alias to its members and join them with commas.
        $avalue = trim(filter_expand_alias($override));
        $avalue = preg_replace('/\\s+/', ',', trim($avalue));
    }
    $port_lines[] = "    " . strtoupper($alias) . ": \"{$avalue}\"";
}
$port_vars = trim(implode("\n", $port_lines));

// Write the interface's suppress (threshold) list.  An empty file is written
// when no list is configured.  The @ keeps the original best-effort
// behaviour: a failed write is not reported.
$suppress = suricata_find_list($suricatacfg['suppresslistname'], 'suppress');
if (empty($suppress)) {
    @file_put_contents("{$suricatacfgdir}/threshold.config", "");
} else {
    $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru']));
    @file_put_contents("{$suricatacfgdir}/threshold.config", $suppress_data);
}
// Add interface-specific detection engine settings
                </tr>
                <tr>
                    <td><a id="help_for_destination" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?php 
echo gettext("Destination");
?>
</td>
                    <td>
                      <table class="table table-condensed">
                        <tr>
                          <td>
                            <select name="destination" id="destination" class="selectpicker" data-live-search="true" data-size="5" data-width="auto">
                              <option data-other=true value="<?php 
echo $pconfig['destination'];
?>
" <?php 
echo !is_alias($pconfig['destination']) && $pconfig['destination'] != 'any' ? "selected=\"selected\"" : "";
?>
><?php 
echo gettext("Single host or Network");
?>
</option>
                              <option value="any" <?php 
echo $pconfig['destination'] == "any" ? "selected=\"selected\"" : "";
?>
><?php 
echo gettext("any");
?>
</option>
                              <optgroup label="<?php 
echo gettext("Aliases");
?>
 }
 /* check for name conflicts */
 foreach ($a_passlist as $p_list) {
     if (isset($id) && $a_passlist[$id] && $a_passlist[$id] === $p_list) {
         continue;
     }
     if ($p_list['name'] == $_POST['name']) {
         $input_errors[] = gettext("A Pass List file name with this name already exists.");
         break;
     }
 }
 if ($_POST['address']) {
     if (!is_alias($_POST['address'])) {
         $input_errors[] = gettext("A valid alias must be provided");
     }
     if (is_alias($_POST['address']) && trim(filter_expand_alias($_POST['address'])) == "") {
         $input_errors[] = gettext("FQDN aliases are not supported in Suricata.");
     }
 }
 if (!$input_errors) {
     $p_list = array();
     /* post user input */
     $p_list['name'] = $_POST['name'];
     $p_list['uuid'] = $passlist_uuid;
     $p_list['localnets'] = $_POST['localnets'] ? 'yes' : 'no';
     $p_list['wanips'] = $_POST['wanips'] ? 'yes' : 'no';
     $p_list['wangateips'] = $_POST['wangateips'] ? 'yes' : 'no';
     $p_list['wandnsips'] = $_POST['wandnsips'] ? 'yes' : 'no';
     $p_list['vips'] = $_POST['vips'] ? 'yes' : 'no';
     $p_list['vpnips'] = $_POST['vpnips'] ? 'yes' : 'no';
     $p_list['address'] = $_POST['address'];
        ?>
"><i class="fa fa-list"></i> </a>
<?php 
    }
    ?>
                      </td>

                      <td>
<?php 
    $localport = $natent['local-port'];
    if (strpos($natent['destination']['port'], '-') !== false) {
        list($dstbeginport, $dstendport) = explode("-", $natent['destination']['port']);
        $localendport = $natent['local-port'] + $dstendport - $dstbeginport;
        $localport .= '-' . $localendport;
    }
    if (isset($natent['destination']['port']) && is_alias($natent['destination']['port'])) {
        ?>
                          <span title="<?php 
        echo htmlspecialchars(get_alias_description($localport));
        ?>
" data-toggle="tooltip">
                            <?php 
        echo htmlspecialchars(pprint_port($localport));
        ?>
&nbsp;
                          </span>
                          <a href="/firewall_aliases_edit.php?name=<?php 
        echo htmlspecialchars($localport);
        ?>
"
                              title="<?php 
    }
}
if ($_POST['save']) {
    // Clear and close out any session variable we created
    session_start();
    unset($_SESSION['http_inspect_import']);
    session_write_close();
    // Grab all the POST values and save in new temp array
    $engine = array();
    if ($_POST['httpinspect_name']) {
        $engine['name'] = trim($_POST['httpinspect_name']);
    } else {
        $engine['name'] = "default";
    }
    if ($_POST['httpinspect_bind_to']) {
        if (is_alias($_POST['httpinspect_bind_to'])) {
            $engine['bind_to'] = $_POST['httpinspect_bind_to'];
        } elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all") {
            $engine['bind_to'] = "all";
        } else {
            $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
        }
    } else {
        $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank.  Provide a valid Alias or the reserved keyword 'all'.");
    }
    if ($_POST['httpinspect_ports']) {
        $engine['ports'] = trim($_POST['httpinspect_ports']);
    } else {
        $engine['ports'] = "default";
    }
    // Validate the text input fields before saving
// Present the alias-override lists in a stable, key-sorted order.
ksort($snort_ports);
ksort($snort_servers);

// Work from the interface's current settings; $id selects the Snort
// interface entry in both the page's array and the global config.
$pconfig = $a_nat[$id];
$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid'];

/* convert fake interfaces to real */
$if_real = get_real_interface($pconfig['interface']);
if ($_POST['save']) {
    $natent = array();
    $natent = $pconfig;
    foreach ($snort_servers as $key => $server) {
        if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"])) {
            $input_errors[] = "Only aliases are allowed";
        }
    }
    foreach ($snort_ports as $key => $server) {
        if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"])) {
            $input_errors[] = "Only aliases are allowed";
        }
    }
    /* if no errors write to conf */
    if (!$input_errors) {
        /* post new options */
        foreach ($snort_servers as $key => $server) {
            if ($_POST["def_{$key}"]) {
                $natent["def_{$key}"] = $_POST["def_{$key}"];
            } else {
                unset($natent["def_{$key}"]);
            }
        }
        foreach ($snort_ports as $key => $server) {
            if ($_POST["def_{$key}"]) {
 } else {
     if ($_POST['source_type'] == "(self)") {
         $osn = "(self)";
     } else {
         if (is_alias($_POST['source'])) {
             $osn = $_POST['source'];
         } else {
             $osn = gen_subnet($_POST['source'], $_POST['source_subnet']) . "/" . $_POST['source_subnet'];
         }
     }
 }
 /* check for existing entries */
 if ($_POST['destination_type'] == "any") {
     $ext = "any";
 } else {
     if (is_alias($_POST['destination'])) {
         $ext = $_POST['destination'];
     } else {
         $ext = gen_subnet($_POST['destination'], $_POST['destination_subnet']) . "/" . $_POST['destination_subnet'];
     }
 }
 foreach ($a_out as $natent) {
     if (isset($id) && $a_out[$id] && $a_out[$id] === $natent) {
         continue;
     }
     if (!$natent['interface']) {
         $natent['interface'] = "wan";
     }
 }
 if (!$input_errors) {
     $natent = array();
     } else {
         log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
         continue;
     }
 } else {
     log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
     continue;
 }
 $http_inspect_servers .= $buffer;
 $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n";
 if ($v['no_alerts'] == "on") {
     $http_inspect_servers .= "\tno_alerts \\\n";
 }
 if ($v['ports'] == "default" || empty($v['ports'])) {
     $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
 } elseif (is_alias($v['ports'])) {
     $tmp = trim(filter_expand_alias($v['ports']));
     if (!empty($tmp)) {
         $tmp = preg_replace('/\\s+/', ' ', $tmp);
         $tmp = snort_expand_port_range($tmp, ' ');
         $http_inspect_servers .= "\tports { {$tmp} } \\\n";
     } else {
         log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
         $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
     }
 } else {
     log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
     $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
 }
 $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n";
 $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n";
         if (is_ipaddr($tgt)) {
             $tgt .= "/32";
         }
         if (!is_subnet($tgt)) {
             continue;
         }
         $new_targets[] = $tgt;
     }
 }
 if (!isset($id)) {
     $id = count($a_routes);
 }
 $oroute = $a_routes[$id];
 if (!empty($oroute)) {
     $old_targets = array();
     if (is_alias($oroute['network'])) {
         foreach (filter_expand_alias_array($oroute['network']) as $tgt) {
             if (is_ipaddr($tgt)) {
                 $tgt .= "/32";
             }
             if (!is_subnet($tgt)) {
                 continue;
             }
             $old_targets[] = $tgt;
         }
     } else {
         $old_targets[] = $oroute['network'];
     }
 }
 $overlaps = array_intersect($current_targets, $new_targets);
 $overlaps = array_diff($overlaps, $old_targets);
 if (!empty($pconfig['srcbeginport']) && !is_portoralias($pconfig['srcbeginport']) && $pconfig['srcbeginport'] != 'any') {
     $input_errors[] = sprintf(gettext("%s is not a valid start source port. It must be a port alias or integer between 1 and 65535."), $pconfig['srcbeginport']);
 }
 if (!empty($pconfig['srcendport']) && !is_portoralias($pconfig['srcendport']) && $pconfig['srcendport'] != 'any') {
     $input_errors[] = sprintf(gettext("%s is not a valid end source port. It must be a port alias or integer between 1 and 65535."), $pconfig['srcendport']);
 }
 if (!empty($pconfig['dstbeginport']) && !is_portoralias($pconfig['dstbeginport']) && $pconfig['dstbeginport'] != 'any') {
     $input_errors[] = sprintf(gettext("%s is not a valid start destination port. It must be a port alias or integer between 1 and 65535."), $pconfig['dstbeginport']);
 }
 if (!empty($pconfig['dstendport']) && !is_portoralias($pconfig['dstendport']) && $pconfig['dstendport'] != 'any') {
     $input_errors[] = sprintf(gettext("%s is not a valid end destination port. It must be a port alias or integer between 1 and 65535."), $pconfig['dstendport']);
 }
 if ((is_alias($pconfig['srcbeginport']) || is_alias($pconfig['srcendport'])) && $pconfig['srcbeginport'] != $pconfig['srcendport']) {
     $input_errors[] = gettext('When selecting aliases for source ports, both from and to fields must be the same');
 }
 if ((is_alias($pconfig['dstbeginport']) || is_alias($pconfig['dstendport'])) && $pconfig['dstbeginport'] != $pconfig['dstendport']) {
     $input_errors[] = gettext('When selecting aliases for destination ports, both from and to fields must be the same');
 }
 if (!is_specialnet($pconfig['src'])) {
     if (!is_ipaddroralias($pconfig['src'])) {
         $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."), $pconfig['src']);
     }
     if (!is_numericint($pconfig['srcmask'])) {
         $input_errors[] = gettext("A valid source bit count must be specified.");
     }
 }
 if (!is_specialnet($pconfig['dst'])) {
     if (!is_ipaddroralias($pconfig['dst'])) {
         $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $pconfig['dst']);
     }
     if (!is_numericint($pconfig['dstmask'])) {
    $eng_enable_uri_include_all = $_POST['enable_uri_include_all'];
    $mode = "add_edit_libhtp_policy";
}
if ($_POST['save_libhtp_policy']) {
    if ($_POST['eng_id'] != "") {
        $eng_id = $_POST['eng_id'];
        // Grab all the POST values and save in new temp array
        $engine = array();
        $policy_name = trim($_POST['policy_name']);
        if ($policy_name) {
            $engine['name'] = $policy_name;
        } else {
            $input_errors[] = gettext("The 'Policy Name' value cannot be blank.");
        }
        if ($_POST['policy_bind_to']) {
            if (is_alias($_POST['policy_bind_to'])) {
                $engine['bind_to'] = $_POST['policy_bind_to'];
            } elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") {
                $engine['bind_to'] = "all";
            } else {
                $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
            }
        } else {
            $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank.  Provide a valid Alias or the reserved keyword 'all'.");
        }
        if ($_POST['personality']) {
            $engine['personality'] = $_POST['personality'];
        } else {
            $engine['personality'] = "bsd";
        }
        if (is_numeric($_POST['req_body_limit']) && $_POST['req_body_limit'] >= 0) {
 }
 if (is_validpasslistname($_POST['name']) == false) {
     $input_errors[] = gettext("Pass List file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset.");
 }
 /* check for name conflicts */
 foreach ($a_passlist as $p_list) {
     if (isset($id) && $a_passlist[$id] && $a_passlist[$id] === $p_list) {
         continue;
     }
     if ($p_list['name'] == $_POST['name']) {
         $input_errors[] = gettext("A Pass List file name with this name already exists.");
         break;
     }
 }
 if ($_POST['address']) {
     if (!is_alias($_POST['address'])) {
         $input_errors[] = gettext("A valid alias must be provided");
     }
 }
 if (!$input_errors) {
     $p_list = array();
     /* post user input */
     $p_list['name'] = $_POST['name'];
     $p_list['uuid'] = $passlist_uuid;
     $p_list['localnets'] = $_POST['localnets'] ? 'yes' : 'no';
     $p_list['wanips'] = $_POST['wanips'] ? 'yes' : 'no';
     $p_list['wangateips'] = $_POST['wangateips'] ? 'yes' : 'no';
     $p_list['wandnsips'] = $_POST['wandnsips'] ? 'yes' : 'no';
     $p_list['vips'] = $_POST['vips'] ? 'yes' : 'no';
     $p_list['vpnips'] = $_POST['vpnips'] ? 'yes' : 'no';
     $p_list['address'] = $_POST['address'];
    $section->addInput(new Form_Input('floating', 'Floating', 'hidden', 'floating'));
}
// Protocol selection: IP version, protocol, then the ICMP type lists.  Both
// ICMP selects are fed from the single 'icmptype' setting (presumably only
// the one matching the chosen protocol is displayed — verify in the page JS).
$ipVersions = array('inet' => 'IPv4', 'inet6' => 'IPv6', 'inet46' => 'IPv4+IPv6');
$protocols = array(
    'tcp' => 'TCP',
    'udp' => 'UDP',
    'tcp/udp' => 'TCP/UDP',
    'icmp' => 'ICMP',
    'esp' => 'ESP',
    'ah' => 'AH',
    'gre' => 'GRE',
    'ipv6' => 'IPV6',
    'igmp' => 'IGMP',
    'pim' => 'PIM',
    'ospf' => 'OSPF',
    'sctp' => 'SCTP',
    'any' => 'any',
    'carp' => 'CARP',
    'pfsync' => 'PFSYNC',
);

$section->addInput(new Form_Select('ipprotocol', 'TCP/IP Version', $pconfig['ipprotocol'], $ipVersions))
    ->setHelp('Select the Internet Protocol version this rule applies to');
$section->addInput(new Form_Select('proto', 'Protocol', $pconfig['proto'], $protocols))
    ->setHelp('Choose which IP protocol this rule should match.');
$section->addInput(new Form_Select('icmptype', 'ICMP type', $pconfig['icmptype'], $icmptypes))
    ->setHelp('If you selected ICMP for the protocol above, you may specify an ICMP type here.');
$section->addInput(new Form_Select('icmp6type', 'ICMPv6 type', $pconfig['icmptype'], $icmp6types))
    ->setHelp('If you selected ICMP for the protocol above, you may specify an ICMP type here.');

$form->add($section);
// Source and destination share a lot of logic. Loop over the two
foreach (['src' => 'Source', 'dst' => 'Destination'] as $type => $name) {
    $section = new Form_Section($name);
    $group = new Form_Group($name);
    $group->add(new Form_Checkbox($type . 'not', $name . ' not', 'Invert match.', $pconfig[$type . 'not']))->setWidth(2);
    $ruleType = $pconfig[$type];
    if (is_specialnet($pconfig[$type])) {
        $ruleType = 'network';
    } elseif (is_ipaddrv6($pconfig[$type]) && $pconfig[$type . 'mask'] == 128 || is_ipaddrv4($pconfig[$type]) && $pconfig[$type . 'mask'] == 32 || is_alias($pconfig[$type])) {
        $ruleType = 'single';
    }
    $ruleValues = array('any' => 'any', 'single' => 'Single host or alias', 'network' => 'Network');
    if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") {
        $ruleValues['(self)'] = 'This Firewall (self)';
    }
    if (have_ruleint_access("pppoe")) {
        $ruleValues['pppoe'] = 'PPPoE clients';
    }
    if (have_ruleint_access("l2tp")) {
        $ruleValues['l2tp'] = 'L2TP clients';
    }
    foreach ($ifdisp as $ifent => $ifdesc) {
        if (!have_ruleint_access($ifent)) {
            continue;
     }
     if ($_POST['smtp_email_hdrs_log_depth'] < 0 || $_POST['smtp_email_hdrs_log_depth'] > 20480) {
         $input_errors[] = gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480.");
     }
 }
 // Validate AppID parameter values if AppID Detector is enabled
 if ($_POST['appid_preproc'] == 'on') {
     if ($_POST['sf_appid_mem_cap'] < 32 || $_POST['sf_appid_mem_cap'] > 3000) {
         $input_errors[] = gettext("The value for Application ID Memory Cap must be between 32 and 3000.");
     }
     if ($_POST['sf_appid_stats_period'] < 60 || $_POST['sf_appid_stats_period'] > 3600) {
         $input_errors[] = gettext("The value for Application ID Stats Period must be between 60 and 3600.");
     }
 }
 // Validate Portscan Ignore_Scanners parameter
 if ($_POST['sf_portscan'] == 'on' && is_alias($_POST['pscan_ignore_scanners'])) {
     if (trim(filter_expand_alias($_POST["def_{$key}"])) == "") {
         $input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNERS parameter.");
     }
 }
 /* if no errors write to conf */
 if (!$input_errors) {
     /* post new options */
     if ($_POST['max_attribute_hosts'] != "") {
         $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts'];
     } else {
         $natent['max_attribute_hosts'] = "10000";
     }
     if ($_POST['max_attribute_services_per_host'] != "") {
         $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host'];
     } else {
                         }
                         $final_address_details[] = $detail_text;
                         $alias_address_count++;
                     }
                 }
             }
             if ($alias_address_count > $max_alias_addresses) {
                 $input_errors[] = sprintf(gettext('The maximum number of entries in an alias has been exceeded (%s)'), $max_alias_addresses);
                 break;
             }
         }
     }
 }
 // Validate the input data expanded above.
 foreach ($input_addresses as $idx => $input_address) {
     if (is_alias($input_address)) {
         if (!alias_same_type($input_address, $_POST['type'])) {
             // But alias type network can include alias type urltable. Feature#1603.
             if (!($_POST['type'] == 'network' && preg_match("/urltable/i", alias_get_type($input_address)))) {
                 $wrongaliases .= " " . $input_address;
             }
         }
     } else {
         if ($_POST['type'] == "port") {
             if (!is_port($input_address) && !is_portrange($input_address)) {
                 $input_errors[] = $input_address . " " . gettext("is not a valid port or alias.");
             }
         } else {
             if ($_POST['type'] == "host" || $_POST['type'] == "network") {
                 if (is_subnet($input_address) || !is_ipaddr($input_address) && !is_hostname($input_address)) {
                     $input_errors[] = sprintf(gettext('%1$s is not a valid %2$s address, FQDN or alias.'), $input_address, $_POST['type']);
                      <?php 
        echo htmlspecialchars(pprint_address($filterent['destination']));
        if (isset($filterent['destination']['address']) && is_alias($filterent['destination']['address'])) {
            ?>
                      &nbsp;<a href="/firewall_aliases_edit.php?name=<?php 
            echo htmlspecialchars($filterent['destination']['address']);
            ?>
"><i class="fa fa-list"></i> </a>
<?php 
        }
        ?>
                    </td>
                    <td class="hidden-xs hidden-sm">
                      <?php 
        echo htmlspecialchars(pprint_port(isset($filterent['destination']['port']) ? $filterent['destination']['port'] : null));
        if (isset($filterent['destination']['port']) && is_alias($filterent['destination']['port'])) {
            ?>
                      &nbsp;<a href="/firewall_aliases_edit.php?name=<?php 
            echo htmlspecialchars($filterent['destination']['port']);
            ?>
"><i class="fa fa-list"></i> </a>
<?php 
        }
        ?>
                    </td>
                    <td class="hidden-xs hidden-sm">
<?php 
        if (isset($filterent['gateway'])) {
            ?>
                      <?php 
            echo isset($config['interfaces'][$filterent['gateway']]['descr']) ? htmlspecialchars($config['interfaces'][$filterent['gateway']]['descr']) : htmlspecialchars(pprint_port($filterent['gateway']));
/*
 * Static help text for the "Subnets" field, pre-wrapped in a Bootstrap
 * help-block <span>. Only the inner sentence is passed through gettext(); the
 * surrounding markup is fixed. Because the literal below is the gettext msgid,
 * its whitespace (the double spaces and the embedded "\t") must stay
 * byte-identical or the lookup will no longer match the translation catalog.
 * NOTE(review): the markup is presumably rendered unescaped wherever
 * $subnets_help is used; it is safe today only because every part of it is a
 * constant string -- never splice request data into it.
 */
$subnets_help = '<span class="help-block">' . gettext("Subnets are specified in CIDR format.  " . "Select the CIDR mask that pertains to each entry.\t" . "/128 specifies a single IPv6 host; /64 specifies a normal IPv6 network; etc.  " . "If no subnets are specified here, the Router Advertisement (RA) Daemon will advertise to the subnet to which the router's interface is assigned.") . '</span>';
if ($_POST) {
    unset($input_errors);
    $pconfig = $_POST;
    /* input validation */
    $pconfig['subnets'] = array();
    for ($x = 0; $x < 5000; $x += 1) {
        $address = trim($_POST['subnet_address' . $x]);
        if ($address === "") {
            continue;
        }
        $bits = trim($_POST['subnet_bits' . $x]);
        if ($bits === "") {
            $bits = "128";
        }
        if (is_alias($address)) {
            $pconfig['subnets'][] = $address;
        } else {
            $pconfig['subnets'][] = $address . "/" . $bits;
            if (!is_ipaddrv6($address)) {
                $input_errors[] = sprintf(gettext("An invalid subnet or alias was specified. [%s/%s]"), $address, $bits);
            }
        }
    }
    if ($_POST['radns1'] && !is_ipaddrv6($_POST['radns1']) || $_POST['radns2'] && !is_ipaddrv6($_POST['radns2']) || $_POST['radns3'] && !is_ipaddrv6($_POST['radns3'])) {
        $input_errors[] = gettext("A valid IPv6 address must be specified for each of the DNS servers.");
    }
    if ($_POST['radomainsearchlist']) {
        $domain_array = preg_split("/[ ;]+/", $_POST['radomainsearchlist']);
        foreach ($domain_array as $curdomain) {
            if (!is_domain($curdomain)) {
 }
 if ($_POST['ftp_bind_to']) {
     if (is_alias($_POST['ftp_bind_to'])) {
         $engine['bind_to'] = $_POST['ftp_bind_to'];
     } elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") {
         $engine['bind_to'] = "all";
     } else {
         $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
     }
 } else {
     $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank.  Provide a valid Alias or the reserved keyword 'all'.");
 }
 if ($_POST['ftp_ports']) {
     if ($_POST['ftp_ports'] == "default") {
         $engine['ports'] = $_POST['ftp_ports'];
     } elseif (is_alias($_POST['ftp_ports'])) {
         $engine['ports'] = $_POST['ftp_ports'];
     } else {
         $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'.");
     }
 } else {
     $engine['ports'] = 21;
 }
 $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no';
 $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no';
 $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no';
 $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len'];
 /* Can only have one "all" Bind_To address */
 if ($engine['bind_to'] == "all" && $engine['name'] != "default") {
     $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses.");
     $pconfig = $engine;
 name="dsttype" class="formselect" onchange="typesel_change()">
<?php 
$sel = is_specialnet($pconfig['dst']);
?>
								<option value="any" <?php 
if ($pconfig['dst'] == "any") {
    echo "selected=\"selected\"";
}
?>
><?php 
echo gettext("any");
?>
</option>
								<option value="single"
								<?php 
if (!$sel && (is_ipaddrv6($pconfig['dst']) && $pconfig['dstmask'] == 128 || is_ipaddrv4($pconfig['dst']) && $pconfig['dstmask'] == 32 || is_alias($pconfig['dst']))) {
    echo "selected=\"selected\"";
    $sel = 1;
}
?>
								><?php 
echo gettext("Single host or alias");
?>
</option>
								<option value="network" <?php 
if (!$sel) {
    echo "selected=\"selected\"";
}
?>
><?php 
echo gettext("Network");
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // initialize form vars
    $pconfig = array("name" => null, "descr" => null, "aliasimport" => null);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // save form data
    $input_errors = array();
    $pconfig = $_POST;
    // input validation
    $reqdfields = explode(" ", "name aliasimport");
    $reqdfieldsn = array(gettext("Name"), gettext("Aliases"));
    do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
    if (is_validaliasname($pconfig['name']) == false) {
        $input_errors[] = gettext("The alias name may only consist of the characters") . " a-z, A-Z, 0-9, _.";
    }
    /* check for name duplicates */
    if (is_alias($pconfig['name'])) {
        $input_errors[] = gettext("An alias with this name already exists.");
    }
    // Add all Load balance names to reserved_keywords
    if (isset($config['load_balancer']['lbpool'])) {
        foreach ($config['load_balancer']['lbpool'] as $lbpool) {
            $reserved_keywords[] = $lbpool['name'];
        }
    }
    // Keywords not allowed in names
    $reserved_keywords = array("all", "pass", "block", "out", "queue", "max", "min", "pptp", "pppoe", "L2TP", "OpenVPN", "IPsec");
    $reserved_ifs = get_configured_interface_list(false, true);
    $reserved_keywords = array_merge($reserved_keywords, $reserved_ifs, $reserved_table_names);
    /* Check for reserved keyword names */
    foreach ($reserved_keywords as $rk) {
        if ($rk == $pconfig['name']) {