?> <div id="container"><?php $form = new Form(); $section = new Form_Section('Firewall Advanced'); $section->addInput(new Form_Checkbox('scrubnodf', 'IP Do-Not-Fragment compatibility', 'Clear invalid DF bits instead of dropping the packets', isset($config['system']['scrubnodf'])))->setHelp('This allows for communications with hosts that generate fragmented ' . 'packets with the don\'t fragment (DF) bit set. Linux NFS is known to do this. ' . 'This will cause the filter to not drop such packets but instead clear the don\'t ' . 'fragment bit.'); $section->addInput(new Form_Checkbox('scrubrnid', 'IP Random id generation', 'Insert a stronger ID into IP header of packets passing through the filter.', isset($config['system']['scrubrnid'])))->setHelp('Replaces the IP identification field of packets with random values to ' . 'compensate for operating systems that use predictable values. This option only ' . 'applies to packets that are not fragmented after the optional packet ' . 'reassembly.'); $section->addInput($input = new Form_Select('optimization', 'Firewall Optimization Options', $config['system']['optimization'], array('normal' => 'Normal', 'high-latency' => gettext('High-latency'), 'aggressive' => gettext('Aggressive'), 'conservative' => gettext('Conservative'))))->setHelp('Select the type of state table optimization to use'); $section->addInput(new Form_Checkbox('disablefilter', 'Disable Firewall', 'Disable all packet filtering.', isset($config['system']['disablefilter'])))->setHelp('Note: This converts %s into a routing only platform!<br/>' . 'Note: This will also turn off NAT! To only disable NAT, ' . 'and not firewall rules, visit the <a href="firewall_nat_out.php">Outbound ' . 'NAT</a> page.', [$g["product_name"]]); $section->addInput(new Form_Checkbox('disablescrub', 'Disable Firewall Scrub', 'Disables the PF scrubbing option which can sometimes interfere with NFS traffic.', isset($config['system']['disablescrub']))); $group = new Form_Group('Firewall Adaptive Timeouts'); $group->add(new Form_Input('adaptivestart', 'Adaptive start', 'number', $pconfig['adaptivestart'], ['min' => 1]))->setHelp('When the number of state entries exceeds this value, adaptive ' . 'scaling begins. All timeout values are scaled linearly with factor ' . '(adaptive.end - number of states) / (adaptive.end - adaptive.start).'); $group->add(new Form_Input('adaptiveend', 'Adaptive end', 'number', $pconfig['adaptiveend'], ['min' => 1]))->setHelp('When reaching this number of state entries, all timeout values ' . 'become zero, effectively purging all state entries immediately. This ' . 'value is used to define the scale factor, it should not actually be ' . 'reached (set a lower state limit, see below).'); $group->setHelp('Timeouts for states can be scaled adaptively as the number of ' . 'state table entries grows. Leave blank for the default (0)'); $section->add($group); $section->addInput(new Form_Input('maximumstates', 'Firewall Maximum States', 'number', $pconfig['maximumstates'], ['min' => 1, 'placeholder' => pfsense_default_state_size()]))->setHelp('Maximum number of connections to hold in the firewall state table. ' . '<br/>Note: Leave this blank for the default. On this system the default ' . 'size is: %d', [pfsense_default_state_size()]); $section->addInput(new Form_Input('maximumtableentries', 'Firewall Maximum Table Entries', 'text', $pconfig['maximumtableentries'], ['placeholder' => pfsense_default_table_entries_size()]))->setHelp('Maximum number of table entries for systems such as aliases, ' . 'sshlockout, snort, etc, combined.<br/>Note: Leave this blank for the ' . 'default. On this system the default size is: %d', [pfsense_default_table_entries_size()]); $section->addInput(new Form_Input('maximumfrags', 'Firewall Maximum Fragment Entries', 'text', $pconfig['maximumfrags']))->setHelp('Maximum number of packet fragments to hold for reassembly by scrub rules. Leave this blank for the default (5000)'); $section->addInput(new Form_Checkbox('bypassstaticroutes', 'Static route filtering', 'Bypass firewall rules for traffic on the same interface', $pconfig['bypassstaticroutes']))->setHelp('This option only applies if one or more static routes have been defined. ' . 'If it is enabled, traffic that enters and leaves through the same ' . 'interface will not be checked by the firewall. This may be desirable in some ' . 'situations where multiple subnets are connected to the same interface.'); $section->addInput(new Form_Checkbox('disablevpnrules', 'Disable Auto-added VPN rules', 'Disable all auto-added VPN rules.', isset($config['system']['disablevpnrules'])))->setHelp('Note: This disables automatically added rules for IPsec.'); $section->addInput(new Form_Checkbox('disablereplyto', 'Disable reply-to', 'Disable reply-to on WAN rules', $pconfig['disablereplyto']))->setHelp('With Multi-WAN it is generally desired to ensure traffic leaves the same ' . 'interface it arrives on, hence reply-to is added automatically by default. When ' . 'using bridging, this behavior must be disabled if the WAN gateway IP is ' . 'different from the gateway IP of the hosts behind the bridged interface.'); $section->addInput(new Form_Checkbox('disablenegate', 'Disable Negate rules', 'Disable Negate rule on policy routing rules', $pconfig['disablenegate']))->setHelp('With Multi-WAN it is generally desired to ensure traffic reaches directly ' . 'connected networks and VPN networks when using policy routing. This can be disabled ' . 'for special purposes but it requires manually creating rules for these networks.'); $section->addInput(new Form_Input('aliasesresolveinterval', 'Aliases Hostnames Resolve Interval', 'text', $pconfig['aliasesresolveinterval'], ['placeholder' => '300']))->setHelp('Interval, in seconds, that will be used to resolve hostnames ' . 'configured on aliases. <br/>Note: Leave this blank for the default ' . '(300s).'); $section->addInput(new Form_Checkbox('checkaliasesurlcert', 'Check certificate of aliases URLs', 'Verify HTTPS certificates when downloading alias URLs', $pconfig['checkaliasesurlcert']))->setHelp('Make sure the certificate is valid for all HTTPS addresses on ' . 'aliases. If it\'s not valid or is revoked, do not download it.'); $form->add($section); $section = new Form_Section('Bogon Networks'); $section->addInput(new Form_Select('bogonsinterval', 'Update Frequency', empty($pconfig['bogonsinterval']) ? 'monthly' : $pconfig['bogonsinterval'], array('monthly' => gettext('Monthly'), 'weekly' => gettext('Weekly'), 'daily' => gettext('Daily'))))->setHelp('The frequency of updating the lists of IP addresses that are ' . 'reserved (but not RFC 1918) or not yet assigned by IANA.'); $form->add($section); if (count($config['interfaces']) > 1) { $section = new Form_Section('Network Address Translation'); if (isset($config['system']['disablenatreflection'])) { $value = 'disable';
echo gettext("Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined."); ?> </strong> <br /> <span class="vexpl"> <?php echo gettext("Note: Leave this blank for the default."); ?> <?php if (empty($pconfig['maximumtableentries'])) { ?> <?php echo gettext("On your system the default size is:"); ?> <?php echo pfsense_default_table_entries_size(); ?> <?php } ?> </span> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Static route filtering"); ?> </td> <td width="78%" class="vtable"> <input name="bypassstaticroutes" type="checkbox" id="bypassstaticroutes" value="yes" <?php if ($pconfig['bypassstaticroutes']) {