/**
 * Remove the kernel route(s) backing static route entry $id.
 *
 * When the entry's network is an alias, every address the alias expands to
 * becomes a host route (/32 or /128); entries that are not a subnet after
 * that are ignored. A plain network is deleted as given. Each target is
 * passed to /sbin/route through escapeshellarg().
 *
 * @param int|string $id Index into the global $a_routes table.
 * @return void
 */
function delete_static_route($id) {
    global $config, $a_routes, $changedesc_prefix;

    if (!isset($a_routes[$id])) {
        return;
    }

    $network = $a_routes[$id]['network'];
    $destinations = array();

    if (is_alias($network)) {
        // An alias may expand to several entries; bare addresses become host routes.
        foreach (filter_expand_alias_array($network) as $entry) {
            if (is_ipaddrv4($entry)) {
                $entry .= "/32";
            } elseif (is_ipaddrv6($entry)) {
                $entry .= "/128";
            }
            if (is_subnet($entry)) {
                $destinations[] = $entry;
            }
        }
    } else {
        $destinations[] = $network;
    }

    foreach ($destinations as $destination) {
        $family = is_subnetv6($destination) ? "-inet6" : "-inet";
        mwexec("/sbin/route delete {$family} " . escapeshellarg($destination));
    }

    unset($destinations);
}
echo gettext("edit alias"); ?> " data-toggle="tooltip"> <i class="fa fa-list"></i> </a> <?php } else { ?> <?php echo htmlspecialchars(pprint_address($natent['source'])); } ?> </td> <td> <?php if (isset($natent['destination']['address']) && is_alias($natent['destination']['address'])) { ?> <span title="<?php echo htmlspecialchars(get_alias_description($natent['destination']['address'])); ?> " data-toggle="tooltip"> <?php echo htmlspecialchars(pprint_address($natent['destination'])); ?> </span> <a href="/firewall_aliases_edit.php?name=<?php echo htmlspecialchars($natent['destination']['address']); ?> " title="<?php
if (is_alias($_POST['ftp_bind_to'])) { $engine['bind_to'] = $_POST['ftp_bind_to']; } elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") { $engine['bind_to'] = "all"; } else { $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); } } else { $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); } // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port. if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net'])) { $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option."); } if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port'])) { $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option."); } if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port'])) { $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set."); } if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net'])) { $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set."); } // Validate the BOUNCE-TO Alias entries for correct format of their defined values. BOUNCE-TO ADDRESS must be // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value. Provide // detailed error messages for the user that explain any problems. if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) { if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])) { $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net'])); $net = preg_replace('/\\s+/', ',', $net);
if ($config['system']['gateway'] != "") { $config['interfaces']['wan']['gateway'] = $config['system']['gateway']; } unset($config['shaper']); /* optional if list */ $ifdescrs = get_configured_interface_list(true, true); /* remove special characters from interface descriptions */ if (is_array($ifdescrs)) { foreach ($ifdescrs as $iface) { $config['interfaces'][$iface]['descr'] = remove_bad_chars($config['interfaces'][$iface]['descr']); } } /* check for interface names with an alias */ if (is_array($ifdescrs)) { foreach ($ifdescrs as $iface) { if (is_alias($config['interfaces'][$iface]['descr'])) { // Firewall rules $origname = $config['interfaces'][$iface]['descr']; $newname = $config['interfaces'][$iface]['descr'] . "Alias"; update_alias_names_upon_change(array('filter', 'rule'), array('source', 'address'), $newname, $origname); update_alias_names_upon_change(array('filter', 'rule'), array('destination', 'address'), $newname, $origname); // NAT Rules update_alias_names_upon_change(array('nat', 'rule'), array('source', 'address'), $newname, $origname); update_alias_names_upon_change(array('nat', 'rule'), array('destination', 'address'), $newname, $origname); update_alias_names_upon_change(array('nat', 'rule'), array('target'), $newname, $origname); // Alias in an alias update_alias_names_upon_change(array('aliases', 'alias'), array('address'), $newname, $origname); } } } unlink_if_exists("{$g['tmp_path']}/config.cache");
/* Ensure that our pool names are unique */ for ($i = 0; isset($config['load_balancer']['lbpool'][$i]); $i++) { if ($_POST['name'] == $config['load_balancer']['lbpool'][$i]['name'] && $i != $id) { $input_errors[] = gettext("This pool name has already been used. Pool names must be unique."); } } if (preg_match('/[ \\/]/', $_POST['name'])) { $input_errors[] = gettext("You cannot use spaces or slashes in the 'name' field."); } if (strlen($_POST['name']) > 16) { $input_errors[] = gettext("The 'name' field must be 16 characters or less."); } if (in_array($_POST['name'], $reserved_table_names)) { $input_errors[] = sprintf(gettext("The name '%s' is a reserved word and cannot be used."), $_POST['name']); } if (is_alias($_POST['name'])) { $input_errors[] = sprintf(gettext("Sorry, an alias is already named %s."), $_POST['name']); } if (!is_portoralias($_POST['port'])) { $input_errors[] = gettext("The port must be an integer between 1 and 65535, or a port alias."); } // May as well use is_port as we want a positive integer and such. if (!empty($_POST['retry']) && !is_port($_POST['retry'])) { $input_errors[] = gettext("The retry value must be an integer between 1 and 65535."); } if (is_array($_POST['servers'])) { foreach ($pconfig['servers'] as $svrent) { if (!is_ipaddr($svrent) && !is_subnetv4($svrent)) { $input_errors[] = sprintf(gettext("%s is not a valid IP address or IPv4 subnet (in \"enabled\" list)."), $svrent); } else { if (is_subnetv4($svrent) && subnet_size($svrent) > 64) {
if ($_POST['dsttype'] == "single") { $_POST['dstmask'] = 32; } else { if (is_ipaddr($_POST['dsttype'])) { $_POST['dst'] = $_POST['dsttype']; $_POST['dstmask'] = 32; $_POST['dsttype'] = "single"; } } } /* For external, user can enter only ip's */ if ($_POST['external'] && !is_ipaddr($_POST['external'])) { $input_errors[] = gettext("A valid external subnet must be specified."); } /* For dst, if user enters an alias and selects "network" then disallow. */ if ($_POST['dsttype'] == "network" && is_alias($_POST['dst'])) { $input_errors[] = gettext("You must specify single host or alias for alias entries."); } /* For src, user can enter only ip's or networks */ if (!is_specialnet($_POST['srctype'])) { if ($_POST['src'] && !is_ipaddr($_POST['src'])) { $input_errors[] = sprintf(gettext("%s is not a valid internal IP address."), $_POST['src']); } if ($_POST['srcmask'] && !is_numericint($_POST['srcmask'])) { $input_errors[] = gettext("A valid internal bit count must be specified."); } } /* For dst, user can enter ip's, networks or aliases */ if (!is_specialnet($_POST['dsttype'])) { if ($_POST['dst'] && !is_ipaddroralias($_POST['dst'])) { $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $_POST['dst']);
$input_errors[] = sprintf(gettext("URL '%s' is not valid."), $_POST['address' . $x]); } } } unset($desc_fmt_err_found); if ($_POST['type'] == "url_ports") { $address = group_ports($address); } } else { /* item is a normal alias type */ $wrongaliases = ""; $desc_fmt_err_found = false; for ($x = 0; $x < 4999; $x++) { if ($_POST["address{$x}"] != "") { $_POST["address{$x}"] = trim($_POST["address{$x}"]); if (is_alias($_POST["address{$x}"])) { if (!alias_same_type($_POST["address{$x}"], $_POST['type'])) { // But alias type network can include alias type urltable. Feature#1603. if (!($_POST['type'] == 'network' && preg_match("/urltable/i", alias_get_type($_POST["address{$x}"])))) { $wrongaliases .= " " . $_POST["address{$x}"]; } } } else { if ($_POST['type'] == "port") { if (!is_port($_POST["address{$x}"]) && !is_portrange($_POST["address{$x}"])) { $input_errors[] = $_POST["address{$x}"] . " " . gettext("is not a valid port or alias."); } } else { if ($_POST['type'] == "host" || $_POST['type'] == "network") { if (is_subnet($_POST["address{$x}"]) || !is_ipaddr($_POST["address{$x}"]) && !is_hostname($_POST["address{$x}"]) && !is_iprange($_POST["address{$x}"])) { $input_errors[] = sprintf(gettext('%1$s is not a valid %2$s alias.'), $_POST["address{$x}"], $_POST['type']);
</td> <td class="hidden-xs hidden-sm"> <?php if (isset($natent['nonat'])) { $nat_address = '<I>NO NAT</I>'; } elseif (!$natent['target']) { $nat_address = htmlspecialchars(convert_friendly_interface_to_friendly_descr($natent['interface'])) . " address"; } elseif ($natent['target'] == "other-subnet") { $nat_address = $natent['targetip'] . '/' . $natent['targetip_subnet']; } else { $nat_address = $natent['target']; } ?> <?php echo htmlspecialchars($nat_address); if (isset($natent['target']) && is_alias($natent['target'])) { ?> <a href="/firewall_aliases_edit.php?name=<?php echo htmlspecialchars($natent['target']); ?> "><i class="fa fa-list"></i> </a> <?php } ?> </td> <td class="hidden-xs hidden-sm"> <?php echo empty($natent['natport']) ? "*" : htmlspecialchars($natent['natport']); ?> </td> <td>
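/**
 * Authenticate the user named by the global $login with password $pass.
 *
 * RETURN VALUE:
 *   0 - OK
 *   1 - unknown user
 *   2 - password doesn't match (also returned for an empty password in LDAP
 *       mode and for an unrecognised $conf_system_auth mode, so that a
 *       misconfiguration fails closed instead of logging the user in)
 * GLOBALS SET ON SUCCESS:
 *   $admin              - user has admin privileges (from auth table)
 *   $userid             - whatever is used internally (aside from login)
 *   $posljednji_pristup - previous last-access timestamp (read before this
 *                         login updates the row)
 * Also starts a session and stores $login in $_SESSION['login'].
 *
 * @param string $pass
 * @return int
 */
function login($pass) {
    global $userid, $admin, $login, $conf_system_auth, $conf_ldap_server, $conf_ldap_domain, $posljednji_pristup;

    // NOTE(review): the login predicate of this query is redacted ('******') in this copy;
    // whatever the real predicate is, $login must reach it escaped or parameterised.
    $q1 = myquery("select id, password, admin, UNIX_TIMESTAMP(posljednji_pristup) from auth where login='******' and aktivan=1");
    if (mysql_num_rows($q1) <= 0) {
        return 1;
    }

    // True when an entry returned by ldap_get_entries() is a Zimbra alias rather than a
    // real account. A closure is used because a named function declared inside login()
    // is redeclared on the second call in the same request and fatals.
    $isAlias = function ($entry) {
        if (!is_array($entry) || !isset($entry['objectclass'])) {
            return false;
        }
        foreach ($entry['objectclass'] as $objectClass) {
            if ($objectClass === "zimbraAlias") {
                return true;
            }
        }
        return false;
    };

    // Run one search and return the DN of the first non-alias entry, or null when the
    // search yields nothing usable. A failed ldap_search() aborts the page.
    $findAccount = function ($ds, $filter, $failMsg) use ($isAlias) {
        $sr = ldap_search($ds, "", $filter, array());
        if (!$sr) {
            niceerror($failMsg);
            exit;
        }
        $results = ldap_get_entries($ds, $sr);
        // ldap_get_entries() occasionally returns false; treat that as "no results".
        if (!$results) {
            return null;
        }
        // The search also returns aliases, which must be skipped. The bound is checked
        // before the entry is read so $results[$i] is never accessed past 'count'.
        for ($i = 0; $i < $results['count']; $i++) {
            if (!$isAlias($results[$i])) {
                return $results[$i]['dn'];
            }
        }
        return null;
    };

    if ($conf_system_auth == "ldap") {
        $ds = ldap_connect($conf_ldap_server);
        if (!$ds) {
            niceerror("Can't contact LDAP server.");
            exit;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        if (!ldap_bind($ds)) {
            niceerror("LDAP anonymous bind failed.");
            exit;
        }

        // Escape only the copy used in filters. The original overwrote the global $login
        // with the escaped form, which then ended up in $_SESSION['login'].
        $filterLogin = ldap_escape($login, "", LDAP_ESCAPE_FILTER);

        // Try the UID, then the mail address, then mail address + configured domain.
        $dn = $findAccount($ds, "uid={$filterLogin}", "ldap_search() failed.");
        if ($dn === null) {
            $dn = $findAccount($ds, "mail={$filterLogin}", "ldap_search() 1 failed.");
        }
        if ($dn === null) {
            $dn = $findAccount($ds, "mail={$filterLogin}{$conf_ldap_domain}", "ldap_search() 2 failed.");
        }
        if ($dn === null) {
            return 1;
        }

        // With an empty password ldap_bind() performs an unauthenticated bind, which many
        // directories accept; that must never count as a successful login.
        if ((string) $pass === '') {
            return 2;
        }
        // ldap_bind() emits a warning on every wrong password; the suppression is deliberate.
        if (!@ldap_bind($ds, $dn, $pass)) {
            return 2;
        }
        // ldap_bind succeeded, user is authenticated
    } elseif ($conf_system_auth == "table") {
        // Strict, constant-time comparison: the loose "!=" treated numeric-looking strings
        // such as "1e3" and "1000" as equal.
        if (!hash_equals((string) mysql_result($q1, 0, 1), (string) $pass)) {
            return 2;
        }
    } else {
        // Unknown auth mode: the original fell through to a successful login without any
        // credential check; fail closed instead.
        return 2;
    }

    $userid = mysql_result($q1, 0, 0);
    $admin = mysql_result($q1, 0, 2);
    $posljednji_pristup = mysql_result($q1, 0, 3);
    myquery("update auth set posljednji_pristup=NOW() where id={$userid}");

    // All OK, start session; issuing a fresh session id prevents session fixation.
    session_start();
    session_regenerate_id(true);
    $_SESSION['login'] = $login;
    session_write_close();

    return 0;
}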
// Check for returned "selected alias" if action is import if ($_GET['act'] == "import") { if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) { $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); } } if ($_POST['save']) { /* Grab all the POST values and save in new temp array */ $engine = array(); if ($_POST['frag3_name']) { $engine['name'] = trim($_POST['frag3_name']); } else { $engine['name'] = "default"; } if ($_POST['frag3_bind_to']) { if (is_alias($_POST['frag3_bind_to'])) { $engine['bind_to'] = $_POST['frag3_bind_to']; } elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all") { $engine['bind_to'] = "all"; } else { $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); } } else { $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); } /* Validate the text input fields before saving */ if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) { $engine['timeout'] = $_POST['frag3_timeout']; if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1) { $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero."); }
if (!empty($suricatacfg["def_{$alias}"]) && is_alias($suricatacfg["def_{$alias}"])) { $avalue = trim(filter_expand_alias($suricatacfg["def_{$alias}"])); $avalue = preg_replace('/\\s+/', ',', trim($avalue)); } $addr_vars .= " " . strtoupper($alias) . ": \"{$avalue}\"\n"; } $addr_vars = trim($addr_vars); if (is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) { $ssh_port = $config['system']['ssh']['port']; } else { $ssh_port = "22"; } $suricata_ports = array("ftp_ports" => "21", "http_ports" => "80", "oracle_ports" => "1521", "ssh_ports" => $ssh_port, "shellcode_ports" => "!80", "DNP3_PORTS" => "20000", "file_data_ports" => "\$HTTP_PORTS,110,143"); $port_vars = ""; foreach ($suricata_ports as $alias => $avalue) { if (!empty($suricatacfg["def_{$alias}"]) && is_alias($suricatacfg["def_{$alias}"])) { $avalue = trim(filter_expand_alias($suricatacfg["def_{$alias}"])); $avalue = preg_replace('/\\s+/', ',', trim($avalue)); } $port_vars .= " " . strtoupper($alias) . ": \"{$avalue}\"\n"; } $port_vars = trim($port_vars); // Define a Suppress List (Threshold) if one is configured $suppress = suricata_find_list($suricatacfg['suppresslistname'], 'suppress'); if (!empty($suppress)) { $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); @file_put_contents("{$suricatacfgdir}/threshold.config", $suppress_data); } else { @file_put_contents("{$suricatacfgdir}/threshold.config", ""); } // Add interface-specific detection engine settings
</tr> <tr> <td><a id="help_for_destination" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?php echo gettext("Destination"); ?> </td> <td> <table class="table table-condensed"> <tr> <td> <select name="destination" id="destination" class="selectpicker" data-live-search="true" data-size="5" data-width="auto"> <option data-other=true value="<?php echo $pconfig['destination']; ?> " <?php echo !is_alias($pconfig['destination']) && $pconfig['destination'] != 'any' ? "selected=\"selected\"" : ""; ?> ><?php echo gettext("Single host or Network"); ?> </option> <option value="any" <?php echo $pconfig['destination'] == "any" ? "selected=\"selected\"" : ""; ?> ><?php echo gettext("any"); ?> </option> <optgroup label="<?php echo gettext("Aliases"); ?>
} /* check for name conflicts */ foreach ($a_passlist as $p_list) { if (isset($id) && $a_passlist[$id] && $a_passlist[$id] === $p_list) { continue; } if ($p_list['name'] == $_POST['name']) { $input_errors[] = gettext("A Pass List file name with this name already exists."); break; } } if ($_POST['address']) { if (!is_alias($_POST['address'])) { $input_errors[] = gettext("A valid alias must be provided"); } if (is_alias($_POST['address']) && trim(filter_expand_alias($_POST['address'])) == "") { $input_errors[] = gettext("FQDN aliases are not supported in Suricata."); } } if (!$input_errors) { $p_list = array(); /* post user input */ $p_list['name'] = $_POST['name']; $p_list['uuid'] = $passlist_uuid; $p_list['localnets'] = $_POST['localnets'] ? 'yes' : 'no'; $p_list['wanips'] = $_POST['wanips'] ? 'yes' : 'no'; $p_list['wangateips'] = $_POST['wangateips'] ? 'yes' : 'no'; $p_list['wandnsips'] = $_POST['wandnsips'] ? 'yes' : 'no'; $p_list['vips'] = $_POST['vips'] ? 'yes' : 'no'; $p_list['vpnips'] = $_POST['vpnips'] ? 'yes' : 'no'; $p_list['address'] = $_POST['address'];
?> "><i class="fa fa-list"></i> </a> <?php } ?> </td> <td> <?php $localport = $natent['local-port']; if (strpos($natent['destination']['port'], '-') !== false) { list($dstbeginport, $dstendport) = explode("-", $natent['destination']['port']); $localendport = $natent['local-port'] + $dstendport - $dstbeginport; $localport .= '-' . $localendport; } if (isset($natent['destination']['port']) && is_alias($natent['destination']['port'])) { ?> <span title="<?php echo htmlspecialchars(get_alias_description($localport)); ?> " data-toggle="tooltip"> <?php echo htmlspecialchars(pprint_port($localport)); ?> </span> <a href="/firewall_aliases_edit.php?name=<?php echo htmlspecialchars($localport); ?> " title="<?php
} } if ($_POST['save']) { // Clear and close out any session variable we created session_start(); unset($_SESSION['http_inspect_import']); session_write_close(); // Grab all the POST values and save in new temp array $engine = array(); if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; } if ($_POST['httpinspect_bind_to']) { if (is_alias($_POST['httpinspect_bind_to'])) { $engine['bind_to'] = $_POST['httpinspect_bind_to']; } elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all") { $engine['bind_to'] = "all"; } else { $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); } } else { $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); } if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; } // Validate the text input fields before saving
ksort($snort_servers); ksort($snort_ports); $pconfig = $a_nat[$id]; /* convert fake interfaces to real */ $if_real = get_real_interface($pconfig['interface']); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; if ($_POST['save']) { $natent = array(); $natent = $pconfig; foreach ($snort_servers as $key => $server) { if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"])) { $input_errors[] = "Only aliases are allowed"; } } foreach ($snort_ports as $key => $server) { if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"])) { $input_errors[] = "Only aliases are allowed"; } } /* if no errors write to conf */ if (!$input_errors) { /* post new options */ foreach ($snort_servers as $key => $server) { if ($_POST["def_{$key}"]) { $natent["def_{$key}"] = $_POST["def_{$key}"]; } else { unset($natent["def_{$key}"]); } } foreach ($snort_ports as $key => $server) { if ($_POST["def_{$key}"]) {
} else { if ($_POST['source_type'] == "(self)") { $osn = "(self)"; } else { if (is_alias($_POST['source'])) { $osn = $_POST['source']; } else { $osn = gen_subnet($_POST['source'], $_POST['source_subnet']) . "/" . $_POST['source_subnet']; } } } /* check for existing entries */ if ($_POST['destination_type'] == "any") { $ext = "any"; } else { if (is_alias($_POST['destination'])) { $ext = $_POST['destination']; } else { $ext = gen_subnet($_POST['destination'], $_POST['destination_subnet']) . "/" . $_POST['destination_subnet']; } } foreach ($a_out as $natent) { if (isset($id) && $a_out[$id] && $a_out[$id] === $natent) { continue; } if (!$natent['interface']) { $natent['interface'] = "wan"; } } if (!$input_errors) { $natent = array();
} else { log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); continue; } } else { log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); continue; } $http_inspect_servers .= $buffer; $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; if ($v['no_alerts'] == "on") { $http_inspect_servers .= "\tno_alerts \\\n"; } if ($v['ports'] == "default" || empty($v['ports'])) { $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; } elseif (is_alias($v['ports'])) { $tmp = trim(filter_expand_alias($v['ports'])); if (!empty($tmp)) { $tmp = preg_replace('/\\s+/', ' ', $tmp); $tmp = snort_expand_port_range($tmp, ' '); $http_inspect_servers .= "\tports { {$tmp} } \\\n"; } else { log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; } } else { log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; } $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n";
if (is_ipaddr($tgt)) { $tgt .= "/32"; } if (!is_subnet($tgt)) { continue; } $new_targets[] = $tgt; } } if (!isset($id)) { $id = count($a_routes); } $oroute = $a_routes[$id]; if (!empty($oroute)) { $old_targets = array(); if (is_alias($oroute['network'])) { foreach (filter_expand_alias_array($oroute['network']) as $tgt) { if (is_ipaddr($tgt)) { $tgt .= "/32"; } if (!is_subnet($tgt)) { continue; } $old_targets[] = $tgt; } } else { $old_targets[] = $oroute['network']; } } $overlaps = array_intersect($current_targets, $new_targets); $overlaps = array_diff($overlaps, $old_targets);
if (!empty($pconfig['srcbeginport']) && !is_portoralias($pconfig['srcbeginport']) && $pconfig['srcbeginport'] != 'any') { $input_errors[] = sprintf(gettext("%s is not a valid start source port. It must be a port alias or integer between 1 and 65535."), $pconfig['srcbeginport']); } if (!empty($pconfig['srcendport']) && !is_portoralias($pconfig['srcendport']) && $pconfig['srcendport'] != 'any') { $input_errors[] = sprintf(gettext("%s is not a valid end source port. It must be a port alias or integer between 1 and 65535."), $pconfig['srcendport']); } if (!empty($pconfig['dstbeginport']) && !is_portoralias($pconfig['dstbeginport']) && $pconfig['dstbeginport'] != 'any') { $input_errors[] = sprintf(gettext("%s is not a valid start destination port. It must be a port alias or integer between 1 and 65535."), $pconfig['dstbeginport']); } if (!empty($pconfig['dstendport']) && !is_portoralias($pconfig['dstendport']) && $pconfig['dstendport'] != 'any') { $input_errors[] = sprintf(gettext("%s is not a valid end destination port. 
It must be a port alias or integer between 1 and 65535."), $pconfig['dstendport']); } if ((is_alias($pconfig['srcbeginport']) || is_alias($pconfig['srcendport'])) && $pconfig['srcbeginport'] != $pconfig['srcendport']) { $input_errors[] = gettext('When selecting aliases for source ports, both from and to fields must be the same'); } if ((is_alias($pconfig['dstbeginport']) || is_alias($pconfig['dstendport'])) && $pconfig['dstbeginport'] != $pconfig['dstendport']) { $input_errors[] = gettext('When selecting aliases for destination ports, both from and to fields must be the same'); } if (!is_specialnet($pconfig['src'])) { if (!is_ipaddroralias($pconfig['src'])) { $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."), $pconfig['src']); } if (!is_numericint($pconfig['srcmask'])) { $input_errors[] = gettext("A valid source bit count must be specified."); } } if (!is_specialnet($pconfig['dst'])) { if (!is_ipaddroralias($pconfig['dst'])) { $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $pconfig['dst']); } if (!is_numericint($pconfig['dstmask'])) {
$eng_enable_uri_include_all = $_POST['enable_uri_include_all']; $mode = "add_edit_libhtp_policy"; } if ($_POST['save_libhtp_policy']) { if ($_POST['eng_id'] != "") { $eng_id = $_POST['eng_id']; // Grab all the POST values and save in new temp array $engine = array(); $policy_name = trim($_POST['policy_name']); if ($policy_name) { $engine['name'] = $policy_name; } else { $input_errors[] = gettext("The 'Policy Name' value cannot be blank."); } if ($_POST['policy_bind_to']) { if (is_alias($_POST['policy_bind_to'])) { $engine['bind_to'] = $_POST['policy_bind_to']; } elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") { $engine['bind_to'] = "all"; } else { $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); } } else { $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); } if ($_POST['personality']) { $engine['personality'] = $_POST['personality']; } else { $engine['personality'] = "bsd"; } if (is_numeric($_POST['req_body_limit']) && $_POST['req_body_limit'] >= 0) {
} if (is_validpasslistname($_POST['name']) == false) { $input_errors[] = gettext("Pass List file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); } /* check for name conflicts */ foreach ($a_passlist as $p_list) { if (isset($id) && $a_passlist[$id] && $a_passlist[$id] === $p_list) { continue; } if ($p_list['name'] == $_POST['name']) { $input_errors[] = gettext("A Pass List file name with this name already exists."); break; } } if ($_POST['address']) { if (!is_alias($_POST['address'])) { $input_errors[] = gettext("A valid alias must be provided"); } } if (!$input_errors) { $p_list = array(); /* post user input */ $p_list['name'] = $_POST['name']; $p_list['uuid'] = $passlist_uuid; $p_list['localnets'] = $_POST['localnets'] ? 'yes' : 'no'; $p_list['wanips'] = $_POST['wanips'] ? 'yes' : 'no'; $p_list['wangateips'] = $_POST['wangateips'] ? 'yes' : 'no'; $p_list['wandnsips'] = $_POST['wandnsips'] ? 'yes' : 'no'; $p_list['vips'] = $_POST['vips'] ? 'yes' : 'no'; $p_list['vpnips'] = $_POST['vpnips'] ? 'yes' : 'no'; $p_list['address'] = $_POST['address'];
$section->addInput(new Form_Input('floating', 'Floating', 'hidden', 'floating')); } $section->addInput(new Form_Select('ipprotocol', 'TCP/IP Version', $pconfig['ipprotocol'], array('inet' => 'IPv4', 'inet6' => 'IPv6', 'inet46' => 'IPv4+IPv6')))->setHelp('Select the Internet Protocol version this rule applies to'); $section->addInput(new Form_Select('proto', 'Protocol', $pconfig['proto'], array('tcp' => 'TCP', 'udp' => 'UDP', 'tcp/udp' => 'TCP/UDP', 'icmp' => 'ICMP', 'esp' => 'ESP', 'ah' => 'AH', 'gre' => 'GRE', 'ipv6' => 'IPV6', 'igmp' => 'IGMP', 'pim' => 'PIM', 'ospf' => 'OSPF', 'sctp' => 'SCTP', 'any' => 'any', 'carp' => 'CARP', 'pfsync' => 'PFSYNC')))->setHelp('Choose which IP protocol this rule should match.'); $section->addInput(new Form_Select('icmptype', 'ICMP type', $pconfig['icmptype'], $icmptypes))->setHelp('If you selected ICMP for the protocol above, you may specify an ICMP type here.'); $section->addInput(new Form_Select('icmp6type', 'ICMPv6 type', $pconfig['icmptype'], $icmp6types))->setHelp('If you selected ICMP for the protocol above, you may specify an ICMP type here.'); $form->add($section); // Source and destination share a lot of logic. Loop over the two foreach (['src' => 'Source', 'dst' => 'Destination'] as $type => $name) { $section = new Form_Section($name); $group = new Form_Group($name); $group->add(new Form_Checkbox($type . 'not', $name . ' not', 'Invert match.', $pconfig[$type . 'not']))->setWidth(2); $ruleType = $pconfig[$type]; if (is_specialnet($pconfig[$type])) { $ruleType = 'network'; } elseif (is_ipaddrv6($pconfig[$type]) && $pconfig[$type . 'mask'] == 128 || is_ipaddrv4($pconfig[$type]) && $pconfig[$type . 
'mask'] == 32 || is_alias($pconfig[$type])) { $ruleType = 'single'; } $ruleValues = array('any' => 'any', 'single' => 'Single host or alias', 'network' => 'Network'); if (isset($a_filter[$id]['floating']) || $if == "FloatingRules") { $ruleValues['(self)'] = 'This Firewall (self)'; } if (have_ruleint_access("pppoe")) { $ruleValues['pppoe'] = 'PPPoE clients'; } if (have_ruleint_access("l2tp")) { $ruleValues['l2tp'] = 'L2TP clients'; } foreach ($ifdisp as $ifent => $ifdesc) { if (!have_ruleint_access($ifent)) { continue;
} if ($_POST['smtp_email_hdrs_log_depth'] < 0 || $_POST['smtp_email_hdrs_log_depth'] > 20480) { $input_errors[] = gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480."); } } // Validate AppID parameter values if AppID Detector is enabled if ($_POST['appid_preproc'] == 'on') { if ($_POST['sf_appid_mem_cap'] < 32 || $_POST['sf_appid_mem_cap'] > 3000) { $input_errors[] = gettext("The value for Application ID Memory Cap must be between 32 and 3000."); } if ($_POST['sf_appid_stats_period'] < 60 || $_POST['sf_appid_stats_period'] > 3600) { $input_errors[] = gettext("The value for Application ID Stats Period must be between 60 and 3600."); } } // Validate Portscan Ignore_Scanners parameter if ($_POST['sf_portscan'] == 'on' && is_alias($_POST['pscan_ignore_scanners'])) { if (trim(filter_expand_alias($_POST["def_{$key}"])) == "") { $input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNERS parameter."); } } /* if no errors write to conf */ if (!$input_errors) { /* post new options */ if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; } else { $natent['max_attribute_hosts'] = "10000"; } if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; } else {
} $final_address_details[] = $detail_text; $alias_address_count++; } } } if ($alias_address_count > $max_alias_addresses) { $input_errors[] = sprintf(gettext('The maximum number of entries in an alias has been exceeded (%s)'), $max_alias_addresses); break; } } } } // Validate the input data expanded above. foreach ($input_addresses as $idx => $input_address) { if (is_alias($input_address)) { if (!alias_same_type($input_address, $_POST['type'])) { // But alias type network can include alias type urltable. Feature#1603. if (!($_POST['type'] == 'network' && preg_match("/urltable/i", alias_get_type($input_address)))) { $wrongaliases .= " " . $input_address; } } } else { if ($_POST['type'] == "port") { if (!is_port($input_address) && !is_portrange($input_address)) { $input_errors[] = $input_address . " " . gettext("is not a valid port or alias."); } } else { if ($_POST['type'] == "host" || $_POST['type'] == "network") { if (is_subnet($input_address) || !is_ipaddr($input_address) && !is_hostname($input_address)) { $input_errors[] = sprintf(gettext('%1$s is not a valid %2$s address, FQDN or alias.'), $input_address, $_POST['type']);
<?php echo htmlspecialchars(pprint_address($filterent['destination'])); if (isset($filterent['destination']['address']) && is_alias($filterent['destination']['address'])) { ?> <a href="/firewall_aliases_edit.php?name=<?php echo htmlspecialchars($filterent['destination']['address']); ?> "><i class="fa fa-list"></i> </a> <?php } ?> </td> <td class="hidden-xs hidden-sm"> <?php echo htmlspecialchars(pprint_port(isset($filterent['destination']['port']) ? $filterent['destination']['port'] : null)); if (isset($filterent['destination']['port']) && is_alias($filterent['destination']['port'])) { ?> <a href="/firewall_aliases_edit.php?name=<?php echo htmlspecialchars($filterent['destination']['port']); ?> "><i class="fa fa-list"></i> </a> <?php } ?> </td> <td class="hidden-xs hidden-sm"> <?php if (isset($filterent['gateway'])) { ?> <?php echo isset($config['interfaces'][$filterent['gateway']]['descr']) ? htmlspecialchars($config['interfaces'][$filterent['gateway']]['descr']) : htmlspecialchars(pprint_port($filterent['gateway']));
$subnets_help = '<span class="help-block">' . gettext("Subnets are specified in CIDR format. " . "Select the CIDR mask that pertains to each entry.\t" . "/128 specifies a single IPv6 host; /64 specifies a normal IPv6 network; etc. " . "If no subnets are specified here, the Router Advertisement (RA) Daemon will advertise to the subnet to which the router's interface is assigned.") . '</span>'; if ($_POST) { unset($input_errors); $pconfig = $_POST; /* input validation */ $pconfig['subnets'] = array(); for ($x = 0; $x < 5000; $x += 1) { $address = trim($_POST['subnet_address' . $x]); if ($address === "") { continue; } $bits = trim($_POST['subnet_bits' . $x]); if ($bits === "") { $bits = "128"; } if (is_alias($address)) { $pconfig['subnets'][] = $address; } else { $pconfig['subnets'][] = $address . "/" . $bits; if (!is_ipaddrv6($address)) { $input_errors[] = sprintf(gettext("An invalid subnet or alias was specified. [%s/%s]"), $address, $bits); } } } if ($_POST['radns1'] && !is_ipaddrv6($_POST['radns1']) || $_POST['radns2'] && !is_ipaddrv6($_POST['radns2']) || $_POST['radns3'] && !is_ipaddrv6($_POST['radns3'])) { $input_errors[] = gettext("A valid IPv6 address must be specified for each of the DNS servers."); } if ($_POST['radomainsearchlist']) { $domain_array = preg_split("/[ ;]+/", $_POST['radomainsearchlist']); foreach ($domain_array as $curdomain) { if (!is_domain($curdomain)) {
} if ($_POST['ftp_bind_to']) { if (is_alias($_POST['ftp_bind_to'])) { $engine['bind_to'] = $_POST['ftp_bind_to']; } elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") { $engine['bind_to'] = "all"; } else { $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); } } else { $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); } if ($_POST['ftp_ports']) { if ($_POST['ftp_ports'] == "default") { $engine['ports'] = $_POST['ftp_ports']; } elseif (is_alias($_POST['ftp_ports'])) { $engine['ports'] = $_POST['ftp_ports']; } else { $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'."); } } else { $engine['ports'] = 21; } $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no'; $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len']; /* Can only have one "all" Bind_To address */ if ($engine['bind_to'] == "all" && $engine['name'] != "default") { $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses."); $pconfig = $engine;
name="dsttype" class="formselect" onchange="typesel_change()"> <?php $sel = is_specialnet($pconfig['dst']); ?> <option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected=\"selected\""; } ?> ><?php echo gettext("any"); ?> </option> <option value="single" <?php if (!$sel && (is_ipaddrv6($pconfig['dst']) && $pconfig['dstmask'] == 128 || is_ipaddrv4($pconfig['dst']) && $pconfig['dstmask'] == 32 || is_alias($pconfig['dst']))) { echo "selected=\"selected\""; $sel = 1; } ?> ><?php echo gettext("Single host or alias"); ?> </option> <option value="network" <?php if (!$sel) { echo "selected=\"selected\""; } ?> ><?php echo gettext("Network");
if ($_SERVER['REQUEST_METHOD'] === 'GET') { // initialize form vars $pconfig = array("name" => null, "descr" => null, "aliasimport" => null); } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { // save form data $input_errors = array(); $pconfig = $_POST; // input validation $reqdfields = explode(" ", "name aliasimport"); $reqdfieldsn = array(gettext("Name"), gettext("Aliases")); do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); if (is_validaliasname($pconfig['name']) == false) { $input_errors[] = gettext("The alias name may only consist of the characters") . " a-z, A-Z, 0-9, _."; } /* check for name duplicates */ if (is_alias($pconfig['name'])) { $input_errors[] = gettext("An alias with this name already exists."); } // Add all Load balance names to reserved_keywords if (isset($config['load_balancer']['lbpool'])) { foreach ($config['load_balancer']['lbpool'] as $lbpool) { $reserved_keywords[] = $lbpool['name']; } } // Keywords not allowed in names $reserved_keywords = array("all", "pass", "block", "out", "queue", "max", "min", "pptp", "pppoe", "L2TP", "OpenVPN", "IPsec"); $reserved_ifs = get_configured_interface_list(false, true); $reserved_keywords = array_merge($reserved_keywords, $reserved_ifs, $reserved_table_names); /* Check for reserved keyword names */ foreach ($reserved_keywords as $rk) { if ($rk == $pconfig['name']) {