diff options
| author | jim-p <jimp@pfsense.org> | 2016-03-03 17:16:38 -0500 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2016-03-03 17:16:38 -0500 |
| commit | 31b151809d04c40fd915c129d28cc9b440a0eabe (patch) | |
| tree | dd77c564fa3ff1ea8710dc438df0a51d6f47f892 | |
| parent | 12d7d9e71e85308daeebf9533700d37f14fcc41b (diff) | |
| download | pfsense-31b151809d04c40fd915c129d28cc9b440a0eabe.zip pfsense-31b151809d04c40fd915c129d28cc9b440a0eabe.tar.gz | |
Move NTP access restrictions to their own tab and add the ability to craft custom restrictions for arbitrary networks. Fixes #4463
| -rw-r--r-- | src/etc/inc/system.inc | 37 | ||||
| -rw-r--r-- | src/etc/inc/util.inc | 10 | ||||
| -rw-r--r-- | src/usr/local/www/services_ntpd.php | 109 | ||||
| -rw-r--r-- | src/usr/local/www/services_ntpd_acls.php | 347 | ||||
| -rw-r--r-- | src/usr/local/www/services_ntpd_gps.php | 1 | ||||
| -rw-r--r-- | src/usr/local/www/services_ntpd_pps.php | 1 |
6 files changed, 396 insertions, 109 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index 4bda7c1..d8b1efb 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -1718,7 +1718,6 @@ function system_ntp_configure($start_ntpd=true) { unset($ts); $ntpcfg .= "\n\n"; - $ntpcfg .= "disable monitor\n"; //prevent NTP reflection attack, see https://forum.pfsense.org/index.php/topic,67189.msg389132.html#msg389132 if (!empty($config['ntpd']['clockstats']) || !empty($config['ntpd']['loopstats']) || !empty($config['ntpd']['peerstats'])) { $ntpcfg .= "enable stats\n"; $ntpcfg .= 'statistics'; @@ -1743,7 +1742,8 @@ function system_ntp_configure($start_ntpd=true) { } $ntpcfg .= "\n"; $ntpcfg .= "driftfile {$driftfile}\n"; - /* Access restrictions */ + + /* Default Access restrictions */ $ntpcfg .= 'restrict default'; if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */ $ntpcfg .= ' kod limited'; @@ -1782,7 +1782,40 @@ function system_ntp_configure($start_ntpd=true) { if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */ $ntpcfg .= ' notrap'; } + /* Custom Access Restrictions */ + if (is_array($config['ntpd']['restrictions']) && is_array($config['ntpd']['restrictions']['row'])) { + $networkacl = $config['ntpd']['restrictions']['row']; + foreach ($networkacl as $acl) { + $ntpcfg .= "\nrestrict "; + if (is_ipaddrv6($acl['acl_network'])) { + $ntpcfg .= "-6 {$acl['acl_network']} mask " . gen_subnet_mask_v6($acl['mask']) . " "; + } elseif (is_ipaddrv4($acl['acl_network'])) { + $ntpcfg .= "{$acl['acl_network']} mask " . gen_subnet_mask($acl['mask']) . " "; + } else { + continue; + } + if (!empty($acl['kod'])) { + $ntpcfg .= ' kod limited'; + } + if (!empty($acl['nomodify'])) { + $ntpcfg .= ' nomodify'; + } + if (!empty($acl['noquery'])) { + $ntpcfg .= ' noquery'; + } + if (!empty($acl['nopeer'])) { + $ntpcfg .= ' nopeer'; + } + if (!empty($acl['noserve'])) { + $ntpcfg .= ' noserve'; + } + if (!empty($acl['notrap'])) { + $ntpcfg .= ' notrap'; + } + } + } $ntpcfg .= "\n"; + /* End Custom Access Restrictions */ /* A leapseconds file is really only useful if this clock is stratum 1 */ $ntpcfg .= "\n"; diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index e1f5c80..e74dc64 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc @@ -425,6 +425,16 @@ function gen_subnet_mask($bits) { return long2ip(gen_subnet_mask_long($bits)); } +/* Convert a prefix length to an IPv6 address-like mask notation. Very rare but at least ntp needs it. See #4463 */ +function gen_subnet_mask_v6($bits) { + /* Binary representation of the prefix length */ + $bin = str_repeat('1', $bits); + /* Pad right with zeroes to reach the full address length */ + $bin = str_pad($bin, 128, '0', STR_PAD_RIGHT); + /* Convert back to an IPv6 address style notation */ + return Net_IPv6::_bin2Ip($bin); +} + /* Convert long int to IPv4 address Returns '' if not valid IPv4 (including if any bits >32 are non-zero) */ function long2ip32($ip) { diff --git a/src/usr/local/www/services_ntpd.php b/src/usr/local/www/services_ntpd.php index cd713d1..5f2818f 100644 --- a/src/usr/local/www/services_ntpd.php +++ b/src/usr/local/www/services_ntpd.php @@ -157,42 +157,6 @@ if ($_POST) { unset($config['ntpd']['peerstats']); } - if (empty($_POST['kod'])) { - $config['ntpd']['kod'] = 'on'; - } elseif (isset($config['ntpd']['kod'])) { - unset($config['ntpd']['kod']); - } - - if (empty($_POST['nomodify'])) { - $config['ntpd']['nomodify'] = 'on'; - } elseif (isset($config['ntpd']['nomodify'])) { - unset($config['ntpd']['nomodify']); - } - - if (!empty($_POST['noquery'])) { - $config['ntpd']['noquery'] = $_POST['noquery']; - } elseif (isset($config['ntpd']['noquery'])) { - unset($config['ntpd']['noquery']); - } - - if (!empty($_POST['noserve'])) { - $config['ntpd']['noserve'] = $_POST['noserve']; - } elseif (isset($config['ntpd']['noserve'])) { - unset($config['ntpd']['noserve']); - } - - if (empty($_POST['nopeer'])) { - $config['ntpd']['nopeer'] = 'on'; - } elseif (isset($config['ntpd']['nopeer'])) { - unset($config['ntpd']['nopeer']); - } - - if (empty($_POST['notrap'])) { - $config['ntpd']['notrap'] = 'on'; - } elseif (isset($config['ntpd']['notrap'])) { - unset($config['ntpd']['notrap']); - } - if ((empty($_POST['statsgraph'])) == (isset($config['ntpd']['statsgraph']))) { $enable_rrd_graphing = true; } @@ -264,6 +228,7 @@ if ($savemsg) { $tab_array = array(); $tab_array[] = array(gettext("Settings"), true, "services_ntpd.php"); +$tab_array[] = array(gettext("ACLs"), false, "services_ntpd_acls.php"); $tab_array[] = array(gettext("Serial GPS"), false, "services_ntpd_gps.php"); $tab_array[] = array(gettext("PPS"), false, "services_ntpd_pps.php"); display_top_tabs($tab_array); @@ -397,61 +362,6 @@ $section->addInput(new Form_Checkbox( $pconfig['peerstats'] )); -// Access restrictions section -$btnadvrestr = new Form_Button( - 'btnadvrestr', - 'Advanced' -); - -$btnadvrestr->removeClass('btn-primary')->addClass('btn-default btn-sm'); - -$section->addInput(new Form_StaticText( - 'Access Restrictions', - $btnadvrestr -))->setHelp('These options control access to NTP server.'); - -$section->addInput(new Form_Checkbox( - 'kod', - null, - 'Enable Kiss-o\'-death packets (default: checked).', - !$pconfig['kod'] -)); - -$section->addInput(new Form_Checkbox( - 'nomodify', - null, - 'Deny state modifications (i.e. run time configuration) by ntpq and ntpdc (default: checked).', - !$pconfig['nomodify'] -)); - -$section->addInput(new Form_Checkbox( - 'noquery', - null, - 'Disable ntpq and ntpdc queries (default: unchecked).', - $pconfig['noquery'] -)); - -$section->addInput(new Form_Checkbox( - 'noserve', - null, - 'Disable all except ntpq and ntpdc queries (default: unchecked).', - $pconfig['noserve'] -)); - -$section->addInput(new Form_Checkbox( - 'nopeer', - null, - 'Deny packets that attempt a peer association (default: checked).', - !$pconfig['nopeer'] -)); - -$section->addInput(new Form_Checkbox( - 'notrap', - null, - 'Deny mode 6 control message trap service (default: checked).', - !$pconfig['notrap'] -))->addClass('advrestrictions'); - // Leap seconds section $btnleap = new Form_Button( 'btnleap', @@ -479,6 +389,7 @@ $section->addInput(new Form_Input( ))->addClass('btn-default'); $form->add($section); + print($form); ?> @@ -507,16 +418,6 @@ events.push(function() { // Make the ‘clear’ button a plain button, not a submit button $('#btnadvrestr').prop('type','button'); - // On click, show the controls in the restrictions section - $("#btnadvrestr").click(function() { - hideCheckbox('kod', false); - hideCheckbox('nomodify', false); - hideCheckbox('noquery', false); - hideCheckbox('noserve', false); - hideCheckbox('nopeer', false); - hideCheckbox('notrap', false); - }); - // Make the ‘btnleap’ button a plain button, not a submit button $('#btnleap').prop('type','button'); @@ -530,12 +431,6 @@ events.push(function() { hideCheckbox('clockstats', true); hideCheckbox('loopstats', true); hideCheckbox('peerstats', true); - hideCheckbox('kod', true); - hideCheckbox('nomodify', true); - hideCheckbox('noquery', true); - hideCheckbox('noserve', true); - hideCheckbox('nopeer', true); - hideCheckbox('notrap', true); hideInput('leaptext', true); hideInput('leapfile', true); diff --git a/src/usr/local/www/services_ntpd_acls.php b/src/usr/local/www/services_ntpd_acls.php new file mode 100644 index 0000000..08ff080 --- /dev/null +++ b/src/usr/local/www/services_ntpd_acls.php @@ -0,0 +1,347 @@ +<?php +/* + services_ntpd_acls.php +*/ +/* ==================================================================== + * Copyright (c) 2004-2016 Electric Sheep Fencing, LLC. All rights reserved. + * Copyright (c) 2013 Dagorlad + * + * Redistribution and use in source and binary forms, with or without modification, + * are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgment: + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution. (http://www.pfsense.org/). + * + * 4. The names "pfSense" and "pfSense Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * coreteam@pfsense.org. + * + * 5. Products derived from this software may not be called "pfSense" + * nor may "pfSense" appear in their names without prior written + * permission of the Electric Sheep Fencing, LLC. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution (http://www.pfsense.org/). + * + * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * ==================================================================== + * + */ + +##|+PRIV +##|*IDENT=page-services-ntpd-acls +##|*NAME=Services: NTP ACL Settings +##|*DESCR=Allow access to the 'Services: NTP ACL Settings' page. +##|*MATCH=services_ntpd_acls.php* +##|-PRIV + +define('NUMACLS', 50); // The maximum number of configurable ACLs +require("guiconfig.inc"); +require_once('rrd.inc'); +require_once("shaper.inc"); + +if (!is_array($config['ntpd'])) { + $config['ntpd'] = array(); +} +if (is_array($config['ntpd']['restrictions']) && is_array($config['ntpd']['restrictions']['row'])) { + $networkacl = $config['ntpd']['restrictions']['row']; +} else { + $networkacl = array('0' => array('acl_network' => '', 'mask' => '')); +} + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + for ($x = 0; $x < NUMACLS; $x++) { + if (isset($pconfig["acl_network{$x}"])) { + $networkacl[$x] = array(); + $networkacl[$x]['acl_network'] = $pconfig["acl_network{$x}"]; + $networkacl[$x]['mask'] = $pconfig["mask{$x}"]; + + /* ACL Flags */ + if (!empty($pconfig["kod{$x}"])) { + $networkacl[$x]['kod'] = $pconfig["kod{$x}"]; + } elseif (isset($networkacl[$x]['kod'])) { + unset($networkacl[$x]['kod']); + } + if (!empty($pconfig["nomodify{$x}"])) { + $networkacl[$x]['nomodify'] = $pconfig["nomodify{$x}"]; + } elseif (isset($networkacl[$x]['nomodify'])) { + unset($networkacl[$x]['nomodify']); + } + if (!empty($pconfig["noquery{$x}"])) { + $networkacl[$x]['noquery'] = $pconfig["noquery{$x}"]; + } elseif (isset($networkacl[$x]['noquery'])) { + unset($networkacl[$x]['noquery']); + } + if (!empty($pconfig["noserve{$x}"])) { + $networkacl[$x]['noserve'] = $pconfig["noserve{$x}"]; + } elseif (isset($networkacl[$x]['noserve'])) { + unset($networkacl[$x]['noserve']); + } + if (!empty($pconfig["nopeer{$x}"])) { + $networkacl[$x]['nopeer'] = $pconfig["nopeer{$x}"]; + } elseif (isset($networkacl[$x]['nopeer'])) { + unset($networkacl[$x]['nopeer']); + } + if (!empty($pconfig["notrap{$x}"])) { + $networkacl[$x]['notrap'] = $pconfig["notrap{$x}"]; + } elseif (isset($networkacl[$x]['notrap'])) { + unset($networkacl[$x]['notrap']); + } + /* End ACL Flags */ + + if (!is_ipaddr($networkacl[$x]['acl_network'])) { + $input_errors[] = gettext("You must enter a valid IP address for each row under Networks."); + } + if (is_ipaddr($networkacl[$x]['acl_network'])) { + if (!is_subnet($networkacl[$x]['acl_network']."/".$networkacl[$x]['mask'])) { + $input_errors[] = gettext("You must enter a valid IPv4 netmask for each IPv4 row under Networks."); + } + } else if (function_exists("is_ipaddrv6")) { + if (!is_ipaddrv6($networkacl[$x]['acl_network'])) { + $input_errors[] = gettext("You must enter a valid IPv6 address for {$networkacl[$x]['acl_network']}."); + } else if (!is_subnetv6($networkacl[$x]['acl_network']."/".$networkacl[$x]['mask'])) { + $input_errors[] = gettext("You must enter a valid IPv6 netmask for each IPv6 row under Networks."); + } + } else { + $input_errors[] = gettext("You must enter a valid IP address for each row under Networks."); + } + } else if (isset($networkacl[$x])) { + unset($networkacl[$x]); + } + } + + if (!$input_errors) { + /* Default Access Restrictions */ + if (empty($_POST['kod'])) { + $config['ntpd']['kod'] = 'on'; + } elseif (isset($config['ntpd']['kod'])) { + unset($config['ntpd']['kod']); + } + + if (empty($_POST['nomodify'])) { + $config['ntpd']['nomodify'] = 'on'; + } elseif (isset($config['ntpd']['nomodify'])) { + unset($config['ntpd']['nomodify']); + } + + if (!empty($_POST['noquery'])) { + $config['ntpd']['noquery'] = $_POST['noquery']; + } elseif (isset($config['ntpd']['noquery'])) { + unset($config['ntpd']['noquery']); + } + + if (!empty($_POST['noserve'])) { + $config['ntpd']['noserve'] = $_POST['noserve']; + } elseif (isset($config['ntpd']['noserve'])) { + unset($config['ntpd']['noserve']); + } + + if (empty($_POST['nopeer'])) { + $config['ntpd']['nopeer'] = 'on'; + } elseif (isset($config['ntpd']['nopeer'])) { + unset($config['ntpd']['nopeer']); + } + + if (empty($_POST['notrap'])) { + $config['ntpd']['notrap'] = 'on'; + } elseif (isset($config['ntpd']['notrap'])) { + unset($config['ntpd']['notrap']); + } + /* End Default Access Restrictions */ + $config['ntpd']['restrictions']['row'] = array(); + foreach ($networkacl as $acl) { + $config['ntpd']['restrictions']['row'][] = $acl; + } + + write_config("Updated NTP ACL Settings"); + + $retval = 0; + $retval = system_ntp_configure(); + $savemsg = get_std_save_message($retval); + } +} + +$pconfig = &$config['ntpd']; + +$pgtitle = array(gettext("Services"), gettext("NTP"), gettext("ACLs")); +$shortcut_section = "ntp"; +include("head.inc"); + +if ($input_errors) { + print_input_errors($input_errors); +} +if ($savemsg) { + print_info_box($savemsg, 'success'); +} + +$tab_array = array(); +$tab_array[] = array(gettext("Settings"), false, "services_ntpd.php"); +$tab_array[] = array(gettext("ACLs"), true, "services_ntpd_acls.php"); +$tab_array[] = array(gettext("Serial GPS"), false, "services_ntpd_gps.php"); +$tab_array[] = array(gettext("PPS"), false, "services_ntpd_pps.php"); +display_top_tabs($tab_array); + +$form = new Form; + +$section = new Form_Section('Default Access Restrictions'); + +$section->addInput(new Form_Checkbox( + 'kod', + 'Kiss-o\'-death', + 'Enable KOD packets.', + !$pconfig['kod'] +)); + +$section->addInput(new Form_Checkbox( + 'nomodify', + "Modifications", + 'Deny run-time Configuration (nomodify) by ntpq and ntpdc.', + !$pconfig['nomodify'] +)); + +$section->addInput(new Form_Checkbox( + 'noquery', + 'Queries', + 'Disable ntpq and ntpdc queries (noquery).', + $pconfig['noquery'] +)); + +$section->addInput(new Form_Checkbox( + 'noserve', + 'Service', + 'Disable all except ntpq and ntpdc queries (noserve).', + $pconfig['noserve'] +)); + +$section->addInput(new Form_Checkbox( + 'nopeer', + 'Peer Association', + 'Deny packets that attempt a peer association (nopeer).', + !$pconfig['nopeer'] +)); + +$section->addInput(new Form_Checkbox( + 'notrap', + 'Trap Service', + 'Deny mode 6 control message trap service (notrap).', + !$pconfig['notrap'] +)); + +/* End Default Restrictions*/ +$form->add($section); + +$section = new Form_Section('Custom Access Restrictions'); + +$numrows = count($networkacl) - 1; +$counter = 0; + +foreach ($networkacl as $item) { + $group = new Form_Group($counter == 0 ? 'Networks':''); + + $group->add(new Form_IpAddress( + 'acl_network' . $counter, + null, + $item['acl_network'] + ))->addMask('mask' . $counter, $item['mask'])->setWidth(3)->setHelp(($counter == $numrows) ? 'Network/mask':null); + + $group->add(new Form_Checkbox( + 'kod' . $counter, + null, + null, + $item['kod'] + ))->setHelp('KOD'); + + $group->add(new Form_Checkbox( + 'nomodify' . $counter, + null, + null, + $item['nomodify'] + ))->setHelp('nomodify'); + + $group->add(new Form_Checkbox( + 'noquery' . $counter, + null, + null, + $item['noquery'] + ))->setHelp('noquery'); + + $group->add(new Form_Checkbox( + 'noserve' . $counter, + null, + null, + $item['noserve'] + ))->setHelp('noserve'); + + $group->add(new Form_Checkbox( + 'nopeer' . $counter, + null, + null, + $item['nopeer'] + ))->setHelp('nopeer'); + + $group->add(new Form_Checkbox( + 'notrap' . $counter, + null, + null, + $item['notrap'] + ))->setHelp('notrap'); + + $group->add(new Form_Button( + 'deleterow' . $counter, + 'Delete' + ))->removeClass('btn-primary')->addClass('btn-warning'); + + $group->addClass('repeatable'); + $section->add($group); + + $counter++; +} + +$section->addInput(new Form_Button( + 'addrow', + 'Add' +))->removeClass('btn-primary')->addClass('btn-success'); + +$form->add($section); + +print($form); + +?> + +<script type="text/javascript"> +//<![CDATA[ + // If this variable is declared, any help text will not be deleted when rows are added + // IOW the help text will appear on every row + retainhelp = true; +</script> + +<?php include("foot.inc"); diff --git a/src/usr/local/www/services_ntpd_gps.php b/src/usr/local/www/services_ntpd_gps.php index 4ff9023..16f5f18 100644 --- a/src/usr/local/www/services_ntpd_gps.php +++ b/src/usr/local/www/services_ntpd_gps.php @@ -228,6 +228,7 @@ include("head.inc"); $tab_array = array(); $tab_array[] = array(gettext("Settings"), false, "services_ntpd.php"); +$tab_array[] = array(gettext("ACLs"), false, "services_ntpd_acls.php"); $tab_array[] = array(gettext("Serial GPS"), true, "services_ntpd_gps.php"); $tab_array[] = array(gettext("PPS"), false, "services_ntpd_pps.php"); display_top_tabs($tab_array); diff --git a/src/usr/local/www/services_ntpd_pps.php b/src/usr/local/www/services_ntpd_pps.php index 2eedfbe..e63ddb7 100644 --- a/src/usr/local/www/services_ntpd_pps.php +++ b/src/usr/local/www/services_ntpd_pps.php @@ -147,6 +147,7 @@ if ($savemsg) { $tab_array = array(); $tab_array[] = array(gettext("Settings"), false, "services_ntpd.php"); +$tab_array[] = array(gettext("ACLs"), false, "services_ntpd_acls.php"); $tab_array[] = array(gettext("Serial GPS"), false, "services_ntpd_gps.php"); $tab_array[] = array(gettext("PPS"), true, "services_ntpd_pps.php"); display_top_tabs($tab_array); |
