-rwxr-xr-xusr/local/www/vpn_pptp.php208
1 files changed, 143 insertions, 65 deletions
diff --git a/usr/local/www/vpn_pptp.php b/usr/local/www/vpn_pptp.php
index b796639..4d386f1 100755
--- a/usr/local/www/vpn_pptp.php
+++ b/usr/local/www/vpn_pptp.php
@@ -3,20 +3,20 @@
/*
vpn_pptp.php
part of m0n0wall (http://m0n0.ch/wall)
-
+
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
All rights reserved.
-
+
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
-
+
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
-
+
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
-
+
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
@@ -55,15 +55,15 @@ if ($_POST) {
if ($_POST['mode'] == "server") {
$reqdfields = explode(" ", "localip remoteip");
$reqdfieldsn = explode(",", "Server address,Remote start address");
-
+
if ($_POST['radiusenable']) {
$reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
- $reqdfieldsn = array_merge($reqdfieldsn,
+ $reqdfieldsn = array_merge($reqdfieldsn,
explode(",", "RADIUS server address,RADIUS shared secret"));
}
-
+
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
+
if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) {
$input_errors[] = "A valid server address must be specified.";
}
@@ -73,26 +73,26 @@ if ($_POST) {
if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) {
$input_errors[] = "A valid RADIUS server address must be specified.";
}
-
- if (!$input_errors) {
+
+ if (!$input_errors) {
$_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']);
$subnet_start = ip2long($_POST['remoteip']);
$subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1;
-
- if ((ip2long($_POST['localip']) >= $subnet_start) &&
+
+ if ((ip2long($_POST['localip']) >= $subnet_start) &&
(ip2long($_POST['localip']) <= $subnet_end)) {
- $input_errors[] = "The specified server address lies in the remote subnet.";
+ $input_errors[] = "The specified server address lies in the remote subnet.";
}
if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) {
- $input_errors[] = "The specified server address is equal to the LAN interface address.";
+ $input_errors[] = "The specified server address is equal to the LAN interface address.";
}
}
} else if ($_POST['mode'] == "redir") {
$reqdfields = explode(" ", "redir");
$reqdfieldsn = explode(",", "PPTP redirection target address");
-
+
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
+
if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) {
$input_errors[] = "A valid target address must be specified.";
}
@@ -108,9 +108,25 @@ if ($_POST) {
$pptpcfg['radius']['accounting'] = $_POST['radacct_enable'] ? true : false;
$pptpcfg['radius']['server'] = $_POST['radiusserver'];
$pptpcfg['radius']['secret'] = $_POST['radiussecret'];
-
+
+ if (($pconfig['mode'] == "server")) {
+ /*
+ * traverse ruleset. if no PPTP rule is found
+ * install one.
+ */
+ $found_pptp_rule = 0;
+ foreach($config['filter']['rule'] as $rule) {
+ $pos = strpos($rule['descr'], "PPTP");
+ if ( $pos <> false ) $found_pptp_rule = 1;
+ }
+ if($found_pptp_rule == 0) {
+ /* no PPTP rule found. craete one. */
+ add_default_pptp_rule();
+ }
+ }
+
write_config();
-
+
$retval = 0;
if (!file_exists($d_sysrebootreqd_path)) {
config_lock();
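Review bot: The rule scan uses `$pos <> false` after `strpos($rule['descr'], "PPTP")`, so a description that begins with "PPTP" (offset 0) compares equal to false and is not counted, while the new `$found_pptp_rule` stays 0 and another default rule is appended on every save; the check should be `if ($pos !== false) $found_pptp_rule = 1;`. The `foreach` also assumes `$config['filter']['rule']` is an array, which `add_default_pptp_rule` guards against only after the loop has already run, so `if (is_array($config['filter']['rule']))` belongs around the loop here too. The comment at "craete one" should read "create one". The enclosing `if ($_POST)` block starts and ends outside this hunk.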
@@ -118,6 +134,7 @@ if ($_POST) {
config_unlock();
}
$savemsg = get_std_save_message($retval);
+ if($found_pptp_rule ==0) $savemsg .= "<br>A default PPTP rule has been added to the firewall rules section.";
}
}
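Review bot: `$found_pptp_rule` is only assigned inside the `mode == "server"` branch of the previous hunk, so in "off" and "redir" mode the added `if($found_pptp_rule ==0)` compares an unset variable (null) with 0, which is true, and the "default PPTP rule has been added" message is shown although nothing was added. Initialising the flag before the mode check, or testing `isset($found_pptp_rule) && $found_pptp_rule == 0`, keeps the message tied to the actual insertion. Since the rule is now installed automatically, the form's "don't forget to add a firewall rule" note further down in this file is also out of date and could be reworded to say the default rule is created on save.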
?>
@@ -143,7 +160,7 @@ function enable_change(enable_over) {
document.iform.localip.disabled = 0;
document.iform.req128.disabled = 0;
document.iform.radiusenable.disabled = 0;
-
+
if (document.iform.radiusenable.checked || enable_over) {
document.iform.radacct_enable.disabled = 0;
document.iform.radiusserver.disabled = 0;
@@ -185,113 +202,113 @@ function enable_change(enable_over) {
<li class="tabinact"><a href="vpn_pptp_users.php">Users</a></li>
</ul>
</td></tr>
- <tr>
+ <tr>
<td class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
+ <tr>
<td width="22%" valign="top" class="vtable">&nbsp;</td>
- <td width="78%" class="vtable">
+ <td width="78%" class="vtable">
<input name="mode" type="radio" onclick="enable_change(false)" value="off"
<?php if (($pconfig['mode'] != "server") && ($pconfig['mode'] != "redir")) echo "checked";?>>
Off</td>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vtable">&nbsp;</td>
<td width="78%" class="vtable">
<input type="radio" name="mode" value="redir" onclick="enable_change(false)" <?php if ($pconfig['mode'] == "redir") echo "checked"; ?>>
Redirect incoming PPTP connections to:</td>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq">PPTP redirection</td>
- <td width="78%" class="vtable">
- <input name="redir" type="text" class="formfld" id="redir" size="20" value="<?=htmlspecialchars($pconfig['redir']);?>">
+ <td width="78%" class="vtable">
+ <input name="redir" type="text" class="formfld" id="redir" size="20" value="<?=htmlspecialchars($pconfig['redir']);?>">
<br>
- Enter the IP address of a host which will accept incoming
+ Enter the IP address of a host which will accept incoming
PPTP connections.</td>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vtable">&nbsp;</td>
<td width="78%" class="vtable">
<input type="radio" name="mode" value="server" onclick="enable_change(false)" <?php if ($pconfig['mode'] == "server") echo "checked"; ?>>
Enable PPTP server</td>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Max. concurrent
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Max. concurrent
connections</td>
- <td width="78%" class="vtable">
+ <td width="78%" class="vtable">
<?=$g['n_pptp_units'];?>
</td>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq">Server address</td>
- <td width="78%" class="vtable">
- <input name="localip" type="text" class="formfld" id="localip" size="20" value="<?=htmlspecialchars($pconfig['localip']);?>">
+ <td width="78%" class="vtable">
+ <input name="localip" type="text" class="formfld" id="localip" size="20" value="<?=htmlspecialchars($pconfig['localip']);?>">
<br>
- Enter the IP address the PPTP server should use on its side
+ Enter the IP address the PPTP server should use on its side
for all clients.</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Remote address
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Remote address
range</td>
- <td width="78%" class="vtable">
+ <td width="78%" class="vtable">
<input name="remoteip" type="text" class="formfld" id="remoteip" size="20" value="<?=htmlspecialchars($pconfig['remoteip']);?>">
- /
+ /
<?=$g['pptp_subnet'];?>
<br>
Specify the starting address for the client IP address subnet.<br>
- The PPTP server will assign
+ The PPTP server will assign
<?=$g['n_pptp_units'];?>
addresses, starting at the address entered above, to clients.</td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncell">RADIUS</td>
- <td width="78%" class="vtable">
- <p>
+ <td width="78%" class="vtable">
+ <p>
<input name="radiusenable" type="checkbox" id="radiusenable" onclick="enable_change(false)" value="yes" <?php if ($pconfig['radiusenable'] == "yes") echo "checked"; ?>>
<strong>Use a RADIUS server for authentication<br>
- </strong>When set, all users will be authenticated using
- the RADIUS server specified below. The local user database
+ </strong>When set, all users will be authenticated using
+ the RADIUS server specified below. The local user database
will not be used.<br>
<br>
<input name="radacct_enable" type="checkbox" id="radacct_enable" onclick="enable_change(false)" value="yes" <?php if ($pconfig['radacct_enable'] == "yes") echo "checked"; ?>>
<strong>Enable RADIUS accounting <br>
</strong>Sends accounting packets to the RADIUS server. </p></td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncell">RADIUS server </td>
- <td width="78%" class="vtable">
- <p>
+ <td width="78%" class="vtable">
+ <p>
<input name="radiusserver" type="text" class="formfld" id="radiusserver" size="20" value="<?=htmlspecialchars($pconfig['radiusserver']);?>">
<br>
Enter the IP address of the RADIUS server.</p></td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncell">RADIUS shared secret</td>
- <td width="78%" valign="top" class="vtable">
- <p>
+ <td width="78%" valign="top" class="vtable">
+ <p>
<input name="radiussecret" type="password" class="formfld" id="radiussecret" size="20" value="<?=htmlspecialchars($pconfig['radiussecret']);?>">
<br>
- Enter the shared secret that will be used to authenticate
+ Enter the shared secret that will be used to authenticate
to the RADIUS server.</p></td>
</tr>
- <tr>
+ <tr>
<td height="16" colspan="2" valign="top"></td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="middle">&nbsp;</td>
- <td width="78%" class="vtable">
- <input name="req128" type="checkbox" id="req128" value="yes" <?php if ($pconfig['req128'] == "yes") echo "checked"; ?>>
+ <td width="78%" class="vtable">
+ <input name="req128" type="checkbox" id="req128" value="yes" <?php if ($pconfig['req128'] == "yes") echo "checked"; ?>>
<strong>Require 128-bit encryption</strong><br>
- When set, 128-bit encryption will be accepted. Otherwise,
- 40-bit and 56-bit encryption will be accepted, too. Note that
- encryption will always be forced on PPTP connections (i.e.
+ When set, 128-bit encryption will be accepted. Otherwise,
+ 40-bit and 56-bit encryption will be accepted, too. Note that
+ encryption will always be forced on PPTP connections (i.e.
unencrypted connections will not be accepted).</td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)">
+ <td width="78%">
+ <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)">
</td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong>Note:<br>
- </strong></span>don't forget to add a firewall rule to permit
+ </strong></span>don't forget to add a firewall rule to permit
traffic from PPTP clients!</span></td>
</tr>
</table>
@@ -307,3 +324,64 @@ enable_change(false);
<?php include("fend.inc"); ?>
</body>
</html>
+
+<?php
+
+function add_default_pptp_rule() {
+ global $config;
+
+ $specialsrcdst = explode(" ", "any lan pptp");
+ if (!is_array($config['filter']['rule'])) $config['filter']['rule'] = array();
+ filter_rules_sort();
+ $a_filter = &$config['filter']['rule'];
+ $filterent = array();
+ $filterent['type'] = "pass";
+ $filterent['interface'] = "pptp";
+
+ unset($filterent['max-src-nodes']);
+ unset($filterent['max-src-states']);
+ unset($filterent['protocol']);
+ unset($filterent['icmptype']);
+
+ pconfig_to_address($filterent['source'], "any",
+ $_POST['srcmask'], $_POST['srcnot'],
+ $_POST['srcbeginport'], $_POST['srcendport']);
+
+ pconfig_to_address($filterent['destination'], "any",
+ $_POST['dstmask'], $_POST['dstnot'],
+ $_POST['dstbeginport'], $_POST['dstendport']);
+
+ $filterent['disabled'] = false;
+ $filterent['log'] = false;
+ $filterent['frags'] = false;
+ $filterent['descr'] = "Default PPTP -&gt; any";
+ $a_filter[] = $filterent;
+ write_config();
+
+}
+
+function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) {
+
+ $adr = array();
+
+ if ($padr == "any")
+ $adr['any'] = true;
+ else if (is_specialnet($padr))
+ $adr['network'] = $padr;
+ else {
+ $adr['address'] = $padr;
+ if ($pmask != 32)
+ $adr['address'] .= "/" . $pmask;
+ }
+
+ $adr['not'] = $pnot ? true : false;
+
+ if (($pbeginport != 0) && ($pbeginport != "any")) {
+ if ($pbeginport != $pendport)
+ $adr['port'] = $pbeginport . "-" . $pendport;
+ else
+ $adr['port'] = $pbeginport;
+ }
+}
+
+?>
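Review bot: `add_default_pptp_rule` feeds `$_POST['srcmask']`, `$_POST['srcnot']`, `$_POST['srcbeginport']`, `$_POST['srcendport']` and the `dst*` counterparts into `pconfig_to_address`, but this page's form defines none of those fields, so the default rule's `not` and `port` entries are whatever the submitted request happens to carry rather than fixed values; pass constants instead, e.g. `pconfig_to_address($filterent['source'], "any", 32, false, 0, 0);` and the same for `$filterent['destination']`. The function also calls `write_config()` itself while its caller in the POST handler calls `write_config()` again right after, so the configuration is written twice per save; dropping the inner call is enough. The resulting rule is a pass rule from the pptp interface to any destination, which is broader than the "rule to permit traffic from PPTP clients" the page text asks the admin to add, so the rule description or the help text should state that scope so it can be tightened deliberately. Defining these functions after `</html>` also means the file now emits a trailing newline after the document and that `pconfig_to_address` appears to duplicate a helper of the same name elsewhere in the tree (worth confirming); moving both into the PHP prologue at the top of the file, or into the shared include, avoids both.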