diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/captiveportal.inc | 82 | ||||
-rw-r--r-- | etc/inc/config.lib.inc | 11 | ||||
-rw-r--r-- | etc/inc/easyrule.inc | 2 | ||||
-rw-r--r-- | etc/inc/filter.inc | 19 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 138 | ||||
-rw-r--r-- | etc/inc/voucher.inc | 45 | ||||
-rwxr-xr-x | etc/rc.bootup | 4 | ||||
-rwxr-xr-x | etc/sshd | 8 |
8 files changed, 191 insertions, 118 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 0962cd8..fb2384c 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -57,6 +57,7 @@ function get_default_captive_portal_html() { <html> <body> <form method="post" action="\$PORTAL_ACTION\$"> + <input name="redirurl" type="hidden" value="\$PORTAL_REDIRURL\$"> <center> <table cellpadding="6" cellspacing="0" width="550" height="380" style="border:1px solid #000000"> <tr height="10" bgcolor="#990000"> @@ -94,7 +95,6 @@ function get_default_captive_portal_html() { <div id='loginbox'> Enter Voucher Code: <input name="auth_voucher" type="text" style="border:1px dashed;" size="22"> - <input name="redirurl" type="hidden" value="\$PORTAL_REDIRURL\$"> <input name="accept" type="submit" value="Continue"> </div> </center> @@ -273,82 +273,8 @@ function captiveportal_configure() { if ($config['captiveportal']['page']['errtext']) $errtext = base64_decode($config['captiveportal']['page']['errtext']); else { - /* example page */ - $errtext = <<<EOD -<html> - <body> - <form method="post" action="\$PORTAL_ACTION\$"> - <input name="redirurl" type="hidden" value="\$PORTAL_REDIRURL\$"> - <center> - <table cellpadding="6" cellspacing="0" width="550" height="380" style="border:1px solid #000000"> - <tr height="10" bgcolor="#990000"> - <td style="border-bottom:1px solid #000000"> - <font color='white'> - <b> - {$g['product_name']} captive portal - </b> - </font> - </td> - </tr> - <tr> - <td> - <div id="mainlevel"> - <center> - <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> - <center> - <div id="mainarea"> - <center> - <table width="100%" border="0" cellpadding="5" cellspacing="5"> - <tr> - <td> - <div id="maindivarea"> - <center> - <div id='statusbox'> - <font color='red' face='arial' size='+1'> - <b> - \$PORTAL_MESSAGE\$ - </b> - </font> - </div> - <br/> - <div id='loginbox'> - <table> - <tr><td colspan="2"><center>Welcome to the {$g['product_name']} Captive Portal!</td></tr> - <tr><td> </td></tr> - <tr><td align="right">Username:</td><td><input name="auth_user" type="text" style="border: 1px dashed;"></td></tr> - <tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr> - <tr><td> </td></tr> - <tr> - <td colspan="2"> - <center><input name="accept" type="submit" value="Continue"></center> - </td> - </tr> - </table> - </div> - </center> - </div> - </td> - </tr> - </table> - </center> - </div> - </center> - </td> - </tr> - </table> - </center> - </div> - </td> - </tr> - </table> - </center> - </form> - </body> -</html> - -EOD; + /* example page */ + $errtext = get_default_captive_portal_html(); } $fd = @fopen("{$g['varetc_path']}/captiveportal-error.html", "w"); @@ -1814,7 +1740,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut /* redirect user to desired destination */ if (!empty($attributes['url_redirection'])) $my_redirurl = $attributes['url_redirection']; - else if ($config['captiveportal']['redirurl']) + else if (!empty($config['captiveportal']['redirurl'])) $my_redirurl = $config['captiveportal']['redirurl']; else $my_redirurl = $redirurl; diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index b319ef8..9a5bd12 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -301,16 +301,13 @@ EOD; * null ******/ /* mount flash card read/write */ -function conf_mount_rw($nobootcheck = false) { +function conf_mount_rw() { global $g; /* do not mount on cdrom platform */ if($g['platform'] == "cdrom" or $g['platform'] == "pfSense") return; - if($g['booting'] && !$nobootcheck) - return; - if (refcount_reference(1000) > 1) return; @@ -324,7 +321,7 @@ function conf_mount_rw($nobootcheck = false) { /* if the platform is soekris or wrap or pfSense, lets mount the * compact flash cards root. - */ + */ $status = mwexec("/sbin/mount -u -w -o sync,noatime /"); /* we could not mount this correctly. kick off fsck */ if($status <> 0) { @@ -342,14 +339,14 @@ function conf_mount_rw($nobootcheck = false) { * RESULT * null ******/ -function conf_mount_ro($nobootcheck = false) { +function conf_mount_ro() { global $g; /* do not umount on cdrom or pfSense platforms */ if($g['platform'] == "cdrom" or $g['platform'] == "pfSense") return; - if($g['booting'] && !$nobootcheck) + if($g['booting']) return; if (refcount_unreference(1000) > 0) diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc index 0a6c703..fed7cba 100644 --- a/etc/inc/easyrule.inc +++ b/etc/inc/easyrule.inc @@ -53,7 +53,7 @@ function easyrule_find_rule_interface($int) { $iflist['l2tp'] = "L2TP VPN"; /* add ipsec interfaces */ - if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])){ + if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])){ $iflist["enc0"] = "IPSEC"; } diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 7d558eb..08b166f 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -793,7 +793,7 @@ function filter_generate_optcfg_array() { $FilterIflist['pppoe'] = $oic; } /* add ipsec interfaces */ - if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])) { + if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { $oic = array(); $oic['if'] = 'enc0'; $oic['descr'] = 'IPsec'; @@ -1071,7 +1071,12 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $socktype = "stream"; $dash_u = ""; } - $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; + $target = explode(" ", trim($target)); + foreach ($target as $targip) { + if (empty($targip)) + continue; + $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$targip} {$tda}\n"; + } } $inetdport++; } @@ -1621,7 +1626,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "{$lansa}/{$lansn}"; break; case 'pptp': - $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']); + $pptpsa = gen_subnet($FilterIflist['pptp']['sa'], $FilterIflist['pptp']['sn']); $pptpsn = $FilterIflist['pptp']['sn']; $src = "{$pptpsa}/{$pptpsn}"; break; @@ -2154,6 +2159,7 @@ EOD; $ipfrules .= <<<EOD # allow PPTP client pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}" +pass in on \${$oc['descr']} proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}" EOD; break; @@ -2185,8 +2191,8 @@ EOD; if($config['dhcpd'][$on]['failover_peerip'] <> "") { $ipfrules .= <<<EOD # allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} -pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover" -pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover" +pass in on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover" +pass in on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover" EOD; } @@ -2223,7 +2229,7 @@ EOD; /* add ipsec interfaces */ - if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])) + if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) $ipfrules .= <<<EOD pass out on \$IPsec all keep state label "IPsec internal host to host" @@ -2271,6 +2277,7 @@ EOD; $ipfrules .= <<<EOD # PPTPd rules pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}" +pass in on \${$FilterIflist['wan']['descr']} proto gre from any to any keep state label "allow gre pptpd" EOD; diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index f530165..8cdc97c 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -982,6 +982,7 @@ function upgrade_046_to_047() { $ph1alg = array( 'name' => 'aes', 'keylen' => '128' ); break; case "rijndael 256": + case "aes 256": $ph1alg = array( 'name' => 'aes', 'keylen' => '256' ); break; } @@ -1066,6 +1067,7 @@ function upgrade_046_to_047() { break; case "rijndael": case "rijndael 256": + case "aes 256": $ph2alg = array( 'name' => 'aes', 'keylen' => 'auto' ); $aes_found = true; $aes_count++; @@ -1090,6 +1092,142 @@ function upgrade_046_to_047() { $config['ipsec']['phase1'] = $a_phase1; $config['ipsec']['phase2'] = $a_phase2; } + + /* Upgrade Mobile IPsec */ + if (isset($config['ipsec']['mobileclients']) + && is_array($config['ipsec']['mobileclients']) + && is_array($config['ipsec']['mobileclients']['p1']) + && is_array($config['ipsec']['mobileclients']['p2'])) { + + if (isset($config['ipsec']['mobileclients']['enable'])) { + $config['ipsec']['client']['enable'] = true; + $config['ipsec']['client']['user_source'] = 'system'; + $config['ipsec']['client']['group_source'] = 'system'; + } + + $mobilecfg = $config['ipsec']['mobileclients']; + + $ph1ent = array(); + $ph1ent['ikeid'] = ++$ikeid; + + if (!isset($mobilecfg['enable'])) + $ph1ent['disabled'] = true; + + /* Assume WAN since mobile tunnels couldn't be on a separate interface on 1.2.x */ + $ph1ent['interface'] = 'wan'; + $ph1ent['descr'] = "Mobile Clients (upgraded)"; + $ph1ent['mode'] = $mobilecfg['p1']['mode']; + + if (isset($mobilecfg['p1']['myident']['myaddress'])) + $ph1ent['myid_type'] = "myaddress"; + if (isset($mobilecfg['p1']['myident']['address'])) { + $ph1ent['myid_type'] = "address"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['address']; + } + if (isset($mobilecfg['p1']['myident']['fqdn'])) { + $ph1ent['myid_type'] = "fqdn"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['fqdn']; + } + if (isset($mobilecfg['p1']['myident']['ufqdn'])) { + $ph1ent['myid_type'] = "user_fqdn"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['ufqdn']; + } + if (isset($mobilecfg['p1']['myident']['asn1dn'])) { + $ph1ent['myid_type'] = "asn1dn"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['asn1dn']; + } + if (isset($mobilecfg['p1']['myident']['dyn_dns'])) { + $ph1ent['myid_type'] = "dyn_dns"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['dyn_dns']; + } + $ph1ent['peerid_type'] = "fqdn"; + $ph1ent['peerid_data'] = ""; + + switch ($mobilecfg['p1']['encryption-algorithm']) { + case "des": + $ph1alg = array( 'name' => 'des' ); + break; + case "3des": + $ph1alg = array( 'name' => '3des' ); + break; + case "blowfish": + $ph1alg = array( 'name' => 'blowfish', 'keylen' => '128' ); + break; + case "cast128": + $ph1alg = array( 'name' => 'cast128' ); + break; + case "rijndael": + $ph1alg = array( 'name' => 'aes', 'keylen' => '128' ); + break; + case "rijndael 256": + case "aes 256": + $ph1alg = array( 'name' => 'aes', 'keylen' => '256' ); + break; + } + + $ph1ent['encryption-algorithm'] = $ph1alg; + $ph1ent['hash-algorithm'] = $mobilecfg['p1']['hash-algorithm']; + $ph1ent['dhgroup'] = $mobilecfg['p1']['dhgroup']; + $ph1ent['lifetime'] = $mobilecfg['p1']['lifetime']; + $ph1ent['authentication_method'] = $mobilecfg['p1']['authentication_method']; + + if (isset($mobilecfg['p1']['cert'])) + $ph1ent['cert'] = $mobilecfg['p1']['cert']; + if (isset($mobilecfg['p1']['peercert'])) + $ph1ent['peercert'] = $mobilecfg['p1']['peercert']; + if (isset($mobilecfg['p1']['private-key'])) + $ph1ent['private-key'] = $mobilecfg['p1']['private-key']; + + $ph1ent['nat_traversal'] = "on"; + $ph1ent['dpd_enable'] = 1; + $ph1ent['dpd_delay'] = 10; + $ph1ent['dpd_maxfail'] = 5; + $ph1ent['mobile'] = true; + + $ph2ent = array(); + $ph2ent['ikeid'] = $ph1ent['ikeid']; + $ph2ent['descr'] = "phase2 for ".$mobilecfg['descr']; + $ph2ent['localid'] = array('type' => 'none'); + $ph2ent['remoteid'] = array('type' => 'mobile'); + $ph2ent['protocol'] = $mobilecfg['p2']['protocol']; + + $aes_count = 0; + foreach( $mobilecfg['p2']['encryption-algorithm-option'] as $tunalg ) { + $aes_found = false; + switch ($tunalg) { + case "des": + $ph2alg = array( 'name' => 'des' ); + break; + case "3des": + $ph2alg = array( 'name' => '3des' ); + break; + case "blowfish": + $ph2alg = array( 'name' => 'blowfish', 'keylen' => 'auto' ); + break; + case "cast128": + $ph2alg = array( 'name' => 'cast128' ); + break; + case "rijndael": + case "rijndael 256": + case "aes 256": + $ph2alg = array( 'name' => 'aes', 'keylen' => 'auto' ); + $aes_found = true; + $aes_count++; + break; + } + + if( !$aes_found || ($aes_count < 2)) + $ph2ent['encryption-algorithm-option'][] = $ph2alg; + } + $ph2ent['hash-algorithm-option'] = $mobilecfg['p2']['hash-algorithm-option']; + $ph2ent['pfsgroup'] = $mobilecfg['p2']['pfsgroup']; + $ph2ent['lifetime'] = $mobilecfg['p2']['lifetime']; + $ph2ent['mobile'] = true; + + $config['ipsec']['phase1'][] = $ph1ent; + $config['ipsec']['phase2'][] = $ph2ent; + unset($config['ipsec']['mobileclients']); + } } diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index 7d618ee..fee5d12 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -41,9 +41,9 @@ function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $user global $g, $config; require_once("xmlrpc.inc"); if($port == "443") - $url = "https://{$syncip}:{$port}"; + $url = "https://{$syncip}"; else - $url = "http://{$syncip}:{$port}"; + $url = "http://{$syncip}"; /* Construct code that is run on remote machine */ $method = 'pfsense.exec_php'; @@ -89,15 +89,15 @@ function xmlrpc_sync_used_voucher($voucher_received, $syncip, $port, $password, global $g, $config; require_once("xmlrpc.inc"); if($port == "443") - $url = "https://{$syncip}:{$port}"; + $url = "https://{$syncip}"; else - $url = "http://{$syncip}:{$port}"; + $url = "http://{$syncip}"; /* Construct code that is run on remote machine */ $method = 'pfsense.exec_php'; $execcmd = <<<EOF require_once('/etc/inc/voucher.inc'); - \$timeleft = voucher_auth($voucher_received); + \$timeleft = voucher_auth({$voucher_received}); \$toreturn = array(); \$toreturn['timeleft'] = \$timeleft; \$toreturn['voucher']['roll'] = \$config['voucher']['roll']; @@ -119,12 +119,12 @@ EOF; $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); - return array("timeleft" => "0"); + return 0; // $timeleft } elseif($resp->faultCode()) { $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); - return array("timeleft" => "0"); + return 0; // $timeleft } else { log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); } @@ -132,7 +132,7 @@ EOF; if(count($toreturn['voucher']['roll']) <> count($config['voucher']['roll'])) { $config['voucher']['roll'] = $toreturn['voucher']['roll']; write_config("Captive Portal Voucher database synchronized with {$url}"); - voucher_configure(); + voucher_configure(true); } return $toreturn['timeleft']; @@ -230,12 +230,12 @@ function voucher_auth($voucher_received, $test = 0) { } } else { $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s): not found on any registererd Roll'), $voucher, $roll, $nr); - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); } } else { // hmm, thats weird ... not what I expected - $test_result[] = "$voucher " . gettext("invalid:") . " $result !!"; - captiveportal_syslog("$voucher " . gettext("invalid:") . " $result !!"); + $test_result[] = sprintf(gettext('%1$s invalid: %2$s !!'),$voucher,$result); + captiveportal_syslog("$voucher invalid: $result !!"); $error++; } } @@ -247,7 +247,7 @@ function voucher_auth($voucher_received, $test = 0) { } else { $test_result[] = sprintf(gettext("Access granted for %d Minutes in total."), $total_minutes); } - unlock($voucherlck); + unlock($voucherlck); return $test_result; } @@ -264,8 +264,8 @@ function voucher_auth($voucher_received, $test = 0) { // If we did a XMLRPC sync earlier check the timeleft if(!empty($a_voucher['vouchersyncdbip'])) - if($remote_time_used['timeleft'] < $total_minutes) - $total_minutes = $remote_time_used['timeleft']; + if($remote_time_used < $total_minutes) + $total_minutes = $remote_time_used; // All given vouchers were valid and this isn't simply a test. // Write back the used DB's @@ -301,8 +301,8 @@ function voucher_auth($voucher_received, $test = 0) { return $total_minutes; } -function voucher_configure() { - global $config, $g; +function voucher_configure($sync = false) { + global $config, $g; /* kill any running minicron */ killbypid("{$g['varrun_path']}/vouchercron.pid"); @@ -311,7 +311,9 @@ function voucher_configure() { return 0; if ($g['booting']) - echo gettext("Enabling voucher support... "); + echo "Enabling voucher support... "; + if ($sync == true) + captiveportal_syslog("Writing voucher db from sync data..."); // start cron if we're asked to save runtime DB periodically // to XML config if it changed @@ -328,8 +330,8 @@ function voucher_configure() { $pubkey = base64_decode($config['voucher']['publickey']); $fd = fopen("{$g['varetc_path']}/voucher.public", "w"); if (!$fd) { - captiveportal_syslog(gettext("Voucher error: cannot write voucher.public") . "\n"); - unlock($voucherlck); + captiveportal_syslog("Voucher error: cannot write voucher.public\n"); + unlock($voucherlck); return 1; } fwrite($fd, $pubkey); @@ -348,7 +350,7 @@ function voucher_configure() { @chmod("{$g['varetc_path']}/voucher.cfg", 0600); unlock($voucherlck); - if ($g['booting'] && is_array($config['voucher']['roll'])) { + if (($g['booting'] || $sync == true) && is_array($config['voucher']['roll'])) { // create active and used DB per roll on ramdisk from config $a_roll = &$config['voucher']['roll']; @@ -375,7 +377,8 @@ function voucher_configure() { } unlock($voucherlck); - echo gettext("done") . "\n"; + if ($g['booting']) + echo "done\n"; } return 0; diff --git a/etc/rc.bootup b/etc/rc.bootup index b7a632e..6cff6ac 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -129,7 +129,7 @@ $memory = get_memory(); $avail = $memory[0]; echo " done.\n"; -conf_mount_rw(true); +conf_mount_rw(); /* save dmesg output to file */ system_dmesg_save(); @@ -400,6 +400,6 @@ unset($g['booting']); led_normalize(); -conf_mount_ro(true); +conf_mount_ro(); ?> @@ -42,7 +42,10 @@ exit; } - conf_mount_rw(true); + /* are we already running? if not, do conf_mount_rw(), otherwise it should already be rw */ + if(!is_subsystem_dirty('sshdkeys')) { + conf_mount_rw(); + } function file_size($file) { $size = filesize($file); @@ -138,7 +141,6 @@ /* are we already running? if so exit */ if(is_subsystem_dirty('sshdkeys')) { - conf_mount_ro(true); exit; } @@ -185,6 +187,6 @@ exec("mkdir /conf/sshd"); exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd"); } - conf_mount_ro(true); + conf_mount_ro(); ?> |