Commit log. Each entry gives the commit message, then author, date, files changed and lines removed/added. Indented entries are commits on a side branch brought in by the merge commit listed just above them.

* add a check to avoid foreach on non-array [RELENG_2_2_4]
  Chris Buechler, 2015-07-27, 1 file, -0/+4

* Upgrade config to 11.9. Changes IPsec peer ID for EAP types to "any", to retain previous behavior.
  Chris Buechler, 2015-07-25, 3 files, -2/+15

* Change the log for CRLs with no data (exists but no certs revoked) to a warning since it's not technically an error.
  Chris Buechler, 2015-07-25, 1 file, -1/+1

* Add 'any' option for peer ID, for mobile IPsec scenarios where you can't or don't want to check peer ID.
  Chris Buechler, 2015-07-25, 3 files, -5/+11

* Lower LoginGraceTime to 30s, should be plenty long for users, and mitigates the password login attempt bypass bug in OpenSSH. Ticket #4875
  Chris Buechler, 2015-07-23, 1 file, -0/+1

* Bump to 2.2.4-RELEASE
  Chris Buechler, 2015-07-23, 1 file, -1/+1

* Only omit rightid for PSK mobile types. Flip the logic here as the 2_1 ! logic gets ugly.
  Chris Buechler, 2015-07-23, 1 file, -2/+3

* change iketype auto to ikev2 on upgrade. Ticket #4873
  Chris Buechler, 2015-07-23, 1 file, -0/+5

* Remove "auto", it's just a synonym for IKEv2. Ticket #4873
  Chris Buechler, 2015-07-23, 2 files, -6/+4

* include vpn.inc so IPsec CRL reload works. require_once filter.inc in vpn.inc for callers there that haven't already included it.
  Chris Buechler, 2015-07-23, 2 files, -1/+3

* Most of the flowtable bits were removed some time ago, take out the last of them too.
  Chris Buechler, 2015-07-23, 1 file, -30/+0

* When a CRL is updated, refresh strongswan's CRLs.
  Chris Buechler, 2015-07-23, 1 file, -0/+6

* Merge pull request #1775 from phil-davis/Interfaces-Widget-2-2
  Chris Buechler, 2015-07-22, 2 files, -5/+5

    * Interfaces widget use more obscure separator [RELENG_2_2]
      Phil Davis, 2015-07-22, 2 files, -5/+5
      Redmine #4859 fix for RELENG_2_2

* Add isset check for strictcrlpolicy
  Phil Davis, 2015-07-22, 1 file, -1/+1
  To be consistent with the checks in the rest of this code.

* make the IPsec bypass LAN from LAN subnet to LAN subnet rather than from LAN subnet to LAN IP. Same end result except it'll work for VIPs on same interface now.
  Chris Buechler, 2015-07-22, 1 file, -1/+1

* Add IPsec advanced option for strict CRL checking
  Chris Buechler, 2015-07-22, 2 files, -0/+20

* fix typo
  Chris Buechler, 2015-07-22, 2 files, -2/+2

* Handle IPsec Advanced Settings save before IPsec is enabled
  Phil Davis, 2015-07-22, 1 file, -12/+18
  If the Advanced Settings are saved before any other IPsec is set up then $config['ipsec'] can be just the empty string. As a result you can get:
  a) If you select some debug settings then those are not saved. The code to save those settings was only executed when $config['ipsec'] was already an array. Actually the code already did the necessary "if isset() then unset()" stuff. So I just took the "if is_array()" away from the code block.
  b) Some potential unset() can go wrong with errors like: Fatal error: Cannot unset string offsets in /usr/local/www/vpn_ipsec_settings.php on line 168. This is corrected by adding more "if (isset())" checks.
  Fixes Redmine #4865
  Conflicts: usr/local/www/vpn_ipsec_settings.php

* write out built-in CRLs for strongswan
  Chris Buechler, 2015-07-22, 1 file, -2/+18

* Unset old CA and Cert in left system config
  Phil Davis, 2015-07-21, 1 file, -0/+8
  Unset any old CA and Cert in the system section that might still be there from when upgrade_066_to_067 did not unset them. That will tidy up old configs that had the conversion done originally but these old sections were left behind.

* Allocate dnpipe and dnqueue numbers even if no filter rules
  Phil Davis, 2015-07-21, 1 file, -2/+3
  It would be quite unusual to have no filter rules array, but if that is indeed the case then the first part of this code that sets dnpipe and dnqueue numbers should execute anyway.

* Captive Portal zoneid upgrade fix var name typo
  Phil Davis, 2015-07-21, 1 file, -1/+1
  With the typo, this empty() test would always have been true. So maybe on upgrade some existing captive portal zoneid values have been getting overwritten by this even number counter? Or?

* Add "netstat -ni" to status.php
  jim-p, 2015-07-21, 1 file, -0/+1

* Allow pre-filling (but no automatic action) of the download filename on exec.php. Set up a link to download the status output.tgz in status.php
  jim-p, 2015-07-21, 2 files, -2/+3

* fix indent my editor broke in my earlier commit
  Chris Buechler, 2015-07-21, 1 file, -26/+26

* Add IPsec IKE Intermediate EKU to server certificates. The serverAuth EKU already added suffices for Windows clients, though strongswan docs suggest setting this as well.
  Chris Buechler, 2015-07-20, 1 file, -2/+2

* Specify keyUsage and extendedKeyUsage in openssl.cnf, use crl_ext.
  Chris Buechler, 2015-07-20, 1 file, -6/+6

* Fix caps
  doktornotor, 2015-07-19, 1 file, -1/+1

* Bug #4551 - consistent usage of Forwarder/Resolver across the WebGUI
  doktornotor, 2015-07-19, 1 file, -2/+2
  Clarify that this applies to DNS Resolver as well. Update the translations template.

* Bug #4551 - consistent usage of Forwarder/Resolver across the WebGUI
  doktornotor, 2015-07-19, 1 file, -1/+1
  Clarify that this applies to DNS Resolver as well.

* Bug #4551 - consistent usage of Forwarder/Resolver across the WebGUI
  doktornotor, 2015-07-19, 1 file, -1/+1
  Clarify that this applies to DNS Resolver as well.

* Merge pull request #1762 from doktornotor/patch-3
  Renato Botelho, 2015-07-18, 1 file, -4/+4

    * Add labels to some default firewall rules
      doktornotor, 2015-07-18, 1 file, -4/+4
      ... so that people can get useful descriptions in the System Logs - Firewall GUI, instead of useless tracker numbers.

* Merge pull request #1756 from phil-davis/traffic-graph-widget-2-2
  Renato Botelho, 2015-07-18, 2 files, -24/+39

    * Only process Traffic Graph object if it is open
      Phil Davis, 2015-07-01, 2 files, -24/+39
      Reduces useless CPU use on the pfSense box when the dashboard is displayed with the Traffic Graphs widget.

* Really avoid error loading rules for numeric host name in alias
  Phil Davis, 2015-07-18, 1 file, -1/+2
  Create a host-type alias. Put just a number in "IP or FQDN" - e.g. I made alias name "Zqw" and a single host "23". The webGUI reports:
  There were error(s) loading the rules: /tmp/rules.debug:44: syntax error - The line in question reads [44]: table { 23 }
  and /tmp/rules.debug has:
  table { 23 }
  Zqw = ""
  which pf does not cope with. This change will differentiate between a number in the context of a port alias and a number that is_hostname. This time I think it really works :)
  The call to alias_get_type() needed to send the alias name as parameter. alias_get_type() is a bit expensive - it scans through the whole list of aliases looking for a match on the name. So I made this code just call it once for the name and then use that $alias_type var each time as it loops through all the addresses in an alias.
  I have tried this successfully with a few combinations of nested port/host/network aliases. But maybe there is some wacky combination of nested aliases possible that could still break this? I don't see how, but it needs testing on some configs that have all sorts of nested alias types.

* Merge pull request #1761 from doktornotor/patch-2
  Renato Botelho, 2015-07-18, 1 file, -4/+4

    * Fix Firewall - Aliases GUI inconsistencies for URL Table type aliases
      doktornotor, 2015-07-17, 1 file, -4/+4
      The GUI should show descriptions according to what's selected from the dropdown, but currently does not for URL Table (IPs) and URL Table (Ports) type of aliases. This is for RELENG_2_2 branch.

* Handle OpenVPN bound to gateway groups using CARP IPs in rc.carpmaster/backup. Ticket #4854
  Chris Buechler, 2015-07-18, 2 files, -2/+31

* Fixes for IPSec ASN1.DN, ticket #4792
  Renato Botelho, 2015-07-17, 1 file, -7/+17
  - Do not add leftid to config when value is empty
  - When asn1dn param is in binary form, explicit type
  - Always add double quotes for asn1dn

* Only add outgoing-interface if IP. Ticket #4852
  Chris Buechler, 2015-07-17, 1 file, -2/+2

* Fix #4794:
  Renato Botelho, 2015-07-17, 3 files, -2/+23
  - Add an upgrade code to fix asn1dn string format to match strongSwan needs
  - Bump config version to 11.8

* Contrary to some reports this is actually usable in some cases, just not mandatory. Revert "myid_data and peerid_data fields are not relevant with asn1dn."
  Chris Buechler, 2015-07-16, 1 file, -14/+8
  This reverts commit b8754cc85db7e92322f605bbb4b2f90bde90bb7f.

* myid_data and peerid_data fields are not relevant with asn1dn.
  Chris Buechler, 2015-07-16, 1 file, -8/+14

* Restrict serial ports glob to cua followed by alpha
  Phil Davis, 2015-07-16, 1 file, -3/+3
  Improve this a little more to match only alpha after /dev/cua (/dev/cuau for example)

* Make serial ports glob cope with many more possibilities
  Phil Davis, 2015-07-16, 1 file, -3/+3
  It originally coped with things like cuau1 cuau1.1
  Then I made it cope with things like cuau1 cuau11 but it stopped working for cuau1.1
  This one copes with: cuau1 cuau1.1 cuau1.11 cuau11 cuau11.1 cuau11.11
  That should allow for all sorts of reasonable device name files without matching other stuff in /dev (like cuau1.init cuau1.lock) that we need to ignore. Please think if I have covered the bases here.

* Add leftid and rightid value between double quotes on ipsec config when type is asn1dn. Ticket #4792
  Renato Botelho, 2015-07-16, 2 files, -3/+8

* Remove old, unused NetUtils.js
  Chris Buechler, 2015-07-16, 2 files, -114/+1

* Revert "Avoid error loading rules for numeric host name in alias"
  Renato Botelho, 2015-07-15, 1 file, -1/+1
  This reverts commit 6605035f9d2a04d1d4b724f6e993bc3f5c6d173d.