| Commit message | Author | Age | Files | Lines |
generation for differentiating between pipes and queues.
|
* Much improved rule generation speed
* Many bug fixes in general in the interface handling
NOTE: this is only half of the changes; the other half will come after
|
mobile client tab is now used to configure user authentication (Xauth) and
client configuration (mode-cfg) options. User authentication is currently
limited to system password file entries. This will be extended to support
external RADIUS and LDAP account DBs in a follow up commit.
|
a new file named /etc/ipsec.inc. Tunnel definitions have been split into
phase1 and phase2. This allows any number of phase2 definitions to be
created for a single phase1 definition. Several facets of configuration
have also been improved. The key size for variable length algorithms can
now be selected and the phase1 ID options have been extended to allow for
more flexible configuration. Several NAT-T related issues have also been
resolved.
Please note, IPsec remote access functionality has been temporarily
disabled. An improved implementation will be included in a follow up
commit.
workaround is disabled.
|
till the merge of the RELENG_1_MULTI_ANYTHING happens.
|
yesterday did.
|
Not sure if this works for DHCP yet.
|
Do not generate static ipsec rules when mobile is already enabled.
Set route-to for outbound and reply-to for inbound traffic.
Only generate rules for interfaces with a gateway.
.. (do we really need ipsec rules on interfaces without a gateway? ..
This might work around the need to set static routes for static ipsec tunnels.
|
A few FIXME efforts here
- Tested with static everything.
- Dynamic interfaces dhcp/pppoe are not tested.
- Single gateway rules probably don't parse, need testing and adaptation.
|
Move gateway load balancing code into gwlb.inc - still uses slbd
TODO: vs and pool status screens are currently broken...and wouldn't work
with the gateway pools anyway, ultimately, the gateway pools need
to move.
|
negate rule instead of looping it every rule it applies to.
Also add function that returns locally connected networks.
|
negation for local and vpn networks
|
Add subnet checking for robustness
|
multiple IP addresses can be of the type DHCP on WAN. This is nice because
prior it was impossible to run dhclient on WAN to obtain multiple IP
addresses. This is much cleaner than the previous proposed ethernet
cloning mojo using netgraph.
|
passing through pfSense when PPTP redirecting is active.
|
any special treatment other than getting exposed to the GUI of OpenVPN. This will come incrementally.
For rules, a note would be added to the OpenVPN page, as it is currently for PPTP/PPPoE, to create filter rules themselves to allow traffic to flow.
NOTE: This is as much a code cleanup as a security fix, since it opened people's firewalls under the hood.
|
This is just a s/ng0/typeof connection0/ for now.
The major work should be done to allow all optX and lan to be pppoe or pptp interfaces and just assign the network interface accordingly. It simplifies a lot of things, but this has to be done.
This would properly identify interfaces instead of hardcoding names around.
|
the names.
Better do this than patch netstat to allow space for IFNAMSIZ in the interface column.
|
* The only downside for now is that we can leak tun devices when tunnels are deleted.
The proper fix can be by using a devd script on the interface down event, or using the down script called by openvpn itself.
* Rename those to openvpnX names and add them to the openvpn group (to not rely on groups created by FreeBSD automatically).
* Use group openvpn on filtering for all OpenVPN tunnels.
* Remove redundant creation of rules for allowing traffic outside of the pfSense itself, since pf allows this with a rule without interface specified.
NOTE: left in place are the TAP interface rules, which I do not know if they can be configured for openvpn as of now.
There is even a check for tun/openvpn and tap interfaces if they are being used as WAN interfaces to create explicit pass in rules, which are questionable if they are needed, since there are outgoing rules with keep state active which should compensate for this.
For now leave those untouched.
|
Make the needed change to make stateless rules be generated correctly.
Also there are no advanced options to be generated with this.
Fix this regression too.