path: root/etc
Commit message  Author  Age  Files  Lines
* Merge pull request #1762 from doktornotor/patch-3  Renato Botelho  2015-07-18  1  -4/+4
|\
| * Add labels to some default firewall rules  doktornotor  2015-07-18  1  -4/+4
| |   ... so that people can get useful descriptions in the System Logs - Firewall GUI, instead of useless tracker numbers.
* | Really avoid error loading rules for numeric host name in alias  Phil Davis  2015-07-18  1  -1/+2
| |   Create a host-type alias. Put just a number in "IP or FQDN" - e.g. I made alias name "Zqw" and a single host "23". The webGUI reports:
| |   There were error(s) loading the rules: /tmp/rules.debug:44: syntax error - The line in question reads [44]: table { 23 }
| |   and /tmp/rules.debug has:
| |   table <Zqw> { 23 }
| |   Zqw = "<Zqw>"
| |   which pf does not cope with.
| |   This change will differentiate between a number in the context of a port alias and a number that is_hostname. This time I think it really works :)
| |   The call to alias_get_type() needed to send the alias name as parameter. alias_get_type() is a bit expensive - it scans through the whole list of aliases looking for a match on the name. So I made this code just call it once for the name and then use that $alias_type var each time as it loops through all the addresses in an alias.
| |   I have tried this successfully with a few combinations of nested port/host/network aliases. But maybe there is some wacky combination of nested aliases possible that could still break this? I don't see how, but it needs testing on some configs that have all sorts of nested alias types.
|/
* Handle OpenVPN bound to gateway groups using CARP IPs in rc.carpmaster/backup. Ticket #4854  Chris Buechler  2015-07-18  2  -2/+31
|
* Fixes for IPSec ASN1.DN, ticket #4792  Renato Botelho  2015-07-17  1  -7/+17
|   - Do not add leftid to config when value is empty
|   - When asn1dn param is in binary form, explicit type
|   - Always add double quotes for asn1dn
* Only add outgoing-interface if IP. Ticket #4852  Chris Buechler  2015-07-17  1  -2/+2
|
* Fix #4794:  Renato Botelho  2015-07-17  2  -1/+22
|   - Add an upgrade code to fix asn1dn string format to match strongSwan needs
|   - Bump config version to 11.8
* Add leftid and rightid value between double quotes on ipsec config when type is asn1dn. Ticket #4792  Renato Botelho  2015-07-16  2  -3/+8
|
* Remove old, unused NetUtils.js  Chris Buechler  2015-07-16  1  -0/+1
|
* Revert "Avoid error loading rules for numeric host name in alias"  Renato Botelho  2015-07-15  1  -1/+1
|   This reverts commit 6605035f9d2a04d1d4b724f6e993bc3f5c6d173d.
* Fix issue_ip_type var name spelling  Phil Davis  2015-07-15  1  -6/+6
|   Actually there was no real problem, but having a mis-spelling like this means that English speakers will waste time (like I did) double-checking to see if the mis-spelling would cause a real problem.
* Avoid error loading rules for numeric host name in alias  Phil Davis  2015-07-15  1  -1/+1
|   Create a host-type alias. Put just a number in "IP or FQDN" - e.g. I made alias name "Zqw" and a single host "23". The webGUI reports:
|   There were error(s) loading the rules: /tmp/rules.debug:44: syntax error - The line in question reads [44]: table { 23 }
|   and /tmp/rules.debug has:
|   table <Zqw> { 23 }
|   Zqw = "<Zqw>"
|   which pf does not cope with.
|   It is possible to have a host name that is a number, and end up with a domain name like 23.mycompany.com - unfortunately some Wally allowed such things in standards many years ago, so it can be rather difficult to tell the difference between a number and a host name.
|   This change improves the check when looking through alias entries and deciding if they are meant to be a name or a "bottom-level" value (address, subnet, port, port range). Anything that ends up looking like a host name gets given to filterdns to sort out.
|   "Names" like "23" now get given to filterdns instead of being put directly into the table in pf. This makes things happier. Even if filterdns cannot resolve "23", at least it tries and nothing barfs.
* Fix GratisDNS support, manual merge of commit 3e31a7f82589d3350f111bd7d81cc83a0ab253e2  Chris Buechler  2015-07-14  1  -2/+2
|
* fix fsync, thanks Phil Davis for noticing  Chris Buechler  2015-07-10  1  -1/+1
|
* fix fsync  Chris Buechler  2015-07-10  1  -1/+1
|
* fsync after fclose here, clean up some white space while here.  Chris Buechler  2015-07-10  1  -21/+27
|
* fsync conf_path here too  Chris Buechler  2015-07-10  1  -0/+1
|
* fix typo  Chris Buechler  2015-07-10  1  -1/+1
|
* Make sure config.xml is safe on disk when restoring a backup, ticket #4803  Renato Botelho  2015-07-06  1  -0/+1
|
* Make sure temporary config file is safe on disk before rename, ticket #4803  Renato Botelho  2015-07-06  1  -1/+1
|
* Remove reference to vfs.forcesync  Renato Botelho  2015-07-06  1  -1/+0
|
* Use right function pfSense_fsync to make sure config file is safe on disk, ticket #4803  Renato Botelho  2015-07-06  1  -4/+2
|
* fix includes so shellsession restartipsec works.  Chris Buechler  2015-07-05  1  -0/+2
|
* remove debug.pfftpproxy, it no longer exists.  Chris Buechler  2015-07-04  1  -1/+0
|
* Fix keyid identifiers, and go back to using %any in ipsec.secrets as in previous versions, fixing a variety of other ID issues. Latter will break some mobile IPsec circumstances, fix for that to come after more testing. Ticket #4811  Chris Buechler  2015-07-03  1  -2/+4
|
* sync up vpn.inc with master. Mostly white space and style changes  Chris Buechler  2015-07-02  1  -280/+426
|
* sync up ipsec.inc with master. Mostly whitespace and style changes.  Chris Buechler  2015-07-02  1  -174/+219
|
* fix part of keyid problem. Ticket #4811  Chris Buechler  2015-07-01  1  -1/+1
|
* Remove unnecessary deletion of rc.conf. Add an empty rc.conf with a note  Chris Buechler  2015-07-01  3  -6/+1
|   so people don't think they should be using it.
* Improve handling of port ranges in relayd, fixes #4810  jim-p  2015-07-01  1  -1/+5
|
* Use interface-automatic for Unbound when the interfaces list is empty (same as All) otherwise it breaks with a default CARP config.  jim-p  2015-06-26  1  -0/+2
|
* Bump version to 2.2.4-DEVELOPMENT  Renato Botelho  2015-06-25  1  -1/+1
|
* It's time for 2.2.3-RELEASE  [RELENG_2_2_3]  Renato Botelho  2015-06-23  1  -1/+1
|
* Add D1540-XG.  Matt Smith  2015-06-23  1  -0/+3
|
* Introduce Netgate RCC-DFF to the list of known platforms  Renato Botelho  2015-06-23  2  -2/+8
|
* rereadall is not enough here, restore reload call to make sure everything works. Ticket #4785  Renato Botelho  2015-06-23  1  -0/+1
|
* Replace ipsec rereadsecrets + reload by single rereadall, that will re-read also cert changes. Ticket #4785  Renato Botelho  2015-06-23  1  -2/+1
|
* Instead of sending USR1, just call ipsec reload. And before it, call ipsec rereadsecrets to make sure new secrets are updated. It should fix #4785  Renato Botelho  2015-06-23  1  -1/+2
|
* Partially revert 019ee2bc8c, this workaround is not necessary. Real fix will be committed after this  Renato Botelho  2015-06-23  1  -8/+0
|
* Add a workaround for ticket #4785:  Renato Botelho  2015-06-23  1  -4/+18
|   There was a regression on strongswan between 5.3.0 and 5.3.2 as reported at [1]. To work around this issue, add an extra line on ipsec.secrets with right fqdn.
* Fix var name typo in shaper.inc  Chris Buechler  2015-06-23  1  -1/+1
|
* Don't delete /var/tmp/, that was originally done to clear session data at boot, but no longer applicable as session data is no longer in /var/tmp/. Credit to 'aa' on opnsense forum.  Chris Buechler  2015-06-22  1  -1/+0
|
* Use $myid in ipsec.secrets. Ticket #4785  Chris Buechler  2015-06-22  1  -2/+2
|
* This is incomplete. Leaving for 2.3. Revert "Ticket #4683 merge in brainpool for DH parameters"  Chris Buechler  2015-06-22  1  -11/+2
|   This reverts commit 7dc35024af3af1d644c25b002ca9f40f1d61c05b.
* Specify $myid rather than %any here, otherwise user manager and mobile PSKs won't match. Ticket #4781  Chris Buechler  2015-06-21  1  -3/+4
|
* Obsolete pt_BR.ISO-88591 in favor of UTF-8  Renato Botelho  2015-06-19  1  -1/+1
|
* Move pt_BR translation from ISO to UTF-8  Renato Botelho  2015-06-19  1  -1/+1
|
* Ticket #4746 Correctly set global variables to be used by hostnames code paths  Ermal LUÇI  2015-06-19  1  -2/+2
|
* Ticket #4683 merge in brainpool for DH parameters  Ermal LUÇI  2015-06-19  1  -2/+11
|
* Add a GUI field to increase the pf frag entries limit. Fixes ticket #4775  jim-p  2015-06-18  1  -0/+5
|