path: root/etc
Commit message (Author, Age, Files, Lines)
* Use 1-6 rather than 0-5 for IPsec logging levels, to stay away from complications of 0 due to PHP stupidity. Upgrade config to add 1 to any configured log levels. Default to 1 as log level where none is configured by the user. Ticket #5340 (Chris Buechler, 2015-10-26, 3 files, -5/+22)
* IKE auto mode is back, remove this config upgrade code unsetting it. (Chris Buechler, 2015-10-24, 1 file, -4/+0)
* Check unbound root.key file contents, and remove it if invalid, before unbound-anchor runs otherwise it will fail and unbound will fail to start. fsync the file after writing to prevent the problem. Ticket #5334 (Chris Buechler, 2015-10-21, 1 file, -0/+9)
* Make setting charon.plugins.attr.subnet conditional on net_list being set. Set its value to list of subnets configured as P2's for mobile IPsec. Fixes #5327. (Matt Smith, 2015-10-21, 1 file, -3/+1)
* Disable strongswan logging under auth since it's all logged under daemon, so nothing is duplicated. Ticket #5242 (Chris Buechler, 2015-10-20, 1 file, -0/+5)
* Check whether the P2 or its associated P1 are disabled before adding NAT rules. Ticket #5320 (Chris Buechler, 2015-10-20, 1 file, -1/+8)
* Disable zero copy buffers in bpf. (Luiz Otavio O Souza, 2015-10-19, 1 file, -1/+0)
|   This was a no-op before my changes (so this was never really enabled) and now it is known to cause issues with tcpdump and hostapd. Disable this until we fix all the raised issues. Issue: #5257
* Cherry-pick 98bf4991dc31f97fc7315a6b8aba433de9d39cea: (Luiz Otavio O Souza, 2015-10-19, 1 file, -20/+14)
|   Fixes #4150. Move to tables to accommodate unlimited number of interfaces.
|   Cherry-pick 52fe0465b463dd8b8f4b2099d562254da320e704: Fix the captive portal rules after 98bf4991dc31f97fc7315a6b8aba433de9d39cea. The malformed rules break the parsing of initialisation rules.
|   Issue: #4746
* Add 'caref' attribute to the ca object passed into ca_inter_create so a relationship to the signing CA can be maintained. Fixes #5313. (Matt Smith, 2015-10-16, 1 file, -0/+1)
* Limit strongswan trusted CA certificates to those required for authentication of the configured IPsec SA's instead of trusting all known CA's. Fixes #5243. (Matt Smith, 2015-10-16, 1 file, -22/+46)
* only use daemon and not auth for strongswan logging. As it was, all logs were duplicated. Ticket #5242 (Chris Buechler, 2015-10-15, 1 file, -6/+0)
* fix comparison here. Ticket #4558 (Chris Buechler, 2015-10-15, 1 file, -1/+1)
* Set rightca for IPsec phase 1 using Mutual RSA, Mutual RSA + xauth, or EAP-TLS. Fixes #5241. (Matt Smith, 2015-10-15, 1 file, -0/+24)
* s/ip/IP/ it got lost on revert. Spotted by @phil-davis (Renato Botelho, 2015-10-14, 1 file, -1/+1)
* This is necessary for dhcrelay to function. Revert "remove the destination server's interface(s) from dhcrelay" (Chris Buechler, 2015-10-14, 1 file, -6/+132)
|   This reverts commit 97613114b5b74c334609d7fcd79c94741b111793.
* Auto-add firewall rules for DHCP Relay, same as is done for DHCP Server. Add filter reload to DHCP Relay config so rules are immediately added/removed. Ticket #4558 (Chris Buechler, 2015-10-14, 1 file, -0/+13)
* Remove original rightsourceip. Ticket #5284 (Chris Buechler, 2015-10-13, 1 file, -1/+0)
* PHP chmod() doesn't like 1777, gives it 01777 then (Renato Botelho, 2015-10-13, 1 file, -1/+1)
* Add missing ; and also mute chmod (Renato Botelho, 2015-10-13, 1 file, -1/+1)
* Preserve /tmp permission, it fixes #5298 (Renato Botelho, 2015-10-13, 1 file, -0/+1)
* Remove strongswan's cert directories and repopulate them, to ensure no removed CAs, certs, or CRLs remain. Ticket #5238 (Chris Buechler, 2015-10-12, 1 file, -0/+5)
* Fix up strongswan logging levels. Remove charondebug since strongswan.conf settings take precedence. Set logging levels in strongswan.conf to match what's set on a running system via 'ipsec stroke loglevel', and remove log levels that were hard coded in strongswan.conf. Ticket #5242 (Chris Buechler, 2015-10-12, 1 file, -7/+11)
* Add SVG MIME type - RELENG_2_2 (doktornotor, 2015-10-09, 1 file, -0/+1)
|   Because it breaks traffic graphs for people. https://forum.pfsense.org/index.php?topic=87390.0
* Do curl_init above any curl_setopt, and take it out of that if block since it applies to all types. (Chris Buechler, 2015-10-08, 1 file, -1/+2)
* https://redmine.pfsense.org/issues/5207 (Matt Smith, 2015-10-07, 1 file, -2/+1)
|   change auth methods for both peers when using hybrid RSA + xauth with IKEv1
* Add support for an IPv6 pool for mobile clients. (Matt Smith, 2015-10-07, 1 file, -4/+13)
* Where doing a dynamic DNS update on IPv4, force curl to resolve IPv4 IPs. Ticket #3858 (Chris Buechler, 2015-10-03, 1 file, -0/+4)
* Fix typo (Chris Buechler, 2015-10-02, 1 file, -1/+1)
* Specify PSK for mobile configurations without the leading ID selectors. Fixes PSK mismatches from iOS clients. (Chris Buechler, 2015-10-02, 1 file, -0/+3)
* When using eap-radius, if the virtual address pool is left blank, pull the IP addresses from RADIUS instead. (Will need an IP address defined for each account.) Doesn't seem to be possible to pull from either RADIUS *or* a local pool that I can see from experimenting and looking at strongSwan's docs. (jim-p, 2015-10-01, 1 file, -2/+6)
* Specify %any where identifier is "any", so the note on these pages actually works. (Chris Buechler, 2015-10-01, 1 file, -0/+3)
* Only need to check 'vip' here. (Chris Buechler, 2015-09-30, 1 file, -1/+1)
* Can't use continue here as it continues the foreach, which skips the "ipfw zone" command, breaking CP for any system that doesn't have VIPs defined. (Chris Buechler, 2015-09-30, 1 file, -6/+5)
* Bring this back, I'll fix issues afterwards. Revert "Remove "auto", it's just a synonym for IKEv2. Ticket #4873" (Chris Buechler, 2015-09-29, 1 file, -1/+3)
|   This reverts commit 47f802694a1e1dfbbd011d7ec431c0948358b5c3.
* Use the appropriate parent interface with gateway groups using CARP VIPs. Ticket #4990 (Chris Buechler, 2015-09-29, 1 file, -2/+9)
* Disable DHS as a dynamic DNS provider option. It's never worked, and fixing is more complex than just fixing the variable screw up and disabling cert validation for their SSLLabs F-graded site. Updates made on their site even take quite some time to be reflected, seems to be a largely abandoned service. (Chris Buechler, 2015-09-29, 2 files, -5/+6)
* Use self rather than any in auto-added IPsec rules to prevent over-matching. Ticket #5211 (Chris Buechler, 2015-09-28, 1 file, -8/+8)
* Merge pull request #1938 from phil-davis/patch-5 (Renato Botelho, 2015-09-28, 1 file, -2/+21)
|\
| * Redmine #5200 be less aggressive about DHCP Pool Notice V2 (Phil Davis, 2015-09-26, 1 file, -2/+21)
| |   This one will log_error() the DHCP pool message when it detects the inconsistency at the end of the setup wizard during reload all. That way it can still be seen in the system log that this happened, and one day someone might chase down all the steps in the "reload all" process. Compare this with https://github.com/pfsense/pfsense/pull/1935 and choose which way you would like to go.
* | Fix comment language (doktornotor, 2015-09-28, 1 file, -1/+1)
* | Remove syslog.conf entries on package uninstall (Bug #5210) - RELENG_2_2 (doktornotor, 2015-09-27, 1 file, -3/+10)
|/    The remove_text_from_file() is not needed at all. However, system_syslogd_start() must be run after the package entries are gone from config.xml, otherwise system_syslogd_start() just re-adds the (now almost removed) package logging configuration from there.
* Use get_interface rather than find_interface here. It'll work for VIPs on gateway groups this way, and cache doesn't really matter here. Partial fix for Ticket #4990 (Chris Buechler, 2015-09-23, 1 file, -2/+2)
* Do not pass vouchers shorter than 5 characters to voucher application, they are too short to be a valid voucher. (Luiz Otavio O Souza, 2015-09-22, 1 file, -2/+4)
|   Discussed with: Jim P
|   Issue: #4985
* Merge pull request #1790 from phil-davis/pkg-install-4884-RELENG_2_2 (Renato Botelho, 2015-09-21, 1 file, -6/+12)
|\
| * Pkg install error handling and connect timeout RELENG_2_2 (Phil Davis, 2015-07-27, 1 file, -6/+12)
| |   Fixes Redmine #4884
| |   1) Line 778-780 - If the fetch of any of the package additional files fails then bail out. This prevents half-installed packages that look like they had a successful install.
| |   2) Line 1458 - use the return boolean value from download_file_with_progress_bar() to determine success or failure here, like is done in the other places in this file. I had a case of installing a package with an error (timeout) and the download (I presume it was the download code) had left an empty file /usr/local/pkg/autoconfigbackup.xml - it passed the file_exists() check and the rest of the code went on to happily install the "nothing" in the package and then claim the package was successfully installed :(
| |   After the above 2 changes I could get reliable indication of success/failure of the package install and the code would abort nicely if a download went wrong.
| |   3) Package installs happen either:
| |      i) On the end of a boot after upgrade or config restore, or;
| |      ii) Online while the main system is running (happily)
| |   Therefore there is no need to rush to abort if the download of a package file is taking some time to get started. It seems better to me to wait a decent amount of time rather than abort. Thus I have increased the connect timeout for this from the default (5) to 30 seconds. This makes my crap sites load packages much better :)
* | GratisDNS support for hosts without subdomains (mortencombat, 2015-09-21, 1 file, -2/+9)
| |   Resubmit of #1793
* | Add L2TP server's interface to mpd.conf (TarasSavchuk, 2015-09-21, 1 file, -0/+7)
| |   https://redmine.pfsense.org/issues/4830
| |   https://forum.pfsense.org/index.php?topic=95908.0
* | Merge pull request #1916 from doktornotor/patch-15 (Renato Botelho, 2015-09-21, 1 file, -32/+50)
|\ \
| * | Fix Cloudflare support for Dynamic DNS Updates (doktornotor, 2015-09-20, 1 file, -32/+50)
| | |   Backport of #1812 to RELENG_2_2
| | |   The current implementation isn't working due to API change.
| | |   Credits: det0nat3 @ https://forum.pfsense.org/index.php?topic=87436.msg534817#msg534817
* | | Merge pull request #1807 from miken32/RELENG_2_2 (Renato Botelho, 2015-09-21, 1 file, -0/+9)
|\ \ \