From 5b237745003431d487de361ca0980a467ee2f5d5 Mon Sep 17 00:00:00 2001 
From: Scott Ullrich Date: Sun, 7 Nov 2004 03:06:49 +0000 Subject: Initial revision --- usr/local/www/diag_backup.php | 126 ++++ usr/local/www/diag_defaults.php | 73 ++ usr/local/www/diag_dhcp_leases.php | 189 ++++++ usr/local/www/diag_ipsec_sad.php | 139 ++++ usr/local/www/diag_ipsec_spd.php | 155 +++++ usr/local/www/diag_logs.php | 102 +++ usr/local/www/diag_logs_dhcp.php | 103 +++ usr/local/www/diag_logs_filter.php | 190 ++++++ usr/local/www/diag_logs_settings.php | 202 ++++++ usr/local/www/diag_logs_vpn.php | 111 ++++ usr/local/www/diag_ping.php | 113 ++++ usr/local/www/diag_resetstate.php | 97 +++ usr/local/www/edit.php | 128 ++++ usr/local/www/exec.php | 240 +++++++ usr/local/www/exec_raw.php | 38 ++ usr/local/www/fbegin.inc | 131 ++++ usr/local/www/fend.inc | 8 + usr/local/www/firewall_aliases.php | 127 ++++ usr/local/www/firewall_aliases_edit.php | 195 ++++++ usr/local/www/firewall_nat.php | 171 +++++ usr/local/www/firewall_nat_1to1.php | 145 ++++ usr/local/www/firewall_nat_1to1_edit.php | 216 ++++++ usr/local/www/firewall_nat_edit.php | 365 ++++++++++ usr/local/www/firewall_nat_out.php | 184 +++++ usr/local/www/firewall_nat_out_edit.php | 311 +++++++++ usr/local/www/firewall_nat_server.php | 143 ++++ usr/local/www/firewall_nat_server_edit.php | 153 +++++ usr/local/www/firewall_rules.php | 268 ++++++++ usr/local/www/firewall_rules_edit.php | 773 +++++++++++++++++++++ usr/local/www/firewall_shaper.php | 269 ++++++++ usr/local/www/firewall_shaper_edit.php | 776 ++++++++++++++++++++++ usr/local/www/firewall_shaper_queues.php | 141 ++++ usr/local/www/firewall_shaper_queues_edit.php | 187 ++++++ usr/local/www/graph.php | 325 +++++++++ usr/local/www/gui.css | 271 ++++++++ usr/local/www/guiconfig.inc | 442 ++++++++++++ usr/local/www/ifstats.cgi | Bin 0 -> 4136 bytes usr/local/www/index.php | 180 +++++ usr/local/www/interfaces.php | 630 ++++++++++++++++++ usr/local/www/interfaces_assign.php | 265 ++++++++ usr/local/www/interfaces_lan.php | 173 +++++ 
usr/local/www/interfaces_opt.php | 276 ++++++++ usr/local/www/interfaces_vlan.php | 149 +++++ usr/local/www/interfaces_vlan_edit.php | 146 ++++ usr/local/www/interfaces_wan.php | 630 ++++++++++++++++++ usr/local/www/interfaces_wlan.inc | 182 +++++ usr/local/www/license.php | 187 ++++++ usr/local/www/logobig.jpg | Bin 0 -> 7911 bytes usr/local/www/reboot.php | 66 ++ usr/local/www/services_captiveportal.php | 396 +++++++++++ usr/local/www/services_captiveportal_ip.php | 152 +++++ usr/local/www/services_captiveportal_ip_edit.php | 152 +++++ usr/local/www/services_captiveportal_mac.php | 133 ++++ usr/local/www/services_captiveportal_mac_edit.php | 134 ++++ usr/local/www/services_dhcp.php | 337 ++++++++++ usr/local/www/services_dhcp_edit.php | 176 +++++ usr/local/www/services_dhcp_relay.php | 229 +++++++ usr/local/www/services_dnsmasq.php | 168 +++++ usr/local/www/services_dnsmasq_edit.php | 160 +++++ usr/local/www/services_dyndns.php | 197 ++++++ usr/local/www/services_proxyarp.php | 124 ++++ usr/local/www/services_proxyarp_edit.php | 231 +++++++ usr/local/www/services_snmp.php | 145 ++++ usr/local/www/services_wol.php | 162 +++++ usr/local/www/services_wol_edit.php | 143 ++++ usr/local/www/status.php | 150 +++++ usr/local/www/status_captiveportal.php | 128 ++++ usr/local/www/status_graph.php | 80 +++ usr/local/www/status_interfaces.php | 283 ++++++++ usr/local/www/status_wireless.php | 189 ++++++ usr/local/www/system.php | 260 ++++++++ usr/local/www/system_advanced.php | 289 ++++++++ usr/local/www/system_firmware.php | 206 ++++++ usr/local/www/system_routes.php | 126 ++++ usr/local/www/system_routes_edit.php | 176 +++++ usr/local/www/vpn_ipsec.php | 192 ++++++ usr/local/www/vpn_ipsec_edit.php | 527 +++++++++++++++ usr/local/www/vpn_ipsec_keys.php | 107 +++ usr/local/www/vpn_ipsec_keys_edit.php | 135 ++++ usr/local/www/vpn_ipsec_mobile.php | 330 +++++++++ usr/local/www/vpn_openvpn.php | 366 ++++++++++ usr/local/www/vpn_openvpn_cli.php | 148 +++++ 
usr/local/www/vpn_openvpn_cli_edit.php | 353 ++++++++++ usr/local/www/vpn_pptp.php | 309 +++++++++ usr/local/www/vpn_pptp_users.php | 126 ++++ usr/local/www/vpn_pptp_users_edit.php | 159 +++++ 86 files changed, 18169 insertions(+) create mode 100755 usr/local/www/diag_backup.php create mode 100755 usr/local/www/diag_defaults.php create mode 100755 usr/local/www/diag_dhcp_leases.php create mode 100755 usr/local/www/diag_ipsec_sad.php create mode 100755 usr/local/www/diag_ipsec_spd.php create mode 100755 usr/local/www/diag_logs.php create mode 100755 usr/local/www/diag_logs_dhcp.php create mode 100755 usr/local/www/diag_logs_filter.php create mode 100755 usr/local/www/diag_logs_settings.php create mode 100755 usr/local/www/diag_logs_vpn.php create mode 100755 usr/local/www/diag_ping.php create mode 100755 usr/local/www/diag_resetstate.php create mode 100755 usr/local/www/edit.php create mode 100755 usr/local/www/exec.php create mode 100755 usr/local/www/exec_raw.php create mode 100755 usr/local/www/fbegin.inc create mode 100755 usr/local/www/fend.inc create mode 100755 usr/local/www/firewall_aliases.php create mode 100755 usr/local/www/firewall_aliases_edit.php create mode 100755 usr/local/www/firewall_nat.php create mode 100755 usr/local/www/firewall_nat_1to1.php create mode 100755 usr/local/www/firewall_nat_1to1_edit.php create mode 100755 usr/local/www/firewall_nat_edit.php create mode 100755 usr/local/www/firewall_nat_out.php create mode 100755 usr/local/www/firewall_nat_out_edit.php create mode 100755 usr/local/www/firewall_nat_server.php create mode 100755 usr/local/www/firewall_nat_server_edit.php create mode 100755 usr/local/www/firewall_rules.php create mode 100755 usr/local/www/firewall_rules_edit.php create mode 100755 usr/local/www/firewall_shaper.php create mode 100755 usr/local/www/firewall_shaper_edit.php create mode 100755 usr/local/www/firewall_shaper_queues.php create mode 100755 usr/local/www/firewall_shaper_queues_edit.php create mode 100755 
usr/local/www/graph.php create mode 100755 usr/local/www/gui.css create mode 100755 usr/local/www/guiconfig.inc create mode 100755 usr/local/www/ifstats.cgi create mode 100755 usr/local/www/index.php create mode 100755 usr/local/www/interfaces.php create mode 100755 usr/local/www/interfaces_assign.php create mode 100755 usr/local/www/interfaces_lan.php create mode 100755 usr/local/www/interfaces_opt.php create mode 100755 usr/local/www/interfaces_vlan.php create mode 100755 usr/local/www/interfaces_vlan_edit.php create mode 100755 usr/local/www/interfaces_wan.php create mode 100755 usr/local/www/interfaces_wlan.inc create mode 100755 usr/local/www/license.php create mode 100755 usr/local/www/logobig.jpg create mode 100755 usr/local/www/reboot.php create mode 100755 usr/local/www/services_captiveportal.php create mode 100755 usr/local/www/services_captiveportal_ip.php create mode 100755 usr/local/www/services_captiveportal_ip_edit.php create mode 100755 usr/local/www/services_captiveportal_mac.php create mode 100755 usr/local/www/services_captiveportal_mac_edit.php create mode 100755 usr/local/www/services_dhcp.php create mode 100755 usr/local/www/services_dhcp_edit.php create mode 100755 usr/local/www/services_dhcp_relay.php create mode 100755 usr/local/www/services_dnsmasq.php create mode 100755 usr/local/www/services_dnsmasq_edit.php create mode 100755 usr/local/www/services_dyndns.php create mode 100755 usr/local/www/services_proxyarp.php create mode 100755 usr/local/www/services_proxyarp_edit.php create mode 100755 usr/local/www/services_snmp.php create mode 100755 usr/local/www/services_wol.php create mode 100755 usr/local/www/services_wol_edit.php create mode 100755 usr/local/www/status.php create mode 100755 usr/local/www/status_captiveportal.php create mode 100755 usr/local/www/status_graph.php create mode 100755 usr/local/www/status_interfaces.php create mode 100755 usr/local/www/status_wireless.php create mode 100755 usr/local/www/system.php create mode 
100755 usr/local/www/system_advanced.php
 create mode 100755 usr/local/www/system_firmware.php
 create mode 100755 usr/local/www/system_routes.php
 create mode 100755 usr/local/www/system_routes_edit.php
 create mode 100755 usr/local/www/vpn_ipsec.php
 create mode 100755 usr/local/www/vpn_ipsec_edit.php
 create mode 100755 usr/local/www/vpn_ipsec_keys.php
 create mode 100755 usr/local/www/vpn_ipsec_keys_edit.php
 create mode 100755 usr/local/www/vpn_ipsec_mobile.php
 create mode 100755 usr/local/www/vpn_openvpn.php
 create mode 100755 usr/local/www/vpn_openvpn_cli.php
 create mode 100755 usr/local/www/vpn_openvpn_cli_edit.php
 create mode 100755 usr/local/www/vpn_pptp.php
 create mode 100755 usr/local/www/vpn_pptp_users.php
 create mode 100755 usr/local/www/vpn_pptp_users_edit.php
(limited to 'usr/local/www')
diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php
new file mode 100755
index 0000000..888651c
--- /dev/null
+++ b/usr/local/www/diag_backup.php
@@ -0,0 +1,126 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* omit no-cache headers because it confuses IE with file downloads */ +$omit_nocacheheaders = true; +require("guiconfig.inc"); + +if ($_POST) { + + unset($input_errors); + + if (stristr($_POST['Submit'], "Restore")) + $mode = "restore"; + else if (stristr($_POST['Submit'], "Download")) + $mode = "download"; + + if ($mode) { + if ($mode == "download") { + config_lock(); + + $fn = "config-" . $config['system']['hostname'] . "." . + $config['system']['domain'] . "-" . date("YmdHis") . ".xml"; + + $fs = filesize($g['conf_path'] . 
"/config.xml"); + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename=$fn"); + header("Content-Length: $fs"); + readfile($g['conf_path'] . "/config.xml"); + config_unlock(); + exit; + } else if ($mode == "restore") { + if (is_uploaded_file($_FILES['conffile']['tmp_name'])) { + if (config_install($_FILES['conffile']['tmp_name']) == 0) { + system_reboot(); + $savemsg = "The configuration has been restored. The firewall is now rebooting."; + } else { + $input_errors[] = "The configuration could not be restored."; + } + } else { + $input_errors[] = "The configuration could not be restored (file upload error)."; + } + } + } +} +?> + + + +<?=gentitle("Diagnostics: Backup/restore");?> + + + + + + +

Diagnostics: Backup/restore

+
+ + + + + + + + + + + + + + + + + +
Backup configuration
  +

Click this button to download the system configuration + in XML format.
+
+ +
+  
+  

Restore configuration
  +

Open a m0n0wall configuration XML file and click the button + below to restore the configuration.
+
+ Note:
+ The firewall will reboot after restoring the configuration.
+
+ +
+
+ +

+
+
+ + + diff --git a/usr/local/www/diag_defaults.php b/usr/local/www/diag_defaults.php new file mode 100755 index 0000000..3ba3ea0 --- /dev/null +++ b/usr/local/www/diag_defaults.php @@ -0,0 +1,73 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if ($_POST) { + if ($_POST['Submit'] != " No ") { + reset_factory_defaults(); + system_reboot(); + $rebootmsg = "The system has been reset to factory defaults and is now rebooting. This may take one minute."; + } else { + header("Location: index.php"); + exit; + } +} +?> + + + +<?=gentitle("Diagnostics: Factory defaults");?> + + + + + + +
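Review bot: `$mode` is tested at `if ($mode)` without ever being initialised, so a POST whose Submit value matches neither "Restore" nor "Download" raises an undefined-variable notice before falling through; add `$mode = "";` ahead of the `stristr()` chain. The download branch also uses the `filesize()` result for Content-Length without checking for a `false` return, and it serves the complete config.xml — which carries whatever secrets the configuration holds — so it deserves the same care as the restore branch that follows it. Both branches are reached on any POST; I assume `guiconfig.inc` performs the authentication check, which is not visible in this hunk.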

Diagnostics: Factory defaults

+ +
+

If you click "Yes", the firewall will be reset + to factory defaults and will reboot immediately. The entire system + configuration will be overwritten. The LAN IP address will be + reset to 192.168.1.1, the system will be configured as a DHCP + server, and the password will be set to 'mono'.
+
+ Are you sure you want to proceed?

+

+ + +

+
+ + + + diff --git a/usr/local/www/diag_dhcp_leases.php b/usr/local/www/diag_dhcp_leases.php new file mode 100755 index 0000000..4b730fa --- /dev/null +++ b/usr/local/www/diag_dhcp_leases.php @@ -0,0 +1,189 @@ +#!/usr/local/bin/php + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +<?=gentitle("Diagnostics: DHCP leases");?> + + + + + + +
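Review bot: The factory reset is triggered by `if ($_POST['Submit'] != " No ")`, so any POST whose Submit value is missing, empty, or merely different from " No " wipes the configuration and reboots the box. The destructive branch should be gated on a positive match of the confirm button's exact value, e.g. `if ($_POST['Submit'] == "<YES-BUTTON-VALUE>")` (placeholder — take the string from the form), with every other value taking the existing redirect to index.php. The form markup is stripped in this rendering, so the button value has to be checked against the actual file.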

Diagnostics: DHCP leases

+ + + + + + + + + +"; + $fspane = ""; + } else { + $fspans = $fspane = ""; + } + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } +} +?> +
IP addressMAC addressHostnameStartEnd
{$fspans}{$data['ip']}{$fspane} {$fspans}{$data['mac']}{$fspane} {$fspans}{$data['hostname']}{$fspane} {$fspans}{$data['start']}{$fspane} {$fspans}{$data['end']}{$fspane} 
+

+

+ + + + + + + + +
+ +

No leases file found. Is the DHCP server active?

+ + + + diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php new file mode 100755 index 0000000..caba9d1 --- /dev/null +++ b/usr/local/www/diag_ipsec_sad.php @@ -0,0 +1,139 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +<?=gentitle("Diagnostics: IPsec");?> + + + + + + +
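Review bot: The lease rows interpolate `{$fspans}{$data['hostname']}{$fspane}` and the other `$data` fields straight into the table cells with no `htmlspecialchars()`; the hostname in particular is whatever the DHCP client announced, so this page renders client-supplied text unescaped. Wrap each field where the `echo` lines build the row, e.g. `htmlspecialchars($data['hostname'])`, and likewise for `ip`, `mac`, `start` and `end`. The HTML in this rendering is partly stripped, so confirm in the file that no escaping is already applied further up.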

Diagnostics: IPsec

+ + + +
+
    +
  • SAD
  • +
  • SPD
  • +
+
+ /dev/null 2>&1", "w"); + if ($fd) { + fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n"); + pclose($fd); + sleep(1); + } +} + +/* query SAD */ +$fd = @popen("/usr/sbin/setkey -D", "r"); +$sad = array(); +if ($fd) { + while (!feof($fd)) { + $line = chop(fgets($fd)); + if (!$line) + continue; + if ($line == "No SAD entries.") + break; + if ($line[0] != "\t") { + if (is_array($cursa)) + $sad[] = $cursa; + $cursa = array(); + list($cursa['src'],$cursa['dst']) = explode(" ", $line); + $i = 0; + } else { + $linea = explode(" ", trim($line)); + if ($i == 1) { + $cursa['proto'] = $linea[0]; + $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); + } else if ($i == 2) { + $cursa['ealgo'] = $linea[1]; + } else if ($i == 3) { + $cursa['aalgo'] = $linea[1]; + } + } + $i++; + } + if (is_array($cursa) && count($cursa)) + $sad[] = $cursa; + pclose($fd); +} +if (count($sad)): +?> + + + + + + + + + + + + + + + + + + + + + + +
SourceDestinationProtocolSPIEnc. alg.Auth. alg.
+ + +
+ +

No IPsec security associations.

+ +
+ + + diff --git a/usr/local/www/diag_ipsec_spd.php b/usr/local/www/diag_ipsec_spd.php new file mode 100755 index 0000000..80cd066 --- /dev/null +++ b/usr/local/www/diag_ipsec_spd.php @@ -0,0 +1,155 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +<?=gentitle("Diagnostics: IPsec");?> + + + + + + +
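Review bot: The delete path writes `delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n` to setkey's stdin directly from query parameters, with no validation, and it fires on a plain GET, so a security association is removed by following a link. Validate each value before it reaches the `fwrite()` — `is_ipaddr()` for src and dst, `in_array($_GET['proto'], array("esp", "ah"), true)` for the protocol, and a hex-digit check on spi — and skip the delete otherwise; a state-changing action should also be accepted on POST only. diag_ipsec_spd.php's `spddelete` path in the next hunk has the same shape (`src`, `dst`, `dir` unvalidated) and needs the same checks. The `popen()` call that opens setkey is partly cut in this rendering.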

Diagnostics: IPsec

+ + + +
+
    +
  • SAD
  • +
  • SPD
  • +
+
+ /dev/null 2>&1", "w"); + if ($fd) { + fwrite($fd, "spddelete {$_GET['src']} {$_GET['dst']} any -P {$_GET['dir']} ;\n"); + pclose($fd); + sleep(1); + } +} + +/* query SAD */ +$fd = @popen("/usr/sbin/setkey -DP", "r"); +$spd = array(); +if ($fd) { + while (!feof($fd)) { + $line = chop(fgets($fd)); + if (!$line) + continue; + if ($line == "No SPD entries.") + break; + if ($line[0] != "\t") { + if (is_array($cursp)) + $spd[] = $cursp; + $cursp = array(); + $linea = explode(" ", $line); + $cursp['src'] = substr($linea[0], 0, strpos($linea[0], "[")); + $cursp['dst'] = substr($linea[1], 0, strpos($linea[1], "[")); + $i = 0; + } else if (is_array($cursp)) { + $linea = explode(" ", trim($line)); + if ($i == 1) { + if ($linea[1] == "none") /* don't show default anti-lockout rule */ + unset($cursp); + else + $cursp['dir'] = $linea[0]; + } else if ($i == 2) { + $upperspec = explode("/", $linea[0]); + $cursp['proto'] = $upperspec[0]; + list($cursp['ep_src'], $cursp['ep_dst']) = explode("-", $upperspec[2]); + } + } + $i++; + } + if (is_array($cursp) && count($cursp)) + $spd[] = $cursp; + pclose($fd); +} +if (count($spd)): +?> + + + + + + + + + + + + + + + + + + + + +
SourceDestinationDirectionProtocolTunnel endpoints
-
+
+ + +
+
+ + + + + + + + + + + + +
incoming (as seen by firewall)
outgoing (as seen by firewall)
+ +

No IPsec security policies.

+ +
+ + + diff --git a/usr/local/www/diag_logs.php b/usr/local/www/diag_logs.php new file mode 100755 index 0000000..fe4d41a --- /dev/null +++ b/usr/local/www/diag_logs.php 
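Review bot: The comment above `$fd = @popen("/usr/sbin/setkey -DP", "r");` still reads `/* query SAD */`, copied from diag_ipsec_sad.php, but `-DP` dumps the policy database; change it to `/* query SPD */`. `$cursp` and `$i` are also never initialised before the `while` loop, and after `unset($cursp)` on the `none` policy the loop keeps incrementing `$i` until the next non-indented line; a one-line `$cursp = null; $i = 0;` before the loop makes the parse state explicit. The `substr(..., 0, strpos(...))` extraction of src/dst yields an empty string when no `[` is present, which is worth a short comment if that is intended.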
@@ -0,0 +1,102 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); +} + +function dump_clog($logfile, $tail, $withorig = true) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + echo "\n"; + + if ($withorig) { + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + echo "" . htmlspecialchars($logent[4] . " " . $logent[5]) . "\n"; + } else { + echo "" . 
htmlspecialchars($logent[5]) . "\n"; + } + echo "\n"; + } +} + +?> + + + +<?=gentitle("Diagnostics: System logs");?> + + + + + + +

Diagnostics: System logs

+ + + + + +
+ +
+ + + + + +
+ Last system log entries
+
+ +
+
+ + + diff --git a/usr/local/www/diag_logs_dhcp.php b/usr/local/www/diag_logs_dhcp.php new file mode 100755 index 0000000..ba13ee3 --- /dev/null +++ b/usr/local/www/diag_logs_dhcp.php 
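Review bot: `dump_clog()` splices its arguments into a shell command, `exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr)`; both callers pass a literal path and `$config['syslog']['nentries']`, but the function has no guard of its own, so wrap the path with `escapeshellarg($logfile)` and cast `(int)$tail` inside it. The same function is copied verbatim into diag_logs_dhcp.php and diag_logs_filter.php in the following hunks; defining it once in guiconfig.inc would keep the three copies from drifting. `$logent[4]` and `$logent[5]` are also read unconditionally after `preg_split("/\s+/", $logent, 6)`, so a log line with fewer fields produces undefined-offset notices.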
@@ -0,0 +1,103 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 32768 /var/log/dhcpd.log"); +} + +function dump_clog($logfile, $tail, $withorig = true) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + echo "\n"; + + if ($withorig) { + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + echo "" . htmlspecialchars($logent[4] . " " . $logent[5]) . "\n"; + } else { + echo "" . 
htmlspecialchars($logent[5]) . "\n"; + } + echo "\n"; + } +} + +?> + + + +<?=gentitle("Diagnostics: System logs");?> + + + + + + +

Diagnostics: System logs

+ + + + + +
+ +
+ + + + + +
+ Last DHCP service log entries
+
+ +
+
+ + + + diff --git a/usr/local/www/diag_logs_filter.php b/usr/local/www/diag_logs_filter.php new file mode 100755 index 0000000..fece0ac --- /dev/null +++ b/usr/local/www/diag_logs_filter.php 
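Review bot: `if ($_POST['clear'])` reads the index without `isset`, so every GET view of this page (and of diag_logs.php and diag_logs_filter.php, which carry the same line) emits an undefined-index notice under E_NOTICE; `if (!empty($_POST['clear']))` keeps the behaviour and removes it. The clear here recreates the log with `-s 32768` while diag_logs.php uses 262144; if the smaller size is deliberate, a short comment on the `exec` line would save the next reader a question.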
@@ -0,0 +1,190 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 262144 /var/log/filter.log"); +} + +function dump_clog($logfile, $tail, $withorig = true) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + echo "\n"; + + if ($withorig) { + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + echo "" . htmlspecialchars($logent[4] . " " . $logent[5]) . "\n"; + } else { + echo "" . 
htmlspecialchars($logent[5]) . "\n"; + } + echo "\n"; + } +} + +function conv_clog($logfile, $tail) { + global $g, $config; + + /* make interface/port table */ + $iftable = array(); + $iftable[$config['interfaces']['lan']['if']] = "LAN"; + $iftable[get_real_wan_interface()] = "WAN"; + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + $iftable[$config['interfaces']['opt' . $i]['if']] = $config['interfaces']['opt' . $i]['descr']; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + $filterlog = array(); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + $ipfa = explode(" ", $logent[5]); + + $flent = array(); + $i = 0; + $flent['time'] = $ipfa[$i]; + $i++; + if (substr($ipfa[$i], -1) == "x") { + $flent['count'] = substr($ipfa[$i], 0, -1); + $i++; + } + if ($iftable[$ipfa[$i]]) + $flent['interface'] = $iftable[$ipfa[$i]]; + else + $flent['interface'] = $ipfa[$i]; + $i += 2; + $flent['act'] = $ipfa[$i]; + $i++; + $flent['src'] = format_ipf_ip($ipfa[$i]); + $i += 2; + $flent['dst'] = format_ipf_ip($ipfa[$i]); + $i += 2; + $flent['proto'] = strtoupper($ipfa[$i]); + + $filterlog[] = $flent; + } + + return $filterlog; +} + +function format_ipf_ip($ipfip) { + list($ip,$port) = explode(",", $ipfip); + if (!$port) + return $ip; + + return $ip . ", port " . $port; +} + +?> + + + +<?=gentitle("Diagnostics: System logs");?> + + + + + + +

Diagnostics: System logs

+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + +
+ Last firewall log entries
ActTimeIfSourceDestinationProto
+ + +
+ + + + + + +
+ Last firewall log entries
+ +
+ +
+
+ + + diff --git a/usr/local/www/diag_logs_settings.php b/usr/local/www/diag_logs_settings.php new file mode 100755 index 0000000..7868c56 --- /dev/null +++ b/usr/local/www/diag_logs_settings.php 
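Review bot: `format_ipf_ip()` does `list($ip,$port) = explode(",", $ipfip);` and then tests `$port`, so an address with no port component (no comma) raises an undefined-offset notice before the early return. Use `$parts = explode(",", $ipfip, 2); if (!isset($parts[1]) || !$parts[1]) return $parts[0]; return $parts[0] . ", port " . $parts[1];`. In `conv_clog()`, `$iftable[$ipfa[$i]]` is likewise read without `isset`, and the fixed offsets into `$ipfa` assume the ipfilter log layout, so a malformed line yields notices rather than a skipped row; the table rows that print `$flent` are stripped in this rendering, so I could not confirm they are escaped.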
@@ -0,0 +1,202 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$pconfig['reverse'] = isset($config['syslog']['reverse']); +$pconfig['nentries'] = $config['syslog']['nentries']; +$pconfig['remoteserver'] = $config['syslog']['remoteserver']; +$pconfig['filter'] = isset($config['syslog']['filter']); +$pconfig['dhcp'] = isset($config['syslog']['dhcp']); +$pconfig['vpn'] = isset($config['syslog']['vpn']); +$pconfig['system'] = isset($config['syslog']['system']); +$pconfig['enable'] = isset($config['syslog']['enable']); +$pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']); +$pconfig['rawfilter'] = isset($config['syslog']['rawfilter']); + +if (!$pconfig['nentries']) + $pconfig['nentries'] = 50; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable'] && !is_ipaddr($_POST['remoteserver'])) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['nentries'] < 5) || ($_POST['nentries'] > 1000)) { + $input_errors[] = "Number of log entries to show must be between 5 and 1000."; + } + + if (!$input_errors) { + $config['syslog']['reverse'] = $_POST['reverse'] ? true : false; + $config['syslog']['nentries'] = (int)$_POST['nentries']; + $config['syslog']['remoteserver'] = $_POST['remoteserver']; + $config['syslog']['filter'] = $_POST['filter'] ? true : false; + $config['syslog']['dhcp'] = $_POST['dhcp'] ? true : false; + $config['syslog']['vpn'] = $_POST['vpn'] ? true : false; + $config['syslog']['system'] = $_POST['system'] ? true : false; + $config['syslog']['enable'] = $_POST['enable'] ? true : false; + $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']); + $config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true; + $config['syslog']['rawfilter'] = $_POST['rawfilter'] ? 
true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = system_syslogd_start(); + if ($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} + +?> + + + +<?=gentitle("Diagnostics: System logs");?> + + + + + + + +

Diagnostics: System logs

+
+ + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  > + Show log entries in reverse order (newest entries + on top)
 Number of log entries to + show: +
  > + Log packets blocked by the default rule
+ Hint: packets that are blocked by the + implicit default block rule will not be logged anymore + if you uncheck this option. Per-rule logging options are not affected.
  > + Show raw filter logs
+ Hint: If this is checked, filter logs are shown as generated by the packet filter, without any formatting. This will reveal more detailed information.
  onClick="enable_change(false)"> + Enable syslog'ing to remote syslog server
Remote syslog + server +
+ IP address of remote syslog server

> + system events
> + firewall events
> + DHCP service events
> + PPTP VPN events
  +
 Note:
+ syslog sends UDP datagrams to port 514 on the specified + remote syslog server. Be sure to set syslogd on the + remote server to accept syslog messages from m0n0wall. +
+
+
+ + + + 
diff --git a/usr/local/www/diag_logs_vpn.php b/usr/local/www/diag_logs_vpn.php
new file mode 100755
index 0000000..3ed561c
--- /dev/null
+++ b/usr/local/www/diag_logs_vpn.php
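Review bot: `remoteserver` is validated with is_ipaddr only when `enable` is set, so an arbitrary string is written to `$config['syslog']['remoteserver']` whenever remote logging is off, and that same raw value is redisplayed through `$pconfig`. Keep the existing check and add a second one that validates the field whenever it is non-empty: `if ($_POST['remoteserver'] && !is_ipaddr($_POST['remoteserver']))`. The ten `$_POST[...] ? true : false` assignments could be a loop over a list of flag names, which would keep the `$pconfig` block at the top and the save block from drifting apart as options are added.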
@@ -0,0 +1,111 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 65536 /var/log/vpn.log"); +} + +function dump_clog($logfile, $tail) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + $llent = explode(",", $logent[5]); + + echo "\n"; + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + + if ($llent[0] == "login") + echo "\n"; + else + echo "\n"; + + echo "" . htmlspecialchars($llent[3]) . 
"\n"; + echo "" . htmlspecialchars($llent[2]) . " \n"; + echo "\n"; + } +} + +?> + + + +<?=gentitle("Diagnostics: System logs");?> + + + + + + +

Diagnostics: System logs

+ + + + + +
+ +
+ + + + + + + + + + +
+ Last firewall log entries
TimeActionUserIP address
+
+ +
+
+ + + 
diff --git a/usr/local/www/diag_ping.php b/usr/local/www/diag_ping.php
new file mode 100755
index 0000000..33ad4ac
--- /dev/null
+++ b/usr/local/www/diag_ping.php
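Review bot: The table caption in this page still reads `Last firewall log entries`, copied from diag_logs_filter.php, while the columns are Time/Action/User/IP address for the PPTP log; it should say something like `Last PPTP VPN log entries`. In dump_clog, `$llent[2]` and `$llent[3]` are read without checking that the comma-split line has four fields, so a malformed or truncated line emits undefined-offset notices into the page; guard with `if (count($llent) < 4) continue;` right after the explode. The clog/tail exec line has the same unquoted `$logfile`/`$tail` concatenation raised on diag_logs_filter.php.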
@@ -0,0 +1,113 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +define('MAX_COUNT', 10); +define('DEFAULT_COUNT', 3); + +if ($_POST) { + unset($input_errors); + unset($do_ping); + + /* input validation */ + $reqdfields = explode(" ", "host count"); + $reqdfieldsn = explode(",", "Host,Count"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['count'] < 1) || ($_POST['count'] > MAX_COUNT)) { + $input_errors[] = "Count must be between 1 and {MAX_COUNT}"; + } + + if (!$input_errors) { + $do_ping = true; + $host = preg_replace ("/[^A-Za-z0-9.]/","",$_POST['host']); + $count = $_POST['count']; + + } +} +if (!isset($do_ping)) { + $do_ping = false; + $host = ''; + $count = DEFAULT_COUNT; +} +?> + + + +<?=gentitle("Diagnostics: Ping");?> + + + + + + +

Diagnostics: Ping

+ +
+ + + + + + + + + + + + + + + + +
Host +
Count +
  + +
+ Ping output:
"); + echo('
');
+					ob_end_flush();
+					system("/sbin/ping -c$count " . escapeshellarg($host));
+					echo('
'); + } + ?> +
+
+ + + diff --git a/usr/local/www/diag_resetstate.php b/usr/local/www/diag_resetstate.php new file mode 100755 index 0000000..3a7f028 --- /dev/null +++ b/usr/local/www/diag_resetstate.php @@ -0,0 +1,97 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if ($_POST) { + + $savemsg = ""; + if ($_POST['nattable']) { + filter_flush_nat_table(); + $savemsg = "The NAT table has been flushed successfully."; + } + if ($_POST['statetable']) { + filter_flush_state_table(); + if ($savemsg) + $savemsg .= " "; + $savemsg .= "The state table has been flushed successfully."; + } +} +?> + + + +<?=gentitle("Diagnostics: Reset state");?> + + + + + + +
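Review bot: `$count` is taken from `$_POST['count']` as-is and interpolated into the ping command line, while the only check on it is a numeric range comparison, which does not reject a string that merely begins with digits; coerce it before use, `$count = (int)$_POST['count'];`, and reject non-numeric input in the validation with `if (!is_numeric($_POST['count']) || ($_POST['count'] < 1) || ($_POST['count'] > MAX_COUNT))`. The error message on the next line is also wrong: `{MAX_COUNT}` inside a double-quoted string is not constant interpolation, so the user sees the literal text; use `"Count must be between 1 and " . MAX_COUNT`. `do_input_validation(..., &$input_errors)` uses call-time pass-by-reference, which later PHP versions reject; the same call appears in firewall_aliases_edit.php and firewall_nat_1to1_edit.php.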

Diagnostics: Reset state

+ + +
+ + + + + + + + + +
 

+ + NAT table
+ + Firewall state table
+
+ Resetting the state tables will remove all entries from + the corresponding tables. This means that all open connections + will be broken and will have to be re-established. This + may be necessary after making substantial changes to the + firewall and/or NAT rules, especially if there are IP protocol + mappings (e.g. for PPTP or IPv6) with open connections.
+
+
The firewall will normally leave + the state tables intact when changing rules.
+
+ NOTE: If you reset the firewall state table, the browser + session may appear to be hung after clicking "Reset". + Simply refresh the page to continue.

+
  + +
+
+ + + diff --git a/usr/local/www/edit.php b/usr/local/www/edit.php new file mode 100755 index 0000000..694f40b --- /dev/null +++ b/usr/local/www/edit.php @@ -0,0 +1,128 @@ +#!/usr/local/bin/php + "") + $rows = $_POST['rows']; +else + $rows = 40; + +if($_POST['cols'] <> "") + $cols = $_POST['cols']; +else + $cols = 80; +?> + + + +) + (modified for pfSense Edit/Save file by Scott Ullrich, Copyright 2004) +*/ + +// Function: is Blank +// Returns true or false depending on blankness of argument. + +function isBlank( $arg ) { return ereg( "^\s*$", $arg ); } + +// Function: Puts +// Put string, Ruby-style. + +function puts( $arg ) { echo "$arg\n"; } + +// "Constants". + +$Version = ''; +$ScriptName = $HTTP_SERVER_VARS['SCRIPT_NAME']; +$Title = 'pfSense: edit file'; + +// Get year. + +$arrDT = localtime(); +$intYear = $arrDT[5] + 1900; + +?> + +<?=$Title ?> + + + + +
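Review bot: `$rows` and `$cols` are taken from `$_POST` as strings and the only visible check is `<> ""`, so any non-numeric value is carried into the page; cast them, `$rows = (int)$_POST['rows'];` and `$cols = (int)$_POST['cols'];`, and fall back to the defaults when the result is 0. The load/save handling implied by the "Save/Load from path" field is not visible in the hunk, so that part could not be reviewed. isBlank uses `ereg`, and `$HTTP_SERVER_VARS` is the pre-4.1 superglobal name; `preg_match('/^\s*$/', $arg)` and `$_SERVER['SCRIPT_NAME']` are the equivalents, and the same two helpers are duplicated in exec.php.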

+" . $ulmsg . "

\n"; ?> + +
+ + + + + + + +
+ Save/Load from path: + Rows: + Cols: + +

+
+
+

+

+
+ + + diff --git a/usr/local/www/exec.php b/usr/local/www/exec.php new file mode 100755 index 0000000..8f47fc5 --- /dev/null +++ b/usr/local/www/exec.php @@ -0,0 +1,240 @@ +#!/usr/local/bin/php + + + + +) +*/ + +// Function: is Blank +// Returns true or false depending on blankness of argument. + +function isBlank( $arg ) { return ereg( "^\s*$", $arg ); } + + +// Function: Puts +// Put string, Ruby-style. + +function puts( $arg ) { echo "$arg\n"; } + + +// "Constants". + +$Version = ''; +$ScriptName = $HTTP_SERVER_VARS['SCRIPT_NAME']; +$Title = 'm0n0wall: execute command'; + +// Get year. + +$arrDT = localtime(); +$intYear = $arrDT[5] + 1900; + +?> + +<?=$Title ?> + + + + + +

+ +

Note: this function is unsupported. Use it +on your own risk!

+ +" . $ulmsg . "

\n"; ?> +"); + puts("\$ " . htmlspecialchars($_POST['txtCommand'])); + putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); + putenv("SCRIPT_FILENAME=" . strtok($_POST['txtCommand'], " ")); /* PHP scripts */ + $ph = popen($_POST['txtCommand'], "r" ); + while ($line = fgets($ph)) echo htmlspecialchars($line); + pclose($ph); + puts(""); +} + +?> + +
+ + + + + + + + + + + + + + + + + + + + + +
Command:
    + + + + + +
Download: + + +
Upload: + +
+
+ + diff --git a/usr/local/www/exec_raw.php b/usr/local/www/exec_raw.php new file mode 100755 index 0000000..6d1ca34 --- /dev/null +++ b/usr/local/www/exec_raw.php @@ -0,0 +1,38 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +header("Content-Type: text/plain"); + +putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); +passthru($_GET['cmd']); + +exit(0); +?> \ No newline at end of file diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc new file mode 100755 index 0000000..1aae7f1 --- /dev/null +++ b/usr/local/www/fbegin.inc @@ -0,0 +1,131 @@ + + + + + + + + + + + + + +
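Review bot: Executed commands are not recorded anywhere: the page runs `$_POST['txtCommand']` through popen and echoes the output, but nothing is written to the system log, so use of this deliberately unrestricted page leaves no audit trail beyond the web server's access log, which does not contain POST bodies. Log the command before running it, e.g. `syslog(LOG_NOTICE, "exec.php: " . $_POST['txtCommand']);`, or the project's own logging helper if guiconfig.inc provides one. `$ulmsg` is echoed into the page unescaped near the top of the body; whether it can contain user-supplied text depends on the upload branch, which is not visible here. isBlank uses `ereg` and `$HTTP_SERVER_VARS`, as in edit.php.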
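Review bot: exec_raw.php passes `$_GET['cmd']` straight to passthru without `require("guiconfig.inc")`, so whatever session or authentication handling that include performs for every other page in this commit (if any) does not run here, and the command is accepted from a GET query string, which ends up in access logs and browser history and can be triggered by merely following a link. At minimum it should include guiconfig.inc like exec.php, read the command from `$_POST` only and log it the same way; preferably it is dropped in favour of exec.php. The file also ends without a newline after `?>`.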
+ + +
 webGUI + Configuration +   +
+
+ + + +
System +
+      General + setup
+      Static + routes
+      Firmware
+      Advanced
+ Interfaces + + (assign) + +
+      LAN
+      WAN
+ +      
+ + Firewall
+      Rules
+      NAT
+      Aliases
+ Services
+      DNS forwarder
+      Dynamic + DNS
+      DHCP server
+      DHCP relay
+      SNMP
+      Proxy ARP
+      Captive portal
+      Wake on LAN
+ VPN
+      IPsec
+      PPTP
+      OpenVPN
+ Status
+      System
+      Interfaces
+      Traffic graph
+      Wireless
+ +      Captive portal
+ + + Extensions
+ + + Diagnostics
+ + + Diagnostics
+ +
+
+
+ 
diff --git a/usr/local/www/fend.inc b/usr/local/www/fend.inc
new file mode 100755
index 0000000..871ec68
--- /dev/null
+++ b/usr/local/www/fend.inc
@@ -0,0 +1,8 @@
+
pfSense is © 2004 by Scott Ullrich. All Rights Reserved. +
pfSense is originally based on m0n0wall which is © 2002-2004 by Manuel Kasper. + All rights reserved.  [view license]
diff --git a/usr/local/www/firewall_aliases.php b/usr/local/www/firewall_aliases.php
new file mode 100755
index 0000000..cb94725
--- /dev/null
+++ b/usr/local/www/firewall_aliases.php
@@ -0,0 +1,127 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); + +aliases_sort(); +$a_aliases = &$config['aliases']['alias']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + /* reload all components that use aliases */ + $retval = filter_configure(); + $retval |= shaper_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_aliasesdirty_path)) + unlink($d_aliasesdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_aliases[$_GET['id']]) { + unset($a_aliases[$_GET['id']]); + write_config(); + touch($d_aliasesdirty_path); + header("Location: firewall_aliases.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: Aliases");?> + + + + + + +

Firewall: Aliases

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + + + +
NameAddressDescription
+ + + + +   + +  
+
+

Note:
+
Aliases act as placeholders for real IP addresses + and can be used to minimize the number of changes that have to + be made if a host or network address changes. You can enter the + name of an alias instead of an IP address in all address fields + that have a blue background. The alias will be resolved to its + current address according to the list below. If an alias cannot + be resolved (e.g. because you deleted it), the corresponding element + (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

+ + + 
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
new file mode 100755
index 0000000..8955197
--- /dev/null
+++ b/usr/local/www/firewall_aliases_edit.php
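Review bot: Deleting an alias is done from a GET request, `$_GET['act'] == "del"` with `$_GET['id']`, so the deletion is triggered by merely following a link (a prefetching browser is enough) and is then persisted with write_config(); move the delete to a POST form, ideally with an anti-CSRF token, the same way the apply button already uses POST. `$_GET['id']` is also used as an array index without checking that it is a non-negative integer; `$a_aliases[$_GET['id']]` is tested first so the impact is only a notice, but an `is_numeric` check up front keeps that out of the log. The same GET-based delete appears in firewall_nat.php and firewall_nat_1to1.php.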
@@ -0,0 +1,195 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); + +aliases_sort(); +$a_aliases = &$config['aliases']['alias']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_aliases[$id]) { + $pconfig['name'] = $a_aliases[$id]['name']; + list($pconfig['address'],$pconfig['address_subnet']) = + explode('/', $a_aliases[$id]['address']); + if ($pconfig['address_subnet']) + $pconfig['type'] = "network"; + else + $pconfig['type'] = "host"; + $pconfig['descr'] = $a_aliases[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "name address"); + $reqdfieldsn = explode(",", "Name,Address"); + + if ($_POST['type'] == "network") { + $reqdfields[] = "address_subnet"; + $reqdfieldsn[] = "Subnet bit count"; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['name'] && !is_validaliasname($_POST['name']))) { + $input_errors[] = "The alias name may only consist of the characters a-z, A-Z, 0-9."; + } + if (($_POST['address'] && !is_ipaddr($_POST['address']))) { + $input_errors[] = "A valid address must be specified."; + } + if (($_POST['address_subnet'] && !is_numeric($_POST['address_subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + + /* check for name conflicts */ + foreach ($a_aliases as $alias) { + if (isset($id) && ($a_aliases[$id]) && ($a_aliases[$id] === $alias)) + continue; + + if ($alias['name'] == $_POST['name']) { + $input_errors[] = "An alias with this name already exists."; + break; + } + } + + if (!$input_errors) { + $alias = array(); + $alias['name'] = $_POST['name']; + if ($_POST['type'] == "network") + $alias['address'] = $_POST['address'] . "/" . 
$_POST['address_subnet']; + else + $alias['address'] = $_POST['address']; + $alias['descr'] = $_POST['descr']; + + if (isset($id) && $a_aliases[$id]) + $a_aliases[$id] = $alias; + else + $a_aliases[] = $alias; + + touch($d_aliasesdirty_path); + + write_config(); + + header("Location: firewall_aliases.php"); + exit; + } +} +?> + + + +<?=gentitle("System: Firewall: Aliases: Edit alias");?> + + + + + + + +

Firewall: Aliases: Edit alias

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Name +
The name of the alias may only consist + of the characters a-z, A-Z and 0-9.
Type + +
Address + / +
The address that this alias + represents.
Description +
You may enter a description here + for your reference (not parsed).
  + + + +
+
+ + + + 
diff --git a/usr/local/www/firewall_nat.php b/usr/local/www/firewall_nat.php
new file mode 100755
index 0000000..1708ef8
--- /dev/null
+++ b/usr/local/www/firewall_nat.php
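Review bot: The subnet bit count is only checked with is_numeric, so values such as 40 or 1.5 are stored in `address` as `a.b.c.d/40` and presumably reach the filter/shaper code that resolves aliases; restrict it to the IPv4 range: `if ($_POST['address_subnet'] && (!is_numeric($_POST['address_subnet']) || $_POST['address_subnet'] < 1 || $_POST['address_subnet'] > 32))`. The name-conflict loop skips the entry being edited by value (`$a_aliases[$id] === $alias`) rather than by index; iterating with `foreach ($a_aliases as $k => $alias)` and `if (isset($id) && $k == $id) continue;` expresses the intent directly. `descr` is stored as typed, and it is not visible here whether the list page escapes it when rendering.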
@@ -0,0 +1,171 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['rule'])) { + $config['nat']['rule'] = array(); +} +nat_rules_sort(); +$a_nat = &$config['nat']['rule']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_nat[$_GET['id']]) { + unset($a_nat[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT");?> + + + + + + +

Firewall: NAT

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + +
IfProtoExt. port rangeNAT IPInt. port rangeDescription
+ + + + + + + + (ext.: " . $natent['external-address'] . ")"; + ?> + + + +   + +  
+

Note:
+
It is not possible to access NATed services + using the WAN IP address from within LAN (or an optional + network).

+
+ + + 
diff --git a/usr/local/www/firewall_nat_1to1.php b/usr/local/www/firewall_nat_1to1.php
new file mode 100755
index 0000000..f4d2e20
--- /dev/null
+++ b/usr/local/www/firewall_nat_1to1.php
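Review bot: `$natent['external-address']` is concatenated into the rule listing inside the `(ext.: ...)` fragment without htmlspecialchars; whether the value is guaranteed to be an IP address depends on the validation in firewall_nat_edit.php, which is not in this chunk, so escape it at the output regardless: `" (ext.: " . htmlspecialchars($natent['external-address']) . ")"`. The delete path has the same GET-triggered state change noted on firewall_aliases.php.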
@@ -0,0 +1,145 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['onetoone'])) { + $config['nat']['onetoone'] = array(); +} +$a_1to1 = &$config['nat']['onetoone']; +nat_1to1_rules_sort(); + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_1to1[$_GET['id']]) { + unset($a_1to1[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat_1to1.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT");?> + + + + + + +

Firewall: NAT

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
InterfaceExternal IPInternal IPDescription
+ + + + + + +   + +  
+

Note:
+
Depending on the way your WAN connection is setup, you may also need proxy ARP.

+
+
+ + + 
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php
new file mode 100755
index 0000000..7361c92
--- /dev/null
+++ b/usr/local/www/firewall_nat_1to1_edit.php
@@ -0,0 +1,216 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['onetoone'])) { + $config['nat']['onetoone'] = array(); +} +nat_1to1_rules_sort(); +$a_1to1 = &$config['nat']['onetoone']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_1to1[$id]) { + $pconfig['external'] = $a_1to1[$id]['external']; + $pconfig['internal'] = $a_1to1[$id]['internal']; + $pconfig['interface'] = $a_1to1[$id]['interface']; + if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; + if (!$a_1to1[$id]['subnet']) + $pconfig['subnet'] = 32; + else + $pconfig['subnet'] = $a_1to1[$id]['subnet']; + $pconfig['descr'] = $a_1to1[$id]['descr']; +} else { + $pconfig['subnet'] = 32; + $pconfig['interface'] = "wan"; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "interface external internal"); + $reqdfieldsn = explode(",", "Interface,External subnet,Internal subnet"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['external'] && !is_ipaddr($_POST['external']))) { + $input_errors[] = "A valid external subnet must be specified."; + } + if (($_POST['internal'] && !is_ipaddr($_POST['internal']))) { + $input_errors[] = "A valid internal subnet must be specified."; + } + + if (is_ipaddr($config['interfaces']['wan']['ipaddr'])) { + if (check_subnets_overlap($_POST['external'], $_POST['subnet'], + $config['interfaces']['wan']['ipaddr'], 32)) + $input_errors[] = "The WAN IP address may not be used in a 1:1 rule."; + } + + /* check for overlaps with other 1:1 */ + foreach ($a_1to1 as $natent) { + if (isset($id) && ($a_1to1[$id]) && ($a_1to1[$id] === $natent)) + continue; + + if (check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['external'], $natent['subnet'])) { + $input_errors[] = "Another 1:1 rule overlaps with the specified external subnet."; + break; + } else if (check_subnets_overlap($_POST['internal'], 
$_POST['subnet'], $natent['internal'], $natent['subnet'])) { + $input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet."; + break; + } + } + + /* check for overlaps with server NAT */ + if (is_array($config['nat']['servernat'])) { + foreach ($config['nat']['servernat'] as $natent) { + if (check_subnets_overlap($_POST['external'], $_POST['subnet'], + $natent['ipaddr'], 32)) { + $input_errors[] = "A server NAT entry overlaps with the specified external subnet."; + break; + } + } + } + + /* check for overlaps with advanced outbound NAT */ + if (is_array($config['nat']['advancedoutbound']['rule'])) { + foreach ($config['nat']['advancedoutbound']['rule'] as $natent) { + if ($natent['target'] && + check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['target'], 32)) { + $input_errors[] = "An advanced outbound NAT entry overlaps with the specified external subnet."; + break; + } + } + } + + if (!$input_errors) { + $natent = array(); + $natent['external'] = $_POST['external']; + $natent['internal'] = $_POST['internal']; + $natent['subnet'] = $_POST['subnet']; + $natent['descr'] = $_POST['descr']; + $natent['interface'] = $_POST['interface']; + + if (isset($id) && $a_1to1[$id]) + $a_1to1[$id] = $natent; + else + $a_1to1[] = $natent; + + touch($d_natconfdirty_path); + + write_config(); + + header("Location: firewall_nat_1to1.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT: Edit 1:1");?> + + + + + + +

Firewall: NAT: Edit 1:1

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this rule applies to.
+ Hint: in most cases, you'll want to use WAN here.
External subnet + + / + +
+ Enter the external (WAN) subnet for the 1:1 mapping. You may map single IP addresses by specifying a /32 subnet.
Internal subnet + +
+ Enter the internal (LAN) subnet for the 1:1 mapping. The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php new file mode 100755 index 0000000..d80865f --- /dev/null +++ b/usr/local/www/firewall_nat_edit.php 
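Review bot: `$_POST['subnet']` is never validated before it is passed to `check_subnets_overlap()` and stored as `$natent['subnet']`, and it is not in `$reqdfields` either, so an empty or non-numeric bit count is accepted alongside otherwise-validated addresses. Add a range check next to the address checks, e.g. `if (!is_numericint($_POST['subnet']) || $_POST['subnet'] < 1 || $_POST['subnet'] > 32) $input_errors[] = "A valid subnet bit count (1-32) must be specified.";`. The stored value presumably feeds the generated NAT rules, so a bad value would otherwise surface at apply time rather than in this form. firewall_nat_out_edit.php has the same gap for `source_subnet` and `destination_subnet`, which are checked with `is_numericint()` only and never range-limited.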
@@ -0,0 +1,365 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['rule'])) { + $config['nat']['rule'] = array(); +} +nat_rules_sort(); +$a_nat = &$config['nat']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_nat[$id]) { + $pconfig['extaddr'] = $a_nat[$id]['external-address']; + $pconfig['proto'] = $a_nat[$id]['protocol']; + list($pconfig['beginport'],$pconfig['endport']) = explode("-", $a_nat[$id]['external-port']); + $pconfig['localip'] = $a_nat[$id]['target']; + $pconfig['localbeginport'] = $a_nat[$id]['local-port']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['interface'] = $a_nat[$id]['interface']; + if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; +} else { + $pconfig['interface'] = "wan"; +} + +if ($_POST) { + + if ($_POST['beginport_cust'] && !$_POST['beginport']) + $_POST['beginport'] = $_POST['beginport_cust']; + if ($_POST['endport_cust'] && !$_POST['endport']) + $_POST['endport'] = $_POST['endport_cust']; + if ($_POST['localbeginport_cust'] && !$_POST['localbeginport']) + $_POST['localbeginport'] = $_POST['localbeginport_cust']; + + if (!$_POST['endport']) + $_POST['endport'] = $_POST['beginport']; + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "interface proto beginport localip localbeginport"); + $reqdfieldsn = explode(",", "Interface,Protocol,Start port,NAT IP,Local port"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['beginport'] && !is_port($_POST['beginport']))) { + $input_errors[] = "The start port must be an integer between 1 and 65535."; + } + if (($_POST['endport'] && !is_port($_POST['endport']))) { + $input_errors[] = "The end port must be an integer between 1 and 65535."; + } + if (($_POST['localbeginport'] && !is_port($_POST['localbeginport']))) { + $input_errors[] = "The local port must be an integer between 1 and 65535."; + } + if (($_POST['localip'] && 
!is_ipaddroralias($_POST['localip']))) { + $input_errors[] = "A valid NAT IP address or host alias must be specified."; + } + + if ($_POST['beginport'] > $_POST['endport']) { + /* swap */ + $tmp = $_POST['endport']; + $_POST['endport'] = $_POST['beginport']; + $_POST['beginport'] = $tmp; + } + + if (!$input_errors) { + if (($_POST['endport'] - $_POST['beginport'] + $_POST['localbeginport']) > 65535) + $input_errors[] = "The target port range must lie between 1 and 65535."; + } + + /* check for overlaps */ + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + if ($natent['external-address'] != $_POST['extaddr']) + continue; + + list($begp,$endp) = explode("-", $natent['external-port']); + if (!$endp) + $endp = $begp; + + if (!( (($_POST['beginport'] < $begp) && ($_POST['endport'] < $begp)) + || (($_POST['beginport'] > $endp) && ($_POST['endport'] > $endp)))) { + + $input_errors[] = "The external port range overlaps with an existing entry."; + break; + } + } + + if (!$input_errors) { + $natent = array(); + if ($_POST['extaddr']) + $natent['external-address'] = $_POST['extaddr']; + $natent['protocol'] = $_POST['proto']; + + if ($_POST['beginport'] == $_POST['endport']) + $natent['external-port'] = $_POST['beginport']; + else + $natent['external-port'] = $_POST['beginport'] . "-" . 
$_POST['endport']; + + $natent['target'] = $_POST['localip']; + $natent['local-port'] = $_POST['localbeginport']; + $natent['interface'] = $_POST['interface']; + $natent['descr'] = $_POST['descr']; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else + $a_nat[] = $natent; + + touch($d_natconfdirty_path); + + if ($_POST['autoadd']) { + /* auto-generate a matching firewall rule */ + $filterent = array(); + $filterent['interface'] = $_POST['interface']; + $filterent['protocol'] = $_POST['proto']; + $filterent['source']['any'] = ""; + $filterent['destination']['address'] = $_POST['localip']; + + $dstpfrom = $_POST['localbeginport']; + $dstpto = $dstpfrom + $_POST['endport'] - $_POST['beginport']; + + if ($dstpfrom == $dstpto) + $filterent['destination']['port'] = $dstpfrom; + else + $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto; + + $filterent['descr'] = "NAT " . $_POST['descr']; + + $config['filter']['rule'][] = $filterent; + + touch($d_filterconfdirty_path); + } + + write_config(); + + header("Location: firewall_nat.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT: Edit");?> + + + + + + + +

Firewall: NAT: Edit

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this rule applies to.
+ Hint: in most cases, you'll want to use WAN here.
External address +
+ + If you want this rule to apply to another IP address than the IP address of the interface chosen above, + select it here (you need to define IP addresses on the + Server NAT page first).
Protocol +
Choose which IP protocol + this rule should match.
+ Hint: in most cases, you should specify TCP  here.
External port + range + + + + + + + + + +
from:  
to:
+
Specify the port or port range on + the firewall's external address for this mapping.
+ Hint: you can leave the 'to' field empty if you only + want to map a single port
NAT IP + +
Enter the internal IP address of + the server on which you want to map the ports.
+ e.g. 192.168.1.12
Local port + +
+ Specify the port on the machine with the + IP address entered above. In case of a port range, specify + the beginning port of the range (the end port will be calculated + automatically).
+ Hint: this is usually identical to the 'from' port above
Description + +
You may enter a description here + for your reference (not parsed).
  + + Auto-add a firewall rule to permit traffic through + this NAT rule
  + + + + +
+
+ + + + diff --git a/usr/local/www/firewall_nat_out.php b/usr/local/www/firewall_nat_out.php new file mode 100755 index 0000000..978f3b3 --- /dev/null +++ b/usr/local/www/firewall_nat_out.php 
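Review bot: `$_POST['extaddr']` and `$_POST['proto']` are persisted into `$natent` (and, when `autoadd` is set, into a new filter rule) without any value check, while every other field in the input-validation section has one; the form text says the external address must be one defined on the Server NAT page, so the code should enforce that rather than rely on the select box. A minimal check would be `if ($_POST['extaddr'] && !is_ipaddr($_POST['extaddr'])) $input_errors[] = "A valid external address must be specified.";`, ideally tightened to a match against the `ipaddr` values in `$config['nat']['servernat']`, and `proto` should likewise be compared against the protocol list the form offers. Without this, the overlap loop's `$natent['external-address'] != $_POST['extaddr']` comparison also silently accepts any string as a distinct address, so a typo bypasses the overlap check.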
@@ -0,0 +1,184 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['advancedoutbound']['rule'])) + $config['nat']['advancedoutbound']['rule'] = array(); + +$a_out = &$config['nat']['advancedoutbound']['rule']; +nat_out_rules_sort(); + +if ($_POST) { + + $pconfig = $_POST; + + $config['nat']['advancedoutbound']['enable'] = ($_POST['enable']) ? 
true : false; + write_config(); + + $retval = 0; + + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } +} + +if ($_GET['act'] == "del") { + if ($a_out[$_GET['id']]) { + unset($a_out[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat_out.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT");?> + + + + + + +

Firewall: NAT

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + +
+ +
+ + + + + + + + + + +

+ > + Enable advanced outbound NAT
+

+

Note:
+
If advanced outbound NAT is enabled, no outbound NAT + rules will be automatically generated anymore. Instead, only the mappings + you specify below will be used. With advanced outbound NAT disabled, + a mapping is automatically created for each interface's subnet + (except WAN).
If you use target addresses other than the WAN interface's IP address, then depending on the way your WAN connection is setup, you may also need proxy ARP.
+
+ You may enter your own mappings below.

+
+  
+ + + + + + + + + + + + + + + + + + + + + + + +
InterfaceSourceDestinationTargetDescription
+ + + + + + + + +   + +  
+
+
+ + + diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php new file mode 100755 index 0000000..723de78 --- /dev/null +++ b/usr/local/www/firewall_nat_out_edit.php 
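Review bot: In the `if ($_POST)` block the `enable` flag is written with `write_config()` and `filter_configure()` is run on every POST, whereas the sibling list pages in this commit (firewall_nat_1to1.php, firewall_nat_server.php) gate the apply behind `$_POST['apply']`. If this form has a single Save button that is intentional, but the unconditional `$config['nat']['advancedoutbound']['enable'] = ($_POST['enable']) ? true : false;` means any POST that omits `enable` silently disables advanced outbound NAT, which per the note text on this page turns automatic per-interface outbound mappings back on. A short comment such as `/* any POST to this page saves the enable flag and reloads the filter; there is no separate apply step */` would make the asymmetry deliberate, or the block could be gated like its siblings.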
@@ -0,0 +1,311 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['advancedoutbound']['rule'])) + $config['nat']['advancedoutbound']['rule'] = array(); + +$a_out = &$config['nat']['advancedoutbound']['rule']; +nat_out_rules_sort(); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +function network_to_pconfig($adr, &$padr, &$pmask, &$pnot) { + + if (isset($adr['any'])) + $padr = "any"; + else if ($adr['network']) { + list($padr, $pmask) = explode("/", $adr['network']); + if (!$pmask) + $pmask = 32; + } + + if (isset($adr['not'])) + $pnot = 1; + else + $pnot = 0; +} + +if (isset($id) && $a_out[$id]) { + list($pconfig['source'],$pconfig['source_subnet']) = explode('/', $a_out[$id]['source']['network']); + network_to_pconfig($a_out[$id]['destination'], $pconfig['destination'], + $pconfig['destination_subnet'], $pconfig['destination_not']); + $pconfig['target'] = $a_out[$id]['target']; + $pconfig['interface'] = $a_out[$id]['interface']; + if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; + $pconfig['descr'] = $a_out[$id]['descr']; +} else { + $pconfig['source_subnet'] = 24; + $pconfig['destination'] = "any"; + $pconfig['destination_subnet'] = 24; + $pconfig['interface'] = "wan"; +} + +if ($_POST) { + + if ($_POST['destination_type'] == "any") { + $_POST['destination'] = "any"; + $_POST['destination_subnet'] = 24; + } + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "interface source source_subnet destination destination_subnet"); + $reqdfieldsn = explode(",", "Interface,Source,Source bit count,Destination,Destination bit count"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['source'] && !is_ipaddr($_POST['source'])) { + $input_errors[] = "A valid source must be specified."; + } + if ($_POST['source_subnet'] && !is_numericint($_POST['source_subnet'])) { + $input_errors[] = "A valid source bit count must be specified."; + } + if 
($_POST['destination_type'] != "any") { + if ($_POST['destination'] && !is_ipaddr($_POST['destination'])) { + $input_errors[] = "A valid destination must be specified."; + } + if ($_POST['destination_subnet'] && !is_numericint($_POST['destination_subnet'])) { + $input_errors[] = "A valid destination bit count must be specified."; + } + } + if ($_POST['target'] && !is_ipaddr($_POST['target'])) { + $input_errors[] = "A valid target IP address must be specified."; + } + + /* check for existing entries */ + $osn = gen_subnet($_POST['source'], $_POST['source_subnet']) . "/" . $_POST['source_subnet']; + if ($_POST['destination_type'] == "any") + $ext = "any"; + else + $ext = gen_subnet($_POST['destination'], $_POST['destination_subnet']) . "/" + . $_POST['destination_subnet']; + + if ($_POST['target']) { + /* check for clashes with 1:1 NAT (Server NAT is OK) */ + if (is_array($config['nat']['onetoone'])) { + foreach ($config['nat']['onetoone'] as $natent) { + if (check_subnets_overlap($_POST['target'], 32, $natent['external'], $natent['subnet'])) { + $input_errors[] = "A 1:1 NAT mapping overlaps with the specified target IP address."; + break; + } + } + } + } + + foreach ($a_out as $natent) { + if (isset($id) && ($a_out[$id]) && ($a_out[$id] === $natent)) + continue; + + if (!$natent['interface']) + $natent['interface'] == "wan"; + + if (($natent['interface'] == $_POST['interface']) && ($natent['source']['network'] == $osn)) { + if (isset($natent['destination']['not']) == isset($_POST['destination_not'])) { + if ((isset($natent['destination']['any']) && ($ext == "any")) || + ($natent['destination']['network'] == $ext)) { + $input_errors[] = "There is already an outbound NAT rule with the specified settings."; + break; + } + } + } + } + + if (!$input_errors) { + $natent = array(); + $natent['source']['network'] = $osn; + $natent['descr'] = $_POST['descr']; + $natent['target'] = $_POST['target']; + $natent['interface'] = $_POST['interface']; + + if ($ext == "any") + 
$natent['destination']['any'] = true; + else + $natent['destination']['network'] = $ext; + + if (isset($_POST['destination_not']) && $ext != "any") + $natent['destination']['not'] = true; + + if (isset($id) && $a_out[$id]) + $a_out[$id] = $natent; + else + $a_out[] = $natent; + + touch($d_natconfdirty_path); + + write_config(); + + header("Location: firewall_nat_out.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT: Edit outbound mapping");?> + + + + + + + +

Firewall: NAT: Edit outbound mapping

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this rule applies to.
+ Hint: in most cases, you'll want to use WAN here.
Source + + + / + +
+ Enter the source network for the outbound NAT mapping.
Destination +> + not
+ Use this option to invert the sense of the match.
+
+ + + + + + + + + + + + + +
Type:  
Address:   + / +
 Enter the destination network for + the outbound NAT mapping.
Target + +
+ Packets matching this rule will be mapped to the IP address given here. Leave blank to use the selected interface's IP address.
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + + diff --git a/usr/local/www/firewall_nat_server.php b/usr/local/www/firewall_nat_server.php new file mode 100755 index 0000000..11f44b6 --- /dev/null +++ b/usr/local/www/firewall_nat_server.php 
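Review bot: `$natent['interface'] == "wan";` in the duplicate-entry loop is a comparison, not an assignment, so an existing rule saved without an interface is never normalised to `wan` and the following `($natent['interface'] == $_POST['interface'])` test fails for it; the duplicate check is therefore skipped for such rules. The line should read `$natent['interface'] = "wan";` (assigning to the loop copy is fine since `$natent` is not written back). Separately, the duplicate check never compares `target`, so two mappings differing only in target are reported as duplicates; if that is intended a one-line comment stating it would help the next reader.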
@@ -0,0 +1,143 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['servernat'])) { + $config['nat']['servernat'] = array(); +} +$a_snat = &$config['nat']['servernat']; +nat_server_rules_sort(); + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_snat[$_GET['id']]) { + /* make sure no inbound NAT mappings reference this entry */ + if (is_array($config['nat']['rule'])) { + foreach ($config['nat']['rule'] as $rule) { + if ($rule['external-address'] == $a_snat[$_GET['id']]['ipaddr']) { + $input_errors[] = "This entry cannot be deleted because it is still referenced by at least one inbound NAT mapping."; + break; + } + } + } + + if (!$input_errors) { + unset($a_snat[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat_server.php"); + exit; + } + } +} +?> + + + +<?=gentitle("Firewall: NAT");?> + + + + + + +

Firewall: NAT

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + +
External IP addressDescription
+ + +   + +  
+

Note:
+
The external IP addresses defined on this page may be used in inbound NAT mappings. Depending on the way your WAN connection is setup, you may also need proxy ARP.

+
+
+ + + diff --git a/usr/local/www/firewall_nat_server_edit.php b/usr/local/www/firewall_nat_server_edit.php new file mode 100755 index 0000000..4ed1f2d --- /dev/null +++ b/usr/local/www/firewall_nat_server_edit.php 
@@ -0,0 +1,153 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['servernat'])) { + $config['nat']['servernat'] = array(); +} +nat_server_rules_sort(); +$a_snat = &$config['nat']['servernat']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_snat[$id]) { + $pconfig['ipaddr'] = $a_snat[$id]['ipaddr']; + $pconfig['descr'] = $a_snat[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ipaddr"); + $reqdfieldsn = explode(",", "External IP address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid external IP address must be specified."; + } + + if ($_POST['ipaddr'] == $config['interfaces']['wan']['ipaddr']) + $input_errors[] = "The WAN IP address may not be used in a Server NAT entry."; + + /* check for overlaps with other server NAT */ + foreach ($a_snat as $natent) { + if (isset($id) && ($a_snat[$id]) && ($a_snat[$id] === $natent)) + continue; + + if ($_POST['ipaddr'] == $natent['ipaddr']) { + $input_errors[] = "There is already a server NAT entry for the specified external IP address."; + break; + } + } + + /* check for overlaps with 1:1 NAT */ + if (is_array($config['nat']['onetoone'])) { + foreach ($config['nat']['onetoone'] as $natent) { + if (check_subnets_overlap($_POST['ipaddr'], 32, $natent['external'], $natent['subnet'])) { + $input_errors[] = "A 1:1 NAT mapping overlaps with the specified external IP address."; + break; + } + } + } + + if (!$input_errors) { + $natent = array(); + $natent['ipaddr'] = $_POST['ipaddr']; + $natent['descr'] = $_POST['descr']; + + if (isset($id) && $a_snat[$id]) { + /* modify all inbound NAT rules with this address */ + for ($i = 0; isset($config['nat']['rule'][$i]); $i++) { + if ($config['nat']['rule'][$i]['external-address'] == $a_snat[$id]['ipaddr']) + 
$config['nat']['rule'][$i]['external-address'] = $natent['ipaddr']; + } + $a_snat[$id] = $natent; + } else + $a_snat[] = $natent; + + touch($d_natconfdirty_path); + + write_config(); + + header("Location: firewall_nat_server.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: NAT: Edit Server NAT");?> + + + + + + +

Firewall: NAT: Edit Server NAT

+ +
+ + + + + + + + + + + + + +
External IP address + + +
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php new file mode 100755 index 0000000..cd3424c --- /dev/null +++ b/usr/local/www/firewall_rules.php 
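Review bot: The address-rewrite loop `for ($i = 0; isset($config['nat']['rule'][$i]); $i++)` stops at the first missing index, so if the inbound rule list ever has a gap in its numeric keys (the list page removes entries with `unset()`), rules after the gap keep the old external address while `$a_snat[$id]` is replaced, leaving dangling references that the delete-time check in firewall_nat_server.php would no longer catch. Iterating with `foreach ($config['nat']['rule'] as $i => $rule)` and updating `$config['nat']['rule'][$i]['external-address']` covers every entry regardless of keys. Whether `write_config()` or the sort helpers already reindex the array is not visible here, so this may be belt-and-braces, but it costs nothing.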
@@ -0,0 +1,268 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['filter']['rule'])) { + $config['filter']['rule'] = array(); +} +filter_rules_sort(); +$a_filter = &$config['filter']['rule']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_filter[$_GET['id']]) { + unset($a_filter[$_GET['id']]); + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} else if ($_GET['act'] == "down") { + if ($a_filter[$_GET['id']] && $a_filter[$_GET['id']+1]) { + $tmp = $a_filter[$_GET['id']+1]; + $a_filter[$_GET['id']+1] = $a_filter[$_GET['id']]; + $a_filter[$_GET['id']] = $tmp; + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} else if ($_GET['act'] == "up") { + if (($_GET['id'] > 0) && $a_filter[$_GET['id']]) { + $tmp = $a_filter[$_GET['id']-1]; + $a_filter[$_GET['id']-1] = $a_filter[$_GET['id']]; + $a_filter[$_GET['id']] = $tmp; + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} else if ($_GET['act'] == "toggle") { + if ($a_filter[$_GET['id']]) { + $a_filter[$_GET['id']]['disabled'] = !isset($a_filter[$_GET['id']]['disabled']); + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} + +?> + + + +<?=gentitle("Firewall: Rules");?> + + + + + + +

Firewall: Rules

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
'LAN interface', 'wan' => 'WAN interface', 'pptp' => 'PPTP clients'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['name'] . " interface"; + echo htmlspecialchars($iflabels[$filterent['interface']]); ?>
 ProtoSourcePortDestinationPortDescription
+ "; + $textse = ""; + $iconfn .= "_d"; + } else { + $textss = $textse = ""; + } + ?> + + +
+ +
+ + + + + + + + + + +   + + + 0) && ($a_filter[$i-1]['interface'] == $filterent['interface'])): ?> + + + +
+ + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
passblockrejectlog
pass (disabled)block (disabled)reject (disabled)log (disabled)
+
+

+ Hint:
+
rules are evaluated on a first-match basis (i.e. + the action of the first rule to match a packet will be executed). + This means that if you use block rules, you'll have to pay attention + to the rule order. Everything that isn't explicitly passed is blocked + by default.

+
+ + + diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php new file mode 100755 index 0000000..620ea6e --- /dev/null +++ b/usr/local/www/firewall_rules_edit.php 
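Review bot: The `del`/`down`/`up`/`toggle` branches mutate the firewall rule set on a plain GET request using an unvalidated `$_GET['id']`, so any cross-site request that makes a logged-in administrator's browser fetch this page with `act=del` (or `up`/`down`/`toggle`) is enough to delete, reorder or disable a rule; firewall_shaper.php in this commit has the identical dispatch and shares the defect. `$_GET['id']` is used directly as an array index and in `$_GET['id']+1` / `$_GET['id']-1` arithmetic, so a non-numeric value still reaches `$a_filter[...]`. I would gate the whole `act` dispatch with `if (!is_numeric($_GET['id'])) { header("Location: firewall_rules.php"); exit; }` and `$id = (int)$_GET['id'];`, and move these state changes to a POST that carries a per-session token so cross-site requests cannot trigger them. Note also that `unset($a_filter[$_GET['id']])` leaves a gap in the index sequence that the `id+1`/`id-1` swap logic assumes is contiguous, unless `filter_rules_sort()` reindexes on the next load — worth confirming.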
@@ -0,0 +1,773 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$specialsrcdst = explode(" ", "any lan pptp"); + +if (!is_array($config['filter']['rule'])) { + $config['filter']['rule'] = array(); +} +filter_rules_sort(); +$a_filter = &$config['filter']['rule']; + +$id = $_GET['id']; +if (is_numeric($_POST['id'])) + $id = $_POST['id']; + +$after = $_GET['after']; + +if (isset($_POST['after'])) + $after = $_POST['after']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +function is_specialnet($net) { + global $specialsrcdst; + + if (in_array($net, $specialsrcdst) || strstr($net, "opt")) + return true; + else + return false; +} + +function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) { + + if (isset($adr['any'])) + $padr = "any"; + else if ($adr['network']) + $padr = $adr['network']; + else if ($adr['address']) { + list($padr, $pmask) = explode("/", $adr['address']); + if (!$pmask) + $pmask = 32; + } + + if (isset($adr['not'])) + $pnot = 1; + else + $pnot = 0; + + if ($adr['port']) { + list($pbeginport, $pendport) = explode("-", $adr['port']); + if (!$pendport) + $pendport = $pbeginport; + } else { + $pbeginport = "any"; + $pendport = "any"; + } +} + +function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) { + + $adr = array(); + + if ($padr == "any") + $adr['any'] = true; + else if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } + + $adr['not'] = $pnot ? true : false; + + if (($pbeginport != 0) && ($pbeginport != "any")) { + if ($pbeginport != $pendport) + $adr['port'] = $pbeginport . "-" . 
$pendport; + else + $adr['port'] = $pbeginport; + } +} + +if (isset($id) && $a_filter[$id]) { + $pconfig['interface'] = $a_filter[$id]['interface']; + + if (!isset($a_filter[$id]['type'])) + $pconfig['type'] = "pass"; + else + $pconfig['type'] = $a_filter[$id]['type']; + + if (isset($a_filter[$id]['protocol'])) + $pconfig['proto'] = $a_filter[$id]['protocol']; + else + $pconfig['proto'] = "any"; + + if ($a_filter[$id]['protocol'] == "icmp") + $pconfig['icmptype'] = $a_filter[$id]['icmptype']; + + address_to_pconfig($a_filter[$id]['source'], $pconfig['src'], + $pconfig['srcmask'], $pconfig['srcnot'], + $pconfig['srcbeginport'], $pconfig['srcendport']); + + address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'], + $pconfig['dstmask'], $pconfig['dstnot'], + $pconfig['dstbeginport'], $pconfig['dstendport']); + + $pconfig['disabled'] = isset($a_filter[$id]['disabled']); + $pconfig['log'] = isset($a_filter[$id]['log']); + $pconfig['frags'] = isset($a_filter[$id]['frags']); + $pconfig['descr'] = $a_filter[$id]['descr']; + +} else { + /* defaults */ + $pconfig['type'] = "pass"; + $pconfig['src'] = "any"; + $pconfig['dst'] = "any"; +} + +if (isset($_GET['dup'])) + unset($id); + +if ($_POST) { + + if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + + if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport']) + $_POST['srcbeginport'] = $_POST['srcbeginport_cust']; + if ($_POST['srcendport_cust'] && !$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcendport_cust']; + + if ($_POST['srcbeginport'] == "any") { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } else { + if (!$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcbeginport']; + } + if ($_POST['srcendport'] == "any") + $_POST['srcendport'] = $_POST['srcbeginport']; + + if ($_POST['dstbeginport_cust'] && 
!$_POST['dstbeginport']) + $_POST['dstbeginport'] = $_POST['dstbeginport_cust']; + if ($_POST['dstendport_cust'] && !$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstendport_cust']; + + if ($_POST['dstbeginport'] == "any") { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + if (!$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstbeginport']; + } + if ($_POST['dstendport'] == "any") + $_POST['dstendport'] = $_POST['dstbeginport']; + } + + if (is_specialnet($_POST['srctype'])) { + $_POST['src'] = $_POST['srctype']; + $_POST['srcmask'] = 0; + } else if ($_POST['srctype'] == "single") { + $_POST['srcmask'] = 32; + } + if (is_specialnet($_POST['dsttype'])) { + $_POST['dst'] = $_POST['dsttype']; + $_POST['dstmask'] = 0; + } else if ($_POST['dsttype'] == "single") { + $_POST['dstmask'] = 32; + } + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "type interface proto src dst"); + $reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination"); + + if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) { + $reqdfields[] = "srcmask"; + $reqdfieldsn[] = "Source bit count"; + } + if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) { + $reqdfields[] = "dstmask"; + $reqdfieldsn[] = "Destination bit count"; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$_POST['srcbeginport']) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } + if (!$_POST['dstbeginport']) { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } + + if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) { + $input_errors[] = "The start source port must be an integer between 1 and 65535."; + } + if (($_POST['srcendport'] && !is_port($_POST['srcendport']))) { + $input_errors[] = "The end source port must be an integer between 1 and 65535."; + } + if (($_POST['dstbeginport'] && 
!is_port($_POST['dstbeginport']))) { + $input_errors[] = "The start destination port must be an integer between 1 and 65535."; + } + if (($_POST['dstendport'] && !is_port($_POST['dstendport']))) { + $input_errors[] = "The end destination port must be an integer between 1 and 65535."; + } + + if (!is_specialnet($_POST['srctype'])) { + if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) { + $input_errors[] = "A valid source IP address or alias must be specified."; + } + if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { + $input_errors[] = "A valid source bit count must be specified."; + } + } + if (!is_specialnet($_POST['dsttype'])) { + if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) { + $input_errors[] = "A valid destination IP address or alias must be specified."; + } + if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { + $input_errors[] = "A valid destination bit count must be specified."; + } + } + + if ($_POST['srcbeginport'] > $_POST['srcendport']) { + /* swap */ + $tmp = $_POST['srcendport']; + $_POST['srcendport'] = $_POST['srcbeginport']; + $_POST['srcbeginport'] = $tmp; + } + if ($_POST['dstbeginport'] > $_POST['dstendport']) { + /* swap */ + $tmp = $_POST['dstendport']; + $_POST['dstendport'] = $_POST['dstbeginport']; + $_POST['dstbeginport'] = $tmp; + } + + if (!$input_errors) { + $filterent = array(); + $filterent['type'] = $_POST['type']; + $filterent['interface'] = $_POST['interface']; + + if ($_POST['proto'] != "any") + $filterent['protocol'] = $_POST['proto']; + else + unset($filterent['protocol']); + + if ($_POST['proto'] == "icmp" && $_POST['icmptype']) + $filterent['icmptype'] = $_POST['icmptype']; + else + unset($filterent['icmptype']); + + pconfig_to_address($filterent['source'], $_POST['src'], + $_POST['srcmask'], $_POST['srcnot'], + $_POST['srcbeginport'], $_POST['srcendport']); + + pconfig_to_address($filterent['destination'], $_POST['dst'], + $_POST['dstmask'], $_POST['dstnot'], + 
$_POST['dstbeginport'], $_POST['dstendport']); + + $filterent['disabled'] = $_POST['disabled'] ? true : false; + $filterent['log'] = $_POST['log'] ? true : false; + $filterent['frags'] = $_POST['frags'] ? true : false; + $filterent['descr'] = $_POST['descr']; + + if (isset($id) && $a_filter[$id]) + $a_filter[$id] = $filterent; + else { + if (is_numeric($after)) + array_splice($a_filter, $after+1, 0, array($filterent)); + else + $a_filter[] = $filterent; + } + + /* ALTQ */ + $filterent['direction'] = $_POST['direction']; + $filterent['queue'] = $_POST['queue']; + + write_config(); + touch($d_filterconfdirty_path); + + header("Location: firewall_rules.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: Rules: Edit");?> + + + + + + + +

Firewall: Rules: Edit

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Action +
+ Choose what to do with packets that match + the criteria specified below.
+Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.
Disabled + > + Disable this rule
+ Set this option to disable this rule without + removing it from the list.
Interface +
+ Choose on which interface packets must + come in to match this rule.
Protocol +
+ Choose which IP protocol this rule should + match.
+ Hint: in most cases, you should specify TCP  here.
ICMP type + +
+ If you selected ICMP for the protocol above, you may specify an ICMP type here.
Source +> + not
+ Use this option to invert the sense of the match.
+
+ + + + + + + + + +
Type:  
Address:   + / + +
Source port range + + + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the source of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Destination + > + not
+ Use this option to invert the sense of the match.
+
+ + + + + + + + + +
Type:  
Address:   + / +
Destination port + range + + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the destination of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Fragments + > + Allow fragmented packets
+ Hint: this option puts additional load + on the firewall and may make it vulnerable to DoS attacks. + In most cases, it is not needed. Try enabling it if you have + troubles connecting to certain sites.
Log + > + Log packets that are handled by this rule
+ Hint: the firewall has limited local log + space. Don't turn on logging for everything. If you want to + do a lot of logging, consider using a remote syslog server + (see the Diagnostics: System + logs: Settings page).
Description + +
You may enter a description here + for your reference (not parsed).
Traffic Queuing / Shaping + Direction: +
If you need fine grained control on direction, select an option here. +

Queue:
To enable traffic shaping on this rule, select a queue above. +
Automatically create a new queue for this rule. +

  + + + + + +
+
+ + + + diff --git a/usr/local/www/firewall_shaper.php b/usr/local/www/firewall_shaper.php new file mode 100755 index 0000000..242c3ed --- /dev/null +++ b/usr/local/www/firewall_shaper.php 
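Review bot: `is_specialnet()` treats any value containing the substring "opt" as an interface network (`strstr($net, "opt")`), so a `srctype`/`dsttype` such as "optional" or "opt99" is copied into `$_POST['src']`/`$_POST['dst']`, skips the `is_ipaddroranyalias` check entirely, and is stored verbatim in `$adr['network']` for the rule generator to interpret. The check should accept only configured interface names, e.g. `global $specialsrcdst, $config;` and `return in_array($net, $specialsrcdst) || (preg_match('/^opt[0-9]+$/', $net) && isset($config['interfaces'][$net]));`; the same helper is duplicated in firewall_shaper_edit.php. Relatedly, `srcmask`/`dstmask` are only checked with `is_numericint`, so a bit count outside 0–32 passes validation and ends up in the saved address. Separately, the `/* ALTQ */` lines assign `$filterent['direction']` and `$filterent['queue']` after the entry has already been copied into `$a_filter` (PHP arrays copy by value), so those two fields never reach the written config; move the two assignments above the `if (isset($id) && $a_filter[$id])` block.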
@@ -0,0 +1,269 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['pfqueueing']['rule'])) { + $config['pfqueueing']['rule'] = array(); +} +if (!is_array($config['pfqueueing']['pipe'])) { + $config['pfqueueing']['pipe'] = array(); +} +if (!is_array($config['pfqueueing']['queue'])) { + $config['pfqueueing']['queue'] = array(); +} +$a_shaper = &$config['pfqueueing']['rule']; +$a_pipe = &$config['pfqueueing']['pipe']; +$a_queue = &$config['pfqueueing']['queue']; + +$pconfig['enable'] = isset($config['pfqueueing']['enable']); + +if ($_POST) { + + if ($_POST['submit']) { + $pconfig = $_POST; + $config['pfqueueing']['enable'] = $_POST['enable'] ? 
true : false; + write_config(); + } + + if ($_POST['apply'] || $_POST['submit']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = shaper_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_shaperconfdirty_path)) + unlink($d_shaperconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_shaper[$_GET['id']]) { + unset($a_shaper[$_GET['id']]); + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} else if ($_GET['act'] == "down") { + if ($a_shaper[$_GET['id']] && $a_shaper[$_GET['id']+1]) { + $tmp = $a_shaper[$_GET['id']+1]; + $a_shaper[$_GET['id']+1] = $a_shaper[$_GET['id']]; + $a_shaper[$_GET['id']] = $tmp; + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} else if ($_GET['act'] == "up") { + if (($_GET['id'] > 0) && $a_shaper[$_GET['id']]) { + $tmp = $a_shaper[$_GET['id']-1]; + $a_shaper[$_GET['id']-1] = $a_shaper[$_GET['id']]; + $a_shaper[$_GET['id']] = $tmp; + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} else if ($_GET['act'] == "toggle") { + if ($a_shaper[$_GET['id']]) { + $a_shaper[$_GET['id']]['disabled'] = !isset($a_shaper[$_GET['id']]['disabled']); + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: Traffic shaper");?> + + + + + + +

Firewall: Traffic shaper

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+ +
+ + + + + + + +

+ > + Enable traffic shaper
+

+
+  
+ + + + + + + + + + + + + + + + + + + + + + + + + +
IfProtoSourceDestinationTargetDescription
+ "; + $textse = ""; + } else { + $textss = $textse = ""; + } + $iflabels = array('lan' => 'LAN', 'wan' => 'WAN', 'pptp' => 'PPTP'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + echo $textss . htmlspecialchars($iflabels[$shaperent['interface']]); + echo "
"; + echo ""; + if ($shaperent['direction'] != "in") + echo ""; + if ($shaperent['direction'] != "out") + echo ""; + echo "" . $textse;; + ?> +
+ + +
+ Port: + +
+
+ Port: + +
+ {$desc}"; + } else if (isset($shaperent['targetqueue'])) { + if ($a_queue[$shaperent['targetqueue']]['descr']) + $desc = htmlspecialchars($a_queue[$shaperent['targetqueue']]['descr']); + else + $desc = "Queue " . ($shaperent['targetqueue']+1); + echo "{$desc}"; + } + ?> + + +   + 0): ?> + + + +
+ + + + + + + +
+ + + + + + + + + + + + + + + + + + + +
incoming (as seen by firewall)outgoing (as seen by firewall)
incoming (disabled)outgoing (disabled)
+

Note:
+
the first rule that matches a packet will be executed.
+ The following match patterns are not shown in the list above: + IP packet length, TCP flags.

+
+ + + diff --git a/usr/local/www/firewall_shaper_edit.php b/usr/local/www/firewall_shaper_edit.php new file mode 100755 index 0000000..5b0e249 --- /dev/null +++ b/usr/local/www/firewall_shaper_edit.php 
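Review bot: This page reads and writes the rule list under `$config['pfqueueing']['rule']`, while the companion editor added in the same commit (firewall_shaper_edit.php) stores entries under `$config['shaper']['rule']`, so a rule saved from the edit page would not appear in this list nor be toggled, deleted or reordered here unless something outside this commit aliases the two keys. The `$a_pipe`/`$a_queue` references and the `targetqueue` lookup in the table all use the `pfqueueing` subtree, which suggests that is the intended key; either way the two files must agree on one path. A one-line comment at the top, `/* shaper config lives under $config['pfqueueing']; keep firewall_shaper_edit.php in sync */`, would record the decision. Minor: `echo "" . $textse;;` has a stray semicolon, and the opt-interface label here uses `['descr']` where firewall_rules.php uses `['name']` — confirm which field is canonical.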
@@ -0,0 +1,776 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['shaper']['rule'])) { + $config['shaper']['rule'] = array(); +} +$a_shaper = &$config['shaper']['rule']; + +$specialsrcdst = explode(" ", "any lan pptp"); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$after = $_GET['after']; +if (isset($_POST['after'])) + $after = $_POST['after']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +function is_specialnet($net) { + global $specialsrcdst; + + if (in_array($net, $specialsrcdst) || strstr($net, "opt")) + return true; + else + return false; +} + +function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) { + + if (isset($adr['any'])) + $padr = "any"; + else if ($adr['network']) + $padr = $adr['network']; + else if ($adr['address']) { + list($padr, $pmask) = explode("/", $adr['address']); + if (!$pmask) + $pmask = 32; + } + + if (isset($adr['not'])) + $pnot = 1; + else + $pnot = 0; + + if ($adr['port']) { + list($pbeginport, $pendport) = explode("-", $adr['port']); + if (!$pendport) + $pendport = $pbeginport; + } else { + $pbeginport = "any"; + $pendport = "any"; + } +} + +function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) { + + $adr = array(); + + if ($padr == "any") + $adr['any'] = true; + else if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } + + $adr['not'] = $pnot ? true : false; + + if (($pbeginport != 0) && ($pbeginport != "any")) { + if ($pbeginport != $pendport) + $adr['port'] = $pbeginport . "-" . 
$pendport; + else + $adr['port'] = $pbeginport; + } +} + +if (isset($id) && $a_shaper[$id]) { + $pconfig['interface'] = $a_shaper[$id]['interface']; + + if (isset($a_shaper[$id]['protocol'])) + $pconfig['proto'] = $a_shaper[$id]['protocol']; + else + $pconfig['proto'] = "any"; + + address_to_pconfig($a_shaper[$id]['source'], $pconfig['src'], + $pconfig['srcmask'], $pconfig['srcnot'], + $pconfig['srcbeginport'], $pconfig['srcendport']); + + address_to_pconfig($a_shaper[$id]['destination'], $pconfig['dst'], + $pconfig['dstmask'], $pconfig['dstnot'], + $pconfig['dstbeginport'], $pconfig['dstendport']); + + if (isset($a_shaper[$id]['targetpipe'])) { + $pconfig['target'] = "targetpipe:" . $a_shaper[$id]['targetpipe']; + } else if (isset($a_shaper[$id]['targetqueue'])) { + $pconfig['target'] = "targetqueue:" . $a_shaper[$id]['targetqueue']; + } + + $pconfig['direction'] = $a_shaper[$id]['direction']; + $pconfig['iptos'] = $a_shaper[$id]['iptos']; + $pconfig['iplen'] = $a_shaper[$id]['iplen']; + $pconfig['tcpflags'] = $a_shaper[$id]['tcpflags']; + $pconfig['descr'] = $a_shaper[$id]['descr']; + $pconfig['disabled'] = isset($a_shaper[$id]['disabled']); + + if ($pconfig['srcbeginport'] == 0) { + $pconfig['srcbeginport'] = "any"; + $pconfig['srcendport'] = "any"; + } + if ($pconfig['dstbeginport'] == 0) { + $pconfig['dstbeginport'] = "any"; + $pconfig['dstendport'] = "any"; + } + +} else { + /* defaults */ + $pconfig['src'] = "any"; + $pconfig['dst'] = "any"; +} + +if (isset($_GET['dup'])) + unset($id); + +if ($_POST) { + + if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "any")) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + + if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport']) + $_POST['srcbeginport'] = $_POST['srcbeginport_cust']; + if ($_POST['srcendport_cust'] && !$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcendport_cust']; + + if 
($_POST['srcbeginport'] == "any") { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } else { + if (!$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcbeginport']; + } + if ($_POST['srcendport'] == "any") + $_POST['srcendport'] = $_POST['srcbeginport']; + + if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport']) + $_POST['dstbeginport'] = $_POST['dstbeginport_cust']; + if ($_POST['dstendport_cust'] && !$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstendport_cust']; + + if ($_POST['dstbeginport'] == "any") { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + if (!$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstbeginport']; + } + if ($_POST['dstendport'] == "any") + $_POST['dstendport'] = $_POST['dstbeginport']; + } + + if (is_specialnet($_POST['srctype'])) { + $_POST['src'] = $_POST['srctype']; + $_POST['srcmask'] = 0; + } else if ($_POST['srctype'] == "single") { + $_POST['srcmask'] = 32; + } + if (is_specialnet($_POST['dsttype'])) { + $_POST['dst'] = $_POST['dsttype']; + $_POST['dstmask'] = 0; + } else if ($_POST['dsttype'] == "single") { + $_POST['dstmask'] = 32; + } + + $intos = array(); + foreach ($iptos as $tos) { + if ($_POST['iptos_' . $tos] == "on") + $intos[] = $tos; + else if ($_POST['iptos_' . $tos] == "off") + $intos[] = "!" . $tos; + } + $_POST['iptos'] = join(",", $intos); + + $intcpflags = array(); + foreach ($tcpflags as $tcpflag) { + if ($_POST['tcpflags_' . $tcpflag] == "on") + $intcpflags[] = $tcpflag; + else if ($_POST['tcpflags_' . $tcpflag] == "off") + $intcpflags[] = "!" . 
$tcpflag; + } + $_POST['tcpflags'] = join(",", $intcpflags); + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "target proto src dst"); + $reqdfieldsn = explode(",", "Target,Protocol,Source,Destination"); + + if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) { + $reqdfields[] = "srcmask"; + $reqdfieldsn[] = "Source bit count"; + } + if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) { + $reqdfields[] = "dstmask"; + $reqdfieldsn[] = "Destination bit count"; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$_POST['srcbeginport']) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } + if (!$_POST['dstbeginport']) { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } + + if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) { + $input_errors[] = "The start source port must be an integer between 1 and 65535."; + } + if (($_POST['srcendport'] && !is_port($_POST['srcendport']))) { + $input_errors[] = "The end source port must be an integer between 1 and 65535."; + } + if (($_POST['dstbeginport'] && !is_port($_POST['dstbeginport']))) { + $input_errors[] = "The start destination port must be an integer between 1 and 65535."; + } + if (($_POST['dstendport'] && !is_port($_POST['dstendport']))) { + $input_errors[] = "The end destination port must be an integer between 1 and 65535."; + } + + if (!is_specialnet($_POST['srctype'])) { + if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) { + $input_errors[] = "A valid source IP address or alias must be specified."; + } + if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { + $input_errors[] = "A valid source bit count must be specified."; + } + } + if (!is_specialnet($_POST['dsttype'])) { + if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) { + $input_errors[] = "A valid destination IP address or alias must be specified."; + } + 
if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { + $input_errors[] = "A valid destination bit count must be specified."; + } + } + + if ($_POST['srcbeginport'] > $_POST['srcendport']) { + /* swap */ + $tmp = $_POST['srcendport']; + $_POST['srcendport'] = $_POST['srcbeginport']; + $_POST['srcbeginport'] = $tmp; + } + if ($_POST['dstbeginport'] > $_POST['dstendport']) { + /* swap */ + $tmp = $_POST['dstendport']; + $_POST['dstendport'] = $_POST['dstbeginport']; + $_POST['dstbeginport'] = $tmp; + } + + if (($_POST['iplen'] && !preg_match("/^(\d+)(-(\d+))?$/", $_POST['iplen']))) { + $input_errors[] = "The IP packet length must be an integer or a range (from-to)."; + } + + if (!$input_errors) { + $shaperent = array(); + $shaperent['interface'] = $_POST['interface']; + + if ($_POST['proto'] != "any") + $shaperent['protocol'] = $_POST['proto']; + else + unset($shaperent['protocol']); + + pconfig_to_address($shaperent['source'], $_POST['src'], + $_POST['srcmask'], $_POST['srcnot'], + $_POST['srcbeginport'], $_POST['srcendport']); + + pconfig_to_address($shaperent['destination'], $_POST['dst'], + $_POST['dstmask'], $_POST['dstnot'], + $_POST['dstbeginport'], $_POST['dstendport']); + + $shaperent['direction'] = $_POST['direction']; + $shaperent['iplen'] = $_POST['iplen']; + $shaperent['iptos'] = $_POST['iptos']; + $shaperent['tcpflags'] = $_POST['tcpflags']; + $shaperent['descr'] = $_POST['descr']; + $shaperent['disabled'] = $_POST['disabled'] ? true : false; + + list($targettype,$target) = explode(":", $_POST['target']); + $shaperent[$targettype] = $target; + + if (isset($id) && $a_shaper[$id]) + $a_shaper[$id] = $shaperent; + else { + if (is_numeric($after)) + array_splice($a_shaper, $after+1, 0, array($shaperent)); + else + $a_shaper[] = $shaperent; + } + + write_config(); + touch($d_shaperconfdirty_path); + + header("Location: firewall_shaper.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: Traffic shaper: Edit rule");?> + + + + + + + +

Firewall: Traffic shaper: Edit rule

+ + 0)): ?> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Target
+ Choose a pipe or queue where packets that + match this rule should be sent.
Disabled + > + Disable this rule
+ Set this option to disable this rule without removing it from the list.
Interface
+ Choose which interface packets must pass + through to match this rule.
Protocol
Choose which IP protocol + this rule should match.
+ Hint: in most cases, you should specify TCP  here.
Source > + not
+ Use this option to invert the sense of the match.

+ + + + + + + + + +
Type:  
Address:   + / +
Source port range + + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the source of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Destination > + not
+ Use this option to invert the sense of the match.

+ + + + + + + + + +
Type:  
Address:   + / +
Destination port + range + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the destination of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Direction
+ Use this to match only packets travelling in a given direction + on the interface specified above (as seen from the firewall's + perspective).
IP Type of Service (TOS) + + + + + + + + +
+ + > + yes    > + no    > + don't care
+ Use this to match packets according to their IP TOS values. +
IP packet length +
+ Setting this makes the rule match packets of a given length + (either a single value or a range in the syntax from-to, + e.g. 0-80).
TCP flags + + + + + + + + +
+ + > + set    > + cleared    > + don't care
+ Use this to choose TCP flags that must + be set or cleared for this rule to match.
Description +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + +

You need to create a pipe or queue before you can add a new rule.

+ + + + diff --git a/usr/local/www/firewall_shaper_queues.php b/usr/local/www/firewall_shaper_queues.php new file mode 100755 index 0000000..fa60240 --- /dev/null +++ b/usr/local/www/firewall_shaper_queues.php 
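Review bot: In the save branch, `list($targettype,$target) = explode(":", $_POST['target']);` followed by `$shaperent[$targettype] = $target;` lets the submitted string choose which config key is written, while the validation above only requires the field to be non-empty. Only two keys are meaningful — the load path reads back `targetpipe` and `targetqueue` — so the split belongs in the validation block with a check such as `if (!in_array($targettype, array("targetpipe", "targetqueue")) || !is_numericint($target)) $input_errors[] = "A valid target pipe or queue must be specified.";`. The same gap applies to `$_POST['interface']` and `$_POST['direction']`, which are stored without being compared against the values the form offers, and to `$id` / `$_POST['id']`, which index `$a_shaper` without the `is_numericint` guard the masks get. The call-time `&$input_errors` in the `do_input_validation` call is also something current PHP no longer accepts; the queue editor later in this commit has the same construct.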
@@ -0,0 +1,141 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['pfqueueing']['pipe'])) { + $config['pfqueueing']['pipe'] = array(); +} +if (!is_array($config['pfqueueing']['queue'])) { + $config['pfqueueing']['queue'] = array(); +} +$a_queues = &$config['pfqueueing']['queue']; +$a_pipe = &$config['pfqueueing']['pipe']; + +if ($_GET['act'] == "del") { + if ($a_queues[$_GET['id']]) { + /* check that no rule references this queue */ + if (is_array($config['pfqueueing']['rule'])) { + foreach ($config['pfqueueing']['rule'] as $rule) { + if (isset($rule['targetqueue']) && ($rule['targetqueue'] == $_GET['id'])) { + $input_errors[] = "This queue cannot be deleted because it is still referenced by a rule."; + break; + } + } + } + + if (!$input_errors) { + unset($a_queues[$_GET['id']]); + + /* renumber all rules */ + if (is_array($config['pfqueueing']['rule'])) { + for ($i = 0; isset($config['pfqueueing']['rule'][$i]); $i++) { + $currule = &$config['pfqueueing']['rule'][$i]; + if (isset($currule['targetqueue']) && ($currule['targetqueue'] > $_GET['id'])) + $currule['targetqueue']--; + } + } + + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper_queues.php"); + exit; + } + } +} +?> + + + +<?=gentitle("Firewall: Traffic shaper");?> + + + + + + +

Firewall: Traffic shaper Queues

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + +

+ +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
No.PriorityOptionsDescription
+ + + + + +   + +   +  
+

+ Note: a queue can + only be deleted if it is not referenced by any rules.

+
+ + + diff --git a/usr/local/www/firewall_shaper_queues_edit.php b/usr/local/www/firewall_shaper_queues_edit.php new file mode 100755 index 0000000..15e0920 --- /dev/null +++ b/usr/local/www/firewall_shaper_queues_edit.php 
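Review bot: The reference check in the `act == "del"` branch walks `$config['pfqueueing']['rule']`, but the rule editor added in this same commit (firewall_shaper_edit.php) stores its rules under `$config['shaper']['rule']`, so a queue that a rule points at via `targetqueue` can still be deleted and the renumbering loop that follows never sees the rules that actually exist. Both loops and the editor need to agree on one path; whichever array is canonical, the other page should be changed to match. Separately, `$_GET['id']` is used unchecked as the array index and in the `$currule['targetqueue'] > $_GET['id']` comparison, and the whole delete is driven by a plain GET; an `is_numericint($_GET['id'])` guard before the lookup keeps non-numeric ids out of the renumber path, and moving the action to a POST would keep a followed link from rewriting the config.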
@@ -0,0 +1,187 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$a_queues = &$config['pfqueueing']['queue']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_queues[$id]) { + $pconfig['bandwidth'] = $a_queues[$id]['bandwidth'] . 
$a_queues[$id]['bandwidthtype']; + $pconfig['priority'] = $a_queues[$id]['priority']; + $pconfig['mask'] = $a_queues[$id]['mask']; + $pconfig['name'] = $a_queues[$id]['name']; + $pconfig['options'] = $a_queues[$id]['options']; + $pconfig['bandwidth'] = $a_queues[$id]['bandwidth']; + $pconfig['bandwidthtype'] = $a_queues[$id]['bandwidthtype']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "priority"); + $reqdfieldsn = explode(",", "Priority"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['priority'] && (!is_numericint($_POST['priority']) + || ($_POST['priority'] < 1) || ($_POST['priority'] > 100))) { + $input_errors[] = "The priority must be an integer between 1 and 100."; + } + + if (!$input_errors) { + $queue = array(); + + $queue['schedulertype'] = $_POST['scheduler']; + $queue['bandwidth'] = $_POST['bandwidth']; + $queue['priority'] = $_POST['priority']; + $queue['name'] = $_POST['name']; + + $scheduleroptions=""; + if($_POST['red'] == "on") + $scheduleroptions .= "red "; + + if($_POST['ecn'] == "on") + $scheduleroptions .= "ecn "; + + if($_POST['default'] == "on") + $scheduleroptions .= "default"; + + $queue['options'] = $scheduleroptions; + + if (isset($id) && $a_queues[$id]) + $a_queues[$id] = $queue; + else + $a_queues[] = $queue; + + write_config(); + touch($d_shaperconfdirty_path); + + header("Location: firewall_shaper_queues.php"); + exit; + } +} +?> + + + +<?=gentitle("Firewall: Traffic shaper: Edit queue");?> + + + + + + +

Firewall: Traffic shaper: Edit queue

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Bandwidth + +
+ Choose the amount of bandwidth for this queue +
Priority +
Valid range: 1..100.
+ All backlogged (i.e., with packets queued) queues linked to + the same pipe share the pipe's bandwidth proportionally to + their prioritys (higher priority = higher share of bandwidth). + Note that prioritys are not priorities; a queue with a lower + priority is still guaranteed to get its fraction of the bandwidth + even if a queue with a higher priority is permanently backlogged. +
Name +
Enter the name of the queue here. Do not use spaces! +
Scheduler + +
Select which type of queueing you would like to use +
Scheduler options + + > Random Early Detection
+ > Explicit Congestion Notification
+ > Default (Clasee based queueing only)
+
Select options for this queue +
  + + + +
+
+ + + diff --git a/usr/local/www/graph.php b/usr/local/www/graph.php new file mode 100755 index 0000000..7fac8f3 --- /dev/null +++ b/usr/local/www/graph.php 
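Review bot: On save the `$queue` array is rebuilt with only `schedulertype`, `bandwidth`, `priority`, `name` and `options`, while the load path above also reads `bandwidthtype` and `mask` from the entry, so editing an existing queue silently drops those two fields; the first `$pconfig['bandwidth']` assignment (the concatenation with `bandwidthtype`) is overwritten two lines later and is dead code. Either carry them through the POST handler (`$queue['bandwidthtype'] = $_POST['bandwidthtype'];`) or, if the form has no inputs for them, copy them from the existing entry (`$queue['mask'] = $a_queues[$id]['mask'];`). `name` and `bandwidth` are stored without any validation although the form text says "Do not use spaces!"; a check beside the priority check, e.g. `if ($_POST['name'] && !preg_match("/^[a-zA-Z0-9_]+$/", $_POST['name'])) $input_errors[] = "The queue name may only contain letters, digits and underscores.";`, would enforce that before the value reaches the generated shaper configuration. Unlike the list page, `$a_queues` is taken by reference here without the `is_array` initialisation, so the first save on an empty config appears to rely on PHP auto-vivifying the array.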
@@ -0,0 +1,325 @@ +#!/usr/local/bin/php -f + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +// VERSION 1.0.4 + +/********** HTTP GET Based Conf ***********/ +$ifnum=@$_GET["ifnum"]; //BSD / SNMP interface name / number +$ifname=@$_GET["ifname"]?$_GET["ifname"]:"Interface $ifnum"; //Interface name that will be showed on top right of graph + +/********* Other conf *******/ +$scale_type="up"; //Autoscale default setup : "up" = only increase scale; "follow" = increase and decrease scale according to current graphed datas +$nb_plot=120; //NB plot in graph +$time_interval=1; //Refresh time Interval +$first_stage_time_interval=2; //First stage time Intervall + +$urldata=@$_SERVER["SCRIPT_NAME"]; +$fetch_link = "ifstats.cgi?$ifnum"; + +//Style +$style['bg']="fill:white;stroke:none;stroke-width:0;opacity:1;"; +$style['axis']="fill:black;stroke:black;stroke-width:1;"; +$style['in']="fill:#435370; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:7;"; +$style['out']="fill:#8092B3; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:7;"; +$style['graph_in']="fill:none;stroke:#435370;stroke-width:1;opacity:0.8;"; +$style['graph_out']="fill:none;stroke:#8092B3;stroke-width:1;opacity:0.8;"; +$style['legend']="fill:black; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:4;"; +$style['graphname']="fill:#435370; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:8;"; +$style['grid_txt']="fill:gray; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:6;"; +$style['grid']="stroke:gray;stroke-width:1;opacity:0.5;"; +$style['switch_unit']="fill:#435370; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:4; text-decoration:underline;"; +$style['switch_scale']="fill:#435370; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:4; text-decoration:underline;"; +$style['error']="fill:blue; font-family:Arial; font-size:4;"; +$style['collect_initial']="fill:gray; font-family:Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:4;"; + +//Error text if 
we cannot fetch data : depends on which method is used +$error_text = "Cannot get data about interface $ifnum"; + +$height=100; //SVG internal height : do not modify +$width=200; //SVG internal width : do not modify + +/********* Graph DATA **************/ +header("Content-type: image/svg+xml"); +print('' . "\n");?> + + + + + + + + + + + In + Out + + + + Switch to bytes/s + AutoScale () + + Graph shows last seconds + "/> + + + + + + \ No newline at end of file diff --git a/usr/local/www/gui.css b/usr/local/www/gui.css new file mode 100755 index 0000000..3a31c09 --- /dev/null +++ b/usr/local/www/gui.css 
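Review bot: `$ifnum` and `$ifname` are read straight from the query string (`@$_GET["ifnum"]`, `@$_GET["ifname"]`) and then used to build `$fetch_link = "ifstats.cgi?$ifnum"`, `$error_text`, and — per the inline comment — the label drawn on the graph; the SVG body is not legible in this extraction, but anything interpolated into the SVG/ECMAScript output needs escaping for that context. Since the comment describes ifnum as an interface number, constraining it (`if (!is_numeric($ifnum)) $ifnum = 0;` or a check against the configured interfaces) and passing `$ifname` through `htmlspecialchars()` before output would bound what reaches the document. The `@` on the `$_GET` reads only hides the undefined-index notice; `isset($_GET["ifnum"]) ? $_GET["ifnum"] : ...` states the intent without suppressing warnings.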
@@ -0,0 +1,271 @@ +body,td,th,input,select { + font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; + font-size: 11px; +} +form { + margin: 0px; +} +.pgtitle { + font-size: 18px; + color: #777777; + font-weight: bold; +} +.tfrtitle { + font-size: 18px; + color: #ffffff; + font-weight: bold; +} +.vncell { + background-color: #DDDDDD; + padding-right: 20px; + padding-left: 8px; + border-bottom: 1px solid #999999; +} +.formfld { + +} +.formfldalias { + background-color: #e7edf9; +} +.formpre { + font-family: Courier New, Courier, monospaced; + font-size: 10px; +} +.formbtn { + font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; + font-size: 13px; + font-weight: bold; +} +.vvcell { + background-color: #FFFFC6; +} +.errmsg { + font-weight: bold; + color: #CC0000; +} +.red { + color: #CC0000; +} +.gray { + color: #A0A0A0; +} +.vexpl { + font-size: 11px; +} +a { + text-decoration: none; +} +.navlnk { + color: #FFFFFF; + text-decoration: none; + font-size: 13px; +} +.navlnks { + color: #FFFFFF; + text-decoration: none; + font-size: 11px; +} +.tblnk { + color: #FFFFFF; + text-decoration: none; +} +.vncellreq { + background-color: #DDDDDD; + padding-right: 20px; + padding-left: 8px; + font-weight: bold; + border-bottom: 1px solid #999999; +} +.vncellt { + background-color: #DDDDDD; + padding-right: 20px; + padding-left: 8px; + padding-top: 4px; + padding-bottom: 4px; + font-weight: bold; + border-bottom: 1px solid #999999; +} +.vtable { + border-bottom: 1px solid #999999; +} +.vnsepcell { + background-color: #BBBBBB; + padding-right: 20px; + padding-left: 8px; + font-weight: bold; + border-bottom: 1px solid #999999; + font-size: 11px; +} +.cpline { + font-size: 11px; + color: #FFFFFF; +} +.hostname { + font-size: 11px; + color: #FFFFFF; +} +.vnsepcellr { + background-color: #BBBBBB; + padding-right: 20px; + padding-left: 8px; + font-weight: bold; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; +} +.listr { + 
background-color: #FFFFFF; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listrpad { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-right: 16px; + padding-left: 10px; + padding-top: 8px; + padding-bottom: 8px; +} +.listn { + font-size: 11px; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listbg { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #D9DEE8; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listhdr { + background-color: #BBBBBB; + padding-right: 16px; + padding-left: 6px; + font-weight: bold; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-top: 5px; + padding-bottom: 5px; +} +.listhdrr { + background-color: #BBBBBB; + padding-right: 16px; + padding-left: 6px; + font-weight: bold; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-top: 5px; + padding-bottom: 5px; +} +.listlr { + background-color: #FFFFFF; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + border-left: 1px solid #999999; + font-size: 11px; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listlrns { + background-color: #FFFFFF; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + border-left: 1px solid #999999; + font-size: 11px; + padding-top: 4px; + padding-bottom: 4px; +} +.list { + font-size: 11px; + padding-left: 6px; + padding-top: 2px; + padding-bottom: 2px; +} +.listt { + font-size: 11px; + padding-top: 5px; + padding-left: 4px; +} +.listhdrrns { + background-color: #BBBBBB; + padding-left: 6px; + padding-top: 5px; + padding-bottom: 5px; + padding-right: 6px; + font-weight: bold; + border-right: 1px 
solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; +} +.listbgns { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #D9DEE8; + padding-left: 6px; + padding-right: 4px; + padding-top: 4px; + padding-bottom: 4px; +} +.listtopic { + border-right: 1px solid #999999; + font-size: 11px; + background-color: #435370; + padding-right: 16px; + padding-left: 6px; + color: #FFFFFF; + font-weight: bold; + padding-top: 5px; + padding-bottom: 5px; +} +ul#tabnav { + font-size: 11px; + font-weight: bold; + list-style-type: none; + margin: 0; + padding: 0; +} +ul#tabnav li.tabinact { + float: left; + border-left: 1px solid #999999; + background-color: #777777; + color: #FFFFFF; + padding: 0; + white-space: nowrap; +} +ul#tabnav li.tabinact a { + float: left; + display: block; + text-decoration: none; + padding: 5px 8px 5px 8px; + color: #FFFFFF; +} +ul#tabnav li.tabact { + float: left; + background-color: #EEEEEE; + color: #000000; + padding: 5px 8px 5px 8px; + white-space: nowrap; +} +.tabcont { + background-color: #EEEEEE; + padding-right: 12px; + padding-left: 12px; + padding-top: 12px; + padding-bottom: 12px; +} diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc new file mode 100755 index 0000000..8efccfb --- /dev/null +++ b/usr/local/www/guiconfig.inc 
@@ -0,0 +1,442 @@
+.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* make sure nothing is cached */
+if (!$omit_nocacheheaders) {
+ header("Expires: 0");
+ header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+ header("Cache-Control: no-store, no-cache, must-revalidate");
+ header("Cache-Control: post-check=0, pre-check=0", false);
+ header("Pragma: no-cache");
+}
+
+/* parse the configuration and include all configuration functions */
+require_once("config.inc");
+require_once("functions.inc");
+
+$d_natconfdirty_path = $g['varrun_path'] . "/nat.conf.dirty";
+$d_filterconfdirty_path = $g['varrun_path'] . "/filter.conf.dirty";
+$d_ipsecconfdirty_path = $g['varrun_path'] . "/ipsec.conf.dirty";
+$d_shaperconfdirty_path = $g['varrun_path'] . "/shaper.conf.dirty";
+$d_pptpuserdirty_path = $g['varrun_path'] . "/pptpd.user.dirty";
+$d_hostsdirty_path = $g['varrun_path'] . "/hosts.dirty";
+$d_staticmapsdirty_path = $g['varrun_path'] . "/staticmaps.dirty";
+$d_staticroutesdirty_path = $g['varrun_path'] . "/staticroutes.dirty";
+$d_aliasesdirty_path = $g['varrun_path'] . "/aliases.dirty";
+$d_proxyarpdirty_path = $g['varrun_path'] . "/proxyarp.dirty";
+$d_fwupenabled_path = $g['varrun_path'] . "/fwup.enabled";
+$d_firmwarelock_path = $g['varrun_path'] . "/firmware.lock";
+$d_sysrebootreqd_path = $g['varrun_path'] . "/sysreboot.reqd";
+$d_passthrumacsdirty_path = $g['varrun_path'] . "/passthrumacs.dirty";
+$d_allowedipsdirty_path = $g['varrun_path'] . "/allowedips.dirty";
+$d_ovpnclidirty_path = $g['varrun_path'] . "/ovpnclient.dirty";
+
+if (file_exists($d_firmwarelock_path)) {
+ if (!$d_isfwfile) {
+ header("Location: system_firmware.php");
+ exit;
+ } else {
+ return;
+ }
+}
+
+/* some well knows ports */
+$wkports = array(21 => "FTP", 22 => "SSH", 23 => "Telnet", 25 => "SMTP", 53 => "DNS", 80 => "HTTP",
+ 110 => "POP3", 143 => "IMAP", 443 => "HTTPS");
+
+$iptos = array("lowdelay", "throughput", "reliability", "mincost", "congestion");
+/* TCP flags */
+$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
+
+$specialnets = array("lan" => "LAN net", "pptp" => "PPTP clients");
+
+for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
+ $specialnets['opt' . $i] = $config['interfaces']['opt' . $i]['descr'] . " net";
+}
+
+$medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex",
+ "100half" => "100BASE-TX half-duplex", "10full" => "10BASE-T full-duplex",
+ "10half" => "10BASE-T half-duplex");
+
+/* platforms that support firmware updating */
+$fwupplatforms = array('net45xx', 'net48xx', 'generic-pc', 'wrap');
+
+/* IPsec defines */
+$my_identifier_list = array('myaddress' => 'My IP address',
+ 'address' => 'IP address',
+ 'fqdn' => 'Domain name',
+ 'user_fqdn' => 'User FQDN');
+
+$p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish',
+ 'cast128' => 'CAST128');
+$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish',
+ 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)');
+$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5');
+$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5');
+$p2_protos = array('esp' => 'ESP', 'ah' => 'AH');
+$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5');
+
+function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) {
+
+ /* check for bad control characters */
+ foreach ($postdata as $pn => $pd) {
+ if (is_string($pd) && preg_match("/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]/", $pd)) {
+ $input_errors[] = "The field '" . $pn . "' contains invalid characters.";
+ }
+ }
+
+ for ($i = 0; $i < count($reqdfields); $i++) {
+ if (!$_POST[$reqdfields[$i]]) {
+ $input_errors[] = "The field '" . $reqdfieldsn[$i] . "' is required.";
+ }
+ }
+}
+
+function print_input_errors($input_errors) {
+ echo "

\n"; + echo "\n"; + echo "
"; + + echo "

The following input errors were detected:

    \n"; + foreach ($input_errors as $ierr) { + echo "
  • " . htmlspecialchars($ierr) . "
  • \n"; + } + echo "
"; + + echo "

"; +} + +function exec_rc_script($scriptname) { + + global $d_sysrebootreqd_path; + + if (file_exists($d_sysrebootreqd_path)) + return 0; + + exec($scriptname . " >/dev/null 2>&1", $execoutput, $retval); + return $retval; +} + +function exec_rc_script_async($scriptname) { + + global $d_sysrebootreqd_path; + + if (file_exists($d_sysrebootreqd_path)) + return 0; + + exec("nohup " . $scriptname . " >/dev/null 2>&1 &", $execoutput, $retval); + return $retval; +} + +function verify_gzip_file($fname) { + + $returnvar = mwexec("/usr/bin/gunzip -S \"\" -t " . escapeshellarg($fname)); + if ($returnvar != 0) + return 0; + else + return 1; +} + +function print_info_box_np($msg) { + echo "\n"; + echo "\n"; + echo "
"; + echo $msg; + echo "
"; +} + +function print_info_box($msg) { + echo "

"; + print_info_box_np($msg); + echo "

";
+}
+
+function format_bytes($bytes) {
+ if ($bytes >= 1073741824) {
+ return sprintf("%.2f GB", $bytes/1073741824);
+ } else if ($bytes >= 1048576) {
+ return sprintf("%.2f MB", $bytes/1048576);
+ } else if ($bytes >= 1024) {
+ return sprintf("%.0f KB", $bytes/1024);
+ } else {
+ return sprintf("%d bytes", $bytes);
+ }
+}
+
+function get_std_save_message($ok) {
+ global $d_sysrebootreqd_path;
+
+ if ($ok == 0) {
+ if (file_exists($d_sysrebootreqd_path))
+ return "The changes have been saved. You must reboot your firewall for changes to take effect.";
+ else
+ return "The changes have been applied successfully.";
+ } else {
+ return "ERROR: the changes could not be applied (error code $ok).";
+ }
+}
+
+function pprint_address($adr) {
+ global $specialnets;
+
+ if (isset($adr['any'])) {
+ $padr = "*";
+ } else if ($adr['network']) {
+ $padr = $specialnets[$adr['network']];
+ } else {
+ $padr = $adr['address'];
+ }
+
+ if (isset($adr['not']))
+ $padr = "! " . $padr;
+
+ return $padr;
+}
+
+function pprint_port($port) {
+ global $wkports;
+
+ $pport = "";
+
+ if (!$port)
+ echo "*";
+ else {
+ $srcport = explode("-", $port);
+ if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ $pport = $srcport[0];
+ if ($wkports[$srcport[0]]) {
+ $pport .= " (" . $wkports[$srcport[0]] . ")";
+ }
+ } else
+ $pport .= $srcport[0] . " - " . $srcport[1];
+ }
+
+ return $pport;
+}
+
+/* sort by interface only, retain the original order of rules that apply to
+ the same interface */
+function filter_rules_sort() {
+ global $g, $config;
+
+ /* mark each rule with the sequence number (to retain the order while sorting) */
+ for ($i = 0; isset($config['filter']['rule'][$i]); $i++)
+ $config['filter']['rule'][$i]['seq'] = $i;
+
+ function filtercmp($a, $b) {
+ if ($a['interface'] == $b['interface'])
+ return $a['seq'] - $b['seq'];
+ else
+ return -strcmp($a['interface'], $b['interface']);
+ }
+
+ usort($config['filter']['rule'], "filtercmp");
+
+ /* strip the sequence numbers again */
+ for ($i = 0; isset($config['filter']['rule'][$i]); $i++)
+ unset($config['filter']['rule'][$i]['seq']);
+}
+
+function nat_rules_sort() {
+ global $g, $config;
+
+ function natcmp($a, $b) {
+ if ($a['external-address'] == $b['external-address']) {
+ if ($a['protocol'] == $b['protocol']) {
+ if ($a['external-port'] == $b['external-port']) {
+ return 0;
+ } else {
+ return ($a['external-port'] - $b['external-port']);
+ }
+ } else {
+ return strcmp($a['protocol'], $b['protocol']);
+ }
+ } else if (!$a['external-address'])
+ return 1;
+ else if (!$b['external-address'])
+ return -1;
+ else
+ return ipcmp($a['external-address'], $b['external-address']);
+ }
+
+ usort($config['nat']['rule'], "natcmp");
+}
+
+function nat_1to1_rules_sort() {
+ global $g, $config;
+
+ function nat1to1cmp($a, $b) {
+ return ipcmp($a['external'], $b['external']);
+ }
+
+ usort($config['nat']['onetoone'], "nat1to1cmp");
+}
+
+function nat_server_rules_sort() {
+ global $g, $config;
+
+ function natservercmp($a, $b) {
+ return ipcmp($a['ipaddr'], $b['ipaddr']);
+ }
+
+ usort($config['nat']['servernat'], "natservercmp");
+}
+
+function nat_out_rules_sort() {
+ global $g, $config;
+
+ function natoutcmp($a, $b) {
+ return strcmp($a['source']['network'], $b['source']['network']);
+ }
+
+ usort($config['nat']['advancedoutbound']['rule'], "natoutcmp");
+}
+
+function pptpd_users_sort() {
+ global $g, $config;
+
+ function usercmp($a, $b) {
+ return strcasecmp($a['name'], $b['name']);
+ }
+
+ usort($config['pptpd']['user'], "usercmp");
+}
+
+function staticroutes_sort() {
+ global $g, $config;
+
+ function staticroutecmp($a, $b) {
+ return strcmp($a['network'], $b['network']);
+ }
+
+ usort($config['staticroutes']['route'], "staticroutecmp");
+}
+
+function hosts_sort() {
+ global $g, $config;
+
+ function hostcmp($a, $b) {
+ return strcasecmp($a['host'], $b['host']);
+ }
+
+ usort($config['dnsmasq']['hosts'], "hostcmp");
+}
+
+function staticmaps_sort($if) {
+ global $g, $config;
+
+ function staticmapcmp($a, $b) {
+ return ipcmp($a['ipaddr'], $b['ipaddr']);
+ }
+
+ usort($config['dhcpd'][$if]['staticmap'], "staticmapcmp");
+}
+
+function aliases_sort() {
+ global $g, $config;
+
+ function aliascmp($a, $b) {
+ return strcmp($a['name'], $b['name']);
+ }
+
+ usort($config['aliases']['alias'], "aliascmp");
+}
+
+function ipsec_mobilekey_sort() {
+ global $g, $config;
+
+ function mobilekeycmp($a, $b) {
+ return strcmp($a['ident'][0], $b['ident'][0]);
+ }
+
+ usort($config['ipsec']['mobilekey'], "mobilekeycmp");
+}
+
+function proxyarp_sort() {
+ global $g, $config;
+
+ function proxyarpcmp($a, $b) {
+ if (isset($a['network']))
+ list($ast,$asn) = explode("/", $a['network']);
+ else if (isset($a['range'])) {
+ $ast = $a['range']['from'];
+ $asn = 32;
+ }
+ if (isset($b['network']))
+ list($bst,$bsn) = explode("/", $b['network']);
+ else if (isset($b['range'])) {
+ $bst = $b['range']['from'];
+ $bsn = 32;
+ }
+ if (ipcmp($ast, $bst) == 0)
+ return ($asn - $bsn);
+ else
+ return ipcmp($ast, $bst);
+ }
+
+ usort($config['proxyarp']['proxyarpnet'], "proxyarpcmp");
+}
+
+function passthrumacs_sort() {
+ global $g, $config;
+
+ function passthrumacscmp($a, $b) {
+ return strcmp($a['mac'], $b['mac']);
+ }
+
+ usort($config['captiveportal']['passthrumac'],"passthrumacscmp");
+}
+
+function allowedips_sort() {
+ global $g, $config;
+
+ function allowedipscmp($a, $b) {
+ return strcmp($a['ip'], $b['ip']);
+ }
+
+ usort($config['captiveportal']['allowedip'],"allowedipscmp");
+}
+
+function wol_sort() {
+ global $g, $config;
+
+ function wolcmp($a, $b) {
+ return strcmp($a['descr'], $b['descr']);
+ }
+
+ usort($config['wol']['wolentry'], "wolcmp");
+}
+
+function gentitle($pgname) {
+ global $config;
+ return $config['system']['hostname'] . "." . $config['system']['domain'] . " - " . $pgname;
+}
+
+?>
diff --git a/usr/local/www/ifstats.cgi b/usr/local/www/ifstats.cgi
new file mode 100755
index 0000000..944e95e
Binary files /dev/null and b/usr/local/www/ifstats.cgi differ
diff --git a/usr/local/www/index.php b/usr/local/www/index.php
new file mode 100755
index 0000000..ecaef0c
--- /dev/null
+++ b/usr/local/www/index.php
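Review bot: `do_input_validation` takes `$input_errors` by value, so the messages it appends are discarded unless every caller resorts to call-time pass-by-reference, which interfaces.php does (`&$input_errors`) and which PHP deprecates; declare it in the signature instead, `function do_input_validation($postdata, $reqdfields, $reqdfieldsn, &$input_errors) {`, and test `$postdata[$reqdfields[$i]]` rather than reaching for `$_POST` so the parameter is actually honoured. The comparator helpers in the `*_sort` functions are declared as nested functions (`function filtercmp` inside `filter_rules_sort`, likewise natcmp, nat1to1cmp, usercmp, proxyarpcmp and the rest), so a second call to any of these within one request is a fatal redeclaration; hoisting them to file scope removes that trap. In `pprint_port` the empty-port branch does `echo "*"` instead of `$pport = "*"`, so the caller gets "" back and the asterisk lands wherever the output cursor happens to be. `exec_rc_script`/`exec_rc_script_async` pass `$scriptname` to the shell unquoted while `verify_gzip_file` wraps its argument in `escapeshellarg`; a header comment such as `/* $scriptname must be a fixed, literal script path; it is passed to the shell as-is */` would make the contract explicit to future callers.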
@@ -0,0 +1,180 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +/* find out whether there's hardware encryption (hifn) */ +unset($hwcrypto); +$fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r"); +if ($fd) { + while (!feof($fd)) { + $dmesgl = fgets($fd); + if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) { + $hwcrypto = $matches[1]; + break; + } + } + fclose($fd); +} + +?> + + + +<?=gentitle("m0n0wall webGUI");?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 
System information
Name + +
Version + +
+ built on + +
Platform + +
Hardware crypto + +
Uptime + 60) + $uptime += 30; + $updays = (int)($uptime / 86400); + $uptime %= 86400; + $uphours = (int)($uptime / 3600); + $uptime %= 3600; + $upmins = (int)($uptime / 60); + + $uptimestr = ""; + if ($updays > 1) + $uptimestr .= "$updays days, "; + else if ($updays > 0) + $uptimestr .= "1 day, "; + $uptimestr .= sprintf("%02d:%02d", $uphours, $upmins); + echo htmlspecialchars($uptimestr); + ?> +
Last config change + +
CPU usage +"; +echo ""; +echo ""; +echo " "; +echo $cpuUsage . "%"; +?> +
Memory usage +"; +echo ""; +echo ""; +echo " "; +echo $memUsage . "%"; +?> +
+ + + diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php new file mode 100755 index 0000000..b4cc30b --- /dev/null +++ b/usr/local/www/interfaces.php 
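Review bot: The `$hwcrypto` value is captured from dmesg.boot with `(.*?),` and, judging by the "Hardware crypto" row, rendered into the status table, but the rendered cell is not recoverable in this view so I cannot confirm it passes through `htmlspecialchars` the way `$uptimestr` does; echoing it as `htmlspecialchars($hwcrypto)` keeps the dmesg text as data rather than markup. The same applies to `$cpuUsage` and `$memUsage`, whose origin is outside the recoverable text — if they are not guaranteed numeric, cast them with `(int)` before they are echoed with the `"%"` suffix.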
@@ -0,0 +1,630 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require("guiconfig.inc");
+
+$wancfg = &$config['interfaces']['wan'];
+$optcfg = &$config['interfaces']['wan'];
+
+$pconfig['username'] = $config['pppoe']['username'];
+$pconfig['password'] = $config['pppoe']['password'];
+$pconfig['provider'] = $config['pppoe']['provider'];
+$pconfig['pppoe_dialondemand'] = $config['pppoe']['ondemand'];
+$pconfig['pppoe_idletimeout'] = $config['pppoe']['timeout'];
+
+$pconfig['pptp_username'] = $config['pptp']['username'];
+$pconfig['pptp_password'] = $config['pptp']['password'];
+$pconfig['pptp_local'] = $config['pptp']['local'];
+$pconfig['pptp_subnet'] = $config['pptp']['subnet'];
+$pconfig['pptp_remote'] = $config['pptp']['remote'];
+$pconfig['pptp_dialondemand'] = $config['pptp']['ondemand'];
+$pconfig['pptp_idletimeout'] = $config['pptp']['timeout'];
+
+$pconfig['bigpond_username'] = $config['bigpond']['username'];
+$pconfig['bigpond_password'] = $config['bigpond']['password'];
+$pconfig['bigpond_authserver'] = $config['bigpond']['authserver'];
+$pconfig['bigpond_authdomain'] = $config['bigpond']['authdomain'];
+$pconfig['bigpond_minheartbeatinterval'] = $config['bigpond']['minheartbeatinterval'];
+
+$pconfig['dhcphostname'] = $wancfg['dhcphostname'];
+
+if ($wancfg['ipaddr'] == "dhcp") {
+ $pconfig['type'] = "DHCP";
+} else if ($wancfg['ipaddr'] == "pppoe") {
+ $pconfig['type'] = "PPPoE";
+} else if ($wancfg['ipaddr'] == "pptp") {
+ $pconfig['type'] = "PPTP";
+} else if ($wancfg['ipaddr'] == "bigpond") {
+ $pconfig['type'] = "BigPond";
+} else {
+ $pconfig['type'] = "Static";
+ $pconfig['ipaddr'] = $wancfg['ipaddr'];
+ $pconfig['subnet'] = $wancfg['subnet'];
+ $pconfig['gateway'] = $wancfg['gateway'];
+}
+
+$pconfig['blockpriv'] = isset($wancfg['blockpriv']);
+$pconfig['spoofmac'] = $wancfg['spoofmac'];
+$pconfig['mtu'] = $wancfg['mtu'];
+
+/* Wireless interface? */
+if (isset($optcfg['wireless'])) {
+ require("interfaces_wlan.inc");
+ wireless_config_init();
+}
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if ($_POST['type'] == "Static") {
+ $reqdfields = explode(" ", "ipaddr subnet gateway");
+ $reqdfieldsn = explode(",", "IP address,Subnet bit count,Gateway");
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ } else if ($_POST['type'] == "PPPoE") {
+ if ($_POST['pppoe_dialondemand']) {
+ $reqdfields = explode(" ", "username password pppoe_dialondemand pppoe_idletimeout");
+ $reqdfieldsn = explode(",", "PPPoE username,PPPoE password,Dial on demand,Idle timeout value");
+ } else {
+ $reqdfields = explode(" ", "username password");
+ $reqdfieldsn = explode(",", "PPPoE username,PPPoE password");
+ }
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ } else if ($_POST['type'] == "PPTP") {
+ if ($_POST['pptp_dialondemand']) {
+ $reqdfields = explode(" ", "pptp_username pptp_password pptp_local pptp_subnet pptp_remote pptp_dialondemand pptp_idletimeout");
+ $reqdfieldsn = explode(",", "PPTP username,PPTP password,PPTP local IP address,PPTP subnet,PPTP remote IP address,Dial on demand,Idle timeout value");
+ } else {
+ $reqdfields = explode(" ", "pptp_username pptp_password pptp_local pptp_subnet pptp_remote");
+ $reqdfieldsn = explode(",", "PPTP username,PPTP password,PPTP local IP address,PPTP subnet,PPTP remote IP address");
+ }
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ } else if ($_POST['type'] == "BigPond") {
+ $reqdfields = explode(" ", "bigpond_username bigpond_password");
+ $reqdfieldsn = explode(",", "BigPond username,BigPond password");
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ }
+
+ if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) {
+ $input_errors[] = "A valid IP address must be specified.";
+ }
+ if (($_POST['subnet'] && !is_numeric($_POST['subnet']))) {
+ $input_errors[] = "A valid subnet bit count must be specified.";
+ }
+ if (($_POST['gateway'] && !is_ipaddr($_POST['gateway']))) {
+ $input_errors[] = "A valid gateway must be specified.";
+ }
+ if (($_POST['provider'] && !is_domain($_POST['provider']))) {
+ $input_errors[] = "The service name contains invalid characters.";
+ }
+ if ($_POST['pppoe_idletimeout'] && !is_numericint($_POST['pppoe_idletimeout'])) {
+ $input_errors[] = "The idle timeout value must be an integer.";
+ }
+ if (($_POST['pptp_local'] && !is_ipaddr($_POST['pptp_local']))) {
+ $input_errors[] = "A valid PPTP local IP address must be specified.";
+ }
+ if (($_POST['pptp_subnet'] && !is_numeric($_POST['pptp_subnet']))) {
+ $input_errors[] = "A valid PPTP subnet bit count must be specified.";
+ }
+ if (($_POST['pptp_remote'] && !is_ipaddr($_POST['pptp_remote']))) {
+ $input_errors[] = "A valid PPTP remote IP address must be specified.";
+ }
+ if ($_POST['pptp_idletimeout'] && !is_numericint($_POST['pptp_idletimeout'])) {
+ $input_errors[] = "The idle timeout value must be an integer.";
+ }
+ if (($_POST['bigpond_authserver'] && !is_domain($_POST['bigpond_authserver']))) {
+ $input_errors[] = "The authentication server name contains invalid characters.";
+ }
+ if (($_POST['bigpond_authdomain'] && !is_domain($_POST['bigpond_authdomain']))) {
+ $input_errors[] = "The authentication domain name contains invalid characters.";
+ }
+ if ($_POST['bigpond_minheartbeatinterval'] && !is_numericint($_POST['bigpond_minheartbeatinterval'])) {
+ $input_errors[] = "The minimum heartbeat interval must be an integer.";
+ }
+ if (($_POST['spoofmac'] && !is_macaddr($_POST['spoofmac']))) {
+ $input_errors[] = "A valid MAC address must be specified.";
+ }
+ if ($_POST['mtu'] && (($_POST['mtu'] < 576) || ($_POST['mtu'] > 1500))) {
+ $input_errors[] = "The MTU must be between 576 and 1500 bytes.";
+ }
+
+ /* Wireless interface? */
+ if (isset($optcfg['wireless'])) {
+ $wi_input_errors = wireless_config_post();
+ if ($wi_input_errors) {
+ $input_errors = array_merge($input_errors, $wi_input_errors);
+ }
+ }
+
+ if (!$input_errors) {
+
+ unset($wancfg['ipaddr']);
+ unset($wancfg['subnet']);
+ unset($wancfg['gateway']);
+ unset($wancfg['dhcphostname']);
+ unset($config['pppoe']['username']);
+ unset($config['pppoe']['password']);
+ unset($config['pppoe']['provider']);
+ unset($config['pppoe']['ondemand']);
+ unset($config['pppoe']['timeout']);
+ unset($config['pptp']['username']);
+ unset($config['pptp']['password']);
+ unset($config['pptp']['local']);
+ unset($config['pptp']['subnet']);
+ unset($config['pptp']['remote']);
+ unset($config['pptp']['ondemand']);
+ unset($config['pptp']['timeout']);
+ unset($config['bigpond']['username']);
+ unset($config['bigpond']['password']);
+ unset($config['bigpond']['authserver']);
+ unset($config['bigpond']['authdomain']);
+ unset($config['bigpond']['minheartbeatinterval']);
+
+ if ($_POST['type'] == "Static") {
+ $wancfg['ipaddr'] = $_POST['ipaddr'];
+ $wancfg['subnet'] = $_POST['subnet'];
+ $wancfg['gateway'] = $_POST['gateway'];
+ } else if ($_POST['type'] == "DHCP") {
+ $wancfg['ipaddr'] = "dhcp";
+ $wancfg['dhcphostname'] = $_POST['dhcphostname'];
+ } else if ($_POST['type'] == "PPPoE") {
+ $wancfg['ipaddr'] = "pppoe";
+ $config['pppoe']['username'] = $_POST['username'];
+ $config['pppoe']['password'] = $_POST['password'];
+ $config['pppoe']['provider'] = $_POST['provider'];
+ $config['pppoe']['ondemand'] = $_POST['pppoe_dialondemand'];
+ $config['pppoe']['timeout'] = $_POST['pppoe_idletimeout'];
+ } else if ($_POST['type'] == "PPTP") {
+ $wancfg['ipaddr'] = "pptp";
+ $config['pptp']['username'] = $_POST['pptp_username'];
+ $config['pptp']['password'] = $_POST['pptp_password'];
+ $config['pptp']['local'] = $_POST['pptp_local'];
+ $config['pptp']['subnet'] = $_POST['pptp_subnet'];
+ $config['pptp']['remote'] = $_POST['pptp_remote'];
+ $config['pptp']['ondemand'] = $_POST['pptp_dialondemand'];
+ $config['pptp']['timeout'] = $_POST['pptp_idletimeout'];
+ } else if ($_POST['type'] == "BigPond") {
+ $wancfg['ipaddr'] = "bigpond";
+ $config['bigpond']['username'] = $_POST['bigpond_username'];
+ $config['bigpond']['password'] = $_POST['bigpond_password'];
+ $config['bigpond']['authserver'] = $_POST['bigpond_authserver'];
+ $config['bigpond']['authdomain'] = $_POST['bigpond_authdomain'];
+ $config['bigpond']['minheartbeatinterval'] = $_POST['bigpond_minheartbeatinterval'];
+ }
+
+ $wancfg['blockpriv'] = $_POST['blockpriv'] ? true : false;
+ $wancfg['spoofmac'] = $_POST['spoofmac'];
+ $wancfg['mtu'] = $_POST['mtu'];
+
+ write_config();
+
+ $retval = 0;
+ if (!file_exists($d_sysrebootreqd_path)) {
+ config_lock();
+ $retval = interfaces_wan_configure();
+ config_unlock();
+ }
+ $savemsg = get_std_save_message($retval);
+ }
+}
+?>
+
+
+
+<?=gentitle("Interfaces: WAN");?>
+
+
+
+
+
+
+
+

Interfaces: WAN

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type
General configuration
MAC address +
+ This field can be used to modify ("spoof") the MAC + address of the WAN interface
+ (may be required with some cable connections)
+ Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx + or leave blank
MTU +
+ If you enter a value in this field, then MSS clamping for + TCP connections to the value entered above minus 40 (TCP/IP + header size) will be in effect. If you leave this field blank, + an MTU of 1492 bytes for PPPoE and 1500 bytes for all other + connection types will be assumed.
Static IP configuration
IP address + / +
Gateway +
DHCP client configuration
Hostname +
+ The value in this field is sent as the DHCP client identifier + and hostname when requesting a DHCP lease. Some ISPs may require + this (for client identification).
PPPoE configuration
Username +
Password +
Service name +
Hint: this field can usually be left + empty
Dial on demand onClick="enable_change(false)" > + Enable Dial-On-Demand mode
+ This option causes the interface to operate in dial-on-demand mode, allowing you to have a virtual full time connection. The interface is configured, but the actual connection of the link is delayed until qualifying outgoing traffic is detected.
Idle timeout + + seconds
+ If no qualifying outgoing packets are transmitted for the specified number of seconds, the connection is brought down. An idle timeout of zero disables this feature.
PPTP configuration
Username +
Password +
Local IP address + / +
Remote IP address +
Dial on demand onClick="enable_change_pptp(false)" > + Enable Dial-On-Demand mode
+ This option causes the interface to operate in dial-on-demand mode, allowing you to have a virtual full time connection. The interface is configured, but the actual connection of the link is delayed until qualifying outgoing traffic is detected.
Idle timeout + + seconds
+ If no qualifying outgoing packets are transmitted for the specified number of seconds, the connection is brought down. An idle timeout of zero disables this feature.
BigPond Cable configuration
Username +
Password +
Authentication server +
+ If this field is left empty, the default ("dce-server") is used.
Authentication domain +
+ If this field is left empty, the domain name assigned via DHCP will be used.
+
+ Note: the BigPond client implicitly sets the "Allow DNS server list to be overridden by DHCP/PPP on WAN" on the System: General setup page.
Min. heartbeat interval + + seconds
+ Setting this to a sensible value (e.g. 60 seconds) can protect against DoS attacks.
  > + Block private networks
+ When set, this option blocks traffic from IP addresses that + are reserved for private
+ networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as + well as loopback addresses
+ (127/8). You should generally leave this option turned on, + unless your WAN network
+ lies in such a private address space, too.
   
+
+
+ + + + diff --git a/usr/local/www/interfaces_assign.php b/usr/local/www/interfaces_assign.php new file mode 100755 index 0000000..0f57d30 --- /dev/null +++ b/usr/local/www/interfaces_assign.php 
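Review bot: The prefix-length checks accept any numeric string — `if (($_POST['subnet'] && !is_numeric($_POST['subnet'])))` and the parallel `pptp_subnet` check — so values such as "1.5", "-3" or "99" pass validation and are written unchanged to `$wancfg['subnet']` / `$config['pptp']['subnet']`; a subnet bit count must be an integer in range, e.g. `if ($_POST['subnet'] && (!is_numericint($_POST['subnet']) || $_POST['subnet'] < 1 || $_POST['subnet'] > 32)) {` with the same shape for `pptp_subnet`. The `mtu` check a few lines below (presence test followed by a range test) is the pattern already in this file to follow. Separately, `$optcfg = &$config['interfaces']['wan'];` aliases the same array as `$wancfg` under a name that suggests an OPT interface and is only read for `isset($optcfg['wireless'])`; either use `$wancfg['wireless']` directly or add a comment such as `/* $optcfg is kept for parity with interfaces_opt.php; both refer to the WAN block here */` so the duplicate reference is not mistaken for a copy-paste error.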
@@ -0,0 +1,265 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +/* + In this file, "port" refers to the physical port name, + while "interface" refers to LAN, WAN, or OPTn. +*/ + +/* get list without VLAN interfaces */ +$portlist = get_interface_list(); + +/* add VLAN interfaces */ +if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) { + $i = 0; + foreach ($config['vlans']['vlan'] as $vlan) { + $portlist['vlan' . $i] = $vlan; + $portlist['vlan' . 
$i]['isvlan'] = true; + $i++; + } +} + +if ($_POST) { + + unset($input_errors); + + /* input validation */ + + /* Build a list of the port names so we can see how the interfaces map */ + $portifmap = array(); + foreach ($portlist as $portname => $portinfo) + $portifmap[$portname] = array(); + + /* Go through the list of ports selected by the user, + build a list of port-to-interface mappings in portifmap */ + foreach ($_POST as $ifname => $ifport) { + if (($ifname == 'lan') || ($ifname == 'wan') || (substr($ifname, 0, 3) == 'opt')) + $portifmap[$ifport][] = strtoupper($ifname); + } + + /* Deliver error message for any port with more than one assignment */ + foreach ($portifmap as $portname => $ifnames) { + if (count($ifnames) > 1) { + $errstr = "Port " . $portname . + " was assigned to " . count($ifnames) . + " interfaces:"; + + foreach ($portifmap[$portname] as $ifn) + $errstr .= " " . $ifn; + + $input_errors[] = $errstr; + } + } + + + if (!$input_errors) { + /* No errors detected, so update the config */ + foreach ($_POST as $ifname => $ifport) { + + if (($ifname == 'lan') || ($ifname == 'wan') || + (substr($ifname, 0, 3) == 'opt')) { + + if (!is_array($ifport)) { + $config['interfaces'][$ifname]['if'] = $ifport; + + /* check for wireless interfaces, set or clear ['wireless'] */ + if (preg_match("/^(wi|awi|an)/", $ifport)) { + if (!is_array($config['interfaces'][$ifname]['wireless'])) + $config['interfaces'][$ifname]['wireless'] = array(); + } else { + unset($config['interfaces'][$ifname]['wireless']); + } + + /* make sure there is a name for OPTn */ + if (substr($ifname, 0, 3) == 'opt') { + if (!isset($config['interfaces'][$ifname]['descr'])) + $config['interfaces'][$ifname]['descr'] = strtoupper($ifname); + } + } + } + } + + write_config(); + touch($d_sysrebootreqd_path); + } +} + +if ($_GET['act'] == "del") { + $id = $_GET['id']; + + unset($config['interfaces'][$id]); /* delete the specified OPTn */ + + /* shift down other OPTn interfaces to get rid of holes 
*/ + $i = substr($id, 3); /* the number of the OPTn port being deleted */ + $i++; + + /* look at the following OPTn ports */ + while (is_array($config['interfaces']['opt' . $i])) { + $config['interfaces']['opt' . ($i - 1)] = + $config['interfaces']['opt' . $i]; + + if ($config['interfaces']['opt' . ($i - 1)]['descr'] == "OPT" . $i) + $config['interfaces']['opt' . ($i - 1)]['descr'] = "OPT" . ($i - 1); + + unset($config['interfaces']['opt' . $i]); + $i++; + } + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_assign.php"); + exit; +} + +if ($_GET['act'] == "add") { + /* find next free optional interface number */ + $i = 1; + while (is_array($config['interfaces']['opt' . $i])) + $i++; + + $newifname = 'opt' . $i; + $config['interfaces'][$newifname] = array(); + $config['interfaces'][$newifname]['descr'] = "OPT" . $i; + + /* Find an unused port for this interface */ + foreach ($portlist as $portname => $portinfo) { + $portused = false; + foreach ($config['interfaces'] as $ifname => $ifdata) { + if ($ifdata['if'] == $portname) { + $portused = true; + break; + } + } + if (!$portused) { + $config['interfaces'][$newifname]['if'] = $portname; + if (preg_match("/^(wi|awi|an)/", $portname)) + $config['interfaces'][$newifname]['wireless'] = array(); + break; + } + } + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_assign.php"); + exit; +} + +?> + + + +<?=gentitle("Interfaces: Assign network ports");?> + + + + + + +

Interfaces: Assign network ports

+ + +
+ + + + + +
+
    +
  • Interface assignments
  • +
  • VLANs
  • +
+
+ + + + + + + $iface): + if ($iface['descr']) + $ifdescr = $iface['descr']; + else + $ifdescr = strtoupper($ifname); + ?> + + + + + + + + + + + + + + + + +
InterfaceNetwork port 
+ + + + + +
+ +
+ +

Warning:
+
After you click "Save", you must reboot the firewall to make the changes take effect. You may also have to do one or more of the following steps before you can access your firewall again:

+
    +
  • change the IP address of your computer
  • +
  • renew its DHCP lease
  • +
  • access the webGUI with the new IP address
  • +
+
+ + + diff --git a/usr/local/www/interfaces_lan.php b/usr/local/www/interfaces_lan.php new file mode 100755 index 0000000..66af153 --- /dev/null +++ b/usr/local/www/interfaces_lan.php 
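Review bot: The `act=del` branch takes `$id = $_GET['id']` and feeds it straight to `unset($config['interfaces'][$id])`, so a request with `id=lan` or `id=wan` removes a non-optional interface, and the `substr($id, 3)` renumbering that follows assumes the key is `optN`. A guard such as `if (!preg_match("/^opt[0-9]+$/", $id) || !is_array($config['interfaces'][$id])) exit;` before the `unset` limits the delete to existing OPT entries. The POST branch has the same gap on the value side: `$config['interfaces'][$ifname]['if'] = $ifport` stores whatever string was submitted although `$portlist` is already in scope to check it; `if (!isset($portlist[$ifport])) $input_errors[] = "Unknown port {$ifport}.";` inside the first `foreach ($_POST ...)` loop would reject it before the config is written. Both `add` and `del` also modify the config and request a reboot on a plain GET, which is worth noting since the page otherwise uses POST for writes.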
@@ -0,0 +1,173 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$lancfg = &$config['interfaces']['lan']; +$optcfg = &$config['interfaces']['lan']; +$pconfig['ipaddr'] = $config['interfaces']['lan']['ipaddr']; +$pconfig['subnet'] = $config['interfaces']['lan']['subnet']; + +/* Wireless interface? 
*/ +if (isset($optcfg['wireless'])) { + require("interfaces_wlan.inc"); + wireless_config_init(); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ipaddr subnet"); + $reqdfieldsn = explode(",", "IP address,Subnet bit count"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['subnet'] && !is_numeric($_POST['subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + + /* Wireless interface? */ + if (isset($optcfg['wireless'])) { + $wi_input_errors = wireless_config_post(); + if ($wi_input_errors) { + $input_errors = array_merge($input_errors, $wi_input_errors); + } + } + + if (!$input_errors) { + $config['interfaces']['lan']['ipaddr'] = $_POST['ipaddr']; + $config['interfaces']['lan']['subnet'] = $_POST['subnet']; + + $dhcpd_was_enabled = 0; + if (isset($config['dhcpd']['enable'])) { + unset($config['dhcpd']['enable']); + $dhcpd_was_enabled = 1; + } + + write_config(); + touch($d_sysrebootreqd_path); + + $savemsg = get_std_save_message(0); + + if ($dhcpd_was_enabled) + $savemsg .= "
Note that the DHCP server has been disabled.
Please review its configuration " . + "and enable it again prior to rebooting."; + } +} +?> + + + +<?=gentitle("Interfaces: LAN");?> + + + + + + + +

Interfaces: LAN

+ + +
+ + + + + + + + + + + + + + +
IP address + + / +
  + +
 Warning:
+
after you click "Save", you must + reboot your firewall for changes to take effect. You may also + have to do one or more of the following steps before you can + access your firewall again: +
    +
  • change the IP address of your computer
  • +
  • renew its DHCP lease
  • +
  • access the webGUI with the new IP address
  • +
+
+
+ + + diff --git a/usr/local/www/interfaces_opt.php b/usr/local/www/interfaces_opt.php new file mode 100755 index 0000000..fffc17b --- /dev/null +++ b/usr/local/www/interfaces_opt.php 
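Review bot: The subnet check `if (($_POST['subnet'] && !is_numeric($_POST['subnet'])))` accepts values such as `33`, `-1` or `1e1` that are numeric but not a valid bit count, and the value is then written to `$config['interfaces']['lan']['subnet']` unchanged. The interfaces_vlan_edit.php hunk in this same commit already uses `is_numericint` with a range check for the VLAN tag; the same shape fits here: `if ($_POST['subnet'] && (!is_numericint($_POST['subnet']) || ($_POST['subnet'] < 1) || ($_POST['subnet'] > 32)))`. Separately, `$optcfg = &$config['interfaces']['lan'];` directly under `$lancfg` on the line above reads like a copy from the OPT page; a comment such as `/* $optcfg alias kept for interfaces_wlan.inc, which expects that name */` would explain why both references exist, if that is indeed the reason.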
@@ -0,0 +1,276 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +unset($index); +if ($_GET['index']) + $index = $_GET['index']; +else if ($_POST['index']) + $index = $_POST['index']; + +if (!$index) + exit; + +$optcfg = &$config['interfaces']['opt' . $index]; +$pconfig['descr'] = $optcfg['descr']; +$pconfig['bridge'] = $optcfg['bridge']; +$pconfig['ipaddr'] = $optcfg['ipaddr']; +$pconfig['subnet'] = $optcfg['subnet']; +$pconfig['enable'] = isset($optcfg['enable']); + +/* Wireless interface? */ +if (isset($optcfg['wireless'])) { + require("interfaces_wlan.inc"); + wireless_config_init(); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + + /* description unique? 
*/ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if ($i != $index) { + if ($config['interfaces']['opt' . $i]['descr'] == $_POST['descr']) { + $input_errors[] = "An interface with the specified description already exists."; + } + } + } + + if ($_POST['bridge']) { + /* double bridging? */ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if ($i != $index) { + if ($config['interfaces']['opt' . $i]['bridge'] == $_POST['bridge']) { + $input_errors[] = "Optional interface {$i} " . + "({$config['interfaces']['opt' . $i]['descr']}) is already bridged to " . + "the specified interface."; + } else if ($config['interfaces']['opt' . $i]['bridge'] == "opt{$index}") { + $input_errors[] = "Optional interface {$i} " . + "({$config['interfaces']['opt' . $i]['descr']}) is already bridged to " . + "this interface."; + } + } + } + if ($config['interfaces'][$_POST['bridge']]['bridge']) { + $input_errors[] = "The specified interface is already bridged to " . + "another interface."; + } + /* captive portal on? */ + if (isset($config['captiveportal']['enable'])) { + $input_errors[] = "Interfaces cannot be bridged while the captive portal is enabled."; + } + } else { + $reqdfields = explode(" ", "descr ipaddr subnet"); + $reqdfieldsn = explode(",", "Description,IP address,Subnet bit count"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['subnet'] && !is_numeric($_POST['subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + } + } + + /* Wireless interface? 
*/ + if (isset($optcfg['wireless'])) { + $wi_input_errors = wireless_config_post(); + if ($wi_input_errors) { + $input_errors = array_merge($input_errors, $wi_input_errors); + } + } + + if (!$input_errors) { + $optcfg['descr'] = $_POST['descr']; + $optcfg['ipaddr'] = $_POST['ipaddr']; + $optcfg['subnet'] = $_POST['subnet']; + $optcfg['bridge'] = $_POST['bridge']; + $optcfg['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = interfaces_optional_configure(); + + /* is this the captive portal interface? */ + if (isset($config['captiveportal']['enable']) && + ($config['captiveportal']['interface'] == ('opt' . $index))) { + captiveportal_configure(); + } + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("Interfaces: Optional $index (" . htmlspecialchars($optcfg['descr']) . ")");?> + + + + + + + +

Interfaces: Optional ()

+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable Optional interface
Description + +
Enter a description (name) for the interface here. +
IP configuration
Bridge with +
IP address + + / + +
  + + +
 Note:
+
be sure to add firewall rules to permit traffic + through the interface. Firewall rules for an interface in + bridged mode have no effect on packets to hosts other than + m0n0wall itself, unless "Enable filtering bridge" + is checked on the System: + Advanced functions page.
+
+ + +

Optional has been disabled because there is no OPT interface.

+ + + + diff --git a/usr/local/www/interfaces_vlan.php b/usr/local/www/interfaces_vlan.php new file mode 100755 index 0000000..f724ef3 --- /dev/null +++ b/usr/local/www/interfaces_vlan.php 
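Review bot: `$index` is taken from `$_GET['index']` / `$_POST['index']` with only a truthiness check, then interpolated unescaped into `gentitle("Interfaces: Optional $index (" . htmlspecialchars($optcfg['descr']) . ")")` while the description beside it is escaped, and used to build the config key `'opt' . $index`; taking a reference to `$config['interfaces']['opt' . $index]` for a nonexistent index also creates that entry as a side effect. Replacing `if (!$index) exit;` with `if (!$index || !is_numericint($index) || !is_array($config['interfaces']['opt' . $index])) exit;` closes both. In the POST branch, `$_POST['bridge']` is stored in `$optcfg['bridge']` and used as a key in `$config['interfaces'][$_POST['bridge']]['bridge']` without checking that it names an existing interface; `if ($_POST['bridge'] && !is_array($config['interfaces'][$_POST['bridge']])) $input_errors[] = "Invalid bridge interface.";` ahead of the double-bridging loop would cover that.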
@@ -0,0 +1,149 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['vlans']['vlan'])) + $config['vlans']['vlan'] = array(); + +$a_vlans = &$config['vlans']['vlan'] ; + +function vlan_inuse($num) { + global $config, $g; + + if ($config['interfaces']['lan']['if'] == "vlan{$num}") + return true; + if ($config['interfaces']['wan']['if'] == "vlan{$num}") + return true; + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if ($config['interfaces']['opt' . $i]['if'] == "vlan{$num}") + return true; + } + + return false; +} + +function renumber_vlan($if, $delvlan) { + if (!preg_match("/^vlan/", $if)) + return $if; + + $vlan = substr($if, 4); + if ($vlan > $delvlan) + return "vlan" . 
($vlan - 1); + else + return $if; +} + +if ($_GET['act'] == "del") { + /* check if still in use */ + if (vlan_inuse($_GET['id'])) { + $input_errors[] = "This VLAN cannot be deleted because it is still being used as an interface."; + } else { + unset($a_vlans[$_GET['id']]); + + /* renumber all interfaces that use VLANs */ + $config['interfaces']['lan']['if'] = renumber_vlan($config['interfaces']['lan']['if'], $_GET['id']); + $config['interfaces']['wan']['if'] = renumber_vlan($config['interfaces']['wan']['if'], $_GET['id']); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + $config['interfaces']['opt' . $i]['if'] = renumber_vlan($config['interfaces']['opt' . $i]['if'], $_GET['id']); + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_vlan.php"); + exit; + } +} + +?> + + + +<?=gentitle("Interfaces: Assign network ports: VLANs");?> + + + + + + +

Interfaces: Assign network ports: VLANs

+ + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + +
InterfaceVLAN tagDescription
+ + + + +   + +  
 

+ Note:
+
+ Not all drivers/NICs support 802.1Q VLAN tagging properly. On cards that do not explicitly support it, VLAN tagging will still work, but the reduced MTU may cause problems. See the m0n0wall homepage for information on supported cards.

+
 
+
+ + + diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php new file mode 100755 index 0000000..7932e2d --- /dev/null +++ b/usr/local/www/interfaces_vlan_edit.php 
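Review bot: The `act=del` branch passes `$_GET['id']` to `vlan_inuse()`, `unset($a_vlans[$_GET['id']])` and `renumber_vlan()` without checking that it is an existing integer index of `$a_vlans`. An id such as `-1` or an empty string passes `vlan_inuse`, the `unset` is a no-op, and `$vlan > $delvlan` in `renumber_vlan` is then true for every VLAN, so the `if` of every VLAN-backed interface is shifted down by one and written to config. A guard such as `if (!is_numericint($_GET['id']) || !isset($a_vlans[$_GET['id']])) { header("Location: interfaces_vlan.php"); exit; }` at the top of the branch avoids that. Note also that the `unset` leaves a gap in `$a_vlans` while interfaces_assign.php names VLAN ports by foreach position (`'vlan' . $i`); whether the two stay aligned after a deletion depends on how the listing builds its `id` links, which this hunk does not show.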
@@ -0,0 +1,146 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['vlans']['vlan'])) + $config['vlans']['vlan'] = array(); + +$a_vlans = &$config['vlans']['vlan']; + +$portlist = get_interface_list(); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_vlans[$id]) { + $pconfig['if'] = $a_vlans[$id]['if']; + $pconfig['tag'] = $a_vlans[$id]['tag']; + $pconfig['descr'] = $a_vlans[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "if tag"); + $reqdfieldsn = explode(",", "Parent interface,VLAN tag"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['tag'] && (!is_numericint($_POST['tag']) || ($_POST['tag'] < '1') || ($_POST['tag'] > '4094'))) { + $input_errors[] = "The VLAN tag must be an integer between 1 and 4094."; + } + + foreach ($a_vlans as $vlan) { + if (isset($id) && ($a_vlans[$id]) && ($a_vlans[$id] === $vlan)) + continue; + + if (($vlan['if'] == $_POST['if']) && ($vlan['tag'] == $_POST['tag'])) { + $input_errors[] = "A VLAN with the tag {$vlan['tag']} is already defined on this interface."; + break; + } + } + + if (!$input_errors) { + $vlan = array(); + $vlan['if'] = $_POST['if']; + $vlan['tag'] = $_POST['tag']; + $vlan['descr'] = $_POST['descr']; + + if (isset($id) && $a_vlans[$id]) + $a_vlans[$id] = $vlan; + else + $a_vlans[] = $vlan; + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_vlan.php"); + exit; + } +} +?> + + +<?=gentitle("Interfaces: Assign network ports: VLANs: Edit");?> + + + + + + +

Interfaces: Assign network ports: VLANs: Edit

+ +
+ + + + + + + + + + + + + + + + + +
Parent interface +
VLAN tag + +
+ 802.1Q VLAN tag (between 1 and 4094)
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/interfaces_wan.php b/usr/local/www/interfaces_wan.php new file mode 100755 index 0000000..b4cc30b --- /dev/null +++ b/usr/local/www/interfaces_wan.php 
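Review bot: `$portlist = get_interface_list();` is fetched but the validation never checks `$_POST['if']` against it, so `$vlan['if'] = $_POST['if'];` stores any submitted string as the parent interface, which interfaces_vlan.php and interfaces_assign.php then treat as a real port. Adding `if ($_POST['if'] && !isset($portlist[$_POST['if']])) $input_errors[] = "The specified parent interface does not exist.";` next to the tag range check closes that. The tag check itself compares against string literals (`$_POST['tag'] < '1'`, `> '4094'`); since `is_numericint` has already passed, the integers `1` and `4094` read more clearly and do not depend on numeric-string comparison rules.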
@@ -0,0 +1,630 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$wancfg = &$config['interfaces']['wan']; +$optcfg = &$config['interfaces']['wan']; + +$pconfig['username'] = $config['pppoe']['username']; +$pconfig['password'] = $config['pppoe']['password']; +$pconfig['provider'] = $config['pppoe']['provider']; +$pconfig['pppoe_dialondemand'] = $config['pppoe']['ondemand']; +$pconfig['pppoe_idletimeout'] = $config['pppoe']['timeout']; + +$pconfig['pptp_username'] = $config['pptp']['username']; +$pconfig['pptp_password'] = $config['pptp']['password']; +$pconfig['pptp_local'] = $config['pptp']['local']; +$pconfig['pptp_subnet'] = $config['pptp']['subnet']; +$pconfig['pptp_remote'] = $config['pptp']['remote']; +$pconfig['pptp_dialondemand'] = $config['pptp']['ondemand']; +$pconfig['pptp_idletimeout'] = $config['pptp']['timeout']; + +$pconfig['bigpond_username'] = $config['bigpond']['username']; +$pconfig['bigpond_password'] = $config['bigpond']['password']; +$pconfig['bigpond_authserver'] = $config['bigpond']['authserver']; +$pconfig['bigpond_authdomain'] = $config['bigpond']['authdomain']; +$pconfig['bigpond_minheartbeatinterval'] = $config['bigpond']['minheartbeatinterval']; + +$pconfig['dhcphostname'] = $wancfg['dhcphostname']; + +if ($wancfg['ipaddr'] == "dhcp") { + $pconfig['type'] = "DHCP"; +} else if ($wancfg['ipaddr'] == "pppoe") { + $pconfig['type'] = "PPPoE"; +} else if ($wancfg['ipaddr'] == "pptp") { + $pconfig['type'] = "PPTP"; +} else if ($wancfg['ipaddr'] == "bigpond") { + $pconfig['type'] = "BigPond"; +} else { + $pconfig['type'] = "Static"; + $pconfig['ipaddr'] = $wancfg['ipaddr']; + $pconfig['subnet'] = $wancfg['subnet']; + $pconfig['gateway'] = $wancfg['gateway']; +} + +$pconfig['blockpriv'] = isset($wancfg['blockpriv']); +$pconfig['spoofmac'] = $wancfg['spoofmac']; +$pconfig['mtu'] = $wancfg['mtu']; + +/* Wireless interface? 
*/ +if (isset($optcfg['wireless'])) { + require("interfaces_wlan.inc"); + wireless_config_init(); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['type'] == "Static") { + $reqdfields = explode(" ", "ipaddr subnet gateway"); + $reqdfieldsn = explode(",", "IP address,Subnet bit count,Gateway"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } else if ($_POST['type'] == "PPPoE") { + if ($_POST['pppoe_dialondemand']) { + $reqdfields = explode(" ", "username password pppoe_dialondemand pppoe_idletimeout"); + $reqdfieldsn = explode(",", "PPPoE username,PPPoE password,Dial on demand,Idle timeout value"); + } else { + $reqdfields = explode(" ", "username password"); + $reqdfieldsn = explode(",", "PPPoE username,PPPoE password"); + } + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } else if ($_POST['type'] == "PPTP") { + if ($_POST['pptp_dialondemand']) { + $reqdfields = explode(" ", "pptp_username pptp_password pptp_local pptp_subnet pptp_remote pptp_dialondemand pptp_idletimeout"); + $reqdfieldsn = explode(",", "PPTP username,PPTP password,PPTP local IP address,PPTP subnet,PPTP remote IP address,Dial on demand,Idle timeout value"); + } else { + $reqdfields = explode(" ", "pptp_username pptp_password pptp_local pptp_subnet pptp_remote"); + $reqdfieldsn = explode(",", "PPTP username,PPTP password,PPTP local IP address,PPTP subnet,PPTP remote IP address"); + } + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } else if ($_POST['type'] == "BigPond") { + $reqdfields = explode(" ", "bigpond_username bigpond_password"); + $reqdfieldsn = explode(",", "BigPond username,BigPond password"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['subnet'] && 
!is_numeric($_POST['subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + if (($_POST['gateway'] && !is_ipaddr($_POST['gateway']))) { + $input_errors[] = "A valid gateway must be specified."; + } + if (($_POST['provider'] && !is_domain($_POST['provider']))) { + $input_errors[] = "The service name contains invalid characters."; + } + if ($_POST['pppoe_idletimeout'] && !is_numericint($_POST['pppoe_idletimeout'])) { + $input_errors[] = "The idle timeout value must be an integer."; + } + if (($_POST['pptp_local'] && !is_ipaddr($_POST['pptp_local']))) { + $input_errors[] = "A valid PPTP local IP address must be specified."; + } + if (($_POST['pptp_subnet'] && !is_numeric($_POST['pptp_subnet']))) { + $input_errors[] = "A valid PPTP subnet bit count must be specified."; + } + if (($_POST['pptp_remote'] && !is_ipaddr($_POST['pptp_remote']))) { + $input_errors[] = "A valid PPTP remote IP address must be specified."; + } + if ($_POST['pptp_idletimeout'] && !is_numericint($_POST['pptp_idletimeout'])) { + $input_errors[] = "The idle timeout value must be an integer."; + } + if (($_POST['bigpond_authserver'] && !is_domain($_POST['bigpond_authserver']))) { + $input_errors[] = "The authentication server name contains invalid characters."; + } + if (($_POST['bigpond_authdomain'] && !is_domain($_POST['bigpond_authdomain']))) { + $input_errors[] = "The authentication domain name contains invalid characters."; + } + if ($_POST['bigpond_minheartbeatinterval'] && !is_numericint($_POST['bigpond_minheartbeatinterval'])) { + $input_errors[] = "The minimum heartbeat interval must be an integer."; + } + if (($_POST['spoofmac'] && !is_macaddr($_POST['spoofmac']))) { + $input_errors[] = "A valid MAC address must be specified."; + } + if ($_POST['mtu'] && (($_POST['mtu'] < 576) || ($_POST['mtu'] > 1500))) { + $input_errors[] = "The MTU must be between 576 and 1500 bytes."; + } + + /* Wireless interface? 
*/ + if (isset($optcfg['wireless'])) { + $wi_input_errors = wireless_config_post(); + if ($wi_input_errors) { + $input_errors = array_merge($input_errors, $wi_input_errors); + } + } + + if (!$input_errors) { + + unset($wancfg['ipaddr']); + unset($wancfg['subnet']); + unset($wancfg['gateway']); + unset($wancfg['dhcphostname']); + unset($config['pppoe']['username']); + unset($config['pppoe']['password']); + unset($config['pppoe']['provider']); + unset($config['pppoe']['ondemand']); + unset($config['pppoe']['timeout']); + unset($config['pptp']['username']); + unset($config['pptp']['password']); + unset($config['pptp']['local']); + unset($config['pptp']['subnet']); + unset($config['pptp']['remote']); + unset($config['pptp']['ondemand']); + unset($config['pptp']['timeout']); + unset($config['bigpond']['username']); + unset($config['bigpond']['password']); + unset($config['bigpond']['authserver']); + unset($config['bigpond']['authdomain']); + unset($config['bigpond']['minheartbeatinterval']); + + if ($_POST['type'] == "Static") { + $wancfg['ipaddr'] = $_POST['ipaddr']; + $wancfg['subnet'] = $_POST['subnet']; + $wancfg['gateway'] = $_POST['gateway']; + } else if ($_POST['type'] == "DHCP") { + $wancfg['ipaddr'] = "dhcp"; + $wancfg['dhcphostname'] = $_POST['dhcphostname']; + } else if ($_POST['type'] == "PPPoE") { + $wancfg['ipaddr'] = "pppoe"; + $config['pppoe']['username'] = $_POST['username']; + $config['pppoe']['password'] = $_POST['password']; + $config['pppoe']['provider'] = $_POST['provider']; + $config['pppoe']['ondemand'] = $_POST['pppoe_dialondemand']; + $config['pppoe']['timeout'] = $_POST['pppoe_idletimeout']; + } else if ($_POST['type'] == "PPTP") { + $wancfg['ipaddr'] = "pptp"; + $config['pptp']['username'] = $_POST['pptp_username']; + $config['pptp']['password'] = $_POST['pptp_password']; + $config['pptp']['local'] = $_POST['pptp_local']; + $config['pptp']['subnet'] = $_POST['pptp_subnet']; + $config['pptp']['remote'] = $_POST['pptp_remote']; + 
$config['pptp']['ondemand'] = $_POST['pptp_dialondemand']; + $config['pptp']['timeout'] = $_POST['pptp_idletimeout']; + } else if ($_POST['type'] == "BigPond") { + $wancfg['ipaddr'] = "bigpond"; + $config['bigpond']['username'] = $_POST['bigpond_username']; + $config['bigpond']['password'] = $_POST['bigpond_password']; + $config['bigpond']['authserver'] = $_POST['bigpond_authserver']; + $config['bigpond']['authdomain'] = $_POST['bigpond_authdomain']; + $config['bigpond']['minheartbeatinterval'] = $_POST['bigpond_minheartbeatinterval']; + } + + $wancfg['blockpriv'] = $_POST['blockpriv'] ? true : false; + $wancfg['spoofmac'] = $_POST['spoofmac']; + $wancfg['mtu'] = $_POST['mtu']; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = interfaces_wan_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("Interfaces: WAN");?> + + + + + + + +

Interfaces: WAN

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type
General configuration
MAC address +
+ This field can be used to modify ("spoof") the MAC + address of the WAN interface
+ (may be required with some cable connections)
+ Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx + or leave blank
MTU +
+ If you enter a value in this field, then MSS clamping for + TCP connections to the value entered above minus 40 (TCP/IP + header size) will be in effect. If you leave this field blank, + an MTU of 1492 bytes for PPPoE and 1500 bytes for all other + connection types will be assumed.
Static IP configuration
IP address + / +
Gateway +
DHCP client configuration
Hostname +
+ The value in this field is sent as the DHCP client identifier + and hostname when requesting a DHCP lease. Some ISPs may require + this (for client identification).
PPPoE configuration
Username +
Password +
Service name +
Hint: this field can usually be left + empty
Dial on demand onClick="enable_change(false)" > + Enable Dial-On-Demand mode
+ This option causes the interface to operate in dial-on-demand mode, allowing you to have a virtual full time connection. The interface is configured, but the actual connection of the link is delayed until qualifying outgoing traffic is detected.
Idle timeout + + seconds
+ If no qualifying outgoing packets are transmitted for the specified number of seconds, the connection is brought down. An idle timeout of zero disables this feature.
PPTP configuration
Username +
Password +
Local IP address + / +
Remote IP address +
Dial on demand onClick="enable_change_pptp(false)" > + Enable Dial-On-Demand mode
+ This option causes the interface to operate in dial-on-demand mode, allowing you to have a virtual full time connection. The interface is configured, but the actual connection of the link is delayed until qualifying outgoing traffic is detected.
Idle timeout + + seconds
+ If no qualifying outgoing packets are transmitted for the specified number of seconds, the connection is brought down. An idle timeout of zero disables this feature.
BigPond Cable configuration
Username +
Password +
Authentication server +
+ If this field is left empty, the default ("dce-server") is used.
Authentication domain +
+ If this field is left empty, the domain name assigned via DHCP will be used.
+
+ Note: the BigPond client implicitly sets the "Allow DNS server list to be overridden by DHCP/PPP on WAN" on the System: General setup page.
Min. heartbeat interval + + seconds
+ Setting this to a sensible value (e.g. 60 seconds) can protect against DoS attacks.
  > + Block private networks
+ When set, this option blocks traffic from IP addresses that + are reserved for private
+ networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as + well as loopback addresses
+ (127/8). You should generally leave this option turned on, + unless your WAN network
+ lies in such a private address space, too.
   
+
+
+ + + + diff --git a/usr/local/www/interfaces_wlan.inc b/usr/local/www/interfaces_wlan.inc new file mode 100755 index 0000000..8861ce6 --- /dev/null +++ b/usr/local/www/interfaces_wlan.inc 
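Review bot: The static-IP and PPTP subnet checks only call `is_numeric()`, so a bit count such as `99`, `-1` or `3.5` passes validation and is written to `$wancfg['subnet']` / `$config['pptp']['subnet']` even though the error text promises a valid bit count; the check should match what interfaces_vlan_edit.php does for the VLAN tag, e.g. `if ($_POST['subnet'] && (!is_numericint($_POST['subnet']) || ($_POST['subnet'] < 1) || ($_POST['subnet'] > 32)))`, with the same bounds for `pptp_subnet`. The MTU check has the mirror-image gap: it compares the raw string against `< 576` / `> 1500` without an `is_numericint()` test first. Separately, `$input_errors` is unset at the top of the POST branch and only assigned when an error occurs, so `array_merge($input_errors, $wi_input_errors)` runs with an undefined first argument whenever the WAN fields are clean; on PHP 5 and later that call returns null with a warning, which would discard the wireless errors and let write_config() proceed, so `array_merge((array)$input_errors, $wi_input_errors)` is the safer spelling regardless of the PHP version this targeted.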
@@ -0,0 +1,182 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function wireless_config_init() { + global $optcfg, $pconfig; + + $pconfig['mode'] = $optcfg['wireless']['mode']; + $pconfig['ssid'] = $optcfg['wireless']['ssid']; + $pconfig['stationname'] = $optcfg['wireless']['stationname']; + $pconfig['channel'] = $optcfg['wireless']['channel']; + $pconfig['wep_enable'] = isset($optcfg['wireless']['wep']['enable']); + + if (is_array($optcfg['wireless']['wep']['key'])) { + $i = 1; + foreach ($optcfg['wireless']['wep']['key'] as $wepkey) { + $pconfig['key' . 
$i] = $wepkey['value']; + if (isset($wepkey['txkey'])) + $pconfig['txkey'] = $i; + $i++; + } + if (!isset($wepkey['txkey'])) + $pconfig['txkey'] = 1; + } +} + +function wireless_config_post() { + global $optcfg, $pconfig; + + unset($input_errors); + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "mode ssid channel"); + $reqdfieldsn = explode(",", "Mode,SSID,Channel"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + /* bridge check (hostap only!) */ + if ($pconfig['bridge'] && ($pconfig['mode'] != "hostap")) + $input_errors[] = "Bridging a wireless interface is only possible in hostap mode."; + } + } + + if (!$input_errors) { + + $optcfg['wireless']['mode'] = $_POST['mode']; + $optcfg['wireless']['ssid'] = $_POST['ssid']; + $optcfg['wireless']['stationname'] = $_POST['stationname']; + $optcfg['wireless']['channel'] = $_POST['channel']; + $optcfg['wireless']['wep']['enable'] = $_POST['wep_enable'] ? true : false; + + $optcfg['wireless']['wep']['key'] = array(); + for ($i = 1; $i <= 4; $i++) { + if ($_POST['key' . $i]) { + $newkey = array(); + $newkey['value'] = $_POST['key' . $i]; + if ($_POST['txkey'] == $i) + $newkey['txkey'] = true; + $optcfg['wireless']['wep']['key'][] = $newkey; + } + } + } + + return $input_errors; +} + +function wireless_config_print() { + global $optcfg, $pconfig; +?> + + + + + Wireless configuration + + + Mode +
+ Note: IBSS mode is sometimes also called "ad-hoc" + mode;
+ BSS mode is also known as "infrastructure" mode + + + SSID + + + + + Channel + + + + Station name + +
+ Hint: this field can usually be left blank + + + WEP + > + Enable WEP
+   + + + + + + + + + + + + + + + + + + + + + + + + + +
   TX key 
Key 1:   > +
Key 2:   >
Key 3:   >
Key 4:   >
+
+ 40 (64) bit keys may be entered as 5 ASCII characters or 10 + hex digits preceded by '0x'.
+ 104 (128) bit keys may be entered as 13 ASCII characters or + 26 hex digits preceded by '0x'. + + diff --git a/usr/local/www/license.php b/usr/local/www/license.php new file mode 100755 index 0000000..2cb9fdf --- /dev/null +++ b/usr/local/www/license.php @@ -0,0 +1,187 @@ +#!/usr/local/bin/php + + + + +<?=gentitle("License");?> + + + + + + +
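Review bot: In wireless_config_init() the post-loop default `if (!isset($wepkey['txkey'])) $pconfig['txkey'] = 1;` inspects only the last element of the key array, so when an earlier key carries `txkey` the value set inside the loop is overwritten and the form always shows key 1 as the TX key; test the result rather than the loop variable: `if (!isset($pconfig['txkey'])) $pconfig['txkey'] = 1;`. wireless_config_post() also stores `key1`..`key4` without checking the format the help text on this page promises (5 or 13 ASCII characters, or `0x` followed by 10 or 26 hex digits), and `channel` is only checked for presence, not for being an integer; a length/hex check before the `$newkey` assignment and an `is_numericint()` test on `channel` would reject malformed input at the GUI instead of passing it downstream.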

License

+

m0n0wall is Copyright © 2002-2004 by Manuel Kasper + (mk@neon1.net).
+ All rights reserved.

+

Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions + are met:
+
+ 1. Redistributions of source code must retain the above copyright + notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in + the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED "AS IS'' AND ANY EXPRESS + OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT + SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE
+ POSSIBILITY OF SUCH DAMAGE
.

+
+

The following persons have contributed code to m0n0wall:

+

Bob Zoller (bob@kludgebox.com)
+     Diagnostics: Ping + function; WLAN channel auto-select; DNS forwarder
+
+ Michael Mee (mikemee2002@pobox.com)
+     Timezone and NTP + client support
+
+ Magne Andreassen (magne.andreassen@bluezone.no)
+     Remote syslog'ing; + some code bits for DHCP server on optional interfaces
+
+ Rob Whyte (rob@g-labs.com)
+     Idea/code bits + for encrypted webGUI passwords; minimalized SNMP agent
+
+ Petr Verner (verner@ipps.cz)
+     Advanced outbound + NAT: destination selection
+
+ Bruce A. Mah (bmah@acm.org)
+     Filtering bridge + patches
+
+ Jim McBeath (monowall@j.jimmc.org)
+     Filter rule patches + (ordering, block/pass, disabled); better status page;
+     webGUI assign network ports page

+
+ Chris Olive (chris@technologEase.com)
+     enhanced "execute + command" page
+
+ Pauline Middelink (middelink@polyware.nl)
+     DHCP client: send hostname patch
+
+ Björn Pålsson (bjorn@networksab.com)
+     DHCP lease list page
+
+ Peter Allgeyer (allgeyer@web.de)
+     "reject" type filter rules; dial-on-demand
+
+ Thierry Lechat (dev@lechat.org)
+     SVG-based traffic grapher
+
+ Steven Honson (steven@honson.org)
+     per-user IP address assignments for PPTP VPN
+
+ Kurt Inge Smådal (kurt@emsp.no)
+     NAT on optional interfaces
+
+ Dinesh Nair (dinesh@alphaque.com)
+     captive portal: pass-through MAC/IP addresses, RADIUS authentication & accounting;
+     HTTP server concurrency limit

+
+ Justin Ellison (justin@techadvise.com)
+     traffic shaper TOS matching; magic shaper; DHCP deny unknown clients;
+     IPsec user FQDNs; DHCP relay

+
+ Fred Wright (fw@well.com)
+     ipfilter window scaling fix; ipnat ICMP checksum adjustment fix; IPsec dead SA fixes
+
+ Michael Hanselmann (m0n0@hansmi.ch)
+     IDE hard disk standby
+
+ Audun Larsen (larsen@xqus.com)
+     CPU/memory usage display
+
+ Peter Curran (peter@closeconsultants.com)
+     OpenVPN support

+
+

m0n0wall is based upon/includes various free software packages, + listed below.
+ The author of m0n0wall would like to thank the authors of these + software packages for their efforts.

+

FreeBSD (http://www.freebsd.org)
+ Copyright © 1994-2003 FreeBSD, Inc. All rights reserved.
+
+ This product includes PHP, freely available from http://www.php.net.
+ Copyright © 1999 - 2003 The PHP Group. All rights reserved.
+
+ mini_httpd (http://www.acme.com/software/mini_httpd)
+ Copyright © 1999, 2000 by Jef Poskanzer <jef@acme.com>. + All rights reserved.
+
+ ISC DHCP server (http://www.isc.org/products/DHCP)
+ Copyright © 1996-2003 Internet Software Consortium. All rights + reserved.
+
+ ipfilter (http://www.ipfilter.org)
+ Copyright © 1993-2002 by Darren Reed.
+
+ MPD - Multi-link PPP daemon for FreeBSD (http://www.dellroad.org/mpd)
+ Copyright © 2003-2004, Archie L. Cobbs, Michael Bretterklieber, Alexander Motin
+All rights reserved.
+
+ ez-ipupdate (http://www.gusnet.cx/proj/ez-ipupdate)
+ Copyright © 1998-2001 Angus Mackay. All rights reserved.
+
+ Circular log support for FreeBSD syslogd (http://software.wwwi.com/syslogd)
+ Copyright © 2001 Jeff Wheelhouse (jdw@wwwi.com)
+
+ Dnsmasq - a DNS forwarder for NAT firewalls (http://www.thekelleys.org.uk)
+ Copyright © 2000-2003 Simon Kelley.
+
+ Racoon (http://www.kame.net/racoon)
+ Copyright © 1995-2002 WIDE Project. All rights reserved.
+
+ msntp (http://www.hpcf.cam.ac.uk/export)
+ Copyright © 1996, 1997, 2000 N.M. Maclaren, University of Cambridge. + All rights reserved.
+
+ UCD-SNMP (http://www.ece.ucdavis.edu/ucd-snmp)
+ Copyright © 1989, 1991, 1992 by Carnegie Mellon University.
+ Copyright © 1996, 1998-2000 The Regents of the University of + California. All rights reserved.
+ Copyright © 2001-2002, Network Associates Technology, Inc. + All rights reserved.
+ Portions of this code are copyright © 2001-2002, Cambridge + Broadband Ltd. All rights reserved.
+
+ choparp (http://choparp.sourceforge.net)
+ Copyright © 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp)
+ Copyright +© 2002 Thomas Quinot (thomas@cuivre.fr.eu.org)
+
+ BPALogin (http://bpalogin.sourceforge.net) - lightweight portable BIDS2 login client
+ Copyright © 2001-3 Shane Hyde, and others.
+
+ php-radius (http://www.mavetju.org/programming/php.php)
+ Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved.
+ This product includes software developed by Edwin Groothuis.
+
+ wol (http://ahh.sourceforge.net/wol)
+ Copyright © 2000,2001,2002,2003,2004 Thomas Krennwallner <krennwallner@aon.at> + + + diff --git a/usr/local/www/logobig.jpg b/usr/local/www/logobig.jpg new file mode 100755 index 0000000..d3143e7 Binary files /dev/null and b/usr/local/www/logobig.jpg differ diff --git a/usr/local/www/reboot.php b/usr/local/www/reboot.php new file mode 100755 index 0000000..0dbd6d1 --- /dev/null +++ b/usr/local/www/reboot.php @@ -0,0 +1,66 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if ($_POST) { + if ($_POST['Submit'] != " No ") { + system_reboot(); + $rebootmsg = "The system is rebooting now. This may take one minute."; + } else { + header("Location: index.php"); + exit; + } +} +?> + + + +<?=gentitle("Reboot system");?> + + + + + + +

Reboot system

+ +
+

Are you sure you want to reboot the system?

+

+ + +

+
+ + + + diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php new file mode 100755 index 0000000..99fb152 --- /dev/null +++ b/usr/local/www/services_captiveportal.php 
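Review bot: The reboot is triggered by `if ($_POST['Submit'] != " No ")`, so any POST whose Submit value is missing or differs from exactly `" No "` calls system_reboot(), and nothing here ties the request to the form that was rendered, which leaves the handler open to cross-site request forgery while an administrator is logged in. Invert the test to the affirmative value — the form markup is stripped from this hunk, so assuming the confirm button submits `" Yes "`: `if ($_POST['Submit'] == " Yes ")` — and treat every other value as a cancel. A per-session token verified before system_reboot() would close the cross-site case; the same consideration applies to the other state-changing POST handlers added in this commit.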
@@ -0,0 +1,396 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['captiveportal'])) { + $config['captiveportal'] = array(); + $config['captiveportal']['page'] = array(); + $config['captiveportal']['timeout'] = 60; +} + +if ($_GET['act'] == "viewhtml") { + echo base64_decode($config['captiveportal']['page']['htmltext']); + exit; +} else if ($_GET['act'] == "viewerrhtml") { + echo base64_decode($config['captiveportal']['page']['errtext']); + exit; +} + +$pconfig['cinterface'] = $config['captiveportal']['interface']; +$pconfig['timeout'] = $config['captiveportal']['timeout']; +$pconfig['idletimeout'] = $config['captiveportal']['idletimeout']; +$pconfig['enable'] = isset($config['captiveportal']['enable']); +$pconfig['radacct_enable'] = isset($config['captiveportal']['radacct_enable']); +$pconfig['httpslogin_enable'] = isset($config['captiveportal']['httpslogin']); +$pconfig['httpsname'] = $config['captiveportal']['httpsname']; +$pconfig['cert'] = base64_decode($config['captiveportal']['certificate']); +$pconfig['key'] = base64_decode($config['captiveportal']['private-key']); +$pconfig['logoutwin_enable'] = isset($config['captiveportal']['logoutwin_enable']); +$pconfig['nomacfilter'] = isset($config['captiveportal']['nomacfilter']); +$pconfig['redirurl'] = $config['captiveportal']['redirurl']; +$pconfig['radiusip'] = $config['captiveportal']['radiusip']; +$pconfig['radiusport'] = $config['captiveportal']['radiusport']; +$pconfig['radiusacctport'] = $config['captiveportal']['radiusacctport']; +$pconfig['radiuskey'] = $config['captiveportal']['radiuskey']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "cinterface"); + $reqdfieldsn = explode(",", "Interface"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + /* make sure no interfaces are bridged */ + for ($i = 1; isset($config['interfaces']['opt' . 
$i]); $i++) { + $coptif = &$config['interfaces']['opt' . $i]; + if (isset($coptif['enable']) && $coptif['bridge']) { + $input_errors[] = "The captive portal cannot be used when one or more interfaces are bridged."; + break; + } + } + + if ($_POST['httpslogin_enable']) { + if (!$_POST['cert'] || !$_POST['key']) { + $input_errors[] = "Certificate and key must be specified for HTTPS login."; + } else { + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + } + + if (!$_POST['httpsname'] || !is_domain($_POST['httpsname'])) { + $input_errors[] = "The HTTPS server name must be specified for HTTPS login."; + } + } + } + + if ($_POST['timeout'] && (!is_numeric($_POST['timeout']) || ($_POST['timeout'] < 1))) { + $input_errors[] = "The timeout must be at least 1 minute."; + } + if ($_POST['idletimeout'] && (!is_numeric($_POST['idletimeout']) || ($_POST['idletimeout'] < 1))) { + $input_errors[] = "The idle timeout must be at least 1 minute."; + } + if (($_POST['radiusip'] && !is_ipaddr($_POST['radiusip']))) { + $input_errors[] = "A valid IP address must be specified. [".$_POST['radiusip']."]"; + } + if (($_POST['radiusport'] && !is_port($_POST['radiusport']))) { + $input_errors[] = "A valid port number must be specified. [".$_POST['radiusport']."]"; + } + if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { + $input_errors[] = "A valid port number must be specified. [".$_POST['radiusport']."]"; + } + + if (!$input_errors) { + $config['captiveportal']['interface'] = $_POST['cinterface']; + $config['captiveportal']['timeout'] = $_POST['timeout']; + $config['captiveportal']['idletimeout'] = $_POST['idletimeout']; + $config['captiveportal']['enable'] = $_POST['enable'] ? 
true : false; + $config['captiveportal']['radacct_enable'] = $_POST['radacct_enable'] ? true : false; + $config['captiveportal']['httpslogin'] = $_POST['httpslogin_enable'] ? true : false; + $config['captiveportal']['httpsname'] = $_POST['httpsname']; + $config['captiveportal']['certificate'] = base64_encode($_POST['cert']); + $config['captiveportal']['private-key'] = base64_encode($_POST['key']); + $config['captiveportal']['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false; + $config['captiveportal']['nomacfilter'] = $_POST['nomacfilter'] ? true : false; + $config['captiveportal']['redirurl'] = $_POST['redirurl']; + $config['captiveportal']['radiusip'] = $_POST['radiusip']; + $config['captiveportal']['radiusport'] = $_POST['radiusport']; + $config['captiveportal']['radiusacctport'] = $_POST['radiusacctport']; + $config['captiveportal']['radiuskey'] = $_POST['radiuskey']; + + /* file upload? */ + if (is_uploaded_file($_FILES['htmlfile']['tmp_name'])) + $config['captiveportal']['page']['htmltext'] = base64_encode(file_get_contents($_FILES['htmlfile']['tmp_name'])); + if (is_uploaded_file($_FILES['errfile']['tmp_name'])) + $config['captiveportal']['page']['errtext'] = base64_encode(file_get_contents($_FILES['errfile']['tmp_name'])); + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = captiveportal_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("Services: Captive portal");?> + + + + + + + +

Services: Captive portal

+ + +
+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable captive portal
Interface +
+ Choose which interface to run the captive portal on.
Idle timeout + +minutes
+Clients will be disconnected after this amount of inactivity. They may log in again immediately, though. Leave this field blank for no idle timeout.
Hard timeout + + minutes
+ Clients will be disconnected after this amount of time, regardless of activity. They may log in again immediately, though. Leave this field blank for no hard timeout (not recommended unless an idle timeout is set).
Logout popup window + > + Enable logout popup window
+ If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs. When RADIUS accounting is enabled, this option is implied.
Redirection URL + +
+If you provide a URL here, clients will be redirected to that URL instead of the one they initially tried +to access after they've authenticated.
MAC filtering + > + Disable MAC filtering
+ If this option is set, no attempts will be made to ensure that the MAC address of clients stays the same while they're logged in. This is required when the MAC address of cannot be determined (usually because there are routers between m0n0wall and the clients).
RADIUS server + + + + + + + + + + + + + + + + + + +
IP address:
Port:
Shared secret:  
Accounting:   onClick="radacct_change()">
Accounting port:  
+
+ Enter the IP address and port of the RADIUS server which users of the captive portal have to authenticate against. Leave blank to disable RADIUS authentication. Leave port number blank to use the default port (1812). Leave the RADIUS shared secret blank to not use a RADIUS shared secret. RADIUS accounting packets will also be sent to the RADIUS server if accounting is enabled (default port is 1813). +
HTTPS login + > + Enable HTTPS login
+ If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. This option only applies when RADIUS authentication is used. A server name, certificate and matching private key must also be specified below.
HTTPS server name +
+ This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS.
HTTPS certificate + +
+ Paste a signed certificate in X.509 PEM format here.
HTTPS private key + +
+ Paste an RSA private key in PEM format here.
Portal page contents +
+ + View current page +
+
+ + Upload an HTML file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to "$PORTAL_ACTION$") +with a submit button (name="accept"). Include the "auth_user" and "auth_pass" input elements if RADIUS authentication is enabled. If RADIUS is enabled and no "auth_user" is present, authentication will always fail. If RADIUS is not enabled, you can omit both these input elements. +When using HTTPS login, a hidden field with name="redirurl" and value="$PORTAL_REDIRURL$" has to be included as well. Example code for the form:
+
+ <form method="post" action="$PORTAL_ACTION$">
+    <input name="auth_user" type="text">
+    <input name="auth_pass" type="password">
+    <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
+   <input name="accept" type="submit" value="Continue">
+ </form>
Authentication
+ error page
+ contents
+
+ + View current page +
+
+ +The contents of the HTML file that you upload here are displayed when a RADIUS authentication error occurs.
  + +
 Note:
+
Changing any settings on this page will disconnect all clients! Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work.
+
+
+ + + + diff --git a/usr/local/www/services_captiveportal_ip.php b/usr/local/www/services_captiveportal_ip.php new file mode 100755 index 0000000..b3d406a --- /dev/null +++ b/usr/local/www/services_captiveportal_ip.php 
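Review bot: The `radiusacctport` validation branch reports the wrong field — its message interpolates `$_POST['radiusport']` while the condition tested `$_POST['radiusacctport']`, so the user sees the authentication port echoed back for an accounting-port error; change it to `$input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]";`. These messages (here and in services_captiveportal_ip_edit.php and services_captiveportal_mac_edit.php) splice raw POST values into `$input_errors`; whether they are escaped on output depends on `print_input_errors()` in guiconfig.inc, which is outside this hunk, so either confirm that or wrap the value in `htmlspecialchars()` at the point it is built. `redirurl` is the only free-text field stored with no check at all while every numeric and address field is validated — rejecting anything that does not start with `http://` or `https://` would keep malformed redirect targets out of the saved config. The `&$input_errors` call-time pass-by-reference in the `do_input_validation()` call is the deprecated form; declaring the reference in the function signature is the supported equivalent.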
@@ -0,0 +1,152 @@ +#!/usr/local/bin/php + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['captiveportal']['allowedip'])) + $config['captiveportal']['allowedip'] = array(); + +allowedips_sort(); +$a_allowedips = &$config['captiveportal']['allowedip'] ; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + $retval = captiveportal_allowedip_configure(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_allowedipsdirty_path)) { + config_lock(); + unlink($d_allowedipsdirty_path); + config_unlock(); + } + } + } +} + +if ($_GET['act'] == "del") { + if ($a_allowedips[$_GET['id']]) { + unset($a_allowedips[$_GET['id']]); + write_config(); + touch($d_allowedipsdirty_path); + header("Location: services_captiveportal_ip.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Captive portal");?> + + + + + + +

Services: Captive portal: Allowed IP addresses

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
IP addressDescription
+ "; + ?> + + any"; + ?> + +   + +  
 

+ Note:
+
+ Adding allowed IP addresses will allow IP access to/from these addresses through the captive portal without being taken to the portal page. This can be used for a web server serving images for the portal page or a DNS server on another network, for example. By specifying from addresses, it may be used to always allow pass-through access from a client behind the captive portal.

+ + + + + + + + + + + + +
any x.x.x.x All connections to the IP address are allowed
x.x.x.x any    All connections from the IP address are allowed
 
+
+
+ + + diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php new file mode 100755 index 0000000..4b1cecf --- /dev/null +++ b/usr/local/www/services_captiveportal_ip_edit.php 
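Review bot: Deleting an entry is a state change performed on a GET (`if ($_GET['act'] == "del")`) with `$_GET['id']` used directly as the array index and no token tied to the session, so following a plain link removes an allowed address and calls `write_config()`; the same handler shape appears in services_captiveportal_mac.php and services_dhcp.php. Require a POST for the delete, as reboot.php already does for its action, and verify a per-session token before touching `$a_allowedips`; checking the id is an integer before indexing (`ctype_digit($_GET['id'])`) avoids relying on PHP's loose array-key handling. The apply path also calls `captiveportal_allowedip_configure()` outside `config_lock()`/`config_unlock()` and only takes the lock around the `unlink()`, whereas services_captiveportal.php wraps `captiveportal_configure()` in the lock — it is not clear from the hunk whether that difference is deliberate, so a comment either way would help.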
@@ -0,0 +1,152 @@ +#!/usr/local/bin/php + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['captiveportal']['allowedip'])) + $config['captiveportal']['allowedip'] = array(); + +allowedips_sort(); +$a_allowedips = &$config['captiveportal']['allowedip']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_allowedips[$id]) { + $pconfig['ip'] = $a_allowedips[$id]['ip']; + $pconfig['descr'] = $a_allowedips[$id]['descr']; + $pconfig['dir'] = $a_allowedips[$id]['dir']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ip dir"); + $reqdfieldsn = explode(",", "Allowed IP address,Direction"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) { + $input_errors[] = "A valid IP address must be specified. [".$_POST['ip']."]"; + } + + foreach ($a_allowedips as $ipent) { + if (isset($id) && ($a_allowedips[$id]) && ($a_allowedips[$id] === $ipent)) + continue; + + if (($ipent['dir'] == $_POST['dir']) && ($ipent['ip'] == $_POST['ip'])){ + $input_errors[] = "[" . $_POST['ip'] . "] already allowed." ; + break ; + } + } + + if (!$input_errors) { + $ip = array(); + $ip['ip'] = $_POST['ip']; + $ip['descr'] = $_POST['descr']; + $ip['dir'] = $_POST['dir']; + + if (isset($id) && $a_allowedips[$id]) + $a_allowedips[$id] = $ip; + else + $a_allowedips[] = $ip; + + write_config(); + + touch($d_allowedipsdirty_path) ; + + header("Location: services_captiveportal_ip.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Captive portal: Edit allowed IP address");?> + + + + + + +

Services: Captive portal: Edit allowed IP address

+ +
+ + + + + + + + + + + + + + + + + +
Direction + +
+ Use From to always allow an IP address through the captive portal (without authentication). + Use To to allow access from all clients (even non-authenticated ones) behind the portal to this IP address.
IP address + +
+ IP address
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php new file mode 100755 index 0000000..d38c58c --- /dev/null +++ b/usr/local/www/services_captiveportal_mac.php 
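Review bot: `dir` is only checked for presence by `do_input_validation()` and then stored verbatim (`$ip['dir'] = $_POST['dir'];`); the form offers a fixed set of directions (the help text names From and To), so any other string should be rejected here, e.g. `if (!in_array($_POST['dir'], $valid_dirs, true)) $input_errors[] = "Invalid direction.";` with `$valid_dirs` holding the select's option values (the select markup is not visible in this hunk). `$id` comes from `$_GET['id']` or `$_POST['id']` with no integer check, and when it is set but does not match an existing entry the save path silently appends (`$a_allowedips[] = $ip;`) instead of reporting the stale id — the `isset($id) && $a_allowedips[$id]` test covers the lookup but not the caller's intent. Given the duplicate loop already iterates every entry, an explicit "entry not found" error for a non-matching `$id` would be cheap and avoids surprising duplicates after a concurrent delete.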
@@ -0,0 +1,133 @@ +#!/usr/local/bin/php + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['captiveportal']['passthrumac'])) + $config['captiveportal']['passthrumac'] = array(); + +passthrumacs_sort(); +$a_passthrumacs = &$config['captiveportal']['passthrumac'] ; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + $retval = captiveportal_passthrumac_configure(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_passthrumacsdirty_path)) { + config_lock(); + unlink($d_passthrumacsdirty_path); + config_unlock(); + } + } + } +} + +if ($_GET['act'] == "del") { + if ($a_passthrumacs[$_GET['id']]) { + unset($a_passthrumacs[$_GET['id']]); + write_config(); + touch($d_passthrumacsdirty_path); + header("Location: services_captiveportal_mac.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Captive portal");?> + + + + + + +

Services: Captive portal: Pass-through MAC addresses

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
MAC addressDescription
+ + +   + +  
 
+ Note:
+
+ Adding MAC addresses as pass-through MACs allows them access through the captive portal automatically without being taken to the portal page. The pass-through MACs can change their IP addresses on the fly and upon the next access, the pass-through tables are changed accordingly. Pass-through MACs will however still be disconnected after the captive portal timeout period.
 
+
+
+ + + diff --git a/usr/local/www/services_captiveportal_mac_edit.php b/usr/local/www/services_captiveportal_mac_edit.php new file mode 100755 index 0000000..f763bac --- /dev/null +++ b/usr/local/www/services_captiveportal_mac_edit.php 
@@ -0,0 +1,134 @@ +#!/usr/local/bin/php + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['captiveportal']['passthrumac'])) + $config['captiveportal']['passthrumac'] = array(); + +passthrumacs_sort(); +$a_passthrumacs = &$config['captiveportal']['passthrumac']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_passthrumacs[$id]) { + $pconfig['mac'] = $a_passthrumacs[$id]['mac']; + $pconfig['descr'] = $a_passthrumacs[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "mac"); + $reqdfieldsn = explode(",", "MAC address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['mac'] && !is_macaddr($_POST['mac']))) { + $input_errors[] = "A valid MAC address must be specified. [".$_POST['mac']."]"; + } + + foreach ($a_passthrumacs as $macent) { + if (isset($id) && ($a_passthrumacs[$id]) && ($a_passthrumacs[$id] === $macent)) + continue; + + if ($macent['mac'] == $_POST['mac']){ + $input_errors[] = "[" . $_POST['mac'] . "] already allowed." ; + break; + } + } + + if (!$input_errors) { + $mac = array(); + $mac['mac'] = $_POST['mac']; + $mac['descr'] = $_POST['descr']; + + if (isset($id) && $a_passthrumacs[$id]) + $a_passthrumacs[$id] = $mac; + else + $a_passthrumacs[] = $mac; + + write_config(); + + touch($d_passthrumacsdirty_path) ; + + header("Location: services_captiveportal_mac.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Captive portal: Edit pass-through MAC address");?> + + + + + + +

Services: Captive portal: Edit pass-through MAC address

+ +
+ + + + + + + + + + + + + +
MAC address + +
+ MAC address (6 hex octets separated by colons)
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/services_dhcp.php b/usr/local/www/services_dhcp.php new file mode 100755 index 0000000..5b35b6a --- /dev/null +++ b/usr/local/www/services_dhcp.php 
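Review bot: The duplicate check `if ($macent['mac'] == $_POST['mac'])` is a case-sensitive string comparison, so if `is_macaddr()` (guiconfig.inc, outside this hunk) accepts both upper- and lower-case hex, the same address entered as `AA:BB:CC:DD:EE:FF` and `aa:bb:cc:dd:ee:ff` is stored twice and the second copy never trips the "already allowed" error. Normalise once before both the comparison and the store, e.g. `$postmac = strtolower(trim($_POST['mac']));` at the top of the POST branch, then compare `strtolower($macent['mac']) == $postmac` and assign `$mac['mac'] = $postmac;`. As in services_captiveportal.php, the error string interpolates the raw POST value; confirm `print_input_errors()` escapes it.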
@@ -0,0 +1,337 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$if = $_GET['if']; +if ($_POST['if']) + $if = $_POST['if']; + +$iflist = array("lan" => "LAN"); + +for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge'])) { + $iflist['opt' . 
$i] = $oc['descr']; + } +} + +if (!$if || !isset($iflist[$if])) + $if = "lan"; + +$pconfig['range_from'] = $config['dhcpd'][$if]['range']['from']; +$pconfig['range_to'] = $config['dhcpd'][$if]['range']['to']; +$pconfig['deftime'] = $config['dhcpd'][$if]['defaultleasetime']; +$pconfig['maxtime'] = $config['dhcpd'][$if]['maxleasetime']; +list($pconfig['wins1'],$pconfig['wins2']) = $config['dhcpd'][$if]['winsserver']; +$pconfig['enable'] = isset($config['dhcpd'][$if]['enable']); +$pconfig['denyunknown'] = isset($config['dhcpd'][$if]['denyunknown']); + +$ifcfg = $config['interfaces'][$if]; + +if (!is_array($config['dhcpd'][$if]['staticmap'])) { + $config['dhcpd'][$if]['staticmap'] = array(); +} +staticmaps_sort($if); +$a_maps = &$config['dhcpd'][$if]['staticmap']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "range_from range_to"); + $reqdfieldsn = explode(",", "Range begin,Range end"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['range_from'] && !is_ipaddr($_POST['range_from']))) { + $input_errors[] = "A valid range must be specified."; + } + if (($_POST['range_to'] && !is_ipaddr($_POST['range_to']))) { + $input_errors[] = "A valid range must be specified."; + } + if (($_POST['wins1'] && !is_ipaddr($_POST['wins1'])) || ($_POST['wins2'] && !is_ipaddr($_POST['wins2']))) { + $input_errors[] = "A valid IP address must be specified for the primary/secondary WINS server."; + } + if ($_POST['deftime'] && (!is_numeric($_POST['deftime']) || ($_POST['deftime'] < 60))) { + $input_errors[] = "The default lease time must be at least 60 seconds."; + } + if ($_POST['maxtime'] && (!is_numeric($_POST['maxtime']) || ($_POST['maxtime'] < 60) || ($_POST['maxtime'] <= $_POST['deftime']))) { + $input_errors[] = "The maximum lease time must be at least 60 seconds and higher than the default lease time."; + } + + if (!$input_errors) { + /* make 
sure the range lies within the current subnet */ + $subnet_start = (ip2long($ifcfg['ipaddr']) & gen_subnet_mask_long($ifcfg['subnet'])); + $subnet_end = (ip2long($ifcfg['ipaddr']) | (~gen_subnet_mask_long($ifcfg['subnet']))); + + if ((ip2long($_POST['range_from']) < $subnet_start) || (ip2long($_POST['range_from']) > $subnet_end) || + (ip2long($_POST['range_to']) < $subnet_start) || (ip2long($_POST['range_to']) > $subnet_end)) { + $input_errors[] = "The specified range lies outside of the current subnet."; + } + + if (ip2long($_POST['range_from']) > ip2long($_POST['range_to'])) + $input_errors[] = "The range is invalid (first element higher than second element)."; + + /* make sure that the DHCP Relay isn't enabled on this interface */ + if (isset($config['dhcrelay'][$if]['enable'])) + $input_errors[] = "You must disable the DHCP relay on the {$iflist[$if]} interface before enabling the DHCP server."; + } + } + + if (!$input_errors) { + $config['dhcpd'][$if]['range']['from'] = $_POST['range_from']; + $config['dhcpd'][$if]['range']['to'] = $_POST['range_to']; + $config['dhcpd'][$if]['defaultleasetime'] = $_POST['deftime']; + $config['dhcpd'][$if]['maxleasetime'] = $_POST['maxtime']; + $config['dhcpd'][$if]['enable'] = $_POST['enable'] ? true : false; + $config['dhcpd'][$if]['denyunknown'] = $_POST['denyunknown'] ? 
true : false; + + unset($config['dhcpd'][$if]['winsserver']); + if ($_POST['wins1']) + $config['dhcpd'][$if]['winsserver'][] = $_POST['wins1']; + if ($_POST['wins2']) + $config['dhcpd'][$if]['winsserver'][] = $_POST['wins2']; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_dhcpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_staticmapsdirty_path)) + unlink($d_staticmapsdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_maps[$_GET['id']]) { + unset($a_maps[$_GET['id']]); + write_config(); + touch($d_staticmapsdirty_path); + header("Location: services_dhcp.php?if={$if}"); + exit; + } +} +?> + + + +<?=gentitle("Services: DHCP server");?> + + + + + + + +

Services: DHCP server

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+
    + $ifname): + if ($ifent == $if): ?> +
  • + +
  • + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable DHCP server on + + interface
  +> + Deny unknown clients
+ If this is checked, only the clients defined below will get DHCP leases from this server.
Subnet + +
Subnet + mask + +
Available + range + + - + +
Range + +  to 
WINS servers +
+
Default lease + time + + seconds
+ This is used for clients that do not ask for a specific + expiration time.
+ The default is 7200 seconds.
Maximum lease + time + + seconds
+ This is the maximum lease time for clients that ask + for a specific expiration time.
+ The default is 86400 seconds.
  + + +
 

Note:
+
The DNS servers entered in System: + General setup (or the DNS + forwarder, if enabled)
will + be assigned to clients by the DHCP server.
+
+ The DHCP lease table can be viewed on the Diagnostics: + DHCP leases page.
+

+  
+ + + + + + + + + + + + + + + + + + + +
MAC address IP addressDescription
+ + +   + +   + +  
+
+
+ + + + diff --git a/usr/local/www/services_dhcp_edit.php b/usr/local/www/services_dhcp_edit.php new file mode 100755 index 0000000..80f64a9 --- /dev/null +++ b/usr/local/www/services_dhcp_edit.php 
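Review bot: The WINS, default-lease and maximum-lease checks sit inside `if ($_POST['enable'])`, but the save block `if (!$input_errors) { ... }` runs on every POST, so with the server disabled `wins1`, `wins2`, `deftime` and `maxtime` are written to the config unvalidated (`$config['dhcpd'][$if]['winsserver'][] = $_POST['wins1'];` and the lease-time assignments). Move those three `if` checks out of the `enable` block so they always run, keeping only the required-range fields and the subnet/relay checks conditional on the server being enabled. On a 32-bit PHP build `ip2long()` returns negative values for addresses at or above 128.0.0.0, which would make the `$subnet_start`/`$subnet_end` range comparison misjudge such ranges — if that platform is a target, compare the values via `sprintf('%u', ...)` or a float conversion. The `$if` lookup against `$iflist` here is the right shape; the GET-based delete handler shares the concern already raised on services_captiveportal_ip.php.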
@@ -0,0 +1,176 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$if = $_GET['if']; +if ($_POST['if']) + $if = $_POST['if']; + +if (!$if) { + header("Location: services_dhcp.php"); + exit; +} + +if (!is_array($config['dhcpd'][$if]['staticmap'])) { + $config['dhcpd'][$if]['staticmap'] = array(); +} +staticmaps_sort($if); +$a_maps = &$config['dhcpd'][$if]['staticmap']; +$ifcfg = &$config['interfaces'][$if]; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_maps[$id]) { + $pconfig['mac'] = $a_maps[$id]['mac']; + $pconfig['ipaddr'] = $a_maps[$id]['ipaddr']; + $pconfig['descr'] = $a_maps[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "mac"); + $reqdfieldsn = explode(",", "MAC address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['mac'] && !is_macaddr($_POST['mac']))) { + $input_errors[] = "A valid MAC address must be specified."; + } + + /* check for overlaps */ + foreach ($a_maps as $mapent) { + if (isset($id) && ($a_maps[$id]) && ($a_maps[$id] === $mapent)) + continue; + + if (($mapent['mac'] == $_POST['mac']) || ($_POST['ipaddr'] && (ip2long($mapent['ipaddr']) == ip2long($_POST['ipaddr'])))) { + $input_errors[] = "This IP or MAC address already exists."; + break; + } + } + + /* make sure it's not within the dynamic subnet */ + if ($_POST['ipaddr']) { + $dynsubnet_start = ip2long($config['dhcpd'][$if]['range']['from']); + $dynsubnet_end = ip2long($config['dhcpd'][$if]['range']['to']); + $lansubnet_start = (ip2long($ifcfg['ipaddr']) & gen_subnet_mask_long($ifcfg['subnet'])); + $lansubnet_end = (ip2long($ifcfg['ipaddr']) | (~gen_subnet_mask_long($ifcfg['subnet']))); + + if ((ip2long($_POST['ipaddr']) >= $dynsubnet_start) && + (ip2long($_POST['ipaddr']) <= $dynsubnet_end)) { + $input_errors[] = 
"Static IP addresses may not lie within the dynamic client range."; + } + if ((ip2long($_POST['ipaddr']) < $lansubnet_start) || + (ip2long($_POST['ipaddr']) > $lansubnet_end)) { + $input_errors[] = "The IP address must lie in the {$ifcfg['descr']} subnet."; + } + } + + if (!$input_errors) { + $mapent = array(); + $mapent['mac'] = $_POST['mac']; + $mapent['ipaddr'] = $_POST['ipaddr']; + $mapent['descr'] = $_POST['descr']; + + if (isset($id) && $a_maps[$id]) + $a_maps[$id] = $mapent; + else + $a_maps[] = $mapent; + + touch($d_staticmapsdirty_path); + + write_config(); + + header("Location: services_dhcp.php?if={$if}"); + exit; + } +} +?> + + + +<?=gentitle("Services: DHCP: Edit static mapping");?> + + + + + + +

Services: DHCP: Edit static mapping

+ +
+ + + + + + + + + + + + + + + + + +
MAC address + +
+ Enter a MAC address in the following format: + xx:xx:xx:xx:xx:xx
IP address + +
+ If no IP address is given, one will be dynamically allocated from the pool.
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + + +
+
+ + + diff --git a/usr/local/www/services_dhcp_relay.php b/usr/local/www/services_dhcp_relay.php new file mode 100755 index 0000000..674077c --- /dev/null +++ b/usr/local/www/services_dhcp_relay.php 
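Review bot: `$if` is taken from `$_GET['if']`/`$_POST['if']` and used as a key into `$config['dhcpd']` and `$config['interfaces']` without being checked against the interfaces that actually exist, whereas services_dhcp_relay.php in this same commit rejects unknown names by falling back to `lan`. Because `$config['dhcpd'][$if]['staticmap'] = array()` and the reference `$ifcfg = &$config['interfaces'][$if]` create the entries they touch, a request with an arbitrary `if` value appears to grow the config with a bogus section that `write_config()` then persists on save. Validate before use, e.g. `if (!$if || !is_array($config['interfaces'][$if])) { header("Location: services_dhcp.php"); exit; }` in place of the bare `if (!$if)` check. The same unvalidated `$if` is read in services_wol.php, whose hunk runs past the end of this view.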
@@ -0,0 +1,229 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function get_wan_dhcp_server() { + global $config, $g; + $dhclientfn = $g['vardb_path'] . 
"/dhclient.leases"; + $leases = file($dhclientfn); + /* Start at the end, work backwards finding the latest lease for the WAN */ + for ($i = (count($leases)-1); $i >= 0; $i--) { + if ($leases[$i] == "}") { + unset($iface); + unset($dhcpserver); + } elseif (strstr($leases[$i],"interface")) { + preg_match("/\s+interface \"(\w+)\";/",$leases[$i],$iface); + } elseif (strstr($leases[$i],"dhcp-server-identifier")) { + preg_match("/\s+dhcp-server-identifier (\d+\.\d+\.\d+\.\d+);/",$leases[$i],$dhcpserver); + } + if ($iface == $config['interfaces']['wan'] && isset($dhcpserver)) { + break; + } + } + return $dhcpserver[1]; +} + + +require("guiconfig.inc"); + +$if = $_GET['if']; +if ($_POST['if']) + $if = $_POST['if']; + +$iflist = array("lan" => "LAN"); + +for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge'])) { + $iflist['opt' . $i] = $oc['descr']; + } +} + +if (!$if || !isset($iflist[$if])) + $if = "lan"; + +$pconfig['enable'] = isset($config['dhcrelay'][$if]['enable']); +$pconfig['server'] = $config['dhcrelay']['server']; +$pconfig['proxydhcp'] = isset($config['dhcrelay']['proxydhcp']); +$pconfig['agentoption'] = isset($config['dhcrelay']['agentoption']); + +$ifcfg = $config['interfaces'][$if]; + + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + if (isset($_POST['proxydhcp'])) + $_POST['server'] = get_wan_dhcp_server(); + $reqdfields = explode(" ", "server"); + $reqdfieldsn = explode(",", "Destination Server"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['server'] && !is_ipaddr($_POST['server']))) + $input_errors[] = "A valid Destination Server IP address must be specified."; + + if (!$input_errors) { + /* make sure that the DHCP server isn't enabled on this interface */ + if (isset($config['dhcpd'][$if]['enable'])) + $input_errors[] = "You must 
disable the DHCP server on the {$iflist[$if]} interface before enabling the DHCP Relay."; + /* make sure that the DHCP server isn't running on any of the implied interfaces */ + foreach ($config['interfaces'] as $ifname => $ifcfg) { + $subnet = $ifcfg['ipaddr'] . "/" . $ifcfg['subnet']; + if (ip_in_subnet($_POST['server'],$subnet)) + $destif = $ifname; + } + if (!isset($destif)) + $destif = "wan"; + if (isset($config['dhcpd'][$destif]['enable'])) + $input_errors[] = "You must disable the DHCP server on the {$destif} interface before enabling the DHCP Relay."; + + /* if proxydhcp is selected, make sure DHCP is enabled on WAN */ + if (isset($config['dhcrelay']['proxydhcp']) && $config['interfaces']['wan']['ipaddr'] != "dhcp") + $input_errors[] = "You must have DHCP active on the WAN interface before enabling the DHCP proxy option."; + } + } + + if (!$input_errors) { + $config['dhcrelay']['agentoption'] = $_POST['agentoption'] ? true : false; + $config['dhcrelay']['proxydhcp'] = $_POST['proxydhcp'] ? true : false; + $config['dhcrelay']['server'] = $_POST['server']; + $config['dhcrelay'][$if]['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_dhcrelay_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + } +} + +?> + + + +<?=gentitle("Services: DHCP relay");?> + + + + + + + +

Services: DHCP relay

+
+ + + + + + + +
+
    + $ifname): + if ($ifent == $if): ?> +
  • + +
  • + + +
+
+ + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable DHCP relay on + + interface
  +> + Append circuit ID and agent ID to requests
+ If this is checked, the DHCP relay will append the circuit ID (m0n0wall interface number) and the agent ID to the DHCP request.
Destination server + onClick="enable_change(false)"> Proxy requests to DHCP server on WAN subnet +

+
+ This is the IP address of the server to which the DHCP packet is relayed. Select "Proxy requests to DHCP server on WAN subnet" to relay DHCP packets to the server that was used on the WAN interface. +
  + + +
+
+
+ + + + diff --git a/usr/local/www/services_dnsmasq.php b/usr/local/www/services_dnsmasq.php new file mode 100755 index 0000000..c69bb85 --- /dev/null +++ b/usr/local/www/services_dnsmasq.php 
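Review bot: The proxy-DHCP check at the end of the validation block tests `isset($config['dhcrelay']['proxydhcp'])`, i.e. the value already saved, while every other check in the block reads `$_POST`; a user who ticks the proxy option for the first time on a WAN that is not on DHCP therefore passes validation, and one who unticks it still gets the error. It should read `if (isset($_POST['proxydhcp']) && $config['interfaces']['wan']['ipaddr'] != "dhcp")`. Two smaller things in the same file: the `foreach ($config['interfaces'] as $ifname => $ifcfg)` loop overwrites the `$ifcfg` assigned earlier from `$config['interfaces'][$if]`, so anything after it that expects the selected interface's config gets the last interface iterated instead; and in get_wan_dhcp_server the condition `$iface == $config['interfaces']['wan']` compares the preg_match result array with the whole WAN interface array, so it seems unlikely to match as intended (`$iface[1] == $config['interfaces']['wan']['if']` looks to be what was meant).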
@@ -0,0 +1,168 @@ +#!/usr/local/bin/php + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pconfig['enable'] = isset($config['dnsmasq']['enable']); +$pconfig['regdhcp'] = isset($config['dnsmasq']['regdhcp']); + +if (!is_array($config['dnsmasq']['hosts'])) { + $config['dnsmasq']['hosts'] = array(); +} +hosts_sort(); +$a_hosts = &$config['dnsmasq']['hosts']; + +if ($_POST) { + + $pconfig = $_POST; + + $config['dnsmasq']['enable'] = ($_POST['enable']) ? true : false; + $config['dnsmasq']['regdhcp'] = ($_POST['regdhcp']) ? 
true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_dnsmasq_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_hostsdirty_path)) + unlink($d_hostsdirty_path); + } +} + +if ($_GET['act'] == "del") { + if ($a_hosts[$_GET['id']]) { + unset($a_hosts[$_GET['id']]); + write_config(); + touch($d_hostsdirty_path); + header("Location: services_dnsmasq.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: DNS forwarder");?> + + + + + + +

Services: DNS forwarder

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + +

+ > + Enable DNS forwarder
+

+ > + Register DHCP leases in DNS forwarder
+
If this option is set, then machines that specify + their hostname when requesting a DHCP lease will be registered + in the DNS forwarder, so that their name can be resolved. + You should also set the domain in System: + General setup to the proper value.

+
+

Note:
+
If the DNS forwarder is enabled, the DHCP + service (if enabled) will automatically serve the LAN IP + address as a DNS server to DHCP clients so they will use + the forwarder. The DNS forwarder will use the DNS servers + entered in System: General setup + or those obtained via DHCP or PPP on WAN if the "Allow + DNS server list to be overridden by DHCP/PPP on WAN"
+ is checked. If you don't use that option (or if you use + a static IP address on WAN), you must manually specify at + least one DNS server on the System: + General setup page.
+
+ You may enter records that override the results from the + forwarders below.

+  
+ + + + + + + + + + + + + + + + + + + + + +
HostDomainIPDescription
+   + +   + +   + +   + +  
+
+ + + diff --git a/usr/local/www/services_dnsmasq_edit.php b/usr/local/www/services_dnsmasq_edit.php new file mode 100755 index 0000000..810a415 --- /dev/null +++ b/usr/local/www/services_dnsmasq_edit.php 
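Review bot: The `act=del` branch deletes a host override and calls `write_config()` on a plain GET request keyed only by `$_GET['id']`, so a link or image tag on any page the logged-in administrator visits can remove entries without any interaction with this UI (cross-site request forgery); the same pattern is in services_proxyarp.php and services_wol.php in this commit, and in the services_dhcp.php hunk that begins before this view. Deletion should be a POST carrying a per-session token that the handler compares with `hash_equals()` before touching the config; at minimum, `$_GET['id']` should be checked with `is_numeric()` before it is used as an array index. Note also that `if ($a_hosts[$_GET['id']])` silently does nothing for an unknown id instead of reporting it.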
@@ -0,0 +1,160 @@ +#!/usr/local/bin/php + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['dnsmasq']['hosts'])) { + $config['dnsmasq']['hosts'] = array(); +} +hosts_sort(); +$a_hosts = &$config['dnsmasq']['hosts']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_hosts[$id]) { + $pconfig['host'] = $a_hosts[$id]['host']; + $pconfig['domain'] = $a_hosts[$id]['domain']; + $pconfig['ip'] = $a_hosts[$id]['ip']; + $pconfig['descr'] = $a_hosts[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "domain ip"); + $reqdfieldsn = explode(",", "Domain,IP address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['host'] && !is_hostname($_POST['host']))) { + $input_errors[] = "A valid host must be specified."; + } + if (($_POST['domain'] && !is_domain($_POST['domain']))) { + $input_errors[] = "A valid domain must be specified."; + } + if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) { + $input_errors[] = "A valid IP address must be specified."; + } + + /* check for overlaps */ + foreach ($a_hosts as $hostent) { + if (isset($id) && ($a_hosts[$id]) && ($a_hosts[$id] === $hostent)) + continue; + + if (($hostent['host'] == $_POST['host']) && ($hostent['domain'] == $_POST['domain'])) { + $input_errors[] = "This host/domain already exists."; + break; + } + } + + if (!$input_errors) { + $hostent = array(); + $hostent['host'] = $_POST['host']; + $hostent['domain'] = $_POST['domain']; + $hostent['ip'] = $_POST['ip']; + $hostent['descr'] = $_POST['descr']; + + if (isset($id) && $a_hosts[$id]) + $a_hosts[$id] = $hostent; + else + $a_hosts[] = $hostent; + + touch($d_hostsdirty_path); + + write_config(); + + header("Location: services_dnsmasq.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: DNS forwarder: Edit host");?> + + + + + + +

Services: DNS forwarder: Edit host

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Host + +
Name of the host, without + domain part
+ e.g. myhost
Domain + +
Domain of the host
+ e.g. blah.com
IP address + +
IP address of the host
+ e.g. 192.168.100.100
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/services_dyndns.php b/usr/local/www/services_dyndns.php new file mode 100755 index 0000000..e4864e6 --- /dev/null +++ b/usr/local/www/services_dyndns.php 
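Review bot: `$id` comes straight from `$_GET['id']`/`$_POST['id']` and is used as an array index in `$a_hosts[$id]` and, on save, as the key written back with `$a_hosts[$id] = $hostent`, without being checked to be an integer; a non-numeric id yields a string key in what the rest of the code treats as a list (see the `$a_hosts[] = $hostent` append path and `hosts_sort()`). Accept it only when numeric, e.g. `$id = null; if (isset($_GET['id']) && is_numeric($_GET['id'])) $id = (int)$_GET['id'];` and the same for the POST value. services_dhcp_edit.php and services_proxyarp_edit.php in this commit take `$id` the same way. The `host`/`domain`/`descr` values are stored raw, which is acceptable here only if the list page escapes them on output, which this view cannot confirm.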
@@ -0,0 +1,197 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$pconfig['username'] = $config['dyndns']['username']; +$pconfig['password'] = $config['dyndns']['password']; +$pconfig['host'] = $config['dyndns']['host']; +$pconfig['mx'] = $config['dyndns']['mx']; +$pconfig['type'] = $config['dyndns']['type']; +$pconfig['enable'] = isset($config['dyndns']['enable']); +$pconfig['wildcard'] = isset($config['dyndns']['wildcard']); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "host username password type"); + $reqdfieldsn = explode(",", "Hostname,Username,Password,Service type"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (($_POST['host'] && !is_domain($_POST['host']))) { + $input_errors[] = "The host name contains invalid characters."; + } + if (($_POST['mx'] && !is_domain($_POST['mx']))) { + $input_errors[] = "The MX contains invalid characters."; + } + if (($_POST['username'] && !is_dyndns_username($_POST['username']))) { + $input_errors[] = "The username contains invalid characters."; + } + + if (!$input_errors) { + $config['dyndns']['type'] = $_POST['type']; + $config['dyndns']['username'] = $_POST['username']; + $config['dyndns']['password'] = $_POST['password']; + $config['dyndns']['host'] = $_POST['host']; + $config['dyndns']['mx'] = $_POST['mx']; + $config['dyndns']['wildcard'] = $_POST['wildcard'] ? true : false; + $config['dyndns']['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + /* nuke the cache file */ + config_lock(); + services_dyndns_reset(); + $retval = services_dyndns_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("Services: Dynamic DNS client");?> + + + + + + + +

Services: Dynamic DNS client

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable Dynamic DNS client
Service type +
Hostname + +
MX + +
+ Set this option only if you need a special MX record. Not + all services support this.
Wildcards + > + Enable Wildcard
Username + +
Password + +
  + +
 Note:
+
You must configure a DNS server in System: + General setup or allow the DNS server list to be overridden + by DHCP/PPP on WAN for the DynDNS client to work.
+
+ + + + diff --git a/usr/local/www/services_proxyarp.php b/usr/local/www/services_proxyarp.php new file mode 100755 index 0000000..ecb7315 --- /dev/null +++ b/usr/local/www/services_proxyarp.php 
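Review bot: `$_POST['type']` is stored into `$config['dyndns']['type']` after only a presence check, while `host`, `mx` and `username` each get a format validator; the type value selects the update service in services_dyndns_configure (outside this hunk), so it should be validated against the set of choices the form's select offers before it is saved, e.g. `if ($_POST['type'] && !in_array($_POST['type'], $dyndns_service_types, true)) $input_errors[] = "Unknown service type.";` where `$dyndns_service_types` stands for whatever list the form is built from. The DynDNS password is written to the config in clear text and echoed back into the form via `$pconfig['password']`; that is inherent to a client that must authenticate, but it deserves a comment at the assignment, e.g. `/* stored in clear text: the update client needs the plaintext credential, so config backups contain it */`.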
@@ -0,0 +1,124 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['proxyarp']['proxyarpnet'])) { + $config['proxyarp']['proxyarpnet'] = array(); +} +proxyarp_sort(); +$a_proxyarp = &$config['proxyarp']['proxyarpnet']; + +if ($_POST) { + $pconfig = $_POST; + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_proxyarp_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_proxyarpdirty_path)) + unlink($d_proxyarpdirty_path); + } +} + +if ($_GET['act'] == "del") { + if ($a_proxyarp[$_GET['id']]) { + unset($a_proxyarp[$_GET['id']]); + write_config(); + touch($d_proxyarpdirty_path); + header("Location: services_proxyarp.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Proxy ARP");?> + + + + + + +

Services: Proxy ARP

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + +
NetworkDescription
+   + +   + +  
+
+

Note:
+
Proxy ARP can be used if you need m0n0wall to send ARP + replies on the WAN interface for other IP addresses than its own WAN + IP address (e.g. for 1:1, advanced outbound or server NAT). It is not + necessary if you have a subnet routed to you or if you use PPPoE/PPTP, and it only works if + the WAN interface is configured with a static IP address or DHCP.

+ + + diff --git a/usr/local/www/services_proxyarp_edit.php b/usr/local/www/services_proxyarp_edit.php new file mode 100755 index 0000000..2c5bd6c --- /dev/null +++ b/usr/local/www/services_proxyarp_edit.php 
@@ -0,0 +1,231 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['proxyarp']['proxyarpnet'])) { + $config['proxyarp']['proxyarpnet'] = array(); +} +proxyarp_sort(); +$a_proxyarp = &$config['proxyarp']['proxyarpnet']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_proxyarp[$id]) { + if (isset($a_proxyarp[$id]['network'])) + list($pconfig['subnet'], $pconfig['subnet_bits']) = explode("/", $a_proxyarp[$id]['network']); + else if (isset($a_proxyarp[$id]['range'])) { + $pconfig['range_from'] = $a_proxyarp[$id]['range']['from']; + $pconfig['range_to'] = $a_proxyarp[$id]['range']['to']; + } + $pconfig['descr'] = $a_proxyarp[$id]['descr']; +} else { + $pconfig['subnet_bits'] = 32; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['type'] == "single") { + $reqdfields = explode(" ", "subnet"); + $reqdfieldsn = explode(",", "Address"); + $_POST['subnet_bits'] = 32; + } else if ($_POST['type'] == "network") { + $reqdfields = explode(" ", "subnet subnet_bits"); + $reqdfieldsn = explode(",", "Network,Network mask"); + } else if ($_POST['type'] == "range") { + $reqdfields = explode(" ", "range_from range_to"); + $reqdfieldsn = explode(",", "Range start,Range end"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ((($_POST['type'] != "range") && $_POST['subnet'] && !is_ipaddr($_POST['subnet']))) { + $input_errors[] = "A valid address must be specified."; + } + if ((($_POST['type'] == "range") && $_POST['range_from'] && !is_ipaddr($_POST['range_from']))) { + $input_errors[] = "A valid range start must be specified."; + } + if ((($_POST['type'] == "range") && $_POST['range_to'] && !is_ipaddr($_POST['range_to']))) { + $input_errors[] = "A valid range end must be specified."; + } + + /* check for overlaps */ + foreach ($a_proxyarp as $arpent) { + if (isset($id) && ($a_proxyarp[$id]) && ($a_proxyarp[$id] === $arpent)) + continue; + + if 
(($_POST['type'] == "range") && isset($arpent['range'])) { + if (($_POST['range_from'] == $arpent['range']['from']) && + ($_POST['range_to'] == $arpent['range']['to'])) { + $input_errors[] = "This range already exists."; + break; + } + } else if (isset($arpent['network'])) { + if (($arpent['network'] == "{$_POST['subnet']}/{$_POST['subnet_bits']}")) { + $input_errors[] = "This network already exists."; + break; + } + } + } + + if (!$input_errors) { + $arpent = array(); + if ($_POST['type'] == "range") { + $arpent['range']['from'] = $_POST['range_from']; + $arpent['range']['to'] = $_POST['range_to']; + } else + $arpent['network'] = $_POST['subnet'] . "/" . $_POST['subnet_bits']; + $arpent['descr'] = $_POST['descr']; + + if (isset($id) && $a_proxyarp[$id]) + $a_proxyarp[$id] = $arpent; + else + $a_proxyarp[] = $arpent; + + touch($d_proxyarpdirty_path); + + write_config(); + + header("Location: services_proxyarp.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Proxy ARP: Edit");?> + + + + + + + +

Services: Proxy ARP: Edit

+ +
+ + + + + + + + + + + + + +
Network + + + + + + + + + + + + + +
Type:  
Address:   + / + +
Range:   +- + +
+
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + + diff --git a/usr/local/www/services_snmp.php b/usr/local/www/services_snmp.php new file mode 100755 index 0000000..e7c4464 --- /dev/null +++ b/usr/local/www/services_snmp.php 
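Review bot: `subnet_bits` is never range-checked in the validation block: for `type == "network"` the value is only required to be present, then concatenated into `$arpent['network'] = $_POST['subnet'] . "/" . $_POST['subnet_bits']` and persisted, so a prefix such as `33` or `abc` reaches the config and whatever services_proxyarp_configure (outside this hunk) generates from it. Add alongside the `is_ipaddr` checks something like `if (($_POST['type'] == "network") && (!is_numeric($_POST['subnet_bits']) || ($_POST['subnet_bits'] < 1) || ($_POST['subnet_bits'] > 32))) $input_errors[] = "A valid network mask must be specified.";`. Two related gaps: for `type == "range"` nothing verifies that `range_from` is not above `range_to`, and an unrecognised `type` leaves `$reqdfields`/`$reqdfieldsn` unset so `do_input_validation()` is called with nulls; a final `else $input_errors[] = "A valid type must be selected.";` branch would close that.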
@@ -0,0 +1,145 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['snmpd'])) { + $config['snmpd'] = array(); + $config['snmpd']['rocommunity'] = "public"; +} + +$pconfig['syslocation'] = $config['snmpd']['syslocation']; +$pconfig['syscontact'] = $config['snmpd']['syscontact']; +$pconfig['rocommunity'] = $config['snmpd']['rocommunity']; +$pconfig['enable'] = isset($config['snmpd']['enable']); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "rocommunity"); + $reqdfieldsn = explode(",", "Community"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (!$input_errors) { + $config['snmpd']['syslocation'] = $_POST['syslocation']; + $config['snmpd']['syscontact'] = $_POST['syscontact']; + $config['snmpd']['rocommunity'] = $_POST['rocommunity']; + $config['snmpd']['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_snmpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("Services: SNMP");?> + + + + + + + +

Services: SNMP

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable SNMP agent
System location + +
System contact + +
Community + +
+ In most cases, "public" is used here
  + +
+
+ + + + diff --git a/usr/local/www/services_wol.php b/usr/local/www/services_wol.php new file mode 100755 index 0000000..1ee5946 --- /dev/null +++ b/usr/local/www/services_wol.php 
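Review bot: `rocommunity` is saved verbatim from `$_POST['rocommunity']`, with only a required-field check when the agent is enabled; since services_snmpd_configure (outside this hunk) presumably writes it into the daemon's configuration, restrict it to a safe character set before storing, e.g. `if ($_POST['rocommunity'] && !preg_match('/^[a-zA-Z0-9_.-]+$/', $_POST['rocommunity'])) $input_errors[] = "The community string contains invalid characters.";`. Also, the first-load branch seeds `$config['snmpd']['rocommunity'] = "public"`, so the form comes up prefilled with the industry-default community string and enabling the agent without changing it exposes the read-only tree to anyone who can reach the agent with that well-known value; leaving the seed empty and letting the required-field check force a choice would be the safer default. If the default is kept, a one-line comment at the seed, `/* well-known default community; expected to be changed before the agent is enabled */`, at least documents the intent.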
@@ -0,0 +1,162 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['wol']['wolentry'])) { + $config['wol']['wolentry'] = array(); +} +wol_sort(); +$a_wol = &$config['wol']['wolentry']; + +if ($_POST || $_GET['mac']) { + unset($input_errors); + + if ($_GET['mac']) { + $mac = $_GET['mac']; + $if = $_GET['if']; + } else { + $mac = $_POST['mac_input']; + $if = $_POST['interface']; + } + + /* input validation */ + if (!$mac || !is_macaddr($mac)) + $input_errors[] = "A valid MAC address must be specified."; + if (!$if) + $input_errors[] = "A valid interface must be specified."; + + if (!$input_errors) { + /* determine broadcast address */ + $bcip = gen_subnet_max($config['interfaces'][$if]['ipaddr'], + $config['interfaces'][$if]['subnet']); + + mwexec("/usr/local/bin/wol -i {$bcip} {$mac}"); + $savemsg = "Sent magic packet to {$mac}."; + } +} + +if ($_GET['act'] == "del") { + if ($a_wol[$_GET['id']]) { + unset($a_wol[$_GET['id']]); + write_config(); + header("Location: services_wol.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Wake on LAN");?> + + + + + + +

Services: Wake on LAN

+ + +
+ + + + + + + + + + + + +
Interface +
+ Choose which interface the host to be woken up is connected to.
MAC address + +
+ Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx
  + +
+ Note:
+
This service can be used to wake up (power on) computers by sending special "Magic Packets". The NIC in the computer that is to be woken up must support Wake on LAN and has to be configured properly (WOL cable, BIOS settings).

+
+ You may store MAC addresses below for your convenience. +Click the MAC address to wake up a computer.
+  + + + + + + + + + + + + + + + + + + + +
InterfaceMAC addressDescription
+   + +   + +   + +  
+
+ + + diff --git a/usr/local/www/services_wol_edit.php b/usr/local/www/services_wol_edit.php new file mode 100755 index 0000000..1d483f7 --- /dev/null +++ b/usr/local/www/services_wol_edit.php 
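Review bot: `$if` (from `$_GET['if']` or `$_POST['interface']`) is only tested for non-emptiness before it indexes `$config['interfaces'][$if]` to compute the broadcast address, so an unknown interface name reaches `gen_subnet_max()` with null arguments and `mwexec("/usr/local/bin/wol -i {$bcip} {$mac}")` runs with an empty or meaningless `-i` value. Replace the check with `if (!$if || !isset($config['interfaces'][$if]['ipaddr'])) $input_errors[] = "A valid interface must be specified.";`. `$mac` is passed through `is_macaddr()` first, which is the only thing keeping it out of the shell unescaped; wrapping both substitutions in `escapeshellarg()` makes that independent of the validator. Both the wake-up (`$_GET['mac']`) and the `act=del` deletion are side effects triggered by a plain GET with no request token, so they are exposed to cross-site request forgery; the delete should at least move behind POST like the save path in services_wol_edit.php.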
@@ -0,0 +1,143 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['wol']['wolentry'])) { + $config['wol']['wolentry'] = array(); +} +wol_sort(); +$a_wol = &$config['wol']['wolentry']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_wol[$id]) { + $pconfig['interface'] = $a_wol[$id]['interface']; + $pconfig['mac'] = $a_wol[$id]['mac']; + $pconfig['descr'] = $a_wol[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "interface mac"); + $reqdfieldsn = explode(",", "Interface,MAC address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['mac'] && !is_macaddr($_POST['mac']))) { + $input_errors[] = "A valid MAC address must be specified."; + } + + if (!$input_errors) { + $wolent = array(); + $wolent['interface'] = $_POST['interface']; + $wolent['mac'] = $_POST['mac']; + $wolent['descr'] = $_POST['descr']; + + if (isset($id) && $a_wol[$id]) + $a_wol[$id] = $wolent; + else + $a_wol[] = $wolent; + + write_config(); + + header("Location: services_wol.php"); + exit; + } +} +?> + + + +<?=gentitle("Services: Wake on LAN: Edit entry");?> + + + + + + +

Services: Wake on LAN: Edit entry

+ +
+ + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this host is connected to.
MAC address + +
+ Enter a MAC address in the following format: + xx:xx:xx:xx:xx:xx
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/status.php b/usr/local/www/status.php new file mode 100755 index 0000000..0b54797 --- /dev/null +++ b/usr/local/www/status.php @@ -0,0 +1,150 @@ +#!/usr/local/bin/php + Nov 2003 + * + * (modified for m0n0wall by Manuel Kasper ) + */ + +/* Execute a command, with a title, and generate an HTML table + * showing the results. + */ +function doCmdT($title, $command) { + echo "
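Review bot: `$wolent['interface'] = $_POST['interface'];` stores the interface without checking that it names a configured interface, while services_wol.php (in this same commit) later uses the stored value as an index into `$config['interfaces']` to derive the broadcast address, so an entry with an unknown interface is silently accepted and then fails at wake-up time. Add `if ($_POST['interface'] && !isset($config['interfaces'][$_POST['interface']])) $input_errors[] = "A valid interface must be specified.";` beside the MAC check. `$id` is taken from `$_GET['id']`/`$_POST['id']` and used directly as an array key; the `$a_wol[$id]` truth test keeps it from creating arbitrary keys, but an `is_numericint($id)` guard would state the intent. `descr` is stored unfiltered and the list rendering in services_wol.php is stripped from this view, so confirm it is passed through `htmlspecialchars()` when displayed.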

\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "
" . $title . "
";		/* no newline after pre */
+	
+	if ($command == "dumpconfigxml") {
+		$fd = @fopen("/conf/config.xml", "r");
+		if ($fd) {
+			while (!feof($fd)) {
+				$line = fgets($fd);
+				/* remove password tag contents */
+				$line = preg_replace("/.*?<\\/password>/", "xxxxx", $line);
+				$line = preg_replace("/.*?<\\/pre-shared-key>/", "xxxxx", $line);
+				$line = str_replace("\t", "    ", $line);
+				echo htmlspecialchars($line,ENT_NOQUOTES);
+			}
+		}
+		fclose($fd);
+	} else {
+		exec ($command . " 2>&1", $execOutput, $execStatus);
+		for ($i = 0; isset($execOutput[$i]); $i++) {
+			if ($i > 0) {
+				echo "\n";
+			}
+			echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES);
+		}
+	}
+    echo "
\n"; +} + +/* Execute a command, giving it a title which is the same as the command. */ +function doCmd($command) { + doCmdT($command,$command); +} + +/* Define a command, with a title, to be executed later. */ +function defCmdT($title, $command) { + global $commands; + $title = htmlspecialchars($title,ENT_NOQUOTES); + $commands[] = array($title, $command); +} + +/* Define a command, with a title which is the same as the command, + * to be executed later. + */ +function defCmd($command) { + defCmdT($command,$command); +} + +/* List all of the commands as an index. */ +function listCmds() { + global $commands; + echo "

This status page includes the following information:\n"; + echo "

\n"; +} + +/* Execute all of the commands which were defined by a call to defCmd. */ +function execCmds() { + global $commands; + for ($i = 0; isset($commands[$i]); $i++ ) { + doCmdT($commands[$i][0], $commands[$i][1]); + } +} + +/* Set up all of the commands we want to execute. */ +defCmdT("System uptime","uptime"); +defCmdT("Interfaces","/sbin/ifconfig -a"); + +defCmdT("Routing tables","netstat -nr"); + +defCmdT("ipfw show", "/sbin/ipfw show"); +defCmdT("pfctl -s nat ", "/sbin/pfctl -s nat"); +defCmdT("pfctl -s rules", "/sbin/pfctl -s rules"); +defCmdT("pfctl -s all"," /sbin/pfctl -s all"); + +defCmdT("resolv.conf","cat /etc/resolv.conf"); + +defCmdT("Processes","ps xauww"); +defCmdT("dhcpd.conf","cat /var/etc/dhcpd.conf"); +defCmdT("ez-ipupdate.cache","cat /conf/ez-ipupdate.cache"); + +defCmdT("df","/bin/df"); + +defCmdT("racoon.conf","cat /var/etc/racoon.conf"); +defCmdT("SPD","/usr/sbin/setkey -DP"); +defCmdT("SAD","/usr/sbin/setkey -D"); + +defCmdT("last 200 system log entries","/usr/sbin/clog /var/log/system.log 2>&1 | tail -n 200"); +defCmdT("last 50 filter log entries","/usr/sbin/clog /var/log/filter.log 2>&1 | tail -n 50"); + +defCmd("ls /conf"); +defCmd("ls /var/run"); +defCmdT("config.xml","dumpconfigxml"); + +$pageTitle = "m0n0wall: status"; + +exec("/bin/date", $dateOutput, $dateStatus); +$currentDate = $dateOutput[0]; + +?> + + + +<?=$pageTitle;?> + + + + + + +


+ +

Note: make sure to remove any sensitive information +(passwords, maybe also IP addresses) before posting +information from this page in public places (like mailing lists)!
+Passwords in config.xml have been automatically removed. + + + + + + + diff --git a/usr/local/www/status_captiveportal.php b/usr/local/www/status_captiveportal.php new file mode 100755 index 0000000..80f2eff --- /dev/null +++ b/usr/local/www/status_captiveportal.php @@ -0,0 +1,128 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +<?=gentitle("Status: Captive portal");?> + + + + + + +
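Review bot: `fclose($fd);` sits outside the `if ($fd)` block in `doCmdT`, so when `/conf/config.xml` cannot be opened (the `@fopen` failure case) it is called on `false`; move it inside the block, after the `while` loop. The masking covers only the `password` and `pre-shared-key` elements, and because it runs on each `fgets()` line it misses a value whose opening and closing tags are not on the same line. Other secrets this commit stores in config.xml, `rocommunity` (services_snmp.php) and the webGUI `private-key` (system_advanced.php), are dumped in clear even though the page text says passwords have been automatically removed; extend the same `preg_replace` treatment to those elements, or mask on the parsed `$config` array rather than on raw text.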

Status: Captive portal

+ + + + + + + + + + + + + + + + + + + + + + + + +
IP addressMAC addressSession startLast activitySession start
  +
+

+

+ + + + + + + + +
+

+ + + diff --git a/usr/local/www/status_graph.php b/usr/local/www/status_graph.php new file mode 100755 index 0000000..15330fd --- /dev/null +++ b/usr/local/www/status_graph.php @@ -0,0 +1,80 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$curif = "wan"; +if ($_GET['if']) + $curif = $_GET['if']; + +if ($curif == "wan") + $ifnum = get_real_wan_interface(); +else + $ifnum = $config['interfaces'][$curif]['if']; +?> + + + +<?=gentitle("Status: Traffic graph");?> + + + + + + +

Status: Traffic graph

+ 'WAN', 'lan' => 'LAN'); + +for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $ifdescrs['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; +} +?> +
+Interface: + +
+
+ +
+

Note: the Adobe SVG viewer is required to view the graph. + + + diff --git a/usr/local/www/status_interfaces.php b/usr/local/www/status_interfaces.php new file mode 100755 index 0000000..480312b --- /dev/null +++ b/usr/local/www/status_interfaces.php 
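Review bot: `$curif = $_GET['if'];` is accepted without checking that it is a configured interface, so for any other value `$ifnum = $config['interfaces'][$curif]['if']` is null and the page proceeds with an empty interface name; the `$ifdescrs` list built further down (wan, lan, optN) is the right allow-list. Validate before use: `if ($_GET['if'] && isset($config['interfaces'][$_GET['if']])) $curif = $_GET['if'];`, keeping the `"wan"` default otherwise. Where `$ifnum` and `$curif` are echoed into the page or passed on to graph.php is stripped from this view; confirm they go through `htmlspecialchars()` at that point.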
@@ -0,0 +1,283 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +function get_interface_info($ifdescr) { + + global $config, $g; + + $ifinfo = array(); + + /* find out interface name */ + if ($ifdescr == "wan") + $ifinfo['if'] = get_real_wan_interface(); + else + $ifinfo['if'] = $config['interfaces'][$ifdescr]['if']; + + /* run netstat to determine link info */ + unset($linkinfo); + exec("/usr/bin/netstat -I " . $ifinfo['if'] . 
" -nWb -f link", $linkinfo); + $linkinfo = preg_split("/\s+/", $linkinfo[1]); + if (preg_match("/\*$/", $linkinfo[0])) { + $ifinfo['status'] = "down"; + } else { + $ifinfo['status'] = "up"; + } + + if (($ifinfo['if'] != $g['pppoe_interface']) && (!strstr($ifinfo['if'],'tun'))) { + $ifinfo['macaddr'] = $linkinfo[3]; + $ifinfo['inpkts'] = $linkinfo[4]; + $ifinfo['inerrs'] = $linkinfo[5]; + $ifinfo['inbytes'] = $linkinfo[6]; + $ifinfo['outpkts'] = $linkinfo[7]; + $ifinfo['outerrs'] = $linkinfo[8]; + $ifinfo['outbytes'] = $linkinfo[9]; + $ifinfo['collisions'] = $linkinfo[10]; + } else { + $ifinfo['inpkts'] = $linkinfo[3]; + $ifinfo['inbytes'] = $linkinfo[5]; + $ifinfo['outpkts'] = $linkinfo[6]; + $ifinfo['outbytes'] = $linkinfo[8]; + } + + if ($ifinfo['status'] == "up") { + /* run netstat to determine inet info */ + unset($inetinfo); + exec("/usr/bin/netstat -I " . $ifinfo['if'] . " -nWb -f inet", $inetinfo); + $inetinfo = preg_split("/\s+/", $inetinfo[1]); + + $ifinfo['ipaddr'] = $inetinfo[3]; + + if ($ifdescr == "wan") { + /* run netstat to determine the default gateway */ + unset($netstatrninfo); + exec("/usr/bin/netstat -rnf inet", $netstatrninfo); + + foreach ($netstatrninfo as $nsr) { + if (preg_match("/^default\s*(\S+)/", $nsr, $matches)) { + $ifinfo['gateway'] = $matches[1]; + } + } + } + + /* try to determine netmask and media with ifconfig */ + unset($ifconfiginfo); + exec("/sbin/ifconfig " . $ifinfo['if'], $ifconfiginfo); + + foreach ($ifconfiginfo as $ici) { + if (preg_match("/netmask (\S+)/", $ici, $matches) && !$ifinfo['subnet']) { + if (preg_match("/^0x/", $matches[1])) { + $ifinfo['subnet'] = long2ip(hexdec($matches[1])); + } + } + if (!isset($config['interfaces'][$ifdescr]['wireless'])) { + /* don't list media/speed for wireless cards, as it always + displays 2 Mbps even though clients can connect at 11 Mbps */ + if (preg_match("/media: .*? 
\((.*?)\)/", $ici, $matches)) { + $ifinfo['media'] = $matches[1]; + } else if (preg_match("/media: Ethernet (.*)/", $ici, $matches)) { + $ifinfo['media'] = $matches[1]; + } + } + if (preg_match("/status: (.*)$/", $ici, $matches)) { + if ($matches[1] != "active") + $ifinfo['status'] = $matches[1]; + } + if (preg_match("/channel (\S*)/", $ici, $matches)) { + $ifinfo['channel'] = $matches[1]; + } + if (preg_match("/ssid (\S*)/", $ici, $matches)) { + $ifinfo['ssid'] = $matches[1]; + } + } + + /* PPPoE only: get media from underlying ethernet interface */ + if (($ifdescr == "wan") && ($config['interfaces']['wan']['ipaddr'] == "pppoe")) { + unset($ifconfiginfo); + exec("/sbin/ifconfig " . $config['interfaces']['wan']['if'], $ifconfiginfo); + + foreach ($ifconfiginfo as $ici) { + if (preg_match("/media: .*? \((.*?)\)/", $ici, $matches)) { + $ifinfo['media'] = $matches[1]; + } else if (preg_match("/ether (.*)/", $ici, $matches)) { + $ifinfo['macaddr'] = $matches[1]; + } + } + + /* get pppoe link status for dial on demand */ + unset($ifconfiginfo); + exec("/sbin/ifconfig " . $ifinfo['if'], $ifconfiginfo); + + $ifinfo['pppoelink'] = "up"; + + foreach ($ifconfiginfo as $ici) { + if (strpos($ici, 'LINK0') !== false) + $ifinfo['pppoelink'] = "down"; + } + } + + /* get ppptp link status for dial on demand */ + if (($ifdescr == "wan") && ($config['interfaces']['wan']['ipaddr'] == "pptp")) { + + unset($ifconfiginfo); + exec("/sbin/ifconfig " . $ifinfo['if'], $ifconfiginfo); + + $ifinfo['pptplink'] = "up"; + + foreach ($ifconfiginfo as $ici) { + if (strpos($ici, 'LINK0') !== false) + $ifinfo['pptplink'] = "down"; + } + } + } + + return $ifinfo; +} + +?> + + + +<?=gentitle("Status: Interfaces");?> + + + + + + +

Status: Interfaces

+ + 'WAN', 'lan' => 'LAN'); + + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $ifdescrs['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + } + + foreach ($ifdescrs as $ifdescr => $ifname): + $ifinfo = get_interface_info($ifdescr); + ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + interface
Status + +
PPPoE + +
PPTP + +
MAC address + +
IP address + +  
Subnet mask + +
Gateway + +
Media + +
Channel + +
SSID + +
In/out packets + +
In/out errors + +
Collisions + +
+ + + diff --git a/usr/local/www/status_wireless.php b/usr/local/www/status_wireless.php new file mode 100755 index 0000000..c87c8d6 --- /dev/null +++ b/usr/local/www/status_wireless.php 
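Review bot: `get_interface_info` splits `$linkinfo[1]` right after the netstat `exec()` without checking that any output line exists, so when `$ifinfo['if']` is empty or names a device the kernel does not have, `$linkinfo[0]` is undefined, the `preg_match("/\*$/", ...)` test fails and the interface is reported as `"up"` with garbage counters. Guard the parse with `if (!isset($linkinfo[1])) { $ifinfo['status'] = "down"; return $ifinfo; }` before the `preg_split`. `$ifinfo['if']` comes from the configuration rather than the request in this file, but it is concatenated into several `exec()` command lines; `escapeshellarg()` on it costs nothing and removes the dependency on the config being well-formed. The function also has no header comment; a one-line `/* Collect link, address, media and PPP link state for $ifdescr ('wan', 'lan', 'optN') as an array of string fields. */` would do.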
@@ -0,0 +1,189 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +function get_wireless_info($ifdescr) { + + global $config, $g; + + $ifinfo = array(); + $ifinfo['if'] = $config['interfaces'][$ifdescr]['if']; + + /* get signal strength cache */ + exec("/usr/sbin/wicontrol -i " . $ifinfo['if'] . 
" -C", $sscache); + + $ifinfo['sscache'] = array(); + foreach ($sscache as $ss) { + if ($ss) { + $ssa = preg_split("/\s+/", $ss); + $sscent = array(); + $sscent['mac'] = chop($ssa[1], ","); + $sscent['ipaddr'] = chop($ssa[2], ","); + $sscent['sig'] = chop($ssa[4], ","); + $sscent['noise'] = chop($ssa[6], ","); + $sscent['qual'] = chop($ssa[8], ","); + $ifinfo['sscache'][] = $sscent; + } + } + + /* if in hostap mode: get associated stations */ + if ($config['interfaces'][$ifdescr]['wireless']['mode'] == "hostap") { + exec("/usr/sbin/wicontrol -i " . $ifinfo['if'] . " -l", $aslist); + + $ifinfo['aslist'] = array(); + array_shift($aslist); + foreach ($aslist as $as) { + if ($as) { + $asa = preg_split("/\s+/", $as); + $aslent = array(); + $aslent['mac'] = $asa[0]; + $aslent['rates'] = substr($asa[4], strpos($asa[4], "<")+1, + strpos($asa[4], ">")-strpos($asa[4], "<")-1); + $aslent['sig'] = substr($asa[5], strpos($asa[5], "=")+1); + $ifinfo['aslist'][] = $aslent; + } + } + } + + return $ifinfo; +} + +?> + + + +<?=gentitle("Status: Wireless");?> + + + + + + +

Status: Wireless

+ 0): ?> + + $ifname): + $ifinfo = get_wireless_info($ifdescr); + ?> + + + + + + + + + + + + + + + + + +
+ interface (SSID "")
Signal strength + cache + + + + + + + + + + + + + + + + + +
MAC addressIP addressSignalNoiseQuality
+ + + + + + + + + +
Associated stations + + + + + + + + + + + + + + +
MAC addressTX ratesSignal
+ + + + + +
+ +

No supported wireless interfaces were found for status display.

+ + + + diff --git a/usr/local/www/system.php b/usr/local/www/system.php new file mode 100755 index 0000000..90e9502 --- /dev/null +++ b/usr/local/www/system.php 
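Review bot: In `get_wireless_info`, the `aslist` parsing computes `substr($asa[4], strpos($asa[4], "<")+1, strpos($asa[4], ">")-strpos($asa[4], "<")-1)` without checking the `strpos()` results, so a line whose rates field lacks the `<...>` brackets does arithmetic on `false` and yields a silently wrong `rates` value; the same holds for the `"="` lookup that fills `sig`. Test for `false` first, e.g. `$lt = strpos($asa[4], "<"); $gt = strpos($asa[4], ">"); $aslent['rates'] = ($lt !== false && $gt !== false) ? substr($asa[4], $lt + 1, $gt - $lt - 1) : "";` — status_interfaces.php in this commit already uses the `!== false` form. The signal-cache loop likewise reads `$ssa[1]`..`$ssa[8]` straight from `preg_split` on every non-empty line, so if wicontrol prints a header line it becomes a bogus entry; a `count($ssa) < 9` skip would avoid that. The fixed field positions and the `mode == "hostap"` branch are tied to the wicontrol output format of this FreeBSD release, which is worth a comment above the function.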
@@ -0,0 +1,260 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$pconfig['hostname'] = $config['system']['hostname']; +$pconfig['domain'] = $config['system']['domain']; +list($pconfig['dns1'],$pconfig['dns2']) = $config['system']['dnsserver']; +$pconfig['dnsallowoverride'] = isset($config['system']['dnsallowoverride']); +$pconfig['username'] = $config['system']['username']; +if (!$pconfig['username']) + $pconfig['username'] = "admin"; +$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; +if (!$pconfig['webguiproto']) + $pconfig['webguiproto'] = "http"; +$pconfig['webguiport'] = $config['system']['webgui']['port']; +$pconfig['timezone'] = $config['system']['timezone']; +$pconfig['timeupdateinterval'] = $config['system']['time-update-interval']; +$pconfig['timeservers'] = $config['system']['timeservers']; + +if (!isset($pconfig['timeupdateinterval'])) + $pconfig['timeupdateinterval'] = 300; +if (!$pconfig['timezone']) + $pconfig['timezone'] = "Etc/UTC"; +if (!$pconfig['timeservers']) + $pconfig['timeservers'] = "pool.ntp.org"; + +function is_timezone($elt) { + return !preg_match("/\/$/", $elt); +} + +exec('/usr/bin/tar -tzf /usr/share/zoneinfo.tgz', $timezonelist); +$timezonelist = array_filter($timezonelist, 'is_timezone'); +sort($timezonelist); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = split(" ", "hostname domain username"); + $reqdfieldsn = split(",", "Hostname,Domain,Username"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['hostname'] && !is_hostname($_POST['hostname'])) { + $input_errors[] = "The hostname may only contain the characters a-z, 0-9 and '-'."; + } + if ($_POST['domain'] && !is_domain($_POST['domain'])) { + $input_errors[] = "The domain may only contain the characters a-z, 0-9, '-' and '.'."; + } + if (($_POST['dns1'] && !is_ipaddr($_POST['dns1'])) || ($_POST['dns2'] && !is_ipaddr($_POST['dns2']))) { + $input_errors[] = "A valid IP address must be 
specified for the primary/secondary DNS server."; + } + if ($_POST['username'] && !preg_match("/^[a-zA-Z0-9]*$/", $_POST['username'])) { + $input_errors[] = "The username may only contain the characters a-z, A-Z and 0-9."; + } + if ($_POST['webguiport'] && (!is_numericint($_POST['webguiport']) || + ($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) { + $input_errors[] = "A valid TCP/IP port must be specified for the webGUI port."; + } + if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) { + $input_errors[] = "The passwords do not match."; + } + + $t = (int)$_POST['timeupdateinterval']; + if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) { + $input_errors[] = "The time update interval must be either 0 (disabled) or between 6 and 1440."; + } + foreach (explode(' ', $_POST['timeservers']) as $ts) { + if (!is_domain($ts)) { + $input_errors[] = "A NTP Time Server name may only contain the characters a-z, 0-9, '-' and '.'."; + } + } + + if (!$input_errors) { + $config['system']['hostname'] = strtolower($_POST['hostname']); + $config['system']['domain'] = strtolower($_POST['domain']); + $oldwebguiproto = $config['system']['webgui']['protocol']; + $config['system']['username'] = $_POST['username']; + $config['system']['webgui']['protocol'] = $pconfig['webguiproto']; + $oldwebguiport = $config['system']['webgui']['port']; + $config['system']['webgui']['port'] = $pconfig['webguiport']; + $config['system']['timezone'] = $_POST['timezone']; + $config['system']['timeservers'] = strtolower($_POST['timeservers']); + $config['system']['time-update-interval'] = $_POST['timeupdateinterval']; + + unset($config['system']['dnsserver']); + if ($_POST['dns1']) + $config['system']['dnsserver'][] = $_POST['dns1']; + if ($_POST['dns2']) + $config['system']['dnsserver'][] = $_POST['dns2']; + + $config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? 
true : false; + + if ($_POST['password']) { + $config['system']['password'] = crypt($_POST['password']); + } + + write_config(); + + if (($oldwebguiproto != $config['system']['webgui']['protocol']) || + ($oldwebguiport != $config['system']['webgui']['port'])) + touch($d_sysrebootreqd_path); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = system_hostname_configure(); + $retval |= system_hosts_generate(); + $retval |= system_resolvconf_generate(); + $retval |= system_password_configure(); + $retval |= services_dnsmasq_configure(); + $retval |= system_timezone_configure(); + $retval |= system_ntp_configure(); + config_unlock(); + } + + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("System: General setup");?> + + + + + + +

System: General setup

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Hostname +
name of the firewall host, without + domain part
+ e.g. firewall
Domain +
e.g. mycorp.com
DNS servers

+ +
+ +
+ IP addresses; these are also used for + the DHCP service, DNS forwarder and for PPTP VPN clients
+
+ > + Allow DNS server list to be overridden by DHCP/PPP + on WAN
+ If this option is set, m0n0wall will use DNS servers assigned + by a DHCP/PPP server on WAN for its own purposes (including + the DNS forwarder). They will not be assigned to DHCP and + PPTP VPN clients, though.

Username +
+ If you want + to change the username for accessing the webGUI, enter it + here.
Password +
+  (confirmation)
If you want + to change the password for accessing the webGUI, enter it + here twice.
webGUI protocol > + HTTP     > + HTTPS
webGUI port +
+ Enter a custom port number for the webGUI + above if you want to override the default (80 for HTTP, 443 + for HTTPS).
Time zone
Select the location closest + to you
Time update interval +
Minutes between network time sync.; + 300 recommended, or 0 to disable
NTP time server +
Use a space to separate multiple + hosts (only one required). Remember to set up at least one + DNS server if you enter a host name here!
  +
+
+ + + diff --git a/usr/local/www/system_advanced.php b/usr/local/www/system_advanced.php new file mode 100755 index 0000000..dbc665a --- /dev/null +++ b/usr/local/www/system_advanced.php 
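Review bot: `$config['system']['password'] = crypt($_POST['password']);` calls `crypt()` with no salt, so the hash scheme is whatever the interpreter picks by default (historically two-character DES, which truncates the password to 8 characters), and later PHP versions require the salt parameter; generate the salt explicitly with a modern scheme, or use `password_hash($_POST['password'], PASSWORD_DEFAULT)` if only the webGUI verifies the value — `system_password_configure()` is not visible here, so check which hash format the system password database needs. The required-field lists use `split(" ", "hostname domain username")` while services_snmp.php and services_wol_edit.php use `explode()`; `split()` is the POSIX-regex function (removed in PHP 7), so `explode()` here too keeps the three pages consistent. The `timeservers` loop applies `is_domain()` to every `explode(' ', ...)` token, so a double space produces an empty token and a misleading "NTP Time Server name" error; drop empty tokens with `array_filter()` before validating.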
@@ -0,0 +1,289 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +$pconfig['filteringbridge_enable'] = isset($config['bridge']['filteringbridge']); +$pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']); +$pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr']; +$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']); +$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']); +$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); +$pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']); +$pconfig['expanddiags'] = isset($config['system']['webgui']['expanddiags']); +if ($g['platform'] == "generic-pc") + $pconfig['harddiskstandby'] = $config['system']['harddiskstandby']; +$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); +$pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['ipv6nat_enable'] && !is_ipaddr($_POST['ipv6nat_ipaddr'])) { + $input_errors[] = "You must specify an IP address to NAT IPv6 packets."; + } + if ($_POST['tcpidletimeout'] && !is_numericint($_POST['tcpidletimeout'])) { + $input_errors[] = "The TCP idle timeout must be an integer."; + } + if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert'])) { + $input_errors[] = "Certificate and key must always be specified together."; + } else if ($_POST['cert'] && $_POST['key']) { + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + } + + if (!$input_errors) { + $config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? 
true : false; + $config['diag']['ipv6nat']['enable'] = $_POST['ipv6nat_enable'] ? true : false; + $config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr']; + $oldcert = $config['system']['webgui']['certificate']; + $oldkey = $config['system']['webgui']['private-key']; + $config['system']['webgui']['certificate'] = base64_encode($_POST['cert']); + $config['system']['webgui']['private-key'] = base64_encode($_POST['key']); + $config['system']['disableconsolemenu'] = $_POST['disableconsolemenu'] ? true : false; + $config['system']['disablefirmwarecheck'] = $_POST['disablefirmwarecheck'] ? true : false; + $config['system']['webgui']['expanddiags'] = $_POST['expanddiags'] ? true : false; + if ($g['platform'] == "generic-pc") { + $oldharddiskstandby = $config['system']['harddiskstandby']; + $config['system']['harddiskstandby'] = $_POST['harddiskstandby']; + } + $config['system']['webgui']['noantilockout'] = $_POST['noantilockout'] ? true : false; + $config['filter']['tcpidletimeout'] = $_POST['tcpidletimeout']; + + write_config(); + + if (($config['system']['webgui']['certificate'] != $oldcert) + || ($config['system']['webgui']['private-key'] != $oldkey)) { + touch($d_sysrebootreqd_path); + } else if (($g['platform'] == "generic-pc") && ($config['system']['harddiskstandby'] != $oldharddiskstandby)) { + if (!$config['system']['harddiskstandby']) { + // Reboot needed to deactivate standby due to a stupid ATA-protocol + touch($d_sysrebootreqd_path); + unset($config['system']['harddiskstandby']); + } else { + // No need to set the standby-time if a reboot is needed anyway + system_set_harddisk_standby(); + } + } + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = filter_configure(); + $retval |= interfaces_optional_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +<?=gentitle("System: Advanced functions");?> + + + + + + + +

System: Advanced functions

+ + +

Note: the + options on this page are intended for use by advanced users only, + and there's NO support for them.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IPv6 tunneling
  + onclick="enable_change(false)"> + NAT encapsulated IPv6 packets (IP protocol 41/RFC2893) + to:

+  (IP address)
+ Don't forget to add a firewall rule to permit IPv6 packets!
  + +
Filtering bridge
  + > + Enable filtering bridge
+ This will cause bridged packets to pass through the packet + filter in the same way as routed packets do (by default bridged + packets are always passed). If you enable this option, you'll + have to add filter rules to selectively permit traffic from + bridged interfaces.
  + +
webGUI SSL certificate/key
Certificate + +
+ Paste a signed certificate in X.509 PEM format here.
Key + +
+ Paste an RSA private key in PEM format here.
  + +
Miscellaneous
Console menu + > + Disable console menu
+ Changes to this option will take effect after a reboot.
Firmware version check + > + Disable firmware version check
+ This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed.
TCP idle timeout + + seconds
+ Idle TCP connections will be removed from the state table after no packets have been received for the specified number of seconds. Don't set this too high or your state table could become full of connections that have been improperly shut down. The default is 2.5 hours.
Hard disk standby time + +
+ Puts the hard disk into standby mode when the selected amount of time after the last + access has elapsed. Do not set this for CF cards.
Navigation + > + Keep diagnostics in navigation expanded
webGUI anti-lockout + > + Disable webGUI anti-lockout rule
+ By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!).
+ Hint: + the "set LAN IP address" option in the console menu resets this setting as well.
  + +
+
+ + + + diff --git a/usr/local/www/system_firmware.php b/usr/local/www/system_firmware.php new file mode 100755 index 0000000..e008813 --- /dev/null +++ b/usr/local/www/system_firmware.php 
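Review bot: The certificate and key submitted on this page are accepted after only a substring check for the PEM BEGIN/END markers (the `strstr` tests in the validation block), so a truncated or mismatched pair is written to config and then sets the reboot-required flag, with a webGUI that may not come back over HTTPS. If the openssl extension is available, parsing them with `openssl_x509_read()` / `openssl_pkey_get_private()` and confirming `openssl_x509_check_private_key($cert, $key)` before `write_config()` would reject that case. Separately, the stored private key is base64-decoded into `$pconfig['key']` at the top of the file and, presumably, echoed back into the Key textarea on every page view (the form markup is not visible here); leaving that field blank unless the user pastes a new key would avoid resending the key to every browser session. The `tcpidletimeout` check accepts any integer, including 0 and negative values, so a lower bound would be cheap to add next to the `is_numericint()` test.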
@@ -0,0 +1,206 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$d_isfwfile = 1; require("guiconfig.inc"); + +/* checks with m0n0.ch to see if a newer firmware version is available; + returns any HTML message it gets from the server */ +function check_firmware_version() { + global $g; + $post = "platform=" . rawurlencode($g['platform']) . + "&version=" . rawurlencode(trim(file_get_contents("/etc/version"))); + + $rfd = @fsockopen("m0n0.ch", 80, $errno, $errstr, 3); + if ($rfd) { + $hdr = "POST /wall/checkversion.php HTTP/1.0\r\n"; + $hdr .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $hdr .= "User-Agent: m0n0wall-webGUI/1.0\r\n"; + $hdr .= "Host: m0n0.ch\r\n"; + $hdr .= "Content-Length: " . strlen($post) . 
"\r\n\r\n"; + + fwrite($rfd, $hdr); + fwrite($rfd, $post); + + $inhdr = true; + $resp = ""; + while (!feof($rfd)) { + $line = fgets($rfd); + if ($inhdr) { + if (trim($line) == "") + $inhdr = false; + } else { + $resp .= $line; + } + } + + fclose($rfd); + + return $resp; + } + + return null; +} + +if ($_POST && !file_exists($d_firmwarelock_path)) { + + unset($input_errors); + unset($sig_warning); + + if (stristr($_POST['Submit'], "Enable")) + $mode = "enable"; + else if (stristr($_POST['Submit'], "Disable")) + $mode = "disable"; + else if (stristr($_POST['Submit'], "Upgrade") || $_POST['sig_override']) + $mode = "upgrade"; + else if ($_POST['sig_no']) + unlink("{$g['ftmp_path']}/firmware.img"); + + if ($mode) { + if ($mode == "enable") { + exec_rc_script("/etc/rc.firmware enable"); + touch($d_fwupenabled_path); + } else if ($mode == "disable") { + exec_rc_script("/etc/rc.firmware disable"); + if (file_exists($d_fwupenabled_path)) + unlink($d_fwupenabled_path); + } else if ($mode == "upgrade") { + if (is_uploaded_file($_FILES['ulfile']['tmp_name'])) { + /* verify firmware image(s) */ + if (!stristr($_FILES['ulfile']['name'], $g['platform']) && !$_POST['sig_override']) + $input_errors[] = "The uploaded image file is not for this platfom ({$g['platform']})."; + else if (!file_exists($_FILES['ulfile']['tmp_name'])) { + /* probably out of memory for the MFS */ + $input_errors[] = "Image upload failed (out of memory?)"; + exec_rc_script("/etc/rc.firmware disable"); + if (file_exists($d_fwupenabled_path)) + unlink($d_fwupenabled_path); + } else { + /* move the image so PHP won't delete it */ + rename($_FILES['ulfile']['tmp_name'], "{$g['ftmp_path']}/firmware.img"); + + /* check digital signature */ + $sigchk = verify_digital_signature("{$g['ftmp_path']}/firmware.img"); + + if ($sigchk == 1) + $sig_warning = "The digital signature on this image is invalid."; + else if ($sigchk == 2) + $sig_warning = "This image is not digitally signed."; + else if (($sigchk == 3) || 
($sigchk == 4)) + $sig_warning = "There has been an error verifying the signature on this image."; + + if (!verify_gzip_file("{$g['ftmp_path']}/firmware.img")) { + $input_errors[] = "The image file is corrupt."; + unlink("{$g['ftmp_path']}/firmware.img"); + } + } + } + + if (!$input_errors && !file_exists($d_firmwarelock_path) && (!$sig_warning || $_POST['sig_override'])) { + /* fire up the update script in the background */ + touch($d_firmwarelock_path); + exec_rc_script_async("/etc/rc.firmware upgrade {$g['ftmp_path']}/firmware.img"); + + $savemsg = "The firmware is now being installed. The firewall will reboot automatically."; + } + } + } +} else { + if (!isset($config['system']['disablefirmwarecheck'])) + $fwinfo = check_firmware_version(); +} +?> + + + +<?=gentitle("System: Firmware");?> + + + + + + +

System: Firmware

+ + + + +

Firmware uploading is not supported on this platform.

+ +
+" . $sig_warning . "
This means that the image you uploaded " . + "is not an official/supported image and may lead to unexpected behavior or security " . + "compromises. Only install images that come from sources that you trust, and make sure ". + "that the image has not been tampered with.

". + "Do you want to install this image anyway (on your own risk)?"; +print_info_box($sig_warning); +?> + + +
+ + +

Click "Enable firmware + upload" below, then choose the image file (-*.img) + to be uploaded.
Click "Upgrade firmware" + to start the upgrade process.

+
+ + + + + + + + + +
  + + + + + +

+ Firmware image file:   +

+ + + You must reboot the system before you can upgrade the firmware. + +
 Warning:
+
DO NOT abort the firmware upgrade once it + has started. The firewall will reboot automatically after + storing the new firmware. The configuration will be maintained.
+
+ + + + diff --git a/usr/local/www/system_routes.php b/usr/local/www/system_routes.php new file mode 100755 index 0000000..c4abdff --- /dev/null +++ b/usr/local/www/system_routes.php 
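Review bot: `check_firmware_version()` fetches the version notice over plain HTTP from m0n0.ch and, per its own comment, returns whatever HTML the server sends; that reply is stored in `$fwinfo` and presumably rendered into the admin page unescaped (the output half of the file is outside this hunk), so anything on the network path to that host can inject markup into an authenticated firewall admin session. Treating the reply as text (`htmlspecialchars($fwinfo)`) or limiting it to a fixed set of expected fields would close that. In the upgrade branch, `$sigchk` values 3 and 4 ("error verifying the signature") are folded into the same overridable `$sig_warning` as an unsigned image; a verification error is an unknown state rather than a known-unsigned one and is better reported as an `$input_errors[]` entry with the image unlinked, as the corrupt-gzip case already does. `$mode` is also never initialised before the `if/else if` chain, so the `sig_no` path and the no-match path evaluate `if ($mode)` on an unset variable.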
@@ -0,0 +1,126 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['staticroutes']['route'])) + $config['staticroutes']['route'] = array(); + +staticroutes_sort(); +$a_routes = &$config['staticroutes']['route']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + $retval = system_routing_configure(); + $retval |= filter_configure(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_staticroutesdirty_path)) { + config_lock(); + unlink($d_staticroutesdirty_path); + config_unlock(); + } + } + } +} + +if ($_GET['act'] == "del") { + if ($a_routes[$_GET['id']]) { + unset($a_routes[$_GET['id']]); + write_config(); + touch($d_staticroutesdirty_path); + header("Location: system_routes.php"); + exit; + } +} +?> + + + +<?=gentitle("System: Static routes");?> + + + + + + +

System: Static routes

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + + + + + +
InterfaceNetworkGatewayDescription
+ 'LAN', 'wan' => 'WAN', 'pptp' => 'PPTP'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + echo htmlspecialchars($iflabels[$route['interface']]); ?> + + + + + +   + +  
+
+ + + diff --git a/usr/local/www/system_routes_edit.php b/usr/local/www/system_routes_edit.php new file mode 100755 index 0000000..826a5f1 --- /dev/null +++ b/usr/local/www/system_routes_edit.php 
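Review bot: Deleting a route is done from a plain GET (`if ($_GET['act'] == "del")`) with `$_GET['id']` used directly as an index into the config array, so a forged cross-site request can remove a route and trigger `write_config()` in an admin's session; the same pattern appears in the vpn_ipsec.php hunk below. Changing the delete to a POST carrying a per-session token, and accepting only integer ids (`if ($_GET['act'] == "del" && is_numericint($_GET['id']) && isset($a_routes[$_GET['id']]))`), would address both. The apply branch also calls `system_routing_configure()` and `filter_configure()` without the `config_lock()`/`config_unlock()` pair that wraps the equivalent work on the other pages in this commit, while the lock here only guards the `unlink()` of the dirty marker.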
@@ -0,0 +1,176 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['staticroutes']['route'])) + $config['staticroutes']['route'] = array(); + +staticroutes_sort(); +$a_routes = &$config['staticroutes']['route']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_routes[$id]) { + $pconfig['interface'] = $a_routes[$id]['interface']; + list($pconfig['network'],$pconfig['network_subnet']) = + explode('/', $a_routes[$id]['network']); + $pconfig['gateway'] = $a_routes[$id]['gateway']; + $pconfig['descr'] = $a_routes[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "interface network network_subnet gateway"); + $reqdfieldsn = explode(",", "Interface,Destination network,Destination network bit count,Gateway"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['network'] && !is_ipaddr($_POST['network']))) { + $input_errors[] = "A valid destination network must be specified."; + } + if (($_POST['network_subnet'] && !is_numeric($_POST['network_subnet']))) { + $input_errors[] = "A valid destination network bit count must be specified."; + } + if (($_POST['gateway'] && !is_ipaddr($_POST['gateway']))) { + $input_errors[] = "A valid gateway IP address must be specified."; + } + + /* check for overlaps */ + $osn = gen_subnet($_POST['network'], $_POST['network_subnet']) . "/" . 
$_POST['network_subnet']; + foreach ($a_routes as $route) { + if (isset($id) && ($a_routes[$id]) && ($a_routes[$id] === $route)) + continue; + + if ($route['network'] == $osn) { + $input_errors[] = "A route to this destination network already exists."; + break; + } + } + + if (!$input_errors) { + $route = array(); + $route['interface'] = $_POST['interface']; + $route['network'] = $osn; + $route['gateway'] = $_POST['gateway']; + $route['descr'] = $_POST['descr']; + + if (isset($id) && $a_routes[$id]) + $a_routes[$id] = $route; + else + $a_routes[] = $route; + + touch($d_staticroutesdirty_path); + + write_config(); + + header("Location: system_routes.php"); + exit; + } +} +?> + + + +<?=gentitle("System: Static routes: Edit route");?> + + + + + + +

System: Static routes: Edit route

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this route applies to.
Destination network + + / + +
Destination network for this static route
Gateway + +
Gateway to be used to reach the destination network
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php new file mode 100755 index 0000000..cea915a --- /dev/null +++ b/usr/local/www/vpn_ipsec.php 
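Review bot: `network_subnet` is validated only with `is_numeric()`, which accepts values such as `1.5`, `-1` or `40`; those are then passed to `gen_subnet()` and stored as the route's `/bits` suffix. Using the `is_numericint()` helper this commit uses elsewhere and bounding the value would close that: `if ($_POST['network_subnet'] && (!is_numericint($_POST['network_subnet']) || $_POST['network_subnet'] < 1 || $_POST['network_subnet'] > 32))`. The `do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors)` call passes by reference at the call site, which newer PHP releases reject; declaring the reference in the function's parameter list instead keeps the behaviour. `$id` also comes straight from `$_GET`/`$_POST` and is used as an array index before any type check.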
@@ -0,0 +1,192 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['tunnel'])) { + $config['ipsec']['tunnel'] = array(); +} +$a_ipsec = &$config['ipsec']['tunnel']; +$wancfg = &$config['interfaces']['wan']; + +$pconfig['enable'] = isset($config['ipsec']['enable']); + +if ($_POST) { + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) + $retval = vpn_ipsec_configure(); + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_ipsecconfdirty_path)) + unlink($d_ipsecconfdirty_path); + } + } else if ($_POST['submit']) { + $pconfig = $_POST; + + $config['ipsec']['enable'] = $_POST['enable'] ? 
true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = vpn_ipsec_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_ipsecconfdirty_path)) + unlink($d_ipsecconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_ipsec[$_GET['id']]) { + unset($a_ipsec[$_GET['id']]); + write_config(); + touch($d_ipsecconfdirty_path); + header("Location: vpn_ipsec.php"); + exit; + } +} +?> + + + +<?=gentitle("VPN: IPsec");?> + + + + + + +

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+ +
+ + + + + + + +

+ > + Enable IPsec
+

+
+  
+ + + + + + + + + + + "; + $spane = ""; + } else { + $spans = $spane = ""; + } + ?> + + + + + + + + + + + + + + +
Local net
+ Remote net
Interface
Remote gw
P1 modeP1 Enc. AlgoP1 Hash AlgoDescription
+ +
+ +
+ 'LAN', 'wan' => 'WAN'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + $if = htmlspecialchars($iflabels[$ipsecent['interface']]); + } else + $if = "WAN"; + + echo $if . "
" . $ipsecent['remote-gateway']; + ?> +
+ + + + + + +   + +  
+
+
+ + + diff --git a/usr/local/www/vpn_ipsec_edit.php b/usr/local/www/vpn_ipsec_edit.php new file mode 100755 index 0000000..f0fafde --- /dev/null +++ b/usr/local/www/vpn_ipsec_edit.php 
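Review bot: The `apply` branch calls `vpn_ipsec_configure()` without the `config_lock()`/`config_unlock()` pair that the `submit` branch a few lines below wraps around the same call, so two concurrent saves can interleave while IPsec is being reconfigured; wrapping it the same way keeps the two paths consistent. The delete-by-GET issue noted on the system_routes.php hunk applies to `if ($_GET['act'] == "del")` here as well. The interface label lookup in the table, `$iflabels[$ipsecent['interface']]`, reads an undefined index if the stored interface name no longer exists (for example after an OPT interface is removed); guarding it with `isset()` and falling back to the raw name would avoid the notice and the empty cell.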
@@ -0,0 +1,527 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['tunnel'])) { + $config['ipsec']['tunnel'] = array(); +} +$a_ipsec = &$config['ipsec']['tunnel']; + +$specialsrcdst = explode(" ", "lan"); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +function is_specialnet($net) { + global $specialsrcdst; + + if (in_array($net, $specialsrcdst)) + return true; + else + return false; +} + +function address_to_pconfig($adr, &$padr, &$pmask) { + + if ($adr['network']) + $padr = $adr['network']; + else if ($adr['address']) { + list($padr, $pmask) = explode("/", $adr['address']); + if (is_null($pmask)) + $pmask = 32; + } +} + +function pconfig_to_address(&$adr, $padr, $pmask) { + + $adr = array(); + + if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } +} + +if (isset($id) && $a_ipsec[$id]) { + $pconfig['disabled'] = isset($a_ipsec[$id]['disabled']); + $pconfig['auto'] = isset($a_ipsec[$id]['auto']); + + if (!isset($a_ipsec[$id]['local-subnet'])) + $pconfig['localnet'] = "lan"; + else + address_to_pconfig($a_ipsec[$id]['local-subnet'], $pconfig['localnet'], $pconfig['localnetmask']); + + if ($a_ipsec[$id]['interface']) + $pconfig['interface'] = $a_ipsec[$id]['interface']; + else + $pconfig['interface'] = "wan"; + + list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_ipsec[$id]['remote-subnet']); + $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway']; + $pconfig['p1mode'] = $a_ipsec[$id]['p1']['mode']; + + if (isset($a_ipsec[$id]['p1']['myident']['myaddress'])) + $pconfig['p1myidentt'] = 'myaddress'; + else if (isset($a_ipsec[$id]['p1']['myident']['address'])) { + $pconfig['p1myidentt'] = 'address'; + $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['address']; + } else if (isset($a_ipsec[$id]['p1']['myident']['fqdn'])) { + $pconfig['p1myidentt'] = 'fqdn'; + $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['fqdn']; + } 
else if (isset($a_ipsec[$id]['p1']['myident']['ufqdn'])) { + $pconfig['p1myidentt'] = 'user_fqdn'; + $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['ufqdn']; + } + + $pconfig['p1ealgo'] = $a_ipsec[$id]['p1']['encryption-algorithm']; + $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm']; + $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup']; + $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime']; + $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key']; + $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol']; + $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option']; + $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option']; + $pconfig['p2pfsgroup'] = $a_ipsec[$id]['p2']['pfsgroup']; + $pconfig['p2lifetime'] = $a_ipsec[$id]['p2']['lifetime']; + $pconfig['descr'] = $a_ipsec[$id]['descr']; + +} else { + /* defaults */ + $pconfig['interface'] = "wan"; + $pconfig['localnet'] = "lan"; + $pconfig['p1mode'] = "aggressive"; + $pconfig['p1myidentt'] = "myaddress"; + $pconfig['p1ealgo'] = "3des"; + $pconfig['p1halgo'] = "sha1"; + $pconfig['p1dhgroup'] = "2"; + $pconfig['p2proto'] = "esp"; + $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); + $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); + $pconfig['p2pfsgroup'] = "0"; +} + +if ($_POST) { + if (is_specialnet($_POST['localnettype'])) { + $_POST['localnet'] = $_POST['localnettype']; + $_POST['localnetmask'] = 0; + } else if ($_POST['localnettype'] == "single") { + $_POST['localnetmask'] = 32; + } + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if 
(!is_specialnet($_POST['localnettype'])) { + if (($_POST['localnet'] && !is_ipaddr($_POST['localnet']))) { + $input_errors[] = "A valid local network IP address must be specified."; + } + if (($_POST['localnetmask'] && !is_numeric($_POST['localnetmask']))) { + $input_errors[] = "A valid local network bit count must be specified."; + } + } + if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { + $input_errors[] = "The P1 lifetime must be an integer."; + } + if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { + $input_errors[] = "The P2 lifetime must be an integer."; + } + if ($_POST['remotebits'] && (!is_numeric($_POST['remotebits']) || ($_POST['remotebits'] <= 0) || ($_POST['remotebits'] > 32))) { + $input_errors[] = "The remote network bits are invalid."; + } + if (($_POST['remotenet'] && !is_ipaddr($_POST['remotenet']))) { + $input_errors[] = "A valid remote network address must be specified."; + } + if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']))) { + $input_errors[] = "A valid remote gateway address must be specified."; + } + if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + } + if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + } + if ($_POST['p1myidentt'] == "user_fqdn") { + $ufqdn = explode("@",$_POST['p1myident']); + if (!is_domain($ufqdn[1])) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + } + + if ($_POST['p1myidentt'] == "myaddress") + $_POST['p1myident'] = ""; + + if (!$input_errors) { + $ipsecent['disabled'] = $_POST['disabled'] ? true : false; + $ipsecent['auto'] = $_POST['auto'] ? 
true : false; + $ipsecent['interface'] = $pconfig['interface']; + pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']); + $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . $_POST['remotebits']; + $ipsecent['remote-gateway'] = $_POST['remotegw']; + $ipsecent['p1']['mode'] = $_POST['p1mode']; + + $ipsecent['p1']['myident'] = array(); + switch ($_POST['p1myidentt']) { + case 'myaddress': + $ipsecent['p1']['myident']['myaddress'] = true; + break; + case 'address': + $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; + break; + case 'fqdn': + $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; + break; + case 'user_fqdn': + $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; + break; + } + + $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; + $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; + $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; + $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; + $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey']; + $ipsecent['p2']['protocol'] = $_POST['p2proto']; + $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; + $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; + $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; + $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; + $ipsecent['descr'] = $_POST['descr']; + + if (isset($id) && $a_ipsec[$id]) + $a_ipsec[$id] = $ipsecent; + else + $a_ipsec[] = $ipsecent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec.php"); + exit; + } +} +?> + + + +<?=gentitle("VPN: IPsec: Edit tunnel");?> + + + + + + + +

VPN: IPsec: Edit tunnel

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Mode Tunnel
Disabled + > + Disable this tunnel
+ Set this option to disable this tunnel without + removing it from the list.
Auto-establish + > + Automatically establish this tunnel
+ Set this option to automatically re-establish this tunnel after reboots/reconfigures. If this is not set, the tunnel is established on demand.
Interface
+ Select the interface for the local endpoint of this tunnel.
Local subnet + + + + + + + + + +
Type:  
Address:   + / +
Remote subnet + + / +
Remote gateway + +
+ Enter the public IP address of the remote gateway
Description + +
You may enter a description here + for your reference (not parsed).
Phase 1 proposal + (Authentication)
Negotiation mode +
Aggressive is faster, but + less secure.
My identifier + +
Encryption algorithm +
Must match the setting + chosen on the remote side.
Hash algorithm +
Must match the setting + chosen on the remote side.
DH key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
+ Must match the setting chosen on the remote side.
Lifetime + + seconds
Pre-Shared Key + +
Phase 2 proposal + (SA/Key Exchange)
Protocol +
ESP is encryption, AH is + authentication only
Encryption algorithms + $algoname): ?> + > + +
+ +
+ Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption.
Hash algorithms + $algoname): ?> + > + +
+ +
PFS key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
Lifetime + + seconds
  + + + + +
+
+ + + + diff --git a/usr/local/www/vpn_ipsec_keys.php b/usr/local/www/vpn_ipsec_keys.php new file mode 100755 index 0000000..f0a9330 --- /dev/null +++ b/usr/local/www/vpn_ipsec_keys.php @@ -0,0 +1,107 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobilekey'])) { + $config['ipsec']['mobilekey'] = array(); +} +ipsec_mobilekey_sort(); +$a_secret = &$config['ipsec']['mobilekey']; + +if ($_GET['act'] == "del") { + if ($a_secret[$_GET['id']]) { + unset($a_secret[$_GET['id']]); + write_config(); + touch($d_ipsecconfdirty_path); + header("Location: vpn_ipsec_keys.php"); + exit; + } +} + +?> + + + +<?=gentitle("VPN: IPsec");?> + + + + + + +
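Review bot: The enumerated form values — `p1mode`, `p1ealgo`, `p1halgo`, `p1dhgroup`, `p2proto`, `p2pfsgroup` and the `p2ealgos`/`p2halgos` arrays — are copied from `$_POST` into `$ipsecent` without being checked against the options the page offers, so whatever a client submits is persisted by `write_config()` and presumably reaches the daemon configuration via `vpn_ipsec_configure()` (not visible here). Validate each against the option map the form renders its selects and checkboxes from, e.g. `if (!in_array($_POST['p1ealgo'], array_keys(<P1_ALGO_MAP_PLACEHOLDER>), true)) $input_errors[] = "Invalid encryption algorithm.";`, and for the array fields check every element. The same copy-through exists in vpn_ipsec_mobile.php in this commit. `localnetmask` is only tested with `is_numeric()` while `remotebits` gets a 0–32 range check; mirror it: `if ($_POST['localnetmask'] && (!is_numeric($_POST['localnetmask']) || ($_POST['localnetmask'] < 0) || ($_POST['localnetmask'] > 32)))`. In the `user_fqdn` branch `$ufqdn[1]` is read without confirming `explode()` produced two parts, so `user@` and a bare domain are not rejected by the user-part check: `if (count($ufqdn) != 2 || $ufqdn[0] == "" || !is_domain($ufqdn[1]))`.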

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + +
+ +
+ + + + + + + + + + + + + + + + + +
IdentifierPre-shared key
+ + + + +  
+
+
+ + + diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php new file mode 100755 index 0000000..8fe589e --- /dev/null +++ b/usr/local/www/vpn_ipsec_keys_edit.php 
@@ -0,0 +1,135 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobilekey'])) { + $config['ipsec']['mobilekey'] = array(); +} +ipsec_mobilekey_sort(); +$a_secret = &$config['ipsec']['mobilekey']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_secret[$id]) { + $pconfig['ident'] = $a_secret[$id]['ident']; + $pconfig['psk'] = $a_secret[$id]['pre-shared-key']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ident psk"); + $reqdfieldsn = explode(",", "Identifier,Pre-shared key"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) + $input_errors[] = "The identifier contains invalid characters."; + + if (!$input_errors && !(isset($id) && $a_secret[$id])) { + /* make sure there are no dupes */ + foreach ($a_secret as $secretent) { + if ($secretent['ident'] == $_POST['ident']) { + $input_errors[] = "Another entry with the same identifier already exists."; + break; + } + } + } + + if (!$input_errors) { + + if (isset($id) && $a_secret[$id]) + $secretent = $a_secret[$id]; + + $secretent['ident'] = $_POST['ident']; + $secretent['pre-shared-key'] = $_POST['psk']; + + if (isset($id) && $a_secret[$id]) + $a_secret[$id] = $secretent; + else + $a_secret[] = $secretent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec_keys.php"); + exit; + } +} +?> + + + +<?=gentitle("VPN: IPsec: Edit pre-shared key");?> + + + + + + +

VPN: IPsec: Edit pre-shared key

+ +
+ + + + + + + + + + + + + +
Identifier + +
+This can be either an IP address, fully qualified domain name or an e-mail address. +
Pre-shared key + +
  + + + + +
+
+ + + diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php new file mode 100755 index 0000000..3031a45 --- /dev/null +++ b/usr/local/www/vpn_ipsec_mobile.php 
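Review bot: The duplicate-identifier check is skipped entirely when an existing entry is edited (`!(isset($id) && $a_secret[$id])` guards the loop), so renaming entry A to entry B's identifier produces two mobile keys with the same `ident`. Run the loop on both paths and only skip the entry being edited: `foreach ($a_secret as $k => $secretent) {` / `if ((!isset($id) || $k != $id) && ($secretent['ident'] == $_POST['ident'])) {`, dropping the extra condition from the outer `if`. On the add path `$secretent` is also left holding the last element iterated by that loop before the new fields are assigned; both keys are overwritten today, but `$secretent = array();` before the assignments makes the new entry independent of whatever the loop last touched.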
@@ -0,0 +1,330 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobileclients'])) { + $config['ipsec']['mobileclients'] = array(); +} +$a_ipsec = &$config['ipsec']['mobileclients']; + +if (count($a_ipsec) == 0) { + /* defaults */ + $pconfig['p1mode'] = "aggressive"; + $pconfig['p1myidentt'] = "myaddress"; + $pconfig['p1ealgo'] = "3des"; + $pconfig['p1halgo'] = "sha1"; + $pconfig['p1dhgroup'] = "2"; + $pconfig['p2proto'] = "esp"; + $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); + $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); + $pconfig['p2pfsgroup'] = "0"; +} else { + $pconfig['enable'] = isset($a_ipsec['enable']); + $pconfig['p1mode'] = $a_ipsec['p1']['mode']; + + if (isset($a_ipsec['p1']['myident']['myaddress'])) + $pconfig['p1myidentt'] = 'myaddress'; + else if (isset($a_ipsec['p1']['myident']['address'])) { + $pconfig['p1myidentt'] = 'address'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['address']; + } else if (isset($a_ipsec['p1']['myident']['fqdn'])) { + $pconfig['p1myidentt'] = 'fqdn'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['fqdn']; + } else if (isset($a_ipsec['p1']['myident']['ufqdn'])) { + $pconfig['p1myidentt'] = 'user_fqdn'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['ufqdn']; + } + + $pconfig['p1ealgo'] = $a_ipsec['p1']['encryption-algorithm']; + $pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm']; + $pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup']; + $pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime']; + $pconfig['p2proto'] = $a_ipsec['p2']['protocol']; + $pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option']; + $pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option']; + $pconfig['p2pfsgroup'] = $a_ipsec['p2']['pfsgroup']; + $pconfig['p2lifetime'] = $a_ipsec['p2']['lifetime']; +} + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "P2 
Encryption Algorithms,P2 Hash Algorithms"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { + $input_errors[] = "The P1 lifetime must be an integer."; + } + if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { + $input_errors[] = "The P2 lifetime must be an integer."; + } + if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + } + if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + } + if ($_POST['p1myidentt'] == "user_fqdn") { + $ufqdn = explode("@",$_POST['p1myident']); + if (!is_domain($ufqdn[1])) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + } + + if ($_POST['p1myidentt'] == "myaddress") + $_POST['p1myident'] = ""; + + if (!$input_errors) { + $ipsecent = array(); + $ipsecent['enable'] = $_POST['enable'] ? 
true : false; + $ipsecent['p1']['mode'] = $_POST['p1mode']; + + $ipsecent['p1']['myident'] = array(); + switch ($_POST['p1myidentt']) { + case 'myaddress': + $ipsecent['p1']['myident']['myaddress'] = true; + break; + case 'address': + $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; + break; + case 'fqdn': + $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; + break; + case 'user_fqdn': + $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; + break; + } + + $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; + $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; + $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; + $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; + $ipsecent['p2']['protocol'] = $_POST['p2proto']; + $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; + $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; + $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; + $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; + + $a_ipsec = $ipsecent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec_mobile.php"); + exit; + } +} +?> + + + +<?=gentitle("VPN: IPsec");?> + + + + + + +

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ +
+
+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + > + Allow mobile clients
Phase 1 proposal + (Authentication)
Negotiation mode +
Aggressive is faster, but + less secure.
My identifier + +
Encryption algorithm +
Must match the setting + chosen on the remote side.
Hash algorithm +
Must match the setting + chosen on the remote side.
DH key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
+ Must match the setting chosen on the remote side.
Lifetime + + seconds
Phase 2 proposal + (SA/Key Exchange)
Protocol +
ESP is encryption, AH is + authentication only
Encryption algorithms + $algoname): ?> + > + +
+ +
+ Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption.
Hash algorithms + $algoname): ?> + > + +
+ +
PFS key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
Lifetime + + seconds
  + +
+
+
+ + + diff --git a/usr/local/www/vpn_openvpn.php b/usr/local/www/vpn_openvpn.php new file mode 100755 index 0000000..6fd3e1e --- /dev/null +++ b/usr/local/www/vpn_openvpn.php @@ -0,0 +1,366 @@ +#!/usr/local/bin/php + + + + +<?=gentitle("VPN: OpenVPN");?> + + + + + + +
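Review bot: `$a_ipsec = $ipsecent;` near the end of the save path reads like a plain local assignment, but it only persists because `$a_ipsec` was bound with `$a_ipsec = &$config['ipsec']['mobileclients'];` at the top of the file, so the whole mobileclients block is replaced through the reference before `write_config()`. A one-line comment at the assignment would save the next reader a trip back up: `/* $a_ipsec is a reference into $config; this replaces the stored mobileclients block wholesale */`. The `count($a_ipsec) == 0` test that selects the defaults depends on the same binding and deserves the same remark.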

VPN: OpenVPN

+ + + +
+ + + + + +
+ +
+ WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + > + Enable OpenVPN server
Tunnel type + > + TUN  + > + TAP +
OpenVPN protocol/port + > + UDP  + > + TCP

+ Port: +
+ Enter the port number to use for the server (default is 5000).
Interface binding + +
+ Choose an interface for the OpenVPN server to listen on.
IP address block + + / + +
+ Enter the IP address block for the OpenVPN server and clients to use.
+
+ Maximum number of simultaneous clients: + +
CA certificate + +
+ Paste a CA certificate in X.509 PEM format here.
Server certificate + +
+ Paste a server certificate in X.509 PEM format here.
Server key + +
Paste the server RSA private key here.
DH parameters + +
+ Paste the Diffie-Hellman parameters in PEM format here.
Crypto + +
+ Select a data channel encryption cipher.
Internal routing mode + > + Enable client-to-client routing
+ If this option is on, clients are allowed to talk to each other.
Client authentication + > + Permit duplicate client certificates
+ If this option is on, clients with duplicate certificates will not be disconnected.
Client-push options + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
> + Redirect-gateway > + Local
> Route-delay  seconds
> + Inactive  + seconds
> Ping Interval: seconds
> Ping-exit Interval: seconds
> Ping-restart Interval: seconds
  + +
 Note:
+
Changing any settings on this page will disconnect all clients!
+
+
+ + + diff --git a/usr/local/www/vpn_openvpn_cli.php b/usr/local/www/vpn_openvpn_cli.php new file mode 100755 index 0000000..3bd3d93 --- /dev/null +++ b/usr/local/www/vpn_openvpn_cli.php @@ -0,0 +1,148 @@ +#!/usr/local/bin/php + + + + +<?=gentitle("VPN: OpenVPN");?> + + + + + + +

VPN: OpenVPN

+ + +
+

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + +
+ +
+ WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.

+
+ + + + + + + + + + "; + $spane = ""; + } else { + $spans = $spane = ""; + } + ?> + + + + + + + + + + + + + +
InterfaceServer addressVersionDescription
+ + + + + + + + +  
 
+
+
+ + + diff --git a/usr/local/www/vpn_openvpn_cli_edit.php b/usr/local/www/vpn_openvpn_cli_edit.php new file mode 100755 index 0000000..4c27709 --- /dev/null +++ b/usr/local/www/vpn_openvpn_cli_edit.php @@ -0,0 +1,353 @@ +#!/usr/local/bin/php + + + + +<?=gentitle("VPN: OpenVPN: Edit client");?> + + + + + + +

VPN: OpenVPN: Edit client

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Disabled + > + Disable this client
+ Set this option to disable this client without removing it from the list. +
Server information
Tunnel type + > TUN  +> TAP
Tunnel protocol +> UDP  +> TCP
+ Important: These settings must match the server's configuration.
Port +
+ Enter the server's port number (default is 5000).
Address + +
+ Enter the server's IP address or FQDN.
Version + > 2.0  + > 1.x +
+ Specify which version of the OpenVPN protocol the server runs.
Description + +
You may enter a description here for your reference (not parsed).
Client configuration
Interface + Auto +
Port + Auto +
CA certificate + +
+ Paste a CA certificate in X.509 PEM format here.
Client certificate + +
+ Paste a client certificate in X.509 PEM format here.
Client key + +
Paste the client RSA private key here.
Crypto + +
+ Select the data channel encryption cipher. This must match the setting on the server. +
Options + > + Client-pull
  + + + + +
+
+ + + + diff --git a/usr/local/www/vpn_pptp.php b/usr/local/www/vpn_pptp.php new file mode 100755 index 0000000..b796639 --- /dev/null +++ b/usr/local/www/vpn_pptp.php 
@@ -0,0 +1,309 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['pptpd']['radius'])) { + $config['pptpd']['radius'] = array(); +} +$pptpcfg = &$config['pptpd']; + +$pconfig['remoteip'] = $pptpcfg['remoteip']; +$pconfig['localip'] = $pptpcfg['localip']; +$pconfig['redir'] = $pptpcfg['redir']; +$pconfig['mode'] = $pptpcfg['mode']; +$pconfig['req128'] = isset($pptpcfg['req128']); +$pconfig['radiusenable'] = isset($pptpcfg['radius']['enable']); +$pconfig['radacct_enable'] = isset($pptpcfg['radius']['accounting']); +$pconfig['radiusserver'] = $pptpcfg['radius']['server']; +$pconfig['radiussecret'] = $pptpcfg['radius']['secret']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['mode'] == "server") { + $reqdfields = explode(" ", "localip remoteip"); + $reqdfieldsn = explode(",", "Server address,Remote start address"); + + if ($_POST['radiusenable']) { + $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret")); + $reqdfieldsn = array_merge($reqdfieldsn, + explode(",", "RADIUS server address,RADIUS shared secret")); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) { + $input_errors[] = "A valid server address must be specified."; + } + if (($_POST['subnet'] && !is_ipaddr($_POST['remoteip']))) { + $input_errors[] = "A valid remote start address must be specified."; + } + if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) { + $input_errors[] = "A valid RADIUS server address must be specified."; + } + + if (!$input_errors) { + $_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']); + $subnet_start = ip2long($_POST['remoteip']); + $subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1; + + if ((ip2long($_POST['localip']) >= $subnet_start) && + (ip2long($_POST['localip']) <= $subnet_end)) { + $input_errors[] = "The specified server address lies in 
the remote subnet."; + } + if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) { + $input_errors[] = "The specified server address is equal to the LAN interface address."; + } + } + } else if ($_POST['mode'] == "redir") { + $reqdfields = explode(" ", "redir"); + $reqdfieldsn = explode(",", "PPTP redirection target address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) { + $input_errors[] = "A valid target address must be specified."; + } + } + + if (!$input_errors) { + $pptpcfg['remoteip'] = $_POST['remoteip']; + $pptpcfg['redir'] = $_POST['redir']; + $pptpcfg['localip'] = $_POST['localip']; + $pptpcfg['mode'] = $_POST['mode']; + $pptpcfg['req128'] = $_POST['req128'] ? true : false; + $pptpcfg['radius']['enable'] = $_POST['radiusenable'] ? true : false; + $pptpcfg['radius']['accounting'] = $_POST['radacct_enable'] ? true : false; + $pptpcfg['radius']['server'] = $_POST['radiusserver']; + $pptpcfg['radius']['secret'] = $_POST['radiussecret']; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = vpn_pptpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + +<?=gentitle("VPN: PPTP");?> + + + + + + + +

VPN: PPTP

+
+ + + + + + + +
+
    +
  • Configuration
  • +
  • Users
  • +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + > + Off
  +> + Redirect incoming PPTP connections to:
PPTP redirection + +
+ Enter the IP address of a host which will accept incoming + PPTP connections.
  +> + Enable PPTP server
Max. concurrent + connections + +
Server address + +
+ Enter the IP address the PPTP server should use on its side + for all clients.
Remote address + range + + / + +
+ Specify the starting address for the client IP address subnet.
+ The PPTP server will assign + + addresses, starting at the address entered above, to clients.
RADIUS +

+ > + Use a RADIUS server for authentication
+
When set, all users will be authenticated using + the RADIUS server specified below. The local user database + will not be used.
+
+ > + Enable RADIUS accounting
+
Sends accounting packets to the RADIUS server.

RADIUS server +

+ +
+ Enter the IP address of the RADIUS server.

RADIUS shared secret +

+ +
+ Enter the shared secret that will be used to authenticate + to the RADIUS server.

  + > + Require 128-bit encryption
+ When set, 128-bit encryption will be accepted. Otherwise, + 40-bit and 56-bit encryption will be accepted, too. Note that + encryption will always be forced on PPTP connections (i.e. + unencrypted connections will not be accepted).
  + +
 Note:
+
don't forget to add a firewall rule to permit + traffic from PPTP clients!
+
+
+ + + + diff --git a/usr/local/www/vpn_pptp_users.php b/usr/local/www/vpn_pptp_users.php new file mode 100755 index 0000000..0122734 --- /dev/null +++ b/usr/local/www/vpn_pptp_users.php 
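Review bot: In the server-mode validation the remote start address is only run through is_ipaddr() when `$_POST['subnet']` is truthy, yet the value being checked is `remoteip`; whenever no `subnet` field is posted (the stripped markup suggests the subnet size is rendered as fixed text), an invalid `remoteip` is never rejected and flows straight into gen_subnet() and ip2long(). The guard should read `if (($_POST['remoteip'] && !is_ipaddr($_POST['remoteip'])))`. Separately, both `do_input_validation(..., &$input_errors)` calls in this hunk use call-time pass-by-reference, which later PHP releases reject outright; the `&` belongs on the parameter in the function's declaration, not at the call site. The same call-time reference appears in the vpn_pptp_users_edit.php hunk below.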
@@ -0,0 +1,126 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['pptpd']['user'])) {
+ $config['pptpd']['user'] = array();
+}
+pptpd_users_sort();
+$a_secret = &$config['pptpd']['user'];
+
+if ($_POST) {
+
+ $pconfig = $_POST;
+
+ if ($_POST['apply']) {
+ $retval = 0;
+ if (!file_exists($d_sysrebootreqd_path)) {
+ config_lock();
+ $retval = vpn_pptpd_configure();
+ config_unlock();
+ }
+ $savemsg = get_std_save_message($retval);
+ if ($retval == 0) {
+ if (file_exists($d_pptpuserdirty_path))
+ unlink($d_pptpuserdirty_path);
+ }
+ }
+}
+
+if ($_GET['act'] == "del") {
+ if ($a_secret[$_GET['id']]) {
+ unset($a_secret[$_GET['id']]);
+ write_config();
+ touch($d_pptpuserdirty_path);
+ header("Location: vpn_pptp_users.php");
+ exit;
+ }
+}
+?>
+
+
+
+<?=gentitle("VPN: PPTP: Users");?>
+
+
+
+
+
+

VPN: PPTP: Users

+
+ + +

+You must apply the changes in order for them to take effect.
Warning: this will terminate all current PPTP sessions!");?>
+

+ + + + + + +
+ +
+ + + + + + + + + + + + + + + + + +
UsernameIP address
+ + +   + +  
+
+
+ + + diff --git a/usr/local/www/vpn_pptp_users_edit.php b/usr/local/www/vpn_pptp_users_edit.php new file mode 100755 index 0000000..1b681ee --- /dev/null +++ b/usr/local/www/vpn_pptp_users_edit.php 
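Review bot: User deletion is driven entirely by a GET request (`$_GET['act'] == "del"` plus `$_GET['id']`) that calls write_config() and redirects, so any link, bookmark or prefetched URL carrying those two parameters silently removes an entry; a state-changing action like this should be accepted only from a POST, and once the GUI has a per-session token it should be required here as well. The index is also used unvalidated as an array key; casting it first, `$id = (int)$_GET['id'];`, keeps arbitrary strings out of `$a_secret`. A smaller point: `$retval == 0` in the apply branch is a loose comparison, `$retval === 0` states what is meant.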
@@ -0,0 +1,159 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['pptpd']['user'])) {
+ $config['pptpd']['user'] = array();
+}
+pptpd_users_sort();
+$a_secret = &$config['pptpd']['user'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+
+if (isset($id) && $a_secret[$id]) {
+ $pconfig['username'] = $a_secret[$id]['name'];
+ $pconfig['ip'] = $a_secret[$id]['ip'];
+}
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if (isset($id) && ($a_secret[$id])) {
+ $reqdfields = explode(" ", "username");
+ $reqdfieldsn = explode(",", "Username");
+ } else {
+ $reqdfields = explode(" ", "username password");
+ $reqdfieldsn = explode(",", "Username,Password");
+ }
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['username']))
+ $input_errors[] = "The username contains invalid characters.";
+
+ if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['password']))
+ $input_errors[] = "The password contains invalid characters.";
+
+ if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
+ $input_errors[] = "The passwords do not match.";
+ }
+ if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) {
+ $input_errors[] = "The IP address entered is not valid.";
+ }
+
+ if (!$input_errors && !(isset($id) && $a_secret[$id])) {
+ /* make sure there are no dupes */
+ foreach ($a_secret as $secretent) {
+ if ($secretent['name'] == $_POST['username']) {
+ $input_errors[] = "Another entry with the same username already exists.";
+ break;
+ }
+ }
+ }
+
+ if (!$input_errors) {
+
+ if (isset($id) && $a_secret[$id])
+ $secretent = $a_secret[$id];
+
+ $secretent['name'] = $_POST['username'];
+ $secretent['ip'] = $_POST['ip'];
+
+ if ($_POST['password'])
+ $secretent['password'] = $_POST['password'];
+
+ if (isset($id) && $a_secret[$id])
+ $a_secret[$id] = $secretent;
+ else
+ $a_secret[] = $secretent;
+
+ write_config();
+ touch($d_pptpuserdirty_path);
+
+ header("Location: vpn_pptp_users.php");
+ exit;
+ }
+}
+?>
+
+
+
+<?=gentitle("VPN: PPTP: Users: Edit");?>
+
+
+
+
+
+

VPN: PPTP: Users: Edit

+ +
+ + + + + + + + + + + + + + + + +
Username + +
Password + +
+  (confirmation)
+ If you want to change the users' password, + enter it here twice.
IP address + +
If you want the user to be assigned a specific IP address, enter it here.
  + + + + +
+
+ + + -- cgit v1.1
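Review bot: Both string comparisons in the validation block are loose: the duplicate check `$secretent['name'] == $_POST['username']` and the confirmation check `$_POST['password'] != $_POST['password2']`. Because the allowed character class admits digits and `.`, numeric-looking values compare numerically under PHP's loose rules (`'1e3' == '1000'`, `'1.0' == '1'`), so a distinct username can be refused as a duplicate and a mistyped confirmation can slip through; use `===` and `!==` respectively. `$id` is read from `$_GET`/`$_POST` and used directly as the `$a_secret` index; casting it where it is set, `if (isset($_GET['id'])) $id = (int)$_GET['id'];` (and likewise for the POST branch), keeps the later `isset($id)` checks intact while ruling out non-numeric keys. Note that the password is written to the configuration exactly as submitted, which appears to be what the PPTP backend consumes, so the configuration file itself has to be handled as secret material.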