Diffstat (limited to 'config')
-rw-r--r-- | config/arpwatch.xml | 138 | ||||
-rw-r--r-- | config/asterisk/asterisk.inc | 49 | ||||
-rw-r--r-- | config/sarg/sarg.inc | 16 | ||||
-rw-r--r-- | config/sm.php | 41 | ||||
-rw-r--r-- | config/squid3/33/pkg_squid.inc | 11 | ||||
-rwxr-xr-x | config/squid3/33/squid.inc | 134 | ||||
-rw-r--r-- | config/squid3/33/squid.xml | 11 | ||||
-rwxr-xr-x | config/squid3/33/squid_auth.xml | 19 | ||||
-rwxr-xr-x | config/squid3/33/squid_monitor.php | 1 | ||||
-rw-r--r-- | config/unbound/unbound.inc | 2 |
10 files changed, 284 insertions, 138 deletions
diff --git a/config/arpwatch.xml b/config/arpwatch.xml
index c9434075..64aadcea 100644
--- a/config/arpwatch.xml
+++ b/config/arpwatch.xml
@@ -2,65 +2,64 @@ <!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ + <copyright> + <![CDATA[ +/* ========================================================================== /* - arpwatch.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. + arpwatch.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>ARP Monitoring Daemon</description> + <requirements>None</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>arpwatch</name> - <version>2.1.a13</version> + <version>2.1.a14 pkg v1.1</version> <title>arpwatch: Settings</title> <aftersaveredirect>pkg_edit.php?xml=arpwatch.xml&id=0</aftersaveredirect> <menu> - <name>arpwatch</name> - <tooltiptext>Modify arpwatch settings.</tooltiptext> - <section>Services</section> - <configfile>arpwatch.xml</configfile> - <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> - </menu> + <name>arpwatch</name> + <tooltiptext>Modify arpwatch settings.</tooltiptext> + <section>Services</section> + <configfile>arpwatch.xml</configfile> + <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> + </menu> <service> - <name>arpwatch</name> - <rcfile>arpwatch.sh</rcfile> - <executable>arpwatch</executable> - </service> + <name>arpwatch</name> + <rcfile>arpwatch.sh</rcfile> + <executable>arpwatch</executable> + </service> <tabs> <tab> <text>Settings</text> @@ -74,10 +73,15 @@ </tabs> <configpath>installedpackages->package->$packagename->configuration->settings</configpath> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>a+rx</chmod> - <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> - </additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/sbin/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/sm.php</item> + </additional_files_needed> <fields> <field> <fielddescr>Listening Interface</fielddescr> 
@@ -85,21 +89,37 @@ <description>Choose the desired listening interface here.</description> <type>interfaces_selection</type> </field> + <field> + <fielddescr>Enable E-mail Notifications</fielddescr> + <fieldname>enable_email</fieldname> + <type>checkbox</type> + <description>Sends an E-mail notification for each new station and ARP change as they are seen <strong>instead of</strong> local reports.<br/>NOTE: Only works on pfSense 2.1 or later. <br/>NOTE 2: Disables local reports which rely on arpwatch debug mode, which does not work with e-mail notifications.<br/>Configure SMTP and address settings in System > Advanced on the Notifications tab</description> + </field> </fields> <custom_php_global_functions> + <![CDATA[ function sync_package_arpwatch() { global $config; + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); conf_mount_rw(); config_lock(); $log_file = "/var/log/arp.dat"; if($_POST['interface'] != "") { - $int = $_POST['interface']; + $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; } + $mail = ""; + $debug = ""; + if(($pf_version > 2.0) && (isset($_POST['enable_email']) || ($config['installedpackages']['arpwatch']['config'][0]['enable_email'] == "on"))) { + if (!empty($config['notifications']['smtp']['notifyemailaddress'])) + $mail = " -m {$config['notifications']['smtp']['notifyemailaddress']}"; + } else { + $debug = "-d"; + } $int = convert_friendly_interface_to_real_interface_name($int); $start = "touch {$log_file}\n"; - $start .= "/usr/local/sbin/arpwatch -d -f {$log_file} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; + $start .= "/usr/local/sbin/arpwatch {$debug} -f {$log_file} {$mail} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; $stop = "/usr/bin/killall arpwatch"; write_rcfile(array( "file" => "arpwatch.sh", 
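Review bot: The new `$mail` string interpolates the configured notification address straight into the arpwatch command line that write_rcfile() stores in arpwatch.sh, so any shell metacharacter in `notifyemailaddress` is executed by the rc script at service start; build it as `$mail = " -m " . escapeshellarg($config['notifications']['smtp']['notifyemailaddress']);`. When e-mail is enabled but no address is configured, both `$mail` and `$debug` stay empty, so arpwatch runs with neither `-d` reports nor a recipient; falling back to `$debug = "-d";` in that inner branch looks like the intended behaviour. The `$pf_version > 2.0` test compares a three-character string with a float, which works for "2.1" but deserves a comment such as `// "2.1" and later compare numerically above 2.0`. sync_package_arpwatch() continues past the end of this hunk.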
@@ -111,11 +131,17 @@ conf_mount_ro(); config_unlock(); } + ]]> </custom_php_global_functions> <custom_add_php_command> + <![CDATA[ sync_package_arpwatch(); + ]]> </custom_add_php_command> <custom_php_install_command> + <![CDATA[ unlink_if_exists("/usr/local/etc/rc.d/arpwatch.sh"); - </custom_php_install_command> -</packagegui>
\ No newline at end of file + @link("/usr/sbin/sm.php", "/usr/sbin/sendmail"); + ]]> + </custom_php_install_command> +</packagegui> diff --git a/config/asterisk/asterisk.inc b/config/asterisk/asterisk.inc index 642a73c2..07d3d923 100644 --- a/config/asterisk/asterisk.inc +++ b/config/asterisk/asterisk.inc @@ -58,26 +58,25 @@ function sync_package_asterisk() { #mount filesystem writeable conf_mount_rw(); - //for NanoBSD compatibility, move the /etc/asterisk configuration directory to /conf, and symlink it back - if (!file_exists("/conf/asterisk/") && file_exists(ASTERISK_LOCALBASE."/etc/asterisk/")){ - rename(ASTERISK_LOCALBASE. "/etc/asterisk", ASTERISK_CONF_DIR); - symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); - } - - //check or move -dist files on dist dir $dist_dir=ASTERISK_CONF_DIR ."/dist"; if (!is_dir($dist_dir)) mkdir($dist_dir,0755,TRUE); - $dist_files= scandir(ASTERISK_CONF_DIR); - foreach ($dist_files as $dist){ - if (preg_match("/-dist/",$dist)) - rename (ASTERISK_CONF_DIR."/$dist", ASTERISK_CONF_DIR."/dist/$dist"); - } + if(file_exists (ASTERISK_LOCALBASE."/etc/asterisk") && !is_link(ASTERISK_LOCALBASE."/etc/asterisk")){ + $dist_files= scandir(ASTERISK_LOCALBASE."/etc/asterisk"); + foreach ($dist_files as $dist){ + if (preg_match("/-dist/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", "$dist_dir/$dist"); + elseif (preg_match("/\w+/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", ASTERISK_CONF_DIR."/$dist"); + } + rmdir(ASTERISK_LOCALBASE. "/etc/asterisk"); + symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); + } //fix asterisk options for nanobsd: logging, db and calls log in /tmp -// if ($g['platform'] == "nanobsd"){ + // if ($g['platform'] == "nanobsd"){ $script='/conf/asterisk/logger.conf'; if (file_exists($script)){ $script_file=file_get_contents($script); 
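Review bot: `@link("/usr/sbin/sm.php", "/usr/sbin/sendmail")` in custom_php_install_command replaces the system-wide sendmail entry point with the package script, and the `@` hides the failure case: if a sendmail binary or mailwrapper already exists at that path link() returns false and nothing is logged, and if it succeeds every other program on the box that shells out to sendmail is now routed through sm.php. I would at least check and report the result, `if (!link("/usr/sbin/sm.php", "/usr/sbin/sendmail")) log_error("arpwatch: could not link /usr/sbin/sendmail to sm.php");`, and prefer symlink() so that a later package update replacing sm.php does not leave a hard link to the old inode. No deinstall step that removes the link is visible in this diff, so presumably the replacement persists after the package is removed. The first hunk's new additional_files_needed entry is what places sm.php into /usr/sbin/ with a+rx.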
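Review bot: The migration block's rename(), rmdir() and symlink() calls are unchecked, so a partial move leaves Asterisk pointing at whichever directory survived without any log entry; `preg_match("/\w+/",$dist)` also matches subdirectories, and if /conf and the PBI base are on different filesystems a directory rename fails where a file rename would succeed, after which rmdir() fails on the non-empty directory and symlink() fails because the path still exists. I would guard the last two steps, `if (!rmdir(ASTERISK_LOCALBASE . "/etc/asterisk") || !symlink(ASTERISK_CONF_DIR, ASTERISK_LOCALBASE . "/etc/asterisk")) log_error("asterisk: could not relocate /etc/asterisk to " . ASTERISK_CONF_DIR);`. The cross-device case is inferred from the paths, not visible here. sync_package_asterisk() continues past the end of this hunk.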
@@ -91,17 +90,17 @@ function sync_package_asterisk() { if (file_exists($script)){ //point to the /var subdirs in the writable area in RAM $script_file=file_get_contents($script); - $pattern[0]='@[directories](!)@'; - $replace[0]='[directories]'; - $pattern[1]='@astetcdir => \S+@'; + $pattern[0]='/(\Wdirectories\W)\S+/'; + $replace[0]='$1'; + $pattern[1]='/astetcdir => \S+/'; $replace[1]='astetcdir => /conf/asterisk'; - $pattern[2]='@astdbdir => \S+@'; + $pattern[2]='/astdbdir => \S+/'; $replace[2]='astdbdir => /var/db/asterisk'; - $pattern[3]='@astspooldir => \S+@'; + $pattern[3]='/astspooldir => \S+/'; $replace[3]='astspooldir => /var/spool/asterisk'; - $pattern[4]='@astrundir => \S+@'; + $pattern[4]='/astrundir => \S+/'; $replace[4]='astrundir => /var/run/asterisk'; - $pattern[5]='@astlogdir => \S+@'; + $pattern[5]='/astlogdir => \S+/'; $replace[5]='astlogdir => /var/log/asterisk'; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); 
@@ -339,14 +338,14 @@ EOF; $script_file=file_get_contents($script); //strenghten a couple of security settings, and predefine codecs in the default SIP configuration if (strpos($script_file,'pfSense') === false) { //first check if already added... - $pattern[0]=';allowguest'; + $pattern[0]='/;allowguest\S+/'; $replace[0]='allowguest=no ;by pfSense ;'; - $pattern[1]=';alwaysauthreject'; + $pattern[1]='/;alwaysauthreject/'; $replace[1]='alwaysauthreject=yes ;by pfSense ;'; - $pattern[2]='; jbenable'; + $pattern[2]='/; jbenable/'; $replace[2]='jbenable=yes ;by pfSense ;'; - $pattern[3]='[general]'; - $replace[3]='[general]\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=ulaw\nallow=alaw\n\n'; + $pattern[3]='/(First disallow all codecs)/'; + $replace[3]="$1\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=gsm\nallow=ulaw\nallow=alaw\n\n"; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); } diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc index 97abc138..0a66137b 100644 --- a/config/sarg/sarg.inc +++ b/config/sarg/sarg.inc 
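Review bot: Nothing confirms that the hardening actually landed: `$pattern[0]='/;allowguest\S+/'` only rewrites a commented-out sample line, so a sip.conf that ships `allowguest=yes` uncommented is left as is, yet the `strpos($script_file,'pfSense')` guard marks the file as done once any other replacement matches. A check after the preg_replace, `if (!preg_match('/^allowguest=no/m', $script_file)) log_error("asterisk: allowguest=no was not applied to sip.conf");`, would make that gap visible. `$replace[3]` now uses double quotes so the `\n` sequences become real newlines, and `$1` survives only because PHP does not interpolate a digit-led name; a comment like `// "$1" is the preg backreference, not a PHP variable` would stop a future reader from "fixing" it. The enclosing block starts and ends outside this hunk.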
@@ -33,8 +33,20 @@ /* ========================================================================== */ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0){ + + // Function to get squidGuard directory + // each squidGuard version has a different directory + function getsqGuardDir() { + foreach (glob("/usr/pbi/*",GLOB_ONLYDIR) as $dirname) { + if (preg_match("/squidguard-/i", $dirname)) { + return trim($dirname); + break; + } + } + } + define('SARG_DIR', '/usr/pbi/sarg-' . php_uname("m")); - define('SQGARD_DIR','/usr/pbi/squidguard-' . php_uname("m")); + define('SQGARD_DIR', getsqGuardDir()); define('SQUID_DIR', '/usr/pbi/squid-' . php_uname("m")); define('DANSG_DIR', '/usr/pbi/dansguardian-' . php_uname("m")); } @@ -142,7 +154,7 @@ EOF; } #create a new file to speedup find search file_put_contents("/root/sarg_run_{$id}.sh",$gzip_script,LOCK_EX); - mwexec($cmd. " ".$args); + mwexec("export LC_ALL=C && " .$cmd. " ".$args); #check if there is a script to run after file save if (is_array($config['installedpackages']['sarg'])) switch ($config['installedpackages']['sarg']['config'][0]['proxy_server']){ diff --git a/config/sm.php b/config/sm.php new file mode 100644 index 00000000..e2c56fc4 --- /dev/null +++ b/config/sm.php 
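Review bot: getsqGuardDir() falls off the end and returns null when no matching /usr/pbi directory exists, so `define('SQGARD_DIR', getsqGuardDir())` then defines the constant as null and every path built from it becomes relative; the `break` after `return` is unreachable and can go. Keeping the previous value as the fallback preserves the old behaviour, `return '/usr/pbi/squidguard-' . php_uname("m");` as the function's last statement. `preg_match("/squidguard-/i", $dirname)` is an unanchored substring match, so when more than one directory matches the first glob() hit wins, which is worth a comment. In the second hunk, the `export LC_ALL=C && ` prefix could be the simpler `LC_ALL=C ` environment prefix if mwexec() hands the string to a shell as the `&&` already assumes; `$cmd` and `$args` are built outside this hunk.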
@@ -0,0 +1,41 @@
+#!/usr/local/bin/php -q
+<?php
+require_once("config.inc");
+require_once("globals.inc");
+require_once("notices.inc");
+
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if (($pf_version < 2.1)) {
+ $error = "Sending e-mail on this version of pfSense is not supported. Please use pfSense 2.1 or later";
+ log_error($error);
+ echo "{$error}\n";
+ return;
+}
+
+$options = getopt("s::");
+
+$message = "";
+
+if($options['s'] <> "") {
+ $subject = $options['s'];
+}
+
+
+$in = file("php://stdin");
+foreach($in as $line){
+ if ( (substr($line, 0, 6) == "From: ")
+ || (substr($line, 0, 6) == "Date: ")
+ || (substr($line, 0, 4) == "To: "))
+ continue;
+ if (empty($subject) && (substr($line, 0, 9) == "Subject: ")) {
+ $subject = substr($line, 9);
+ continue;
+ }
+ $message .= "$line";
+}
+
+if (!empty($subject))
+ send_smtp_message($message, $subject);
+else
+ send_smtp_message($message);
+?>
\ No newline at end of file
diff --git a/config/squid3/33/pkg_squid.inc b/config/squid3/33/pkg_squid.inc
new file mode 100644
index 00000000..47b64e2d
--- /dev/null
+++ b/config/squid3/33/pkg_squid.inc
@@ -0,0 +1,11 @@
+<?php
+
+global $shortcuts;
+
+$shortcuts['squid'] = array();
+$shortcuts['squid']['main'] = "pkg_edit.php?xml=squid.xml";
+$shortcuts['squid']['log'] = "squid_monitor.php";
+$shortcuts['squid']['status'] = "status_services.php";
+$shortcuts['squid']['service'] = "squid";
+
+?>
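Review bot: `$subject = substr($line, 9)` keeps the trailing newline of the `Subject:` line (file() preserves line endings), so the subject handed to send_smtp_message() ends in "\n" and, unless that function sanitises headers itself, any CR/LF in a piped message's subject line becomes a header injection; use `$subject = rtrim(substr($line, 9), "\r\n");`. `$options['s']` is read without isset(), which emits a notice on every call made without -s, and `<>` is the loose `!=`; `if (isset($options['s']) && $options['s'] !== "")` covers both. Because arpwatch.xml links this script in as /usr/sbin/sendmail, any local program may feed it mail, so a header comment stating which headers are stripped (From, Date, To) and that everything else, including any Message-ID or MIME headers, is passed through as body text would help the next reader.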
\ No newline at end of file diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 1da86847..c55160bc 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -40,7 +40,8 @@ require_once('service-utils.inc'); if(!function_exists("filter_configure")) require_once("filter.inc"); - + +$shortcut_section = "squid"; $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); @@ -155,7 +156,9 @@ function squid_install_command() { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; if (is_array($config['installedpackages']['squid']['config'])) $settingsgen = $config['installedpackages']['squid']['config'][0]; - + + if (file_exists("/usr/local/pkg/check_ip.php")) + rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php"); /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -659,7 +662,7 @@ function squid_validate_auth($post, $input_errors) { } $auth_method = $post['auth_method']; - if (($auth_method != 'none') && ($auth_method != 'local')) { + if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { $server = trim($post['auth_server']); if (empty($server)) $input_errors[] = 'The field \'Authentication server\' is required'; 
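Review bot: The `rename("/usr/local/pkg/check_ip.php", SQUID_LOCALBASE . "/libexec/squid/check_ip.php")` in squid_install_command() is unchecked; if the libexec/squid directory is absent or the move fails, the later `cp` branch of squid_resync_auth() still writes an external_acl_type line pointing at a missing helper and squid will not start. Wrap it, `if (!rename("/usr/local/pkg/check_ip.php", SQUID_LOCALBASE . "/libexec/squid/check_ip.php")) log_error("squid: could not install check_ip.php helper");`. The third hunk's growing `($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')` chain reads better as `!in_array($auth_method, array('none', 'local', 'cp'), true)`. squid_install_command() continues past the end of this hunk.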
@@ -1633,13 +1636,22 @@ function squid_resync_auth() { $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + if ($transparent_proxy){ + if (preg_match ("/(none|cp)/",$settings['auth_method'])) + $auth_method=$settings['auth_method']; + else + $auth_method="none"; + } + else{ + $auth_method=$settings['auth_method']; + } // Allow the remaining ACLs if no authentication is set - if ($auth_method == 'none') { + if ($auth_method == 'none' || $auth_method == 'cp') { // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) $conf .="http_access deny sglog\n"; - + } + if ($auth_method == 'none' ) { $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { @@ -1658,7 +1670,7 @@ function squid_resync_auth() { } // Set up the external authentication programs - $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5); $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { 
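Review bot: The non-transparent branch drops the `'none'` default the old ternary provided, so an unset or empty `$settings['auth_method']` now yields an empty string that is neither `'none'` nor `'cp'`: the allowed-ACL block is skipped, the switch matches nothing, and the `auth_param basic` lines in the later hunk are still emitted with no program, leaving squid with a REQUIRED proxy_auth acl and no authenticator. Keep the default, `$auth_method = ($settings['auth_method'] ? $settings['auth_method'] : 'none');`, and replace the unanchored `preg_match ("/(none|cp)/",...)` with `in_array($settings['auth_method'], array('none', 'cp'), true)` so a substring match can never select a mode. squid_resync_auth() starts before and continues after this hunk.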
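Review bot: The new `$auth_ttl` default of 5 feeds `auth_param basic credentialsttl $auth_ttl minutes` in the next hunk, while the new cp case passes the same value as `ttl={$auth_ttl}`, which squid reads in seconds, and the squid_auth.xml hunk that rewrites the field description now tells the user the value is in seconds; the same number therefore means 5 seconds for the external ACL and 5 minutes for basic auth. Either convert per consumer or state the unit once, e.g. `// auth_ttl is entered in seconds; credentialsttl below takes minutes`, and adjust the heredoc accordingly. The default also falls from 60 minutes to 5, a behaviour change for existing basic-auth users that is worth a line in the commit message.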
@@ -1674,11 +1686,17 @@ function squid_resync_auth() { $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; + case 'cp': + $conf .= "external_acl_type check_filter children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n"; + $conf .= "acl dgfilter external check_filter\n"; + $conf .= "http_access allow dgfilter\n"; + break; case 'msnt': $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } + if ($auth_method != 'cp'){ $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt @@ -1686,7 +1704,7 @@ auth_param basic credentialsttl $auth_ttl minutes acl password proxy_auth REQUIRED EOD; - + } // Onto the ACLs $password = array('localnet', 'allowed_subnets'); $passwordless = array('unrestricted_hosts'); @@ -1703,13 +1721,15 @@ EOD; foreach ($passwordless as $acl) $conf .= "http_access allow $acl\n"; - // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + if ($auth_method != 'cp'){ + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; - // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) - $conf .= "http_access allow password $acl\n"; + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } } $conf .= "# Default block all to be sure\n"; 
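Review bot: In the new `cp` case `$processes` and `$auth_ttl` are interpolated into the external_acl_type line without any integer check visible in this file, so a non-numeric form value produces a broken squid.conf; casting at the point of use, `"external_acl_type check_filter children-startup=" . (int)$processes . " ttl=" . (int)$auth_ttl . " %SRC "`, keeps the generated line well-formed, and the heredoc in the following hunk has the same exposure. `http_access allow dgfilter` is emitted inside the switch, ahead of the password ACLs, which is presumably intentional but merits a comment such as `// captive-portal sessions are allowed before any credential ACLs`. The `if ($auth_method != 'cp')` test is repeated in this and the next two hunks; computing `$needs_credentials = ($auth_method != 'cp');` once would tie the three blocks together. squid_resync_auth() continues outside this hunk.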
@@ -1844,7 +1864,7 @@ function squid_print_javascript_auth() { $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); // No authentication for transparent proxy - if ($transparent_proxy) { + if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $javascript = <<< EOD <script language="JavaScript"> <!-- @@ -1959,6 +1979,24 @@ function on_auth_method_changed() { document.iform.radius_secret.disabled = 1; document.iform.msnt_secondary.disabled = 0; break; + case 'cp': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + break; } } --> 
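Review bot: `preg_match("/(local|ldap|radius|msnt|ntlm)/", ...)` is an unanchored substring test on the selected method, and the identical expression is copied into squid_auth.xml's custom_php_after_head_command hunk in this commit, so the two sites will drift; a shared helper, `function squid_auth_method_needs_credentials($method) { return in_array($method, array('local', 'ldap', 'radius', 'msnt', 'ntlm'), true); }`, called from both, keeps the rule in one place. `ntlm` does not appear among the auth_method options visible in the squid_auth.xml hunk, so it is either a leftover or an option defined outside the shown lines. squid_print_javascript_auth() continues past the end of this hunk.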
@@ -1975,43 +2013,51 @@ function squid_print_javascript_auth2() { } function squid_generate_rules($type) { - global $config; + global $config,$pf_version; $squid_conf = $config['installedpackages']['squid']['config'][0]; - //check captive portal option $cp_file='/etc/inc/captiveportal.inc'; $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $cp_inc = file($cp_file); - $new_cp_inc=""; - $found_rule=0; - foreach ($cp_inc as $line){ - $new_line=$line; - //remove applied squid patch - if (preg_match('/} set 1 skipto 65314/',$line)){ - $found_rule++; - $new_line =""; + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line){ + $new_line=$line; + //remove applied squid patch + if (preg_match('/skipto 65314 ip/',$line)){ + $found_rule++; + $new_line =""; + } + + if (substr($pfsense_version,0,3) > 2.0){ + if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + } + } + else{ + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; + } + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' 
to any out\n";'."\n"; + $new_line .= $line; + } + } + $new_cp_inc .= $new_line; } - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); } - $new_cp_inc .= $new_line; - } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); - } - if($found_rule > 0){ - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); - } - //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index d64aabb9..a8bc0530 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -238,7 +238,16 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid3/33/squid_log_parser.php</item> </additional_files_needed> - + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/pkg_squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/check_ip.php</item> + </additional_files_needed> <fields> <field> <name>Squid General Settings</name> 
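Review bot: `global $config,$pf_version;` adds `$pf_version` but nothing in the visible body reads it; the new 2.1 branch keys on `substr($pfsense_version,0,3) > 2.0` from the locally computed `$pfsense_version` instead, so either drop the global or use it, `if ($pf_version > 2.0){`. The added `preg_match('/255.255.255.255/',$line)` has unescaped dots, so it also matches any line containing, say, `255x255x255x255`; `'/255\.255\.255\.255/'` is what is meant, and since the rule pair is appended after every matching line of captiveportal.inc a comment recording which base-system line it is meant to anchor on would make the patch easier to maintain. The function rewrites a base-system include in place, so the backup copy written just before file_put_contents() is the only way back; that part predates this commit. squid_generate_rules() continues past the end of this hunk.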
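Review bot: The new additional_files_needed entry fetches check_ip.php into /usr/local/pkg/, but that file is not among the ten files in this commit's diffstat, so unless it already exists upstream the installer will not obtain the intended helper and squid_install_command() will move whatever it got into libexec/squid as the captive-portal ACL helper; either add the file in this commit or record where it comes from. The helper is installed with `<chmod>0755</chmod>` and executed by squid through external_acl_type, so it runs with the squid process's privileges and reads client addresses from the proxy, which is worth stating in a comment next to the item.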
diff --git a/config/squid3/33/squid_auth.xml b/config/squid3/33/squid_auth.xml index 111085a8..e71a7e8d 100755 --- a/config/squid3/33/squid_auth.xml +++ b/config/squid3/33/squid_auth.xml @@ -110,6 +110,7 @@ <option><name>Local</name><value>local</value></option> <option><name>LDAP</name><value>ldap</value></option> <option><name>RADIUS</name><value>radius</value></option> + <option><name>Captive Portal</name><value>cp</value></option> <option><name>NT domain</name><value>msnt</value></option> </options> <onchange>on_auth_method_changed()</onchange> @@ -140,16 +141,16 @@ <fieldname>auth_processes</fieldname> <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> - <size>60</size> + <size>5</size> <default_value>5</default_value> </field> <field> <fielddescr>Authentication TTL</fielddescr> <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <description>This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5.</description> <type>input</type> - <size>60</size> - <default_value>60</default_value> + <size>5</size> + <default_value>5</default_value> </field> <field> <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> @@ -193,7 +194,7 @@ <fieldname>ldap_pass</fieldname> <description>Enter here the password to use to connect to the LDAP server.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> <field> <fielddescr>LDAP base domain</fielddescr> 
@@ -207,7 +208,7 @@ <fieldname>ldap_userattribute</fieldname> <description>Enter LDAP username DN attibute.</description> <type>input</type> - <size>60</size> + <size>20</size> <default_value>uid</default_value> </field> <field> @@ -215,7 +216,7 @@ <fieldname>ldap_filter</fieldname> <description>Enter LDAP search filter.</description> <type>input</type> - <size>60</size> + <size>40</size> <default_value>(&(objectClass=person)(uid=%s))</default_value> </field> <field> @@ -245,7 +246,7 @@ <fieldname>radius_secret</fieldname> <description>The RADIUS secret for RADIUS authentication.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> </fields> <custom_php_validation_command> @@ -262,7 +263,7 @@ </custom_php_before_form_command> <custom_php_after_head_command> $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); - if($transparent_proxy) + if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; squid_print_javascript_auth(); </custom_php_after_head_command> diff --git a/config/squid3/33/squid_monitor.php b/config/squid3/33/squid_monitor.php index 3a7b1d01..272cc9c4 100755 --- a/config/squid3/33/squid_monitor.php +++ b/config/squid3/33/squid_monitor.php @@ -43,6 +43,7 @@ if(strstr($pfSversion, "1.2")) $one_two = true; $pgtitle = "Status: Proxy Monitor"; +$shortcut_section = "squid"; include("head.inc"); ?> diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index d013608c..0d2b995f 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc 
@@ -461,7 +461,7 @@ function unbound_resync_config() { private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 -private-address: 192.254.0.0/16 +private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 # Set private domains in case authorative name server returns a RFC1918 IP address |