Diffstat (limited to 'config')
-rw-r--r--config/bind/bind.inc164
-rw-r--r--config/bind/bind.xml29
-rw-r--r--config/bind/bind_zones.xml27
-rw-r--r--config/freeradius2/freeradiusclients.xml2
-rw-r--r--config/squidGuard/squidguard.xml2
-rw-r--r--config/squidGuard/squidguard_configurator.inc5
6 files changed, 176 insertions, 53 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 66b16464..167f0af3 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -56,16 +56,6 @@ function bind_zone_validate($post, &$input_errors)
}
switch ($_POST['type']) {
- case 'slave':
- if ($_POST['slaveip'] == "") {
- $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.';
- }
- break;
- case 'forward':
- if ($_POST['forwarders'] == "") {
- $input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
- }
- break;
case 'redirect':
$_POST['tll'] = 300;
$_POST['refresh'] = 0;
@@ -76,7 +66,8 @@ function bind_zone_validate($post, &$input_errors)
if ($_POST['mail'] == '') {
$input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones.";
}
- default:
+ // Intentionally fall through to 'master' zone case
+ case 'master':
if ($_POST['nameserver'] == '') {
$input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones.";
}
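Review bot: Turning `default:` into `case 'master':` changes what happens to a type value that is not one of the listed cases: it now reaches the `default: break;` added in the next hunk (@@ -106,6 +97,18 @@) and passes validation with no errors, whereas before it was validated as a master zone. The type comes from a select, so this is unlikely through the UI, but a missing or tampered value would be saved unvalidated and later hit the empty `default:` branch of bind_sync, which emits a zone block with no statements at all. Make the unknown case fail closed: `default: $input_errors[] = 'Unknown zone type.'; break;`. The enclosing switch starts before this hunk and ends after it.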
@@ -106,6 +97,18 @@ function bind_zone_validate($post, &$input_errors)
}
}
break;
+ case 'slave':
+ if ($_POST['slaveip'] == "") {
+ $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.';
+ }
+ break;
+ case 'forward':
+ if ($_POST['forwarders'] == "") {
+ $input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
+ }
+ break;
+ default:
+ break;
}
}
@@ -128,7 +131,6 @@ function bind_sync()
if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense")) {
$rndc_conf = file(BIND_LOCALBASE."/etc/rndc-confgen.pfsense");
$confgen = "rndc.conf";
- $rndc_bindconf = "";
foreach ($rndc_conf as $line) {
if ($confgen == "rndc.conf") {
if (!preg_match("/^#/", $line)) {
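Review bot: Removing `$rndc_bindconf = "";` from inside the `file_exists` branch is only safe if the variable is initialised before the `if` (outside this hunk); if it is not, the later `$bind_conf .= "$rndc_bindconf\n";` reads an undefined variable whenever rndc-confgen.pfsense is absent. If the initialisation was moved above the `if` this is fine; otherwise restore `$rndc_bindconf = "";` ahead of the `file_exists` check. bind_sync's body begins and continues outside this hunk.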
@@ -154,10 +156,12 @@ function bind_sync()
$hide_version = $bind['bind_hide_version'];
$bind_notify = $bind['bind_notify'];
$custom_options = base64_decode($bind['bind_custom_options']);
+ $bind_global_settings = base64_decode($bind['bind_global_settings']);
$bind_logging = $bind['bind_logging'];
$bind_conf = "#Bind pfsense configuration\n";
$bind_conf .= "#Do not edit this file!!!\n\n";
$bind_conf .= "$rndc_bindconf\n";
+ $bind_conf .= "$bind_global_settings\n";
$bind_conf .= <<<EOD
options {
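Review bot: `$bind['bind_global_settings']` is read unconditionally, so on a configuration saved before this field existed the index is undefined and `base64_decode` is handed `null`; guard it as `$bind_global_settings = isset($bind['bind_global_settings']) ? base64_decode($bind['bind_global_settings']) : '';`. The decoded text is then written verbatim at the top level of named.conf, so any syntax error in it prevents named from starting for every zone; that matches the existing `custom_options` handling, but a `named-checkconf` pass before the generated file is installed would catch it in both places. The heredoc that follows continues outside the hunk.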
@@ -208,23 +212,23 @@ EOD;
$bind_listenon = ($bind_listenon == "" ? "none;" : $bind_listenon);
// print "<PRE>$bind_listenonv6 $bind_listenon";
if (array_key_exists("ipv6allow", $config['system'])) {
- $bind_conf .= "\t\tlisten-on-v6 { $bind_listenonv6 };\n";
+ $bind_conf .= "\tlisten-on-v6 { $bind_listenonv6 };\n";
}
$bind_conf .= "\tlisten-on { $bind_listenon };\n";
// forwarder config
if ($bind_forwarder == 'on') {
- $bind_conf .= "\t\tforwarders { $forwarder_ips };\n";
+ $bind_conf .= "\tforwarders { $forwarder_ips };\n";
}
if ($bind_notify == 'on') {
- $bind_conf .= "\t\tnotify yes;\n";
+ $bind_conf .= "\tnotify yes;\n";
}
if ($hide_version == 'on') {
- $bind_conf .= "\t\tversion none;\n";
+ $bind_conf .= "\tversion none;\n";
}
$bind_conf .= preg_replace("/^/m", "\t", $custom_options);
- $bind_conf .= "\n\t};\n\n";
+ $bind_conf .= "\n};\n\n";
if ($bind_logging == 'on') {
//check if bind is included on syslog
@@ -258,13 +262,14 @@ logging {
EOD;
foreach ($log_categories as $category) {
- $bind_conf .= "\t\t\tcategory $category\t{custom;};\n";
+ $bind_conf .= "\tcategory $category { custom; };\n";
}
- $bind_conf .= "\t\t};\n\n";
+ $bind_conf .= "};";
}
} else {
- $bind_conf .= "\t\tlogging { category default { null; }; };\n\n";
+ $bind_conf .= "logging { category default { null; }; };";
}
+ $bind_conf .= "\n\n";
// Config Zone domain
@@ -317,11 +322,14 @@ EOD;
}
$viewcustomoptions = base64_decode($views['bind_custom_options']);
- $bind_conf .= "view \"$viewname\" { \n\n";
+ $bind_conf .= "view \"$viewname\" { \n";
$bind_conf .= "\trecursion $viewrecursion;\n";
$bind_conf .= "\tmatch-clients { $viewmatchclients; };\n";
$bind_conf .= "\tallow-recursion { $viewallowrecursion; };\n";
- $bind_conf .= "\t$viewcustomoptions\n\n";
+ if (!empty($viewcustomoptions)) {
+ $bind_conf .= preg_replace("/^/m", "\t", $viewcustomoptions)."\n";
+ }
+ $bind_conf .= "\n";
if (is_array($config['installedpackages']['bindzone'])) {
$bindzone = $config['installedpackages']['bindzone']['config'];
@@ -342,37 +350,54 @@ EOD;
$custom_root_zone = true;
}
$zonetype = $zone['type'];
- $zoneview = $zone['view'];
+ $zoneviewlist = explode(',', $zone['view']);
$zonecustom = base64_decode($zone['custom']);
$zoneipslave = $zone['slaveip'];
$zoneforwarders = $zone['forwarders'];
+ if (!empty($zoneforwarders)) {
+ $zoneforwarders = rtrim($zoneforwarders, ';');
+ }
$zonereverso = $zone['reverso'];
+ $zonereversv6o = $zone['reversv6o'];
// Ensure zone view folder exists
- if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) {
- mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview", 0755, true);
+ if ($zonetype != "forward") {
+ foreach ($zoneviewlist as $zoneview) {
+ if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) {
+ mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview", 0755, true);
+ }
+ }
}
- if ($zone['allowupdate'] == '') {
+ if (empty($zone['allowupdate'])) {
$zoneallowupdate = "none";
} else {
$zoneallowupdate = str_replace(',', '; ', $zone['allowupdate']);
}
- if ($zone['allowquery'] == '') {
+ $zoneupdatepolicy = $zone['updatepolicy'];
+ if (!empty($zoneupdatepolicy)) {
+ $zoneupdatepolicy = rtrim($zoneupdatepolicy, ';');
+ }
+ if (empty($zone['allowquery'])) {
$zoneallowquery = "none";
} else {
$zoneallowquery = str_replace(',', '; ', $zone['allowquery']);
}
- if ($zone['allowtransfer'] == '') {
+ if (empty($zone['allowtransfer'])) {
$zoneallowtransfer = "none";
} else {
$zoneallowtransfer = str_replace(',', '; ', $zone['allowtransfer']);
}
- if ($zoneview == $viewname) {
+ if (in_array($viewname, $zoneviewlist)) {
+ $zoneview = $viewname;
// Add zone name
if ($zonereverso == "on") {
- $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n";
+ if ($zonereversv6o == "on") {
+ $bind_conf .= "\tzone \"$zonename.ip6.arpa\" {\n";
+ } else {
+ $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n";
+ }
} else {
$bind_conf .= "\tzone \"$zonename\" {\n";
}
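Review bot: `in_array($viewname, $zoneviewlist)` and the new mkdir loop both depend on the exploded view names matching `$viewname` exactly; if the multi-select value is ever stored with spaces after the commas, the directory is created with a leading space and the zone is silently left out of every view. Normalising once at the source avoids both: `$zoneviewlist = array_map('trim', explode(',', $zone['view']));`, and pass `true` as the third argument of `in_array` so the comparison is strict. `$zone['reversv6o']` is also read unconditionally and is undefined on zones saved before this field existed, so an `isset` guard there keeps the sync quiet. The enclosing foreach over zones starts before this hunk and ends after it.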
@@ -385,8 +410,27 @@ EOD;
// Add zone statements
switch ($zonetype) {
+ case 'master':
+ $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
+ $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer; };\n";
+ if ($zone['enable_updatepolicy'] == "on") {
+ $bind_conf .= "\t\tupdate-policy { $zoneupdatepolicy; };\n";
+ } else {
+ $bind_conf .= "\t\tallow-update { $zoneallowupdate; };\n";
+ }
+ if ($zone['dnssec'] == "on") {
+ //https://kb.isc.org/article/AA-00626/
+ $bind_conf .= "\n\t\t# look for dnssec keys here:\n";
+ $bind_conf .= "\t\tkey-directory \"/etc/namedb/keys\";\n\n";
+ $bind_conf .= "\t\t# publish and activate dnssec keys:\n";
+ $bind_conf .= "\t\tauto-dnssec maintain;\n\n";
+ $bind_conf .= "\t\t# use inline signing:\n";
+ $bind_conf .= "\t\tinline-signing yes;\n\n";
+ }
+ break;
case 'slave':
$bind_conf .= "\t\tmasters { $zoneipslave; };\n";
+ $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
$bind_conf .= "\t\tallow-transfer { $zoneallowtransfer; };\n";
$bind_conf .= "\t\tnotify no;\n";
break;
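Review bot: In the new `master` case, `update-policy { $zoneupdatepolicy; };` is emitted whenever `enable_updatepolicy` is on, even when the policy text is empty, which yields `update-policy { ; };` and stops named from loading the whole configuration. bind_zone_validate (earlier hunks) adds no check for this pair, so either reject it there with `if ($_POST['enable_updatepolicy'] == 'on' && $_POST['updatepolicy'] == '') { $input_errors[] = 'An Update-policy is required when it is enabled.'; }` or fall back to allow-update here with `if ($zone['enable_updatepolicy'] == "on" && !empty($zoneupdatepolicy)) {`. The switch this belongs to continues into the next hunk.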
@@ -398,20 +442,9 @@ EOD;
$bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n";
$bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n";
$bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n";
+ $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
break;
default:
- $bind_conf .= "\t\tallow-update { $zoneallowupdate; };\n";
- $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
- $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer; };\n";
- if ($zone['dnssec'] == "on") {
- //https://kb.isc.org/article/AA-00626/
- $bind_conf .= "\n\t\t# look for dnssec keys here:\n";
- $bind_conf .= "\t\tkey-directory \"/etc/namedb/keys\";\n\n";
- $bind_conf .= "\t\t# publish and activate dnssec keys:\n";
- $bind_conf .= "\t\tauto-dnssec maintain;\n\n";
- $bind_conf .= "\t\t# use inline signing:\n";
- $bind_conf .= "\t\tinline-signing yes;\n\n";
- }
break;
}
@@ -440,10 +473,15 @@ EOD;
$zonenameserver = $zone['nameserver'];
$zoneipns = $zone['ipns'];
$zonereverso = $zone['reverso'];
+ $zonereversv6o = $zone['reversv6o'];
$zone_conf = "\$TTL {$zonetll}\n;\n";
if ($zonereverso == "on") {
- $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n";
+ if ($zonereversv6o == "on") {
+ $zone_conf .= "\$ORIGIN {$zonename}.ip6.arpa.\n\n";
+ } else {
+ $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n";
+ }
} else {
$zone_conf .= "\$ORIGIN {$zonename}.\n\n";
}
@@ -625,6 +663,13 @@ EOD;
$config['installedpackages']['bindzone']['config'][$x]['resultconfig'] = base64_encode($rsconfig);
$write_config++;
break;
+ case 'forward':
+ // forwarder zone does not have a DB file
+ $config['installedpackages']['bindzone']['config'][$x]['resultconfig'] = '';
+ $write_config++;
+ break;
+ default:
+ break;
}
}
}
@@ -704,6 +749,7 @@ function bind_print_javascript_type_zone()
document.iform.tll.disabled = 0;
document.iform.nameserver.disabled = 0;
document.iform.reverso.disabled = 0;
+ document.iform.reversv6o.disabled = 0;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 0;
document.iform.backupkeys.disabled = 0;
@@ -715,12 +761,17 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 0;
document.iform.expire.disabled = 0;
document.iform.minimum.disabled = 0;
+ document.iform.allowquery.disabled = 0;
+ document.iform.allowupdate.disabled = 0;
+ document.iform.enable_updatepolicy.disabled = 0;
+ document.iform.updatepolicy.disabled = 1;
break;
case 'slave':
document.iform.slaveip.disabled = 0;
document.iform.tll.disabled = 1;
document.iform.nameserver.disabled = 1;
document.iform.reverso.disabled = 0;
+ document.iform.reversv6o.disabled = 0;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 0;
document.iform.backupkeys.disabled = 0;
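Review bot: In the `master` case, `document.iform.updatepolicy.disabled = 1;` is set unconditionally, so when an existing zone that already has Enable Update-policy checked is reopened, the policy input stays disabled until the box is toggled again; a disabled input is not submitted, so saving the form unchanged can drop the stored policy while the enable flag remains on. Tie it to the checkbox instead: `document.iform.updatepolicy.disabled = document.iform.enable_updatepolicy.checked ? 0 : 1;`. Whether pfSense's `enablefields` handler re-runs after this function is not visible here, so confirm on the page. The same pattern repeats in the slave, forward and redirect cases, where it is harmless because the field is meant to stay disabled.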
@@ -732,12 +783,17 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 1;
document.iform.expire.disabled = 1;
document.iform.minimum.disabled = 1;
+ document.iform.allowquery.disabled = 0;
+ document.iform.allowupdate.disabled = 1;
+ document.iform.enable_updatepolicy.disabled = 1;
+ document.iform.updatepolicy.disabled = 1;
break;
case 'forward':
document.iform.slaveip.disabled = 1;
document.iform.tll.disabled = 1;
document.iform.nameserver.disabled = 1;
document.iform.reverso.disabled = 1;
+ document.iform.reversv6o.disabled = 1;
document.iform.forwarders.disabled = 0;
document.iform.dnssec.disabled = 1;
document.iform.backupkeys.disabled = 1;
@@ -749,12 +805,17 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 1;
document.iform.expire.disabled = 1;
document.iform.minimum.disabled = 1;
+ document.iform.allowquery.disabled = 1;
+ document.iform.allowupdate.disabled = 1;
+ document.iform.enable_updatepolicy.disabled = 1;
+ document.iform.updatepolicy.disabled = 1;
break;
case 'redirect':
document.iform.slaveip.disabled = 1;
document.iform.tll.disabled = 1;
document.iform.nameserver.disabled = 0;
document.iform.reverso.disabled = 1;
+ document.iform.reversv6o.disabled = 1;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 1;
document.iform.backupkeys.disabled = 1;
@@ -766,6 +827,10 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 0;
document.iform.expire.disabled = 0;
document.iform.minimum.disabled = 0;
+ document.iform.allowquery.disabled = 0;
+ document.iform.allowupdate.disabled = 1;
+ document.iform.enable_updatepolicy.disabled = 1;
+ document.iform.updatepolicy.disabled = 1;
break;
default:
break;
@@ -783,12 +848,15 @@ function bind_print_javascript_type_zone2()
function bind_write_rcfile()
{
+ global $config;
+ $bind = $config['installedpackages']['bind']['config'][0];
+ $ip_version = ($bind['bind_ip_version'] ? $bind['bind_ip_version'] : "");
$rc = array();
$BIND_LOCALBASE = "/usr/local";
$rc['file'] = 'named.sh';
$rc['start'] = <<<EOD
- if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
- {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
+ if [ -z "`ps auxw | grep "[n]amed {$ip_version} -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
+ {$BIND_LOCALBASE}/sbin/named {$ip_version} -c /etc/namedb/named.conf -u bind -t /cf/named/
fi
EOD;
$rc['stop'] = <<<EOD
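Review bot: When `bind_ip_version` is empty, the new grep pattern becomes `[n]amed  -c /etc/namedb/named.conf` (two spaces), which never matches the running `named -c ...` command line, so the start script believes named is not running and launches a second instance; the restart script in the next hunk (@@ -796,12 +864,12 @@) has the same problem. The value is also interpolated straight into a root-executed shell script from config, and although the select only offers `-4`/`-6`/empty, a restored or hand-edited config.xml would pass anything through unchanged. Allow-list the value and build the argument string once so the grep pattern and the exec line cannot drift apart; the rest of the function, including the stop and restart scripts, stays as it is apart from using the same `$named_args`.
```php
	global $config;
	$bind = $config['installedpackages']['bind']['config'][0];
	// Only the two values the select offers may reach the rc script; anything else is dropped.
	$ip_version = (isset($bind['bind_ip_version']) && in_array($bind['bind_ip_version'], array('-4', '-6'), true))
		? $bind['bind_ip_version'] : '';
	// One argument string for both the ps|grep pattern and the exec line, with no
	// double space when $ip_version is empty.
	$named_args = trim("{$ip_version} -c /etc/namedb/named.conf");
	$rc = array();
	$BIND_LOCALBASE = "/usr/local";
	$rc['file'] = 'named.sh';
	$rc['start'] = <<<EOD
	if [ -z "`ps auxw | grep "[n]amed {$named_args}"|awk '{print $2}'`" ];then
		{$BIND_LOCALBASE}/sbin/named {$named_args} -u bind -t /cf/named/
	fi
EOD;
	// … unchanged: stop script; restart script uses {$named_args} in the same three places …
```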
@@ -796,12 +864,12 @@ EOD;
sleep 2
EOD;
$rc['restart'] = <<<EOD
- if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
- {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
+ if [ -z "`ps auxw | grep "[n]amed {$ip_version} -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
+ {$BIND_LOCALBASE}/sbin/named {$ip_version} -c /etc/namedb/named.conf -u bind -t /cf/named/
else
killall -9 named 2>/dev/null
sleep 3
- {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
+ {$BIND_LOCALBASE}/sbin/named {$ip_version} -c /etc/namedb/named.conf -u bind -t /cf/named/
fi
EOD;
conf_mount_rw();
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index b64ba256..c24bf351 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -143,6 +143,18 @@
<required/>
</field>
<field>
+ <fielddescr>IP Version</fielddescr>
+ <fieldname>bind_ip_version</fieldname>
+ <description><![CDATA[Select IP transport version.<br>
+ This controls which transports are used when resolving queries.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>IPv4+IPv6</name><value></value></option>
+ <option><name>IPv4</name><value>-4</value></option>
+ <option><name>IPv6</name><value>-6</value></option>
+ </options>
+ </field>
+ <field>
<fielddescr>Listen on</fielddescr>
<fieldname>listenon</fieldname>
<description><![CDATA[Choose the interfaces on which to enable BIND.]]></description>
@@ -298,6 +310,23 @@
<rows>5</rows>
<encoding>base64</encoding>
</field>
+ <field>
+ <type>listtopic</type>
+ <name>Global Settings</name>
+ <fieldname>temp01</fieldname>
+ </field>
+ <field>
+ <fielddescr>Global Settings</fielddescr>
+ <fieldname>bind_global_settings</fieldname>
+ <description>
+ <![CDATA[You can put your own global settings here.<br>
+ They'll be added to the configuration. They need to be named.conf native settings.]]>
+ </description>
+ <type>textarea</type>
+ <cols>65</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
</fields>
<custom_php_after_head_command>
</custom_php_after_head_command>
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index a62c1aaf..c289ddd3 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -154,17 +154,26 @@
<field>
<fielddescr>View</fielddescr>
<fieldname>view</fieldname>
- <description><![CDATA[Select the View that this zone will belong.]]></description>
+ <description><![CDATA[Select(CTRL+click) views that this zone will belong.]]></description>
<type>select_source</type>
<source><![CDATA[$config['installedpackages']['bindviews']['config']]]></source>
<source_name>name</source_name>
<source_value>name</source_value>
+ <multiple/>
+ <size>02</size>
</field>
<field>
<fielddescr>Reverse Zone</fielddescr>
<fieldname>reverso</fieldname>
<description>Enable if this is a reverse zone.</description>
<type>checkbox</type>
+ <enablefields>reversv6o</enablefields>
+ </field>
+ <field>
+ <fielddescr>IPv6 Reverse Zone</fielddescr>
+ <fieldname>reversv6o</fieldname>
+ <description>Enable if this is a IPv6 reverse zone. Reverse Zone must also be enabled.</description>
+ <type>checkbox</type>
</field>
<field>
<fielddescr>Custom Option</fielddescr>
@@ -305,6 +314,22 @@
<size>03</size>
</field>
<field>
+ <fielddescr>Enable Update-policy</fielddescr>
+ <fieldname>enable_updatepolicy</fieldname>
+ <description><![CDATA[Enable Update-policy which overrides Allow-update.<br>
+ The update-policy statement replaces the allow-update statement.]]></description>
+ <type>checkbox</type>
+ <enablefields>updatepolicy</enablefields>
+ </field>
+ <field>
+ <fielddescr>Update-policy</fielddescr>
+ <fieldname>updatepolicy</fieldname>
+ <description><![CDATA[Update-policy defines the policy for submitting dynamic updates to 'master' zones.<br>
+ Do not include the surrounding { } when using multiple statements]]></description>
+ <type>input</type>
+ <size>75</size>
+ </field>
+ <field>
<fielddescr>Allow-query</fielddescr>
<fieldname>allowquery</fieldname>
<description><![CDATA[Select(CTRL+click) who are allowed to query this zone.<br>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 4e66a597..99ac2af1 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -163,7 +163,7 @@
<field>
<fielddescr>Client Shared Secret</fielddescr>
<fieldname>varclientsharedsecret</fieldname>
- <description><![CDATA[Enter the shared secret of the RADIUS client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server.]]></description>
+ <description><![CDATA[Enter the shared secret of the RADIUS client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server. FreeRADIUS is limited to 31 characters for the shared secret.]]></description>
<type>password</type>
<required/>
</field>
diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml
index 7f3036ba..a1b80164 100644
--- a/config/squidGuard/squidguard.xml
+++ b/config/squidGuard/squidguard.xml
@@ -6,7 +6,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>squidguardgeneral</name>
- <version>1.4_7 pkg v.1.9.11</version>
+ <version>1.4_7 pkg v.1.9.13</version>
<title>Proxy filter SquidGuard: General settings</title>
<include_file>/usr/local/pkg/squidguard.inc</include_file>
<!-- Installation -->
diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc
index ca66d89a..551ca542 100644
--- a/config/squidGuard/squidguard_configurator.inc
+++ b/config/squidGuard/squidguard_configurator.inc
@@ -2038,15 +2038,16 @@ function squidguard_ramdisk($enable)
# delete old squidguard ramdisk
if (file_exists("/dev/md15")) {
- mwexec("umount -f " . SQUIDGUARD_TMP);
+ mwexec("/sbin/umount -f " . SQUIDGUARD_TMP);
mwexec("sleep 1");
- mwexec("mdconfig -d -u 15");
+ mwexec("/sbin/mdconfig -d -u 15");
}
if ($enable === true) {
# create temp ramdisk
# size 300Mb very nice for work with Archive < 30Mb
# this is size use physical RAM + Swap file
+ mkdir(SQUIDGUARD_TMP);
mwexec("/sbin/mdmfs -s {$ramsize}M md15 " . SQUIDGUARD_TMP);
mwexec("chmod 1777 " . SQUIDGUARD_TMP);
}
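Review bot: `mkdir(SQUIDGUARD_TMP);` is called unconditionally, so whenever the directory already exists (any re-enable after the first) PHP emits a warning; guard it with `if (!is_dir(SQUIDGUARD_TMP)) { mkdir(SQUIDGUARD_TMP, 0755, true); }`. With the directory now created up front, a failed `mdmfs` mount no longer fails the following `chmod 1777`, which then leaves a world-writable directory on the root filesystem where a ramdisk was expected; checking `mwexec`'s return value before the chmod would keep that from happening. squidguard_ramdisk's body starts before this hunk.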