From c437156bf59cb3a689761670e9e040e9a8ceaa62 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Wed, 28 Sep 2011 00:54:04 +0200 Subject: Make sure advanced options, for optimization, are actually used --- config/unbound/unbound.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index 001f05d7..6c6a814d 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -526,7 +526,7 @@ function unbound_ctl_exec($cmd) { function unbound_optimization() { global $config; - $unbound_config = $config['installedpackages']['unbound']['config'][0]; + $unbound_config = $config['installedpackages']['unboundadvanced']['config'][0]; $optimization_settings = array(); // Set the number of threads equal to number of CPUs. -- cgit v1.2.3 From c6b67d94011e4c91388100a7f6a0b274f64e555a Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Wed, 28 Sep 2011 01:24:19 +0200 Subject: Start the support IPv6 ACLs --- config/unbound/unbound_acls.php | 860 +++++++++++++++++++++++++++++++++++ config/unbound/unbound_acls_edit.php | 277 +++++++++++ 2 files changed, 1137 insertions(+) create mode 100644 config/unbound/unbound_acls.php create mode 100644 config/unbound/unbound_acls_edit.php (limited to 'config') diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php new file mode 100644 index 00000000..d1b501d6 --- /dev/null +++ b/config/unbound/unbound_acls.php @@ -0,0 +1,860 @@ + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if(!is_process_running("unbound")) { + Header("Location: /pkg_edit.php?xml=unbound.xml&id=0"); + exit; +} + +if (!is_array($config['installedpackages']['unboundacls'][0]['config'])) + $config['installedpackages']['unboundacls'][0]['config'] = array(); + +$a_acls = &$config['installedpackages']['unboundacls'][0]['config']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$act = $_GET['act']; +if (isset($_POST['act'])) + $act = $_POST['act']; + +if ($_GET['act'] == "del") { + + if (!$a_client[$id]) { + pfSenseHeader("vpn_openvpn_client.php"); + exit; + } + + openvpn_delete('client', $a_client[$id]); + unset($a_client[$id]); + write_config(); + $savemsg = gettext("Client successfully deleted")."
"; +} + +if($_GET['act']=="new"){ + $pconfig['autokey_enable'] = "yes"; + $pconfig['tlsauth_enable'] = "yes"; + $pconfig['autotls_enable'] = "yes"; + $pconfig['interface'] = "wan"; + $pconfig['server_port'] = 1194; +} + +if($_GET['act']=="edit"){ + + if (isset($id) && $a_client[$id]) { + + $pconfig['disable'] = isset($a_client[$id]['disable']); + $pconfig['mode'] = $a_client[$id]['mode']; + $pconfig['protocol'] = $a_client[$id]['protocol']; + $pconfig['interface'] = $a_client[$id]['interface']; + if (!empty($a_client[$id]['ipaddr'])) { + $pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$id]['ipaddr']; + } + $pconfig['local_port'] = $a_client[$id]['local_port']; + $pconfig['server_addr'] = $a_client[$id]['server_addr']; + $pconfig['server_port'] = $a_client[$id]['server_port']; + $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry']; + $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr']; + $pconfig['proxy_port'] = $a_client[$id]['proxy_port']; + $pconfig['proxy_user'] = $a_client[$id]['proxy_user']; + $pconfig['proxy_passwd'] = $a_client[$id]['proxy_passwd']; + $pconfig['proxy_authtype'] = $a_client[$id]['proxy_authtype']; + $pconfig['description'] = $a_client[$id]['description']; + $pconfig['custom_options'] = $a_client[$id]['custom_options']; + $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type']; + $pconfig['dev_mode'] = $a_client[$id]['dev_mode']; + + if ($pconfig['mode'] != "p2p_shared_key") { + $pconfig['caref'] = $a_client[$id]['caref']; + $pconfig['certref'] = $a_client[$id]['certref']; + if ($a_client[$id]['tls']) { + $pconfig['tlsauth_enable'] = "yes"; + $pconfig['tls'] = base64_decode($a_client[$id]['tls']); + } + } else + $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); + $pconfig['crypto'] = $a_client[$id]['crypto']; + $pconfig['engine'] = $a_client[$id]['engine']; + + $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network']; + $pconfig['remote_network'] = $a_client[$id]['remote_network']; + $pconfig['compression'] = $a_client[$id]['compression']; + $pconfig['passtos'] = $a_client[$id]['passtos']; + + // just in case the modes switch + $pconfig['autokey_enable'] = "yes"; + $pconfig['autotls_enable'] = "yes"; + } +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + if (isset($id) && $a_client[$id]) + $vpnid = $a_client[$id]['vpnid']; + else + $vpnid = 0; + + if ($pconfig['mode'] != "p2p_shared_key") + $tls_mode = true; + else + $tls_mode = false; + + /* input validation */ + if ($pconfig['local_port']) { + + if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) + $input_errors[] = $result; + + $portused = openvpn_port_used($pconfig['protocol'], $pconfig['local_port']); + if (($portused != $vpnid) && ($portused != 0)) + $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value"); + } + + if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address')) + $input_errors[] = $result; + + if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port')) + $input_errors[] = $result; + + if ($pconfig['proxy_addr']) { + + if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address')) + $input_errors[] = $result; + + if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port')) + $input_errors[] = $result; + + if ($pconfig['proxy_authtype'] != "none") { + if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd'])) + $input_errors[] = gettext("User name and password are required for proxy with authentication."); + } + } + + if($pconfig['tunnel_network']) + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network')) + $input_errors[] = $result; + + if ($pconfig['autokey_enable']) + $pconfig['shared_key'] = openvpn_create_key(); + + if (!$tls_mode && !$pconfig['autokey_enable']) + if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) + $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid"); + + if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) + if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) + $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + + /* If we are not in shared key mode, then we need the CA/Cert. */ + if ($pconfig['mode'] != "p2p_shared_key") { + $reqdfields = explode(" ", "caref certref"); + $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); + } elseif (!$pconfig['autokey_enable']) { + /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */ + $reqdfields = array('shared_key'); + $reqdfieldsn = array(gettext('Shared key')); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + + $client = array(); + + if ($vpnid) + $client['vpnid'] = $vpnid; + else + $client['vpnid'] = openvpn_vpnid_next(); + + if ($_POST['disable'] == "yes") + $client['disable'] = true; + $client['protocol'] = $pconfig['protocol']; + $client['dev_mode'] = $pconfig['dev_mode']; + list($client['interface'], $client['ipaddr']) = explode ("|",$pconfig['interface']); + $client['local_port'] = $pconfig['local_port']; + $client['server_addr'] = $pconfig['server_addr']; + $client['server_port'] = $pconfig['server_port']; + $client['resolve_retry'] = $pconfig['resolve_retry']; + $client['proxy_addr'] = $pconfig['proxy_addr']; + $client['proxy_port'] = $pconfig['proxy_port']; + $client['proxy_authtype'] = $pconfig['proxy_authtype']; + $client['proxy_user'] = $pconfig['proxy_user']; + $client['proxy_passwd'] = $pconfig['proxy_passwd']; + $client['description'] = $pconfig['description']; + $client['mode'] = $pconfig['mode']; + $client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']); + + if ($tls_mode) { + $client['caref'] = $pconfig['caref']; + $client['certref'] = $pconfig['certref']; + if ($pconfig['tlsauth_enable']) { + if ($pconfig['autotls_enable']) + $pconfig['tls'] = openvpn_create_key(); + $client['tls'] = base64_encode($pconfig['tls']); + } + } else { + $client['shared_key'] = base64_encode($pconfig['shared_key']); + } + $client['crypto'] = $pconfig['crypto']; + $client['engine'] = $pconfig['engine']; + + $client['tunnel_network'] = $pconfig['tunnel_network']; + $client['remote_network'] = $pconfig['remote_network']; + $client['compression'] = $pconfig['compression']; + $client['passtos'] = $pconfig['passtos']; + + if (isset($id) && $a_client[$id]) + $a_client[$id] = $client; + else + $a_client[] = $client; + + openvpn_resync('client', $client); + write_config(); + + header("Location: vpn_openvpn_client.php"); + exit; + } +} + + +$pgtitle = "Services: Unbound DNS Forwarder: Access Lists"; +include("head.inc"); + +?> + + + + + + + + + + +
+
    + +
+
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ + /> + +   + +
+
+
+ . +
+ +
+ +
+ +
+
+
+ +
+ +
+ +
+ +
+ +
+ +
+ + + + + +
+ +   :  + + + +
+
+ + + + + + + + + + +
+ + + + + +
+ + > + + + + +
+ . +
+ +
+ . +
+ + + + + +
+ + onClick="tlsauth_change()"> + + + . + +
+ + + + + + +
+ + onClick="autotls_change()"> + + + . + +
+ + + + + +
+ +
+ . +
+
+ + + + No Certificate Authorities defined.
Create one under System > Cert Manager. + +
+ + + + No Certificates defined.
Create one under System > Cert Manager. + +
+ + + + + + +
+ + onClick="autokey_change()"> + + + . + +
+ + + + + +
+ +
+ . +
+
+ +
+ +
+ +
+ . +
+ +
+ . +
+ +
+ . +
+ + + + + +
+ + > + + + . + +
+
+ + + + + +
+ + > + + + . + +
+
+ + + + +
+
+
+ +
+
  + "> + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + " width="17" height="17" border="0"> + +   + ')"> + " width="17" height="17" border="0"> + +
+ " width="17" height="17" border="0"> + +
+

+ +

+
+ + + +
+ + + + + \ No newline at end of file diff --git a/config/unbound/unbound_acls_edit.php b/config/unbound/unbound_acls_edit.php new file mode 100644 index 00000000..db1f9bdb --- /dev/null +++ b/config/unbound/unbound_acls_edit.php @@ -0,0 +1,277 @@ + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ +
+ Deny: This actions stops queries from hosts within the netblock defined below.");?>
+ Refuse: This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?>
+ Allow: This actions allows queries from hosts within the netblock defined below.");?>
+ Allow Snoop: This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?>
+
+
+ > +
+ +
+ +
+
+ + + + + + + + + + + +
   
/   + +
+ + + + + + + + + + +
   + +
   + / + +
+
+ +
+ +
 
  +  
  + "> " onclick="history.back()"> + + + + +
+
+ + + -- cgit v1.2.3 From aa5e95e3d1829d86f8f851b4d77488dc59a23a19 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 29 Sep 2011 20:58:58 +0200 Subject: Add function to determine next available ACL id and replace spaces with _ for acl actions --- config/unbound/unbound.inc | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'config') diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index 6c6a814d..cec618c9 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -623,6 +623,7 @@ function unbound_validate($post, $type=null) { /* Validate the access lists */ if($type == "acl") { $acls = $post; + $acls['aclaction'] = preg_replace(" ", "_", $acls['aclaction']); // Check to ensure values entered is an action that is in the list if ($acls['aclaction'] != 'refuse' && $acls['aclaction'] != 'allow' && $acls['aclaction'] != 'allow_snoop' && $acls['aclaction'] != 'deny') $input_errors[] = "{$acls['aclaction']} is not a valid ACL Action. Please select one of the four actions defined in the list."; @@ -861,4 +862,24 @@ function unbound_add_domain_overrides($pvt=false) { } } +function unbound_acl_id_used($id) { + global $config; + + if (is_array($config['installedpackages']['unboundacls']['config'])) + foreach ($config['installedpackages']['unboundacls']['config'] as & $acls) + if ($id == $acls['aclid']) + return true; + + return false; +} + +function unbound_get_next_id() { + + $aclid = 0; + while(unbound_acl_id_used($aclid)) + $aclid++; + + return $aclid; +} + ?> \ No newline at end of file -- cgit v1.2.3 From d7f430d3f66fa0461737b2cf2485649084c469e2 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 29 Sep 2011 21:06:07 +0200 Subject: Add support for IPv6 ACLs and mixing of both IPv6 and v4 ACLs --- config/unbound/unbound_acls.php | 805 +++++++---------------------------- config/unbound/unbound_acls_edit.php | 277 ------------ 2 files changed, 158 insertions(+), 924 deletions(-) delete mode 100644 config/unbound/unbound_acls_edit.php (limited to 'config') diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php index d1b501d6..b60de2dd 100644 --- a/config/unbound/unbound_acls.php +++ b/config/unbound/unbound_acls.php @@ -30,91 +30,46 @@ */ require("guiconfig.inc"); +require("unbound.inc"); if(!is_process_running("unbound")) { Header("Location: /pkg_edit.php?xml=unbound.xml&id=0"); exit; } -if (!is_array($config['installedpackages']['unboundacls'][0]['config'])) - $config['installedpackages']['unboundacls'][0]['config'] = array(); +if (!is_array($config['installedpackages']['unboundacls']['config'])) + $config['installedpackages']['unboundacls']['config'] = array(); -$a_acls = &$config['installedpackages']['unboundacls'][0]['config']; +$a_acls = &$config['installedpackages']['unboundacls']['config']; $id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; +if (isset($_POST['aclid'])) + $id = $_POST['aclid']; $act = $_GET['act']; if (isset($_POST['act'])) $act = $_POST['act']; -if ($_GET['act'] == "del") { - - if (!$a_client[$id]) { - pfSenseHeader("vpn_openvpn_client.php"); +if ($act == "del") { + if (!$a_acls[$id]) { + pfSenseHeader("unbound_acls.php"); exit; } - openvpn_delete('client', $a_client[$id]); - unset($a_client[$id]); + unset($a_acls[$id]); write_config(); - $savemsg = gettext("Client successfully deleted")."
"; + unbound_reconfigure(); + $savemsg = gettext("Access List successfully deleted")."
"; } -if($_GET['act']=="new"){ - $pconfig['autokey_enable'] = "yes"; - $pconfig['tlsauth_enable'] = "yes"; - $pconfig['autotls_enable'] = "yes"; - $pconfig['interface'] = "wan"; - $pconfig['server_port'] = 1194; +if ($act == "new") { + $id = unbound_get_next_id(); } -if($_GET['act']=="edit"){ - - if (isset($id) && $a_client[$id]) { - - $pconfig['disable'] = isset($a_client[$id]['disable']); - $pconfig['mode'] = $a_client[$id]['mode']; - $pconfig['protocol'] = $a_client[$id]['protocol']; - $pconfig['interface'] = $a_client[$id]['interface']; - if (!empty($a_client[$id]['ipaddr'])) { - $pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$id]['ipaddr']; - } - $pconfig['local_port'] = $a_client[$id]['local_port']; - $pconfig['server_addr'] = $a_client[$id]['server_addr']; - $pconfig['server_port'] = $a_client[$id]['server_port']; - $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry']; - $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr']; - $pconfig['proxy_port'] = $a_client[$id]['proxy_port']; - $pconfig['proxy_user'] = $a_client[$id]['proxy_user']; - $pconfig['proxy_passwd'] = $a_client[$id]['proxy_passwd']; - $pconfig['proxy_authtype'] = $a_client[$id]['proxy_authtype']; - $pconfig['description'] = $a_client[$id]['description']; - $pconfig['custom_options'] = $a_client[$id]['custom_options']; - $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type']; - $pconfig['dev_mode'] = $a_client[$id]['dev_mode']; - - if ($pconfig['mode'] != "p2p_shared_key") { - $pconfig['caref'] = $a_client[$id]['caref']; - $pconfig['certref'] = $a_client[$id]['certref']; - if ($a_client[$id]['tls']) { - $pconfig['tlsauth_enable'] = "yes"; - $pconfig['tls'] = base64_decode($a_client[$id]['tls']); - } - } else - $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); - $pconfig['crypto'] = $a_client[$id]['crypto']; - $pconfig['engine'] = $a_client[$id]['engine']; - - $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network']; - $pconfig['remote_network'] = $a_client[$id]['remote_network']; - $pconfig['compression'] = $a_client[$id]['compression']; - $pconfig['passtos'] = $a_client[$id]['passtos']; - - // just in case the modes switch - $pconfig['autokey_enable'] = "yes"; - $pconfig['autotls_enable'] = "yes"; +if ($act == "edit") { + if (isset($id) && $a_acls[$id]) { + $pconfig = $a_acls[$id]; + $networkacl = $a_acls[$id]['row']; } } @@ -123,134 +78,46 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - if (isset($id) && $a_client[$id]) - $vpnid = $a_client[$id]['vpnid']; - else - $vpnid = 0; - - if ($pconfig['mode'] != "p2p_shared_key") - $tls_mode = true; - else - $tls_mode = false; - - /* input validation */ - if ($pconfig['local_port']) { - - if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) - $input_errors[] = $result; - - $portused = openvpn_port_used($pconfig['protocol'], $pconfig['local_port']); - if (($portused != $vpnid) && ($portused != 0)) - $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value"); - } - - if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address')) - $input_errors[] = $result; - - if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port')) - $input_errors[] = $result; - - if ($pconfig['proxy_addr']) { - - if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address')) - $input_errors[] = $result; - - if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port')) - $input_errors[] = $result; - - if ($pconfig['proxy_authtype'] != "none") { - if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd'])) - $input_errors[] = gettext("User name and password are required for proxy with authentication."); + /* input validation - only allow 50 entries in a single ACL*/ + for($x=0; $x<50; $x++) { + if(isset($pconfig["acl_network{$x}"])) { + $networkacl[$x] = array(); + $networkacl[$x]['acl_network'] = $pconfig["acl_network{$x}"]; + $networkacl[$x]['mask'] = $pconfig["mask{$x}"]; + $networkacl[$x]['description'] = $pconfig["description{$x}"]; + if (!is_ipaddr($networkacl[$x]['acl_network'])) + $input_errors[] = gettext("You must enter a valid network IP address for {$networkacl[$x]['acl_network']}."); + + if (is_ipaddrv4($networkacl[$x]['acl_network'])) { + if (!is_subnet($networkacl[$x]['acl_network']."/".$networkacl[$x]['mask'])) + $input_errors[] = gettext("You must enter a valid IPv4 netmask for {$networkacl[$x]['acl_network']}/{$networkacl[$x]['mask']}."); + } else if (function_exists("is_ipaddrv6")) { + if (!is_ipaddrv6($networkacl[$x]['acl_network'])) + $input_errors[] = gettext("You must enter a valid IPv6 address for {$networkacl[$x]['acl_network']}."); + else if (!is_subnetv6($networkacl[$x]['acl_network']."/".$networkacl[$x]['mask'])) + $input_errors[] = gettext("You must enter a valid IPv6 netmask for {$networkacl[$x]['acl_network']}/{$networkacl[$x]['mask']}."); + } else + $input_errors[] = gettext("You must enter a valid IPv4 address for {$networkacl[$x]['acl_network']}."); } } - - if($pconfig['tunnel_network']) - if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) - $input_errors[] = $result; - - if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network')) - $input_errors[] = $result; - - if ($pconfig['autokey_enable']) - $pconfig['shared_key'] = openvpn_create_key(); - - if (!$tls_mode && !$pconfig['autokey_enable']) - if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || - !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) - $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid"); - - if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) - if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || - !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) - $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); - - /* If we are not in shared key mode, then we need the CA/Cert. */ - if ($pconfig['mode'] != "p2p_shared_key") { - $reqdfields = explode(" ", "caref certref"); - $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); - } elseif (!$pconfig['autokey_enable']) { - /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */ - $reqdfields = array('shared_key'); - $reqdfieldsn = array(gettext('Shared key')); - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (!$input_errors) { - $client = array(); - - if ($vpnid) - $client['vpnid'] = $vpnid; - else - $client['vpnid'] = openvpn_vpnid_next(); - - if ($_POST['disable'] == "yes") - $client['disable'] = true; - $client['protocol'] = $pconfig['protocol']; - $client['dev_mode'] = $pconfig['dev_mode']; - list($client['interface'], $client['ipaddr']) = explode ("|",$pconfig['interface']); - $client['local_port'] = $pconfig['local_port']; - $client['server_addr'] = $pconfig['server_addr']; - $client['server_port'] = $pconfig['server_port']; - $client['resolve_retry'] = $pconfig['resolve_retry']; - $client['proxy_addr'] = $pconfig['proxy_addr']; - $client['proxy_port'] = $pconfig['proxy_port']; - $client['proxy_authtype'] = $pconfig['proxy_authtype']; - $client['proxy_user'] = $pconfig['proxy_user']; - $client['proxy_passwd'] = $pconfig['proxy_passwd']; - $client['description'] = $pconfig['description']; - $client['mode'] = $pconfig['mode']; - $client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']); - - if ($tls_mode) { - $client['caref'] = $pconfig['caref']; - $client['certref'] = $pconfig['certref']; - if ($pconfig['tlsauth_enable']) { - if ($pconfig['autotls_enable']) - $pconfig['tls'] = openvpn_create_key(); - $client['tls'] = base64_encode($pconfig['tls']); - } - } else { - $client['shared_key'] = base64_encode($pconfig['shared_key']); - } - $client['crypto'] = $pconfig['crypto']; - $client['engine'] = $pconfig['engine']; - - $client['tunnel_network'] = $pconfig['tunnel_network']; - $client['remote_network'] = $pconfig['remote_network']; - $client['compression'] = $pconfig['compression']; - $client['passtos'] = $pconfig['passtos']; - - if (isset($id) && $a_client[$id]) - $a_client[$id] = $client; - else - $a_client[] = $client; - - openvpn_resync('client', $client); - write_config(); - - header("Location: vpn_openvpn_client.php"); + if(!$a_acls[$id]) + $a_acls[$id]['aclid'] = $id; + + if (isset($id) && $a_acls[$id]) { + $a_acls[$id]['aclid'] = $pconfig['aclid']; + $a_acls[$id]['aclname'] = $pconfig['aclname']; + $a_acls[$id]['aclaction'] = $pconfig['aclaction']; + $a_acls[$id]['description'] = $pconfig['description']; + $a_acls[$id]['row'] = array(); + foreach ($networkacl as $acl) + $a_acls[$id]['row'][] = $acl; + write_config(); + unbound_reconfigure(); + } + header("Location: unbound_acls.php"); exit; } } @@ -260,7 +127,31 @@ $pgtitle = "Services: Unbound DNS Forwarder: Access Lists"; include("head.inc"); ?> + + + + + + @@ -291,476 +183,119 @@ if ($savemsg) -
+ + + + - - - - - + - + - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - + - - - - - - - -
- - - - - -
- - /> - -   - -
-
-
- . -
- + +
+
- -
- -
- + + -
-
- +
- -
- -
- -
- -
- -
- - - - - -
- -   :  - - - -
-
- - - - - - - - - - + +
+ Deny: This actions stops queries from hosts within the netblock defined below.");?>
+ Refuse: This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?>
+ Allow: This actions allows queries from hosts within the netblock defined below.");?>
+ Allow Snoop: This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?>
+
- + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + +
+ + - - + + + -
- - > - - - - -
- . -
- -
- . -
- - - - - -
- - onClick="tlsauth_change()"> - - - . - -
- - - - - - -
- - onClick="autotls_change()"> - - - . - -
- - + + + - -
- -
- . +
-
- - - - No Certificate Authorities defined.
Create one under System > Cert Manager. - -
- - - - No Certificates defined.
Create one under System > Cert Manager. - -
- - - - -
- - onClick="autokey_change()"> + - - . - +
- - - -
- -
- . +
-
- -
- -
- -
- . -
- -
- . -
- -
- . -
- - - - - -
- - > - - - . - -
+
+ + " /> + + +
- - - - - -
- - > - - - . - -
+ +
+
 
- - - - -
-
-
- -
-
  - "> - - - - + +  
  + "> " onclick="history.back()">
@@ -781,23 +316,16 @@ if ($savemsg) - + - - - - + - + @@ -818,7 +346,7 @@ if ($savemsg) - " width="17" height="17" border="0"> + " width="17" height="17" border="0"> @@ -837,24 +365,7 @@ if ($savemsg) - - \ No newline at end of file diff --git a/config/unbound/unbound_acls_edit.php b/config/unbound/unbound_acls_edit.php deleted file mode 100644 index db1f9bdb..00000000 --- a/config/unbound/unbound_acls_edit.php +++ /dev/null @@ -1,277 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
- -
- Deny: This actions stops queries from hosts within the netblock defined below.");?>
- Refuse: This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?>
- Allow: This actions allows queries from hosts within the netblock defined below.");?>
- Allow Snoop: This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?>
-
-
- > -
- -
- -
-
- - - - - - - - - - - -
   
/   - -
- - - - - - - - - - -
   - -
   - / - -
-
- -
- -
 
  -  
  - "> " onclick="history.back()"> - - - - -
-
- - - -- cgit v1.2.3 From 9667e04e3eddfcb4bc140898af8c4026c4d02b9d Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 29 Sep 2011 21:23:48 +0200 Subject: Update files to make use of new ACLs --- config/unbound/unbound.xml | 6 +++--- config/unbound/unbound_advanced.xml | 2 +- config/unbound/unbound_status.php | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'config') diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index ff73d1ed..5e6361d5 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -66,9 +66,9 @@ http://www.pfsense.org/packages/config/unbound/unbound_status.php - /usr/local/pkg/ + /usr/local/www/ 0644 - http://www.pfsense.org/packages/config/unbound/unbound_acls.xml + http://www.pfsense.org/packages/config/unbound/unbound_acls.php /usr/local/pkg/ @@ -89,7 +89,7 @@ Unbound DNS ACLs - /pkg.php?xml=unbound_acls.xml + /unbound_acls.php Unbound DNS Status diff --git a/config/unbound/unbound_advanced.xml b/config/unbound/unbound_advanced.xml index 10449b2d..239c39ee 100644 --- a/config/unbound/unbound_advanced.xml +++ b/config/unbound/unbound_advanced.xml @@ -68,7 +68,7 @@ Unbound DNS ACLs - /pkg.php?xml=unbound_acls.xml + /unbound_acls.php Unbound DNS Status diff --git a/config/unbound/unbound_status.php b/config/unbound/unbound_status.php index 405b24d4..d011b109 100644 --- a/config/unbound/unbound_status.php +++ b/config/unbound/unbound_status.php @@ -127,7 +127,7 @@ function execCmds() { $tab_array = array(); $tab_array[] = array(gettext("Unbound DNS Settings"), false, "/pkg_edit.php?xml=unbound.xml&id=0"); $tab_array[] = array(gettext("Unbound DNS Advanced Settings"), false, "/pkg_edit.php?xml=unbound_advanced.xml&id=0"); - $tab_array[] = array(gettext("Unbound DNS ACLs"), false, "/pkg.php?xml=unbound_acls.xml"); + $tab_array[] = array(gettext("Unbound DNS ACLs"), false, "/unbound_acls.php"); $tab_array[] = array(gettext("Unbound DNS Status"), true, "/unbound_status.php"); display_top_tabs($tab_array, true); ?> -- cgit v1.2.3 From 053744f58c69b71f6d2cce08b29173106a2e46ac Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 29 Sep 2011 21:46:39 +0200 Subject: Late nights equal though processes to suffer and thus mistakes start to happen and silly things like this get done, but i blame it on jetlag - swop order around for ln --- config/unbound/unbound.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index cec618c9..d44d01a0 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -200,7 +200,7 @@ function unbound_control($action) { unbound_ctl_exec("start"); /* Link dnsmasq.pid to prevent dhcpleases logging error */ if (!file_exists("/var/run/dnsmasq.pid")) - mwexec("/bin/ln -s /var/run/dnsmasq.pid /var/run/unbound.pid"); + mwexec("/bin/ln -s /var/run/unbound.pid /var/run/dnsmasq.pid"); fetch_root_hints(); } break; -- cgit v1.2.3 From bf6f1542ec79dcf5e363732f9c902b6bbd4b5535 Mon Sep 17 00:00:00 2001 From: jim-p Date: Thu, 29 Sep 2011 16:23:20 -0400 Subject: Ensure a newline comes before the options placed into loader.conf --- config/open-vm-tools/open-vm-tools.inc | 1 + config/open-vm-tools_2/open-vm-tools.inc | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/open-vm-tools/open-vm-tools.inc b/config/open-vm-tools/open-vm-tools.inc index f963d9b7..5db7de3f 100644 --- a/config/open-vm-tools/open-vm-tools.inc +++ b/config/open-vm-tools/open-vm-tools.inc @@ -11,6 +11,7 @@ function open_vm_tools_install() { $load_conf = file_get_contents("/boot/loader.conf") . "\n"; if(!strstr($load_conf, "vmxnet")) { $load_conf .= << \ No newline at end of file +?> -- cgit v1.2.3 From df75910df06941921b7bbb2f0ccc71168d587f12 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 29 Sep 2011 22:50:09 +0200 Subject: Handle snoop acl correctly --- config/unbound/unbound.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index d44d01a0..afb3c0b7 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -311,6 +311,8 @@ function unbound_acls_config() { foreach($unbound_acls as $unbound_acl){ $unboundcfg .= "#{$unbound_acl['aclname']}\n"; foreach($unbound_acl['row'] as $network) { + if ($unbound_acl['aclaction'] == "allow snoop") + $unbound_acl['aclaction'] = "allow_snoop"; $unboundcfg .= "access-control: {$network['acl_network']}/{$network['mask']} {$unbound_acl['aclaction']}\n"; } } @@ -623,7 +625,6 @@ function unbound_validate($post, $type=null) { /* Validate the access lists */ if($type == "acl") { $acls = $post; - $acls['aclaction'] = preg_replace(" ", "_", $acls['aclaction']); // Check to ensure values entered is an action that is in the list if ($acls['aclaction'] != 'refuse' && $acls['aclaction'] != 'allow' && $acls['aclaction'] != 'allow_snoop' && $acls['aclaction'] != 'deny') $input_errors[] = "{$acls['aclaction']} is not a valid ACL Action. Please select one of the four actions defined in the list."; -- cgit v1.2.3 From 63b21977b98eec6857eb112fbfd3a3267717e3f7 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 29 Sep 2011 22:50:31 +0200 Subject: Swop order for select list --- config/unbound/unbound_acls.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php index b60de2dd..40f21595 100644 --- a/config/unbound/unbound_acls.php +++ b/config/unbound/unbound_acls.php @@ -203,7 +203,7 @@ if ($savemsg) All - log files will be saved. + onclick="return confirm('Do you really want to remove all your logs ? All snort rule interfces may have to be restarted.')"> Warning: all log files will be deleted. @@ -561,21 +560,11 @@ if ($pconfig['arefresh'] == 'on') - - + - var myTable = {}; - window.addEvent('domready', function(){ - myTable = new sortableTable('myTable', {overCls: 'over'}); - }); - +echo $snort_custom_rnd_box; +?> -- cgit v1.2.3