</HTML>
EOD;
+} else if (($_ENV['SERVER_PORT'] != 8001) && isset($config['captiveportal']['httpslogin'])) {
+ /* redirect to HTTPS login page */
+ header("Location: https://{$config['captiveportal']['httpsname']}:8001/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
} else {
/* display captive portal page */
- readfile("{$g['varetc_path']}/captiveportal.html");
+ $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html");
+
+ /* substitute variables */
+ if (isset($config['captiveportal']['httpslogin']))
+ $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext);
+ else
+ $htmltext = str_replace("\$PORTAL_ACTION\$", "", $htmltext);
+
+ if (preg_match("/redirurl=(.*)/", $orig_request, $matches))
+ $redirurl = urldecode($matches[1]);
+ else
+ $redirurl = "http://{$orig_host}{$orig_request}";
+ $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext);
+
+ echo $htmltext;
}
exit;
portal_unlock();
/* redirect user to desired destination */
+ if ($config['captiveportal']['redirurl'])
+ $redirurl = $config['captiveportal']['redirurl'];
+ else if ($_POST['redirurl'])
+ $redirurl = $_POST['redirurl'];
+ else
+ $redirurl = "http://{$orig_host}{$orig_request}";
+
if(isset($config['captiveportal']['logoutwin_enable'])) {
+
+ if (isset($config['captiveportal']['httpslogin']))
+ $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";
+ else
+ $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/";
+
echo <<<EOD
<HTML>
<HEAD><TITLE>Redirecting...</TITLE></HEAD>
<BODY>
<SPAN STYLE="font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">
-<B>Redirecting to <A HREF="http://{$orig_host}{$orig_request}">http://{$orig_host}{$orig_request}</A>...</B>
+<B>Redirecting to <A HREF="{$redirurl}">{$redirurl}</A>...</B>
</SPAN>
<SCRIPT LANGUAGE="JavaScript">
<!--
LogoutWin.document.write('<BODY BGCOLOR="#435370">');
LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ;
LogoutWin.document.write('<B>Click the button below to disconnect</B><P>');
- LogoutWin.document.write('<FORM METHOD="POST" ACTION="http://{$config['interfaces']['lan']['ipaddr']}:8000/index.php">');
+ LogoutWin.document.write('<FORM METHOD="POST" ACTION="{$logouturl}">');
LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="{$clientmac}">');
LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">');
LogoutWin.document.write('</FORM>');
LogoutWin.document.close();
}
-document.location.href="http://{$orig_host}{$orig_request}";
+document.location.href="{$redirurl}";
-->
</SCRIPT>
</BODY>
EOD;
} else {
- header("Location: http://" . $orig_host . $orig_request);
+ header("Location: " . $redirurl);
}
}
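Review bot: `$redirurl` taken from `$_POST['redirurl']` at L31 is emitted unescaped into the HTML anchor at L48, into a JavaScript string literal at L63 and into the `Location:` header at L70, so a client-supplied value can inject markup or script into the redirect page, and on PHP builds that do not reject newlines in `header()` a CR/LF in it splits the response. Restrict it to a plain http(s) URL before any of those uses, e.g. `if (!preg_match('#^https?://[^\s"\'<>]+$#i', $redirurl)) $redirurl = "http://{$orig_host}{$orig_request}";`, and pass it through `htmlspecialchars()` where it lands inside the heredoc. The admin-configured `$config['captiveportal']['redirurl']` at L28 takes the same path and deserves the same escaping. The enclosing block that L72 closes starts outside the hunk.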
exec("/bin/hostname", $nasHostname) ;
if(!$nasHostname[0])
- $nasHostname[0] = "quewall" ;
+ $nasHostname[0] = "m0n0wall" ;
$fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
if(!$fd)
# /etc/rc
# part of m0n0wall (http://neon1.net/m0n0wall)
#
-# Copyright (C) 2003 Manuel Kasper <mk@neon1.net>.
+# Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
# All rights reserved.
stty status '^T'
/* kill any running mini_httpd */
killbypid("{$g['varrun_path']}/mini_httpd.cp.pid");
+ killbypid("{$g['varrun_path']}/mini_httpd.cps.pid");
/* kill any running minicron */
killbypid("{$g['varrun_path']}/minicron.pid");
/* start web server */
mwexec("/usr/local/sbin/mini_httpd -a -M 0 -u root -maxproc 16" .
" -p 8000 -i {$g['varrun_path']}/mini_httpd.cp.pid");
+
+ /* fire up another one for HTTPS if requested */
+ if (isset($config['captiveportal']['httpslogin']) &&
+ $config['captiveportal']['certificate'] && $config['captiveportal']['private-key']) {
+
+ $cert = base64_decode($config['captiveportal']['certificate']);
+ $key = base64_decode($config['captiveportal']['private-key']);
+
+ $fd = fopen("{$g['varetc_path']}/cert-portal.pem", "w");
+ if (!$fd) {
+ printf("Error: cannot open cert-portal.pem in system_webgui_start().\n");
+ return 1;
+ }
+ chmod("{$g['varetc_path']}/cert-portal.pem", 0600);
+ fwrite($fd, $cert);
+ fwrite($fd, "\n");
+ fwrite($fd, $key);
+ fclose($fd);
+
+ mwexec("/usr/local/sbin/mini_httpd -S -a -M 0 -E {$g['varetc_path']}/cert-portal.pem" .
+ " -u root -maxproc 16 -p 8001" .
+ " -i {$g['varrun_path']}/mini_httpd.cps.pid");
+ }
/* start pruning process (interval = 60 seconds) */
mwexec("/usr/local/bin/minicron 60 {$g['varrun_path']}/minicron.pid " .
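Review bot: The failure message at L104 names `system_webgui_start()`, but this code runs in the captive-portal start path, so anyone reading the boot log is pointed at the wrong function; use the enclosing function's name, which starts outside the hunk. `cert-portal.pem` is created by `fopen()` at L102 with whatever the process umask allows and only tightened by `chmod()` at L107; because the key bytes are written after the chmod the window is harmless, but calling `umask(077)` before the `fopen()` removes the dependency on that ordering, e.g. `$oldumask = umask(077);` before L102 and `umask($oldumask);` after `fclose()`.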
add 1300 set 1 pass udp from any to $cpip 53 in
add 1301 set 1 pass udp from $cpip 53 to any out
+# allow access to our web server
+add 1302 set 1 pass tcp from any to $cpip 8000 in
+add 1303 set 1 pass tcp from $cpip 8000 to any out
+
+EOD;
+
+ if (isset($config['captiveportal']['httpslogin'])) {
+ $cprules .= <<<EOD
+add 1304 set 1 pass tcp from any to $cpip 8001 in
+add 1305 set 1 pass tcp from $cpip 8001 to any out
+
+EOD;
+ }
+
+ $cprules .= <<<EOD
+
# ... 10000-19899: rules per authenticated client go here...
# redirect non-authenticated clients to captive portal
conf_mount_rw();
+ if (time() > mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings is plausible */
+ $config['lastchange'] = time();
+
/* generate configuration XML */
$xmlconfig = dump_xml_config($config, $g['xml_rootobj']);
/* static routes */
if (is_array($config['staticroutes']['route'])) {
foreach ($config['staticroutes']['route'] as $route) {
- $natrules .= filter_nat_rules_generate_if($wanif,
- $route['network'], "", null);
+ if ($route['interface'] != "wan")
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ $route['network'], "", null);
}
}
}
}
}
- if ($pptpdcfg['mode']) {
+ if ($pptpdcfg['mode'] && $pptpdcfg['mode'] != "off") {
if ($pptpdcfg['mode'] == "server")
$pptpdtarget = "127.0.0.1";
- else
+ else if ($pptpdcfg['mode'] == "redir")
$pptpdtarget = $pptpdcfg['redir'];
+ if ($pptpdtarget) {
+
$natrules .= <<<EOD
# PPTP
rdr $wanif 0/0 port 1723 -> $pptpdtarget port 1723 tcp
EOD;
+ }
}
return $natrules;
}
+ if (!isset($config['system']['webgui']['noantilockout'])) {
+
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webGUI
pass in quick from $lansa/$lansn to $lanip keep state group 100
EOD;
+ }
/* PPTPd enabled? */
if ($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) {
$cmd .= " mtu 1500";
mwexec($cmd);
+
+ /* make sure the parent interface is up */
+ mwexec("/sbin/ifconfig " . escapeshellarg($vlan['if']) . " up");
+
$i++;
}
}
$subnetmask = gen_subnet_mask($ifcfg['subnet']);
$dnscfg = "";
+
+ if ($dhcpifconf['domain']) {
+ $dnscfg .= " option domain-name \"{$dhcpifconf['domain']}\";\n";
+ }
+
if (isset($config['dnsmasq']['enable'])) {
- $dnscfg = "option domain-name-servers " . $ifcfg['ipaddr'] . ";";
+ $dnscfg .= " option domain-name-servers " . $ifcfg['ipaddr'] . ";";
} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
- $dnscfg = "option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";";
+ $dnscfg .= " option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";";
}\r
\r
$dhcpdconf .= "subnet $subnet netmask $subnetmask {\n";\r
if (isset($dhcpifconf['denyunknown'])) \r
$dhcpdconf .= " deny unknown clients;\n";
+ if ($dhcpifconf['gateway'])
+ $routers = $dhcpifconf['gateway'];
+ else
+ $routers = $ifcfg['ipaddr'];
+
$dhcpdconf .= <<<EOD
range {$dhcpifconf['range']['from']} {$dhcpifconf['range']['to']};
}
- option routers {$ifcfg['ipaddr']};
- $dnscfg
+ option routers {$routers};
+$dnscfg
EOD;
$dhcpdconf .= " option netbios-name-servers " . join(",", $dhcpifconf['winsserver']) . ";\n";
$dhcpdconf .= " option netbios-node-type 8;\n";
}
+
+ if ($dhcpifconf['next-server'])
+ $dhcpdconf .= " next-server {$dhcpifconf['next-server']};\n";
+ if ($dhcpifconf['filename'])
+ $dhcpdconf .= " filename \"{$dhcpifconf['filename']}\";\n";
$dhcpdconf .= <<<EOD
}
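Review bot: `$dhcpifconf['domain']` at L197 and `$dhcpifconf['filename']` at L231 are interpolated inside double-quoted dhcpd.conf strings with no escaping or validation, so a value containing `"` or `;` produces a configuration dhcpd cannot parse and the DHCP service fails to start; `$dhcpifconf['gateway']` (L212) and `$dhcpifconf['next-server']` (L229) are likewise emitted as-is. These values come from the administrator's configuration rather than from clients, but the webGUI page that stores them should validate them (`is_domain()` for the domain, the project's address validator for gateway and next-server, and a check that filename contains no `"`) so a typo cannot take DHCP down. This region appears to span more than one hunk of the same file, and the enclosing function starts and ends outside the view.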
captiveportal_radius_stop_all();
}
-function system_do_shell_commands() {
+function system_do_shell_commands($early = 0) {
global $config, $g;
- if (is_array($config['system']['shellcmd'])) {
+ if ($early)
+ $cmdn = "earlyshellcmd";
+ else
+ $cmdn = "shellcmd";
+
+ if (is_array($config['system'][$cmdn])) {
- foreach ($config['system']['shellcmd'] as $cmd) {
+ foreach ($config['system'][$cmdn] as $cmd) {
exec($cmd);
}
}
return 0;
}
+function system_set_harddisk_standby() {
+ global $g, $config;
+
+ if ($g['platform'] != "generic-pc")
+ return;
+
+ if (isset($config['system']['harddiskstandby'])) {
+ if ($g['booting']) {
+ echo 'Setting harddisk standby time... ';
+ }
+
+ $standby = $config['system']['harddiskstandby'];
+ // Check for a numeric value
+ if (is_numeric($standby)) {
+ // Sync the disk(s)
+ mwexec('/bin/sync');
+ if (!mwexec('/sbin/sysctl hw.ata.standby=' . ((int)$standby))) {
+ // Reinitialize ATA-drives
+ mwexec('/usr/local/sbin/atareinit');
+ if ($g['booting']) {
+ echo "done\n";
+ }
+ } else if ($g['booting']) {
+ echo "failed\n";
+ }
+ } else if ($g['booting']) {
+ echo "failed\n";
+ }
+ }
+}
+
?>
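Review bot: `system_set_harddisk_standby()` is a new helper that system_advanced.php calls at L737, yet it has no header comment; add one above L253 such as `/* Set the ATA standby timer (hw.ata.standby) from $config['system']['harddiskstandby']; does nothing unless the platform is generic-pc. */`. It also returns nothing, so the caller cannot tell the early exit at L257 from success or from the failed sysctl at L269; returning the `mwexec()` status there, and 0 from the other paths, would make the result usable and match `system_do_shell_commands()` just above, which ends with `return 0;`.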
mwexec("/usr/sbin/setkey -FP");
mwexec("/usr/sbin/setkey -F");
+ /* prefer old SAs only for 30 seconds, then use the new one */
+ mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
+
if (isset($ipseccfg['enable'])) {
if (!$curwanip) {
peers_identifier address {$tunnel['remote-gateway']};
initial_contact on;
support_proxy on;
- proposal_check obey;
+ proposal_check claim;
proposal \{
encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
passive on;
generate_policy on;
support_proxy on;
- proposal_check obey;
+ proposal_check claim;
proposal \{
encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
\r
/* start racoon */
mwexec("/usr/local/sbin/racoon -d -f {$g['varetc_path']}/racoon.conf");
+
+ foreach ($ipseccfg['tunnel'] as $tunnel) {\r
+ if (isset($tunnel['auto'])) {\r
+ $remotehost = substr($tunnel['remote-subnet'],0,strpos($tunnel['remote-subnet'],"/"));
+ $srchost = vpn_endpoint_determine($tunnel, $curwanip);
+ if ($srchost)\r
+ mwexec_bg("/sbin/ping -c 1 -S {$srchost} {$remotehost}");\r
+ }\r
+ }
}
}
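Review bot: `$srchost` and `$remotehost` are placed unquoted into the shell command at L315, whereas the VLAN hunk at L188 wraps its interface name in `escapeshellarg()`; for consistency use `mwexec_bg("/sbin/ping -c 1 -S " . escapeshellarg($srchost) . " " . escapeshellarg($remotehost));`. When `remote-subnet` contains no `/`, `strpos()` returns false and the `substr()` at L312 yields an empty host, so the ping is issued with a missing argument and silently fails; changing the guard at L314 to `if ($srchost && $remotehost)` makes that explicit. The loop also assumes `$ipseccfg['tunnel']` is an array, which the visible code does not check, unlike the `is_array()` guards used elsewhere in this change (e.g. L146).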
set link mtu 1460
set link keep-alive 10 60
set ipcp yes vjcomp
- set ipcp dns {$dnsconf}
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e128
/* tags that are always to be handled as lists */
$listtags = explode(" ", "rule user key dnsserver winsserver " .
"encryption-algorithm-option hash-algorithm-option hosts tunnel onetoone " .
- "staticmap route alias pipe queue shellcmd mobilekey servernat " .
- "proxyarpnet passthrumac allowedip wolentry vlan");
+ "staticmap route alias pipe queue shellcmd earlyshellcmd mobilekey " .
+ "servernat proxyarpnet passthrumac allowedip wolentry vlan");
function startElement($parser, $name, $attrs) {
global $depth, $curpath, $config, $havedata, $listtags;
/* convert configuration, if necessary */
convert_config();
+ /* run any early shell commands specified in config.xml */
+ system_do_shell_commands(1);
+
/* save dmesg output to file */
system_dmesg_save();
--- /dev/null
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.ping
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ echo "\nEnter a host name or IP address: ";
+
+ $pinghost = chop(fgets($fp));
+ if ($pinghost) {
+ echo "\n";
+ passthru("/sbin/ping -c 3 -n " . escapeshellarg($pinghost));
+ echo "\nPress ENTER to continue.\n";
+ fgets($fp);
+ }
+?>
$config['system']['webgui']['protocol'] = "http";
}
+ if (isset($config['system']['webgui']['noantilockout'])) {
+ echo "\nNote: the anti-lockout rule on LAN has been re-enabled.\n";
+ unset($config['system']['webgui']['noantilockout']);
+ }
+
write_config();
interfaces_lan_configure();
exit;
} else if (($_POST['submit'] == "Upload") && is_uploaded_file($_FILES['ulfile']['tmp_name'])) {
move_uploaded_file($_FILES['ulfile']['tmp_name'], "/tmp/" . $_FILES['ulfile']['name']);
- $ulmsg = "Uploaded file " . htmlentities($_FILES['ulfile']['name']) . " to /tmp.";
+ $ulmsg = "Uploaded file to /tmp/" . htmlentities($_FILES['ulfile']['name']);
unset($_POST['txtCommand']);
}
?>
}
endif;
?>
- <?php if (strstr($_SERVER['SCRIPT_FILENAME'], "diag_") || strstr($_SERVER['SCRIPT_FILENAME'], "reboot")): ?>
+ <?php if (isset($config['system']['webgui']['expanddiags']) || strstr($_SERVER['SCRIPT_FILENAME'], "diag_") || strstr($_SERVER['SCRIPT_FILENAME'], "reboot")): ?>
<a href="javascript:showhide('diag','tri_diag')"><img src="/tri_o.gif" id="tri_diag" width="14" height="10" border="0"></a><strong><a href="javascript:showhide('diag','tri_diag')" class="navlnk">Diagnostics</a></strong><br>
<span id="diag">
<?php else: ?>
if (isset($filterent['disabled']))
$iconfn .= "_d";
?>
- <br><a href="?act=toggle&id=<?=$i;?>"><img src="<?=$iconfn;?>.gif" width="11" height="15" border="0" title="click to toggle enabled/disabled status"></a>
+ <br><img src="<?=$iconfn;?>.gif" width="11" height="15" border="0">
<?php endif; ?>
</td>
<td class="listlr">
'cast128' => 'CAST128');
$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish',
'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)');
-$p1_halgos = array('md5' => 'MD5', 'sha1' => 'SHA1');
-$p2_halgos = array('hmac_md5' => 'MD5', 'hmac_sha1' => 'SHA1');
+$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5');
+$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5');
$p2_protos = array('esp' => 'ESP', 'ah' => 'AH');
$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5');
function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) {
+
+ /* check for bad control characters */
+ foreach ($postdata as $pn => $pd) {
+ if (is_string($pd) && preg_match("/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]/", $pd)) {
+ $input_errors[] = "The field '" . $pn . "' contains invalid characters.";
+ }
+ }
+
for ($i = 0; $i < count($reqdfields); $i++) {
if (!$_POST[$reqdfields[$i]]) {
$input_errors[] = "The field '" . $reqdfieldsn[$i] . "' is required.";
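Review bot: The visible signature at L433 takes `$input_errors` by value, so the messages appended at L438 (and the pre-existing one at L444) only reach the caller if every call site uses call-time pass-by-reference; if that is not guaranteed, declare it as `&$input_errors` in the signature. The character class stops at `\x1f`, so DEL passes; if it should be rejected too, extend the pattern to `"/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f]/"`. The loop below still reads `$_POST` directly while the new loop uses `$postdata`, so the two checks can disagree about what they validate; the function's body continues outside the hunk.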
echo htmlspecialchars($uptimestr);
?>
</td>
+ </tr><?php if ($config['lastchange']): ?>
+ <tr>
+ <td width="25%" class="vncellt">Last config change</td>
+ <td width="75%" class="listr">
+ <?=htmlspecialchars(date("D M j G:i:s T Y", $config['lastchange']));?>
+ </td>
+ </tr><?php endif; ?>
+ <tr>
+ <td width="25%" class="vncellt">CPU usage</td>
+ <td width="75%" class="listr">
+<?php
+$cpuTicks = explode(" ", `/sbin/sysctl -n kern.cp_time`);
+sleep(1);
+$cpuTicks2 = explode(" ", `/sbin/sysctl -n kern.cp_time`);
+
+$diff = array();
+$diff['user'] = $cpuTicks2[0] - $cpuTicks[0];
+$diff['nice'] = $cpuTicks2[1] - $cpuTicks[1];
+$diff['sys'] = $cpuTicks2[2] - $cpuTicks[2];
+$diff['intr'] = $cpuTicks2[3] - $cpuTicks[3];
+$diff['idle'] = $cpuTicks2[4] - $cpuTicks[4];
+
+$totalDiff = $diff['user'] + $diff['nice'] + $diff['sys'] + $diff['intr'] + $diff['idle'];
+
+$cpuUsage = round(100 * (1 - $diff['idle'] / $totalDiff), 0);
+
+echo "<img src='bar_left.gif' height='15' width='4' border='0' align='absmiddle'>";
+echo "<img src='bar_blue.gif' height='15' width='" . $cpuUsage . "' border='0' align='absmiddle'>";
+echo "<img src='bar_gray.gif' height='15' width='" . (100 - $cpuUsage) . "' border='0' align='absmiddle'>";
+echo "<img src='bar_right.gif' height='15' width='5' border='0' align='absmiddle'> ";
+echo $cpuUsage . "%";
+?>
+ </td>
+ </tr>
+ <tr>
+ <td width="25%" class="vncellt">Memory usage</td>
+ <td width="75%" class="listr">
+<?php
+
+exec("/sbin/sysctl -n vm.stats.vm.v_active_count vm.stats.vm.v_inactive_count " .
+ "vm.stats.vm.v_wire_count vm.stats.vm.v_cache_count vm.stats.vm.v_free_count", $memory);
+
+$totalMem = $memory[0] + $memory[1] + $memory[2] + $memory[3] + $memory[4];
+$freeMem = $memory[4];
+$usedMem = $totalMem - $freeMem;
+$memUsage = round(($usedMem * 100) / $totalMem, 0);
+
+echo " <img src='bar_left.gif' height='15' width='4' border='0' align='absmiddle'>";
+echo "<img src='bar_blue.gif' height='15' width='" . $memUsage . "' border='0' align='absmiddle'>";
+echo "<img src='bar_gray.gif' height='15' width='" . (100 - $memUsage) . "' border='0' align='absmiddle'>";
+echo "<img src='bar_right.gif' height='15' width='5' border='0' align='absmiddle'> ";
+echo $memUsage . "%";
+?>
+ </td>
</tr>
</table>
<?php include("fend.inc"); ?>
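Review bot: The `sleep(1)` at L460 makes every load of the status page block inside a mini_httpd worker for a full second, so several admins refreshing it, or a browser polling it, tie up workers accordingly; shortening the interval or keeping the previous `kern.cp_time` sample between requests would avoid that. `$totalDiff` (L470) and `$totalMem` (L490) are used as divisors with no check, and if either `sysctl` call fails both are 0 and the page emits a division-by-zero warning in the middle of the table; guard with `if ($totalDiff > 0)` / `if ($totalMem > 0)` and print `n/a` otherwise. The backtick operator at L459 and L461 behaves like `shell_exec()` and has no error return, which is why that failure would otherwise be silent.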
<td class="listhdr">Network port</td>
<td class="list"> </td>
</tr>
- <?php foreach ($config['interfaces'] as $ifname => $iface): ?>
+ <?php foreach ($config['interfaces'] as $ifname => $iface):
+ if ($iface['descr'])
+ $ifdescr = $iface['descr'];
+ else
+ $ifdescr = strtoupper($ifname);
+ ?>
<tr>
- <td class="listlr" valign="middle"><strong><?=strtoupper($ifname);?></strong></td>
+ <td class="listlr" valign="middle"><strong><?=$ifdescr;?></strong></td>
<td valign="middle" class="listr">
<select name="<?=$ifname;?>" class="formfld" id="<?=$ifname;?>">
<?php foreach ($portlist as $portname => $portinfo): ?>
</td>
</tr>
<?php endforeach; ?>
+ <?php if (count($config['interfaces']) < count($portlist)): ?>
<tr>
<td class="list" colspan="2"></td>
- <td class="list" nowrap><?php if (count($config['interfaces']) < count($portlist)): ?>
+ <td class="list" nowrap>
<a href="interfaces_assign.php?act=add"><img src="plus.gif" title="add interface" width="17" height="17" border="0"></a>
- <?php endif; ?> </td>
+ </td>
</tr>
+ <?php else: ?>
+ <tr>
+ <td class="list" colspan="3" height="10"></td>
+ </tr>
+ <?php endif; ?>
</table>
<input name="Submit" type="submit" class="formbtn" value="Save">
<p><span class="vexpl"><strong><span class="red">Warning:</span><br>
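Review bot: `$ifdescr` is printed raw at L517, but `$iface['descr']` is free text from the configuration, and the other label sites in this change (e.g. L802) wrap such values in `htmlspecialchars()`; use `<?=htmlspecialchars($ifdescr);?>` here so a description containing `<` or `"` cannot break or inject into the page. The fallback `strtoupper($ifname)` at L513 is safe only because `$ifname` is a config key; escaping the combined value covers both cases.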
IPsec user FQDNs</font></em><br>
<br>
Fred Wright (<a href="mailto:fw@well.com">fw@well.com</a>)<br>
- <em><font color="#666666">ipfilter window scaling fix; ipnat ICMP checksum adjustment fix </font></em></p>
+ <em><font color="#666666">ipfilter window scaling fix; ipnat ICMP checksum adjustment fix; IPsec dead SA fixes</font></em><br>
+ <br>
+ Michael Hanselmann (<a href="mailto:public@hansmi.ch">public@hansmi.ch</a>)<br>
+ <em><font color="#666666">IDE hard disk standby</font></em><br>
+ <br>
+ Audun Larsen (<a href="mailto:larsen@xqus.com">larsen@xqus.com</a>)<br>
+ <em><font color="#666666">CPU/memory usage display</font></em></p>
<hr size="1">
<p>m0n0wall is based upon/includes various free software packages,
listed below.<br>
$pconfig['idletimeout'] = $config['captiveportal']['idletimeout'];
$pconfig['enable'] = isset($config['captiveportal']['enable']);
$pconfig['radacct_enable'] = isset($config['captiveportal']['radacct_enable']);
+$pconfig['httpslogin_enable'] = isset($config['captiveportal']['httpslogin']);
+$pconfig['httpsname'] = $config['captiveportal']['httpsname'];
+$pconfig['cert'] = base64_decode($config['captiveportal']['certificate']);
+$pconfig['key'] = base64_decode($config['captiveportal']['private-key']);
$pconfig['logoutwin_enable'] = isset($config['captiveportal']['logoutwin_enable']);
+$pconfig['redirurl'] = $config['captiveportal']['redirurl'];
$pconfig['radiusip'] = $config['captiveportal']['radiusip'];
$pconfig['radiusport'] = $config['captiveportal']['radiusport'];
$pconfig['radiuskey'] = $config['captiveportal']['radiuskey'];
break;
}
}
+
+ if ($_POST['httpslogin_enable']) {
+ if (!$_POST['cert'] || !$_POST['key']) {
+ $input_errors[] = "Certificate and key must be specified for HTTPS login.";
+ } else {
+ if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))
+ $input_errors[] = "This certificate does not appear to be valid.";
+ if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY"))
+ $input_errors[] = "This key does not appear to be valid.";
+ }
+
+ if (!$_POST['httpsname'] || !is_domain($_POST['httpsname'])) {
+ $input_errors[] = "The HTTPS server name must be specified for HTTPS login.";
+ }
+ }
}
if ($_POST['timeout'] && (!is_numeric($_POST['timeout']) || ($_POST['timeout'] < 1))) {
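Review bot: The checks at L575-L578 only look for PEM marker strings, so a truncated body between the markers, or a key that does not belong to the certificate, passes validation and is first noticed when mini_httpd fails to come up on port 8001 at boot; if the openssl extension is present on the platform, `openssl_x509_read()` and `openssl_pkey_get_private()` would confirm that both actually parse before they are saved. `$_POST['redirurl']` is stored unvalidated at L595 in the next hunk, and the portal later interpolates it into HTML, JavaScript and a `Location:` header, so a check that it starts with `http://` or `https://` belongs here next to the other field validation, e.g. `if ($_POST['redirurl'] && !preg_match('#^https?://#i', $_POST['redirurl'])) $input_errors[] = "The redirection URL must start with http:// or https://.";`.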
$config['captiveportal']['idletimeout'] = $_POST['idletimeout'];
$config['captiveportal']['enable'] = $_POST['enable'] ? true : false;
$config['captiveportal']['radacct_enable'] = $_POST['radacct_enable'] ? true : false;
+ $config['captiveportal']['httpslogin'] = $_POST['httpslogin_enable'] ? true : false;
+ $config['captiveportal']['httpsname'] = $_POST['httpsname'];
+ $config['captiveportal']['certificate'] = base64_encode($_POST['cert']);
+ $config['captiveportal']['private-key'] = base64_encode($_POST['key']);
$config['captiveportal']['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false;
+ $config['captiveportal']['redirurl'] = $_POST['redirurl'];
$config['captiveportal']['radiusip'] = $_POST['radiusip'];
$config['captiveportal']['radiusport'] = $_POST['radiusport'];
$config['captiveportal']['radiuskey'] = $_POST['radiuskey'];
document.iform.cinterface.disabled = 0;
document.iform.idletimeout.disabled = 0;
document.iform.timeout.disabled = 0;
+ document.iform.redirurl.disabled = 0;
document.iform.radiusip.disabled = 0;
document.iform.radiusport.disabled = 0;
document.iform.radiuskey.disabled = 0;
document.iform.radacct_enable.disabled = 0;
+ document.iform.httpslogin_enable.disabled = 0;
+ document.iform.httpsname.disabled = 0;
+ document.iform.cert.disabled = 0;
+ document.iform.key.disabled = 0;
document.iform.logoutwin_enable.disabled = 0;
document.iform.htmlfile.disabled = 0;
document.iform.errfile.disabled = 0;
document.iform.cinterface.disabled = 1;
document.iform.idletimeout.disabled = 1;
document.iform.timeout.disabled = 1;
+ document.iform.redirurl.disabled = 1;
document.iform.radiusip.disabled = 1;
document.iform.radiusport.disabled = 1;
document.iform.radiuskey.disabled = 1;
document.iform.radacct_enable.disabled = 1;
+ document.iform.httpslogin_enable.disabled = 1;
+ document.iform.httpsname.disabled = 1;
+ document.iform.cert.disabled = 1;
+ document.iform.key.disabled = 1;
document.iform.logoutwin_enable.disabled = 1;
document.iform.htmlfile.disabled = 1;
document.iform.errfile.disabled = 1;
<td width="22%" valign="top" class="vncell">Logout popup window</td>
<td width="78%" class="vtable">
<input name="logoutwin_enable" type="checkbox" class="formfld" id="logoutwin_enable" value="yes" <?php if($pconfig['logoutwin_enable']) echo "checked"; ?>>
- <br>
+ <strong>Enable logout popup window</strong><br>
If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs. When RADIUS accounting is enabled, this option is implied.</td>
</tr>
+ <tr>
+ <td valign="top" class="vncell">Redirection URL</td>
+ <td class="vtable">
+ <input name="redirurl" type="text" class="formfld" id="redirurl" size="60" value="<?=htmlspecialchars($pconfig['redirurl']);?>">
+ <br>
+If you provide a URL here, clients will be redirected to that URL instead of the one they initially tried
+to access after they've authenticated.</td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncell">RADIUS server</td>
<td width="78%" class="vtable">
<br>
Enter the IP address and port of the RADIUS server which users of the captive portal have to authenticate against. Leave blank to disable RADIUS authentication. Leave port number blank to use the default port (1812). Leave the RADIUS shared secret blank to not use a RADIUS shared secret. RADIUS accounting packets will also be sent to port 1813 of the RADIUS server if RADIUS accounting is enabled.
</tr>
+ <tr>
+ <td valign="top" class="vncell">HTTPS login</td>
+ <td class="vtable">
+ <input name="httpslogin_enable" type="checkbox" class="formfld" id="httpslogin_enable" value="yes" <?php if($pconfig['httpslogin_enable']) echo "checked"; ?>>
+ <strong>Enable HTTPS login</strong><br>
+ If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. This option only applies when RADIUS authentication is used. A server name, certificate and matching private key must also be specified below.</td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">HTTPS server name </td>
+ <td class="vtable">
+ <input name="httpsname" type="text" class="formfld" id="httpsname" size="30" value="<?=htmlspecialchars($pconfig['httpsname']);?>"><br>
+ This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS. </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">HTTPS certificate</td>
+ <td class="vtable">
+ <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea>
+ <br>
+ Paste a signed certificate in X.509 PEM format here.</td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">HTTPS private key</td>
+ <td class="vtable">
+ <textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea>
+ <br>
+ Paste an RSA private key in PEM format here.</td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncellreq">Portal page contents</td>
<td width="78%" class="vtable">
<br>
<br>
<?php endif; ?>
- Upload an HTML file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to the page itself)
+ Upload an HTML file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to "$PORTAL_ACTION$")
with a submit button (name="accept"). Include the "auth_user" and "auth_pass" input elements if RADIUS authentication is enabled. If RADIUS is enabled and no "auth_user" is present, authentication will always fail. If RADIUS is not enabled, you can omit both these input elements.
-Example code for the button:<br>
- <br><tt><form method="post" action=""><br>
- <input name="accept" type="submit" value="Continue"><br>
+When using HTTPS login, a hidden field with name="redirurl" and value="$PORTAL_REDIRURL$" has to be included as well. Example code for the form:<br>
+ <br>
+ <tt><form method="post" action="$PORTAL_ACTION$"><br>
<input name="auth_user" type="text"><br>
<input name="auth_pass" type="password"><br>
- </form></tt> </td>
+ <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$"><br>
+ <input name="accept" type="submit" value="Continue"><br>
+ </form></tt></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell">Authentication<br>
<?php endif; ?>
<tr>
<td colspan="2" class="listtopic">
- <?=htmlspecialchars($ifname);?> interface</td>
+ <?=htmlspecialchars($ifname);?> interface (SSID "<?=htmlspecialchars($config['interfaces'][$ifdescr]['wireless']['ssid']);?>")</td>
</tr>
<tr>
<td width="22%" valign="top" class="listhdrr">Signal strength
$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']);
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']);
+$pconfig['expanddiags'] = isset($config['system']['webgui']['expanddiags']);
+if ($g['platform'] == "generic-pc")
+ $pconfig['harddiskstandby'] = $config['system']['harddiskstandby'];
+$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
if ($_POST) {
$config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
$config['system']['disableconsolemenu'] = $_POST['disableconsolemenu'] ? true : false;
$config['system']['disablefirmwarecheck'] = $_POST['disablefirmwarecheck'] ? true : false;
+ $config['system']['webgui']['expanddiags'] = $_POST['expanddiags'] ? true : false;
+ if ($g['platform'] == "generic-pc") {
+ $oldharddiskstandby = $config['system']['harddiskstandby'];
+ $config['system']['harddiskstandby'] = $_POST['harddiskstandby'];
+ }
+ $config['system']['webgui']['noantilockout'] = $_POST['noantilockout'] ? true : false;
write_config();
if (($config['system']['webgui']['certificate'] != $oldcert)
|| ($config['system']['webgui']['private-key'] != $oldkey)) {
touch($d_sysrebootreqd_path);
+ } else if (($g['platform'] == "generic-pc") && ($config['system']['harddiskstandby'] != $oldharddiskstandby)) {
+ if (!$config['system']['harddiskstandby']) {
+ // Reboot needed to deactivate standby due to a stupid ATA-protocol
+ touch($d_sysrebootreqd_path);
+ unset($config['system']['harddiskstandby']);
+ } else {
+ // No need to set the standby-time if a reboot is needed anyway
+ system_set_harddisk_standby();
+ }
}
$retval = 0;
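Review bot: The `unset($config['system']['harddiskstandby'])` at L734 runs after `write_config()` at L726, so the empty string assigned at L723 is what gets persisted and the unset only touches the in-memory copy; handle the empty value before the write, e.g. at L723 `if ($_POST['harddiskstandby']) $config['system']['harddiskstandby'] = $_POST['harddiskstandby']; else unset($config['system']['harddiskstandby']);`. `$_POST['harddiskstandby']` is also stored without being checked against the values the form offers; rejecting anything non-numeric before L723 keeps a crafted POST from writing an arbitrary string into config.xml, even though `system_set_harddisk_standby()` casts to int before using it. This region appears to span more than one hunk, and the enclosing `if ($_POST)` block starts outside the view.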
<strong>Disable console menu</strong><span class="vexpl"><br>
Changes to this option will take effect after a reboot.</span></td>
</tr>
+ <tr>
+ <td valign="top" class="vtable"> </td>
+ <td class="vtable">
+ <input name="disablefirmwarecheck" type="checkbox" id="disablefirmwarecheck" value="yes" <?php if ($pconfig['disablefirmwarecheck']) echo "checked"; ?>>
+ <strong>Disable firmware version check</strong><span class="vexpl"><br>
+ This will cause m0n0wall not to check for newer firmware versions when the <a href="system_firmware.php">System: Firmware</a> page is viewed.</span></td>
+ </tr>
+<?php if ($g['platform'] == "generic-pc"): ?>
<tr>
<td width="22%" valign="top" class="vtable"> </td>
<td width="78%" class="vtable">
- <input name="disablefirmwarecheck" type="checkbox" id="disablefirmwarecheck" value="yes" <?php if ($pconfig['disablefirmwarecheck']) echo "checked"; ?>>
- <strong>Disable firmware version check</strong><span class="vexpl"><br>
- This will cause m0n0wall not to check for newer firmware versions when the <a href="system_firmware.php">System: Firmware</a> page is viewed.</span></td>
+ <strong>Hard disk standby time: </strong>
+ <select name="harddiskstandby" class="formfld">
+ <?php
+ /* Values from ATA-2
+ http://www.t13.org/project/d0948r3-ATA-2.pdf
+ Page 66 */
+ $sbvals = explode(" ", "0.5,6 1,12 2,24 3,36 4,48 5,60 7.5,90 10,120 15,180 20,240 30,241 60,242");
+ ?>
+ <option value="" <?php if(!$pconfig['harddiskstandby']) echo('selected');?>>Always on</option>
+ <?php
+ foreach ($sbvals as $sbval):
+ list($min,$val) = explode(",", $sbval); ?>
+ <option value="<?=$val;?>" <?php if($pconfig['harddiskstandby'] == $val) echo('selected');?>><?=$min;?> minutes</option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ Puts the hard disk into standby mode when the selected amount of time after the last
+ access has elapsed. <em>Do not set this for CF cards.</em></td>
+ </tr>
+<?php endif; ?>
+ <tr>
+ <td width="22%" valign="top" class="vtable"> </td>
+ <td width="78%" class="vtable">
+ <input name="expanddiags" type="checkbox" id="expanddiags" value="yes" <?php if ($pconfig['expanddiags']) echo "checked"; ?>>
+ <strong>Keep diagnostics in navigation expanded </strong></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vtable"> </td>
+ <td width="78%" class="vtable">
+ <input name="noantilockout" type="checkbox" id="noantilockout" value="yes" <?php if ($pconfig['noantilockout']) echo "checked"; ?>>
+ <strong>Disable webGUI anti-lockout rule</strong><br>
+ By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!).<br>
+ Hint:
+ the "set LAN IP address" option in the console menu resets this setting as well.</td>
</tr>
<tr>
<td width="22%" valign="top"> </td>
<tr>
<td class="listlr">
<?php
- $iflabels = array('lan' => 'LAN', 'pptp' => 'PPTP');
+ $iflabels = array('lan' => 'LAN', 'wan' => 'WAN', 'pptp' => 'PPTP');
for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++)
$iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr'];
echo htmlspecialchars($iflabels[$route['interface']]); ?>
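Review bot: The static interface-label map is now maintained in two places with the same `'wan' => 'WAN'` addition, at line 799 and again at line 807 (a third hand-written variant with a different order is visible at line 846), so the lists can drift apart the next time an interface type is added. Building the base map once in a shared include and reusing it in both pages would keep them in sync; the `for` loop that appends the opt interfaces is also identical in both hunks. Note too that `$iflabels[$route['interface']]` has no fallback when the stored interface name is absent from the map, which would emit an empty label together with an undefined-index notice. The enclosing block starts outside the hunk.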
<td width="22%" valign="top" class="vncellreq">Interface</td>
<td width="78%" class="vtable">
<select name="interface" class="formfld">
- <?php $interfaces = array('lan' => 'LAN', 'pptp' => 'PPTP');
+ <?php $interfaces = array('lan' => 'LAN', 'wan' => 'WAN', 'pptp' => 'PPTP');
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
$interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr'];
}
if (isset($id) && $a_ipsec[$id]) {
$pconfig['disabled'] = isset($a_ipsec[$id]['disabled']);
+ $pconfig['auto'] = isset($a_ipsec[$id]['auto']);
if (!isset($a_ipsec[$id]['local-subnet']))
$pconfig['localnet'] = "lan";
$pconfig['p1mode'] = "aggressive";
$pconfig['p1myidentt'] = "myaddress";
$pconfig['p1ealgo'] = "3des";
- $pconfig['p1halgo'] = "md5";
+ $pconfig['p1halgo'] = "sha1";
$pconfig['p1dhgroup'] = "2";
$pconfig['p2proto'] = "esp";
$pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael");
- $pconfig['p2halgos'] = explode(",", "hmac_md5,hmac_sha1");
+ $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5");
$pconfig['p2pfsgroup'] = "0";
}
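Review bot: The phase-2 default at line 825 still enables `hmac_md5` alongside `hmac_sha1`, so the reorder only changes which algorithm is listed first; whether that order is honoured as a negotiation preference depends on how the list is consumed downstream, which is not visible here. If the intent, as the phase-1 switch to `sha1` at line 820 suggests, is to prefer SHA-1, consider either dropping `hmac_md5` from the default or documenting the ordering, e.g. `/* first entry is the preferred algorithm — confirm the backend honours list order */`. Both defaults apply only to newly created entries; existing config entries keep whatever was saved. The same defaults are repeated at lines 876 and 881 in the second file.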
if (!$input_errors) {
$ipsecent['disabled'] = $_POST['disabled'] ? true : false;
+ $ipsecent['auto'] = $_POST['auto'] ? true : false;
$ipsecent['interface'] = $pconfig['interface'];
pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']);
$ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . $_POST['remotebits'];
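Review bot: `$_POST['auto']` at line 830 is read without an existence check, so an unchecked checkbox (the browser omits the field entirely) raises an undefined-index notice before the ternary evaluates to false; `$ipsecent['auto'] = isset($_POST['auto']);` gives the same boolean, matches the `isset()` used when loading the flag at line 813, and avoids the notice. The neighbouring `disabled` line has the same pattern, but that is pre-existing. The enclosing `if (!$input_errors)` block continues outside the hunk.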
removing it from the list.</span></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncellreq">Auto-establish</td>
+ <td width="78%" class="vtable">
+ <input name="auto" type="checkbox" id="auto" value="yes" <?php if ($pconfig['auto']) echo "checked"; ?>>
+ <strong>Automatically establish this tunnel</strong><br>
+ <span class="vexpl">Set this option to automatically re-establish this tunnel after reboots/reconfigures. If this is not set, the tunnel is established on demand.</span></td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq">Interface</td>
<td width="78%" class="vtable"> <select name="interface" class="formfld">
<?php $interfaces = array('wan' => 'WAN', 'lan' => 'LAN');
<tr>
<td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td>
<td width="78%" class="vtable">
- <input name="p1pskey" type="text" class="formfld" id="p1pskey" size="40" value="<?=$pconfig['p1pskey'];?>">
+ <input name="p1pskey" type="text" class="formfld" id="p1pskey" size="40" value="<?=htmlspecialchars($pconfig['p1pskey']);?>">
</td>
</tr>
<tr>
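Review bot: Escaping the value at line 851 stops a stored key containing `"` or `<` from breaking out of the attribute, but the pre-shared key is still emitted in clear as a `type="text"` field, so it is readable on screen and may be offered for browser autofill. If the page's other secret fields are rendered the same way this may be a deliberate convention, but `type="password" autocomplete="off"` on this input would keep the secret out of casual view without changing what is submitted. The same applies to the `psk` field at line 868. `htmlspecialchars()` with its default flags escapes double quotes, which is sufficient for this double-quoted attribute.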
<?=htmlspecialchars($algoname);?>
<br>
<?php endforeach; ?>
- <br>
- Hint: MD5 is slightly faster than SHA1.</td>
+ </td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq">PFS key group</td>
<tr>
<td width="22%" valign="top" class="vncellreq">Pre-shared key</td>
<td width="78%" class="vtable">
- <input name="psk" type="text" class="formfld" id="psk" size="40" value="<?=$pconfig['psk'];?>">
+ <input name="psk" type="text" class="formfld" id="psk" size="40" value="<?=htmlspecialchars($pconfig['psk']);?>">
</td>
</tr>
<tr>
$pconfig['p1mode'] = "aggressive";
$pconfig['p1myidentt'] = "myaddress";
$pconfig['p1ealgo'] = "3des";
- $pconfig['p1halgo'] = "md5";
+ $pconfig['p1halgo'] = "sha1";
$pconfig['p1dhgroup'] = "2";
$pconfig['p2proto'] = "esp";
$pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael");
- $pconfig['p2halgos'] = explode(",", "hmac_md5,hmac_sha1");
+ $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5");
$pconfig['p2pfsgroup'] = "0";
} else {
$pconfig['enable'] = isset($a_ipsec['enable']);
<?=htmlspecialchars($algoname);?>
<br>
<?php endforeach; ?>
- <br>
- Hint: MD5 is slightly faster than SHA1.</td>
+ </td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq">PFS key group</td>