From: mkasper Date: Sat, 7 Jan 2006 22:27:43 +0000 (+0000) Subject: Import m0n0wall 1.0 files. X-Git-Url: https://git.gsnw.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17a1174664be69a3c11426e24e12d6f6223aa89f;p=m0n0chwall.git Import m0n0wall 1.0 files. git-svn-id: https://svn.m0n0.ch/wall/trunk@2 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- diff --git a/etc/pubkey.pem b/etc/pubkey.pem new file mode 100644 index 0000000..f935cb5 --- /dev/null +++ b/etc/pubkey.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH/03JimtLfN8ggkf26hOCdAaE +5Ha+c9cqoms2/AXPMWjapkalizztGhvffTk5v1Y/mDwgkI09kqArnXqRCGFSyRDB +utGizQ4OghmsBgWzBKw/biLiXZcfXpaZxfAsJ2aSDOy+ezIoPblRfqnVBzg49RPM +Pe9HoJqCn1GxIhHrKwIDAQAB +-----END PUBLIC KEY----- diff --git a/etc/rc b/etc/rc new file mode 100644 index 0000000..ced2cf7 --- /dev/null +++ b/etc/rc @@ -0,0 +1,46 @@ +#!/bin/sh + +# /etc/rc +# part of m0n0wall (http://neon1.net/m0n0wall) +# +# Copyright (C) 2003 Manuel Kasper . +# All rights reserved. + +stty status '^T' + +trap : 2 +trap : 3 + +HOME=/ +PATH=/sbin:/bin:/usr/sbin:/usr/bin +export HOME PATH + +set -T +trap "echo 'Reboot interrupted'; exit 1" 3 + +# make some directories in /var +mkdir /var/run /var/log /var/etc /var/db + +# generate circular logfiles +clog -i -s 262144 /var/log/system.log +clog -i -s 262144 /var/log/filter.log +clog -i -s 32768 /var/log/dhcpd.log +chmod 0600 /var/log/system.log /var/log/filter.log /var/log/dhcpd.log + +adjkerntz -i + +# Create an initial utmp file +cd /var/run && cp /dev/null utmp && chmod 644 utmp + +# Build devices database +dev_mkdb + +# Run ldconfig +/sbin/ldconfig -elf /usr/lib + +# let the PHP-based configuration subsystem set up the system now +/etc/rc.bootup + +/etc/rc.banner + +exit 0 diff --git a/etc/rc.dyndns.storecache b/etc/rc.dyndns.storecache new file mode 100644 index 0000000..180662e --- /dev/null +++ b/etc/rc.dyndns.storecache @@ -0,0 +1,8 @@ +#!/bin/sh + +# copy cache file to /conf for permanent storage +/sbin/umount -f /cf +/sbin/mount -w -o noatime /cf +/bin/cp /var/db/ez-ipupdate.cache /conf +/sbin/umount -f /cf +/sbin/mount -r /cf diff --git a/etc/rc.firmware b/etc/rc.firmware new file mode 100644 index 0000000..56fc7a4 --- /dev/null +++ b/etc/rc.firmware @@ -0,0 +1,55 @@ +#!/bin/sh + +# /etc/rc.firmware +# part of m0n0wall (http://neon1.net/m0n0wall) +# +# Copyright (C) 2003 Manuel Kasper . +# All rights reserved. + +CFDEVICE=`cat /var/etc/cfdevice` + +if [ $1 != "upgrade" ]; then + /sbin/umount -f /ftmp > /dev/null 2>&1 +fi + +case $1 in +enable) + /sbin/mount_mfs -s 15360 -T qp120at -b 8192 -f 1024 dummy /ftmp \ + > /dev/null 2>&1 + ;; +upgrade) + # wait 5 seconds before beginning + sleep 5 + + exec /dev/console 2>/dev/console + + echo + echo "Firmware upgrade in progress..." + + # backup config + mkdir /tmp/configbak + cp -p /conf/* /tmp/configbak + + # unmount /cf + /sbin/umount -f /cf + + # dd image onto card + if [ -r $2 ]; then + /usr/bin/gunzip -S "" -c $2 | dd of=/dev/r$CFDEVICE bs=16k > /dev/null 2>&1 + echo "Image installed." + fi + + # mount /cf + /sbin/mount -w -o noatime /cf + + # restore config + cp -p /tmp/configbak/* /conf + + # remount /cf ro + /sbin/umount -f /cf + /sbin/mount -r /cf + + echo "Done - rebooting system..." + /sbin/reboot + ;; +esac diff --git a/etc/rc.initial b/etc/rc.initial new file mode 100644 index 0000000..d1fe44a --- /dev/null +++ b/etc/rc.initial @@ -0,0 +1,69 @@ +#!/bin/sh + +# /etc/rc.initial +# part of m0n0wall (http://neon1.net/m0n0wall) +# +# Copyright (C) 2003 Manuel Kasper . +# All rights reserved. + +# make sure the user can't kill us by pressing Ctrl-C +trap : 2 +trap : 3 + +# redirect input/output +exec /dev/console 2>/dev/console + +if [ -r /var/etc/disableconsole ]; then + +while : ; do + +echo +echo +echo "*** Console menu disabled. ***" +echo + +read tmp + +done + +else + +# endless loop +while : ; do + +# display a cheap menu +echo +echo +echo "m0n0wall console setup" +echo "**********************" +echo "1) Interfaces: assign network ports" +echo "2) Set up LAN IP address" +echo "3) Reset webGUI password" +echo "4) Reset to factory defaults" +echo "5) Reboot system" +echo + +read -p "Enter a number: " opmode + +# see what the user has chosen +case ${opmode} in +1) + /etc/rc.initial.setports + ;; +2) + /etc/rc.initial.setlanip + ;; +3) + /etc/rc.initial.password + ;; +4) + /etc/rc.initial.defaults + ;; +5) + /etc/rc.initial.reboot + ;; +esac + +done + +fi diff --git a/etc/rc.reboot b/etc/rc.reboot new file mode 100644 index 0000000..228d24f --- /dev/null +++ b/etc/rc.reboot @@ -0,0 +1,4 @@ +#!/bin/sh + +sleep 5 +/sbin/reboot diff --git a/phpconf/config.xml b/phpconf/config.xml new file mode 100644 index 0000000..40f58ac --- /dev/null +++ b/phpconf/config.xml @@ -0,0 +1,396 @@ + + + + 1.4 + + m0n0wall + local + + + admin + $1$2xGLA75j$W/jiJc00HYBZX7kFjxjQv0 + Etc/UTC + 300 + pool.ntp.org + + http + + + + + + + + sis0 + 192.168.1.1 + 24 + + + + sis1 + dhcp + + + + + + + + + + + + + + + + + + + + + + + + + + + dyndns + + + + + + + + + + + 192.168.1.100 + 192.168.1.199 + + + + + + + + + + + + + + + + + + + + + + public + + + + + + + + + + + + + + + + + + + + + + pass + Default LAN -> any + lan + + lan + + + + + + + + + + + + + + + + + + + + + + diff --git a/phpconf/inc/config.inc b/phpconf/inc/config.inc new file mode 100644 index 0000000..ad3ecc0 --- /dev/null +++ b/phpconf/inc/config.inc @@ -0,0 +1,544 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include globals/utility/XML parser files */ +require_once("globals.inc"); +require_once("util.inc"); +require_once("xmlparse.inc"); + +/* read platform */ +if (file_exists("{$g['etc_path']}/platform")) { + $g['platform'] = chop(file_get_contents("{$g['etc_path']}/platform")); +} else { + $g['platform'] = "unknown"; +} + +if ($g['booting']) { + /* find the device where config.xml resides and write out an fstab */ + unset($cfgdevice); + + /* check if there's already an fstab (NFS booting?) */ + if (!file_exists("{$g['etc_path']}/fstab")) { + + if (strstr($g['platform'], "cdrom")) { + /* config is on floppy disk for CD-ROM version */ + $cfgdevice = $cfgpartition = "fd0"; + $cfgfstype = "msdos"; + } else { + /* probe ad0...ad3 until we find the one with config.xml */ + for ($cfgn = 0; $cfgn <= 3; $cfgn++) { + if (mwexec("/sbin/mount -r /dev/ad{$cfgn}a {$g['cf_path']}") == 0) { + if (file_exists("{$g['cf_conf_path']}/config.xml")) { + /* found it */ + $cfgdevice = "ad" . $cfgn; + $cfgpartition = $cfgdevice . "a"; + $cfgfstype = "ufs"; + echo "Found configuration on $cfgdevice.\n"; + } + + mwexec("/sbin/umount -f {$g['cf_path']}"); + + if ($cfgdevice) + break; + } + } + } + + if (!$cfgdevice) { + /* no device found, print an error and die */ + echo <<= + filemtime("{$g['conf_path']}/config.xml"))) { + + /* read cache */ + $config = unserialize(file_get_contents("{$g['tmp_path']}/config.cache")); + } else { + + if (!file_exists("{$g['conf_path']}/config.xml")) { + if ($g['booting']) { + if (strstr($g['platform'], "cdrom")) { + /* try copying the default config. to the floppy */ + reset_factory_defaults(); + + echo "No XML configuration file found - using factory defaults.\n"; + echo "Make sure that the configuration floppy disk with the conf/config.xml\n"; + echo "file is inserted. If it isn't, your configuration changes will be lost\n"; + echo "on reboot.\n"; + } else { + echo "XML configuration file not found. m0n0wall cannot continue booting.\n"; + mwexec("/sbin/halt"); + exit; + } + } else { + config_unlock(); + exit(0); + } + } + + $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']); + + if ((float)$config['version'] > (float)$g['latest_config']) { + if ($g['booting']) { + echo << 1.1 */ + if ($config['version'] == "1.0") { + $opti = 1; + $ifmap = array('lan' => 'lan', 'wan' => 'wan', 'pptp' => 'pptp'); + + /* convert DMZ to optional, if necessary */ + if (isset($config['interfaces']['dmz'])) { + + $dmzcfg = &$config['interfaces']['dmz']; + + if ($dmzcfg['if']) { + $config['interfaces']['opt' . $opti] = array(); + $optcfg = &$config['interfaces']['opt' . $opti]; + + $optcfg['enable'] = $dmzcfg['enable']; + $optcfg['descr'] = "DMZ"; + $optcfg['if'] = $dmzcfg['if']; + $optcfg['ipaddr'] = $dmzcfg['ipaddr']; + $optcfg['subnet'] = $dmzcfg['subnet']; + + $ifmap['dmz'] = "opt" . $opti; + $opti++; + } + + unset($config['interfaces']['dmz']); + } + + /* convert WLAN1/2 to optional, if necessary */ + for ($i = 1; isset($config['interfaces']['wlan' . $i]); $i++) { + + if (!$config['interfaces']['wlan' . $i]['if']) { + unset($config['interfaces']['wlan' . $i]); + continue; + } + + $wlancfg = &$config['interfaces']['wlan' . $i]; + $config['interfaces']['opt' . $opti] = array(); + $optcfg = &$config['interfaces']['opt' . $opti]; + + $optcfg['enable'] = $wlancfg['enable']; + $optcfg['descr'] = "WLAN" . $i; + $optcfg['if'] = $wlancfg['if']; + $optcfg['ipaddr'] = $wlancfg['ipaddr']; + $optcfg['subnet'] = $wlancfg['subnet']; + $optcfg['bridge'] = $wlancfg['bridge']; + + $optcfg['wireless'] = array(); + $optcfg['wireless']['mode'] = $wlancfg['mode']; + $optcfg['wireless']['ssid'] = $wlancfg['ssid']; + $optcfg['wireless']['channel'] = $wlancfg['channel']; + $optcfg['wireless']['wep'] = $wlancfg['wep']; + + $ifmap['wlan' . $i] = "opt" . $opti; + + unset($config['interfaces']['wlan' . $i]); + $opti++; + } + + /* convert filter rules */ + $n = count($config['filter']['rule']); + for ($i = 0; $i < $n; $i++) { + + $fr = &$config['filter']['rule'][$i]; + + /* remap interface */ + if (array_key_exists($fr['interface'], $ifmap)) + $fr['interface'] = $ifmap[$fr['interface']]; + else { + /* remove the rule */ + echo "\nWarning: filter rule removed " . + "(interface '{$fr['interface']}' does not exist anymore)."; + unset($config['filter']['rule'][$i]); + continue; + } + + /* remap source network */ + if (isset($fr['source']['network'])) { + if (array_key_exists($fr['source']['network'], $ifmap)) + $fr['source']['network'] = $ifmap[$fr['source']['network']]; + else { + /* remove the rule */ + echo "\nWarning: filter rule removed " . + "(source network '{$fr['source']['network']}' does not exist anymore)."; + unset($config['filter']['rule'][$i]); + continue; + } + } + + /* remap destination network */ + if (isset($fr['destination']['network'])) { + if (array_key_exists($fr['destination']['network'], $ifmap)) + $fr['destination']['network'] = $ifmap[$fr['destination']['network']]; + else { + /* remove the rule */ + echo "\nWarning: filter rule removed " . + "(destination network '{$fr['destination']['network']}' does not exist anymore)."; + unset($config['filter']['rule'][$i]); + continue; + } + } + } + + /* convert shaper rules */ + $n = count($config['shaper']['rule']); + if (is_array($config['shaper']['rule'])) + for ($i = 0; $i < $n; $i++) { + + $fr = &$config['shaper']['rule'][$i]; + + /* remap interface */ + if (array_key_exists($fr['interface'], $ifmap)) + $fr['interface'] = $ifmap[$fr['interface']]; + else { + /* remove the rule */ + echo "\nWarning: traffic shaper rule removed " . + "(interface '{$fr['interface']}' does not exist anymore)."; + unset($config['shaper']['rule'][$i]); + continue; + } + + /* remap source network */ + if (isset($fr['source']['network'])) { + if (array_key_exists($fr['source']['network'], $ifmap)) + $fr['source']['network'] = $ifmap[$fr['source']['network']]; + else { + /* remove the rule */ + echo "\nWarning: traffic shaper rule removed " . + "(source network '{$fr['source']['network']}' does not exist anymore)."; + unset($config['shaper']['rule'][$i]); + continue; + } + } + + /* remap destination network */ + if (isset($fr['destination']['network'])) { + if (array_key_exists($fr['destination']['network'], $ifmap)) + $fr['destination']['network'] = $ifmap[$fr['destination']['network']]; + else { + /* remove the rule */ + echo "\nWarning: traffic shaper rule removed " . + "(destination network '{$fr['destination']['network']}' does not exist anymore)."; + unset($config['shaper']['rule'][$i]); + continue; + } + } + } + + $config['version'] = "1.1"; + } + + /* convert 1.1 -> 1.2 */ + if ($config['version'] == "1.1") { + /* move LAN DHCP server config */ + $tmp = $config['dhcpd']; + $config['dhcpd'] = array(); + $config['dhcpd']['lan'] = $tmp; + + /* encrypt password */ + $config['system']['password'] = crypt($config['system']['password']); + + $config['version'] = "1.2"; + } + + /* convert 1.2 -> 1.3 */ + if ($config['version'] == "1.2") { + /* convert advanced outbound NAT config */ + for ($i = 0; isset($config['nat']['advancedoutbound']['rule'][$i]); $i++) { + $curent = &$config['nat']['advancedoutbound']['rule'][$i]; + $src = $curent['source']; + $curent['source'] = array(); + $curent['source']['network'] = $src; + $curent['destination'] = array(); + $curent['destination']['any'] = true; + } + + /* add an explicit type="pass" to all filter rules to make things consistent */ + for ($i = 0; isset($config['filter']['rule'][$i]); $i++) { + $config['filter']['rule'][$i]['type'] = "pass"; + } + + $config['version'] = "1.3"; + } + + /* convert 1.3 -> 1.4 */ + if ($config['version'] == "1.3") { + /* convert shaper rules (make pipes) */ + if (is_array($config['shaper']['rule'])) { + $config['shaper']['pipe'] = array(); + + for ($i = 0; isset($config['shaper']['rule'][$i]); $i++) { + $curent = &$config['shaper']['rule'][$i]; + + /* make new pipe and associate with this rule */ + $newpipe = array(); + $newpipe['descr'] = $curent['descr']; + $newpipe['bandwidth'] = $curent['bandwidth']; + $newpipe['delay'] = $curent['delay']; + $newpipe['mask'] = $curent['mask']; + $config['shaper']['pipe'][$i] = $newpipe; + + $curent['targetpipe'] = $i; + + unset($curent['bandwidth']); + unset($curent['delay']); + unset($curent['mask']); + } + } + + $config['version'] = "1.4"; + } + + write_config(); + + if ($g['booting']) + echo "done\n"; +} + +/* save the system configuration */ +function write_config() { + + global $config, $g; + + config_lock(); + + conf_mount_rw(); + + /* generate configuration XML */ + $xmlconfig = dump_xml_config($config, $g['xml_rootobj']); + + /* write configuration */ + $fd = fopen("{$g['cf_conf_path']}/config.xml", "w"); + + if (!$fd) + die("Unable to open config.xml for writing in write_config()\n"); + + fwrite($fd, $xmlconfig); + fclose($fd); + + conf_mount_ro(); + + /* re-read configuration */ + $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']); + + /* write config cache */ + $fd = @fopen("{$g['tmp_path']}/config.cache", "wb"); + if ($fd) { + fwrite($fd, serialize($config)); + fclose($fd); + } + + config_unlock(); +} + +function reset_factory_defaults() { + + global $g; + + config_lock(); + + conf_mount_rw(); + + /* create conf directory, if necessary */ + if (!file_exists("{$g['cf_conf_path']}")) + @mkdir("{$g['cf_conf_path']}"); + + /* clear out /conf */ + $dh = opendir($g['conf_path']); + while ($filename = readdir($dh)) { + if (($filename != ".") && ($filename != "..")) { + unlink($g['conf_path'] . "/" . $filename); + } + } + closedir($dh); + + /* copy default configuration */ + @copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml"); + + conf_mount_ro(); + + config_unlock(); + + return 0; +} + +function config_install($conffile) { + + global $config, $g; + + if (!file_exists($conffile)) + return 1; + + config_lock(); + conf_mount_rw(); + + copy($conffile, "{$g['conf_path']}/config.xml"); + + conf_mount_ro(); + config_unlock(); + + return 0; +} + +/* lock configuration file, decide that the lock file is stale after + 10 seconds */ +function config_lock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/config.lock"; + + $n = 0; + while ($n < 10) { + /* open the lock file in append mode to avoid race condition */ + if ($fd = @fopen($lockfile, "x")) { + /* succeeded */ + fclose($fd); + return; + } else { + /* file locked, wait and try again */ + sleep(1); + $n++; + } + } +} + +/* unlock configuration file */ +function config_unlock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/config.lock"; + + if (file_exists($lockfile)) + unlink($lockfile); +} + +?> diff --git a/phpconf/inc/filter.inc b/phpconf/inc/filter.inc new file mode 100644 index 0000000..74e74b8 --- /dev/null +++ b/phpconf/inc/filter.inc @@ -0,0 +1,767 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function filter_resync() { + global $config, $g; + + mwexec("/sbin/ipf -y"); +} + +function filter_ipmon_start() { + global $config, $g; + + mwexec("/sbin/ipmon -sD"); +} + +function filter_configure() { + global $config, $g; + + if ($g['booting']) + echo "Configuring firewall... "; + + /* generate ipnat rules */ + $ipnatrules = filter_nat_rules_generate(); + + /* load ipnat rules */ + $fd = popen("/sbin/ipnat -C -f - > /dev/null 2>&1", "w"); + if (!$fd) { + printf("Cannot open /sbin/ipnat in filter_configure()\n"); + return 1; + } + + fwrite($fd, $ipnatrules); + pclose($fd); + + /* generate ipf rules */ + $ipfrules = filter_rules_generate(); + + $fd = popen("/sbin/ipf -Fa -f - > /dev/null 2>&1", "w"); + if (!$fd) { + printf("Cannot open /sbin/ipf in filter_configure()\n"); + return 1; + } + + fwrite($fd, $ipfrules); + pclose($fd); + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function filter_flush_nat_table() { + global $config, $g; + + return mwexec("/sbin/ipnat -F"); +} + +function filter_flush_state_table() { + global $config, $g; + + return mwexec("/sbin/ipf -FS"); +} + +function filter_nat_rules_generate_if($if, $src, $dst, $target, $mssclamp) { + + if ($target) + $tgt = $target . "/32"; + else + $tgt = "0/32"; + + $natrule = << {$tgt} proxy port ftp ftp/tcp $mssclamp +map $if $src $dst -> {$tgt} portmap tcp/udp auto $mssclamp +map $if $src $dst -> {$tgt} $mssclamp + +EOD; + + return $natrule; +} + +function filter_nat_rules_generate() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + + $pptpdcfg = $config['pptpd']; + $wanif = get_real_wan_interface(); + + if ($wancfg['mtu']) + $mssclamp = "mssclamp " . ($wancfg['mtu'] - 40); + else if ($wancfg['ipaddr'] == "pppoe") + $mssclamp = "mssclamp 1452"; + else + $mssclamp = ""; + + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + + $natrules = ""; + + /* any 1:1 mappings? */ + if (is_array($config['nat']['onetoone'])) { + foreach ($config['nat']['onetoone'] as $natent) { + if (!is_numeric($natent['subnet'])) + $sn = 32; + else + $sn = $natent['subnet']; + $natrules .= "bimap {$wanif} {$natent['internal']}/{$sn} -> {$natent['external']}/{$sn}\n"; + } + } + + /* outbound rules - advanced or standard */ + if (isset($config['nat']['advancedoutbound']['enable'])) { + /* advanced outbound rules */ + if (is_array($config['nat']['advancedoutbound']['rule'])) { + foreach ($config['nat']['advancedoutbound']['rule'] as $obent) { + $dst = ""; + $src = ""; + if (!isset($obent['destination']['any'])) { + $src = "from "; + if (isset($obent['destination']['not'])) + $dst = "! to "; + else + $dst = "to "; + $dst .= $obent['destination']['network']; + } + $src .= $obent['source']['network']; + + $natrules .= filter_nat_rules_generate_if($wanif, $src, $dst, + $obent['target'], $mssclamp); + } + } + } else { + /* standard outbound rules (one for each interface) */ + $natrules .= filter_nat_rules_generate_if($wanif, + $lansa . "/" . $lancfg['subnet'], "", null, $mssclamp); + + /* optional interfaces */ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $optcfg = $config['interfaces']['opt' . $i]; + + if (isset($optcfg['enable'])) { + $optsa = gen_subnet($optcfg['ipaddr'], $optcfg['subnet']); + $natrules .= filter_nat_rules_generate_if($wanif, + $optsa . "/" . $optcfg['subnet'], "", null, $mssclamp); + } + } + } + + /* DIAG: add ipv6 NAT, if requested */ + if (isset($config['diag']['ipv6nat']['enable'])) { + $natrules .= "rdr $wanif 0/0 port 0 -> " . + "{$config['diag']['ipv6nat']['ipaddr']} port 0 ipv6\n"; + } + + if (isset($config['nat']['rule'])) { + foreach ($config['nat']['rule'] as $rule) { + + $extport = explode("-", $rule['external-port']); + $target = alias_expand_host($rule['target']); + + if (!$target) + continue; /* unresolvable alias */ + + if ($rule['external-address']) + $extaddr = $rule['external-address'] . "/32"; + else + $extaddr = "0/0"; + + if ((!$extport[1]) || ($extport[0] == $extport[1])) { + $natrules .= + "rdr $wanif {$extaddr} port {$extport[0]} -> {$target} " . + "port {$rule['local-port']} {$rule['protocol']}"; + } else { + $natrules .= + "rdr $wanif {$extaddr} port {$extport[0]}-{$extport[1]} " . + "-> {$target} " . + "port {$rule['local-port']} {$rule['protocol']}"; + } + + $natrules .= " {$mssclamp}"; + + $natrules .= "\n"; + } + } + + if ($pptpdcfg['mode']) { + + if ($pptpdcfg['mode'] == "server") + $pptpdtarget = "127.0.0.1"; + else + $pptpdtarget = $pptpdcfg['redir']; + + $natrules .= << $pptpdtarget port 0 gre +rdr $wanif 0/0 port 1723 -> $pptpdtarget port 1723 tcp {$mssclamp} + +EOD; + } + + return $natrules; +} + +function filter_rules_generate() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + $pptpdcfg = $config['pptpd']; + + $lanif = $lancfg['if']; + $wanif = get_real_wan_interface(); + + /* rule groups (optional interfaces: see below) */ + $ifgroups = array("lan" => 100, "wan" => 200); + + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + /* optional interfaces */ + $optcfg = array(); + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if']) { + $oic = array(); + $oic['if'] = $oc['if']; + + if ($oc['bridge']) { + $oic['ip'] = $config['interfaces'][$oc['bridge']]['ipaddr']; + $oic['sn'] = $config['interfaces'][$oc['bridge']]['subnet']; + $oic['bridge'] = 1; + } else { + $oic['ip'] = $oc['ipaddr']; + $oic['sn'] = $oc['subnet']; + } + + $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']); + $optcfg['opt' . $i] = $oic; + $ifgroups['opt' . $i] = ($i * 100) + 200; + } + } + + if ($pptpdcfg['mode'] == "server") { + $pptpip = $pptpdcfg['localip']; + $pptpsa = $pptpdcfg['remoteip']; + $pptpsn = $g['pptp_subnet']; + } + + /* default block logging? */ + if (!isset($config['syslog']['nologdefaultblock'])) + $log = "log"; + else + $log = ""; + + $ipfrules = << $oc) { + if (isset($config['dhcpd'][$on]['enable'])) { + $ipfrules .= << $oc) { + $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log); + } + + /* block private networks on WAN? */ + if (isset($config['interfaces']['wan']['blockpriv'])) { + $ipfrules .= << $oc) { + $ipfrules .= filter_rules_ipsec_generate($oc['if'], $oc['ip']); + } + } + + /* XXX - the first section is only needed because ipf refuses to + parse rules that have "flags S/SAFR" and proto "tcp/udp" set because + UDP does not have flags, but we still want to offer the TCP/UDP protocol + option to the user */ + + $ipfrules .= << $oc) { + + $ingroup = $ifgroups[$on]; + + $ipfrules .= << diff --git a/phpconf/inc/functions.inc b/phpconf/inc/functions.inc new file mode 100644 index 0000000..51f02d7 --- /dev/null +++ b/phpconf/inc/functions.inc @@ -0,0 +1,39 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("system.inc"); +require_once("interfaces.inc"); +require_once("services.inc"); +require_once("filter.inc"); +require_once("shaper.inc"); +require_once("vpn.inc"); + +?> diff --git a/phpconf/inc/globals.inc b/phpconf/inc/globals.inc new file mode 100644 index 0000000..33d0291 --- /dev/null +++ b/phpconf/inc/globals.inc @@ -0,0 +1,51 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$g = array( + "varrun_path" => "/var/run", + "varetc_path" => "/var/etc", + "vardb_path" => "/var/db", + "etc_path" => "/etc", + "tmp_path" => "/tmp", + "conf_path" => "/conf", + "ftmp_path" => "/ftmp", + "conf_default_path" => "/conf.default", + "cf_path" => "/cf", + "cf_conf_path" => "/cf/conf", + "www_path" => "/usr/local/www", + "xml_rootobj" => "m0n0wall", + "pppoe_interface" => "ng0", + "n_pptp_units" => 16, + "pptp_subnet" => 28, + "debug" => false, + "latest_config" => "1.4" +); + +?> diff --git a/phpconf/inc/interfaces.inc b/phpconf/inc/interfaces.inc new file mode 100644 index 0000000..8986d1a --- /dev/null +++ b/phpconf/inc/interfaces.inc @@ -0,0 +1,542 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function interfaces_loopback_configure() { + global $config, $g; + + mwexec("/sbin/ifconfig lo0 127.0.0.1"); + + return 0; +} + +function interfaces_lan_configure() { + global $config, $g; + + if ($g['booting']) + echo "Configuring LAN interface... "; + + $lancfg = $config['interfaces']['lan']; + + /* wireless configuration? */ + if (is_array($lancfg['wireless'])) + interfaces_wireless_configure($lancfg['if'], $lancfg['wireless']); + + /* MAC spoofing? */ + if ($lancfg['spoofmac']) + mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . + " link " . escapeshellarg($lancfg['spoofmac'])); + + mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . " " . + escapeshellarg($lancfg['ipaddr'] . "/" . $lancfg['subnet'])); + + if (!$g['booting']) { + /* make new hosts file */ + system_hosts_generate(); + + /* reconfigure static routes (kernel may have deleted them) */ + system_routing_configure(); + + /* reload ipfilter (address may have changed) */ + filter_configure(); + + /* reload shaper (subnet may have changed) */ + shaper_configure(); + + /* reload IPsec tunnels */ + vpn_ipsec_configure(); + + /* reload dhcpd (gateway may have changed) */ + services_dhcpd_configure(); + + /* reload dnsmasq */ + services_dnsmasq_configure(); + + /* reload webgui */ + system_webgui_start(); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function interfaces_optional_configure() { + global $config, $g; + global $bridgeconfig; + + /* Reset bridge configuration. Interfaces will add to it. */ + $bridgeconfig = ""; + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + interfaces_optional_configure_if($i); + } + + if ($bridgeconfig) { + /* Set the system bridge configuration and enable bridging. */ + mwexec("/sbin/sysctl net.link.ether.bridge_cfg=" . $bridgeconfig); + + if (isset($config['bridge']['filteringbridge'])) + mwexec("/sbin/sysctl net.link.ether.bridge_ipf=1"); + + mwexec("/sbin/sysctl net.link.ether.bridge=1"); + } else { + mwexec("/sbin/sysctl net.link.ether.bridge_ipf=0"); + mwexec("/sbin/sysctl net.link.ether.bridge=0"); + } + + if (!$g['booting']) { + /* reconfigure static routes (kernel may have deleted them) */ + system_routing_configure(); + + /* reload ipfilter (address may have changed) */ + filter_configure(); + + /* reload shaper (address may have changed) */ + shaper_configure(); + + /* reload IPsec tunnels */ + vpn_ipsec_configure(); + + /* reload dhcpd (interface enabled/disabled/bridged status may have changed) */ + services_dhcpd_configure(); + + /* restart dnsmasq */ + services_dnsmasq_configure(); + } + + return 0; +} + +function interfaces_optional_configure_if($opti) { + global $config, $g; + global $bridgeconfig; + + $optcfg = $config['interfaces']['opt' . $opti]; + + if ($g['booting']) { + $optdescr = ""; + if ($optcfg['descr']) + $optdescr = " ({$optcfg['descr']})"; + echo "Configuring OPT{$opti}{$optdescr} interface... "; + } + + if (isset($optcfg['enable'])) { + /* wireless configuration? */ + if (is_array($optcfg['wireless'])) + interfaces_wireless_configure($optcfg['if'], $optcfg['wireless']); + + /* MAC spoofing? */ + if ($optcfg['spoofmac']) + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . + " link " . escapeshellarg($optcfg['spoofmac'])); + + /* bridged? */ + if ($optcfg['bridge']) { + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . + " delete up"); + + if ($bridgeconfig != "") + $bridgeconfig .= ","; + + $bridgeconfig .= $optcfg['if'] . ":" . $opti . "," . + $config['interfaces'][$optcfg['bridge']]['if'] . + ":" . $opti; + } else { + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . " " . + escapeshellarg($optcfg['ipaddr'] . "/" . $optcfg['subnet'])); + } + } else { + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . + " delete down"); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function interfaces_wireless_configure($if, $wlcfg) { + global $config, $g; + + /* wireless configuration */ + $ifcargs = escapeshellarg($if) . + " ssid " . escapeshellarg($wlcfg['ssid']) . " channel " . + escapeshellarg($wlcfg['channel']) . " "; + + if ($wlcfg['stationname']) + $ifcargs .= "stationname " . escapeshellarg($wlcfg['stationname']) . " "; + + if (isset($wlcfg['wep']['enable']) && is_array($wlcfg['wep']['key'])) { + $ifcargs .= "wepmode on "; + + $i = 1; + foreach ($wlcfg['wep']['key'] as $wepkey) { + $ifcargs .= "wepkey " . escapeshellarg("{$i}:{$wepkey['value']}") . " "; + if (isset($wepkey['txkey'])) { + $ifcargs .= "weptxkey {$i} "; + } + $i++; + } + } else { + $ifcargs .= "wepmode off "; + } + + switch ($wlcfg['mode']) { + case 'hostap': + if (strstr($if, "wi")) + $ifcargs .= "-mediaopt ibss mediaopt hostap "; + break; + case 'ibss': + case 'IBSS': + if (strstr($if, "wi")) + $ifcargs .= "-mediaopt hostap mediaopt ibss "; + else if (strstr($if, "an")) + $ifcargs .= "mediaopt adhoc "; + break; + case 'bss': + case 'BSS': + if (strstr($if, "wi")) + $ifcargs .= "-mediaopt hostap -mediaopt ibss "; + else if (strstr($if, "an")) + $ifcargs .= "-mediaopt adhoc "; + break; + } + + $ifcargs .= "up"; + + mwexec("/sbin/ifconfig " . $ifcargs); + + return 0; +} + +function interfaces_wan_configure() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + + if ($g['booting']) + echo "Configuring WAN interface... "; + else { + /* kill dhclient */ + killbypid("{$g['varrun_path']}/dhclient.pid"); + + /* kill PPPoE client (mpd) */ + killbypid("{$g['varrun_path']}/mpd.pid"); + + /* wait for processes to die */ + sleep(2); + + /* remove dhclient.conf, if it exists */ + if (file_exists("{$g['varetc_path']}/dhclient.conf")) { + unlink("{$g['varetc_path']}/dhclient.conf"); + } + /* remove mpd.conf, if it exists */ + if (file_exists("{$g['varetc_path']}/mpd.conf")) { + unlink("{$g['varetc_path']}/mpd.conf"); + } + /* remove mpd.links, if it exists */ + if (file_exists("{$g['varetc_path']}/mpd.links")) { + unlink("{$g['varetc_path']}/mpd.links"); + } + } + + /* remove all addresses first */ + while (mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " -alias") == 0); + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " down"); + + /* wireless configuration? */ + if (is_array($wancfg['wireless'])) + interfaces_wireless_configure($wancfg['if'], $wancfg['wireless']); + + if ($wancfg['spoofmac']) + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . + " link " . escapeshellarg($wancfg['spoofmac'])); + + switch ($wancfg['ipaddr']) { + + case 'dhcp': + interfaces_wan_dhcp_configure(); + break; + + case 'pppoe': + interfaces_wan_pppoe_configure(); + break; + + case 'pptp': + interfaces_wan_pptp_configure(); + break; + + default: + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " " . + escapeshellarg($wancfg['ipaddr'] . "/" . $wancfg['subnet'])); + + /* install default route */ + mwexec("/sbin/route delete default"); + mwexec("/sbin/route add default " . escapeshellarg($wancfg['gateway'])); + + /* resync ipfilter (done automatically for DHCP/PPPoE/PPTP) */ + filter_resync(); + } + + if (!$g['booting']) { + /* reconfigure static routes (kernel may have deleted them) */ + system_routing_configure(); + + /* reload ipfilter */ + filter_configure(); + + /* reload shaper */ + shaper_configure(); + + /* reload ipsec tunnels */ + vpn_ipsec_configure(); + + /* restart ez-ipupdate */ + services_dyndns_configure(); + + /* restart dnsmasq */ + services_dnsmasq_configure(); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function interfaces_wan_dhcp_configure() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + + /* generate dhclient.conf */ + $fd = fopen("{$g['varetc_path']}/dhclient.conf", "w"); + if (!$fd) { + printf("Error: cannot open dhclient.conf in interfaces_wan_dhcp_configure().\n"); + return 1; + } + + $dhclientconf = ""; + + if ($wancfg['dhcphostname']) { + $dhclientconf .= << diff --git a/phpconf/inc/services.inc b/phpconf/inc/services.inc new file mode 100644 index 0000000..ef79dfe --- /dev/null +++ b/phpconf/inc/services.inc @@ -0,0 +1,345 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function services_dhcpd_configure() { + global $config, $g; + + /* kill any running dhcpd */ + killbypid("{$g['varrun_path']}/dhcpd.pid"); + + $syscfg = $config['system']; + $dhcpdcfg = $config['dhcpd']; + + /* DHCP enabled on any interfaces? */ + $dhcpdenable = false; + foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) { + if (isset($dhcpifconf['enable']) && + (($dhcpif == "lan") || + (isset($config['interfaces'][$dhcpif]['enable']) && + $config['interfaces'][$dhcpif]['if'] && (!$config['interfaces'][$dhcpif]['bridge'])))) + $dhcpdenable = true; + } + + if (!$dhcpdenable) + return 0; + + if ($g['booting']) + echo "Starting DHCP service... "; + else + sleep(1); + + /* write dhcpd.conf */ + $fd = fopen("{$g['varetc_path']}/dhcpd.conf", "w"); + if (!$fd) { + printf("Error: cannot open dhcpd.conf in services_dhcpd_configure().\n"); + return 1; + } + + $dnscfg = ""; + if (isset($config['dnsmasq']['enable'])) { + $dnscfg = "option domain-name-servers " . $config['interfaces']['lan']['ipaddr'] . ";"; + } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { + $dnscfg = "option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";"; + } + + $dhcpdconf = << $dhcpifconf) { + + $ifcfg = $config['interfaces'][$dhcpif]; + + if (!isset($dhcpifconf['enable']) || + (($dhcpif != "lan") && + (!isset($ifcfg['enable']) || !$ifcfg['if'] || $ifcfg['bridge']))) + continue; + + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + + $dhcpdconf .= << diff --git a/phpconf/inc/shaper.inc b/phpconf/inc/shaper.inc new file mode 100644 index 0000000..aa0ad6e --- /dev/null +++ b/phpconf/inc/shaper.inc @@ -0,0 +1,372 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function shaper_configure() { + global $config, $g; + + if (isset($config['shaper']['enable'])) { + + if ($g['booting']) + echo "Starting traffic shaper... "; + + /* generate shaper rules */ + $shaperrules = shaper_rules_generate(); + + /* make sure ipfw and dummynet are loaded */ + mwexec("/sbin/kldload ipfw"); + mwexec("/sbin/kldload dummynet"); + + /* change one_pass to 1 so ipfw stops checking after + a rule has matched */ + mwexec("/sbin/sysctl net.inet.ip.fw.one_pass=1"); + + /* load shaper rules */ + mwexec("/sbin/ipfw -f flush"); + mwexec("/sbin/ipfw -f pipe flush"); + + /* XXX - seems like ipfw cannot accept rules directly on stdin, + so we have to write them to a temporary file first */ + $fd = fopen("{$g['tmp_path']}/ipfw.rules", "w"); + if (!$fd) { + printf("Cannot open ipfw.rules in shaper_configure()\n"); + return 1; + } + + fwrite($fd, $shaperrules); + fclose($fd); + + mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules"); + + unlink("{$g['tmp_path']}/ipfw.rules"); + + /* make sure bridged packets are shaped as well */ + mwexec("/sbin/sysctl net.link.ether.bridge_ipfw=1"); + + if ($g['booting']) + echo "done\n"; + + } else { + /* unload ipfw and dummynet */ + mwexec("/sbin/sysctl net.link.ether.bridge_ipfw=0"); + mwexec("/sbin/kldunload dummynet"); + mwexec("/sbin/kldunload ipfw"); + } + + return 0; +} + +function shaper_rules_generate() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + $pptpdcfg = $config['pptpd']; + + $lanif = $lancfg['if']; + $wanif = get_real_wan_interface(); + + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + /* optional interfaces */ + $optcfg = array(); + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if']) { + $oic = array(); + $oic['ip'] = $oc['ipaddr']; + $oic['if'] = $oc['if']; + $oic['sa'] = gen_subnet($oc['ipaddr'], $oc['subnet']); + $oic['sn'] = $oc['subnet']; + + $optcfg['opt' . $i] = $oic; + } + } + + if ($pptpdcfg['mode'] == "server") { + $pptpip = $pptpdcfg['localip']; + $pptpsa = $pptpdcfg['remoteip']; + $pptpsn = $g['pptp_subnet']; + } + + /* add a rule to pass all traffic from/to the firewall, + so the user cannot lock himself out of the webGUI */ + $shaperrules = "add pass all from $lanip to any\n"; + $shaperrules .= "add pass all from any to $lanip\n"; + + /* generate rules */ + if (isset($config['shaper']['rule'])) + foreach ($config['shaper']['rule'] as $rule) { + + /* does the rule deal with a PPTP interface? */ + if ($rule['interface'] == "pptp") { + + if ($pptpdcfg['mode'] != "server") + continue; + + $nif = $g['n_pptp_units']; + $ispptp = true; + } else { + + if (strstr($rule['interface'], "opt")) { + if (!array_key_exists($rule['interface'], $optcfg)) + continue; + } + + $nif = 1; + $ispptp = false; + } + + if ($pptpdcfg['mode'] != "server") { + if (($rule['source']['network'] == "pptp") || + ($rule['destination']['network'] == "pptp")) + continue; + } + + if (strstr($rule['source']['network'], "opt")) { + if (!array_key_exists($rule['source']['network'], $optcfg)) + continue; + } + if (strstr($rule['destination']['network'], "opt")) { + if (!array_key_exists($rule['destination']['network'], $optcfg)) + continue; + } + + /* check for unresolvable aliases */ + if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) + continue; + if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) + continue; + + for ($iif = 0; $iif < $nif; $iif++) { + + /* pipe or queue? */ + if (isset($rule['targetpipe']) && isset($config['shaper']['pipe'][$rule['targetpipe']])) { + $pipen = $rule['targetpipe'] + 1; + $line = "add pipe $pipen "; + } else if (isset($rule['targetqueue']) && isset($config['shaper']['queue'][$rule['targetqueue']])) { + $queuen = $rule['targetqueue'] + 1; + $line = "add queue $queuen "; + } else { + printf("Neither existing pipe nor queue found in rule $i\n"); + break; + } + + if (isset($rule['protocol'])) { + $line .= "{$rule['protocol']} "; + } else { + $line .= "all "; + } + + /* source address */ + if (isset($rule['source']['any'])) { + $src = "any"; + } else if ($rule['source']['network']) { + + if (strstr($rule['source']['network'], "opt")) { + $src = $optcfg[$rule['source']['network']]['sa'] . "/" . + $optcfg[$rule['source']['network']]['sn']; + } else { + switch ($rule['source']['network']) { + case 'lan': + $src = "$lansa/$lansn"; + break; + case 'pptp': + $src = "$pptpsa/$pptpsn"; + break; + } + } + } else if ($rule['source']['address']) { + $src = alias_expand($rule['source']['address']); + } + + if (!$src) { + printf("No source address found in rule $i\n"); + break; + } + + if (isset($rule['source']['not'])) { + $line .= "from not $src "; + } else { + $line .= "from $src "; + } + + if (in_array($rule['protocol'], array("tcp","udp"))) { + + if ($rule['source']['port']) { + $srcport = explode("-", $rule['source']['port']); + + if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { + $line .= "{$srcport[0]} "; + } else { + $line .= "{$srcport[0]}-{$srcport[1]} "; + } + } + } + + /* destination address */ + if (isset($rule['destination']['any'])) { + $dst = "any"; + } else if ($rule['destination']['network']) { + + if (strstr($rule['destination']['network'], "opt")) { + $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" . + $optcfg[$rule['destination']['network']]['sn']; + } else { + switch ($rule['destination']['network']) { + case 'lan': + $dst = "$lansa/$lansn"; + break; + case 'pptp': + $dst = "$pptpsa/$pptpsn"; + break; + } + } + } else if ($rule['destination']['address']) { + $dst = alias_expand($rule['destination']['address']); + } + + if (!$dst) { + printf("No destination address found in rule $i\n"); + break; + } + + if (isset($rule['destination']['not'])) { + $line .= "to not $dst "; + } else { + $line .= "to $dst "; + } + + if (in_array($rule['protocol'], array("tcp","udp"))) { + + if ($rule['destination']['port']) { + $dstport = explode("-", $rule['destination']['port']); + + if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { + $line .= "{$dstport[0]} "; + } else { + $line .= "{$dstport[0]}-{$dstport[1]} "; + } + } + } + + if ($rule['iplen']) + $line .= "iplen {$rule['iplen']} "; + + if ($rule['tcpflags']) + $line .= "tcpflags {$rule['tcpflags']} "; + + if ($rule['direction'] == "in") + $line .= "in "; + else if ($rule['direction'] == "out") + $line .= "out "; + + if ($ispptp) { + $line .= "via ng" . ($iif+1); + } else { + if ($rule['interface'] == "wan") + $if = $wanif; + else + $if = $config['interfaces'][$rule['interface']]['if']; + + $line .= "via {$if}"; + } + + $line .= "\n"; + $shaperrules .= $line; + } + + $i++; + } + + /* generate pipes */ + if (isset($config['shaper']['pipe'])) { + $pipei = 1; + foreach ($config['shaper']['pipe'] as $pipe) { + $line = "pipe $pipei config bw {$pipe['bandwidth']}Kbit/s "; + + if ($pipe['delay']) { + $line .= "delay {$pipe['delay']} "; + } + + switch ($pipe['mask']) { + case 'source': + $line .= "mask src-ip 0xffffffff "; + break; + case 'destination': + $line .= "mask dst-ip 0xffffffff "; + break; + } + + $line .= "\n"; + $shaperrules .= $line; + $pipei++; + } + } + + /* generate queues */ + if (isset($config['shaper']['queue'])) { + $queuei = 1; + foreach ($config['shaper']['queue'] as $queue) { + + $pipen = $queue['targetpipe'] + 1; + if (!isset($queue['targetpipe']) || !isset($config['shaper']['pipe'][$queue['targetpipe']])) { + printf("Pipe $pipen for queue $queuei not found!\n"); + continue; + } + + $line = "queue $queuei config pipe {$pipen}"; + $line .= " weight {$queue['weight']}"; + + switch ($queue['mask']) { + case 'source': + $line .= " mask src-ip 0xffffffff "; + break; + case 'destination': + $line .= " mask dst-ip 0xffffffff "; + break; + } + + $line .= "\n"; + $shaperrules .= $line; + $queuei++; + } + } + + return $shaperrules; +} + +?> diff --git a/phpconf/inc/system.inc b/phpconf/inc/system.inc new file mode 100644 index 0000000..60b4bbd --- /dev/null +++ b/phpconf/inc/system.inc @@ -0,0 +1,466 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function system_resolvconf_generate($dynupdate = false) { + global $config, $g; + + $syscfg = $config['system']; + + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); + if (!$fd) { + printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + return 1; + } + + $resolvconf = "domain {$syscfg['domain']}\n"; + + $havedns = false; + + if (isset($syscfg['dnsallowoverride'])) { + /* get dynamically assigned DNS servers (if any) */ + $nfd = @fopen("{$g['varetc_path']}/nameservers.conf", "r"); + if ($nfd) { + while (!feof($nfd)) { + $dnss = trim(fgets($nfd)); + if ($dnss) { + $resolvconf .= "nameserver $dnss\n"; + $havedns = true; + } + } + fclose($nfd); + } + } + if (!$havedns && is_array($syscfg['dnsserver'])) { + foreach ($syscfg['dnsserver'] as $ns) { + if ($ns) + $resolvconf .= "nameserver $ns\n"; + $havedns = true; + } + } + + fwrite($fd, $resolvconf); + fclose($fd); + + if (!$g['booting']) { + /* restart dhcpd (nameservers may have changed) */ + if (!$dynupdate) + services_dhcpd_configure(); + } + + return 0; +} + +function system_hosts_generate() { + global $config, $g; + + $syscfg = $config['system']; + $lancfg = $config['interfaces']['lan']; + $dnsmasqcfg = $config['dnsmasq']; + + if (!is_array($dnsmasqcfg['hosts'])) { + $dnsmasqcfg['hosts'] = array(); + } + $hostscfg = $dnsmasqcfg['hosts']; + + $fd = fopen("{$g['varetc_path']}/hosts", "w"); + if (!$fd) { + printf("Error: cannot open hosts file in system_hosts_generate().\n"); + return 1; + } + + $hosts = << /etc/localtime"); + + if ($g['booting']) + echo "done\n"; +} + +function system_ntp_configure() { + global $config, $g; + + $syscfg = $config['system']; + + if ($g['booting']) + echo "Starting NTP client... "; + else { + killbypid("{$g['varrun_path']}/runmsntp.pid"); + killbypid("{$g['varrun_path']}/msntp.pid"); + } + + /* start ntp client if needed - needs to be forced into background */ + $updateinterval = $syscfg['time-update-interval']; + + if ($updateinterval > 0) { + if ($updateinterval < 6) + $updateinterval = 6; + + $timeservers = ""; + foreach (explode(' ', $syscfg['timeservers']) as $ts) + $timeservers .= " " . $ts; + + mwexec_bg("/usr/local/bin/runmsntp.sh " . + escapeshellarg("{$g['varrun_path']}/runmsntp.pid") . " " . + escapeshellarg("{$g['varrun_path']}/msntp.pid") . " " . + escapeshellarg($updateinterval) . " " . + escapeshellarg($timeservers)); + } + + if ($g['booting']) + echo "done\n"; +} + +function system_reboot() { + global $g; + + mwexec("nohup /etc/rc.reboot > /dev/null 2>&1 &"); +} + +function system_reboot_sync() { + global $g; + + mwexec("/etc/rc.reboot > /dev/null 2>&1"); +} + +function system_do_shell_commands() { + global $config, $g; + + if (is_array($config['system']['shellcmd'])) { + + foreach ($config['system']['shellcmd'] as $cmd) { + exec($cmd); + } + } +} + +function system_console_configure() { + global $config, $g; + + if (isset($config['system']['disableconsolemenu'])) { + touch("{$g['varetc_path']}/disableconsole"); + } else { + unlink_if_exists("{$g['varetc_path']}/disableconsole"); + } +} + +?> diff --git a/phpconf/inc/util.inc b/phpconf/inc/util.inc new file mode 100644 index 0000000..cf5fecb --- /dev/null +++ b/phpconf/inc/util.inc @@ -0,0 +1,392 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* kill a process by pid file */ +function killbypid($pidfile) { + sigkillbypid($pidfile, "TERM"); +} + +/* sigkill a process by pid file */ +function sigkillbypid($pidfile, $sig) { + if (file_exists($pidfile)) { + mwexec("/bin/kill -s $sig `/bin/cat " . $pidfile . "`"); + } +} + +/* kill a process by name */ +function killbyname($procname) { + mwexec("/usr/bin/killall " . escapeshellarg($procname)); +} + +/* return the subnet address given a host address and a subnet bit count */ +function gen_subnet($ipaddr, $bits) { + if (!is_ipaddr($ipaddr) || !is_numeric($bits)) + return ""; + + return long2ip(ip2long($ipaddr) & gen_subnet_mask_long($bits)); +} + +/* return the highest address in the subnet given a host address and a subnet bit count */ +function gen_subnet_max($ipaddr, $bits) { + if (!is_ipaddr($ipaddr) || !is_numeric($bits)) + return ""; + + return long2ip(ip2long($ipaddr) | gen_subnet_mask_long($bits)); +} + +/* returns a subnet mask (long given a bit count) */ +function gen_subnet_mask_long($bits) { + $sm = 0; + for ($i = 0; $i < $bits; $i++) { + $sm >>= 1; + $sm |= 0x80000000; + } + return $sm; +} + +/* same as above but returns a string */ +function gen_subnet_mask($bits) { + return long2ip(gen_subnet_mask_long($bits)); +} + +/* returns true if $ipaddr is a valid dotted IPv4 address */ +function is_ipaddr($ipaddr) { + if (!is_string($ipaddr)) + return false; + + $ip_long = ip2long($ipaddr); + $ip_reverse = long2ip($ip_long); + + if ($ipaddr == $ip_reverse) + return true; + else + return false; +} + +/* returns true if $ipaddr is a valid dotted IPv4 address or an alias thereof */ +function is_ipaddroralias($ipaddr) { + + global $aliastable; + + if (isset($aliastable[$ipaddr]) && is_ipaddr($aliastable[$ipaddr])) + return true; + else + return is_ipaddr($ipaddr); +} + +/* returns true if $ipaddr is a valid dotted IPv4 address or any alias */ +function is_ipaddroranyalias($ipaddr) { + + global $aliastable; + + if (isset($aliastable[$ipaddr])) + return true; + else + return is_ipaddr($ipaddr); +} + +/* returns true if $subnet is a valid subnet in CIDR format */ +function is_subnet($subnet) { + if (!is_string($subnet)) + return false; + + list($hp,$np) = explode('/', $subnet); + + if (!is_ipaddr($hp)) + return false; + + if (!is_numeric($np) || ($np < 1) || ($np > 32)) + return false; + + return true; +} + +/* returns true if $subnet is a valid subnet in CIDR format or an alias thereof */ +function is_subnetoralias($subnet) { + + global $aliastable; + + if (isset($aliastable[$subnet]) && is_subnet($aliastable[$subnet])) + return true; + else + return is_subnet($subnet); +} + +/* returns true if $hostname is a valid hostname */ +function is_hostname($hostname) { + if (!is_string($hostname)) + return false; + + if (preg_match("/^[a-z0-9\-]+$/i", $hostname)) + return true; + else + return false; +} + +/* returns true if $domain is a valid domain name */ +function is_domain($domain) { + if (!is_string($domain)) + return false; + + if (preg_match("/^([a-z0-9\-]+\.?)*$/i", $domain)) + return true; + else + return false; +} + +/* returns true if $uname is a valid DynDNS username */ +function is_dyndns_username($uname) { + if (!is_string($uname)) + return false; + + if (preg_match("/[^a-z0-9\-.@_]/i", $uname)) + return false; + else + return true; +} + +/* returns true if $macaddr is a valid MAC address */ +function is_macaddr($macaddr) { + if (!is_string($macaddr)) + return false; + + $maca = explode(":", $macaddr); + if (count($maca) != 6) + return false; + + foreach ($maca as $macel) { + if (($macel === "") || (strlen($macel) > 2)) + return false; + if (preg_match("/[^0-9a-f]/i", $macel)) + return false; + } + + return true; +} + +/* returns true if $name is a valid name for an alias */ +function is_validaliasname($name) { + if (!preg_match("/[^a-zA-Z0-9]/", $name)) + return true; + else + return false; +} + +/* returns true if $port is a valid TCP/UDP port */ +function is_port($port) { + if (!is_numericint($port)) + return false; + + if (($port < 1) || ($port > 65535)) + return false; + else + return true; +} + +/* returns a list of interfaces with MAC addresses */ +function get_interface_list() { + + global $g; + + /* build interface list with netstat */ + exec("/usr/bin/netstat -inW -f link", $linkinfo); + array_shift($linkinfo); + + $iflist = array(); + + foreach ($linkinfo as $link) { + $alink = preg_split("/\s+/", $link); + $ifname = chop($alink[0]); + + if (substr($ifname, -1) == "*") + $ifname = substr($ifname, 0, strlen($ifname) - 1); + + if (!preg_match("/^(ppp|sl|gif|faith|lo|ng|tun)/", $ifname)) { + $iflist[$ifname] = array(); + $iflist[$ifname]['mac'] = chop($alink[3]); + $iflist[$ifname]['up'] = false; + + /* find out if the link on this interface is up */ + unset($ifinfo); + exec("/sbin/ifconfig {$ifname}", $ifinfo); + + foreach ($ifinfo as $ifil) { + if (preg_match("/status: (.*)$/", $ifil, $matches)) { + if ($matches[1] == "active") + $iflist[$ifname]['up'] = true; + break; + } + } + } + } + + return $iflist; +} + +/* wrapper for exec() */ +function mwexec($command) { + + global $g; + + if ($g['debug']) { + if (!$_SERVER['REMOTE_ADDR']) + echo "mwexec(): $command\n"; + passthru($command, $retval); + } else { + exec("$command > /dev/null 2>&1", $oarr, $retval); + } + + return $retval; +} + +/* wrapper for exec() in background */ +function mwexec_bg($command) { + + global $g; + + if ($g['debug']) { + if (!$_SERVER['REMOTE_ADDR']) + echo "mwexec(): $command\n"; + } + + exec("nohup $command > /dev/null 2>&1 &"); +} + +/* unlink a file, if it exists */ +function unlink_if_exists($fn) { + if (file_exists($fn)) + unlink($fn); +} + +/* make a global alias table (for faster lookups) */ +function alias_make_table() { + + global $config, $g, $aliastable; + + $aliastable = array(); + + if (is_array($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $alias) { + if ($alias['name']) + $aliastable[$alias['name']] = $alias['address']; + } + } +} + +/* check if an alias exists */ +function is_alias($name) { + + global $aliastable; + + return isset($aliastable[$name]); +} + +/* expand a host or network alias, if necessary */ +function alias_expand($name) { + + global $aliastable; + + if (isset($aliastable[$name])) + return $aliastable[$name]; + else if (is_ipaddr($name) || is_subnet($name)) + return $name; + else + return null; +} + +/* expand a host alias, if necessary */ +function alias_expand_host($name) { + + global $aliastable; + + if (isset($aliastable[$name]) && is_ipaddr($aliastable[$name])) + return $aliastable[$name]; + else if (is_ipaddr($name)) + return $name; + else + return null; +} + +/* expand a network alias, if necessary */ +function alias_expand_net($name) { + + global $aliastable; + + if (isset($aliastable[$name]) && is_subnet($aliastable[$name])) + return $aliastable[$name]; + else if (is_subnet($name)) + return $name; + else + return null; +} + +/* find out whether two subnets overlap */ +function check_subnets_overlap($subnet1, $bits1, $subnet2, $bits2) { + + if (!is_numeric($bits1)) + $bits1 = 32; + if (!is_numeric($bits2)) + $bits2 = 32; + + if ($bits1 < $bits2) + $relbits = $bits1; + else + $relbits = $bits2; + + $sn1 = gen_subnet_mask_long($relbits) & ip2long($subnet1); + $sn2 = gen_subnet_mask_long($relbits) & ip2long($subnet2); + + if ($sn1 == $sn2) + return true; + else + return false; +} + +/* compare two IP addresses */ +function ipcmp($a, $b) { + if (ip2long($a) < ip2long($b)) + return -1; + else if (ip2long($a) > ip2long($b)) + return 1; + else + return 0; +} + +/* verify (and remove) the digital signature on a file - returns 0 if OK */ +function verify_digital_signature($fname) { + + global $g; + + return mwexec("/usr/local/bin/verifysig " . + escapeshellarg("{$g['etc_path']}/pubkey.pem") . " " . + escapeshellarg($fname)); +} + +?> diff --git a/phpconf/inc/vpn.inc b/phpconf/inc/vpn.inc new file mode 100644 index 0000000..df33dc5 --- /dev/null +++ b/phpconf/inc/vpn.inc @@ -0,0 +1,545 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function vpn_ipsec_configure($ipchg = false) { + global $config, $g; + + $curwanip = get_current_wan_address(); + + if ($ipchg) { + /* dhclient or MPD told us that the IP address has changed; + let's see if that's really true to avoid reloading the whole + IPsec stuff when it's not really necessary (dhclient likes to + execute its dhclient-exit-hooks also on renewals) + */ + if (file_exists("{$g['vardb_path']}/ipsec.wanip")) { + $oldwanip = chop(file_get_contents("{$g['vardb_path']}/ipsec.wanip")); + + if ($curwanip == $oldwanip) + return 0; /* nothing to do */ + } + } + + $syscfg = $config['system']; + $ipseccfg = $config['ipsec']; + $lancfg = $config['interfaces']['lan']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + + if ($g['booting']) { + if (!isset($ipseccfg['enable'])) + return 0; + + echo "Configuring IPsec VPN... "; + } else { + /* kill racoon */ + killbypid("{$g['varrun_path']}/racoon.pid"); + + /* wait for process to die */ + sleep(2); + + /* send a SIGKILL to be sure */ + sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); + } + + /* flush SPD and SAD */ + mwexec("/usr/sbin/setkey -FP"); + mwexec("/usr/sbin/setkey -F"); + + if (isset($ipseccfg['enable'])) { + + if (!$curwanip) { + /* IP address not configured yet, exit */ + if ($g['booting']) + echo "done\n"; + return 0; + } + + if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || + isset($ipseccfg['mobileclients']['enable'])) { + + if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { + + /* generate spd.conf */ + $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); + if (!$fd) { + printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); + return 1; + } + + $spdconf = ""; + foreach ($ipseccfg['tunnel'] as $tunnel) { + + if (isset($tunnel['disabled'])) + continue; + + $ep = vpn_endpoint_determine($tunnel, $curwanip); + if (!$ep) + continue; + + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); + + $spdconf .= "spdadd {$sa}/{$sn} " . + "{$tunnel['remote-subnet']} any -P out ipsec " . + "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . + "{$tunnel['remote-gateway']}/unique;\n"; + + $spdconf .= "spdadd {$tunnel['remote-subnet']} " . + "{$sa}/{$sn} any -P in ipsec " . + "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . + "{$ep}/unique;\n"; + } + + fwrite($fd, $spdconf); + fclose($fd); + + /* load SPD */ + mwexec("/usr/sbin/setkey -c < {$g['varetc_path']}/spd.conf"); + } + + /* generate racoon.conf */ + $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); + if (!$fd) { + printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); + return 1; + } + + $racoonconf = "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; + + if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) + foreach ($ipseccfg['tunnel'] as $tunnel) { + + if (isset($tunnel['disabled'])) + continue; + + $ep = vpn_endpoint_determine($tunnel, $curwanip); + if (!$ep) + continue; + + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); + + if (isset($tunnel['p1']['myident']['myaddress'])) { + $myidentt = "address"; + $myident = $ep; + } else if (isset($tunnel['p1']['myident']['address'])) { + $myidentt = "address"; + $myident = $tunnel['p1']['myident']['address']; + } else if (isset($tunnel['p1']['myident']['fqdn'])) { + $myidentt = "fqdn"; + $myident = $tunnel['p1']['myident']['fqdn']; + } + + $racoonconf .= << diff --git a/phpconf/inc/xmlparse.inc b/phpconf/inc/xmlparse.inc new file mode 100644 index 0000000..40edd38 --- /dev/null +++ b/phpconf/inc/xmlparse.inc @@ -0,0 +1,202 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* tags that are always to be handled as lists */ +$listtags = explode(" ", "rule user key dnsserver winsserver encryption-algorithm-option hash-algorithm-option hosts tunnel onetoone staticmap route alias pipe queue shellcmd mobilekey servernat proxyarpnet"); + +function startElement($parser, $name, $attrs) { + global $depth, $curpath, $config, $havedata, $listtags; + + array_push($curpath, strtolower($name)); + + $ptr =& $config; + foreach ($curpath as $path) { + $ptr =& $ptr[$path]; + } + + /* is it an element that belongs to a list? */ + if (in_array(strtolower($name), $listtags)) { + + /* is there an array already? */ + if (!is_array($ptr)) { + /* make an array */ + $ptr = array(); + } + + array_push($curpath, count($ptr)); + + } else if (isset($ptr)) { + /* multiple entries not allowed for this element, bail out */ + die(sprintf("XML error: %s at line %d cannot occur more than once\n", + $name, + xml_get_current_line_number($parser))); + } + + $depth++; + $havedata = $depth; +} + +function endElement($parser, $name) { + global $depth, $curpath, $config, $havedata, $listtags; + + if ($havedata == $depth) { + $ptr =& $config; + foreach ($curpath as $path) { + $ptr =& $ptr[$path]; + } + $ptr = ""; + } + + array_pop($curpath); + + if (in_array(strtolower($name), $listtags)) + array_pop($curpath); + + $depth--; +} + +function cData($parser, $data) { + global $depth, $curpath, $config, $havedata; + + $data = trim($data, "\t\n\r"); + + if ($data != "") { + $ptr =& $config; + foreach ($curpath as $path) { + $ptr =& $ptr[$path]; + } + + if (is_string($ptr)) { + $ptr .= $data; + } else { + if (trim($data, " ") != "") { + $ptr = $data; + $havedata++; + } + } + } +} + +function parse_xml_config($cffile, $rootobj) { + + global $depth, $curpath, $config, $havedata, $listtags; + + $config = array(); + $curpath = array(); + $depth = 0; + $havedata = 0; + + $xml_parser = xml_parser_create(); + + xml_set_element_handler($xml_parser, "startElement", "endElement"); + xml_set_character_data_handler($xml_parser, "cdata"); + + if (!($fp = fopen($cffile, "r"))) { + die("Error: could not open XML input\n"); + } + + while ($data = fread($fp, 4096)) { + if (!xml_parse($xml_parser, $data, feof($fp))) { + die(sprintf("XML error: %s at line %d\n", + xml_error_string(xml_get_error_code($xml_parser)), + xml_get_current_line_number($xml_parser))); + } + } + xml_parser_free($xml_parser); + + if (!$config[$rootobj]) { + die("XML error: no $rootobj object found!\n"); + } + + return $config[$rootobj]; +} + +function dump_xml_config_sub($arr, $indent) { + + global $listtags; + + $xmlconfig = ""; + + foreach ($arr as $ent => $val) { + if (is_array($val)) { + /* is it just a list of multiple values? */ + if (in_array(strtolower($ent), $listtags)) { + foreach ($val as $cval) { + if (is_array($cval)) { + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent>\n"; + $xmlconfig .= dump_xml_config_sub($cval, $indent + 1); + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "\n"; + } else { + $xmlconfig .= str_repeat("\t", $indent); + if ((is_bool($cval) && ($cval == true)) || + ($cval === "")) + $xmlconfig .= "<$ent/>\n"; + else if (!is_bool($cval)) + $xmlconfig .= "<$ent>" . htmlspecialchars($cval) . "\n"; + } + } + } else { + /* it's an array */ + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent>\n"; + $xmlconfig .= dump_xml_config_sub($val, $indent + 1); + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "\n"; + } + } else { + if ((is_bool($val) && ($val == true)) || ($val === "")) { + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent/>\n"; + } else if (!is_bool($val)) { + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent>" . htmlspecialchars($val) . "\n"; + } + } + } + + return $xmlconfig; +} + +function dump_xml_config($arr, $rootobj) { + + $xmlconfig = "\n"; + $xmlconfig .= "<$rootobj>\n"; + + $xmlconfig .= dump_xml_config_sub($arr, 1); + + $xmlconfig .= "\n"; + + return $xmlconfig; +} + +?> diff --git a/phpconf/rc.banner b/phpconf/rc.banner new file mode 100644 index 0000000..bb0804f --- /dev/null +++ b/phpconf/rc.banner @@ -0,0 +1,60 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $version = chop(file_get_contents("{$g['etc_path']}/version")); + $buildtime = chop(file_get_contents("{$g['etc_path']}/version.buildtime")); + + echo << {$config['interfaces']['lan']['if']} + WAN -> {$config['interfaces']['wan']['if']} + +EOD; + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + echo " OPT{$i} -> {$config['interfaces']['opt' . $i]['if']} " . + "({$config['interfaces']['opt' . $i]['descr']})\n"; +?> diff --git a/phpconf/rc.bootup b/phpconf/rc.bootup new file mode 100644 index 0000000..f7a7d60 --- /dev/null +++ b/phpconf/rc.bootup @@ -0,0 +1,128 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + require_once("globals.inc"); + + /* let the other functions know we're booting */ + $g['booting'] = TRUE; + touch("{$g['varrun_path']}/booting"); + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + /* convert configuration, if necessary */ + convert_config(); + + /* set up our timezone */ + system_timezone_configure(); + + /* set up our hostname */ + system_hostname_configure(); + + /* make hosts file */ + system_hosts_generate(); + + /* generate resolv.conf */ + system_resolvconf_generate(); + + /* start pccardd */ + system_pccard_start(); + + /* establish ipfilter ruleset */ + filter_configure(); + + /* configure loopback interface */ + interfaces_loopback_configure(); + + /* set up LAN interface */ + interfaces_lan_configure(); + + /* set up WAN interface */ + interfaces_wan_configure(); + + /* set up Optional interfaces */ + interfaces_optional_configure(); + + /* resync ipfilter */ + filter_resync(); + + /* start ipmon */ + filter_ipmon_start(); + + /* set up static routes */ + system_routing_configure(); + + /* enable routing */ + system_routing_enable(); + + /* start syslogd */ + system_syslogd_start(); + + /* start web server */ + system_webgui_start(); + + /* configure console menu */ + system_console_configure(); + + /* start dnsmasq service */ + services_dnsmasq_configure(); + + /* start dyndns service */ + services_dyndns_configure(); + + /* start DHCP service */ + services_dhcpd_configure(); + + /* start SNMP service */ + services_snmpd_configure(); + + /* start proxy ARP service */ + services_proxyarp_configure(); + + /* start the NTP client */ + system_ntp_configure(); + + /* start pptpd */ + vpn_pptpd_configure(); + + /* start traffic shaper */ + shaper_configure(); + + /* start IPsec tunnels */ + vpn_ipsec_configure(); + + /* run any shell commands specified in config.xml */ + system_do_shell_commands(); + + /* done */ + unlink("{$g['varrun_path']}/booting"); +?> diff --git a/phpconf/rc.initial.defaults b/phpconf/rc.initial.defaults new file mode 100644 index 0000000..8e33fd2 --- /dev/null +++ b/phpconf/rc.initial.defaults @@ -0,0 +1,61 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* don't parse the config so we can restore in case it's broken */ + $noparseconfig = 1; + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo << diff --git a/phpconf/rc.initial.password b/phpconf/rc.initial.password new file mode 100644 index 0000000..7859e2c --- /dev/null +++ b/phpconf/rc.initial.password @@ -0,0 +1,65 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo << diff --git a/phpconf/rc.initial.reboot b/phpconf/rc.initial.reboot new file mode 100644 index 0000000..053d492 --- /dev/null +++ b/phpconf/rc.initial.reboot @@ -0,0 +1,55 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo << diff --git a/phpconf/rc.initial.setlanip b/phpconf/rc.initial.setlanip new file mode 100644 index 0000000..08ca3f8 --- /dev/null +++ b/phpconf/rc.initial.setlanip @@ -0,0 +1,112 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + do { + echo "\nEnter the new LAN IP address: "; + $lanip = chop(fgets($fp)); + if ($lanip === "") { + exit(0); + } + } while (!is_ipaddr($lanip)); + + echo "\nSubnet masks are entered as bit counts (as in CIDR notation) in m0n0wall.\n"; + echo "e.g. 255.255.255.0 = 24\n"; + echo " 255.255.0.0 = 16\n"; + echo " 255.0.0.0 = 8\n\n"; + + do { + echo "Enter the new LAN subnet bit count: "; + $lanbits = chop(fgets($fp)); + if ($lanbits === "") { + exit(0); + } + } while (!is_numeric($lanbits) || ($lanbits < 1) || ($lanbits > 31)); + + $config['interfaces']['lan']['ipaddr'] = $lanip; + $config['interfaces']['lan']['subnet'] = $lanbits; + + echo "\nDo you want to enable the DHCP server on LAN? (y/n) "; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) { + do { + echo "Enter the start address of the client address range: "; + $dhcpstartip = chop(fgets($fp)); + if ($dhcpstartip === "") { + exit(0); + } + } while (!is_ipaddr($dhcpstartip)); + + do { + echo "Enter the end address of the client address range: "; + $dhcpendip = chop(fgets($fp)); + if ($dhcpendip === "") { + exit(0); + } + } while (!is_ipaddr($dhcpendip)); + + $config['dhcpd']['lan']['enable'] = true; + $config['dhcpd']['lan']['range']['from'] = $dhcpstartip; + $config['dhcpd']['lan']['range']['to'] = $dhcpendip; + } else { + unset($config['dhcpd']['lan']['enable']); + } + + if ($config['system']['webgui']['protocol'] == "https") { + + echo "\nDo you want to revert to HTTP as the webGUI protocol? (y/n) "; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) + $config['system']['webgui']['protocol'] = "http"; + } + + write_config(); + interfaces_lan_configure(); + + echo << diff --git a/phpconf/rc.initial.setports b/phpconf/rc.initial.setports new file mode 100644 index 0000000..d2d54ce --- /dev/null +++ b/phpconf/rc.initial.setports @@ -0,0 +1,231 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + $iflist = get_interface_list(); + + echo << $ifa) { + echo sprintf("% -8s%s%s\n", $iface, $ifa['mac'], + $ifa['up'] ? " (up)" : ""); + } + + echo << {$lanif} +WAN -> {$wanif} + +EOD; + + for ($i = 0; $i < count($optif); $i++) { + echo "OPT" . ($i+1) . " -> " . $optif[$i] . "\n"; + } + +echo << $ifa) { + if (!$ifa['up'] && $iflist[$ifn]['up']) { + echo "Detected link-up on interface {$ifn}.\n"; + return $ifn; + } + } + + echo "No link-up detected.\n"; + + return null; + } +?> diff --git a/phpconf/rc.newwanip b/phpconf/rc.newwanip new file mode 100644 index 0000000..e99059a --- /dev/null +++ b/phpconf/rc.newwanip @@ -0,0 +1,52 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + /* WAN IP address has changed */ + + /* make sure to wait until the boot scripts have finished */ + while (file_exists("{$g['varrun_path']}/booting")) { + sleep(1); + } + + /* resync ipfilter */ + filter_resync(); + + /* reconfigure IPsec tunnels */ + vpn_ipsec_configure(true); + + /* regenerate resolv.conf if DNS overrides are allowed */ + if (isset($config['system']['dnsallowoverride'])) + system_resolvconf_generate(true); +?> diff --git a/webgui/block.gif b/webgui/block.gif new file mode 100644 index 0000000..df95240 Binary files /dev/null and b/webgui/block.gif differ diff --git a/webgui/block_d.gif b/webgui/block_d.gif new file mode 100644 index 0000000..2d3d980 Binary files /dev/null and b/webgui/block_d.gif differ diff --git a/webgui/check.gif b/webgui/check.gif new file mode 100644 index 0000000..09a979a Binary files /dev/null and b/webgui/check.gif differ diff --git a/webgui/diag_backup.php b/webgui/diag_backup.php new file mode 100644 index 0000000..cdeda0a --- /dev/null +++ b/webgui/diag_backup.php @@ -0,0 +1,122 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* omit no-cache headers because it confuses IE with file downloads */ +$omit_nocacheheaders = true; +require("guiconfig.inc"); + +if ($_POST) { + + unset($input_errors); + + if (stristr($_POST['Submit'], "Restore")) + $mode = "restore"; + else if (stristr($_POST['Submit'], "Download")) + $mode = "download"; + + if ($mode) { + if ($mode == "download") { + config_lock(); + $fs = filesize($g['conf_path'] . "/config.xml"); + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename=config.xml"); + header("Content-Length: $fs"); + readfile($g['conf_path'] . "/config.xml"); + config_unlock(); + exit; + } else if ($mode == "restore") { + if (is_uploaded_file($_FILES['conffile']['tmp_name'])) { + if (config_install($_FILES['conffile']['tmp_name']) == 0) { + system_reboot(); + $savemsg = "The configuration has been restored. The firewall is now rebooting."; + } else { + $input_errors[] = "The configuration could not be restored."; + } + } else { + $input_errors[] = "The configuration could not be restored (file upload error)."; + } + } + } +} +?> + + + +m0n0wall webGUI - Diagnostics: Backup/restore + + + + + + +

Diagnostics: Backup/restore

+ + +
+ + + + + + + + + + + + + + + +
Backup configuration
  +

Click this button to download the system configuration + in XML format.
+
+ +
+  
+  

Restore configuration
  +

Open a m0n0wall configuration XML file and click the button + below to restore the configuration.
+
+ Note:
+ The firewall will reboot after restoring the configuration.
+
+ +
+
+ +

+
+
+ + + diff --git a/webgui/diag_defaults.php b/webgui/diag_defaults.php new file mode 100644 index 0000000..b47c7ff --- /dev/null +++ b/webgui/diag_defaults.php @@ -0,0 +1,73 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if ($_POST) { + if ($_POST['Submit'] != " No ") { + reset_factory_defaults(); + system_reboot(); + $rebootmsg = "The system has been reset to factory defaults and is now rebooting. This may take one minute."; + } else { + header("Location: index.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Diagnostics: Factory defaults + + + + + + +

Diagnostics: Factory defaults

+ +
+

If you click "Yes", the firewall will be reset + to factory defaults and will reboot immediately. The entire system + configuration will be overwritten. The LAN IP address will be + reset to 192.168.1.1, the system will be configured as a DHCP + server, and the password will be set to 'mono'.
+
+ Are you sure you want to proceed?

+

+ + +

+
+ + + + diff --git a/webgui/diag_dhcp_leases.php b/webgui/diag_dhcp_leases.php new file mode 100644 index 0000000..58a7d55 --- /dev/null +++ b/webgui/diag_dhcp_leases.php @@ -0,0 +1,189 @@ +#!/usr/local/bin/php + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +m0n0wall webGUI - Diagnostics: DHCP leases + + + + + + +

Diagnostics: DHCP leases

+ + + + + + + + + +"; + $fspane = ""; + } else { + $fspans = $fspane = ""; + } + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } +} +?> +
IP addressMAC addressHostnameStartEnd
{$fspans}{$data['ip']}{$fspane} {$fspans}{$data['mac']}{$fspane} {$fspans}{$data['hostname']}{$fspane} {$fspans}{$data['start']}{$fspane} {$fspans}{$data['end']}{$fspane} 
+

+

+ + + + + + + + +
+ +

No leases file found. Is the DHCP server active?

+ + + + diff --git a/webgui/diag_ipsec_sad.php b/webgui/diag_ipsec_sad.php new file mode 100644 index 0000000..0930de9 --- /dev/null +++ b/webgui/diag_ipsec_sad.php @@ -0,0 +1,138 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +m0n0wall webGUI - Diagnostics: IPsec + + + + + + +

Diagnostics: IPsec

+ + + + + + + +
SADSPD 
+ /dev/null 2>&1", "w"); + if ($fd) { + fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n"); + pclose($fd); + sleep(1); + } +} + +/* query SAD */ +$fd = @popen("/usr/sbin/setkey -D", "r"); +$sad = array(); +if ($fd) { + while (!feof($fd)) { + $line = chop(fgets($fd)); + if (!$line) + continue; + if ($line == "No SAD entries.") + break; + if ($line[0] != "\t") { + if (is_array($cursa)) + $sad[] = $cursa; + $cursa = array(); + list($cursa['src'],$cursa['dst']) = explode(" ", $line); + $i = 0; + } else { + $linea = explode(" ", trim($line)); + if ($i == 1) { + $cursa['proto'] = $linea[0]; + $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); + } else if ($i == 2) { + $cursa['ealgo'] = $linea[1]; + } else if ($i == 3) { + $cursa['aalgo'] = $linea[1]; + } + } + $i++; + } + if (is_array($cursa) && count($cursa)) + $sad[] = $cursa; + pclose($fd); +} +if (count($sad)): +?> + + + + + + + + + + + + + + + + + + + + + + +
SourceDestinationProtocolSPIEnc. alg.Auth. alg.
+ + +
+ +

No IPsec security associations.

+ +
+ + + diff --git a/webgui/diag_ipsec_spd.php b/webgui/diag_ipsec_spd.php new file mode 100644 index 0000000..1faeba7 --- /dev/null +++ b/webgui/diag_ipsec_spd.php @@ -0,0 +1,151 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +?> + + + +m0n0wall webGUI - Diagnostics: IPsec + + + + + + +

Diagnostics: IPsec

+ + + + + + + +
SADSPD 
+ /dev/null 2>&1", "w"); + if ($fd) { + fwrite($fd, "spddelete {$_GET['src']} {$_GET['dst']} any -P {$_GET['dir']} ;\n"); + pclose($fd); + sleep(1); + } +} + +/* query SAD */ +$fd = @popen("/usr/sbin/setkey -DP", "r"); +$spd = array(); +if ($fd) { + while (!feof($fd)) { + $line = chop(fgets($fd)); + if (!$line) + continue; + if ($line == "No SPD entries.") + break; + if ($line[0] != "\t") { + if (is_array($cursp)) + $spd[] = $cursp; + $cursp = array(); + $linea = explode(" ", $line); + $cursp['src'] = substr($linea[0], 0, strpos($linea[0], "[")); + $cursp['dst'] = substr($linea[1], 0, strpos($linea[1], "[")); + $i = 0; + } else { + $linea = explode(" ", trim($line)); + if ($i == 1) { + $cursp['dir'] = $linea[0]; + } else if ($i == 2) { + $upperspec = explode("/", $linea[0]); + $cursp['proto'] = $upperspec[0]; + list($cursp['ep_src'], $cursp['ep_dst']) = explode("-", $upperspec[2]); + } + } + $i++; + } + if (is_array($cursp) && count($cursp)) + $spd[] = $cursp; + pclose($fd); +} +if (count($spd)): +?> + + + + + + + + + + + + + + + + + + + + +
SourceDestinationDirectionProtocolTunnel endpoints
-
+ 		+ + +
+
+ + + + + + + + + + + + +
incoming (as seen by firewall)
outgoing (as seen by firewall)
+ +

No IPsec security policies.

+ +
+ + + diff --git a/webgui/diag_logs.php b/webgui/diag_logs.php new file mode 100644 index 0000000..5c2bbb6 --- /dev/null +++ b/webgui/diag_logs.php @@ -0,0 +1,100 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); +} + +function dump_clog($logfile, $tail, $withorig = true) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + echo "\n"; + + if ($withorig) { + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + echo "" . htmlspecialchars($logent[4] . " " . $logent[5]) . "\n"; + } else { + echo "" . htmlspecialchars($logent[5]) . "\n"; + } + echo "\n"; + } +} + +?> + + + +m0n0wall webGUI - Diagnostics: System logs + + + + + + +

Diagnostics: System logs

+ + + + + + + + + + + +
SystemFirewallDHCPSettings 
+ + + + + +
+ Last system log entries
+
+ +
+
+ + + diff --git a/webgui/diag_logs_dhcp.php b/webgui/diag_logs_dhcp.php new file mode 100644 index 0000000..64fb4cb --- /dev/null +++ b/webgui/diag_logs_dhcp.php @@ -0,0 +1,101 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 32768 /var/log/dhcpd.log"); +} + +function dump_clog($logfile, $tail, $withorig = true) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + echo "\n"; + + if ($withorig) { + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + echo "" . htmlspecialchars($logent[4] . " " . $logent[5]) . "\n"; + } else { + echo "" . htmlspecialchars($logent[5]) . "\n"; + } + echo "\n"; + } +} + +?> + + + +m0n0wall webGUI - Diagnostics: System logs + + + + + + +

Diagnostics: System logs

+ + + + + + + + + + + +
SystemFirewallDHCPSettings 
+ + + + + +
+ Last DHCP service log entries
+
+ +
+
+ + + + diff --git a/webgui/diag_logs_filter.php b/webgui/diag_logs_filter.php new file mode 100644 index 0000000..5f8c733 --- /dev/null +++ b/webgui/diag_logs_filter.php @@ -0,0 +1,100 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("/usr/sbin/clog -i -s 262144 /var/log/filter.log"); +} + +function dump_clog($logfile, $tail, $withorig = true) { + global $g, $config; + + $sor = isset($config['syslog']['reverse']) ? "-r" : ""; + + exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); + + foreach ($logarr as $logent) { + $logent = preg_split("/\s+/", $logent, 6); + echo "\n"; + + if ($withorig) { + echo "" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "\n"; + echo "" . htmlspecialchars($logent[4] . " " . $logent[5]) . "\n"; + } else { + echo "" . htmlspecialchars($logent[5]) . "\n"; + } + echo "\n"; + } +} + +?> + + + +m0n0wall webGUI - Diagnostics: System logs + + + + + + +

Diagnostics: System logs

+ + + + + + + + + + + +
SystemFirewallDHCPSettings 
+ + + + + +
+ Last firewall log entries
+
+ +
+
+ + + diff --git a/webgui/diag_logs_settings.php b/webgui/diag_logs_settings.php new file mode 100644 index 0000000..3a53e9f --- /dev/null +++ b/webgui/diag_logs_settings.php @@ -0,0 +1,187 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pconfig['reverse'] = isset($config['syslog']['reverse']); +$pconfig['nentries'] = $config['syslog']['nentries']; +$pconfig['remoteserver'] = $config['syslog']['remoteserver']; +$pconfig['filter'] = isset($config['syslog']['filter']); +$pconfig['dhcp'] = isset($config['syslog']['dhcp']); +$pconfig['system'] = isset($config['syslog']['system']); +$pconfig['enable'] = isset($config['syslog']['enable']); +$pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']); + +if (!$pconfig['nentries']) + $pconfig['nentries'] = 50; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable'] && !is_ipaddr($_POST['remoteserver'])) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['nentries'] < 5) || ($_POST['nentries'] > 1000)) { + $input_errors[] = "Number of log entries to show must be between 5 and 1000."; + } + + if (!$input_errors) { + $config['syslog']['reverse'] = $_POST['reverse'] ? true : false; + $config['syslog']['nentries'] = (int)$_POST['nentries']; + $config['syslog']['remoteserver'] = $_POST['remoteserver']; + $config['syslog']['filter'] = $_POST['filter'] ? true : false; + $config['syslog']['dhcp'] = $_POST['dhcp'] ? true : false; + $config['syslog']['system'] = $_POST['system'] ? true : false; + $config['syslog']['enable'] = $_POST['enable'] ? true : false; + $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']); + $config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = system_syslogd_start(); + if ($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} + +?> + + + +m0n0wall webGUI - Diagnostics: System logs + + + + + + + +

Diagnostics: System logs

+ + +
+ + + + + + + + + + + +
SystemFirewallDHCPSettings 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  > + Show log entries in reverse order (newest entries + on top)
 Number of log entries to + show: +
  > + Log packets blocked by the default rule
+ Hint: packets that are blocked by the + implicit default block rule will not be logged anymore + if you uncheck this option. Per-rule logging options are not affected.
  onClick="enable_change(false)"> + Enable syslog'ing to remote syslog server
Remote syslog + server +
+ IP address of remote syslog server

> + system events
> + firewall events
> + DHCP service events
  +
 Note:
+ syslog sends UDP datagrams to port 514 on the specified + remote syslog server. Be sure to set syslogd on the + remote server to accept syslog messages from m0n0wall. +
+
+
+ + + + diff --git a/webgui/diag_ping.php b/webgui/diag_ping.php new file mode 100644 index 0000000..ad12e59 --- /dev/null +++ b/webgui/diag_ping.php @@ -0,0 +1,113 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +define('MAX_COUNT', 10); +define('DEFAULT_COUNT', 3); + +if ($_POST) { + unset($input_errors); + unset($do_ping); + + /* input validation */ + $reqdfields = explode(" ", "host count"); + $reqdfieldsn = explode(",", "Host,Count"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['count'] < 1) || ($_POST['count'] > MAX_COUNT)) { + $input_errors[] = "Count must be between 1 and {MAX_COUNT}"; + } + + if (!$input_errors) { + $do_ping = true; + $host = preg_replace ("/[^A-Za-z0-9.]/","",$_POST['host']); + $count = $_POST['count']; + + } +} +if (!isset($do_ping)) { + $do_ping = false; + $host = ''; + $count = DEFAULT_COUNT; +} +?> + + + +m0n0wall webGUI - Diagnostics: Ping + + + + + + +

Diagnostics: Ping

+ +
+ + + + + + + + + + + + + + + + +
Host +
Count +
  + +
+ Ping output:
"); + echo('
');
+					ob_end_flush();
+					system("/sbin/ping -c$count " . escapeshellarg($host));
+					echo('
'); + } + ?> +
+
+ + + diff --git a/webgui/diag_resetstate.php b/webgui/diag_resetstate.php new file mode 100644 index 0000000..058ed5a --- /dev/null +++ b/webgui/diag_resetstate.php @@ -0,0 +1,97 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if ($_POST) { + + $savemsg = ""; + if ($_POST['nattable']) { + filter_flush_nat_table(); + $savemsg = "The NAT table has been flushed successfully."; + } + if ($_POST['statetable']) { + filter_flush_state_table(); + if ($savemsg) + $savemsg .= " "; + $savemsg .= "The state table has been flushed successfully."; + } +} +?> + + + +m0n0wall webGUI - Diagnostics: Reset state + + + + + + +

Diagnostics: Reset state

+ + +
+ + + + + + + + + +
 

+ + NAT table
+ + Firewall state table
+
+ Resetting the state tables will remove all entries from + the corresponding tables. This means that all open connections + will be broken and will have to be re-established. This + may be necessary after making substantial changes to the + firewall and/or NAT rules, especially if there are IP protocol + mappings (e.g. for PPTP or IPv6) with open connections.
+
+ The firewall will normally leave + the state tables intact when changing rules.
+
+ NOTE: If you reset the firewall state table, the browser + session may appear to be hung after clicking "Reset". + Simply refresh the page to continue.

+
  + +
+
+ + + diff --git a/webgui/down.gif b/webgui/down.gif new file mode 100644 index 0000000..236339f Binary files /dev/null and b/webgui/down.gif differ diff --git a/webgui/down_d.gif b/webgui/down_d.gif new file mode 100644 index 0000000..7d84373 Binary files /dev/null and b/webgui/down_d.gif differ diff --git a/webgui/e.gif b/webgui/e.gif new file mode 100644 index 0000000..046a809 Binary files /dev/null and b/webgui/e.gif differ diff --git a/webgui/err.gif b/webgui/err.gif new file mode 100644 index 0000000..a44c78a Binary files /dev/null and b/webgui/err.gif differ diff --git a/webgui/exclam.gif b/webgui/exclam.gif new file mode 100644 index 0000000..9a6d424 Binary files /dev/null and b/webgui/exclam.gif differ diff --git a/webgui/exec.php b/webgui/exec.php new file mode 100644 index 0000000..80b5d3d --- /dev/null +++ b/webgui/exec.php @@ -0,0 +1,239 @@ +#!/usr/local/bin/php + + + + +) +*/ + +// Function: is Blank +// Returns true or false depending on blankness of argument. + +function isBlank( $arg ) { return ereg( "^\s*$", $arg ); } + + +// Function: Puts +// Put string, Ruby-style. + +function puts( $arg ) { echo "$arg\n"; } + + +// "Constants". + +$Version = ''; +$ScriptName = $HTTP_SERVER_VARS['SCRIPT_NAME']; +$Title = 'm0n0wall: execute command'; + +// Get year. + +$arrDT = localtime(); +$intYear = $arrDT[5] + 1900; + +?> + +<?=$Title ?> + + + + + +

+ +

Note: this function is unsupported. Use it +on your own risk!

+ +" . $ulmsg . "

\n"; ?> +" ); + puts( "\$ " . htmlspecialchars($_POST['txtCommand']) ); + putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); + $ph = popen( $_POST['txtCommand'], "r" ); + while ($line = fgets( $ph )) echo htmlspecialchars( $line ); + pclose( $ph ); + puts( "" ); +} + +?> + +
+ + + + + + + + + + + + + + + + + + + + + +
Command:
    + + + + + +
Download: + + +
Upload: + +
+
+ + diff --git a/webgui/exec_raw.php b/webgui/exec_raw.php new file mode 100644 index 0000000..6d1ca34 --- /dev/null +++ b/webgui/exec_raw.php @@ -0,0 +1,38 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +header("Content-Type: text/plain"); + +putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); +passthru($_GET['cmd']); + +exit(0); +?> \ No newline at end of file diff --git a/webgui/fbegin.inc b/webgui/fbegin.inc new file mode 100644 index 0000000..c908229 --- /dev/null +++ b/webgui/fbegin.inc @@ -0,0 +1,103 @@ + + + + + + + + + + + + + +
 webGUI + Configuration
+ + + +
System +
+      General + setup
+      Static + routes
+      Firmware
+      Advanced
+ Interfaces + + (assign) + +
+      LAN
+      WAN
+ +      
+ + Firewall
+      Rules
+      NAT
+      Traffic + shaper
+      Aliases
+ Services
+      DNS forwarder
+      Dynamic + DNS
+      DHCP
+      SNMP
+      Proxy ARP
+ VPN
+      IPsec
+      PPTP
+           Users
+ Status
+      System
+      Interfaces
+      Wireless
+ + Diagnostics
+ + + Diagnostics
+ + +
+
\ No newline at end of file diff --git a/webgui/fend.inc b/webgui/fend.inc new file mode 100644 index 0000000..f1f5d89 --- /dev/null +++ b/webgui/fend.inc @@ -0,0 +1,7 @@ +
m0n0wall is © 2002-2004 by Manuel Kasper. + All rights reserved.  [view license]
\ No newline at end of file diff --git a/webgui/firewall_aliases.php b/webgui/firewall_aliases.php new file mode 100644 index 0000000..639292a --- /dev/null +++ b/webgui/firewall_aliases.php @@ -0,0 +1,127 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); + +aliases_sort(); +$a_aliases = &$config['aliases']['alias']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + /* reload all components that use aliases */ + $retval = filter_configure(); + $retval |= shaper_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_aliasesdirty_path)) + unlink($d_aliasesdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_aliases[$_GET['id']]) { + unset($a_aliases[$_GET['id']]); + write_config(); + touch($d_aliasesdirty_path); + header("Location: firewall_aliases.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: Aliases + + + + + + +

Firewall: Aliases

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + + + +
NameAddressDescription
+ + + + +   + +  
+
+

Note:
+ Aliases act as placeholders for real IP addresses + and can be used to minimize the number of changes that have to + be made if a host or network address changes. You can enter the + name of an alias instead of an IP address in all address fields + that have a blue background. The alias will be resolved to its + current address according to the list below. If an alias cannot + be resolved (e.g. because you deleted it), the corresponding element + (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

+ + + diff --git a/webgui/firewall_aliases_edit.php b/webgui/firewall_aliases_edit.php new file mode 100644 index 0000000..d608be8 --- /dev/null +++ b/webgui/firewall_aliases_edit.php @@ -0,0 +1,196 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); + +aliases_sort(); +$a_aliases = &$config['aliases']['alias']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_aliases[$id]) { + $pconfig['name'] = $a_aliases[$id]['name']; + list($pconfig['address'],$pconfig['address_subnet']) = + explode('/', $a_aliases[$id]['address']); + if ($pconfig['address_subnet']) + $pconfig['type'] = "network"; + else + $pconfig['type'] = "host"; + $pconfig['descr'] = $a_aliases[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "name address"); + $reqdfieldsn = explode(",", "Name,Address"); + + if ($_POST['type'] == "network") { + $reqdfields[] = "address_subnet"; + $reqdfieldsn[] = "Subnet bit count"; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['name'] && !is_validaliasname($_POST['name']))) { + $input_errors[] = "The alias name may only consist of the characters a-z, A-Z, 0-9."; + } + if (($_POST['address'] && !is_ipaddr($_POST['address']))) { + $input_errors[] = "A valid address must be specified."; + } + if (($_POST['address_subnet'] && !is_numeric($_POST['address_subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + + /* check for name conflicts */ + foreach ($a_aliases as $alias) { + if (isset($id) && ($a_aliases[$id]) && ($a_aliases[$id] === $alias)) + continue; + + if ($alias['name'] == $_POST['name']) { + $input_errors[] = "An alias with this name already exists."; + break; + } + } + + if (!$input_errors) { + $alias = array(); + $alias['name'] = $_POST['name']; + if ($_POST['type'] == "network") + $alias['address'] = $_POST['address'] . "/" . $_POST['address_subnet']; + else + $alias['address'] = $_POST['address']; + $alias['descr'] = $_POST['descr']; + + if (isset($id) && $a_aliases[$id]) + $a_aliases[$id] = $alias; + else + $a_aliases[] = $alias; + + touch($d_aliasesdirty_path); + + write_config(); + + header("Location: firewall_aliases.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - System: Firewall: Aliases: Edit alias + + + + + + + +

Firewall: Aliases: Edit alias

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
Name +
The name of the alias may only consist + of the characters a-z, A-Z and 0-9.
Type + +
Address + / +
The address that this alias + represents.
Description +
You may enter a description here + for your reference (not parsed).
  + + + +
+
+ + + + diff --git a/webgui/firewall_nat.php b/webgui/firewall_nat.php new file mode 100644 index 0000000..7df148d --- /dev/null +++ b/webgui/firewall_nat.php @@ -0,0 +1,161 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['rule'])) { + $config['nat']['rule'] = array(); +} +nat_rules_sort(); +$a_nat = &$config['nat']['rule']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_nat[$_GET['id']]) { + unset($a_nat[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT + + + + + + +

Firewall: NAT

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + +
InboundServer NAT1:1Outbound 
+ + + + + + + + + + + + + + + + + + + + + + + +
ProtoExt. port rangeNAT IP
(ext. IP)		Int. port rangeDescription
+ + + + + + (" . $natent['external-address'] . ")"; + ?> + + + +   + +  
+

Note:
+ It is not possible to access NATed services + using the WAN IP address from within LAN (or an optional + network).

+
+ + + diff --git a/webgui/firewall_nat_1to1.php b/webgui/firewall_nat_1to1.php new file mode 100644 index 0000000..d3ab765 --- /dev/null +++ b/webgui/firewall_nat_1to1.php @@ -0,0 +1,136 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['onetoone'])) { + $config['nat']['onetoone'] = array(); +} +$a_1to1 = &$config['nat']['onetoone']; +nat_1to1_rules_sort(); + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_1to1[$_GET['id']]) { + unset($a_1to1[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat_1to1.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT + + + + + + +

Firewall: NAT

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + +
InboundServer NAT1:1Outbound 
+ + + + + + + + + + + + + + + + + + + +
External IPInternal IPDescription
+ + + + +   + +  
+

Note:
+ Depending on the way your WAN connection is setup, you may also need proxy ARP.

+
+
+ + + diff --git a/webgui/firewall_nat_1to1_edit.php b/webgui/firewall_nat_1to1_edit.php new file mode 100644 index 0000000..135650a --- /dev/null +++ b/webgui/firewall_nat_1to1_edit.php @@ -0,0 +1,194 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['onetoone'])) { + $config['nat']['onetoone'] = array(); +} +nat_1to1_rules_sort(); +$a_1to1 = &$config['nat']['onetoone']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_1to1[$id]) { + $pconfig['external'] = $a_1to1[$id]['external']; + $pconfig['internal'] = $a_1to1[$id]['internal']; + if (!$a_1to1[$id]['subnet']) + $pconfig['subnet'] = 32; + else + $pconfig['subnet'] = $a_1to1[$id]['subnet']; + $pconfig['descr'] = $a_1to1[$id]['descr']; +} else { + $pconfig['subnet'] = 32; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "external internal"); + $reqdfieldsn = explode(",", "External subnet,Internal subnet"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['external'] && !is_ipaddr($_POST['external']))) { + $input_errors[] = "A valid external subnet must be specified."; + } + if (($_POST['internal'] && !is_ipaddr($_POST['internal']))) { + $input_errors[] = "A valid internal subnet must be specified."; + } + + if (is_ipaddr($config['interfaces']['wan']['ipaddr'])) { + if (check_subnets_overlap($_POST['external'], $_POST['subnet'], + $config['interfaces']['wan']['ipaddr'], 32)) + $input_errors[] = "The WAN IP address may not be used in a 1:1 rule."; + } + + /* check for overlaps with other 1:1 */ + foreach ($a_1to1 as $natent) { + if (isset($id) && ($a_1to1[$id]) && ($a_1to1[$id] === $natent)) + continue; + + if (check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['external'], $natent['subnet'])) { + $input_errors[] = "Another 1:1 rule overlaps with the specified external subnet."; + break; + } else if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) { + $input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet."; + break; + } + } + + /* check for overlaps with server NAT */ + if (is_array($config['nat']['servernat'])) { + foreach ($config['nat']['servernat'] as $natent) { + if (check_subnets_overlap($_POST['external'], $_POST['subnet'], + $natent['ipaddr'], 32)) { + $input_errors[] = "A server NAT entry overlaps with the specified external subnet."; + break; + } + } + } + + /* check for overlaps with advanced outbound NAT */ + if (is_array($config['nat']['advancedoutbound']['rule'])) { + foreach ($config['nat']['advancedoutbound']['rule'] as $natent) { + if ($natent['target'] && + check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['target'], 32)) { + $input_errors[] = "An advanced outbound NAT entry overlaps with the specified external subnet."; + break; + } + } + } + + if (!$input_errors) { + $natent = array(); + $natent['external'] = $_POST['external']; + $natent['internal'] = $_POST['internal']; + $natent['subnet'] = $_POST['subnet']; + $natent['descr'] = $_POST['descr']; + + if (isset($id) && $a_1to1[$id]) + $a_1to1[$id] = $natent; + else + $a_1to1[] = $natent; + + touch($d_natconfdirty_path); + + write_config(); + + header("Location: firewall_nat_1to1.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT: Edit 1:1 + + + + + + +

Firewall: NAT: Edit 1:1

+ + +
+ + + + + + + + + + + + + + + + + +
External subnet + + / + +
+ Enter the external (WAN) subnet for the 1:1 mapping. You may map single IP addresses by specifying a /32 subnet.
Internal subnet + +
+ Enter the internal (LAN) subnet for the 1:1 mapping. The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/webgui/firewall_nat_edit.php b/webgui/firewall_nat_edit.php new file mode 100644 index 0000000..a3f4719 --- /dev/null +++ b/webgui/firewall_nat_edit.php @@ -0,0 +1,334 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['rule'])) { + $config['nat']['rule'] = array(); +} +nat_rules_sort(); +$a_nat = &$config['nat']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_nat[$id]) { + $pconfig['extaddr'] = $a_nat[$id]['external-address']; + $pconfig['proto'] = $a_nat[$id]['protocol']; + list($pconfig['beginport'],$pconfig['endport']) = explode("-", $a_nat[$id]['external-port']); + $pconfig['localip'] = $a_nat[$id]['target']; + $pconfig['localbeginport'] = $a_nat[$id]['local-port']; + $pconfig['descr'] = $a_nat[$id]['descr']; +} + +if ($_POST) { + + if ($_POST['beginport_cust'] && !$_POST['beginport']) + $_POST['beginport'] = $_POST['beginport_cust']; + if ($_POST['endport_cust'] && !$_POST['endport']) + $_POST['endport'] = $_POST['endport_cust']; + if ($_POST['localbeginport_cust'] && !$_POST['localbeginport']) + $_POST['localbeginport'] = $_POST['localbeginport_cust']; + + if (!$_POST['endport']) + $_POST['endport'] = $_POST['beginport']; + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "proto beginport localip localbeginport"); + $reqdfieldsn = explode(",", "Protocol,Start port,NAT IP,Local port"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['beginport'] && !is_port($_POST['beginport']))) { + $input_errors[] = "The start port must be an integer between 1 and 65535."; + } + if (($_POST['endport'] && !is_port($_POST['endport']))) { + $input_errors[] = "The end port must be an integer between 1 and 65535."; + } + if (($_POST['localbeginport'] && !is_port($_POST['localbeginport']))) { + $input_errors[] = "The local port must be an integer between 1 and 65535."; + } + if (($_POST['localip'] && !is_ipaddroralias($_POST['localip']))) { + $input_errors[] = "A valid NAT IP address or host alias must be specified."; + } + + if ($_POST['beginport'] > $_POST['endport']) { + /* swap */ + $tmp = $_POST['endport']; + $_POST['endport'] = $_POST['beginport']; + $_POST['beginport'] = $tmp; + } + + /* check for overlaps */ + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['external-address'] != $_POST['extaddr']) + continue; + + list($begp,$endp) = explode("-", $natent['external-port']); + if (!$endp) + $endp = $begp; + + if (!( (($_POST['beginport'] < $begp) && ($_POST['endport'] < $begp)) + || (($_POST['beginport'] > $endp) && ($_POST['endport'] > $endp)))) { + + $input_errors[] = "The external port range overlaps with an existing entry."; + break; + } + } + + if (!$input_errors) { + $natent = array(); + if ($_POST['extaddr']) + $natent['external-address'] = $_POST['extaddr']; + $natent['protocol'] = $_POST['proto']; + + if ($_POST['beginport'] == $_POST['endport']) + $natent['external-port'] = $_POST['beginport']; + else + $natent['external-port'] = $_POST['beginport'] . "-" . $_POST['endport']; + + $natent['target'] = $_POST['localip']; + $natent['local-port'] = $_POST['localbeginport']; + $natent['descr'] = $_POST['descr']; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else + $a_nat[] = $natent; + + touch($d_natconfdirty_path); + + if ($_POST['autoadd']) { + /* auto-generate a matching firewall rule */ + $filterent = array(); + $filterent['interface'] = "wan"; + $filterent['protocol'] = $_POST['proto']; + $filterent['source']['any'] = ""; + $filterent['destination']['address'] = $_POST['localip']; + + $dstpfrom = $_POST['localbeginport']; + $dstpto = $dstpfrom + $_POST['endport'] - $_POST['beginport']; + + if ($dstpfrom == $dstpto) + $filterent['destination']['port'] = $dstpfrom; + else + $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto; + + $filterent['descr'] = "NAT " . $_POST['descr']; + + $config['filter']['rule'][] = $filterent; + + touch($d_filterconfdirty_path); + } + + write_config(); + + header("Location: firewall_nat.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT: Edit + + + + + + + +

Firewall: NAT: Edit

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
External address +
+ If you want this rule to apply to another IP address than m0n0wall's WAN IP address, + select it here (you need to define IP addresses on the + Server NAT page first).
Protocol +
Choose which IP protocol + this rule should match.
+ Hint: in most cases, you should specify TCP  here.
External port + range + + + + + + + + + +
from:  
to:
+
Specify the port or port range on + the firewall's external address for this mapping.
+ Hint: you can leave the 'to' field empty if you only + want to map a single port
NAT IP + +
Enter the internal IP address of + the server on which you want to map the ports.
+ e.g. 192.168.1.12
Local port + +
+ Specify the port on the machine with the + IP address entered above. In case of a port range, specify + the beginning port of the range (the end port will be calculated + automatically).
+ Hint: this is usually identical to the 'from' port above
Description + +
You may enter a description here + for your reference (not parsed).
  + + Auto-add a firewall rule to permit traffic through + this NAT rule
  + + + + +
+
+ + + + diff --git a/webgui/firewall_nat_out.php b/webgui/firewall_nat_out.php new file mode 100644 index 0000000..6c812ea --- /dev/null +++ b/webgui/firewall_nat_out.php @@ -0,0 +1,175 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['advancedoutbound']['rule'])) + $config['nat']['advancedoutbound']['rule'] = array(); + +$a_out = &$config['nat']['advancedoutbound']['rule']; +nat_out_rules_sort(); + +if ($_POST) { + + $pconfig = $_POST; + + $config['nat']['advancedoutbound']['enable'] = ($_POST['enable']) ? true : false; + write_config(); + + $retval = 0; + + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } +} + +if ($_GET['act'] == "del") { + if ($a_out[$_GET['id']]) { + unset($a_out[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat_out.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT + + + + + + +

Firewall: NAT

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + +
InboundServer NAT1:1Outbound 
+ + + + + + + + + + +

+ > + Enable advanced outbound NAT
+

+

Note:
+ If advanced outbound NAT is enabled, no outbound NAT + rules will be automatically generated anymore. Instead, only the mappings + you specify below will be used. With advanced outbound NAT disabled, + a mapping is automatically created for each interface's subnet + (except WAN). If you use target addresses other than the WAN interface's IP address, then depending on the way your WAN connection is setup, you may also need proxy ARP.
+
+ You may enter your own mappings below.

+
+  
+ + + + + + + + + + + + + + + + + + + + + +
SourceDestinationTargetDescription
+ + + + + + +   + +  
+
+
+ + + diff --git a/webgui/firewall_nat_out_edit.php b/webgui/firewall_nat_out_edit.php new file mode 100644 index 0000000..b9625f8 --- /dev/null +++ b/webgui/firewall_nat_out_edit.php @@ -0,0 +1,286 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['advancedoutbound']['rule'])) + $config['nat']['advancedoutbound']['rule'] = array(); + +$a_out = &$config['nat']['advancedoutbound']['rule']; +nat_out_rules_sort(); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +function network_to_pconfig($adr, &$padr, &$pmask, &$pnot) { + + if (isset($adr['any'])) + $padr = "any"; + else if ($adr['network']) { + list($padr, $pmask) = explode("/", $adr['network']); + if (!$pmask) + $pmask = 32; + } + + if (isset($adr['not'])) + $pnot = 1; + else + $pnot = 0; +} + +if (isset($id) && $a_out[$id]) { + list($pconfig['source'],$pconfig['source_subnet']) = explode('/', $a_out[$id]['source']['network']); + network_to_pconfig($a_out[$id]['destination'], $pconfig['destination'], + $pconfig['destination_subnet'], $pconfig['destination_not']); + $pconfig['target'] = $a_out[$id]['target']; + $pconfig['descr'] = $a_out[$id]['descr']; +} else { + $pconfig['source_subnet'] = 24; + $pconfig['destination'] = "any"; + $pconfig['destination_subnet'] = 24; +} + +if ($_POST) { + + if ($_POST['destination_type'] == "any") { + $_POST['destination'] = "any"; + $_POST['destination_subnet'] = 24; + } + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "source source_subnet destination destination_subnet"); + $reqdfieldsn = explode(",", "Source,Source bit count,Destination,Destination bit count"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['source'] && !is_ipaddr($_POST['source'])) { + $input_errors[] = "A valid source must be specified."; + } + if ($_POST['source_subnet'] && !is_numericint($_POST['source_subnet'])) { + $input_errors[] = "A valid source bit count must be specified."; + } + if ($_POST['destination_type'] != "any") { + if ($_POST['destination'] && !is_ipaddr($_POST['destination'])) { + $input_errors[] = "A valid destination must be specified."; + } + if ($_POST['destination_subnet'] && !is_numericint($_POST['destination_subnet'])) { + $input_errors[] = "A valid destination bit count must be specified."; + } + } + if ($_POST['target'] && !is_ipaddr($_POST['target'])) { + $input_errors[] = "A valid target IP address must be specified."; + } + + /* check for existing entries */ + $osn = gen_subnet($_POST['source'], $_POST['source_subnet']) . "/" . $_POST['source_subnet']; + if ($_POST['destination_type'] == "any") + $ext = "any"; + else + $ext = gen_subnet($_POST['destination'], $_POST['destination_subnet']) . "/" + . $_POST['destination_subnet']; + + if ($_POST['target']) { + /* check for clashes with 1:1 NAT (Server NAT is OK) */ + if (is_array($config['nat']['onetoone'])) { + foreach ($config['nat']['onetoone'] as $natent) { + if (check_subnets_overlap($_POST['target'], 32, $natent['external'], $natent['subnet'])) { + $input_errors[] = "A 1:1 NAT mapping overlaps with the specified target IP address."; + break; + } + } + } + } + + foreach ($a_out as $natent) { + if (isset($id) && ($a_out[$id]) && ($a_out[$id] === $natent)) + continue; + + if ($natent['source']['network'] == $osn) { + if (isset($natent['destination']['not']) == isset($_POST['destination_not'])) { + if ((isset($natent['destination']['any']) && ($ext == "any")) || + ($natent['destination']['network'] == $ext)) { + $input_errors[] = "There is already an outbound NAT rule with the specified settings."; + break; + } + } + } + } + + if (!$input_errors) { + $natent = array(); + $natent['source']['network'] = $osn; + $natent['descr'] = $_POST['descr']; + $natent['target'] = $_POST['target']; + + if ($ext == "any") + $natent['destination']['any'] = true; + else + $natent['destination']['network'] = $ext; + + if (isset($_POST['destination_not']) && $ext != "any") + $natent['destination']['not'] = true; + + if (isset($id) && $a_out[$id]) + $a_out[$id] = $natent; + else + $a_out[] = $natent; + + touch($d_natconfdirty_path); + + write_config(); + + header("Location: firewall_nat_out.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT: Edit outbound mapping + + + + + + + +

Firewall: NAT: Edit outbound mapping

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
Source + + + / + +
+ Enter the source network for the outbound NAT mapping.
Destination +> + not
+ Use this option to invert the sense of the match.
+
+ + + + + + + + + + + + + +
Type:  
Address:   + / +
 Enter the destination network for + the outbound NAT mapping.
Target + +
+ Packets matching this rule will be mapped to the IP address given here. Leave blank to use the WAN interface's IP address.
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + + diff --git a/webgui/firewall_nat_server.php b/webgui/firewall_nat_server.php new file mode 100644 index 0000000..bebceeb --- /dev/null +++ b/webgui/firewall_nat_server.php @@ -0,0 +1,143 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['servernat'])) { + $config['nat']['servernat'] = array(); +} +$a_snat = &$config['nat']['servernat']; +nat_server_rules_sort(); + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval |= filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_snat[$_GET['id']]) { + /* make sure no inbound NAT mappings reference this entry */ + if (is_array($config['nat']['rule'])) { + foreach ($config['nat']['rule'] as $rule) { + if ($rule['external-address'] == $a_snat[$_GET['id']]['ipaddr']) { + $input_errors[] = "This entry cannot be deleted because it is still referenced by at least one inbound NAT mapping."; + break; + } + } + } + + if (!$input_errors) { + unset($a_snat[$_GET['id']]); + write_config(); + touch($d_natconfdirty_path); + header("Location: firewall_nat_server.php"); + exit; + } + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT + + + + + + +

Firewall: NAT

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + +
InboundServer NAT1:1Outbound 
+ + + + + + + + + + + + + + + + + +
External IPDescription
+ + +   + +  
+

Note:
+ The external IP addresses defined on this page may be used in inbound NAT mappings. Depending on the way your WAN connection is setup, you may also need proxy ARP.

+
+
+ + + diff --git a/webgui/firewall_nat_server_edit.php b/webgui/firewall_nat_server_edit.php new file mode 100644 index 0000000..6baafb2 --- /dev/null +++ b/webgui/firewall_nat_server_edit.php @@ -0,0 +1,149 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['nat']['servernat'])) { + $config['nat']['servernat'] = array(); +} +nat_server_rules_sort(); +$a_snat = &$config['nat']['servernat']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_snat[$id]) { + $pconfig['ipaddr'] = $a_snat[$id]['ipaddr']; + $pconfig['descr'] = $a_snat[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ipaddr"); + $reqdfieldsn = explode(",", "External IP address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid external IP address must be specified."; + } + + if ($_POST['ipaddr'] == $config['interfaces']['wan']['ipaddr']) + $input_errors[] = "The WAN IP address may not be used in a Server NAT entry."; + + /* check for overlaps with other server NAT */ + foreach ($a_snat as $natent) { + if (isset($id) && ($a_snat[$id]) && ($a_snat[$id] === $natent)) + continue; + + if ($_POST['ipaddr'] == $natent['ipaddr']) { + $input_errors[] = "There is already a server NAT entry for the specified external IP address."; + break; + } + } + + /* check for overlaps with 1:1 NAT */ + if (is_array($config['nat']['onetoone'])) { + foreach ($config['nat']['onetoone'] as $natent) { + if (check_subnets_overlap($_POST['ipaddr'], 32, $natent['external'], $natent['subnet'])) { + $input_errors[] = "A 1:1 NAT mapping overlaps with the specified external IP address."; + break; + } + } + } + + if (!$input_errors) { + $natent = array(); + $natent['ipaddr'] = $_POST['ipaddr']; + $natent['descr'] = $_POST['descr']; + + if (isset($id) && $a_snat[$id]) + $a_snat[$id] = $natent; + else + $a_snat[] = $natent; + + touch($d_natconfdirty_path); + + write_config(); + + header("Location: firewall_nat_server.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: NAT: Edit Server NAT + + + + + + +

Firewall: NAT: Edit Server NAT

+ + +
+ + + + + + + + + + + + + +
External IP + + +
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/webgui/firewall_rules.php b/webgui/firewall_rules.php new file mode 100644 index 0000000..ed44d69 --- /dev/null +++ b/webgui/firewall_rules.php @@ -0,0 +1,242 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['filter']['rule'])) { + $config['filter']['rule'] = array(); +} +filter_rules_sort(); +$a_filter = &$config['filter']['rule']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = filter_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_filter[$_GET['id']]) { + unset($a_filter[$_GET['id']]); + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} else if ($_GET['act'] == "down") { + if ($a_filter[$_GET['id']] && $a_filter[$_GET['id']+1]) { + $tmp = $a_filter[$_GET['id']+1]; + $a_filter[$_GET['id']+1] = $a_filter[$_GET['id']]; + $a_filter[$_GET['id']] = $tmp; + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} else if ($_GET['act'] == "up") { + if (($_GET['id'] > 0) && $a_filter[$_GET['id']]) { + $tmp = $a_filter[$_GET['id']-1]; + $a_filter[$_GET['id']-1] = $a_filter[$_GET['id']]; + $a_filter[$_GET['id']] = $tmp; + write_config(); + touch($d_filterconfdirty_path); + header("Location: firewall_rules.php"); + exit; + } +} + +?> + + + +m0n0wall webGUI - Firewall: Rules + + + + + + +

Firewall: Rules

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
'LAN interface', 'wan' => 'WAN interface', 'pptp' => 'PPTP clients'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr'] . " interface"; + echo htmlspecialchars($iflabels[$filterent['interface']]); ?>
 ProtoSourcePortDestinationPortDescription
+ + + +
+ + 		+ + + + + + + + + + +   + + edit rule + 0) && ($a_filter[$i-1]['interface'] == $filterent['interface'])): ?> + move up + + +
+ delete rule + + move down + + + + add a new rule based on this one +
add new rule
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
passblockrejectlog
pass (disabled)block (disabled)reject (disabled)log (disabled)
+

+ Hint:
+ rules are evaluated on a first-match basis (i.e. + the action of the first rule to match a packet will be executed). + This means that if you use block rules, you'll have to pay attention + to the rule order. Everything that isn't explicitly passed is blocked + by default.

+
+ + + diff --git a/webgui/firewall_rules_edit.php b/webgui/firewall_rules_edit.php new file mode 100644 index 0000000..ca78a7f --- /dev/null +++ b/webgui/firewall_rules_edit.php @@ -0,0 +1,691 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$specialsrcdst = explode(" ", "any lan pptp"); + +if (!is_array($config['filter']['rule'])) { + $config['filter']['rule'] = array(); +} +filter_rules_sort(); +$a_filter = &$config['filter']['rule']; + +$id = $_GET['id']; +if (is_numeric($_POST['id'])) + $id = $_POST['id']; + +$after = $_GET['after']; + +if (isset($_POST['after'])) + $after = $_POST['after']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +function is_specialnet($net) { + global $specialsrcdst; + + if (in_array($net, $specialsrcdst) || strstr($net, "opt")) + return true; + else + return false; +} + +function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) { + + if (isset($adr['any'])) + $padr = "any"; + else if ($adr['network']) + $padr = $adr['network']; + else if ($adr['address']) { + list($padr, $pmask) = explode("/", $adr['address']); + if (!$pmask) + $pmask = 32; + } + + if (isset($adr['not'])) + $pnot = 1; + else + $pnot = 0; + + if ($adr['port']) { + list($pbeginport, $pendport) = explode("-", $adr['port']); + if (!$pendport) + $pendport = $pbeginport; + } else { + $pbeginport = "any"; + $pendport = "any"; + } +} + +function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) { + + $adr = array(); + + if ($padr == "any") + $adr['any'] = true; + else if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } + + $adr['not'] = $pnot ? true : false; + + if (($pbeginport != 0) && ($pbeginport != "any")) { + if ($pbeginport != $pendport) + $adr['port'] = $pbeginport . "-" . $pendport; + else + $adr['port'] = $pbeginport; + } +} + +if (isset($id) && $a_filter[$id]) { + $pconfig['interface'] = $a_filter[$id]['interface']; + + if (!isset($a_filter[$id]['type'])) + $pconfig['type'] = "pass"; + else + $pconfig['type'] = $a_filter[$id]['type']; + + if (isset($a_filter[$id]['protocol'])) + $pconfig['proto'] = $a_filter[$id]['protocol']; + else + $pconfig['proto'] = "any"; + + address_to_pconfig($a_filter[$id]['source'], $pconfig['src'], + $pconfig['srcmask'], $pconfig['srcnot'], + $pconfig['srcbeginport'], $pconfig['srcendport']); + + address_to_pconfig($a_filter[$id]['destination'], $pconfig['dst'], + $pconfig['dstmask'], $pconfig['dstnot'], + $pconfig['dstbeginport'], $pconfig['dstendport']); + + $pconfig['disabled'] = isset($a_filter[$id]['disabled']); + $pconfig['log'] = isset($a_filter[$id]['log']); + $pconfig['frags'] = isset($a_filter[$id]['frags']); + $pconfig['descr'] = $a_filter[$id]['descr']; + +} else { + /* defaults */ + $pconfig['type'] = "pass"; + $pconfig['src'] = "any"; + $pconfig['dst'] = "any"; +} + +if (isset($_GET['dup'])) + unset($id); + +if ($_POST) { + + if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + + if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport']) + $_POST['srcbeginport'] = $_POST['srcbeginport_cust']; + if ($_POST['srcendport_cust'] && !$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcendport_cust']; + + if ($_POST['srcbeginport'] == "any") { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } else { + if (!$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcbeginport']; + } + if ($_POST['srcendport'] == "any") + $_POST['srcendport'] = $_POST['srcbeginport']; + + if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport']) + $_POST['dstbeginport'] = $_POST['dstbeginport_cust']; + if ($_POST['dstendport_cust'] && !$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstendport_cust']; + + if ($_POST['dstbeginport'] == "any") { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + if (!$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstbeginport']; + } + if ($_POST['dstendport'] == "any") + $_POST['dstendport'] = $_POST['dstbeginport']; + } + + if (is_specialnet($_POST['srctype'])) { + $_POST['src'] = $_POST['srctype']; + $_POST['srcmask'] = 0; + } else if ($_POST['srctype'] == "single") { + $_POST['srcmask'] = 32; + } + if (is_specialnet($_POST['dsttype'])) { + $_POST['dst'] = $_POST['dsttype']; + $_POST['dstmask'] = 0; + } else if ($_POST['dsttype'] == "single") { + $_POST['dstmask'] = 32; + } + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "type interface proto src dst"); + $reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination"); + + if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) { + $reqdfields[] = "srcmask"; + $reqdfieldsn[] = "Source bit count"; + } + if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) { + $reqdfields[] = "dstmask"; + $reqdfieldsn[] = "Destination bit count"; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$_POST['srcbeginport']) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } + if (!$_POST['dstbeginport']) { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } + + if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) { + $input_errors[] = "The start source port must be an integer between 1 and 65535."; + } + if (($_POST['srcendport'] && !is_port($_POST['srcendport']))) { + $input_errors[] = "The end source port must be an integer between 1 and 65535."; + } + if (($_POST['dstbeginport'] && !is_port($_POST['dstbeginport']))) { + $input_errors[] = "The start destination port must be an integer between 1 and 65535."; + } + if (($_POST['dstendport'] && !is_port($_POST['dstendport']))) { + $input_errors[] = "The end destination port must be an integer between 1 and 65535."; + } + + if (!is_specialnet($_POST['srctype'])) { + if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) { + $input_errors[] = "A valid source IP address or alias must be specified."; + } + if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { + $input_errors[] = "A valid source bit count must be specified."; + } + } + if (!is_specialnet($_POST['dsttype'])) { + if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) { + $input_errors[] = "A valid destination IP address or alias must be specified."; + } + if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { + $input_errors[] = "A valid destination bit count must be specified."; + } + } + + if ($_POST['srcbeginport'] > $_POST['srcendport']) { + /* swap */ + $tmp = $_POST['srcendport']; + $_POST['srcendport'] = $_POST['srcbeginport']; + $_POST['srcbeginport'] = $tmp; + } + if ($_POST['dstbeginport'] > $_POST['dstendport']) { + /* swap */ + $tmp = $_POST['dstendport']; + $_POST['dstendport'] = $_POST['dstbeginport']; + $_POST['dstbeginport'] = $tmp; + } + + if (!$input_errors) { + $filterent = array(); + $filterent['type'] = $_POST['type']; + $filterent['interface'] = $_POST['interface']; + + if ($_POST['proto'] != "any") + $filterent['protocol'] = $_POST['proto']; + else + unset($filterent['protocol']); + + pconfig_to_address($filterent['source'], $_POST['src'], + $_POST['srcmask'], $_POST['srcnot'], + $_POST['srcbeginport'], $_POST['srcendport']); + + pconfig_to_address($filterent['destination'], $_POST['dst'], + $_POST['dstmask'], $_POST['dstnot'], + $_POST['dstbeginport'], $_POST['dstendport']); + + $filterent['disabled'] = $_POST['disabled'] ? true : false; + $filterent['log'] = $_POST['log'] ? true : false; + $filterent['frags'] = $_POST['frags'] ? true : false; + $filterent['descr'] = $_POST['descr']; + + if (isset($id) && $a_filter[$id]) + $a_filter[$id] = $filterent; + else { + if (is_numeric($after)) + array_splice($a_filter, $after+1, 0, array($filterent)); + else + $a_filter[] = $filterent; + } + + write_config(); + touch($d_filterconfdirty_path); + + header("Location: firewall_rules.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: Rules: Edit + + + + + + + +

Firewall: Rules: Edit

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Action +
+ Choose what to do with packets that match + the criteria specified below.
+Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Reject only works when the protocol is set to either TCP or UDP (but not "TCP/UDP") below.
Disabled + > + Disable this rule
+ Set this option to disable this rule without + removing it from the list.
Interface +
+ Choose on which interface packets must + come in to match this rule.
Protocol +
+ Choose which IP protocol this rule should + match.
+ Hint: in most cases, you should specify TCP  here.
Source +> + not
+ Use this option to invert the sense of the match.
+
+ + + + + + + + + +
Type:  
Address:   + / + +
Source port range + + + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the source of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Destination + > + not
+ Use this option to invert the sense of the match.
+
+ + + + + + + + + +
Type:  
Address:   + / +
Destination port + range + + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the destination of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Fragments + > + Allow fragmented packets
+ Hint: this option puts additional load + on the firewall and may make it vulnerable to DoS attacks. + In most cases, it is not needed. Try enabling it if you have + troubles connecting to certain sites.
Log + > + Log packets that are handled by this rule
+ Hint: the firewall has limited local log + space. Don't turn on logging for everything. If you want to + do a lot of logging, consider using a remote syslog server + (see the Diagnostics: System + logs: Settings page).
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + + +
+
+ + + + diff --git a/webgui/firewall_shaper.php b/webgui/firewall_shaper.php new file mode 100644 index 0000000..8288402 --- /dev/null +++ b/webgui/firewall_shaper.php @@ -0,0 +1,225 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['shaper']['rule'])) { + $config['shaper']['rule'] = array(); +} +$a_shaper = &$config['shaper']['rule']; + +$pconfig['enable'] = isset($config['shaper']['enable']); + +if ($_POST) { + + if ($_POST['submit']) { + $pconfig = $_POST; + $config['shaper']['enable'] = $_POST['enable'] ? true : false; + write_config(); + } + + if ($_POST['apply'] || $_POST['submit']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = shaper_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_shaperconfdirty_path)) + unlink($d_shaperconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_shaper[$_GET['id']]) { + unset($a_shaper[$_GET['id']]); + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} else if ($_GET['act'] == "down") { + if ($a_shaper[$_GET['id']] && $a_shaper[$_GET['id']+1]) { + $tmp = $a_shaper[$_GET['id']+1]; + $a_shaper[$_GET['id']+1] = $a_shaper[$_GET['id']]; + $a_shaper[$_GET['id']] = $tmp; + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} else if ($_GET['act'] == "up") { + if (($_GET['id'] > 0) && $a_shaper[$_GET['id']]) { + $tmp = $a_shaper[$_GET['id']-1]; + $a_shaper[$_GET['id']-1] = $a_shaper[$_GET['id']]; + $a_shaper[$_GET['id']] = $tmp; + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: Traffic shaper + + + + + + +

Firewall: Traffic shaper

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + +

+ +
RulesPipesQueues 
+ + + + + + + +

+ > + Enable traffic shaper
+

+
+  
+ + + + + + + + + + + + + + + + + + + + + + + + + +
IfProtoSourceDestinationTargetDescription
+ 'LAN', 'wan' => 'WAN', 'pptp' => 'PPTP'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + echo htmlspecialchars($iflabels[$shaperent['interface']]); + if ($shaperent['direction']) + echo "
"; + ?> + 		+ + +
+ Port: + + 		+
+ Port: + + 		+ Pipe " . + ($shaperent['targetpipe']+1) . ""; + else if (isset($shaperent['targetqueue'])) + echo "Queue " . + ($shaperent['targetqueue']+1) . ""; + ?> + + +   edit rule + 0): ?> + move up + + +
+ delete rule + + move down + + + + add a new rule based on this one +
+ + + + + + + + + + + + + +
incoming (as seen by firewall)
outgoing (as seen by firewall)
+

Note:
+ the first rule that matches a packet will be executed.
+ The following match patterns are not shown in the list above: + IP packet length, TCP flags.

+
+ + + diff --git a/webgui/firewall_shaper_edit.php b/webgui/firewall_shaper_edit.php new file mode 100644 index 0000000..14b39f5 --- /dev/null +++ b/webgui/firewall_shaper_edit.php @@ -0,0 +1,735 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['shaper']['rule'])) { + $config['shaper']['rule'] = array(); +} +$a_shaper = &$config['shaper']['rule']; + +$specialsrcdst = explode(" ", "any lan pptp"); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$after = $_GET['after']; +if (isset($_POST['after'])) + $after = $_POST['after']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +function is_specialnet($net) { + global $specialsrcdst; + + if (in_array($net, $specialsrcdst) || strstr($net, "opt")) + return true; + else + return false; +} + +function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) { + + if (isset($adr['any'])) + $padr = "any"; + else if ($adr['network']) + $padr = $adr['network']; + else if ($adr['address']) { + list($padr, $pmask) = explode("/", $adr['address']); + if (!$pmask) + $pmask = 32; + } + + if (isset($adr['not'])) + $pnot = 1; + else + $pnot = 0; + + if ($adr['port']) { + list($pbeginport, $pendport) = explode("-", $adr['port']); + if (!$pendport) + $pendport = $pbeginport; + } else { + $pbeginport = "any"; + $pendport = "any"; + } +} + +function pconfig_to_address(&$adr, $padr, $pmask, $pnot, $pbeginport, $pendport) { + + $adr = array(); + + if ($padr == "any") + $adr['any'] = true; + else if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } + + $adr['not'] = $pnot ? true : false; + + if (($pbeginport != 0) && ($pbeginport != "any")) { + if ($pbeginport != $pendport) + $adr['port'] = $pbeginport . "-" . $pendport; + else + $adr['port'] = $pbeginport; + } +} + +if (isset($id) && $a_shaper[$id]) { + $pconfig['interface'] = $a_shaper[$id]['interface']; + + if (isset($a_shaper[$id]['protocol'])) + $pconfig['proto'] = $a_shaper[$id]['protocol']; + else + $pconfig['proto'] = "any"; + + address_to_pconfig($a_shaper[$id]['source'], $pconfig['src'], + $pconfig['srcmask'], $pconfig['srcnot'], + $pconfig['srcbeginport'], $pconfig['srcendport']); + + address_to_pconfig($a_shaper[$id]['destination'], $pconfig['dst'], + $pconfig['dstmask'], $pconfig['dstnot'], + $pconfig['dstbeginport'], $pconfig['dstendport']); + + if (isset($a_shaper[$id]['targetpipe'])) { + $pconfig['target'] = "targetpipe:" . $a_shaper[$id]['targetpipe']; + } else if (isset($a_shaper[$id]['targetqueue'])) { + $pconfig['target'] = "targetqueue:" . $a_shaper[$id]['targetqueue']; + } + + $pconfig['direction'] = $a_shaper[$id]['direction']; + $pconfig['iplen'] = $a_shaper[$id]['iplen']; + $pconfig['tcpflags'] = $a_shaper[$id]['tcpflags']; + $pconfig['descr'] = $a_shaper[$id]['descr']; + + if ($pconfig['srcbeginport'] == 0) { + $pconfig['srcbeginport'] = "any"; + $pconfig['srcendport'] = "any"; + } + if ($pconfig['dstbeginport'] == 0) { + $pconfig['dstbeginport'] = "any"; + $pconfig['dstendport'] = "any"; + } + +} else { + /* defaults */ + $pconfig['src'] = "any"; + $pconfig['dst'] = "any"; +} + +if (isset($_GET['dup'])) + unset($id); + +if ($_POST) { + + if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + + if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport']) + $_POST['srcbeginport'] = $_POST['srcbeginport_cust']; + if ($_POST['srcendport_cust'] && !$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcendport_cust']; + + if ($_POST['srcbeginport'] == "any") { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } else { + if (!$_POST['srcendport']) + $_POST['srcendport'] = $_POST['srcbeginport']; + } + if ($_POST['srcendport'] == "any") + $_POST['srcendport'] = $_POST['srcbeginport']; + + if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport']) + $_POST['dstbeginport'] = $_POST['dstbeginport_cust']; + if ($_POST['dstendport_cust'] && !$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstendport_cust']; + + if ($_POST['dstbeginport'] == "any") { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + if (!$_POST['dstendport']) + $_POST['dstendport'] = $_POST['dstbeginport']; + } + if ($_POST['dstendport'] == "any") + $_POST['dstendport'] = $_POST['dstbeginport']; + } + + if (is_specialnet($_POST['srctype'])) { + $_POST['src'] = $_POST['srctype']; + $_POST['srcmask'] = 0; + } else if ($_POST['srctype'] == "single") { + $_POST['srcmask'] = 32; + } + if (is_specialnet($_POST['dsttype'])) { + $_POST['dst'] = $_POST['dsttype']; + $_POST['dstmask'] = 0; + } else if ($_POST['dsttype'] == "single") { + $_POST['dstmask'] = 32; + } + + $intcpflags = array(); + foreach ($tcpflags as $tcpflag) { + if ($_POST['tcpflags_' . $tcpflag] == "on") + $intcpflags[] = $tcpflag; + else if ($_POST['tcpflags_' . $tcpflag] == "off") + $intcpflags[] = "!" . $tcpflag; + } + $_POST['tcpflags'] = join(",", $intcpflags); + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "target proto src dst"); + $reqdfieldsn = explode(",", "Target,Protocol,Source,Destination"); + + if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) { + $reqdfields[] = "srcmask"; + $reqdfieldsn[] = "Source bit count"; + } + if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) { + $reqdfields[] = "dstmask"; + $reqdfieldsn[] = "Destination bit count"; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$_POST['srcbeginport']) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } + if (!$_POST['dstbeginport']) { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } + + if (($_POST['srcbeginport'] && !is_port($_POST['srcbeginport']))) { + $input_errors[] = "The start source port must be an integer between 1 and 65535."; + } + if (($_POST['srcendport'] && !is_port($_POST['srcendport']))) { + $input_errors[] = "The end source port must be an integer between 1 and 65535."; + } + if (($_POST['dstbeginport'] && !is_port($_POST['dstbeginport']))) { + $input_errors[] = "The start destination port must be an integer between 1 and 65535."; + } + if (($_POST['dstendport'] && !is_port($_POST['dstendport']))) { + $input_errors[] = "The end destination port must be an integer between 1 and 65535."; + } + + if (!is_specialnet($_POST['srctype'])) { + if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) { + $input_errors[] = "A valid source IP address or alias must be specified."; + } + if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { + $input_errors[] = "A valid source bit count must be specified."; + } + } + if (!is_specialnet($_POST['dsttype'])) { + if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) { + $input_errors[] = "A valid destination IP address or alias must be specified."; + } + if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { + $input_errors[] = "A valid destination bit count must be specified."; + } + } + + if ($_POST['srcbeginport'] > $_POST['srcendport']) { + /* swap */ + $tmp = $_POST['srcendport']; + $_POST['srcendport'] = $_POST['srcbeginport']; + $_POST['srcbeginport'] = $tmp; + } + if ($_POST['dstbeginport'] > $_POST['dstendport']) { + /* swap */ + $tmp = $_POST['dstendport']; + $_POST['dstendport'] = $_POST['dstbeginport']; + $_POST['dstbeginport'] = $tmp; + } + + if (($_POST['iplen'] && !preg_match("/^(\d+)(-(\d+))?$/", $_POST['iplen']))) { + $input_errors[] = "The IP packet length must be an integer or a range (from-to)."; + } + + if (!$input_errors) { + $shaperent = array(); + $shaperent['interface'] = $_POST['interface']; + + if ($_POST['proto'] != "any") + $shaperent['protocol'] = $_POST['proto']; + else + unset($shaperent['protocol']); + + pconfig_to_address($shaperent['source'], $_POST['src'], + $_POST['srcmask'], $_POST['srcnot'], + $_POST['srcbeginport'], $_POST['srcendport']); + + pconfig_to_address($shaperent['destination'], $_POST['dst'], + $_POST['dstmask'], $_POST['dstnot'], + $_POST['dstbeginport'], $_POST['dstendport']); + + $shaperent['direction'] = $_POST['direction']; + $shaperent['iplen'] = $_POST['iplen']; + $shaperent['tcpflags'] = $_POST['tcpflags']; + $shaperent['descr'] = $_POST['descr']; + + list($targettype,$target) = explode(":", $_POST['target']); + $shaperent[$targettype] = $target; + + if (isset($id) && $a_shaper[$id]) + $a_shaper[$id] = $shaperent; + else { + if (is_numeric($after)) + array_splice($a_shaper, $after+1, 0, array($shaperent)); + else + $a_shaper[] = $shaperent; + } + + write_config(); + touch($d_shaperconfdirty_path); + + header("Location: firewall_shaper.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: Traffic shaper: Edit rule + + + + + + + +

Firewall: Traffic shaper: Edit rule

+ + + 0)): ?> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Target
+ Choose a pipe or queue where packets that + match this rule should be sent.
Interface
+ Choose which interface packets must pass + through to match this rule.
Protocol
Choose which IP protocol + this rule should match.
+ Hint: in most cases, you should specify TCP  here.
Source > + not
+ Use this option to invert the sense of the match.

+ + + + + + + + + +
Type:  
Address:   + / +
Source port range + + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the source of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Destination > + not
+ Use this option to invert the sense of the match.

+ + + + + + + + + +
Type:  
Address:   + / +
Destination port + range + + + + + + + + +
from:  
to:
+
Specify the port or port range for + the destination of the packet for this rule.
+ Hint: you can leave the 'to' field empty if you only + want to filter a single port
Direction
+ Use this to match only packets travelling in a given direction + on the interface specified above (as seen from the firewall's + perspective).
IP packet length +
+ Setting this makes the rule match packets of a given length + (either a single value or a range in the syntax from-to, + e.g. 0-80).
TCP flags + + + + + + + + +
+ + > + set    > + cleared    > + don't care
+ Use this to choose TCP flags that must + be set or cleared for this rule to match.
Description +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + +

You need to create a pipe or queue before you can add a new rule.

+ + + + diff --git a/webgui/firewall_shaper_pipes.php b/webgui/firewall_shaper_pipes.php new file mode 100644 index 0000000..e80500a --- /dev/null +++ b/webgui/firewall_shaper_pipes.php @@ -0,0 +1,165 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['shaper']['pipe'])) { + $config['shaper']['pipe'] = array(); +} +if (!is_array($config['shaper']['queue'])) { + $config['shaper']['queue'] = array(); +} +$a_pipes = &$config['shaper']['pipe']; + +if ($_GET['act'] == "del") { + if ($a_pipes[$_GET['id']]) { + /* check that no rule references this pipe */ + if (is_array($config['shaper']['rule'])) { + foreach ($config['shaper']['rule'] as $rule) { + if (isset($rule['targetpipe']) && ($rule['targetpipe'] == $_GET['id'])) { + $input_errors[] = "This pipe cannot be deleted because it is still referenced by a rule."; + break; + } + } + } + + /* check that no queue references this pipe */ + if (is_array($config['shaper']['queue'])) { + foreach ($config['shaper']['queue'] as $queue) { + if ($queue['targetpipe'] == $_GET['id']) { + $input_errors[] = "This pipe cannot be deleted because it is still referenced by a queue."; + break; + } + } + } + + if (!$input_errors) { + unset($a_pipes[$_GET['id']]); + + /* renumber all rules and queues */ + if (is_array($config['shaper']['rule'])) { + for ($i = 0; isset($config['shaper']['rule'][$i]); $i++) { + $currule = &$config['shaper']['rule'][$i]; + if (isset($currule['targetpipe']) && ($currule['targetpipe'] > $_GET['id'])) + $currule['targetpipe']--; + } + } + if (is_array($config['shaper']['queue'])) { + for ($i = 0; isset($config['shaper']['queue'][$i]); $i++) { + $curqueue = &$config['shaper']['queue'][$i]; + if ($curqueue['targetpipe'] > $_GET['id']) + $curqueue['targetpipe']--; + } + } + + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper_pipes.php"); + exit; + } + } +} +?> + + + +m0n0wall webGUI - Firewall: Traffic shaper + + + + + + +

Firewall: Traffic shaper

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + +

+ +
RulesPipesQueues 
+ + + + + + + + + + + + + + + + + + + + + + + +
No.BandwidthDelayMaskDescription
+ + + Kbit/s + + + ms + +   + + + +   + +   +  
+

+ Note: a pipe can + only be deleted if it is not referenced by any rules or queues.

+
+ + + diff --git a/webgui/firewall_shaper_pipes_edit.php b/webgui/firewall_shaper_pipes_edit.php new file mode 100644 index 0000000..80650c7 --- /dev/null +++ b/webgui/firewall_shaper_pipes_edit.php @@ -0,0 +1,145 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$a_pipes = &$config['shaper']['pipe']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_pipes[$id]) { + $pconfig['bandwidth'] = $a_pipes[$id]['bandwidth']; + $pconfig['delay'] = $a_pipes[$id]['delay']; + $pconfig['mask'] = $a_pipes[$id]['mask']; + $pconfig['descr'] = $a_pipes[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "bandwidth"); + $reqdfieldsn = explode(",", "Bandwidth"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['bandwidth'] && !is_numericint($_POST['bandwidth']))) { + $input_errors[] = "The bandwidth must be an integer."; + } + if (($_POST['delay'] && !is_numericint($_POST['delay']))) { + $input_errors[] = "The delay must be an integer."; + } + + if (!$input_errors) { + $pipe = array(); + + $pipe['bandwidth'] = $_POST['bandwidth']; + if ($_POST['delay']) + $pipe['delay'] = $_POST['delay']; + if ($_POST['mask']) + $pipe['mask'] = $_POST['mask']; + $pipe['descr'] = $_POST['descr']; + + if (isset($id) && $a_pipes[$id]) + $a_pipes[$id] = $pipe; + else + $a_pipes[] = $pipe; + + write_config(); + touch($d_shaperconfdirty_path); + + header("Location: firewall_shaper_pipes.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: Traffic shaper: Edit pipe + + + + + + +

Firewall: Traffic shaper: Edit pipe

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
Bandwidth +  Kbit/s
Delay +  ms
Hint: in most cases, you + should specify 0 here (or leave the field empty)
Mask
+ If 'source' or 'destination' is chosen, + a dynamic pipe with the bandwidth and delay given above will + be created for each source/destination IP address encountered, + respectively. This makes it possible to easily specify bandwidth + limits per host.
Description +
You may enter a description here + for your reference (not parsed).
  + + + +
+
+ + + diff --git a/webgui/firewall_shaper_queues.php b/webgui/firewall_shaper_queues.php new file mode 100644 index 0000000..8a8bf76 --- /dev/null +++ b/webgui/firewall_shaper_queues.php @@ -0,0 +1,143 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['shaper']['pipe'])) { + $config['shaper']['pipe'] = array(); +} +if (!is_array($config['shaper']['queue'])) { + $config['shaper']['queue'] = array(); +} +$a_queues = &$config['shaper']['queue']; + +if ($_GET['act'] == "del") { + if ($a_queues[$_GET['id']]) { + /* check that no rule references this queue */ + if (is_array($config['shaper']['rule'])) { + foreach ($config['shaper']['rule'] as $rule) { + if (isset($rule['targetqueue']) && ($rule['targetqueue'] == $_GET['id'])) { + $input_errors[] = "This queue cannot be deleted because it is still referenced by a rule."; + break; + } + } + } + + if (!$input_errors) { + unset($a_queues[$_GET['id']]); + + /* renumber all rules */ + if (is_array($config['shaper']['rule'])) { + for ($i = 0; isset($config['shaper']['rule'][$i]); $i++) { + $currule = &$config['shaper']['rule'][$i]; + if (isset($currule['targetqueue']) && ($currule['targetqueue'] > $_GET['id'])) + $currule['targetqueue']--; + } + } + + write_config(); + touch($d_shaperconfdirty_path); + header("Location: firewall_shaper_queues.php"); + exit; + } + } +} +?> + + + +m0n0wall webGUI - Firewall: Traffic shaper + + + + + + +

Firewall: Traffic shaper

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + +

+ +
RulesPipesQueues 
+ + + + + + + + + + + + + + + + + + + + + + + +
No.PipeWeightMaskDescription
+ + + + + + +   + +   +  
+

+ Note: a queue can + only be deleted if it is not referenced by any rules.

+
+ + + diff --git a/webgui/firewall_shaper_queues_edit.php b/webgui/firewall_shaper_queues_edit.php new file mode 100644 index 0000000..48e4ef7 --- /dev/null +++ b/webgui/firewall_shaper_queues_edit.php @@ -0,0 +1,162 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$a_queues = &$config['shaper']['queue']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_queues[$id]) { + $pconfig['targetpipe'] = $a_queues[$id]['targetpipe']; + $pconfig['weight'] = $a_queues[$id]['weight']; + $pconfig['mask'] = $a_queues[$id]['mask']; + $pconfig['descr'] = $a_queues[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "weight"); + $reqdfieldsn = explode(",", "Weight"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['weight'] && (!is_numericint($_POST['weight']) + || ($_POST['weight'] < 1) || ($_POST['weight'] > 100))) { + $input_errors[] = "The weight must be an integer between 1 and 100."; + } + + if (!$input_errors) { + $queue = array(); + + $queue['targetpipe'] = $_POST['targetpipe']; + $queue['weight'] = $_POST['weight']; + if ($_POST['mask']) + $queue['mask'] = $_POST['mask']; + $queue['descr'] = $_POST['descr']; + + if (isset($id) && $a_queues[$id]) + $a_queues[$id] = $queue; + else + $a_queues[] = $queue; + + write_config(); + touch($d_shaperconfdirty_path); + + header("Location: firewall_shaper_queues.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Firewall: Traffic shaper: Edit queue + + + + + + +

Firewall: Traffic shaper: Edit queue

+ + + 0)): ?> +
+ + + + + + + + + + + + + + + + + + + + + +
Pipe
+ Choose the pipe that this queue is linked + to.
Weight +
Valid range: 1..100.
+ All backlogged (i.e., with packets queued) queues linked to + the same pipe share the pipe's bandwidth proportionally to + their weights (higher weight = higher share of bandwidth). + Note that weights are not priorities; a queue with a lower + weight is still guaranteed to get its fraction of the bandwidth + even if a queue with a higher weight is permanently backlogged.
Mask
If 'source' or 'destination' + is chosen, a dynamic queue associated with the pipe and with + the weight given above will be created for each source/destination + IP address encountered, respectively. This makes it possible + to easily specify bandwidth limits per host.
Description +
You may enter a description here + for your reference (not parsed).
  + + + +
+
+ +

You need to create a pipe before you can add a new queue.

+ + + + diff --git a/webgui/gui.css b/webgui/gui.css new file mode 100644 index 0000000..b019c31 --- /dev/null +++ b/webgui/gui.css @@ -0,0 +1,259 @@ +body,td,th,input,select { + font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; + font-size: 11px; +} +form { + margin: 0px; +} +.pgtitle { + font-size: 18px; + color: #777777; + font-weight: bold; +} +.tfrtitle { + font-size: 18px; + color: #ffffff; + font-weight: bold; +} +.vncell { + background-color: #DDDDDD; + padding-right: 20px; + padding-left: 8px; + border-bottom: 1px solid #999999; +} +.formfld { + +} +.formfldalias { + background-color: #e7edf9; +} +.formpre { + font-family: Courier New, Courier, monospaced; + font-size: 10px; +} +.formbtn { + font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; + font-size: 13px; + font-weight: bold; +} +.vvcell { + background-color: #FFFFC6; +} +.errmsg { + font-weight: bold; + color: #CC0000; +} +.red { + color: #CC0000; +} +.gray { + color: #A0A0A0; +} +.vexpl { + font-size: 11px; +} +a { + text-decoration: none; +} +.navlnk { + color: #FFFFFF; + text-decoration: none; + font-size: 13px; +} +.navlnks { + color: #FFFFFF; + text-decoration: none; + font-size: 11px; +} +.tblnk { + color: #FFFFFF; + text-decoration: none; +} +.vncellreq { + background-color: #DDDDDD; + padding-right: 20px; + padding-left: 8px; + font-weight: bold; + border-bottom: 1px solid #999999; +} +.vncellt { + background-color: #DDDDDD; + padding-right: 20px; + padding-left: 8px; + padding-top: 4px; + padding-bottom: 4px; + font-weight: bold; + border-bottom: 1px solid #999999; +} +.vtable { + border-bottom: 1px solid #999999; +} +.vnsepcell { + background-color: #BBBBBB; + padding-right: 20px; + padding-left: 8px; + font-weight: bold; + border-bottom: 1px solid #999999; + font-size: 11px; +} +.cpline { + font-size: 11px; + color: #FFFFFF; +} +.vnsepcellr { + background-color: #BBBBBB; + padding-right: 20px; + padding-left: 8px; + font-weight: bold; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; +} +.listr { + background-color: #FFFFFF; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listrpad { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-right: 16px; + padding-left: 10px; + padding-top: 8px; + padding-bottom: 8px; +} +.listn { + font-size: 11px; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listbg { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #D9DEE8; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listhdr { + background-color: #BBBBBB; + padding-right: 16px; + padding-left: 6px; + font-weight: bold; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-top: 5px; + padding-bottom: 5px; +} +.listhdrr { + background-color: #BBBBBB; + padding-right: 16px; + padding-left: 6px; + font-weight: bold; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + padding-top: 5px; + padding-bottom: 5px; +} +.listlr { + background-color: #FFFFFF; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + border-left: 1px solid #999999; + font-size: 11px; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listlrns { + background-color: #FFFFFF; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + border-left: 1px solid #999999; + font-size: 11px; + padding-top: 4px; + padding-bottom: 4px; +} +.list { + font-size: 11px; + padding-left: 6px; + padding-top: 2px; + padding-bottom: 2px; +} +.listt { + font-size: 11px; + padding-top: 5px; + padding-left: 4px; +} +.listhdrrns { + background-color: #BBBBBB; + padding-left: 6px; + padding-top: 5px; + padding-bottom: 5px; + padding-right: 6px; + font-weight: bold; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; +} +.listbgns { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #D9DEE8; + padding-left: 6px; + padding-right: 4px; + padding-top: 4px; + padding-bottom: 4px; +} +.listtopic { + border-right: 1px solid #999999; + font-size: 11px; + background-color: #435370; + padding-right: 16px; + padding-left: 6px; + color: #FFFFFF; + font-weight: bold; + padding-top: 5px; + padding-bottom: 5px; +} +.tabinact { + border-left: 1px solid #999999; + font-size: 11px; + background-color: #777777; + padding-right: 8px; + padding-left: 8px; + padding-top: 5px; + padding-bottom: 5px; + color: #FFFFFF; + font-weight: bold; +} +.tabact { + font-size: 11px; + background-color: #EEEEEE; + padding-right: 8px; + padding-left: 8px; + padding-top: 5px; + padding-bottom: 5px; + color: #000000; + font-weight: bold; +} +.tabcont { + background-color: #EEEEEE; + padding-right: 12px; + padding-left: 12px; + padding-top: 12px; + padding-bottom: 12px; +} diff --git a/webgui/guiconfig.inc b/webgui/guiconfig.inc new file mode 100644 index 0000000..8cd038a --- /dev/null +++ b/webgui/guiconfig.inc @@ -0,0 +1,398 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* make sure nothing is cached */ +if (!$omit_nocacheheaders) { + header("Expires: 0"); + header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); + header("Cache-Control: no-store, no-cache, must-revalidate"); + header("Cache-Control: post-check=0, pre-check=0", false); + header("Pragma: no-cache"); +} + +$d_natconfdirty_path = $g['varrun_path'] . "/nat.conf.dirty"; +$d_filterconfdirty_path = $g['varrun_path'] . "/filter.conf.dirty"; +$d_ipsecconfdirty_path = $g['varrun_path'] . "/ipsec.conf.dirty"; +$d_shaperconfdirty_path = $g['varrun_path'] . "/shaper.conf.dirty"; +$d_pptpuserdirty_path = $g['varrun_path'] . "/pptpd.user.dirty"; +$d_hostsdirty_path = $g['varrun_path'] . "/hosts.dirty"; +$d_staticmapsdirty_path = $g['varrun_path'] . "/staticmaps.dirty"; +$d_staticroutesdirty_path = $g['varrun_path'] . "/staticroutes.dirty"; +$d_aliasesdirty_path = $g['varrun_path'] . "/aliases.dirty"; +$d_proxyarpdirty_path = $g['varrun_path'] . "/proxyarp.dirty"; +$d_fwupenabled_path = $g['varrun_path'] . "/fwup.enabled"; +$d_firmwarelock_path = $g['varrun_path'] . "/firmware.lock"; +$d_sysrebootreqd_path = $g['varrun_path'] . "/sysreboot.reqd"; + +if (file_exists($d_firmwarelock_path)) { + if (!$d_isfwfile) { + header("Location: system_firmware.php"); + exit; + } else { + return; + } +} + +/* parse the configuration and include all configuration functions */ +require_once("config.inc"); +require_once("functions.inc"); + +/* some well knows ports */ +$wkports = array(21 => "FTP", 22 => "SSH", 23 => "Telnet", 25 => "SMTP", 53 => "DNS", 80 => "HTTP", + 110 => "POP3", 143 => "IMAP", 443 => "HTTPS"); + +/* TCP flags */ +$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg"); + +$specialnets = array("lan" => "LAN net", "pptp" => "PPTP clients"); + +for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $specialnets['opt' . $i] = $config['interfaces']['opt' . $i]['descr'] . " net"; +} + +$medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex", + "100half" => "100BASE-TX half-duplex", "10full" => "10BASE-T full-duplex", + "10half" => "10BASE-T half-duplex"); + +/* platforms that support firmware updating */ +$fwupplatforms = array('net45xx', 'net48xx', 'generic-pc', 'wrap'); + +/* IPsec defines */ +$my_identifier_list = array('myaddress' => 'My IP address', + 'address' => 'IP address', + 'fqdn' => 'Domain name'); + +$p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', + 'cast128' => 'CAST128'); +$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', + 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)'); +$p1_halgos = array('md5' => 'MD5', 'sha1' => 'SHA1'); +$p2_halgos = array('hmac_md5' => 'MD5', 'hmac_sha1' => 'SHA1'); +$p2_protos = array('esp' => 'ESP', 'ah' => 'AH'); +$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5'); + +function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) { + for ($i = 0; $i < count($reqdfields); $i++) { + if (!$_POST[$reqdfields[$i]]) { + $input_errors[] = "The field '" . $reqdfieldsn[$i] . "' is required."; + } + } +} + +function print_input_errors($input_errors) { + echo "

\n"; + echo "\n"; + echo "
"; + + echo "

The following input errors were detected:

    \n"; + foreach ($input_errors as $ierr) { + echo "
  • " . htmlspecialchars($ierr) . "
    • \n"; + } + echo "
"; + + echo "

"; +} + +function exec_rc_script($scriptname) { + + global $d_sysrebootreqd_path; + + if (file_exists($d_sysrebootreqd_path)) + return 0; + + exec($scriptname . " >/dev/null 2>&1", $execoutput, $retval); + return $retval; +} + +function exec_rc_script_async($scriptname) { + + global $d_sysrebootreqd_path; + + if (file_exists($d_sysrebootreqd_path)) + return 0; + + exec("nohup " . $scriptname . " >/dev/null 2>&1 &", $execoutput, $retval); + return $retval; +} + +function verify_gzip_file($fname) { + + $returnvar = mwexec("/usr/bin/gunzip -S \"\" -t " . escapeshellarg($fname)); + if ($returnvar != 0) + return 0; + else + return 1; +} + +function print_info_box_np($msg) { + echo "\n"; + echo "\n"; + echo "
"; + echo $msg; + echo "
"; +} + +function print_info_box($msg) { + echo "

"; + print_info_box_np($msg); + echo "

"; +} + +function format_bytes($bytes) { + if ($bytes >= 1073741824) { + return sprintf("%.2f GB", $bytes/1073741824); + } else if ($bytes >= 1048576) { + return sprintf("%.2f MB", $bytes/1048576); + } else if ($bytes >= 1024) { + return sprintf("%.0f KB", $bytes/1024); + } else { + return sprintf("%d bytes", $bytes); + } +} + +function get_std_save_message($ok) { + global $d_sysrebootreqd_path; + + if ($ok == 0) { + if (file_exists($d_sysrebootreqd_path)) + return "The changes have been saved. You must reboot your firewall for changes to take effect."; + else + return "The changes have been applied successfully."; + } else { + return "ERROR: the changes could not be applied (error code $ok)."; + } +} + +function pprint_address($adr) { + global $specialnets; + + if (isset($adr['any'])) { + $padr = "*"; + } else if ($adr['network']) { + $padr = $specialnets[$adr['network']]; + } else { + $padr = $adr['address']; + } + + if (isset($adr['not'])) + $padr = "! " . $padr; + + return $padr; +} + +function pprint_port($port) { + global $wkports; + + $pport = ""; + + if (!$port) + echo "*"; + else { + $srcport = explode("-", $port); + if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { + $pport = $srcport[0]; + if ($wkports[$srcport[0]]) { + $pport .= " (" . $wkports[$srcport[0]] . ")"; + } + } else + $pport .= $srcport[0] . " - " . $srcport[1]; + } + + return $pport; +} + +/* sort by interface only, retain the original order of rules that apply to + the same interface */ +function filter_rules_sort() { + global $g, $config; + + /* mark each rule with the sequence number (to retain the order while sorting) */ + for ($i = 0; isset($config['filter']['rule'][$i]); $i++) + $config['filter']['rule'][$i]['seq'] = $i; + + function filtercmp($a, $b) { + if ($a['interface'] == $b['interface']) + return $a['seq'] - $b['seq']; + else + return -strcmp($a['interface'], $b['interface']); + } + + usort($config['filter']['rule'], "filtercmp"); + + /* strip the sequence numbers again */ + for ($i = 0; isset($config['filter']['rule'][$i]); $i++) + unset($config['filter']['rule'][$i]['seq']); +} + +function nat_rules_sort() { + global $g, $config; + + function natcmp($a, $b) { + if ($a['external-address'] == $b['external-address']) { + if ($a['protocol'] == $b['protocol']) { + if ($a['external-port'] == $b['external-port']) { + return 0; + } else { + return ($a['external-port'] - $b['external-port']); + } + } else { + return strcmp($a['protocol'], $b['protocol']); + } + } else if (!$a['external-address']) + return 1; + else if (!$b['external-address']) + return -1; + else + return ipcmp($a['external-address'], $b['external-address']); + } + + usort($config['nat']['rule'], "natcmp"); +} + +function nat_1to1_rules_sort() { + global $g, $config; + + function nat1to1cmp($a, $b) { + return ipcmp($a['external'], $b['external']); + } + + usort($config['nat']['onetoone'], "nat1to1cmp"); +} + +function nat_server_rules_sort() { + global $g, $config; + + function natservercmp($a, $b) { + return ipcmp($a['ipaddr'], $b['ipaddr']); + } + + usort($config['nat']['servernat'], "natservercmp"); +} + +function nat_out_rules_sort() { + global $g, $config; + + function natoutcmp($a, $b) { + return strcmp($a['source']['network'], $b['source']['network']); + } + + usort($config['nat']['advancedoutbound']['rule'], "natoutcmp"); +} + +function pptpd_users_sort() { + global $g, $config; + + function usercmp($a, $b) { + return strcasecmp($a['name'], $b['name']); + } + + usort($config['pptpd']['user'], "usercmp"); +} + +function staticroutes_sort() { + global $g, $config; + + function staticroutecmp($a, $b) { + return strcmp($a['network'], $b['network']); + } + + usort($config['staticroutes']['route'], "staticroutecmp"); +} + +function hosts_sort() { + global $g, $config; + + function hostcmp($a, $b) { + return strcasecmp($a['host'], $b['host']); + } + + usort($config['dnsmasq']['hosts'], "hostcmp"); +} + +function staticmaps_sort($if) { + global $g, $config; + + function staticmapcmp($a, $b) { + return ipcmp($a['ipaddr'], $b['ipaddr']); + } + + usort($config['dhcpd'][$if]['staticmap'], "staticmapcmp"); +} + +function aliases_sort() { + global $g, $config; + + function aliascmp($a, $b) { + return strcmp($a['name'], $b['name']); + } + + usort($config['aliases']['alias'], "aliascmp"); +} + +function ipsec_mobilekey_sort() { + global $g, $config; + + function mobilekeycmp($a, $b) { + return strcmp($a['ident'][0], $b['ident'][0]); + } + + usort($config['ipsec']['mobilekey'], "mobilekeycmp"); +} + +function proxyarp_sort() { + global $g, $config; + + function proxyarpcmp($a, $b) { + if (isset($a['network'])) + list($ast,$asn) = explode("/", $a['network']); + else if (isset($a['range'])) { + $ast = $a['range']['from']; + $asn = 32; + } + if (isset($b['network'])) + list($bst,$bsn) = explode("/", $b['network']); + else if (isset($b['range'])) { + $bst = $b['range']['from']; + $bsn = 32; + } + if (ipcmp($ast, $bst) == 0) + return ($asn - $bsn); + else + return ipcmp($ast, $bst); + } + + usort($config['proxyarp']['proxyarpnet'], "proxyarpcmp"); +} + +function is_numericint($arg) { + return (preg_match("/[^0-9]/", $arg) ? false : true); +} + +?> diff --git a/webgui/in.gif b/webgui/in.gif new file mode 100644 index 0000000..95a67cf Binary files /dev/null and b/webgui/in.gif differ diff --git a/webgui/index.php b/webgui/index.php new file mode 100644 index 0000000..e3a2908 --- /dev/null +++ b/webgui/index.php @@ -0,0 +1,104 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +/* find out whether there's hardware encryption (hifn) */ +exec("/sbin/dmesg", $dmesg); + +unset($hwcrypto); +foreach ($dmesg as $dmesgl) { + if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) { + $hwcrypto = $matches[1]; + break; + } +} + +?> + + + +m0n0wall webGUI + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 
System information
Name + +
Version + +
+ built on + +
Platform + +
Hardware crypto + +
Uptime + +
+ + + diff --git a/webgui/interfaces_assign.php b/webgui/interfaces_assign.php new file mode 100644 index 0000000..e992d96 --- /dev/null +++ b/webgui/interfaces_assign.php @@ -0,0 +1,249 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +/* + In this file, "port" refers to the physical port name, + while "interface" refers to LAN, WAN, or OPTn. +*/ + +$portlist = get_interface_list(); + +if ($_POST) { + + unset($input_errors); + + /* input validation */ + + /* Build a list of the port names so we can see how the interfaces map */ + $portifmap = array(); + foreach ($portlist as $portname => $portinfo) + $portifmap[] = array($portname => array()); + + /* Go through the list of ports selected by the user, + build a list of port-to-interface mappings in portifmap */ + foreach ($_POST as $ifname => $ifport) { + if (($ifname == 'lan') || ($ifname == 'wan') || (substr($ifname, 0, 3) == 'opt')) + $portifmap[$ifport][] = strtoupper($ifname); + } + + /* Deliver error message for any port with more than one assignment */ + foreach ($portifmap as $portname => $ifnames) { + if (count($ifnames) > 1) { + $errstr = "Port " . $portname . + " was assigned to " . count($ifnames) . + " interfaces:"; + + foreach ($portifmap[$portname] as $ifn) + $errstr .= " " . $ifn; + + $input_errors[] = $errstr; + } + } + + + if (!$input_errors) { + /* No errors detected, so update the config */ + foreach ($_POST as $ifname => $ifport) { + + if (($ifname == 'lan') || ($ifname == 'wan') || + (substr($ifname, 0, 3) == 'opt')) { + + if (!is_array($ifport)) { + $config['interfaces'][$ifname]['if'] = $ifport; + + /* check for wireless interfaces, set or clear ['wireless'] */ + if (preg_match("/^(wi|awi|an)/", $ifport)) { + if (!is_array($config['interfaces'][$ifname]['wireless'])) + $config['interfaces'][$ifname]['wireless'] = array(); + } else { + unset($config['interfaces'][$ifname]['wireless']); + } + + /* make sure there is a name for OPTn */ + if (substr($ifname, 0, 3) == 'opt') { + if (!isset($config['interfaces'][$ifname]['descr'])) + $config['interfaces'][$ifname]['descr'] = strtoupper($ifname); + } + } + } + } + + write_config(); + touch($d_sysrebootreqd_path); + /* message is set up below based on existence of bootreqd file */ + } +} + +if ($_GET['act'] == "del") { + $id = $_GET['id']; + + unset($config['interfaces'][$id]); /* delete the specified OPTn */ + + /* shift down other OPTn interfaces to get rid of holes */ + $i = substr($id, 3); /* the number of the OPTn port being deleted */ + $i++; + + /* look at the following OPTn ports */ + while (is_array($config['interfaces']['opt' . $i])) { + $config['interfaces']['opt' . ($i - 1)] = + $config['interfaces']['opt' . $i]; + + if ($config['interfaces']['opt' . ($i - 1)]['descr'] == "OPT" . $i) + $config['interfaces']['opt' . ($i - 1)]['descr'] = "OPT" . ($i - 1); + + unset($config['interfaces']['opt' . $i]); + $i++; + } + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_assign.php"); + exit; +} + +if ($_GET['act'] == "add") { + $i = 0; + + while (1) { + $newifname = 'opt' . ($i+1); + + if (!is_array($config['interfaces'][$newifname])) { + $config['interfaces'][$newifname] = array(); + $config['interfaces'][$newifname]['descr'] = "OPT" . ($i+1); + + /* Find an unused port for this interface */ + foreach ($portlist as $portname => $portinfo) { + $portused = false; + foreach ($config['interfaces'] as $ifname => $ifdata) { + if ($ifdata['if'] == $portname) { + $portused = true; + break; + } + } + if (!$portused) { + $config['interfaces'][$newifname]['if'] = $portname; + if (preg_match("/^(wi|awi|an)/", $portname)) + $config['interfaces'][$newifname]['wireless'] = array(); + break; + } + } + break; + } + $i++; + } + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_assign.php"); + exit; +} + +?> + + + +m0n0wall webGUI - Interfaces: Assign network ports + + + + + + +

Interfaces: Assign network ports

+ + +
+ + + + + + + + + + + + + +
Interface assignments + + + + + + + $iface): ?> + + + + + + + + + + +
InterfaceNetwork port 
+ + + + delete interface + +
+ add interface +
+
  + +
  Warning:
+ After you click "Save", you must + reboot the firewall to make the changes take effect. You may + also have to do one or more of the following steps before + you can access your firewall again: +
    +
  • change the IP address of your computer
    • +
  • renew it's DHCP lease
    • +
  • access the webGUI with the new IP address
    • +
+
+
+ + + diff --git a/webgui/interfaces_lan.php b/webgui/interfaces_lan.php new file mode 100644 index 0000000..72101fe --- /dev/null +++ b/webgui/interfaces_lan.php @@ -0,0 +1,173 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$lancfg = &$config['interfaces']['lan']; +$optcfg = &$config['interfaces']['lan']; +$pconfig['ipaddr'] = $config['interfaces']['lan']['ipaddr']; +$pconfig['subnet'] = $config['interfaces']['lan']['subnet']; + +/* Wireless interface? */ +if (isset($optcfg['wireless'])) { + require("interfaces_wlan.inc"); + wireless_config_init(); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ipaddr subnet"); + $reqdfieldsn = explode(",", "IP address,Subnet bit count"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['subnet'] && !is_numeric($_POST['subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + + /* Wireless interface? */ + if (isset($optcfg['wireless'])) { + $wi_input_errors = wireless_config_post(); + if ($wi_input_errors) { + $input_errors = array_merge($input_errors, $wi_input_errors); + } + } + + if (!$input_errors) { + $config['interfaces']['lan']['ipaddr'] = $_POST['ipaddr']; + $config['interfaces']['lan']['subnet'] = $_POST['subnet']; + + $dhcpd_was_enabled = 0; + if (isset($config['dhcpd']['enable'])) { + unset($config['dhcpd']['enable']); + $dhcpd_was_enabled = 1; + } + + write_config(); + touch($d_sysrebootreqd_path); + + $savemsg = get_std_save_message(0); + + if ($dhcpd_was_enabled) + $savemsg .= "
Note that the DHCP server has been disabled.
Please review its configuration " . + "and enable it again prior to rebooting."; + } +} +?> + + + +m0n0wall webGUI - Interfaces: LAN + + + + + + + +

Interfaces: LAN

+ + +
+ + + + + + + + + + + + + + +
IP address + + / +
  + +
 Warning:
+ after you click "Save", you must + reboot your firewall for changes to take effect. You may also + have to do one or more of the following steps before you can + access your firewall again: +
    +
  • change the IP address of your computer
    • +
  • renew it's DHCP lease
    • +
  • access the webGUI with the new IP address
    • +
+
+
+ + + diff --git a/webgui/interfaces_opt.php b/webgui/interfaces_opt.php new file mode 100644 index 0000000..b5cb192 --- /dev/null +++ b/webgui/interfaces_opt.php @@ -0,0 +1,266 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +unset($index); +if ($_GET['index']) + $index = $_GET['index']; +else if ($_POST['index']) + $index = $_POST['index']; + +if (!$index) + exit; + +$optcfg = &$config['interfaces']['opt' . $index]; +$pconfig['descr'] = $optcfg['descr']; +$pconfig['bridge'] = $optcfg['bridge']; +$pconfig['ipaddr'] = $optcfg['ipaddr']; +$pconfig['subnet'] = $optcfg['subnet']; +$pconfig['enable'] = isset($optcfg['enable']); + +/* Wireless interface? */ +if (isset($optcfg['wireless'])) { + require("interfaces_wlan.inc"); + wireless_config_init(); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + + /* description unique? */ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if ($i != $index) { + if ($config['interfaces']['opt' . $i]['descr'] == $_POST['descr']) { + $input_errors[] = "An interface with the specified description already exists."; + } + } + } + + if ($_POST['bridge']) { + /* double bridging? */ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if ($i != $index) { + if ($config['interfaces']['opt' . $i]['bridge'] == $_POST['bridge']) { + $input_errors[] = "Optional interface {$i} " . + "({$config['interfaces']['opt' . $i]['descr']}) is already bridged to " . + "the specified interface."; + } else if ($config['interfaces']['opt' . $i]['bridge'] == "opt{$index}") { + $input_errors[] = "Optional interface {$i} " . + "({$config['interfaces']['opt' . $i]['descr']}) is already bridged to " . + "this interface."; + } + } + } + if ($config['interfaces'][$_POST['bridge']]['bridge']) { + $input_errors[] = "The specified interface is already bridged to " . + "another interface."; + } + } else { + $reqdfields = explode(" ", "descr ipaddr subnet"); + $reqdfieldsn = explode(",", "Description,IP address,Subnet bit count"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['subnet'] && !is_numeric($_POST['subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + } + } + + /* Wireless interface? */ + if (isset($optcfg['wireless'])) { + $wi_input_errors = wireless_config_post(); + if ($wi_input_errors) { + $input_errors = array_merge($input_errors, $wi_input_errors); + } + } + + if (!$input_errors) { + $optcfg['descr'] = $_POST['descr']; + $optcfg['ipaddr'] = $_POST['ipaddr']; + $optcfg['subnet'] = $_POST['subnet']; + $optcfg['bridge'] = $_POST['bridge']; + $optcfg['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = interfaces_optional_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - Interfaces: Optional <?=$index;?> (<?=htmlspecialchars($optcfg['descr']);?>) + + + + + + + +

Interfaces: Optional ()

+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable Optional interface
Description + +
Enter a description (name) for the interface here. +
IP configuration
Bridge with +
IP address + + / + +
  + + +
 Note:
+ be sure to add firewall rules to permit traffic + through the interface. Firewall rules for an interface in + bridged mode have no effect on packets to hosts other than + m0n0wall itself, unless "Enable filtering bridge" + is checked on the System: + Advanced functions page.
+
+ + +

Optional has been disabled because there is no OPT interface.

+ + + + diff --git a/webgui/interfaces_wan.php b/webgui/interfaces_wan.php new file mode 100644 index 0000000..f3ecbd0 --- /dev/null +++ b/webgui/interfaces_wan.php @@ -0,0 +1,421 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$wancfg = &$config['interfaces']['wan']; +$optcfg = &$config['interfaces']['wan']; + +$pconfig['username'] = $config['pppoe']['username']; +$pconfig['password'] = $config['pppoe']['password']; +$pconfig['provider'] = $config['pppoe']['provider']; + +$pconfig['pptp_username'] = $config['pptp']['username']; +$pconfig['pptp_password'] = $config['pptp']['password']; +$pconfig['pptp_local'] = $config['pptp']['local']; +$pconfig['pptp_subnet'] = $config['pptp']['subnet']; +$pconfig['pptp_remote'] = $config['pptp']['remote']; + +$pconfig['dhcphostname'] = $wancfg['dhcphostname']; + +if ($wancfg['ipaddr'] == "dhcp") { + $pconfig['type'] = "DHCP"; +} else if ($wancfg['ipaddr'] == "pppoe") { + $pconfig['type'] = "PPPoE"; +} else if ($wancfg['ipaddr'] == "pptp") { + $pconfig['type'] = "PPTP"; +} else { + $pconfig['type'] = "Static"; + $pconfig['ipaddr'] = $wancfg['ipaddr']; + $pconfig['subnet'] = $wancfg['subnet']; + $pconfig['gateway'] = $wancfg['gateway']; +} + +$pconfig['blockpriv'] = isset($wancfg['blockpriv']); +$pconfig['spoofmac'] = $wancfg['spoofmac']; +$pconfig['mtu'] = $wancfg['mtu']; + +/* Wireless interface? */ +if (isset($optcfg['wireless'])) { + require("interfaces_wlan.inc"); + wireless_config_init(); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['type'] == "Static") { + $reqdfields = explode(" ", "ipaddr subnet gateway"); + $reqdfieldsn = explode(",", "IP address,Subnet bit count,Gateway"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } else if ($_POST['type'] == "PPPoE") { + $reqdfields = explode(" ", "username password"); + $reqdfieldsn = explode(",", "PPPoE Username,PPPoE Password"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } else if ($_POST['type'] == "PPTP") { + $reqdfields = explode(" ", "pptp_username pptp_password pptp_local pptp_subnet pptp_remote"); + $reqdfieldsn = explode(",", "PPTP Username,PPTP Password,PPTP local IP address,PPTP subnet,PPTP remote IP address"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['subnet'] && !is_numeric($_POST['subnet']))) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + if (($_POST['gateway'] && !is_ipaddr($_POST['gateway']))) { + $input_errors[] = "A valid gateway must be specified."; + } + if (($_POST['provider'] && !is_domain($_POST['provider']))) { + $input_errors[] = "The service name contains invalid characters."; + } + if (($_POST['pptp_local'] && !is_ipaddr($_POST['pptp_local']))) { + $input_errors[] = "A valid PPTP local IP address must be specified."; + } + if (($_POST['pptp_subnet'] && !is_numeric($_POST['pptp_subnet']))) { + $input_errors[] = "A valid PPTP subnet bit count must be specified."; + } + if (($_POST['pptp_remote'] && !is_ipaddr($_POST['pptp_remote']))) { + $input_errors[] = "A valid PPTP remote IP address must be specified."; + } + if (($_POST['spoofmac'] && !is_macaddr($_POST['spoofmac']))) { + $input_errors[] = "A valid MAC address must be specified."; + } + if ($_POST['mtu'] && (($_POST['mtu'] < 576) || ($_POST['mtu'] > 1500))) { + $input_errors[] = "The MTU must be between 576 and 1500 bytes."; + } + + /* Wireless interface? */ + if (isset($optcfg['wireless'])) { + $wi_input_errors = wireless_config_post(); + if ($wi_input_errors) { + $input_errors = array_merge($input_errors, $wi_input_errors); + } + } + + if (!$input_errors) { + + unset($wancfg['ipaddr']); + unset($wancfg['subnet']); + unset($wancfg['gateway']); + unset($wancfg['dhcphostname']); + unset($config['pppoe']['username']); + unset($config['pppoe']['password']); + unset($config['pppoe']['provider']); + unset($config['pptp']['username']); + unset($config['pptp']['password']); + unset($config['pptp']['local']); + unset($config['pptp']['subnet']); + unset($config['pptp']['remote']); + + if ($_POST['type'] == "Static") { + $wancfg['ipaddr'] = $_POST['ipaddr']; + $wancfg['subnet'] = $_POST['subnet']; + $wancfg['gateway'] = $_POST['gateway']; + } else if ($_POST['type'] == "DHCP") { + $wancfg['ipaddr'] = "dhcp"; + $wancfg['dhcphostname'] = $_POST['dhcphostname']; + } else if ($_POST['type'] == "PPPoE") { + $wancfg['ipaddr'] = "pppoe"; + $config['pppoe']['username'] = $_POST['username']; + $config['pppoe']['password'] = $_POST['password']; + $config['pppoe']['provider'] = $_POST['provider']; + } else if ($_POST['type'] == "PPTP") { + $wancfg['ipaddr'] = "pptp"; + $config['pptp']['username'] = $_POST['pptp_username']; + $config['pptp']['password'] = $_POST['pptp_password']; + $config['pptp']['local'] = $_POST['pptp_local']; + $config['pptp']['subnet'] = $_POST['pptp_subnet']; + $config['pptp']['remote'] = $_POST['pptp_remote']; + } + + $wancfg['blockpriv'] = $_POST['blockpriv'] ? true : false; + $wancfg['spoofmac'] = $_POST['spoofmac']; + $wancfg['mtu'] = $_POST['mtu']; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = interfaces_wan_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - Interfaces: WAN + + + + + + + +

Interfaces: WAN

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type
General configuration
MAC address +
+ This field can be used to modify ("spoof") the MAC + address of the WAN interface
+ (may be required with some cable connections)
+ Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx + or leave blank
MTU +
+ If you enter a value in this field, then MSS clamping for + TCP connections to the value entered above minus 40 (TCP/IP + header size) will be in effect. If you leave this field blank, + an MTU of 1492 bytes for PPPoE and 1500 bytes for all other + connection types will be assumed.
Static IP configuration
IP address + / +
Gateway +
DHCP client configuration
Hostname +
+ The value in this field is sent as the DHCP client identifier + and hostname when requesting a DHCP lease. Some ISPs may require + this (for client identification).
PPPoE configuration
Username +
Password +
Service name +
Hint: this field can usually be left + empty
PPTP configuration
Username +
Password +
Local IP address + / +
Remote IP address +
  > + Block private networks
+ When set, this option blocks traffic from IP addresses that + are reserved for private
+ networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as + well as loopback addresses
+ (127/8). You should generally leave this option turned on, + unless your WAN network
+ lies in such a private address space, too.
   
+
+
+ + + + diff --git a/webgui/interfaces_wlan.inc b/webgui/interfaces_wlan.inc new file mode 100644 index 0000000..8861ce6 --- /dev/null +++ b/webgui/interfaces_wlan.inc @@ -0,0 +1,182 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function wireless_config_init() { + global $optcfg, $pconfig; + + $pconfig['mode'] = $optcfg['wireless']['mode']; + $pconfig['ssid'] = $optcfg['wireless']['ssid']; + $pconfig['stationname'] = $optcfg['wireless']['stationname']; + $pconfig['channel'] = $optcfg['wireless']['channel']; + $pconfig['wep_enable'] = isset($optcfg['wireless']['wep']['enable']); + + if (is_array($optcfg['wireless']['wep']['key'])) { + $i = 1; + foreach ($optcfg['wireless']['wep']['key'] as $wepkey) { + $pconfig['key' . $i] = $wepkey['value']; + if (isset($wepkey['txkey'])) + $pconfig['txkey'] = $i; + $i++; + } + if (!isset($wepkey['txkey'])) + $pconfig['txkey'] = 1; + } +} + +function wireless_config_post() { + global $optcfg, $pconfig; + + unset($input_errors); + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "mode ssid channel"); + $reqdfieldsn = explode(",", "Mode,SSID,Channel"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + /* bridge check (hostap only!) */ + if ($pconfig['bridge'] && ($pconfig['mode'] != "hostap")) + $input_errors[] = "Bridging a wireless interface is only possible in hostap mode."; + } + } + + if (!$input_errors) { + + $optcfg['wireless']['mode'] = $_POST['mode']; + $optcfg['wireless']['ssid'] = $_POST['ssid']; + $optcfg['wireless']['stationname'] = $_POST['stationname']; + $optcfg['wireless']['channel'] = $_POST['channel']; + $optcfg['wireless']['wep']['enable'] = $_POST['wep_enable'] ? true : false; + + $optcfg['wireless']['wep']['key'] = array(); + for ($i = 1; $i <= 4; $i++) { + if ($_POST['key' . $i]) { + $newkey = array(); + $newkey['value'] = $_POST['key' . $i]; + if ($_POST['txkey'] == $i) + $newkey['txkey'] = true; + $optcfg['wireless']['wep']['key'][] = $newkey; + } + } + } + + return $input_errors; +} + +function wireless_config_print() { + global $optcfg, $pconfig; +?> + + + + + Wireless configuration + + + Mode +
+ Note: IBSS mode is sometimes also called "ad-hoc" + mode;
+ BSS mode is also known as "infrastructure" mode + + + SSID + + + + + Channel + + + + Station name + +
+ Hint: this field can usually be left blank + + + WEP + > + Enable WEP
+   + + + + + + + + + + + + + + + + + + + + + + + + + +
   TX key 
Key 1:   > +
Key 2:   >
Key 3:   >
Key 4:   >
+
+ 40 (64) bit keys may be entered as 5 ASCII characters or 10 + hex digits preceded by '0x'.
+ 104 (128) bit keys may be entered as 13 ASCII characters or + 26 hex digits preceded by '0x'. + + diff --git a/webgui/license.php b/webgui/license.php new file mode 100644 index 0000000..851d94b --- /dev/null +++ b/webgui/license.php @@ -0,0 +1,148 @@ +#!/usr/local/bin/php + + + + +m0n0wall webGUI - License + + + + + + +

License

+

m0n0wall is Copyright © 2002-2004 by Manuel Kasper + (mk@neon1.net).
+ All rights reserved.

+

Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions + are met:
+
+ 1. Redistributions of source code must retain the above copyright + notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in + the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED "AS IS'' AND ANY EXPRESS + OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT + SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE
+ POSSIBILITY OF SUCH DAMAGE.

+
+

The following persons have contributed code to m0n0wall:

+

Bob Zoller (bob@kludgebox.com)
+     Diagnostics: Ping + function; WLAN channel auto-select; DNS forwarder
+
+ Michael Mee (mikemee2002@pobox.com)
+     Timezone and NTP + client support
+
+ Magne Andreassen (magne.andreassen@bluezone.no)
+     Remote syslog'ing; + some code bits for DHCP server on optional interfaces
+
+ Rob Whyte (rob@g-labs.com)
+     Idea/code bits + for encrypted webGUI passwords; minimalized SNMP agent
+
+ Petr Verner (verner@ipps.cz)
+     Advanced outbound + NAT: destination selection
+
+ Bruce A. Mah (bmah@acm.org)
+     Filtering bridge + patches
+
+ Jim McBeath (monowall@j.jimmc.org)
+     Filter rule patches + (ordering, block/pass, disabled); better status page;
+     webGUI assign network ports page
+
+ Chris Olive (chris@technologEase.com)
+     enhanced "execute + command" page
+
+ Pauline Middelink (middelink@polyware.nl)
+     DHCP client: send hostname patch
+
+ Björn Pålsson (bjorn@networksab.com)
+     DHCP lease list page
+
+ Peter Allgeyer (allgeyer@web.de)
+     "reject" type filter rules

+
+

m0n0wall is based upon/includes various free software packages, + listed below.
+ The author of m0n0wall would like to thank the authors of these + software packages for their efforts.

+

FreeBSD (http://www.freebsd.org)
+ Copyright © 1994-2003 FreeBSD, Inc. All rights reserved.
+
+ This product includes PHP, freely available from http://www.php.net.
+ Copyright © 1999 - 2003 The PHP Group. All rights reserved.
+
+ mini_httpd (http://www.acme.com/software/mini_httpd)
+ Copyright © 1999, 2000 by Jef Poskanzer <jef@acme.com>. + All rights reserved.
+
+ ISC DHCP server (http://www.isc.org/products/DHCP)
+ Copyright © 1996-2003 Internet Software Consortium. All rights + reserved.
+
+ ipfilter (http://www.ipfilter.org)
+ Copyright © 1993-2002 by Darren Reed.
+
+ MPD - Multi-link PPP daemon for FreeBSD (http://www.dellroad.org/mpd)
+ Copyright © 1995-1999 Whistle Communications, Inc. All rights + reserved.
+
+ ez-ipupdate (http://www.gusnet.cx/proj/ez-ipupdate)
+ Copyright © 1998-2001 Angus Mackay. All rights reserved.
+
+ Circular log support for FreeBSD syslogd (http://software.wwwi.com/syslogd)
+ Copyright © 2001 Jeff Wheelhouse (jdw@wwwi.com)
+
+ Dnsmasq - a DNS forwarder for NAT firewalls (http://www.thekelleys.org.uk)
+ Copyright © 2000-2003 Simon Kelley.
+
+ Racoon (http://www.kame.net/racoon)
+ Copyright © 1995-2002 WIDE Project. All rights reserved.
+
+ msntp (http://www.hpcf.cam.ac.uk/export)
+ Copyright © 1996, 1997, 2000 N.M. Maclaren, University of Cambridge. + All rights reserved.
+
+ UCD-SNMP (http://www.ece.ucdavis.edu/ucd-snmp)
+ Copyright © 1989, 1991, 1992 by Carnegie Mellon University.
+ Copyright © 1996, 1998-2000 The Regents of the University of + California. All rights reserved.
+ Copyright © 2001-2002, Network Associates Technology, Inc. + All rights reserved.
+ Portions of this code are copyright © 2001-2002, Cambridge + Broadband Ltd. All rights reserved.
+
+ choparp (http://choparp.sourceforge.net)
+ Copyright © 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp)
+ Copyright +© 2002 Thomas Quinot (thomas@cuivre.fr.eu.org) + + + diff --git a/webgui/log.gif b/webgui/log.gif new file mode 100644 index 0000000..bd8660f Binary files /dev/null and b/webgui/log.gif differ diff --git a/webgui/log_d.gif b/webgui/log_d.gif new file mode 100644 index 0000000..2c67b29 Binary files /dev/null and b/webgui/log_d.gif differ diff --git a/webgui/log_s.gif b/webgui/log_s.gif new file mode 100644 index 0000000..2179b8d Binary files /dev/null and b/webgui/log_s.gif differ diff --git a/webgui/log_s_d.gif b/webgui/log_s_d.gif new file mode 100644 index 0000000..2c17d78 Binary files /dev/null and b/webgui/log_s_d.gif differ diff --git a/webgui/logo.gif b/webgui/logo.gif new file mode 100644 index 0000000..3422a59 Binary files /dev/null and b/webgui/logo.gif differ diff --git a/webgui/logobig.gif b/webgui/logobig.gif new file mode 100644 index 0000000..dc2b78b Binary files /dev/null and b/webgui/logobig.gif differ diff --git a/webgui/out.gif b/webgui/out.gif new file mode 100644 index 0000000..d94474d Binary files /dev/null and b/webgui/out.gif differ diff --git a/webgui/pass.gif b/webgui/pass.gif new file mode 100644 index 0000000..1526e31 Binary files /dev/null and b/webgui/pass.gif differ diff --git a/webgui/pass_d.gif b/webgui/pass_d.gif new file mode 100644 index 0000000..47087d4 Binary files /dev/null and b/webgui/pass_d.gif differ diff --git a/webgui/plus.gif b/webgui/plus.gif new file mode 100644 index 0000000..025e9b2 Binary files /dev/null and b/webgui/plus.gif differ diff --git a/webgui/reboot.php b/webgui/reboot.php new file mode 100644 index 0000000..548d4f4 --- /dev/null +++ b/webgui/reboot.php @@ -0,0 +1,66 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if ($_POST) { + if ($_POST['Submit'] != " No ") { + system_reboot(); + $rebootmsg = "The system is rebooting now. This may take one minute."; + } else { + header("Location: index.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Reboot system + + + + + + +

Reboot system

+ +
+

Are you sure you want to reboot the system?

+

+ + +

+
+ + + + diff --git a/webgui/reject.gif b/webgui/reject.gif new file mode 100644 index 0000000..852e37c Binary files /dev/null and b/webgui/reject.gif differ diff --git a/webgui/reject_d.gif b/webgui/reject_d.gif new file mode 100644 index 0000000..1300200 Binary files /dev/null and b/webgui/reject_d.gif differ diff --git a/webgui/services_dhcp.php b/webgui/services_dhcp.php new file mode 100644 index 0000000..6c08690 --- /dev/null +++ b/webgui/services_dhcp.php @@ -0,0 +1,325 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$if = $_GET['if']; +if ($_POST['if']) + $if = $_POST['if']; + +$iflist = array("lan" => "LAN"); + +for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge'])) { + $iflist['opt' . $i] = $oc['descr']; + } +} + +if (!$if || !isset($iflist[$if])) + $if = "lan"; + +$pconfig['range_from'] = $config['dhcpd'][$if]['range']['from']; +$pconfig['range_to'] = $config['dhcpd'][$if]['range']['to']; +$pconfig['deftime'] = $config['dhcpd'][$if]['defaultleasetime']; +$pconfig['maxtime'] = $config['dhcpd'][$if]['maxleasetime']; +list($pconfig['wins1'],$pconfig['wins2']) = $config['dhcpd'][$if]['winsserver']; +$pconfig['enable'] = isset($config['dhcpd'][$if]['enable']); + +$ifcfg = $config['interfaces'][$if]; + +if (!is_array($config['dhcpd'][$if]['staticmap'])) { + $config['dhcpd'][$if]['staticmap'] = array(); +} +staticmaps_sort($if); +$a_maps = &$config['dhcpd'][$if]['staticmap']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "range_from range_to"); + $reqdfieldsn = explode(",", "Range begin,Range end"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['range_from'] && !is_ipaddr($_POST['range_from']))) { + $input_errors[] = "A valid range must be specified."; + } + if (($_POST['range_to'] && !is_ipaddr($_POST['range_to']))) { + $input_errors[] = "A valid range must be specified."; + } + if (($_POST['wins1'] && !is_ipaddr($_POST['wins1'])) || ($_POST['wins2'] && !is_ipaddr($_POST['wins2']))) { + $input_errors[] = "A valid IP address must be specified for the primary/secondary WINS server."; + } + if ($_POST['deftime'] && (!is_numeric($_POST['deftime']) || ($_POST['deftime'] < 60))) { + $input_errors[] = "The default lease time must be at least 60 seconds."; + } + if ($_POST['maxtime'] && (!is_numeric($_POST['maxtime']) || ($_POST['maxtime'] < 60) || ($_POST['maxtime'] <= $_POST['deftime']))) { + $input_errors[] = "The maximum lease time must be at least 60 seconds and higher than the default lease time."; + } + + if (!$input_errors) { + /* make sure the range lies within the current subnet */ + $subnet_start = (ip2long($ifcfg['ipaddr']) & gen_subnet_mask_long($ifcfg['subnet'])); + $subnet_end = (ip2long($ifcfg['ipaddr']) | (~gen_subnet_mask_long($ifcfg['subnet']))); + + if ((ip2long($_POST['range_from']) < $subnet_start) || (ip2long($_POST['range_from']) > $subnet_end) || + (ip2long($_POST['range_to']) < $subnet_start) || (ip2long($_POST['range_to']) > $subnet_end)) { + $input_errors[] = "The specified range lies outside of the current subnet."; + } + + if (ip2long($_POST['range_from']) > ip2long($_POST['range_to'])) + $input_errors[] = "The range is invalid (first element higher than second element)."; + } + } + + if (!$input_errors) { + $config['dhcpd'][$if]['range']['from'] = $_POST['range_from']; + $config['dhcpd'][$if]['range']['to'] = $_POST['range_to']; + $config['dhcpd'][$if]['defaultleasetime'] = $_POST['deftime']; + $config['dhcpd'][$if]['maxleasetime'] = $_POST['maxtime']; + $config['dhcpd'][$if]['enable'] = $_POST['enable'] ? true : false; + + unset($config['dhcpd'][$if]['winsserver']); + if ($_POST['wins1']) + $config['dhcpd'][$if]['winsserver'][] = $_POST['wins1']; + if ($_POST['wins2']) + $config['dhcpd'][$if]['winsserver'][] = $_POST['wins2']; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_dhcpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_staticmapsdirty_path)) + unlink($d_staticmapsdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_maps[$_GET['id']]) { + unset($a_maps[$_GET['id']]); + write_config(); + touch($d_staticmapsdirty_path); + header("Location: services_dhcp.php?if={$if}"); + exit; + } +} +?> + + + +m0n0wall webGUI - Services: DHCP + + + + + + + +

Services: DHCP

+
+ + +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + $ifname): + if ($ifent == $if): ?> + + + + + + + + + + +
 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable DHCP server on + + interface
Subnet + +
Subnet + mask + +
Available + range + + - + +
Range + +  to 
WINS servers +
+
Default lease + time + + seconds
+ This is used for clients that do not ask for a specific + expiration time.
+ The default is 7200 seconds.
Maximum lease + time + + seconds
+ This is the maximum lease time for clients that ask + for a specific expiration time.
+ The default is 86400 seconds.
  + + +
 

Note:
+ The DNS servers entered in System: + General setup (or the DNS + forwarder, if enabled) will + be assigned to clients by the DHCP server.
+
+ The DHCP lease table can be viewed on the Diagnostics: + DHCP leases page.
+
+ You may enter static mappings between IP and MAC addresses + below.

+  
+ + + + + + + + + + + + + + + + + + + +
IP addressMAC address Description
+ + + + +   + +  
+
+
+ + + + diff --git a/webgui/services_dhcp_edit.php b/webgui/services_dhcp_edit.php new file mode 100644 index 0000000..86ce158 --- /dev/null +++ b/webgui/services_dhcp_edit.php @@ -0,0 +1,174 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$if = $_GET['if']; +if ($_POST['if']) + $if = $_POST['if']; + +if (!$if) { + header("Location: services_dhcp.php"); + exit; +} + +if (!is_array($config['dhcpd'][$if]['staticmap'])) { + $config['dhcpd'][$if]['staticmap'] = array(); +} +staticmaps_sort($if); +$a_maps = &$config['dhcpd'][$if]['staticmap']; +$ifcfg = &$config['interfaces'][$if]; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_maps[$id]) { + $pconfig['mac'] = $a_maps[$id]['mac']; + $pconfig['ipaddr'] = $a_maps[$id]['ipaddr']; + $pconfig['descr'] = $a_maps[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "mac ipaddr"); + $reqdfieldsn = explode(",", "MAC address,IP address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['ipaddr'] && !is_ipaddr($_POST['ipaddr']))) { + $input_errors[] = "A valid IP address must be specified."; + } + if (($_POST['mac'] && !is_macaddr($_POST['mac']))) { + $input_errors[] = "A valid MAC address must be specified."; + } + + /* check for overlaps */ + foreach ($a_maps as $mapent) { + if (isset($id) && ($a_maps[$id]) && ($a_maps[$id] === $mapent)) + continue; + + if (($mapent['mac'] == $_POST['mac']) || (ip2long($mapent['ipaddr']) == ip2long($_POST['ipaddr']))) { + $input_errors[] = "This IP or MAC address already exists."; + break; + } + } + + /* make sure it's not within the dynamic subnet */ + $dynsubnet_start = ip2long($config['dhcpd'][$if]['range']['from']); + $dynsubnet_end = ip2long($config['dhcpd'][$if]['range']['to']); + $lansubnet_start = (ip2long($ifcfg['ipaddr']) & gen_subnet_mask_long($ifcfg['subnet'])); + $lansubnet_end = (ip2long($ifcfg['ipaddr']) | (~gen_subnet_mask_long($ifcfg['subnet']))); + + if ((ip2long($_POST['ipaddr']) >= $dynsubnet_start) && + (ip2long($_POST['ipaddr']) <= $dynsubnet_end)) { + $input_errors[] = "Static IP addresses may not lie within the dynamic client range."; + } + if ((ip2long($_POST['ipaddr']) < $lansubnet_start) || + (ip2long($_POST['ipaddr']) > $lansubnet_end)) { + $input_errors[] = "The IP address must lie in the {$ifcfg['descr']} subnet."; + } + + if (!$input_errors) { + $mapent = array(); + $mapent['mac'] = $_POST['mac']; + $mapent['ipaddr'] = $_POST['ipaddr']; + $mapent['descr'] = $_POST['descr']; + + if (isset($id) && $a_maps[$id]) + $a_maps[$id] = $mapent; + else + $a_maps[] = $mapent; + + touch($d_staticmapsdirty_path); + + write_config(); + + header("Location: services_dhcp.php?if={$if}"); + exit; + } +} +?> + + + +m0n0wall webGUI - Services: DHCP: Edit static mapping + + + + + + +

Services: DHCP: Edit static mapping

+ + +
+ + + + + + + + + + + + + + + + + +
IP address + +
MAC address + +
+ Enter a MAC address in the following format: + xx:xx:xx:xx:xx:xx
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + + +
+
+ + + diff --git a/webgui/services_dnsmasq.php b/webgui/services_dnsmasq.php new file mode 100644 index 0000000..af4acd0 --- /dev/null +++ b/webgui/services_dnsmasq.php @@ -0,0 +1,168 @@ +#!/usr/local/bin/php + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pconfig['enable'] = isset($config['dnsmasq']['enable']); +$pconfig['regdhcp'] = isset($config['dnsmasq']['regdhcp']); + +if (!is_array($config['dnsmasq']['hosts'])) { + $config['dnsmasq']['hosts'] = array(); +} +hosts_sort(); +$a_hosts = &$config['dnsmasq']['hosts']; + +if ($_POST) { + + $pconfig = $_POST; + + $config['dnsmasq']['enable'] = ($_POST['enable']) ? true : false; + $config['dnsmasq']['regdhcp'] = ($_POST['regdhcp']) ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_dnsmasq_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_hostsdirty_path)) + unlink($d_hostsdirty_path); + } +} + +if ($_GET['act'] == "del") { + if ($a_hosts[$_GET['id']]) { + unset($a_hosts[$_GET['id']]); + write_config(); + touch($d_hostsdirty_path); + header("Location: services_dnsmasq.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Services: DNS forwarder + + + + + + +

Services: DNS forwarder

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + +

+ > + Enable DNS forwarder
+

+ > + Register DHCP leases in DNS forwarder
+ If this option is set, then machines that specify + their hostname when requesting a DHCP lease will be registered + in the DNS forwarder, so that their name can be resolved. + You should also set the domain in System: + General setup to the proper value.

+
+

Note:
+ If the DNS forwarder is enabled, the DHCP + service (if enabled) will automatically serve the LAN IP + address as a DNS server to DHCP clients so they will use + the forwarder. The DNS forwarder will use the DNS servers + entered in System: General setup + or those obtained via DHCP or PPP on WAN if the "Allow + DNS server list to be overridden by DHCP/PPP on WAN" + is checked. If you don't use that option (or if you use + a static IP address on WAN), you must manually specify at + least one DNS server on the System: + General setup page.
+
+ You may enter records that override the results from the + forwarders below.

+  
+ + + + + + + + + + + + + + + + + + + + + +
HostDomainIPDescription
+   + +   + +   + +   + +  
+
+ + + diff --git a/webgui/services_dnsmasq_edit.php b/webgui/services_dnsmasq_edit.php new file mode 100644 index 0000000..b48e22f --- /dev/null +++ b/webgui/services_dnsmasq_edit.php @@ -0,0 +1,161 @@ +#!/usr/local/bin/php + and Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['dnsmasq']['hosts'])) { + $config['dnsmasq']['hosts'] = array(); +} +hosts_sort(); +$a_hosts = &$config['dnsmasq']['hosts']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_hosts[$id]) { + $pconfig['host'] = $a_hosts[$id]['host']; + $pconfig['domain'] = $a_hosts[$id]['domain']; + $pconfig['ip'] = $a_hosts[$id]['ip']; + $pconfig['descr'] = $a_hosts[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "domain ip"); + $reqdfieldsn = explode(",", "Domain,IP address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['host'] && !is_hostname($_POST['host']))) { + $input_errors[] = "A valid host must be specified."; + } + if (($_POST['domain'] && !is_domain($_POST['domain']))) { + $input_errors[] = "A valid domain must be specified."; + } + if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) { + $input_errors[] = "A valid IP address must be specified."; + } + + /* check for overlaps */ + foreach ($a_hosts as $hostent) { + if (isset($id) && ($a_hosts[$id]) && ($a_hosts[$id] === $hostent)) + continue; + + if (($hostent['host'] == $_POST['host']) && ($hostent['domain'] == $_POST['domain'])) { + $input_errors[] = "This host/domain already exists."; + break; + } + } + + if (!$input_errors) { + $hostent = array(); + $hostent['host'] = $_POST['host']; + $hostent['domain'] = $_POST['domain']; + $hostent['ip'] = $_POST['ip']; + $hostent['descr'] = $_POST['descr']; + + if (isset($id) && $a_hosts[$id]) + $a_hosts[$id] = $hostent; + else + $a_hosts[] = $hostent; + + touch($d_hostsdirty_path); + + write_config(); + + header("Location: services_dnsmasq.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Services: DNS forwarder: Edit host + + + + + + +

Services: DNS forwarder: Edit host

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
Host + +
Name of the host, without + domain part
+ e.g. myhost
Domain + +
Domain of the host
+ e.g. blah.com
IP address + +
IP address of the host
+ e.g. 192.168.100.100
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/webgui/services_dyndns.php b/webgui/services_dyndns.php new file mode 100644 index 0000000..e12098b --- /dev/null +++ b/webgui/services_dyndns.php @@ -0,0 +1,197 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pconfig['username'] = $config['dyndns']['username']; +$pconfig['password'] = $config['dyndns']['password']; +$pconfig['host'] = $config['dyndns']['host']; +$pconfig['mx'] = $config['dyndns']['mx']; +$pconfig['type'] = $config['dyndns']['type']; +$pconfig['enable'] = isset($config['dyndns']['enable']); +$pconfig['wildcard'] = isset($config['dyndns']['wildcard']); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "host username password type"); + $reqdfieldsn = explode(",", "Hostname,Username,Password,Service type"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (($_POST['host'] && !is_domain($_POST['host']))) { + $input_errors[] = "The host name contains invalid characters."; + } + if (($_POST['mx'] && !is_domain($_POST['mx']))) { + $input_errors[] = "The MX contains invalid characters."; + } + if (($_POST['username'] && !is_dyndns_username($_POST['username']))) { + $input_errors[] = "The username contains invalid characters."; + } + + if (!$input_errors) { + $config['dyndns']['type'] = $_POST['type']; + $config['dyndns']['username'] = $_POST['username']; + $config['dyndns']['password'] = $_POST['password']; + $config['dyndns']['host'] = $_POST['host']; + $config['dyndns']['mx'] = $_POST['mx']; + $config['dyndns']['wildcard'] = $_POST['wildcard'] ? true : false; + $config['dyndns']['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + /* nuke the cache file */ + config_lock(); + services_dyndns_reset(); + $retval = services_dyndns_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - Services: Dynamic DNS client + + + + + + + +

Services: Dynamic DNS client

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable Dynamic DNS client
Service type +
Hostname + +
MX + +
+ Set this option only if you need a special MX record. Not + all services support this.
Wildcards + > + Enable Wildcard
Username + +
Password + +
  + +
 Note:
+ You must configure a DNS server in System: + General setup or allow the DNS server list to be overridden + by DHCP/PPP on WAN for the DynDNS client to work.
+
+ + + + diff --git a/webgui/services_proxyarp.php b/webgui/services_proxyarp.php new file mode 100644 index 0000000..9591063 --- /dev/null +++ b/webgui/services_proxyarp.php @@ -0,0 +1,124 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['proxyarp']['proxyarpnet'])) { + $config['proxyarp']['proxyarpnet'] = array(); +} +proxyarp_sort(); +$a_proxyarp = &$config['proxyarp']['proxyarpnet']; + +if ($_POST) { + $pconfig = $_POST; + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_proxyarp_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + + if ($retval == 0) { + if (file_exists($d_proxyarpdirty_path)) + unlink($d_proxyarpdirty_path); + } +} + +if ($_GET['act'] == "del") { + if ($a_proxyarp[$_GET['id']]) { + unset($a_proxyarp[$_GET['id']]); + write_config(); + touch($d_proxyarpdirty_path); + header("Location: services_proxyarp.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Services: Proxy ARP + + + + + + +

Services: Proxy ARP

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + +
NetworkDescription
+   + +   + +  
+
+

Note:
+ Proxy ARP can be used if you need m0n0wall to send ARP + replies on the WAN interface for other IP addresses than its own WAN + IP address (e.g. for 1:1, advanced outbound or server NAT). It is not + necessary if you have a subnet routed to you or if you use PPPoE/PPTP, and it only works if + the WAN interface is configured with a static IP address or DHCP.

+ + + diff --git a/webgui/services_proxyarp_edit.php b/webgui/services_proxyarp_edit.php new file mode 100644 index 0000000..a9ee249 --- /dev/null +++ b/webgui/services_proxyarp_edit.php @@ -0,0 +1,232 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['proxyarp']['proxyarpnet'])) { + $config['proxyarp']['proxyarpnet'] = array(); +} +proxyarp_sort(); +$a_proxyarp = &$config['proxyarp']['proxyarpnet']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_proxyarp[$id]) { + if (isset($a_proxyarp[$id]['network'])) + list($pconfig['subnet'], $pconfig['subnet_bits']) = explode("/", $a_proxyarp[$id]['network']); + else if (isset($a_proxyarp[$id]['range'])) { + $pconfig['range_from'] = $a_proxyarp[$id]['range']['from']; + $pconfig['range_to'] = $a_proxyarp[$id]['range']['to']; + } + $pconfig['descr'] = $a_proxyarp[$id]['descr']; +} else { + $pconfig['subnet_bits'] = 32; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['type'] == "single") { + $reqdfields = explode(" ", "subnet"); + $reqdfieldsn = explode(",", "Address"); + $_POST['subnet_bits'] = 32; + } else if ($_POST['type'] == "network") { + $reqdfields = explode(" ", "subnet subnet_bits"); + $reqdfieldsn = explode(",", "Network,Network mask"); + } else if ($_POST['type'] == "range") { + $reqdfields = explode(" ", "range_from range_to"); + $reqdfieldsn = explode(",", "Range start,Range end"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ((($_POST['type'] != "range") && $_POST['subnet'] && !is_ipaddr($_POST['subnet']))) { + $input_errors[] = "A valid address must be specified."; + } + if ((($_POST['type'] == "range") && $_POST['range_from'] && !is_ipaddr($_POST['range_from']))) { + $input_errors[] = "A valid range start must be specified."; + } + if ((($_POST['type'] == "range") && $_POST['range_to'] && !is_ipaddr($_POST['range_to']))) { + $input_errors[] = "A valid range end must be specified."; + } + + /* check for overlaps */ + foreach ($a_proxyarp as $arpent) { + if (isset($id) && ($a_proxyarp[$id]) && ($a_proxyarp[$id] === $arpent)) + continue; + + if (($_POST['type'] == "range") && isset($arpent['range'])) { + if (($_POST['range_from'] == $arpent['range']['from']) && + ($_POST['range_to'] == $arpent['range']['to'])) { + $input_errors[] = "This range already exists."; + break; + } + } else if (isset($arpent['network'])) { + if (($arpent['network'] == "{$_POST['subnet']}/{$_POST['subnet_bits']}")) { + $input_errors[] = "This network already exists."; + break; + } + } + } + + if (!$input_errors) { + $arpent = array(); + if ($_POST['type'] == "range") { + $arpent['range']['from'] = $_POST['range_from']; + $arpent['range']['to'] = $_POST['range_to']; + } else + $arpent['network'] = $_POST['subnet'] . "/" . $_POST['subnet_bits']; + $arpent['descr'] = $_POST['descr']; + + if (isset($id) && $a_proxyarp[$id]) + $a_proxyarp[$id] = $arpent; + else + $a_proxyarp[] = $arpent; + + touch($d_proxyarpdirty_path); + + write_config(); + + header("Location: services_proxyarp.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - Services: Proxy ARP: Edit + + + + + + + +

Services: Proxy ARP: Edit

+ + +
+ + + + + + + + + + + + + +
Network + + + + + + + + + + + + + +
Type:  
Address:   + / + +
Range:   +- + +
+
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + + diff --git a/webgui/services_snmp.php b/webgui/services_snmp.php new file mode 100644 index 0000000..7d02cfe --- /dev/null +++ b/webgui/services_snmp.php @@ -0,0 +1,145 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['snmpd'])) { + $config['snmpd'] = array(); + $config['snmpd']['rocommunity'] = "public"; +} + +$pconfig['syslocation'] = $config['snmpd']['syslocation']; +$pconfig['syscontact'] = $config['snmpd']['syscontact']; +$pconfig['rocommunity'] = $config['snmpd']['rocommunity']; +$pconfig['enable'] = isset($config['snmpd']['enable']); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "rocommunity"); + $reqdfieldsn = explode(",", "Community"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (!$input_errors) { + $config['snmpd']['syslocation'] = $_POST['syslocation']; + $config['snmpd']['syscontact'] = $_POST['syscontact']; + $config['snmpd']['rocommunity'] = $_POST['rocommunity']; + $config['snmpd']['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = services_snmpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - Services: SNMP + + + + + + + +

Services: SNMP

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
  + onClick="enable_change(false)"> + Enable SNMP agent
System location + +
System contact + +
Community + +
+ In most cases, "public" is used here
  + +
+
+ + + + diff --git a/webgui/status.php b/webgui/status.php new file mode 100644 index 0000000..37558ac --- /dev/null +++ b/webgui/status.php @@ -0,0 +1,150 @@ +#!/usr/local/bin/php + Nov 2003 + * + * (modified for m0n0wall by Manuel Kasper ) + */ + +/* Execute a command, with a title, and generate an HTML table + * showing the results. + */ +function doCmdT($title, $command) { + echo "

\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "
" . $title . "
";		/* no newline after pre */
+	
+	if ($command == "dumpconfigxml") {
+		$fd = @fopen("/conf/config.xml", "r");
+		if ($fd) {
+			while (!feof($fd)) {
+				$line = fgets($fd);
+				/* remove password tag contents */
+				$line = preg_replace("/.*?<\\/password>/", "xxxxx", $line);
+				$line = preg_replace("/.*?<\\/pre-shared-key>/", "xxxxx", $line);
+				$line = str_replace("\t", "    ", $line);
+				echo htmlspecialchars($line,ENT_NOQUOTES);
+			}
+		}
+		fclose($fd);
+	} else {
+		exec ($command . " 2>&1", $execOutput, $execStatus);
+		for ($i = 0; isset($execOutput[$i]); $i++) {
+			if ($i > 0) {
+				echo "\n";
+			}
+			echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES);
+		}
+	}
+    echo "
\n"; +} + +/* Execute a command, giving it a title which is the same as the command. */ +function doCmd($command) { + doCmdT($command,$command); +} + +/* Define a command, with a title, to be executed later. */ +function defCmdT($title, $command) { + global $commands; + $title = htmlspecialchars($title,ENT_NOQUOTES); + $commands[] = array($title, $command); +} + +/* Define a command, with a title which is the same as the command, + * to be executed later. + */ +function defCmd($command) { + defCmdT($command,$command); +} + +/* List all of the commands as an index. */ +function listCmds() { + global $commands; + echo "

This status page includes the following information:\n"; + echo "

\n"; +} + +/* Execute all of the commands which were defined by a call to defCmd. */ +function execCmds() { + global $commands; + for ($i = 0; isset($commands[$i]); $i++ ) { + doCmdT($commands[$i][0], $commands[$i][1]); + } +} + +/* Set up all of the commands we want to execute. */ +defCmdT("System uptime","uptime"); +defCmdT("Interfaces","/sbin/ifconfig -a"); + +defCmdT("Routing tables","netstat -nr"); + +defCmdT("ipfw show", "/sbin/ipfw show"); +defCmdT("ipnat -lv", "/sbin/ipnat -lv"); +defCmdT("ipfstat -v", "/sbin/ipfstat -v"); +defCmdT("ipfstat -nio", "/sbin/ipfstat -nio"); + +defCmdT("resolv.conf","cat /etc/resolv.conf"); + +defCmdT("Processes","ps xauww"); +defCmdT("dhcpd.conf","cat /var/etc/dhcpd.conf"); +defCmdT("ez-ipupdate.cache","cat /conf/ez-ipupdate.cache"); + +defCmdT("df","/bin/df"); + +defCmdT("racoon.conf","cat /var/etc/racoon.conf"); +defCmdT("SPD","/usr/sbin/setkey -DP"); +defCmdT("SAD","/usr/sbin/setkey -D"); + +defCmdT("last 200 system log entries","/usr/sbin/clog /var/log/system.log 2>&1 | tail -n 200"); +defCmdT("last 50 filter log entries","/usr/sbin/clog /var/log/filter.log 2>&1 | tail -n 50"); + +defCmd("ls /conf"); +defCmd("ls /var/run"); +defCmdT("config.xml","dumpconfigxml"); + +$pageTitle = "m0n0wall: status"; + +exec("/bin/date", $dateOutput, $dateStatus); +$currentDate = $dateOutput[0]; + +?> + + + +<?=$pageTitle;?> + + + + + + +


+ +

Note: make sure to remove any sensitive information +(passwords, maybe also IP addresses) before posting +information from this page in public places (like mailing lists)!
+Passwords in config.xml have been automatically removed. + + + + + + + diff --git a/webgui/status_interfaces.php b/webgui/status_interfaces.php new file mode 100644 index 0000000..a7923ef --- /dev/null +++ b/webgui/status_interfaces.php @@ -0,0 +1,228 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +function get_interface_info($ifdescr) { + + global $config, $g; + + $ifinfo = array(); + + /* find out interface name */ + if ($ifdescr == "wan") + $ifinfo['if'] = get_real_wan_interface(); + else + $ifinfo['if'] = $config['interfaces'][$ifdescr]['if']; + + /* run netstat to determine link info */ + unset($linkinfo); + exec("/usr/bin/netstat -I " . $ifinfo['if'] . " -nWb -f link", $linkinfo); + $linkinfo = preg_split("/\s+/", $linkinfo[1]); + if (preg_match("/\*$/", $linkinfo[0])) { + $ifinfo['status'] = "down"; + } else { + $ifinfo['status'] = "up"; + } + + if ($ifinfo['if'] != $g['pppoe_interface']) { + $ifinfo['macaddr'] = $linkinfo[3]; + $ifinfo['inpkts'] = $linkinfo[4]; + $ifinfo['inbytes'] = $linkinfo[6]; + $ifinfo['outpkts'] = $linkinfo[7]; + $ifinfo['outbytes'] = $linkinfo[9]; + } else { + $ifinfo['inpkts'] = $linkinfo[3]; + $ifinfo['inbytes'] = $linkinfo[5]; + $ifinfo['outpkts'] = $linkinfo[6]; + $ifinfo['outbytes'] = $linkinfo[8]; + } + + if ($ifinfo['status'] == "up") { + /* run netstat to determine inet info */ + unset($inetinfo); + exec("/usr/bin/netstat -I " . $ifinfo['if'] . " -nWb -f inet", $inetinfo); + $inetinfo = preg_split("/\s+/", $inetinfo[1]); + + $ifinfo['ipaddr'] = $inetinfo[3]; + + if ($ifdescr == "wan") { + /* run netstat to determine the default gateway */ + unset($netstatrninfo); + exec("/usr/bin/netstat -rnf inet", $netstatrninfo); + + foreach ($netstatrninfo as $nsr) { + if (preg_match("/^default\s*(\S+)/", $nsr, $matches)) { + $ifinfo['gateway'] = $matches[1]; + } + } + } + + /* try to determine netmask and media with ifconfig */ + unset($ifconfiginfo); + exec("/sbin/ifconfig " . $ifinfo['if'], $ifconfiginfo); + + foreach ($ifconfiginfo as $ici) { + if (preg_match("/netmask (\S+)/", $ici, $matches) && !$ifinfo['subnet']) { + if (preg_match("/^0x/", $matches[1])) { + $ifinfo['subnet'] = long2ip(hexdec($matches[1])); + } + } + if (!isset($config['interfaces'][$ifdescr]['wireless'])) { + /* don't list media/speed for wireless cards, as it always + displays 2 Mbps even though clients can connect at 11 Mbps */ + if (preg_match("/media: .*? \((.*?)\)/", $ici, $matches)) { + $ifinfo['media'] = $matches[1]; + } + } + if (preg_match("/status: (.*)$/", $ici, $matches)) { + if ($matches[1] != "active") + $ifinfo['status'] = $matches[1]; + } + if (preg_match("/channel (\S*)/", $ici, $matches)) { + $ifinfo['channel'] = $matches[1]; + } + if (preg_match("/ssid (\S*)/", $ici, $matches)) { + $ifinfo['ssid'] = $matches[1]; + } + } + + /* PPPoE only: get media from underlying ethernet interface */ + if (($ifdescr == "wan") && ($config['interfaces']['wan']['ipaddr'] == "pppoe")) { + unset($ifconfiginfo); + exec("/sbin/ifconfig " . $config['interfaces']['wan']['if'], $ifconfiginfo); + + foreach ($ifconfiginfo as $ici) { + if (preg_match("/media: .*? \((.*?)\)/", $ici, $matches)) { + $ifinfo['media'] = $matches[1]; + } else if (preg_match("/ether (.*)/", $ici, $matches)) { + $ifinfo['macaddr'] = $matches[1]; + } + } + } + } + + return $ifinfo; +} + +?> + + + +m0n0wall webGUI - Status: Interfaces + + + + + + +

Status: Interfaces

+ + 'WAN', 'lan' => 'LAN'); + + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $ifdescrs['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + } + + foreach ($ifdescrs as $ifdescr => $ifname): + $ifinfo = get_interface_info($ifdescr); + ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + interface
Status + +
MAC address + +
IP address + +  
Subnet mask + +
Gateway + +
Media + +
Channel + +
SSID + +
In/out packets + +
+ + + diff --git a/webgui/status_wireless.php b/webgui/status_wireless.php new file mode 100644 index 0000000..b020cd0 --- /dev/null +++ b/webgui/status_wireless.php @@ -0,0 +1,189 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +function get_wireless_info($ifdescr) { + + global $config, $g; + + $ifinfo = array(); + $ifinfo['if'] = $config['interfaces'][$ifdescr]['if']; + + /* get signal strength cache */ + exec("/usr/sbin/wicontrol -i " . $ifinfo['if'] . " -C", $sscache); + + $ifinfo['sscache'] = array(); + foreach ($sscache as $ss) { + if ($ss) { + $ssa = preg_split("/\s+/", $ss); + $sscent = array(); + $sscent['mac'] = chop($ssa[1], ","); + $sscent['ipaddr'] = chop($ssa[2], ","); + $sscent['sig'] = chop($ssa[4], ","); + $sscent['noise'] = chop($ssa[6], ","); + $sscent['qual'] = chop($ssa[8], ","); + $ifinfo['sscache'][] = $sscent; + } + } + + /* if in hostap mode: get associated stations */ + if ($config['interfaces'][$ifdescr]['wireless']['mode'] == "hostap") { + exec("/usr/sbin/wicontrol -i " . $ifinfo['if'] . " -l", $aslist); + + $ifinfo['aslist'] = array(); + array_shift($aslist); + foreach ($aslist as $as) { + if ($as) { + $asa = preg_split("/\s+/", $as); + $aslent = array(); + $aslent['mac'] = $asa[0]; + $aslent['rates'] = substr($asa[4], strpos($asa[4], "<")+1, + strpos($asa[4], ">")-strpos($asa[4], "<")-1); + $aslent['sig'] = substr($asa[5], strpos($asa[5], "=")+1); + $ifinfo['aslist'][] = $aslent; + } + } + } + + return $ifinfo; +} + +?> + + + +m0n0wall webGUI - Status: Wireless + + + + + + +

Status: Wireless

+ 0): ?> + + $ifname): + $ifinfo = get_wireless_info($ifdescr); + ?> + + + + + + + + + + + + + + + + + +
+ interface
Signal strength + cache + + + + + + + + + + + + + + + + + +
MAC addressIP addressSignalNoiseQuality
+ + + + + + + + + +
Associated stations + + + + + + + + + + + + + + +
MAC addressTX ratesSignal
+ + + + + +
+ +

No supported wireless interfaces were found for status display.

+ + + + diff --git a/webgui/system.php b/webgui/system.php new file mode 100644 index 0000000..faa9d60 --- /dev/null +++ b/webgui/system.php @@ -0,0 +1,260 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pconfig['hostname'] = $config['system']['hostname']; +$pconfig['domain'] = $config['system']['domain']; +list($pconfig['dns1'],$pconfig['dns2']) = $config['system']['dnsserver']; +$pconfig['dnsallowoverride'] = isset($config['system']['dnsallowoverride']); +$pconfig['username'] = $config['system']['username']; +if (!$pconfig['username']) + $pconfig['username'] = "admin"; +$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; +if (!$pconfig['webguiproto']) + $pconfig['webguiproto'] = "http"; +$pconfig['webguiport'] = $config['system']['webgui']['port']; +$pconfig['timezone'] = $config['system']['timezone']; +$pconfig['timeupdateinterval'] = $config['system']['time-update-interval']; +$pconfig['timeservers'] = $config['system']['timeservers']; + +if (!isset($pconfig['timeupdateinterval'])) + $pconfig['timeupdateinterval'] = 300; +if (!$pconfig['timezone']) + $pconfig['timezone'] = "Etc/UTC"; +if (!$pconfig['timeservers']) + $pconfig['timeservers'] = "pool.ntp.org"; + +function is_timezone($elt) { + return !preg_match("/\/$/", $elt); +} + +exec('/usr/bin/tar -tzf /usr/share/zoneinfo.tgz', $timezonelist); +$timezonelist = array_filter($timezonelist, 'is_timezone'); +sort($timezonelist); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = split(" ", "hostname domain username"); + $reqdfieldsn = split(",", "Hostname,Domain,Username"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['hostname'] && !is_hostname($_POST['hostname'])) { + $input_errors[] = "The hostname may only contain the characters a-z, 0-9 and '-'."; + } + if ($_POST['domain'] && !is_domain($_POST['domain'])) { + $input_errors[] = "The domain may only contain the characters a-z, 0-9, '-' and '.'."; + } + if (($_POST['dns1'] && !is_ipaddr($_POST['dns1'])) || ($_POST['dns2'] && !is_ipaddr($_POST['dns2']))) { + $input_errors[] = "A valid IP address must be specified for the primary/secondary DNS server."; + } + if ($_POST['username'] && !preg_match("/^[a-zA-Z0-9]*$/", $_POST['username'])) { + $input_errors[] = "The username may only contain the characters a-z, A-Z and 0-9."; + } + if ($_POST['webguiport'] && (!is_numericint($_POST['webguiport']) || + ($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) { + $input_errors[] = "A valid TCP/IP port must be specified for the webGUI port."; + } + if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) { + $input_errors[] = "The passwords do not match."; + } + + $t = (int)$_POST['timeupdateinterval']; + if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) { + $input_errors[] = "The time update interval must be either 0 (disabled) or between 6 and 1440."; + } + foreach (explode(' ', $_POST['timeservers']) as $ts) { + if (!is_domain($ts)) { + $input_errors[] = "A NTP Time Server name may only contain the characters a-z, 0-9, '-' and '.'."; + } + } + + if (!$input_errors) { + $config['system']['hostname'] = strtolower($_POST['hostname']); + $config['system']['domain'] = strtolower($_POST['domain']); + $oldwebguiproto = $config['system']['webgui']['protocol']; + $config['system']['username'] = $_POST['username']; + $config['system']['webgui']['protocol'] = $pconfig['webguiproto']; + $oldwebguiport = $config['system']['webgui']['port']; + $config['system']['webgui']['port'] = $pconfig['webguiport']; + $config['system']['timezone'] = $_POST['timezone']; + $config['system']['timeservers'] = strtolower($_POST['timeservers']); + $config['system']['time-update-interval'] = $_POST['timeupdateinterval']; + + unset($config['system']['dnsserver']); + if ($_POST['dns1']) + $config['system']['dnsserver'][] = $_POST['dns1']; + if ($_POST['dns2']) + $config['system']['dnsserver'][] = $_POST['dns2']; + + $config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? true : false; + + if ($_POST['password']) { + $config['system']['password'] = crypt($_POST['password']); + } + + write_config(); + + if (($oldwebguiproto != $config['system']['webgui']['protocol']) || + ($oldwebguiport != $config['system']['webgui']['port'])) + touch($d_sysrebootreqd_path); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = system_hostname_configure(); + $retval |= system_hosts_generate(); + $retval |= system_resolvconf_generate(); + $retval |= system_password_configure(); + $retval |= services_dnsmasq_configure(); + $retval |= system_timezone_configure(); + $retval |= system_ntp_configure(); + config_unlock(); + } + + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - System: General setup + + + + + + +

System: General setup

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Hostname +
name of the firewall host, without + domain part
+ e.g. firewall
Domain +
e.g. mycorp.com
DNS servers

+ +
+ +
+ IP addresses; these are also used for + the DHCP service, DNS forwarder and for PPTP VPN clients
+
+ > + Allow DNS server list to be overridden by DHCP + on WAN
+ If this option is set, m0n0wall will use DNS servers assigned + by a DHCP server on WAN for its own purposes (including + the DNS forwarder). They will not be assigned to DHCP and + PPTP VPN clients, though.

Username +
+ If you want + to change the username for accessing the webGUI, enter it + here.
Password +
+  (confirmation)
If you want + to change the password for accessing the webGUI, enter it + here twice.
webGUI protocol > + HTTP     > + HTTPS
webGUI port +
+ Enter a custom port number for the webGUI + above if you want to override the default (80 for HTTP, 443 + for HTTPS).
Time zone
Select the location closest + to you
Time update interval +
Minutes between network time sync.; + 300 recommended, or 0 to disable
NTP time server +
Use a space to separate multiple + hosts (only one required). Remember to set up at least one + DNS server if you enter a host name here!
  +
+
+ + + diff --git a/webgui/system_advanced.php b/webgui/system_advanced.php new file mode 100644 index 0000000..c0dde29 --- /dev/null +++ b/webgui/system_advanced.php @@ -0,0 +1,211 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pconfig['filteringbridge_enable'] = isset($config['bridge']['filteringbridge']); +$pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']); +$pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr']; +$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']); +$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']); +$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['ipv6nat_enable'] && !is_ipaddr($_POST['ipv6nat_ipaddr'])) { + $input_errors[] = "You must specify an IP address to NAT IPv6 packets."; + } + if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert'])) { + $input_errors[] = "Certificate and key must always be specified together."; + } else if ($_POST['cert'] && $_POST['key']) { + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + } + + if (!$input_errors) { + $config['bridge']['filteringbridge'] = $_POST['filteringbridge_enable'] ? true : false; + $config['diag']['ipv6nat']['enable'] = $_POST['ipv6nat_enable'] ? true : false; + $config['diag']['ipv6nat']['ipaddr'] = $_POST['ipv6nat_ipaddr']; + $oldcert = $config['system']['webgui']['certificate']; + $oldkey = $config['system']['webgui']['private-key']; + $config['system']['webgui']['certificate'] = base64_encode($_POST['cert']); + $config['system']['webgui']['private-key'] = base64_encode($_POST['key']); + $config['system']['disableconsolemenu'] = $_POST['disableconsolemenu'] ? true : false; + + write_config(); + + if (($config['system']['webgui']['certificate'] != $oldcert) + || ($config['system']['webgui']['private-key'] != $oldkey)) { + touch($d_sysrebootreqd_path); + } + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = filter_configure(); + $retval = interfaces_optional_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - System: Advanced functions + + + + + + + +

System: Advanced functions

+ + +

Note: the + options on this page are intended for use by advanced users only, + and there's NO support for them.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IPv6 tunneling
  + onclick="enable_change(false)"> + NAT encapsulated IPv6 packets (IP protocol 41/RFC2893) + to:

+  (IP address)
+ Don't forget to add a firewall rule to permit IPv6 packets!
  + +
Filtering bridge
  + > + Enable filtering bridge
+ This will cause bridged packets to pass through the packet + filter in the same way as routed packets do (by default bridged + packets are always passed). If you enable this option, you'll + have to add filter rules to selectively permit traffic from + bridged interfaces.
  + +
webGUI SSL certificate/key
Certificate + +
+ Paste a signed certificate in X.509 PEM format here.
Key + +
+ Paste an RSA private key in PEM format here.
  + +
Miscellaneous
  + > + Disable console menu
+ Changes to this option will take effect after a reboot.
  + +
+
+ + + + diff --git a/webgui/system_firmware.php b/webgui/system_firmware.php new file mode 100644 index 0000000..421b62b --- /dev/null +++ b/webgui/system_firmware.php @@ -0,0 +1,199 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$d_isfwfile = 1; require("guiconfig.inc"); + +/* checks with m0n0.ch to see if a newer firmware version is available; + returns any HTML message it gets from the server */ +function check_firmware_version() { + global $g; + $post = "platform=" . rawurlencode($g['platform']) . + "&version=" . rawurlencode(trim(file_get_contents("/etc/version"))); + + $rfd = @fsockopen("m0n0.ch", 80, $errno, $errstr, 3); + if ($rfd) { + $hdr = "POST /wall/checkversion.php HTTP/1.0\r\n"; + $hdr .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $hdr .= "User-Agent: m0n0wall-webGUI/1.0\r\n"; + $hdr .= "Host: m0n0.ch\r\n"; + $hdr .= "Content-Length: " . strlen($post) . "\r\n\r\n"; + + fwrite($rfd, $hdr); + fwrite($rfd, $post); + + $inhdr = true; + $resp = ""; + while (!feof($rfd)) { + $line = fgets($rfd); + if ($inhdr) { + if (trim($line) == "") + $inhdr = false; + } else { + $resp .= $line; + } + } + + fclose($rfd); + + return $resp; + } + + return null; +} + +if ($_POST && !file_exists($d_firmwarelock_path)) { + + unset($input_errors); + unset($sig_warning); + + if (stristr($_POST['Submit'], "Enable")) + $mode = "enable"; + else if (stristr($_POST['Submit'], "Disable")) + $mode = "disable"; + else if (stristr($_POST['Submit'], "Upgrade") || $_POST['sig_override']) + $mode = "upgrade"; + else if ($_POST['sig_no']) + unlink("{$g['ftmp_path']}/firmware.img"); + + if ($mode) { + if ($mode == "enable") { + exec_rc_script("/etc/rc.firmware enable"); + touch($d_fwupenabled_path); + } else if ($mode == "disable") { + exec_rc_script("/etc/rc.firmware disable"); + if (file_exists($d_fwupenabled_path)) + unlink($d_fwupenabled_path); + } else if ($mode == "upgrade") { + if (is_uploaded_file($_FILES['ulfile']['tmp_name'])) { + /* verify firmware image(s) */ + if (!stristr($_FILES['ulfile']['name'], $g['platform']) && !$_POST['sig_override']) + $input_errors[] = "The uploaded image file is not for this platfom ({$g['platform']})."; + else { + /* move the image so PHP won't delete it */ + rename($_FILES['ulfile']['tmp_name'], "{$g['ftmp_path']}/firmware.img"); + + /* check digital signature */ + $sigchk = verify_digital_signature("{$g['ftmp_path']}/firmware.img"); + + if ($sigchk == 1) + $sig_warning = "The digital signature on this image is invalid."; + else if ($sigchk == 2) + $sig_warning = "This image is not digitally signed."; + else if (($sigchk == 3) || ($sigchk == 4)) + $sig_warning = "There has been an error verifying the signature on this image."; + + if (!verify_gzip_file("{$g['ftmp_path']}/firmware.img")) { + $input_errors[] = "The image file is corrupt."; + unlink("{$g['ftmp_path']}/firmware.img"); + } + } + } + + if (!$input_errors && !file_exists($d_firmwarelock_path) && (!$sig_warning || $_POST['sig_override'])) { + /* fire up the update script in the background */ + touch($d_firmwarelock_path); + exec_rc_script_async("/etc/rc.firmware upgrade {$g['ftmp_path']}/firmware.img"); + + $savemsg = "The firmware is now being installed. The firewall will reboot automatically."; + } + } + } +} else { + $fwinfo = check_firmware_version(); +} +?> + + + +m0n0wall webGUI - System: Firmware + + + + + + +

System: Firmware

+ + + + +

Firmware uploading is not supported on this platform.

+ +
+" . $sig_warning . "
This means that the image you uploaded " . + "is not an official supported image and may lead to unexpected behavior or security " . + "compromises. Only install images that come from sources that you trust, and make sure ". + "that the image has not been tampered with.

". + "Do you want to install this image anyway (on your own risk)?"; +print_info_box($sig_warning); +?> + + +
+ + +

Click "Enable firmware + upload" below, then choose the image file (-*.img) + to be uploaded.
Click "Upgrade firmware" + to start the upgrade process.

+
+ + + + + + + + + +
  + + + + + +

+ Firmware image file:   +

+ + + You must reboot the system before you can upgrade the firmware. + +
 Warning:
+ DO NOT abort the firmware upgrade once it + has started. The firewall will reboot automatically after + storing the new firmware. The configuration will be maintained.
+
+ + + + diff --git a/webgui/system_routes.php b/webgui/system_routes.php new file mode 100644 index 0000000..b63b410 --- /dev/null +++ b/webgui/system_routes.php @@ -0,0 +1,126 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['staticroutes']['route'])) + $config['staticroutes']['route'] = array(); + +staticroutes_sort(); +$a_routes = &$config['staticroutes']['route']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + $retval = system_routing_configure(); + $retval |= filter_configure(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_staticroutesdirty_path)) { + config_lock(); + unlink($d_staticroutesdirty_path); + config_unlock(); + } + } + } +} + +if ($_GET['act'] == "del") { + if ($a_routes[$_GET['id']]) { + unset($a_routes[$_GET['id']]); + write_config(); + touch($d_staticroutesdirty_path); + header("Location: system_routes.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - System: Static routes + + + + + + +

System: Static routes

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + + + + + + + + + + + + +
InterfaceNetworkGatewayDescription
+ 'LAN', 'pptp' => 'PPTP'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + echo htmlspecialchars($iflabels[$route['interface']]); ?> + + + + + +   + +  
+
+ + + diff --git a/webgui/system_routes_edit.php b/webgui/system_routes_edit.php new file mode 100644 index 0000000..a267dbe --- /dev/null +++ b/webgui/system_routes_edit.php @@ -0,0 +1,177 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['staticroutes']['route'])) + $config['staticroutes']['route'] = array(); + +staticroutes_sort(); +$a_routes = &$config['staticroutes']['route']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_routes[$id]) { + $pconfig['interface'] = $a_routes[$id]['interface']; + list($pconfig['network'],$pconfig['network_subnet']) = + explode('/', $a_routes[$id]['network']); + $pconfig['gateway'] = $a_routes[$id]['gateway']; + $pconfig['descr'] = $a_routes[$id]['descr']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "interface network network_subnet gateway"); + $reqdfieldsn = explode(",", "Interface,Destination network,Destination network bit count,Gateway"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['network'] && !is_ipaddr($_POST['network']))) { + $input_errors[] = "A valid destination network must be specified."; + } + if (($_POST['network_subnet'] && !is_numeric($_POST['network_subnet']))) { + $input_errors[] = "A valid destination network bit count must be specified."; + } + if (($_POST['gateway'] && !is_ipaddr($_POST['gateway']))) { + $input_errors[] = "A valid gateway IP address must be specified."; + } + + /* check for overlaps */ + $osn = gen_subnet($_POST['network'], $_POST['network_subnet']) . "/" . $_POST['network_subnet']; + foreach ($a_routes as $route) { + if (isset($id) && ($a_routes[$id]) && ($a_routes[$id] === $route)) + continue; + + if ($route['network'] == $osn) { + $input_errors[] = "A route to this destination network already exists."; + break; + } + } + + if (!$input_errors) { + $route = array(); + $route['interface'] = $_POST['interface']; + $route['network'] = $osn; + $route['gateway'] = $_POST['gateway']; + $route['descr'] = $_POST['descr']; + + if (isset($id) && $a_routes[$id]) + $a_routes[$id] = $route; + else + $a_routes[] = $route; + + touch($d_staticroutesdirty_path); + + write_config(); + + header("Location: system_routes.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - System: Static routes: Edit route + + + + + + +

System: Static routes: Edit route

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this route applies to.
Destination network + + / + +
Destination network for this static route
Gateway + +
Gateway to be used to reach the destination network
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + + diff --git a/webgui/tri_c.gif b/webgui/tri_c.gif new file mode 100644 index 0000000..317b758 Binary files /dev/null and b/webgui/tri_c.gif differ diff --git a/webgui/tri_o.gif b/webgui/tri_o.gif new file mode 100644 index 0000000..eb95c32 Binary files /dev/null and b/webgui/tri_o.gif differ diff --git a/webgui/up.gif b/webgui/up.gif new file mode 100644 index 0000000..3db680a Binary files /dev/null and b/webgui/up.gif differ diff --git a/webgui/up_d.gif b/webgui/up_d.gif new file mode 100644 index 0000000..5918e70 Binary files /dev/null and b/webgui/up_d.gif differ diff --git a/webgui/vpn_ipsec.php b/webgui/vpn_ipsec.php new file mode 100644 index 0000000..255454e --- /dev/null +++ b/webgui/vpn_ipsec.php @@ -0,0 +1,191 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['tunnel'])) { + $config['ipsec']['tunnel'] = array(); +} +$a_ipsec = &$config['ipsec']['tunnel']; +$wancfg = &$config['interfaces']['wan']; + +$pconfig['enable'] = isset($config['ipsec']['enable']); + +if ($_POST) { + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) + $retval = vpn_ipsec_configure(); + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_ipsecconfdirty_path)) + unlink($d_ipsecconfdirty_path); + } + } else if ($_POST['submit']) { + $pconfig = $_POST; + + $config['ipsec']['enable'] = $_POST['enable'] ? true : false; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = vpn_ipsec_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_ipsecconfdirty_path)) + unlink($d_ipsecconfdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_ipsec[$_GET['id']]) { + unset($a_ipsec[$_GET['id']]); + write_config(); + touch($d_ipsecconfdirty_path); + header("Location: vpn_ipsec.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - VPN: IPsec + + + + + + +

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + +
TunnelsMobile clientsPre-shared keys 
+ + + + + + + +

+ > + Enable IPsec
+

+
+  
+ + + + + + + + + + + "; + $spane = ""; + } else { + $spans = $spane = ""; + } + ?> + + + + + + + + + + + + + + +
Local net
+ Remote net		Interface
Remote gw		P1 modeP1 Enc. AlgoP1 Hash AlgoDescription
+ +
+ + 		+ 'LAN', 'wan' => 'WAN'); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + $if = htmlspecialchars($iflabels[$ipsecent['interface']]); + } else + $if = "WAN"; + + echo $if . "
" . $ipsecent['remote-gateway']; + ?> + 		+ + + + + + +   + +  
+
+
+ + + diff --git a/webgui/vpn_ipsec_edit.php b/webgui/vpn_ipsec_edit.php new file mode 100644 index 0000000..b6a13c0 --- /dev/null +++ b/webgui/vpn_ipsec_edit.php @@ -0,0 +1,509 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['tunnel'])) { + $config['ipsec']['tunnel'] = array(); +} +$a_ipsec = &$config['ipsec']['tunnel']; + +$specialsrcdst = explode(" ", "lan"); + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +function is_specialnet($net) { + global $specialsrcdst; + + if (in_array($net, $specialsrcdst)) + return true; + else + return false; +} + +function address_to_pconfig($adr, &$padr, &$pmask) { + + if ($adr['network']) + $padr = $adr['network']; + else if ($adr['address']) { + list($padr, $pmask) = explode("/", $adr['address']); + if (!$pmask) + $pmask = 32; + } +} + +function pconfig_to_address(&$adr, $padr, $pmask) { + + $adr = array(); + + if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } +} + +if (isset($id) && $a_ipsec[$id]) { + $pconfig['disabled'] = isset($a_ipsec[$id]['disabled']); + + if (!isset($a_ipsec[$id]['local-subnet'])) + $pconfig['localnet'] = "lan"; + else + address_to_pconfig($a_ipsec[$id]['local-subnet'], $pconfig['localnet'], $pconfig['localnetmask']); + + if ($a_ipsec[$id]['interface']) + $pconfig['interface'] = $a_ipsec[$id]['interface']; + else + $pconfig['interface'] = "wan"; + + list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_ipsec[$id]['remote-subnet']); + $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway']; + $pconfig['p1mode'] = $a_ipsec[$id]['p1']['mode']; + + if (isset($a_ipsec[$id]['p1']['myident']['myaddress'])) + $pconfig['p1myidentt'] = 'myaddress'; + else if (isset($a_ipsec[$id]['p1']['myident']['address'])) { + $pconfig['p1myidentt'] = 'address'; + $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['address']; + } else if (isset($a_ipsec[$id]['p1']['myident']['fqdn'])) { + $pconfig['p1myidentt'] = 'fqdn'; + $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['fqdn']; + } + + $pconfig['p1ealgo'] = $a_ipsec[$id]['p1']['encryption-algorithm']; + $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm']; + $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup']; + $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime']; + $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key']; + $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol']; + $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option']; + $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option']; + $pconfig['p2pfsgroup'] = $a_ipsec[$id]['p2']['pfsgroup']; + $pconfig['p2lifetime'] = $a_ipsec[$id]['p2']['lifetime']; + $pconfig['descr'] = $a_ipsec[$id]['descr']; + +} else { + /* defaults */ + $pconfig['interface'] = "wan"; + $pconfig['localnet'] = "lan"; + $pconfig['p1mode'] = "aggressive"; + $pconfig['p1myidentt'] = "myaddress"; + $pconfig['p1ealgo'] = "3des"; + $pconfig['p1halgo'] = "md5"; + $pconfig['p1dhgroup'] = "2"; + $pconfig['p2proto'] = "esp"; + $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); + $pconfig['p2halgos'] = explode(",", "hmac_md5,hmac_sha1"); + $pconfig['p2pfsgroup'] = "0"; +} + +if ($_POST) { + if (is_specialnet($_POST['localnettype'])) { + $_POST['localnet'] = $_POST['localnettype']; + $_POST['localnetmask'] = 0; + } else if ($_POST['localnettype'] == "single") { + $_POST['localnetmask'] = 32; + } + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!is_specialnet($_POST['localnettype'])) { + if (($_POST['localnet'] && !is_ipaddr($_POST['localnet']))) { + $input_errors[] = "A valid local network IP address must be specified."; + } + if (($_POST['localnetmask'] && !is_numeric($_POST['localnetmask']))) { + $input_errors[] = "A valid local network bit count must be specified."; + } + } + if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { + $input_errors[] = "The P1 lifetime must be an integer."; + } + if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { + $input_errors[] = "The P2 lifetime must be an integer."; + } + if ($_POST['remotebits'] && (!is_numeric($_POST['remotebits']) || ($_POST['remotebits'] <= 0) || ($_POST['remotebits'] > 32))) { + $input_errors[] = "The remote network bits are invalid."; + } + if (($_POST['remotenet'] && !is_ipaddr($_POST['remotenet']))) { + $input_errors[] = "A valid remote network address must be specified."; + } + if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']))) { + $input_errors[] = "A valid remote gateway address must be specified."; + } + if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + } + if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + } + + if ($_POST['p1myidentt'] == "myaddress") + $_POST['p1myident'] = ""; + + if (!$input_errors) { + $ipsecent['disabled'] = $_POST['disabled'] ? true : false; + $ipsecent['interface'] = $pconfig['interface']; + pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']); + $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . $_POST['remotebits']; + $ipsecent['remote-gateway'] = $_POST['remotegw']; + $ipsecent['p1']['mode'] = $_POST['p1mode']; + + $ipsecent['p1']['myident'] = array(); + switch ($_POST['p1myidentt']) { + case 'myaddress': + $ipsecent['p1']['myident']['myaddress'] = true; + break; + case 'address': + $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; + break; + case 'fqdn': + $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; + break; + } + + $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; + $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; + $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; + $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; + $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey']; + $ipsecent['p2']['protocol'] = $_POST['p2proto']; + $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; + $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; + $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; + $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; + $ipsecent['descr'] = $_POST['descr']; + + if (isset($id) && $a_ipsec[$id]) + $a_ipsec[$id] = $ipsecent; + else + $a_ipsec[] = $ipsecent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - VPN: IPsec: Edit tunnel + + + + + + + +

VPN: IPsec: Edit tunnel

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Mode Tunnel
Disabled + > + Disable this tunnel
+ Set this option to disable this tunnel without + removing it from the list.
Interface
+ Select the interface for the local endpoint of this tunnel.
Local subnet + + + + + + + + + +
Type:  
Address:   + / +
Remote subnet + + / +
Remote gateway + +
+ Enter the public IP address of the remote gateway
Description + +
You may enter a description here + for your reference (not parsed).
Phase 1 proposal + (Authentication)
Negotiation mode +
Aggressive is faster, but + less secure.
My identifier + +
Encryption algorithm +
Must match the setting + chosen on the remote side.
Hash algorithm +
Must match the setting + chosen on the remote side.
DH key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
+ Must match the setting chosen on the remote side.
Lifetime + + seconds
Pre-Shared Key + +
Phase 2 proposal + (SA/Key Exchange)
Protocol +
ESP is encryption, AH is + authentication only
Encryption algorithms + $algoname): ?> + > + +
+ +
+ Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption.
Hash algorithms + $algoname): ?> + > + +
+ +
+ Hint: MD5 is slightly faster than SHA1.
PFS key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
Lifetime + + seconds
  + + + + +
+
+ + + + diff --git a/webgui/vpn_ipsec_keys.php b/webgui/vpn_ipsec_keys.php new file mode 100644 index 0000000..830d504 --- /dev/null +++ b/webgui/vpn_ipsec_keys.php @@ -0,0 +1,106 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobilekey'])) { + $config['ipsec']['mobilekey'] = array(); +} +ipsec_mobilekey_sort(); +$a_secret = &$config['ipsec']['mobilekey']; + +if ($_GET['act'] == "del") { + if ($a_secret[$_GET['id']]) { + unset($a_secret[$_GET['id']]); + write_config(); + touch($d_ipsecconfdirty_path); + header("Location: vpn_ipsec_keys.php"); + exit; + } +} + +?> + + + +m0n0wall webGUI - VPN: IPsec + + + + + + +

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + + + + + +
TunnelsMobile clientsPre-shared keys 
+ + + + + + + + + + + + + + + + + +
IdentifierPre-shared key
+ + + + +  
+
+
+ + + diff --git a/webgui/vpn_ipsec_keys_edit.php b/webgui/vpn_ipsec_keys_edit.php new file mode 100644 index 0000000..28baea2 --- /dev/null +++ b/webgui/vpn_ipsec_keys_edit.php @@ -0,0 +1,135 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobilekey'])) { + $config['ipsec']['mobilekey'] = array(); +} +ipsec_mobilekey_sort(); +$a_secret = &$config['ipsec']['mobilekey']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_secret[$id]) { + $pconfig['ident'] = $a_secret[$id]['ident']; + $pconfig['psk'] = $a_secret[$id]['pre-shared-key']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ident psk"); + $reqdfieldsn = explode(",", "Identifier,Pre-shared key"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) + $input_errors[] = "The identifier contains invalid characters."; + + if (!$input_errors && !(isset($id) && $a_secret[$id])) { + /* make sure there are no dupes */ + foreach ($a_secret as $secretent) { + if ($secretent['ident'] == $_POST['ident']) { + $input_errors[] = "Another entry with the same identifier already exists."; + break; + } + } + } + + if (!$input_errors) { + + if (isset($id) && $a_secret[$id]) + $secretent = $a_secret[$id]; + + $secretent['ident'] = $_POST['ident']; + $secretent['pre-shared-key'] = $_POST['psk']; + + if (isset($id) && $a_secret[$id]) + $a_secret[$id] = $secretent; + else + $a_secret[] = $secretent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec_keys.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - VPN: IPsec: Edit pre-shared key + + + + + + +

VPN: IPsec: Edit pre-shared key

+ +
+ + + + + + + + + + + + + +
Identifier + +
+This can be either an IP address, fully qualified domain name or an e-mail address. +
Pre-shared key + +
  + + + + +
+
+ + + diff --git a/webgui/vpn_ipsec_mobile.php b/webgui/vpn_ipsec_mobile.php new file mode 100644 index 0000000..d1bea14 --- /dev/null +++ b/webgui/vpn_ipsec_mobile.php @@ -0,0 +1,319 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobileclients'])) { + $config['ipsec']['mobileclients'] = array(); +} +$a_ipsec = &$config['ipsec']['mobileclients']; + +if (count($a_ipsec) == 0) { + /* defaults */ + $pconfig['p1mode'] = "aggressive"; + $pconfig['p1myidentt'] = "myaddress"; + $pconfig['p1ealgo'] = "3des"; + $pconfig['p1halgo'] = "md5"; + $pconfig['p1dhgroup'] = "2"; + $pconfig['p2proto'] = "esp"; + $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); + $pconfig['p2halgos'] = explode(",", "hmac_md5,hmac_sha1"); + $pconfig['p2pfsgroup'] = "0"; +} else { + $pconfig['enable'] = isset($a_ipsec['enable']); + $pconfig['p1mode'] = $a_ipsec['p1']['mode']; + + if (isset($a_ipsec['p1']['myident']['myaddress'])) + $pconfig['p1myidentt'] = 'myaddress'; + else if (isset($a_ipsec['p1']['myident']['address'])) { + $pconfig['p1myidentt'] = 'address'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['address']; + } else if (isset($a_ipsec['p1']['myident']['fqdn'])) { + $pconfig['p1myidentt'] = 'fqdn'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['fqdn']; + } + + $pconfig['p1ealgo'] = $a_ipsec['p1']['encryption-algorithm']; + $pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm']; + $pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup']; + $pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime']; + $pconfig['p2proto'] = $a_ipsec['p2']['protocol']; + $pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option']; + $pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option']; + $pconfig['p2pfsgroup'] = $a_ipsec['p2']['pfsgroup']; + $pconfig['p2lifetime'] = $a_ipsec['p2']['lifetime']; +} + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "P2 Encryption Algorithms,P2 Hash Algorithms"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { + $input_errors[] = "The P1 lifetime must be an integer."; + } + if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { + $input_errors[] = "The P2 lifetime must be an integer."; + } + if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + } + if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + } + + if ($_POST['p1myidentt'] == "myaddress") + $_POST['p1myident'] = ""; + + if (!$input_errors) { + $ipsecent = array(); + $ipsecent['enable'] = $_POST['enable'] ? true : false; + $ipsecent['p1']['mode'] = $_POST['p1mode']; + + $ipsecent['p1']['myident'] = array(); + switch ($_POST['p1myidentt']) { + case 'myaddress': + $ipsecent['p1']['myident']['myaddress'] = true; + break; + case 'address': + $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; + break; + case 'fqdn': + $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; + break; + } + + $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; + $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; + $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; + $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; + $ipsecent['p2']['protocol'] = $_POST['p2proto']; + $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; + $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; + $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; + $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; + + $a_ipsec = $ipsecent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec_mobile.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - VPN: IPsec + + + + + + +

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ +
+
+ + + + + + + + + + +
TunnelsMobile clientsPre-shared keys 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + > + Allow mobile clients
Phase 1 proposal + (Authentication)
Negotiation mode +
Aggressive is faster, but + less secure.
My identifier + +
Encryption algorithm +
Must match the setting + chosen on the remote side.
Hash algorithm +
Must match the setting + chosen on the remote side.
DH key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
+ Must match the setting chosen on the remote side.
Lifetime + + seconds
Phase 2 proposal + (SA/Key Exchange)
Protocol +
ESP is encryption, AH is + authentication only
Encryption algorithms + $algoname): ?> + > + +
+ +
+ Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption.
Hash algorithms + $algoname): ?> + > + +
+ +
+ Hint: MD5 is slightly faster than SHA1.
PFS key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
Lifetime + + seconds
  + +
+
+
+ + + diff --git a/webgui/vpn_pptp.php b/webgui/vpn_pptp.php new file mode 100644 index 0000000..90e7d8c --- /dev/null +++ b/webgui/vpn_pptp.php @@ -0,0 +1,289 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['pptpd']['radius'])) { + $config['pptpd']['radius'] = array(); +} +$pptpcfg = &$config['pptpd']; + +$pconfig['remoteip'] = $pptpcfg['remoteip']; +$pconfig['localip'] = $pptpcfg['localip']; +$pconfig['redir'] = $pptpcfg['redir']; +$pconfig['mode'] = $pptpcfg['mode']; +$pconfig['req128'] = isset($pptpcfg['req128']); +$pconfig['radiusenable'] = isset($pptpcfg['radius']['enable']); +$pconfig['radiusserver'] = $pptpcfg['radius']['server']; +$pconfig['radiussecret'] = $pptpcfg['radius']['secret']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['mode'] == "server") { + $reqdfields = explode(" ", "localip remoteip"); + $reqdfieldsn = explode(",", "Server address,Remote start address"); + + if ($_POST['radiusenable']) { + $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret")); + $reqdfieldsn = array_merge($reqdfieldsn, + explode(",", "RADIUS server address,RADIUS shared secret")); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) { + $input_errors[] = "A valid server address must be specified."; + } + if (($_POST['subnet'] && !is_ipaddr($_POST['remoteip']))) { + $input_errors[] = "A valid remote start address must be specified."; + } + if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) { + $input_errors[] = "A valid RADIUS server address must be specified."; + } + + if (!$input_errors) { + $_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']); + $subnet_start = ip2long($_POST['remoteip']); + $subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1; + + if ((ip2long($_POST['localip']) >= $subnet_start) && + (ip2long($_POST['localip']) <= $subnet_end)) { + $input_errors[] = "The specified server address lies in the remote subnet."; + } + if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) { + $input_errors[] = "The specified server address is equal to the LAN interface address."; + } + } + } else if ($_POST['mode'] == "redir") { + $reqdfields = explode(" ", "redir"); + $reqdfieldsn = explode(",", "PPTP redirection target address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) { + $input_errors[] = "A valid target address must be specified."; + } + } + + if (!$input_errors) { + $pptpcfg['remoteip'] = $_POST['remoteip']; + $pptpcfg['redir'] = $_POST['redir']; + $pptpcfg['localip'] = $_POST['localip']; + $pptpcfg['mode'] = $_POST['mode']; + $pptpcfg['req128'] = $_POST['req128'] ? true : false; + $pptpcfg['radius']['enable'] = $_POST['radiusenable'] ? true : false; + $pptpcfg['radius']['server'] = $_POST['radiusserver']; + $pptpcfg['radius']['secret'] = $_POST['radiussecret']; + + write_config(); + + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = vpn_pptpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + } +} +?> + + + +m0n0wall webGUI - VPN: PPTP + + + + + + + +

VPN: PPTP

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + > + Off
  +> + Redirect incoming PPTP connections to:
PPTP redirection + +
+ Enter the IP address of a host which will accept incoming + PPTP connections.
  +> + Enable PPTP server
Max. concurrent + connections + +
Server address + +
+ Enter the IP address the PPTP server should use on its side + for all clients.
Remote address + range + + / + +
+ Specify the starting address for the client IP address subnet.
+ The PPTP server will assign + + addresses, starting at the address entered above, to clients.
RADIUS +

+ > + Use a RADIUS server for authentication
+ When set, all users will be authenticated using + the RADIUS server specified below. The local user database + will not be used.

RADIUS server +

+ +
+ Enter the IP address of the RADIUS server.

RADIUS shared secret +

+ +
+ Enter the shared secret that will be used to authenticate + to the RADIUS server.

  + > + Require 128-bit encryption
+ When set, 128-bit encryption will be accepted. Otherwise, + 40-bit and 56-bit encryption will be accepted, too. Note that + encryption will always be forced on PPTP connections (i.e. + unencrypted connections will not be accepted).
  + +
 Note:
+ don't forget to add a firewall rule to permit + traffic from PPTP clients!
+
+ + + + diff --git a/webgui/vpn_pptp_users.php b/webgui/vpn_pptp_users.php new file mode 100644 index 0000000..1f1b458 --- /dev/null +++ b/webgui/vpn_pptp_users.php @@ -0,0 +1,110 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['pptpd']['user'])) { + $config['pptpd']['user'] = array(); +} +pptpd_users_sort(); +$a_secret = &$config['pptpd']['user']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + if (!file_exists($d_sysrebootreqd_path)) { + config_lock(); + $retval = vpn_pptpd_configure(); + config_unlock(); + } + $savemsg = get_std_save_message($retval); + if ($retval == 0) { + if (file_exists($d_pptpuserdirty_path)) + unlink($d_pptpuserdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_secret[$_GET['id']]) { + unset($a_secret[$_GET['id']]); + write_config(); + touch($d_pptpuserdirty_path); + header("Location: vpn_pptp_users.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - VPN: PPTP: Users + + + + + + +

VPN: PPTP: Users

+
+ + +

+You must apply the changes in order for them to take effect.
Warning: this will terminate all current PPTP sessions!");?>
+

+ + + + + + + + + + + + + + + + +
Username
+ + +  
+
+ + + diff --git a/webgui/vpn_pptp_users_edit.php b/webgui/vpn_pptp_users_edit.php new file mode 100644 index 0000000..54661a2 --- /dev/null +++ b/webgui/vpn_pptp_users_edit.php @@ -0,0 +1,149 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['pptpd']['user'])) { + $config['pptpd']['user'] = array(); +} +pptpd_users_sort(); +$a_secret = &$config['pptpd']['user']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_secret[$id]) { + $pconfig['username'] = $a_secret[$id]['name']; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if (isset($id) && ($a_secret[$id])) { + $reqdfields = explode(" ", "username"); + $reqdfieldsn = explode(",", "Username"); + } else { + $reqdfields = explode(" ", "username password"); + $reqdfieldsn = explode(",", "Username,Password"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['username'])) + $input_errors[] = "The username contains invalid characters."; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['password'])) + $input_errors[] = "The password contains invalid characters."; + + if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) { + $input_errors[] = "The passwords do not match."; + } + + if (!$input_errors && !(isset($id) && $a_secret[$id])) { + /* make sure there are no dupes */ + foreach ($a_secret as $secretent) { + if ($secretent['name'] == $_POST['username']) { + $input_errors[] = "Another entry with the same username already exists."; + break; + } + } + } + + if (!$input_errors) { + + if (isset($id) && $a_secret[$id]) + $secretent = $a_secret[$id]; + + $secretent['name'] = $_POST['username']; + + if ($_POST['password']) + $secretent['password'] = $_POST['password']; + + if (isset($id) && $a_secret[$id]) + $a_secret[$id] = $secretent; + else + $a_secret[] = $secretent; + + write_config(); + touch($d_pptpuserdirty_path); + + header("Location: vpn_pptp_users.php"); + exit; + } +} +?> + + + +m0n0wall webGUI - VPN: PPTP: Users: Edit + + + + + + +

VPN: PPTP: Users: Edit

+ + +
+ + + + + + + + + + + + +
Username + +
Password + +
+  (confirmation)
+ If you want to change the users' password, + enter it here twice.
  + + + + +
+
+ + + diff --git a/webgui/x.gif b/webgui/x.gif new file mode 100644 index 0000000..c469c9a Binary files /dev/null and b/webgui/x.gif differ