From 3949c6b57a779dd11daa7f2479965c5709cee279 Mon Sep 17 00:00:00 2001 From: mkasper Date: Sat, 7 Jan 2006 22:43:51 +0000 Subject: [PATCH] Import m0n0wall 1.2b1 files. git-svn-id: https://svn.m0n0.ch/wall/trunk@6 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- captiveportal/index.php | 40 +++++++++++-- captiveportal/radius_accounting.inc | 2 +- etc/rc | 2 +- phpconf/inc/captiveportal.inc | 40 +++++++++++++ phpconf/inc/config.inc | 3 + phpconf/inc/filter.inc | 15 +++-- phpconf/inc/interfaces.inc | 4 ++ phpconf/inc/services.inc | 23 ++++++-- phpconf/inc/system.inc | 42 +++++++++++++- phpconf/inc/vpn.inc | 17 +++++- phpconf/inc/xmlparse.inc | 4 +- phpconf/rc.bootup | 3 + phpconf/rc.initial.ping | 47 ++++++++++++++++ phpconf/rc.initial.setlanip | 5 ++ webgui/bar_blue.gif | Bin 0 -> 92 bytes webgui/bar_gray.gif | Bin 0 -> 92 bytes webgui/bar_left.gif | Bin 0 -> 165 bytes webgui/bar_right.gif | Bin 0 -> 114 bytes webgui/exec.php | 2 +- webgui/fbegin.inc | 2 +- webgui/firewall_rules.php | 2 +- webgui/guiconfig.inc | 12 +++- webgui/index.php | 54 ++++++++++++++++++ webgui/interfaces_assign.php | 19 +++++-- webgui/license.php | 8 ++- webgui/services_captiveportal.php | 84 ++++++++++++++++++++++++++-- webgui/status_wireless.php | 2 +- webgui/system_advanced.php | 64 ++++++++++++++++++++- webgui/system_routes.php | 2 +- webgui/system_routes_edit.php | 2 +- webgui/vpn_ipsec_edit.php | 18 ++++-- webgui/vpn_ipsec_keys_edit.php | 2 +- webgui/vpn_ipsec_mobile.php | 7 +-- 33 files changed, 472 insertions(+), 55 deletions(-) create mode 100644 phpconf/rc.initial.ping create mode 100644 webgui/bar_blue.gif create mode 100644 webgui/bar_gray.gif create mode 100644 webgui/bar_left.gif create mode 100644 webgui/bar_right.gif diff --git a/captiveportal/index.php b/captiveportal/index.php index 4b14fb7..5094cc0 100644 --- a/captiveportal/index.php +++ b/captiveportal/index.php 
@@ -109,9 +109,26 @@ setTimeout('window.close();',5000) ; EOD; +} else if (($_ENV['SERVER_PORT'] != 8001) && isset($config['captiveportal']['httpslogin'])) { + /* redirect to HTTPS login page */ + header("Location: https://{$config['captiveportal']['httpsname']}:8001/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}")); } else { /* display captive portal page */ - readfile("{$g['varetc_path']}/captiveportal.html"); + $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html"); + + /* substitute variables */ + if (isset($config['captiveportal']['httpslogin'])) + $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext); + else + $htmltext = str_replace("\$PORTAL_ACTION\$", "", $htmltext); + + if (preg_match("/redirurl=(.*)/", $orig_request, $matches)) + $redirurl = urldecode($matches[1]); + else + $redirurl = "http://{$orig_host}{$orig_request}"; + $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext); + + echo $htmltext; } exit; @@ -219,13 +236,26 @@ function portal_allow($clientip,$clientmac,$clientuser) { portal_unlock(); /* redirect user to desired destination */ + if ($config['captiveportal']['redirurl']) + $redirurl = $config['captiveportal']['redirurl']; + else if ($_POST['redirurl']) + $redirurl = $_POST['redirurl']; + else + $redirurl = "http://{$orig_host}{$orig_request}"; + if(isset($config['captiveportal']['logoutwin_enable'])) { + + if (isset($config['captiveportal']['httpslogin'])) + $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/"; + else + $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/"; + echo << Redirecting... -Redirecting to http://{$orig_host}{$orig_request}... +Redirecting to {$redirurl}... 
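Review bot: The `redirurl=(.*)` pattern in the new `preg_match` is greedy and unanchored, so it captures everything after `redirurl=` including any later `&name=value` parameters, and that whole tail is urldecoded and written back into the form's hidden field. Limiting the capture to the one parameter, `if (preg_match("/[?&]redirurl=([^&]*)/", $orig_request, $matches))`, keeps the hidden field equal to the URL the client actually asked for. The value is HTML-escaped with htmlspecialchars() before substitution, which is right for this context; what the portal does with it after the POST is handled in the portal_allow() hunk below.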
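Review bot: `$_POST['redirurl']` is accepted as the redirect target without any validation and is then interpolated raw into the page body (`Redirecting to {$redirurl}...`), into the `document.location.href` script in this heredoc, and into `header("Location: " . $redirurl)` in the next hunk of this file, so a client can plant arbitrary markup, a non-http scheme, or on PHP releases before 4.4.2/5.1.2 a CR/LF header split through that field; it is both a reflected injection and an open redirect. The hidden field only ever needs to carry the URL the client first requested, so the check can be strict: `else if ($_POST['redirurl'] && preg_match("/^https?:\\/\\/[^\\s\"'<>]+$/i", $_POST['redirurl']))` before taking the value, the existing `http://{$orig_host}{$orig_request}` fallback otherwise, and htmlspecialchars() at the two places it is echoed into the page. Since `$config['captiveportal']['redirurl']` takes precedence, the client value is only reached when no fixed URL is configured, which does not reduce the exposure for the default setup. portal_allow() starts before this hunk and the heredoc continues past it.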
@@ -253,7 +283,7 @@ document.location.href="http://{$orig_host}{$orig_request}"; EOD; } else { - header("Location: http://" . $orig_host . $orig_request); + header("Location: " . $redirurl); } } diff --git a/captiveportal/radius_accounting.inc b/captiveportal/radius_accounting.inc index d7c9129..94922d4 100644 --- a/captiveportal/radius_accounting.inc +++ b/captiveportal/radius_accounting.inc @@ -37,7 +37,7 @@ function RADIUS_ACCOUNTING_START($username,$radiusip,$radiusport,$radiuskey) { exec("/bin/hostname", $nasHostname) ; if(!$nasHostname[0]) - $nasHostname[0] = "quewall" ; + $nasHostname[0] = "m0n0wall" ; $fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ; if(!$fd) diff --git a/etc/rc b/etc/rc index ced2cf7..0d26ae9 100644 --- a/etc/rc +++ b/etc/rc @@ -3,7 +3,7 @@ # /etc/rc # part of m0n0wall (http://neon1.net/m0n0wall) # -# Copyright (C) 2003 Manuel Kasper . +# Copyright (C) 2003-2004 Manuel Kasper . # All rights reserved. stty status '^T' diff --git a/phpconf/inc/captiveportal.inc b/phpconf/inc/captiveportal.inc index 344d432..83db7f8 100644 --- a/phpconf/inc/captiveportal.inc +++ b/phpconf/inc/captiveportal.inc @@ -44,6 +44,7 @@ function captiveportal_configure() { /* kill any running mini_httpd */ killbypid("{$g['varrun_path']}/mini_httpd.cp.pid"); + killbypid("{$g['varrun_path']}/mini_httpd.cps.pid"); /* kill any running minicron */ killbypid("{$g['varrun_path']}/minicron.pid"); 
@@ -149,6 +150,29 @@ EOD; /* start web server */ mwexec("/usr/local/sbin/mini_httpd -a -M 0 -u root -maxproc 16" . " -p 8000 -i {$g['varrun_path']}/mini_httpd.cp.pid"); + + /* fire up another one for HTTPS if requested */ + if (isset($config['captiveportal']['httpslogin']) && + $config['captiveportal']['certificate'] && $config['captiveportal']['private-key']) { + + $cert = base64_decode($config['captiveportal']['certificate']); + $key = base64_decode($config['captiveportal']['private-key']); + + $fd = fopen("{$g['varetc_path']}/cert-portal.pem", "w"); + if (!$fd) { + printf("Error: cannot open cert-portal.pem in system_webgui_start().\n"); + return 1; + } + chmod("{$g['varetc_path']}/cert-portal.pem", 0600); + fwrite($fd, $cert); + fwrite($fd, "\n"); + fwrite($fd, $key); + fclose($fd); + + mwexec("/usr/local/sbin/mini_httpd -S -a -M 0 -E {$g['varetc_path']}/cert-portal.pem" . + " -u root -maxproc 16 -p 8001" . + " -i {$g['varrun_path']}/mini_httpd.cps.pid"); + } /* start pruning process (interval = 60 seconds) */ mwexec("/usr/local/bin/minicron 60 {$g['varrun_path']}/minicron.pid " . @@ -248,6 +272,22 @@ add 1204 set 1 pass icmp from any to $cpip in icmptype 0 add 1300 set 1 pass udp from any to $cpip 53 in add 1301 set 1 pass udp from $cpip 53 to any out +# allow access to our web server +add 1302 set 1 pass tcp from any to $cpip 8000 in +add 1303 set 1 pass tcp from $cpip 8000 to any out + +EOD; + + if (isset($config['captiveportal']['httpslogin'])) { + $cprules .= << mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings is plausible */ + $config['lastchange'] = time(); + /* generate configuration XML */ $xmlconfig = dump_xml_config($config, $g['xml_rootobj']); diff --git a/phpconf/inc/filter.inc b/phpconf/inc/filter.inc index 7150c7d..975a36a 100644 --- a/phpconf/inc/filter.inc +++ b/phpconf/inc/filter.inc 
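Review bot: The failure message for the certificate file names the wrong function: `printf("Error: cannot open cert-portal.pem in system_webgui_start().\n");` was evidently carried over from the webGUI start-up code, while this block lives in captiveportal_configure(), so `printf("Error: cannot open cert-portal.pem in captiveportal_configure().\n");` is what a log reader needs. The `return 1` that follows also leaves the plain-HTTP mini_httpd started two lines above running without the pruning minicron that is launched after this block, so a failed HTTPS setup yields a portal whose sessions never expire; writing the PEM file before the first mwexec(), or falling through to the pruning setup instead of returning, avoids that half-configured state. The chmod(0600) happens before anything is written to the key file, which is fine, though a comment saying so (`/* restrict before the private key is written */`) would make the ordering deliberate rather than incidental. captiveportal_configure() begins before this hunk and continues after it.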
@@ -203,8 +203,9 @@ function filter_nat_rules_generate() { /* static routes */ if (is_array($config['staticroutes']['route'])) { foreach ($config['staticroutes']['route'] as $route) { - $natrules .= filter_nat_rules_generate_if($wanif, - $route['network'], "", null); + if ($route['interface'] != "wan") + $natrules .= filter_nat_rules_generate_if($wanif, + $route['network'], "", null); } } } @@ -249,13 +250,15 @@ function filter_nat_rules_generate() { } } - if ($pptpdcfg['mode']) { + if ($pptpdcfg['mode'] && $pptpdcfg['mode'] != "off") { if ($pptpdcfg['mode'] == "server") $pptpdtarget = "127.0.0.1"; - else + else if ($pptpdcfg['mode'] == "redir") $pptpdtarget = $pptpdcfg['redir']; + if ($pptpdtarget) { + $natrules .= << $pptpdtarget port 0 gre rdr $wanif 0/0 port 1723 -> $pptpdtarget port 1723 tcp EOD; + } } return $natrules; @@ -519,12 +523,15 @@ EOD; } + if (!isset($config['system']['webgui']['noantilockout'])) { + $ipfrules .= << diff --git a/phpconf/inc/vpn.inc b/phpconf/inc/vpn.inc index 097b14b..2c58af2 100644 --- a/phpconf/inc/vpn.inc +++ b/phpconf/inc/vpn.inc @@ -77,6 +77,9 @@ function vpn_ipsec_configure($ipchg = false) { mwexec("/usr/sbin/setkey -FP"); mwexec("/usr/sbin/setkey -F"); + /* prefer old SAs only for 30 seconds, then use the new one */ + mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); + if (isset($ipseccfg['enable'])) { if (!$curwanip) { @@ -174,7 +177,7 @@ remote {$tunnel['remote-gateway']} \{ peers_identifier address {$tunnel['remote-gateway']}; initial_contact on; support_proxy on; - proposal_check obey; + proposal_check claim; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; @@ -240,7 +243,7 @@ remote anonymous \{ passive on; generate_policy on; support_proxy on; - proposal_check obey; + proposal_check claim; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; 
@@ -312,6 +315,15 @@ EOD; /* start racoon */ mwexec("/usr/local/sbin/racoon -d -f {$g['varetc_path']}/racoon.conf"); + + foreach ($ipseccfg['tunnel'] as $tunnel) { + if (isset($tunnel['auto'])) { + $remotehost = substr($tunnel['remote-subnet'],0,strpos($tunnel['remote-subnet'],"/")); + $srchost = vpn_endpoint_determine($tunnel, $curwanip); + if ($srchost) + mwexec_bg("/sbin/ping -c 1 -S {$srchost} {$remotehost}"); + } + } } } @@ -412,7 +424,6 @@ pts: set link mtu 1460 set link keep-alive 10 60 set ipcp yes vjcomp - set ipcp dns {$dnsconf} set bundle enable compression set ccp yes mppc set ccp yes mpp-e128 diff --git a/phpconf/inc/xmlparse.inc b/phpconf/inc/xmlparse.inc index 9e5f0bd..2684d49 100644 --- a/phpconf/inc/xmlparse.inc +++ b/phpconf/inc/xmlparse.inc @@ -32,8 +32,8 @@ /* tags that are always to be handled as lists */ $listtags = explode(" ", "rule user key dnsserver winsserver " . "encryption-algorithm-option hash-algorithm-option hosts tunnel onetoone " . - "staticmap route alias pipe queue shellcmd mobilekey servernat " . - "proxyarpnet passthrumac allowedip wolentry vlan"); + "staticmap route alias pipe queue shellcmd earlyshellcmd mobilekey " . + "servernat proxyarpnet passthrumac allowedip wolentry vlan"); function startElement($parser, $name, $attrs) { global $depth, $curpath, $config, $havedata, $listtags; diff --git a/phpconf/rc.bootup b/phpconf/rc.bootup index 48bcd92..f8b92ac 100644 --- a/phpconf/rc.bootup +++ b/phpconf/rc.bootup @@ -42,6 +42,9 @@ /* convert configuration, if necessary */ convert_config(); + /* run any early shell commands specified in config.xml */ + system_do_shell_commands(1); + /* save dmesg output to file */ system_dmesg_save(); diff --git a/phpconf/rc.initial.ping b/phpconf/rc.initial.ping new file mode 100644 index 0000000..d069566 --- /dev/null +++ b/phpconf/rc.initial.ping 
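Review bot: `$remotehost` is computed with `substr($tunnel['remote-subnet'],0,strpos($tunnel['remote-subnet'],"/"))`, and when the configured remote subnet has no `/` prefix strpos() returns false, so the substring is empty and the background ping is launched without a host argument. `list($remotehost) = explode("/", $tunnel['remote-subnet']);` handles both forms, and since both values end up in a shell command through mwexec_bg(), wrapping them with escapeshellarg() keeps a malformed config.xml entry from becoming extra shell words. The loop also assumes `$ipseccfg['tunnel']` is set and an array; filter.inc in this same patch guards its lists with is_array(), and the same guard fits here for a configuration with IPsec enabled but no tunnels. vpn_ipsec_configure() starts before this hunk.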
@@ -0,0 +1,47 @@ +#!/usr/local/bin/php -f +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo "\nEnter a host name or IP address: "; + + $pinghost = chop(fgets($fp)); + if ($pinghost) { + echo "\n"; + passthru("/sbin/ping -c 3 -n " . escapeshellarg($pinghost)); + echo "\nPress ENTER to continue.\n"; + fgets($fp); + } +?> diff --git a/phpconf/rc.initial.setlanip b/phpconf/rc.initial.setlanip index 08ca3f8..99fd922 100644 --- a/phpconf/rc.initial.setlanip +++ b/phpconf/rc.initial.setlanip 
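Review bot: `fgets($fp)` returns false at end of input (a closed console, or EOF on a piped stdin), and the script relies on chop(false) yielding an empty string to skip the ping; `$pinghost = trim((string) fgets($fp));` makes that intent explicit, and an `fclose($fp);` at the end releases the handle. Passing the host through escapeshellarg() before passthru() is the right way to build that command; a one-line comment above it, `/* host is user input from the console: keep it a single shell argument */`, records why the call is there so it survives future edits.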
@@ -93,6 +93,11 @@ $config['system']['webgui']['protocol'] = "http"; } + if (isset($config['system']['webgui']['noantilockout'])) { + echo "\nNote: the anti-lockout rule on LAN has been re-enabled.\n"; + unset($config['system']['webgui']['noantilockout']); + } + write_config(); interfaces_lan_configure(); diff --git a/webgui/bar_blue.gif b/webgui/bar_blue.gif new file mode 100644 index 0000000000000000000000000000000000000000..428a895052e39108bf8475f5ae2a505d52675198 GIT binary patch literal 92 zcmZ?wbhEHbWMtrH*v!Ci`}XbQM~`-Qb$$Ex?c|9QZ{NP%=J YtOFuJW-zdDe&|V>u(yqcQHjAC0Mm0B!2kdN literal 0 HcmV?d00001 diff --git a/webgui/bar_gray.gif b/webgui/bar_gray.gif new file mode 100644 index 0000000000000000000000000000000000000000..fb0baa0e0453582293df89be80a92c3752daf49d GIT binary patch literal 92 zcmZ?wbhEHbWMtrH*v!E2`t|GEw{IUmdbGQ%>)W?)Cr_NITg027w+uZp@D~oD{lUIT)+~%{M(M literal 0 HcmV?d00001 diff --git a/webgui/bar_right.gif b/webgui/bar_right.gif new file mode 100644 index 0000000000000000000000000000000000000000..330b52aaef8fef7131722cac4f4cc69bb85ab926 GIT binary patch literal 114 zcmZ?wbhEHbWM$xI*v!E2^y$-+Cr*6(_U-ZG$GmDGj~+cbe)Q<=+qb*Bx@OLt`Tzfa z22`N diff --git a/webgui/fbegin.inc b/webgui/fbegin.inc index df453b7..4a0e533 100644 --- a/webgui/fbegin.inc +++ b/webgui/fbegin.inc @@ -104,7 +104,7 @@ if ($dh) { } endif; ?> - + Diagnostics
diff --git a/webgui/firewall_rules.php b/webgui/firewall_rules.php index 7e2bd2a..cf74e7e 100644 --- a/webgui/firewall_rules.php +++ b/webgui/firewall_rules.php @@ -168,7 +168,7 @@ if ($_GET['act'] == "del") { if (isset($filterent['disabled'])) $iconfn .= "_d"; ?> -
+
diff --git a/webgui/guiconfig.inc b/webgui/guiconfig.inc index 437fab3..9b4f212 100644 --- a/webgui/guiconfig.inc +++ b/webgui/guiconfig.inc @@ -97,12 +97,20 @@ $p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', 'cast128' => 'CAST128'); $p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)'); -$p1_halgos = array('md5' => 'MD5', 'sha1' => 'SHA1'); -$p2_halgos = array('hmac_md5' => 'MD5', 'hmac_sha1' => 'SHA1'); +$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5'); +$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5'); $p2_protos = array('esp' => 'ESP', 'ah' => 'AH'); $p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5'); function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) { + + /* check for bad control characters */ + foreach ($postdata as $pn => $pd) { + if (is_string($pd) && preg_match("/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]/", $pd)) { + $input_errors[] = "The field '" . $pn . "' contains invalid characters."; + } + } + for ($i = 0; $i < count($reqdfields); $i++) { if (!$_POST[$reqdfields[$i]]) { $input_errors[] = "The field '" . $reqdfieldsn[$i] . "' is required."; diff --git a/webgui/index.php b/webgui/index.php index dddee31..731f54c 100644 --- a/webgui/index.php +++ b/webgui/index.php @@ -119,6 +119,60 @@ if ($fd) { echo htmlspecialchars($uptimestr); ?> + + + Last config change + + + + + + CPU usage + +"; +echo ""; +echo ""; +echo " "; +echo $cpuUsage . "%"; +?> + + + + Memory usage + +"; +echo ""; +echo ""; +echo " "; +echo $memUsage . "%"; +?> + diff --git a/webgui/interfaces_assign.php b/webgui/interfaces_assign.php index 8e79882..26a31de 100644 --- a/webgui/interfaces_assign.php +++ b/webgui/interfaces_assign.php 
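Review bot: The new control-character loop names the offending field by its POST key, `$pn`, which the client chooses freely, whereas the existing required-field check reports the server-side label from `$reqdfieldsn`; unless print_input_errors() escapes its messages (not visible here), a crafted key name is rendered into the error box, so either escape it (`$input_errors[] = "The field '" . htmlspecialchars($pn) . "' contains invalid characters.";`) or report the label from `$reqdfieldsn` when the key is a required field. The class `[\x00-\x08\x0b\x0c\x0e-\x1f]` leaves out DEL (0x7f), which is as unprintable as the rest and can be appended to the range. Array-valued fields are skipped by the is_string() test, so nested values never get checked. If `$input_errors` is not declared by reference (the signature line shown has no `&`, though that may be an extraction artifact), the appended messages never reach the caller.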
@@ -205,9 +205,14 @@ if ($_GET['act'] == "add") { Network port   - $iface): ?> + $iface): + if ($iface['descr']) + $ifdescr = $iface['descr']; + else + $ifdescr = strtoupper($ifname); + ?> - +

Warning:
diff --git a/webgui/license.php b/webgui/license.php index a7cf2a4..e45dbdd 100644 --- a/webgui/license.php +++ b/webgui/license.php @@ -107,7 +107,13 @@     IPsec user FQDNs

Fred Wright (fw@well.com)
-     ipfilter window scaling fix; ipnat ICMP checksum adjustment fix

+     ipfilter window scaling fix; ipnat ICMP checksum adjustment fix; IPsec dead SA fixes
+
+ Michael Hanselmann (public@hansmi.ch)
+     IDE hard disk standby
+
+ Audun Larsen (larsen@xqus.com)
+     CPU/memory usage display


m0n0wall is based upon/includes various free software packages, listed below.
diff --git a/webgui/services_captiveportal.php b/webgui/services_captiveportal.php index 8f9af28..0fb558f 100644 --- a/webgui/services_captiveportal.php +++ b/webgui/services_captiveportal.php @@ -50,7 +50,12 @@ $pconfig['timeout'] = $config['captiveportal']['timeout']; $pconfig['idletimeout'] = $config['captiveportal']['idletimeout']; $pconfig['enable'] = isset($config['captiveportal']['enable']); $pconfig['radacct_enable'] = isset($config['captiveportal']['radacct_enable']); +$pconfig['httpslogin_enable'] = isset($config['captiveportal']['httpslogin']); +$pconfig['httpsname'] = $config['captiveportal']['httpsname']; +$pconfig['cert'] = base64_decode($config['captiveportal']['certificate']); +$pconfig['key'] = base64_decode($config['captiveportal']['private-key']); $pconfig['logoutwin_enable'] = isset($config['captiveportal']['logoutwin_enable']); +$pconfig['redirurl'] = $config['captiveportal']['redirurl']; $pconfig['radiusip'] = $config['captiveportal']['radiusip']; $pconfig['radiusport'] = $config['captiveportal']['radiusport']; $pconfig['radiuskey'] = $config['captiveportal']['radiuskey']; @@ -75,6 +80,21 @@ if ($_POST) { break; } } + + if ($_POST['httpslogin_enable']) { + if (!$_POST['cert'] || !$_POST['key']) { + $input_errors[] = "Certificate and key must be specified for HTTPS login."; + } else { + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + } + + if (!$_POST['httpsname'] || !is_domain($_POST['httpsname'])) { + $input_errors[] = "The HTTPS server name must be specified for HTTPS login."; + } + } } if ($_POST['timeout'] && (!is_numeric($_POST['timeout']) || ($_POST['timeout'] < 1))) { 
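Review bot: The certificate and key are only checked for PEM marker strings, not for being parseable or for matching each other, so a key that belongs to a different certificate passes validation and the failure only surfaces when mini_httpd is started from the pasted file at the next reconfigure, with nothing shown in the GUI. If the openssl extension is available on the platform, `openssl_x509_check_private_key($_POST['cert'], $_POST['key'])` answers that here; failing that, rejecting the pair when openssl_x509_read() or openssl_pkey_get_private() returns false still catches paste errors. The strstr() test accepts only `BEGIN RSA PRIVATE KEY`, so a PKCS#8 `BEGIN PRIVATE KEY` file is refused even though mini_httpd may well load it; worth a comment if that restriction is intended. The `redirurl` field read into `$pconfig` in the earlier hunk of this file receives no validation in this block at all.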
@@ -96,7 +116,12 @@ if ($_POST) { $config['captiveportal']['idletimeout'] = $_POST['idletimeout']; $config['captiveportal']['enable'] = $_POST['enable'] ? true : false; $config['captiveportal']['radacct_enable'] = $_POST['radacct_enable'] ? true : false; + $config['captiveportal']['httpslogin'] = $_POST['httpslogin_enable'] ? true : false; + $config['captiveportal']['httpsname'] = $_POST['httpsname']; + $config['captiveportal']['certificate'] = base64_encode($_POST['cert']); + $config['captiveportal']['private-key'] = base64_encode($_POST['key']); $config['captiveportal']['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false; + $config['captiveportal']['redirurl'] = $_POST['redirurl']; $config['captiveportal']['radiusip'] = $_POST['radiusip']; $config['captiveportal']['radiusport'] = $_POST['radiusport']; $config['captiveportal']['radiuskey'] = $_POST['radiuskey']; @@ -138,10 +163,15 @@ function enable_change(enable_change) { document.iform.cinterface.disabled = 0; document.iform.idletimeout.disabled = 0; document.iform.timeout.disabled = 0; + document.iform.redirurl.disabled = 0; document.iform.radiusip.disabled = 0; document.iform.radiusport.disabled = 0; document.iform.radiuskey.disabled = 0; document.iform.radacct_enable.disabled = 0; + document.iform.httpslogin_enable.disabled = 0; + document.iform.httpsname.disabled = 0; + document.iform.cert.disabled = 0; + document.iform.key.disabled = 0; document.iform.logoutwin_enable.disabled = 0; document.iform.htmlfile.disabled = 0; document.iform.errfile.disabled = 0; 
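Review bot: `$config['captiveportal']['redirurl'] = $_POST['redirurl'];` stores whatever was posted, and captiveportal/index.php in this same patch emits that string into a Location header, a `document.location.href` script and the page body, so a malformed value (no scheme, embedded quotes or line breaks) breaks the redirect page for every portal client. A scheme check in the validation section above, `if ($_POST['redirurl'] && !preg_match("/^https?:\\/\\//i", $_POST['redirurl'])) $input_errors[] = "The redirection URL must start with http:// or https://.";`, keeps the stored value well-formed. The same applies to `httpsname`, which is validated only when HTTPS login is enabled but is written to the config unconditionally.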
@@ -149,10 +179,15 @@ function enable_change(enable_change) { document.iform.cinterface.disabled = 1; document.iform.idletimeout.disabled = 1; document.iform.timeout.disabled = 1; + document.iform.redirurl.disabled = 1; document.iform.radiusip.disabled = 1; document.iform.radiusport.disabled = 1; document.iform.radiuskey.disabled = 1; document.iform.radacct_enable.disabled = 1; + document.iform.httpslogin_enable.disabled = 1; + document.iform.httpsname.disabled = 1; + document.iform.cert.disabled = 1; + document.iform.key.disabled = 1; document.iform.logoutwin_enable.disabled = 1; document.iform.htmlfile.disabled = 1; document.iform.errfile.disabled = 1; @@ -223,9 +258,17 @@ Clients will be disconnected after this amount of inactivity. They may log in ag Logout popup window > -
+ Enable logout popup window
If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs. When RADIUS accounting is enabled, this option is implied. + + Redirection URL + + +
+If you provide a URL here, clients will be redirected to that URL instead of the one they initially tried +to access after they've authenticated. + RADIUS server @@ -246,6 +289,33 @@ Clients will be disconnected after this amount of inactivity. They may log in ag
Enter the IP address and port of the RADIUS server which users of the captive portal have to authenticate against. Leave blank to disable RADIUS authentication. Leave port number blank to use the default port (1812). Leave the RADIUS shared secret blank to not use a RADIUS shared secret. RADIUS accounting packets will also be sent to port 1813 of the RADIUS server if RADIUS accounting is enabled. + + HTTPS login + + > + Enable HTTPS login
+ If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. This option only applies when RADIUS authentication is used. A server name, certificate and matching private key must also be specified below. + + + HTTPS server name + +
+ This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS. + + + HTTPS certificate + + +
+ Paste a signed certificate in X.509 PEM format here. + + + HTTPS private key + + +
+ Paste an RSA private key in PEM format here. + Portal page contents @@ -255,14 +325,16 @@ Clients will be disconnected after this amount of inactivity. They may log in ag

- Upload an HTML file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to the page itself) + Upload an HTML file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to "$PORTAL_ACTION$") with a submit button (name="accept"). Include the "auth_user" and "auth_pass" input elements if RADIUS authentication is enabled. If RADIUS is enabled and no "auth_user" is present, authentication will always fail. If RADIUS is not enabled, you can omit both these input elements. -Example code for the button:
-
<form method="post" action="">
-    <input name="accept" type="submit" value="Continue">
+When using HTTPS login, a hidden field with name="redirurl" and value="$PORTAL_REDIRURL$" has to be included as well. Example code for the form:
+
+ <form method="post" action="$PORTAL_ACTION$">
   <input name="auth_user" type="text">
   <input name="auth_pass" type="password">
- </form>
+    <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
+   <input name="accept" type="submit" value="Continue">
+ </form>
Authentication
diff --git a/webgui/status_wireless.php b/webgui/status_wireless.php index b020cd0..8abc57b 100644 --- a/webgui/status_wireless.php +++ b/webgui/status_wireless.php @@ -119,7 +119,7 @@ function get_wireless_info($ifdescr) { - interface + interface (SSID "") Signal strength diff --git a/webgui/system_advanced.php b/webgui/system_advanced.php index e43087d..ddf670c 100644 --- a/webgui/system_advanced.php +++ b/webgui/system_advanced.php @@ -38,6 +38,10 @@ $pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']); $pconfig['key'] = base64_decode($config['system']['webgui']['private-key']); $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']); +$pconfig['expanddiags'] = isset($config['system']['webgui']['expanddiags']); +if ($g['platform'] == "generic-pc") + $pconfig['harddiskstandby'] = $config['system']['harddiskstandby']; +$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); if ($_POST) { 
@@ -67,12 +71,27 @@ if ($_POST) { $config['system']['webgui']['private-key'] = base64_encode($_POST['key']); $config['system']['disableconsolemenu'] = $_POST['disableconsolemenu'] ? true : false; $config['system']['disablefirmwarecheck'] = $_POST['disablefirmwarecheck'] ? true : false; + $config['system']['webgui']['expanddiags'] = $_POST['expanddiags'] ? true : false; + if ($g['platform'] == "generic-pc") { + $oldharddiskstandby = $config['system']['harddiskstandby']; + $config['system']['harddiskstandby'] = $_POST['harddiskstandby']; + } + $config['system']['webgui']['noantilockout'] = $_POST['noantilockout'] ? true : false; write_config(); if (($config['system']['webgui']['certificate'] != $oldcert) || ($config['system']['webgui']['private-key'] != $oldkey)) { touch($d_sysrebootreqd_path); + } else if (($g['platform'] == "generic-pc") && ($config['system']['harddiskstandby'] != $oldharddiskstandby)) { + if (!$config['system']['harddiskstandby']) { + // Reboot needed to deactivate standby due to a stupid ATA-protocol + touch($d_sysrebootreqd_path); + unset($config['system']['harddiskstandby']); + } else { + // No need to set the standby-time if a reboot is needed anyway + system_set_harddisk_standby(); + } } $retval = 0; @@ -195,12 +214,51 @@ function enable_change(enable_over) { Disable console menu
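Review bot: `unset($config['system']['harddiskstandby']);` in the reboot branch runs after `write_config()` has already been called a few lines earlier, so the falsy value from the form is what gets persisted and the in-memory `$config` no longer matches the saved file; do the cleanup inside the generic-pc assignment block before write_config(), `if ($_POST['harddiskstandby']) $config['system']['harddiskstandby'] = $_POST['harddiskstandby']; else unset($config['system']['harddiskstandby']);`, and drop the later unset. `$_POST['harddiskstandby']` is also stored without checking that it is one of the values the select offers, which matters because system_set_harddisk_standby() (not visible here) presumably hands it to a system utility. The `// Reboot needed to deactivate standby due to a stupid ATA-protocol` comment would read better as a factual note, e.g. `// Disabling standby requires a reboot: the ATA standby timer cannot be cleared while running`. The enclosing `if ($_POST)` handler starts before this hunk.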
Changes to this option will take effect after a reboot.
+ +   + + > + Disable firmware version check
+ This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed.
+ +   - > - Disable firmware version check
- This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed.
+ Hard disk standby time: + +
+ Puts the hard disk into standby mode when the selected amount of time after the last + access has elapsed. Do not set this for CF cards. + + + +   + + > + Keep diagnostics in navigation expanded + + +   + + > + Disable webGUI anti-lockout rule
+ By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!).
+ Hint: + the "set LAN IP address" option in the console menu resets this setting as well.   diff --git a/webgui/system_routes.php b/webgui/system_routes.php index 438a74c..f5fb1c0 100644 --- a/webgui/system_routes.php +++ b/webgui/system_routes.php @@ -97,7 +97,7 @@ if ($_GET['act'] == "del") { 'LAN', 'pptp' => 'PPTP'); + $iflabels = array('lan' => 'LAN', 'wan' => 'WAN', 'pptp' => 'PPTP'); for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; echo htmlspecialchars($iflabels[$route['interface']]); ?> diff --git a/webgui/system_routes_edit.php b/webgui/system_routes_edit.php index 6d092fa..092754e 100644 --- a/webgui/system_routes_edit.php +++ b/webgui/system_routes_edit.php @@ -121,7 +121,7 @@ if ($_POST) { Interface > + Automatically establish this tunnel
+ Set this option to automatically re-establish this tunnel after reboots/reconfigures. If this is not set, the tunnel is established on demand. + + Interface + @@ -477,8 +486,7 @@ function typesel_change() {
-
- Hint: MD5 is slightly faster than SHA1. + PFS key group diff --git a/webgui/vpn_ipsec_keys_edit.php b/webgui/vpn_ipsec_keys_edit.php index 28baea2..f156f00 100644 --- a/webgui/vpn_ipsec_keys_edit.php +++ b/webgui/vpn_ipsec_keys_edit.php @@ -116,7 +116,7 @@ This can be either an IP address, fully qualified domain name or an e-mail addre Pre-shared key - + diff --git a/webgui/vpn_ipsec_mobile.php b/webgui/vpn_ipsec_mobile.php index 05aa797..9d22371 100644 --- a/webgui/vpn_ipsec_mobile.php +++ b/webgui/vpn_ipsec_mobile.php @@ -41,11 +41,11 @@ if (count($a_ipsec) == 0) { $pconfig['p1mode'] = "aggressive"; $pconfig['p1myidentt'] = "myaddress"; $pconfig['p1ealgo'] = "3des"; - $pconfig['p1halgo'] = "md5"; + $pconfig['p1halgo'] = "sha1"; $pconfig['p1dhgroup'] = "2"; $pconfig['p2proto'] = "esp"; $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); - $pconfig['p2halgos'] = explode(",", "hmac_md5,hmac_sha1"); + $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); $pconfig['p2pfsgroup'] = "0"; } else { $pconfig['enable'] = isset($a_ipsec['enable']); @@ -294,8 +294,7 @@ if ($_POST) {
-
- Hint: MD5 is slightly faster than SHA1. + PFS key group -- 2.43.0