940 Commits

Author SHA1 Message Date
Vincent Li
2ab05a1533 wireguard: Add wireguard handshake log UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-11-15 19:48:38 +00:00
Vincent Li
61deed354b time.cgi: Fixes bug 13883
commit 8025aa78fb52933666e13a7e9e782edf4ddf8b42
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Sep 25 13:12:43 2025 +0200

    time.cgi: Fixes bug 13883

    Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit f561899b54
Author: Jon Murphy <jon.murphy@ipfire.org>
Date:   Mon Mar 11 18:45:00 2024 -0500

    time.cgi: add current date-time to this WebGUI page

    - added words and date-time format to english (en.pl)
    - other languages are needed
    - seconds included since time is accurate to < .1s
    https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2234e8aacac2e0d0b06dac4513585c15c2b3b440

    Code-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
    Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-10-10 16:44:30 +00:00
Vincent Li
3a815d1814 fwhosts.cgi: Fix for bug 13876 & bug 13877
sync IPFire fwhosts.cgi

commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Sep 25 17:05:32 2025 +0200

    fwhosts.cgi: Escape PROT in the right place

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit ad995081302f6b28ea11c74e56306d94a7bee076
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Sep 25 17:02:18 2025 +0200

    fwhosts.cgi: Check country code before proceeding

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit a2c624b99dbcecb469e6001505731049ef5cbbd3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Sep 25 13:12:37 2025 +0200

    fwhosts.cgi Fix for bug 13876 & bug 13877

    Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
    Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 798556ec29207d5131a7600d5489f1ee92a7b87a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 23 17:16:57 2025 +0000

    fwhosts.cgi: Move the tooltip into the usage counter

    This will clutter the page less as we don't have any good icon sets.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 61b277aa9c578a9a69e552f593a8bde421b811bc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 23 17:16:56 2025 +0000

    fwhosts.cgi: Don't show anything if a host/group is unused

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit ca811a746a79f0e02cfb780cbd4543a057131e3a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 23 17:16:55 2025 +0000

    fwhosts.cgi: Remove whitespace issues

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 5511d94ed0d8ea6fd372d52cba515b4d6726abed
Author: Peer Dietzmann <dietzmann@brecht-schule.hamburg>
Date:   Mon Jun 23 17:16:54 2025 +0000

    fwhosts.cgi: Show in which firewall rule objects are being used

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 341eb00a821c4254ddd04968beed2e98e5a33aff
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat May 3 15:10:16 2025 +0200

    fwhosts.cgi: Correctly show IP addresses for WireGuard RW peers

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-10-09 17:23:25 +00:00
Vincent Li
993dbbbd75 chpasswd.cgi: Fixes bug12755
commit a461fd70445aec9dfa34bf9c5a29a85e0ad0e2fe
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Sat May 10 12:30:56 2025 +0200

    chpasswd.cgi: Fixes bug12755 - v3 with password verification correction

    - v3 version based on feedback from @Michael to use the status value returned from
       using the htpasswd command.
    - Also simplified the whole section to carry out the change if the status is 0, ie all
       went well, otherwise give an error but without identifying if the error is in the
       username or the password. This makes it more secure as any attacker only knows it
       failed and doesn't know if any part of the authentication was correct or not.
    - Changed the error messages in line with this so the language file changes are in the
       other part of this patch set submission.
    - Tested out on my vm test bed and worked fine. If the username was incorrect or the
       password was incorrect or both were incorrect the same error message is given. If
       both are correct then the update is carried out.

    Fixes: bug12755
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 9c0dab3d3ca807e836823253aced80a14bc1970a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed May 7 09:06:12 2025 +0000

    chpasswd.cgi: Add missing $

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 4c39e38f90fea60ef62e07267fd84f1b89de0297
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Tue May 6 16:10:11 2025 +0200

    chpasswd.cgi: Make swroot refs the same as for other cgi files

    - This uses the swroot definition from general-functions.pl and makes the definition
       the same as used in the majority of other IPFire cgi files.

    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 6c1549ff7a9c8e3f9f17a29a6b169fce175fea42
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Tue May 6 16:10:09 2025 +0200

    chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars

    - The existing version of the perl module Apache::Htpasswd was using the crypt hash for
       the password hashing, which is very insecure. The only alternative with this module
       is the md5 and sha1 hashes which are also considered weak now.
    - The module was last updated in Nov 2012 and there is no alternative module available.
    - This patch replaces that perl module with using the apache htpasswd program. This can
       be set to use the bcrypt hash which is considered secure. This is used for the
       generation of the root and admin passwords during the IPFire install.
    - Tested out on my vm testbed system and the password for a specific user name was
       changed successfully without any restriction to the length of the password.
    - Existing passwords with the existing md5 or crypt options will still work as htpasswd
       can manage different encoding hashes in the one file.

    Fixes: bug12755
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-10-03 22:09:46 +00:00
Vincent Li
c7e72c51bf wireguard: add IP on road warrior interface wg0
Choose one IP from client pool and add it to road warrior interface
wg0 so road warrior VPN client could reach firewall through the VPN

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-20 23:40:09 +00:00
Vincent Li
8462438396 langs: add wireguard endpoint translation
add endpoint translation for wireguard so not to
mix with others.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-09 00:08:27 +00:00
Vincent Li
557fc6ec81 langs: add wireguard Chinese translation
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-09 00:05:25 +00:00
Vincent Li
d1d79d74e5 langs: missing wireguard menu translation
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-04 14:45:16 +00:00
Vincent Li
5ea3369a44 index.cgi: Show WireGuard status using the function library
commit c29a07b2ee505811a6cd78ca643bf816beb77375
    Author: Michael Tremer <michael.tremer@ipfire.org>
    Date:   Mon May 26 11:38:57 2025 +0200

        index.cgi: Show WireGuard status using the function library

        The settings file is also loaded all the time and we don't need to load
        it again.

        Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-04 03:48:54 +00:00
Vincent Li
aff726b928 firewall: Add WireGuard RW to the UI
commit 5a1c02df8973b3acc5c3101a94e86fe6df4b43b6
    Author: Michael Tremer <michael.tremer@ipfire.org>
    Date:   Thu Sep 12 19:39:26 2024 +0200

        firewall: Add WireGuard RW to the UI

        Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-03 17:56:36 +00:00
Vincent Li
638483ff08 wireguard.cgi: Add CGI to configure wireguard
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
    Author: Michael Tremer <michael.tremer@ipfire.org>
    Date:   Tue Apr 16 18:06:47 2024 +0200

        wireguard.cgi: Add a basic CGI to configure the global settings

        Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-03 17:03:32 +00:00
Vincent Li
88e5d0aba7 xdp-geoip: move location block sub menu to BPFire
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-14 01:45:39 +00:00
Vincent Li
1bf1cdc190 xdp-geoip UI: location block ipset to XDP
change location-block UI from calling ipset to calling
xdp_geoip to update geoip_map bpf map.

see https://github.com/vincentmli/BPFire/issues/53

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-13 03:05:01 +00:00
Vincent Li
b21febe3e1 xdp-sni UI: XDP TLS/SSL SNI UI management
XDP TLS/SSL SNI UI to manage the web blocklist

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-09 20:38:13 +00:00
Vincent Li
5db52b1717 xdp-sni UI: XDP TLS/SSL SNI log view from UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-09 00:34:07 +00:00
Vincent Li
4c2fd11de2 xdp-dns UI: rename deny to blocklist
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-05 21:37:04 +00:00
Vincent Li
2c233eac63 xdp-dns log UI: view DNS query log
allow user to view DNS query logged by xdp_dns_log
from UI

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 21:36:03 +00:00
Vincent Li
cdbaa41364 xdp-dns UI: web interface to add XDP DNS blocklist
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 04:05:53 +00:00
Selboo
781187a6d3 Fix: frontend port and backend port displayed in the wrong positions
2024-09-26 17:33:50 +08:00
Vincent Li
3e3b5c0e89 UI: adjust credits for BPFire/IPFire support
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-10 03:03:22 +00:00
Vincent Li
c834aa67d4 WebUI: change donation link to bpfire maintainer
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-09 04:29:12 +00:00
Vincent Li
6d3717d9c7 keepalived UI: add dummy ip for HA state tracking
add dummy ip 192.0.2.1 in virtual_ipaddress from (TEST-NET-1)
according to https://www.rfc-editor.org/rfc/rfc5737#section-3
for keepalived HA state tracking, the Master will always
have the dummy ip assigned to green0.

add refresh button for HA state refresh

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-07-13 02:14:41 +00:00
Vincent Li
aa7d243558 langs: installer/setup Chinese translation
complete the Chinese translation referenced below
https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=ca149dc8e2e24f3cfcf7bbc1e2333b2b6d43e0e4

Asked ChatGPT to translate English in msgid to msgstr in Chinese and
ChatGPT did the translation automatically with correct format.  copied
from ChatGPT and pasted in po.zh

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-07-09 01:47:46 +00:00
Vincent Li
4363971e05 dhcp: allow user to specify router IP
In BPFire HA deployment, a floating/shared router IP
is required for backend/endpoint server. by default
BPFire uses the primary IP on green0 when running
setup script. Now the floating/shared router IP can
be added to green0 interface as secondary IP through
loxilb UI, keepalived UI can configure the secondary
IP as virtual ipaddress, when HA failover happens,
keepalived will move the virtual ipaddress to new active
BPFire.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-29 20:57:01 +00:00
Vincent Li
ed89f965bf keepalived UI: add keepalived UI
BPFire red0 does not support multicast, need to
have unicast peer configured, then the virtual
ipaddress can be added to red0 interface.

the UI requires /var/ipfire/keepalived/runsettings
/var/ipfire/keepalived/settings to be created, so
add them lfs/configroot

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-29 20:55:28 +00:00
Vincent Li
780f556e9c LoxiLB UI: add loxilb ip management
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-20 02:48:55 +00:00
Vincent Li
8f4062f4da LoxiLB UI: show loxilb server running status
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-15 20:52:48 +00:00
Vincent Li
4bbf33e119 LoxiLB: lb config requires lb name
since we now delete lb by name, lb name
is a required field.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-15 00:46:30 +00:00
Vincent Li
0003dd9c8c Loxilb UI: add loxilb firewall UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-13 04:22:02 +00:00
Vincent Li
6df412401c loxilb UI: add backend monitor option
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-01 21:09:54 +00:00
Vincent Li
8608700ba9 menu: adjust menu titles
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-01 14:15:48 +00:00
Vincent Li
6994edf40b Add loxilb lb config UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-06-01 14:15:41 +00:00
Vincent Li
9c58dcd145 Add WebUI loxilb.cgi for ebpf load balancer
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-05-27 18:23:17 +00:00
Vincent Li
a9c944483b Add loxilb load balancer menu
run the command below when updating the language menu
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-05-27 18:23:17 +00:00
Vincent Li
8031d30ad2 ddos init: add ratelimit
2024-04-24 00:48:04 +00:00
Vincent Li
a925c32ecb Revert "ddos.cgi add ratelimit UI"
This reverts commit e3ea91ca5898f0d32cd2733efcd3297d30ffa80e.
2024-04-24 00:48:04 +00:00
Vincent Li
6accd9056f ddos.cgi add ratelimit UI
add ratelimit UI for xdp dns and udp program

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-04-24 00:48:04 +00:00
Vincent Li
9d9f3b7afb Add Chinese translation for ddos.cgi
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-04-19 17:15:28 +00:00
Vincent Li
fcdc42ea40 ddos.cgi add DNS DDoS UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-04-18 02:29:27 +00:00
Vincent Li
56c5212374 firewall.cgi XDP SYNPROXY UI option
only show XDP SYNPROXY option when protocol
TCP is selected.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-04-17 16:09:54 +00:00
Vincent Li
9a53289a23 ddos.cgi add UDP DDoS WebUI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-04-17 00:17:41 +00:00
Vincent Li
1688d250dc Add Chinese for XDP UI
2024-03-20 17:42:32 +00:00
Vincent Li
8e4e24a9b9 Add XDP DDoS ddos.cgi
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-03-20 17:42:07 +00:00
Vincent Li
31f89d1813 Add eBPF XDP DDoS menu
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-03-16 15:54:04 +00:00
Vincent Li
852567122e Add XDP SYNPROXY iptables rule UI option
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-03-12 02:41:43 +00:00
Vincent Li
fc0c2fe6da Add GUI Chinese translation
Add China mainland, China hk, China tw
translation. remember to remove log/configroot
to re-build image with new language support

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-03-01 04:08:01 +00:00
Michael Tremer
9f01011570 vpnmain.cgi: Add option to regenerate the host certificate
This is necessary since we now have a much shorter lifetime for the host
certificate. However, it is complicated to do this, which is why we
are copying the previous certificate and generating a new CSR. This is
then signed.

A caveat of this patch is that we do not rollover the key.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-02-07 11:08:51 +00:00
Michael Tremer
3dfc748946 firewall: Improve labelling of hostile networks hits
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-02-07 11:02:53 +00:00
Michael Tremer
7c9a6cf163 firewall: graphs: Add a line for the total number of hostile hits
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-02-07 11:02:41 +00:00
Adolf Belka
6aa450ec3b en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
- In this v3 version have added translations for hostile networks in and hostile
   networks out and log drop hostile in and log drop hostile out.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-02-07 11:02:18 +00:00