Previously the assets directory had ExecCGI privileges
which is not at all required and potentially dangerous.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If one active client with a license existed, any other client
authenticating will overwrite the configuration line.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When choosing voucher as authentication type there is no need to display the license agreement textbox.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
To improve the user experience, the configuration part of generating new vouchers has been reworked.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When configuring the captive portal for the first time the form
will be empty after clicking on the save button if not all relevant fields are set.
Now the settings are stored even if there is an error.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Introduce new Captive-Portal.
Here we add the menu, apache configuration (vhost), IPFire configuration
website and Captive-Portal Access site. Also the language files are
updated.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
- Added missing box heading ('Access Point Configuration') in 'wlanap.cgi'.
- For this to work, added missing string 'wlanap configuration' in translations.
- Changed existing translation strings in 'de.pl' and 'en.pl': 'wlanap' means 'wlan access point', so why is it called
'wlan*ap* access point'?
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The OINKCODE variable was only validated for proper input
when the Save button was clicked.
Did the user demand to download new rules instead, the
content of that variable was not being validated (again)
and was passed to wget on the shell.
This was done with privileges of the "nobody" user.
Fixes: #11401
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
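
The pattern behind the fix described in the commit above, as an added example that is not IPFire's own code: the check sits in the function that builds the wget command, so every action that reaches it is covered, and wget is started without a shell. The 40-character format, the `ACTION` values, the function names and the URL are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

our $DRY_RUN = 1;    # set to 0 to actually invoke wget

# Assumption: an oinkcode is exactly 40 lowercase letters or digits.
sub valid_oinkcode {
    my ($code) = @_;
    return (defined $code && $code =~ /\A[a-z0-9]{40}\z/) ? 1 : 0;
}

# Validation happens here, at the point of use, not only in the Save handler.
sub fetch_rules_argv {
    my ($code, $outfile) = @_;
    die "invalid oinkcode\n" unless valid_oinkcode($code);
    # Placeholder URL; the real rules location is not given on the page.
    my $url = "https://rules.example.invalid/rules.tar.gz?oinkcode=$code";
    return ('wget', '--quiet', '-O', $outfile, $url);
}

sub handle_action {
    my (%cgi) = @_;
    my $action = $cgi{ACTION} // '';
    if ($action eq 'save') {
        return valid_oinkcode($cgi{OINKCODE}) ? 'saved' : 'rejected: invalid oinkcode';
    }
    if ($action eq 'download') {
        my @argv = eval { fetch_rules_argv($cgi{OINKCODE}, '/var/tmp/rules.tar.gz') };
        if ($@) { chomp(my $err = $@); return "rejected: $err"; }
        return "would run: @argv" if $DRY_RUN;
        # List form of system() executes wget directly, without /bin/sh,
        # so shell metacharacters in an argument are never interpreted.
        return system(@argv) == 0 ? 'downloaded' : 'download failed';
    }
    return 'rejected: unknown action';
}

# Constructed requests: one well-formed code, one with shell metacharacters,
# and one where the field is missing entirely.
my @requests = (
    { ACTION => 'download', OINKCODE => '0123456789abcdef0123456789abcdef01234567' },
    { ACTION => 'download', OINKCODE => 'abc; id' },
    { ACTION => 'download' },
);
print handle_action(%$_), "\n" for @requests;
```
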
Fixes: #11278
When creating networks which are part of an internal network, there was an error message displayed and the creation was prohibited.
Now it is possible to create such subnets. This is used at own risk! Users have to take care of the firewall rule sequence.
It is possible to create situations that are not wanted.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds some status information so that we know what
authentication an access point is using.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
I altered 'showrequestfromcountry.dat', 'showrequestfromip.dat' and 'showrequestfromport.dat'
in the same manner as the 'Loggraphs'-Pages in commit
Each 'Details'-page got a unique title.
Furthermore, I added a 'Back'-Button to go back to the previous page. For this, I used
'back.png' from 'wio' (thanks Stephan! ;-) ) since I found no other appropriate image.
'ipinfo.cgi' got a centered 'Back'-Button, too.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will break compatibility with old clients like
Windows XP, but these are too old now to be supported.
SHA1 is considered to be weak and should not be used any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixed the 'details'-Button in 'firewalllogcountry.dat' by adding missing
translation string.
Each 'Loggraphs'-Page got a unique title and a new heading for the corresponding
diagram.
Just cosmetics...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is helpful when debugging on-demand connections
when you can see if strongswan tries to connect or is
still idle.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since we somehow have to support these algorithms this patch
adds some information for the user that it is very strongly
discouraged to use them in production.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
MODP-768 is broken but some systems out there (for example old
Cisco ASAs) do not support anything better. Hence it is better
to allow this instead of using no VPN at all.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://bugzilla.ipfire.org/show_bug.cgi?id=11318
Temporary files for 'iptables', 'iptablesmangle' and 'iptablesnat' created by
'iptables.cgi' were not deleted after use but stayed in '/srv/weg/ipfire/html/'.
As a workaround I changed 'getipstat.c' to create these files in '/var/tmp' and the
"open (file..." and "rm" commands in 'iptables.cgi'.
Works here.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is necessary because commit bf1985fae5baca327fcded31264f45638442f02e changes the
place where temporary files from 'iptables' are stored.
Some typos were fixed, too.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024
when initiating a connection. These are considered weak although
much off-the-shelf hardware is still using these as defaults.
This patch disables those algorithms and additionally changes
default behaviour to only accept the configured cipher suites.
This might create some interoperability issues, but increases
security of IPFire-to-IPFire IPsec connections.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The images are now a little bigger and will be scaled down
here, but the iframe box never grows bigger than the max.
size of the container.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The graphs are using an iframe and PNG images where the resolution
often did not fit and the browser had to resize the image. That
led to blurred fonts and hard to read graphs.
This patch increases the size of the box and the image. With that
higher resolution resizing should not be too much of an issue, but
since the sizes of the iframe and image have been aligned, it should
not even be necessary.
Reported-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will create IPsec VPN connections with auto=route set
instead of auto=start, which will cause the connection to be
created, but not brought up yet.
As soon as the first packet is received, the connection will
be established and data will be passed through it.
This allows IPFire to handle more VPN connections on weaker
systems and avoids negotiating many connections which are
rarely used.
Suggested-by: Tom Rymes <tomvend@rymes.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #10733