Since the kernel now always reports 256 bits of entropy to be available,
this CGI does not show any useful information anymore. To avoid
confusions, it will hereby be removed entirely.
Fixes: #12893
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
This patch adds default values and removes a missing translation
to fix "uninitialized value" and "odd number of elements" warnings.
Removes function calls from functions.pl that have already been
handled by the header before it is loaded by eval().
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Since we dropped support for blocking P2P protocols, the corresponding translation strings
are no longer needed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This has not been compiled into our version of wpa_supplicant (if it has
been ever) and so there is no danger to disable this without any further
ado.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.
However, conntrack seems to drop a lot of (at the first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.
This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.
Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
that it is about toggling _logging_, not the actual _dropping_. Other
variables are still in need of being renamed to clarify this, which
will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
config/rootfiles/core/164/update.sh for "master", since this patch has
been developed against "next". Kindly cherry-pick the necessary
changes.
Partially fixes: #12778
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update of lfs
- Update of rootfile
- Addition of Spanish file provided by Roberto Peña (listed as author)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Improve lockfile test: Return immediately if lockfile is present,
to prevent unnecessary and expensive "pidof" calls
- Add better explanation to the log file reading command and JS
- Change user interface: If no errors occurred, the page returns to
the main screen (after a short delay). If an error occurred, the log
output remains and a message is shown.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
* Check if the system is online.
* Check if enough free disk space is available.
* Abort whith an error message if the ruleset could not be
downloaded.
In error case the provider now will be removed again from the file which
keeps the configured providers. Sadly it needs to be added first because
otherwise the downloader could not read the required values from it.....
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This section only will be displayed when an existing provider will be
edited and allows to reset a provider back to it's defaults or to force
a ruleset update.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The warning point to a wiki page which is currently in construction.
This should give us the opportunity to add further information for
these users even if we do not provide updates anymore.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
"advproxy advanced web proxy" was meant to be used in the first place,
followed by "advproxy advanced web proxy configuration", as it is done
in other CGIs.
This patch also fixes a missing German translation, and improves
translations of "one X per line" ("eines" != "eins"). :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This patch fixes two wrong translations now used by the new
user manual links feature and removes an abandoned constant.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
'bandwith...' should be 'bandwidth...'.
Despite being my favourite typo for the past few years(?),
today I decided to try to say 'Goodbye' to an old friend.
Similar to 'MB writen' its hard but I think it just about time.
'qos' and 'guardian' will never be the same for me... ;-)
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
ipfirereboot.c is able to force a file system check during reboot.
This patch makes this function available in the shutdown GUI.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:
(a) Most web sites require HTTPS, thwarting manipulation attempts to
HTTP headers in transit. Given todays' internet landscape, faking
these headers is unlikely to work for the vast majority of web
sites.
(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
corresponding browser information via JavaScript. Any difference
most likely indicates (trivial) header manipulation attempts, hence
rendering this feature useless if browsers do not behave in the same
manner, which we cannot control on IPFire.
(c) Especially static Referer headers make users stick out like a sore
thumb, as nobody else in the world is likely to have the same
Referer set _all the time_.
Modern browsers attempt to strip sensitive information from Referer
headers, or ditch them completely, particularly to 3rd party sites.
Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).
Therefore, removing these features from the Squid GUI is the least worse
option we have. We should not give our users a false sense of privacy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch removes translations, directives in LFS files, and ALG shared
object files which all became orphaned after we disabled ALGs due to NAT
Slipstreaming vulnerability in Core Update 155.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This time without bold. ;-)
Altered the info text for restore to make clear that only the addon configs
are restored, not the addons themselves.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Use the correct VLAN tag range 1-4094 and add an error message
to the range check.
The missing error message was discovered by Jonatan.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changes & new features:
- Add CSS for STP options, add texts to language files
- Read STP settings from ethernet configuration and display inputs
- Validate and save STP settings
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If a provider supports authentication with a token, now
the username and password fileds will be swapped by some
Java Script code in favour of an input field for the token.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
While preparing the Core153 update, I found by chance that a language string had been added from
Core152 to Core153 which I couldn't find in any CGI-file.
The translation suggested that this string ('Available Updates') could belong to 'pakfire.cgi'.
And I thought that on the pakfire GUI something was actually missing: the heading above the
box listing the 'Available Updates'. Don't know why I didn't saw this before.
So tried to add these missing heading. I hope I made it right...
Some cosmetic fixes:
I also added some space around the text for 'Available Addons' and 'Installed Addons'
because the text lines weren't separated. There is no seen wordwrapping. This required deleting
some unwanted '<br />' in the affected translation strings.
I tried this about 4 years ago, but somehow this patch got lost.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Swap colour generation to improve readability in case of no active SSH logins
- Unify table layout
- Improve German "SSH host key" translation to avoid Deppenleerzeichen
This patch does not introduce functional changes.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This adds in the option to have "deny known clients" in dhcpd.conf
This is applied to the range command so applies to the dynamic addresses
given.
If you have just a range statement say in blue then if you are not using
vlans you could have the situation where a known host in green might end
up getting a lease from the blue range. Here a deny known-clients makes
sense. Your range in this case would be limited to only unknown clients if
deny known-clients was selected.
dhcp WUI has been modified to add in this command. Error message has been
added to check that a range has been specified if the deny unknown clients
checkbox has been selected.
Language files updated with additional items (English, German & Dutch).
For more information on the history of this please see the bugzilla entry
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
