captive portal: removed unused logfile from rootfiles

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>

captive: Fix bug with multiple license clients

If one active client with a license existed, any other client
authenticating will overwrite the configuration line.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Do not generally allow access to TCP/1013

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Only make CGI script executable in document root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Reindent apache configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Log into default apache log files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Captive-portal: Design changes

When choosing voucher as authentication type there is no need to display the license agreement textbox

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11141: Redesign of configuration website

To improve the user experience, the configuration part of generating new vouchers has been reworked.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11140: Captive logo dimensions

Now the min and max logo dimensions are shown in webinterface.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11137: Captive save action messes up the form

When configuring the captiveportal for the first time the form
will be empty after clicking on save button if not all relevant fields are set.

Now the settings are stored even if there is an error.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11139: Captive voucher table too wide

Set table to 100% and the remark textfield to 96% (cellwidth)

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Improve the wording of the Captive Portal configuration site

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Captive-Portal: fix fontsize of generated voucher

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: Fix folder permissions

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: fix some typos and missing dir

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: Add logo upload feature

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-portal: Add directory for logo upload

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

captivectrl: Add protection against DNS tunnels

Limit the amount of DNS traffic for each client that
has not registered, yet.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captivectrl: Skip all lines that start with #

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Captive-Portal: fix cleanup script

The cleanup-script did not write back the hash after the expired voucher
was delted

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add Errormessage when wrong code is entered

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: fix wrong expiretime of unused vouchers

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: fix voucher form

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add logging to syslog

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: SHow always licencebox in config

Also fix index.cgi to show individual title

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: several design changes

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: redesign Webinterface

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: fix some rootfiles

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add backup-part

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add captive logdir to apache2 rootfile

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add files to configroot rootfile

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: Add files for webinterface tio rootfile

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add vhost config to apache2 rootfile

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: create dir for cative logfiles

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add captive dirs and files to configroot

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add captive chains to firewall initscript

When loading the initscript of the firewall the neccessary chains for
the captive portalneed to be created.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add crontab and cleanup scripts

The cleanup script is called every hour and deletes expired clients from
the clients file.
every night the captivectrl warpper runs once to flush the chains and
reload rules for active clients

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

Captive-Portal: add web-part

Introduce new Captive-Portal.
Here we add the menu, apache configuration (vhost), IPFire configuration
website and Captive-Portal Access site. Also the languagefiles are
updated.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

captivectrl: Move sure that the settings are always initialised

This just removes a compiler warning.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wirelessctrl: Disable MAC filter on blue if captive portal is enabled

Fixes #11038

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captivectrl: Add missing space character

The iptables argument list was botched. Oops. Sorry.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captivectrl: Support unlimited leases

When the expiry time equals zero, the lease will have
no time constraints. The IP address will also be removed
as it might probably change.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captivectrl: Allow empty IP addresses

Probably required for very long leases

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captivectrl: Change format of clients configuration

We store the start of the lease now and the time in
seconds after the lease expires

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Captive Portal: add c-wrapper captivectrl

This wrapper reads the captive settings and clients and sets the
firewall access rules. It is called every time the config changed or
everytime that a client changes. Also this wrapper is later called once
hourly to flush the chains and rebuild rules for actual clients.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>

unbound: EDNS buffer size defaults to 4096

If this is changed, a warning will be shown.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Test for working EDNS buffer size and adjust accordingly

Some networks have equipment that fails to forward DNS queries
with EDNS and the DO bit set. They might even lose the replies.

This patch will adjust unbound so that it will not try to receive
too large replies and falls back to TCP earlier. This creates
some higher load on the DNS servers but at least gives us
working DNS.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

finish core108

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

squid 3.5.22: latest patches (14119-14122)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 2.7.1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core108: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patches (14114-14118)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patches (14103-14113)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patches (14100-14102)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patch (14099)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core108: Ship updated NTP

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p9

"It addresses 1 high-, 2 medium-, 2 medium-/low-, and 5 low-severity
security issues, 28 bugfixes, and contains other improvements over 4.2.8p8."

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Update to 0.2.8.10

Brings various major bugfixes and privacy enhancements

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Fix DNS forwarder test

The previous version aborted when the validation test
suceeded, but this is not always sufficient in case a
provider filters any DNSKEY, DS or RRSIG records.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Do not try removing forwarders when unbound is not running

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Always enable asynchronous logging

This patch always enables asynchronous logging which slows
down the system a lot on slow storage and some virtual environments.

It also removes the configuration options in the web
user interface, since this is not configurable any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core108: Ship updated ddns

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ddns: Import patches for schokokeks.org support.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 108

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strongswan: Update to 5.5.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Deactivate qname-minimization & harden-below-nxdomain

This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11242: Fix for adding 2 VPN Hosts/network with same name

If one has an IPSec network named "aaa" and an OpenVPn Host with the same name
it was not possible to group them together because of the same name.
Now the Network type is also checked wich allows Entries with same name, but different networks.

Fixes: #11242
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'origin/master' into next

Merge remote-tracking branch 'origin/core107'

ntp: init with hardcoded ip if dns not work

DNSSec need the correct time to validate the zones so we need
a workaround to init the time without dns.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Send out replies from where they came in

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core107: Restart unbound to activate configuration changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Allow list of INSECURE_ZONES being set in sysconfig

A list of DNS zones can be given for which DNSSEC validation
will be disabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Allow recursion from everywhere

Users use the IPFire DNS service from VPNs and other
routed networks.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

guardian: add path to update-lang-cache

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

guardian: add languange cache regeneration at (un)install

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Fix for DNS forwarding of .local zones

These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Fix for DNS forwarding of .local zones

These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

set pakfire version to 107

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

start core107 updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

log.dat: cosmetical upgrade

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hdparm: Update to 9.50

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: fix CVE-2016-5159 (Dirty COW)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: add support aes-ni support for aes-192 and 256

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'master' into next

core106: set version to 106

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Revert "setup: Store passwords in SHA format"

This reverts commit eef9b2529c3cab522dac4f4bcfa1a0075376514e.

It appears that htpasswd is not salting any passwords that are
stored with the SHA (-s) algorithm. MD5 passwords however are
salted.

That leads us to the conclusion that the "MD5 algorithm" in htpasswd
is more secure than the "SHA algorithm" although the hash function
itself should be stronger.

With a rainbow table, cracking "SHA" is easily done.

A rainbow table for "MD5" + salt would be way too large to be
efficiently stored.

Hence this commit is reverted to old behaviour to avoid the clear
failure of design in SHA.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>

unbound: Omit reverse PTRs if address equals GREEN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Make leases unique by IP address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Only update cache when lease was added/removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Rewrite update algorithm

Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.

This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Skip processing leases with empty hostname

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Reading in static hosts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound/dhcp: stop lease bridge if dhcp was needed to killed

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Omit reverse PTRs if address equals GREEN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Make leases unique by IP address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Only update cache when lease was added/removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Rewrite update algorithm

Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.

This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>