6 files changed, 278 insertions, 0 deletions
diff --git a/applications/luci-app-fwknopd/Makefile b/applications/luci-app-fwknopd/Makefile
new file mode 100644
index 0000000000..a24b56285e
--- /dev/null
+++ b/applications/luci-app-fwknopd/Makefile
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2015 The LuCI Team <luci@lists.subsignal.org>
+#
+# This is free software, licensed under the GNU General Public License v2.
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=Fwknopd config - web config for the firewall knock daemon
+LUCI_DEPENDS:=+fwknopd
+PKG_VERSION:=1.0
+PKG_RELEASE:=1
+PKG_LICENSE:=GPLv2
+PKG_MAINTAINER:=Jonathan Bennett <JBennett@incomsystems.biz>
+include ../../luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua b/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
new file mode 100644
index 0000000000..069a77ea3e
--- /dev/null
+++ b/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
@@ -0,0 +1,15 @@
+-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
+-- Licensed to the public under the GNU General Public License v2.
+
+module("luci.controller.fwknopd", package.seeall)
+
+function index()
+ if not nixio.fs.access("/etc/config/fwknopd") then
+ return
+ end
+
+ local page
+
+ page = entry({"admin", "services", "fwknopd"}, cbi("fwknopd"), _("Firewall Knock Daemon"))
+ page.dependent = true
+end
diff --git a/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua b/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
new file mode 100644
index 0000000000..8a454dd58e
--- /dev/null
+++ b/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
@@ -0,0 +1,49 @@
+-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
+-- Licensed to the public under the GNU General Public License v2.
+
+m = Map("fwknopd", translate("Firewall Knock Operator"))
+
+s = m:section(TypedSection, "global", translate("Enable Uci/Luci control")) -- Set uci control on or off
+s.anonymous=true
+s:option(Flag, "uci_enabled", translate("Enable config overwrite"), translate("When unchecked, the config files in /etc/fwknopd will be used as is, ignoring any settings here."))
+
+s = m:section(TypedSection, "access", translate("access.conf stanzas")) -- set the access.conf settings
+s.anonymous=true
+s.addremove=true
+s.dynamic=true
+s:option(Value, "SOURCE", "SOURCE", translate("Use ANY for any source ip"))
+k1 = s:option(Value, "KEY", "KEY", translate("Define the symmetric key used for decrypting an incoming SPA packet that is encrypted by the fwknop client with Rijndael."))
+k1:depends("keytype", translate("Normal Key"))
+k2 = s:option(Value, "KEY_BASE64", "KEY_BASE64", translate("Define the symmetric key used for decrypting an incoming SPA \
+ packet that is encrypted by the fwknop client with Rijndael."))
+k2:depends("keytype", translate("Base 64 key"))
+l1 = s:option(ListValue, "keytype", "Key type")
+l1:value("Normal Key", "Normal Key")
+l1:value("Base 64 key", "Base 64 key")
+k3 = s:option(Value, "HMAC_KEY", "HMAC_KEY", "The hmac key")
+k3:depends("hkeytype", "Normal Key")
+k4 = s:option(Value, "HMAC_KEY_BASE64", "HMAC_KEY_BASE64", translate("The base64 hmac key"))
+k4:depends("hkeytype", "Base 64 key")
+l2 = s:option(ListValue, "hkeytype", "HMAC Key type")
+l2:value("Normal Key", "Normal Key")
+l2:value("Base 64 key", "Base 64 key")
+s:option(Value, "OPEN_PORTS", "OPEN_PORTS", translate("Define a set of ports and protocols (tcp or udp) that will be opened if a valid knock sequence is seen. \
+ If this entry is not set, fwknopd will attempt to honor any proto/port request specified in the SPA data \
+ (unless of it matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."))
+s:option(Value, "FW_ACCESS_TIMEOUT", "FW_ACCESS_TIMEOUT", translate("Define the length of time access will be granted by fwknopd through the firewall after a \
+ valid knock sequence from a source IP address. If “FW_ACCESS_TIMEOUT” is not set then the default \
+ timeout of 30 seconds will automatically be set."))
+s:option(Value, "REQUIRE_SOURCE_ADDRESS", "REQUIRE_SOURCE_ADDRESS", translate("Force all SPA packets to contain a real IP address within the encrypted data. \
+ This makes it impossible to use the -s command line argument on the fwknop client command line, so either -R \
+ has to be used to automatically resolve the external address (if the client behind a NAT) or the client must \
+ know the external IP and set it via the -a argument."))
+s:option(DummyValue, "note1", translate("Enter custom access.conf variables below:"))
+
+s = m:section(TypedSection, "config", translate("fwknopd.conf config options"))
+s.anonymous=true
+s.dynamic=true
+s:option(Value, "MAX_SPA_PACKET_AGE", "MAX_SPA_PACKET_AGE", translate("Maximum age in seconds that an SPA packet will be accepted. defaults to 120 seconds"))
+s:option(DummyValue, "note2", translate("Enter custom fwknopd.conf variables below:"))
+
+return m
+
diff --git a/applications/luci-app-fwknopd/po/en/en.po b/applications/luci-app-fwknopd/po/en/en.po
new file mode 100644
index 0000000000..1abc6a8f95
--- /dev/null
+++ b/applications/luci-app-fwknopd/po/en/en.po
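Review bot: `k1:depends("keytype", translate("Normal Key"))` and `k2:depends("keytype", translate("Base 64 key"))` compare against the translated label, but `l1:value("Normal Key", "Normal Key")` stores the untranslated string in UCI, so in any locale that translates these labels the KEY and KEY_BASE64 fields never become visible; the HMAC pair (k3/k4) already depends on the bare values, so the fix is `k1:depends("keytype", "Normal Key")` and `k2:depends("keytype", "Base 64 key")`. Separately, KEY, KEY_BASE64, HMAC_KEY and HMAC_KEY_BASE64 hold the SPA decryption and authentication secrets yet are plain `Value` inputs, so the key material is echoed in cleartext on every page render and in the browser's form history; `k1.password = true` (and likewise on k2, k3, k4) switches them to the CBI password widget. The `s.dynamic=true` on the access section passes any field typed into the form straight through to the config, which matches the note1 text but deserves a comment on that line such as `-- dynamic: extra fields are written to access.conf verbatim`.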
@@ -0,0 +1,103 @@
+msgid ""
+msgstr ""
+"Content-Type: text/plain; charset=UTF-8\n"
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2015-05-12 21:03-0500\n"
+"Last-Translator: Jonathan Bennett <JBennett@incomsystems.biz>\n"
+"Language-Team: English\n"
+"Language: en\n"
+"MIME-Version: 1.0\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid "Base 64 key"
+msgstr "Base 64 key"
+
+msgid ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+msgstr ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+
+msgid ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+msgstr ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+
+msgid ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+msgstr ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+
+msgid "Enable Uci/Luci control"
+msgstr "Enable Uci/Luci control"
+
+msgid "Enable config overwrite"
+msgstr "Enable config overwrite"
+
+msgid "Enter custom access.conf variables below:"
+msgstr "Enter custom access.conf variables below:"
+
+msgid "Enter custom fwknopd.conf variables below:"
+msgstr "Enter custom fwknopd.conf variables below:"
+
+msgid "Firewall Knock Daemon"
+msgstr "Firewall Knock Daemon"
+
+msgid "Firewall Knock Operator"
+msgstr "Firewall Knock Operator"
+
+msgid ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+msgstr ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+
+msgid ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+msgstr ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+
+msgid "Normal Key"
+msgstr "Normal Key"
+
+msgid "The base64 hmac key"
+msgstr "The base64 hmac key"
+
+msgid "Use ANY for any source ip"
+msgstr "Use ANY for any source ip"
+
+msgid ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+msgstr ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+
+msgid "access.conf stanzas"
+msgstr "access.conf stanzas"
+
+msgid "fwknopd.conf config options"
+msgstr "fwknopd.conf config options"
diff --git a/applications/luci-app-fwknopd/po/templates/fwknopd.pot b/applications/luci-app-fwknopd/po/templates/fwknopd.pot
new file mode 100644
index 0000000000..ec15504627
--- /dev/null
+++ b/applications/luci-app-fwknopd/po/templates/fwknopd.pot
@@ -0,0 +1,75 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid "Base 64 key"
+msgstr ""
+
+msgid ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+msgstr ""
+
+msgid ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+msgstr ""
+
+msgid ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+msgstr ""
+
+msgid "Enable Uci/Luci control"
+msgstr ""
+
+msgid "Enable config overwrite"
+msgstr ""
+
+msgid "Enter custom access.conf variables below:"
+msgstr ""
+
+msgid "Enter custom fwknopd.conf variables below:"
+msgstr ""
+
+msgid "Firewall Knock Daemon"
+msgstr ""
+
+msgid "Firewall Knock Operator"
+msgstr ""
+
+msgid ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+msgstr ""
+
+msgid ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+msgstr ""
+
+msgid "Normal Key"
+msgstr ""
+
+msgid "The base64 hmac key"
+msgstr ""
+
+msgid "Use ANY for any source ip"
+msgstr ""
+
+msgid ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+msgstr ""
+
+msgid "access.conf stanzas"
+msgstr ""
+
+msgid "fwknopd.conf config options"
+msgstr ""
diff --git a/applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd b/applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd
new file mode 100644
index 0000000000..a7c433f2bc
--- /dev/null
+++ b/applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd
@@ -0,0 +1,19 @@
+#!/bin/sh
+#-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
+#-- Licensed to the public under the GNU General Public License v2.
+
+uci batch <<EOF
+ add ucitrack fwknopd
+ set ucitrack.@fwknopd[-1].init=fwknopd
+ commit ucitrack
+EOF
+
+if [ -f /usr/bin/fwknop ]; then
+ uci set fwknopd.@access[0].keytype='Base 64 key'
+ uci set fwknopd.@access[0].hkeytype='Base 64 key'
+ uci set fwknopd.@access[0].KEY_BASE64=`fwknop --key-gen | awk '/^KEY/ {print $2;}'`
+ uci set fwknopd.@access[0].HMAC_KEY_BASE64=`fwknop --key-gen | awk '/^HMAC/ {print $2;}'`
+ uci commit fwknopd
+fi
+rm -f /tmp/luci-indexcache
+exit 0 |
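Review bot: The key generation inside `if [ -f /usr/bin/fwknop ]; then` commits whatever the two backtick substitutions return, so if `fwknop --key-gen` fails or prints nothing, `KEY_BASE64` and `HMAC_KEY_BASE64` are committed empty while `keytype`/`hkeytype` are still set to 'Base 64 key', leaving an access stanza that claims to be keyed but is not; the `uci set fwknopd.@access[0]...` lines also assume an access section already exists, which this diff does not show (the CBI model marks that section addremove, so it may be absent). The guard tests for the fwknop client binary while the Makefile in this commit depends only on `+fwknopd`, so on a server-only install the block is silently skipped — worth a comment stating that the client package is required for key generation. Capturing `--key-gen` once, extracting both values from it, and committing only when both are non-empty and the section exists closes these gaps; `[ -x ]` is also the more precise test for an executable.
```shell
if [ -x /usr/bin/fwknop ]; then
	keygen=$(fwknop --key-gen)
	key=$(printf '%s\n' "$keygen" | awk '/^KEY/ {print $2;}')
	hkey=$(printf '%s\n' "$keygen" | awk '/^HMAC/ {print $2;}')
	# Only commit when both secrets were produced and the access section exists.
	if [ -n "$key" ] && [ -n "$hkey" ] && uci -q get fwknopd.@access[0] >/dev/null; then
		uci set fwknopd.@access[0].keytype='Base 64 key'
		uci set fwknopd.@access[0].hkeytype='Base 64 key'
		uci set fwknopd.@access[0].KEY_BASE64="$key"
		uci set fwknopd.@access[0].HMAC_KEY_BASE64="$hkey"
		uci commit fwknopd
	fi
fi
# … unchanged: ucitrack batch above, index cache removal and exit below …
```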