From fd130d0ce7f52480ccc8bd600fb66de1b36fdbb9 Mon Sep 17 00:00:00 2001
From: Jonathan Bennett
Date: Fri, 8 May 2015 23:30:02 -0500
Subject: Add initial luci-app-fwknopd - a way to control the firewall knock daemon from luci
Signed-off-by: Jonathan Bennett
---
.../luci-app-fwknopd/luasrc/controller/fwknopd.lua | 15 +++++++
.../luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua | 49 ++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
create mode 100644 applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
(limited to 'applications/luci-app-fwknopd/luasrc')
diff --git a/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua b/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
new file mode 100644
index 0000000000..069a77ea3e
--- /dev/null
+++ b/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
@@ -0,0 +1,15 @@
+-- Copyright 2015 Jonathan Bennett
+-- Licensed to the public under the GNU General Public License v2.
+
+module("luci.controller.fwknopd", package.seeall)
+
+function index()
+ if not nixio.fs.access("/etc/config/fwknopd") then
+ return
+ end
+
+ local page
+
+ page = entry({"admin", "services", "fwknopd"}, cbi("fwknopd"), _("Firewall Knock Daemon"))
+ page.dependent = true
+end
diff --git a/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua b/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
new file mode 100644
index 0000000000..8a454dd58e
--- /dev/null
+++ b/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
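Review bot: In index(), `local page` is declared on one line and assigned two lines later with a blank line between, which reads as if something were meant to happen in between; folding it into `local page = entry({"admin", "services", "fwknopd"}, cbi("fwknopd"), _("Firewall Knock Daemon"))` keeps the variable initialised at its declaration. The `module("luci.controller.fwknopd", package.seeall)` line is the deprecated Lua 5.1 module idiom, and `nixio.fs` is only reachable here through the global environment that `package.seeall` exposes; this appears to follow the convention of the surrounding LuCI controllers, so a short comment such as `-- package.seeall makes globals like nixio visible inside this module` would help a reader more than a change would.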
@@ -0,0 +1,49 @@
+-- Copyright 2015 Jonathan Bennett
+-- Licensed to the public under the GNU General Public License v2.
+
+m = Map("fwknopd", translate("Firewall Knock Operator"))
+
+s = m:section(TypedSection, "global", translate("Enable Uci/Luci control")) -- Set uci control on or off
+s.anonymous=true
+s:option(Flag, "uci_enabled", translate("Enable config overwrite"), translate("When unchecked, the config files in /etc/fwknopd will be used as is, ignoring any settings here."))
+
+s = m:section(TypedSection, "access", translate("access.conf stanzas")) -- set the access.conf settings
+s.anonymous=true
+s.addremove=true
+s.dynamic=true
+s:option(Value, "SOURCE", "SOURCE", translate("Use ANY for any source ip"))
+k1 = s:option(Value, "KEY", "KEY", translate("Define the symmetric key used for decrypting an incoming SPA packet that is encrypted by the fwknop client with Rijndael."))
+k1:depends("keytype", translate("Normal Key"))
+k2 = s:option(Value, "KEY_BASE64", "KEY_BASE64", translate("Define the symmetric key used for decrypting an incoming SPA \
+ packet that is encrypted by the fwknop client with Rijndael."))
+k2:depends("keytype", translate("Base 64 key"))
+l1 = s:option(ListValue, "keytype", "Key type")
+l1:value("Normal Key", "Normal Key")
+l1:value("Base 64 key", "Base 64 key")
+k3 = s:option(Value, "HMAC_KEY", "HMAC_KEY", "The hmac key")
+k3:depends("hkeytype", "Normal Key")
+k4 = s:option(Value, "HMAC_KEY_BASE64", "HMAC_KEY_BASE64", translate("The base64 hmac key"))
+k4:depends("hkeytype", "Base 64 key")
+l2 = s:option(ListValue, "hkeytype", "HMAC Key type")
+l2:value("Normal Key", "Normal Key")
+l2:value("Base 64 key", "Base 64 key")
+s:option(Value, "OPEN_PORTS", "OPEN_PORTS", translate("Define a set of ports and protocols (tcp or udp) that will be opened if a valid knock sequence is seen. \
+ If this entry is not set, fwknopd will attempt to honor any proto/port request specified in the SPA data \
+ (unless of it matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."))
+s:option(Value, "FW_ACCESS_TIMEOUT", "FW_ACCESS_TIMEOUT", translate("Define the length of time access will be granted by fwknopd through the firewall after a \
+ valid knock sequence from a source IP address. If “FW_ACCESS_TIMEOUT” is not set then the default \
+ timeout of 30 seconds will automatically be set."))
+s:option(Value, "REQUIRE_SOURCE_ADDRESS", "REQUIRE_SOURCE_ADDRESS", translate("Force all SPA packets to contain a real IP address within the encrypted data. \
+ This makes it impossible to use the -s command line argument on the fwknop client command line, so either -R \
+ has to be used to automatically resolve the external address (if the client behind a NAT) or the client must \
+ know the external IP and set it via the -a argument."))
+s:option(DummyValue, "note1", translate("Enter custom access.conf variables below:"))
+
+s = m:section(TypedSection, "config", translate("fwknopd.conf config options"))
+s.anonymous=true
+s.dynamic=true
+s:option(Value, "MAX_SPA_PACKET_AGE", "MAX_SPA_PACKET_AGE", translate("Maximum age in seconds that an SPA packet will be accepted. defaults to 120 seconds"))
+s:option(DummyValue, "note2", translate("Enter custom fwknopd.conf variables below:"))
+
+return m
+
-- cgit v1.2.3
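Review bot: The KEY, KEY_BASE64, HMAC_KEY and HMAC_KEY_BASE64 options (k1 to k4) are plain `Value` fields, so the SPA decryption and HMAC secrets are rendered in cleartext in the form and in the page source; setting `k1.password = true` (and the same for `k2`, `k3`, `k4`) renders them as password inputs, as other LuCI credential fields do. Separately, `k1:depends("keytype", translate("Normal Key"))` and the matching `k2` line compare against a translated string, while the `keytype` ListValue stores the untranslated key `"Normal Key"`; as far as I can tell depends() compares the raw stored value, so in any locale that translates that text the dependency never matches and the key field is hidden, whereas `k3`/`k4` already use the bare values. Those two lines should read `k1:depends("keytype", "Normal Key")` and `k2:depends("keytype", "Base 64 key")`. Minor: the HMAC_KEY description `"The hmac key"` is the only description not wrapped in translate(), and the OPEN_PORTS help text says "unless of it matches" where "unless it matches" is meant.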