established compatibility with opnsense 24.1.*.

linuxmuster · Feb 19, 2024 · 6de6c58 · 6de6c58
1 parent 9e61b17
commit 6de6c58
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 36 deletions.
diff --git a/lib/constants.py b/lib/constants.py
@@ -3,7 +3,7 @@
 # constants.py
 #
 # thomas@linuxmuster.net
-# 20231014
+# 20240219
 #
 
 # don't change this file
@@ -49,7 +49,7 @@
 TPLDIR = SHAREDIR + '/templates'
 CUSTOMINI = CACHEDIR + '/custom.ini'
 FWSHAREDIR = SHAREDIR + '/firewall/opnsense'
-FWAUTHCFG = FWSHAREDIR + '/50-linuxmuster.pre-auth.conf'
+FWAUTHCFG = FWSHAREDIR + '/pre-auth.conf'
 FWOSCONFTPL = FWSHAREDIR + '/config.xml.tpl'
 FWCONFLOCAL = CACHEDIR + '/opnsense.xml'
 FWCONFREMOTE = '/conf/config.xml'

diff --git a/lib/setup.d/m_firewall.py b/lib/setup.d/m_firewall.py
@@ -2,7 +2,7 @@
 #
 # firewall setup
 # thomas@linuxmuster.net
-# 20220210
+# 20220219
 #
 
 import bcrypt
@@ -100,7 +100,8 @@ def main():
         rc, content = readTextfile(fwconftmp)
         soup = BeautifulSoup(content, 'lxml')
         # save certain configuration values for later use
-        sysctl = str(soup.findAll('sysctl')[0])
+        firmware = str(soup.find('firmware'))
+        sysctl = str(soup.find('sysctl'))
         # get already configured interfaces
         for item in soup.findAll('interfaces'):
             if '<lan>' in str(item):
@@ -122,17 +123,6 @@ def main():
             gwconfig = str(soup.find('gateways').content)
         except:
             gwconfig = ''
-        # save dnsserver configuration
-        try:
-            dnsconfig = str(soup.findAll('dnsserver')[0])
-        except:
-            dnsconfig = ''
-        # add server as dnsserver
-        dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
-        if dnsconfig == '':
-            dnsconfig = dnsserver
-        else:
-            dnsconfig = dnsserver + '\n    ' + dnsconfig
         # save opt1 configuration if present
         try:
             opt1config = str(soup.findAll('opt1')[0])
@@ -188,12 +178,12 @@ def main():
         # read template
         rc, content = readTextfile(fwconftpl)
         # replace placeholders with values
+        content = content.replace('@@firmware@@', firmware)
         content = content.replace('@@sysctl@@', sysctl)
         content = content.replace('@@servername@@', servername)
         content = content.replace('@@domainname@@', domainname)
         content = content.replace('@@basedn@@', basedn)
         content = content.replace('@@interfaces@@', interfaces)
-        content = content.replace('@@dnsconfig@@', dnsconfig)
         content = content.replace('@@gwconfig@@', gwconfig)
         content = content.replace('@@serverip@@', serverip)
         content = content.replace('@@firewallip@@', firewallip)
@@ -243,9 +233,7 @@ def main():
     conftmp = '/tmp/' + os.path.basename(constants.FWAUTHCFG)
     if not os.path.isfile(conftmp):
         sys.exit(1)
-    rc, content = readTextfile(conftmp)
-    fwpath = content.split('\n')[0].partition(' ')[2]
-    rc = putSftp(firewallip, conftmp, fwpath, rolloutpw)
+    rc = putSftp(firewallip, conftmp, conftmp, rolloutpw)
     if not rc:
         sys.exit(1)
 

diff --git a/share/firewall/opnsense/config.xml.tpl b/share/firewall/opnsense/config.xml.tpl
@@ -7,7 +7,6 @@
     <optimization>normal</optimization>
     <hostname>firewall</hostname>
     <domain>@@domainname@@</domain>
-    <dnsallowoverride/>
     <group>
       <name>admins</name>
       <description>System Administrators</description>
@@ -89,8 +88,12 @@
       <passwordauth>1</passwordauth>
       <permitrootlogin>1</permitrootlogin>
     </ssh>
-    @@dnsconfig@@
+    <dnsserver>@@serverip@@</dnsserver>
+    <dnsserver>193.110.81.1</dnsserver>
+    <dnsserver>185.253.5.1</dnsserver>
+    <dnslocalhost>1</dnslocalhost>
     <secondaryconsole>serial</secondaryconsole>
+    @@firmware@@
   </system>
   @@interfaces@@
   <dhcpd>
@@ -435,9 +438,10 @@
         <LogPayload>0</LogPayload>
       </general>
     </IDS>
-    <proxy version="1.0.0">
+    <proxy version="1.0.6">
       <general>
         <enabled>1</enabled>
+        <error_pages/>
         <icpPort/>
         <logging>
           <enable>
@@ -448,11 +452,12 @@
           <target/>
         </logging>
         <alternateDNSservers/>
-        <dnsV4First>0</dnsV4First>
         <forwardedForHandling>on</forwardedForHandling>
         <uriWhitespaceHandling>strip</uriWhitespaceHandling>
+        <enablePinger>1</enablePinger>
         <useViaHeader>1</useViaHeader>
         <suppressVersion>0</suppressVersion>
+        <connecttimeout/>
         <VisibleEmail>administrator@@@domainname@@</VisibleEmail>
         <VisibleHostname>firewall</VisibleHostname>
         <cache>
@@ -461,6 +466,8 @@
             <directory>/var/squid/cache</directory>
             <cache_mem>256</cache_mem>
             <maximum_object_size/>
+            <maximum_object_size_in_memory/>
+            <memory_cache_mode/>
             <size>100</size>
             <l1>16</l1>
             <l2>256</l2>
@@ -475,6 +482,16 @@
           <OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling>
           <perHostTrotteling>256</perHostTrotteling>
         </traffic>
+        <parentproxy>
+          <enabled>0</enabled>
+          <host/>
+          <enableauth>0</enableauth>
+          <user>username</user>
+          <password>password</password>
+          <port/>
+          <localdomains/>
+          <localips/>
+        </parentproxy>
       </general>
       <forward>
         <interfaces>lan</interfaces>
@@ -486,6 +503,9 @@
         <sslnobumpsites/>
         <ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size>
         <sslcrtd_children>5</sslcrtd_children>
+        <snmp_enable>0</snmp_enable>
+        <snmp_port>3401</snmp_port>
+        <snmp_password>public</snmp_password>
         <ftpInterfaces/>
         <ftpPort>2121</ftpPort>
         <ftpTransparentMode>0</ftpTransparentMode>
@@ -499,6 +519,8 @@
           <blackList/>
           <browser/>
           <mimeType/>
+          <googleapps/>
+          <youtube/>
           <safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts>
           <sslPorts>443:https</sslPorts>
           <remoteACLs>
@@ -521,11 +543,16 @@
         </icap>
         <authentication>
           <method>linuxmuster</method>
+          <authEnforceGroup/>
           <realm>OPNsense proxy authentication</realm>
           <credentialsttl>2</credentialsttl>
           <children>5</children>
         </authentication>
       </forward>
+      <pac/>
+      <error_pages>
+        <template/>
+      </error_pages>
     </proxy>
     <ProxyUserACL version="1.0.0">
       <general>

diff --git a/share/firewall/opnsense/fwsetup.sh b/share/firewall/opnsense/fwsetup.sh
@@ -2,19 +2,23 @@
 #
 # install extensions and reboot
 # thomas@linuxmuster.net
-# 20240210
+# 20240212
 #
 
-# install extensions
-extensions="os-web-proxy-sso os-freeradius os-api-backup"
-for item in $extensions; do
-  pkg install -y $item
-done
+# test if necessary files are present
+[ -s /tmp/opnsense.xml -a -s /tmp/pre-auth.conf ] || exit 1
 
-if [ -s /tmp/opnsense.xml ]; then
-  # copy setup config
-  cp /tmp/opnsense.xml /conf/config.xml
+# install necessary extensions
+pkg install -y os-squid os-web-proxy-sso os-freeradius || exit 1
 
-  # reboot finally
-  reboot
-fi
+# copy squid's pre-auth.conf in place
+paconf="$(head -1 /tmp/pre-auth.conf | awk '{print $2}')"
+padir="$(dirname "$paconf")"
+[ -d "$padir" ] || mkdir -p "$padir"
+cp /tmp/pre-auth.conf "$paconf" || exit 1
+
+# copy setup config
+cp /tmp/opnsense.xml /conf/config.xml || exit 1
+
+# reboot finally
+reboot
diff --git a/...all/opnsense/50-linuxmuster.pre-auth.conf → share/firewall/opnsense/pre-auth.conf b/...all/opnsense/50-linuxmuster.pre-auth.conf → share/firewall/opnsense/pre-auth.conf
@@ -1,7 +1,7 @@
 # /usr/local/etc/squid/pre-auth/50-linuxmuster.pre-auth.conf
 #
 # thomas@linuxmuster.net
-# 20200313
+# 20240212
 #
 # web proxy sso, allow only internet group
 #