From fcf19fcfacb2615df2ee4657d755b9d408e30d14 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 9 Sep 2014 16:18:55 +0200
Subject: [PATCH] Ship a default ocserv-script, which will put connecting clients into the internal firewall zone.
---
 ocserv-script | 10 ++++++++++
 ocserv.conf | 7 +++----
 ocserv.spec | 10 +++++++++-
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100755 ocserv-script

diff --git a/ocserv-script b/ocserv-script
new file mode 100755
index 0000000..b3e2061
--- /dev/null
+++ b/ocserv-script
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ "$REASON" = "connect" ];then
+ # add the user's interface into the internal zone
+ firewall-cmd --zone=internal --add-interface=$DEVICE
+else
+ firewall-cmd --zone=internal --remove-interface=$DEVICE
+fi
+
+exit 0
diff --git a/ocserv.conf b/ocserv.conf
index 44872d5..b554b1d 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -151,8 +151,8 @@ rekey-method = ssl
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
+#connect-script = /usr/bin/ocserv-script
+#disconnect-script = /usr/bin/ocserv-script
 
 # UTMP
 use-utmp = true
@@ -285,8 +285,7 @@ route = 192.168.1.0/255.255.255.0
 #default-select-group = DEFAULT
 
 # Instead of specifying manually all the allowed groups, you may instruct
-# ocserv to scan all available groups and include the full list. That
-# option is only functional on plain authentication.
+# ocserv to scan all available groups and include the full list.
 #auto-select-group = true
 
 # The system command to use to setup a route. %R will be replaced with the
diff --git a/ocserv.spec b/ocserv.spec
index b3341b5..5474956 100644
--- a/ocserv.spec
+++ b/ocserv.spec
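Review bot: The new ocserv-script always ends in `exit 0`, so a failed `firewall-cmd --add-interface` on the connect branch (firewalld not running, D-Bus unavailable, zone missing) is silently ignored and the session proceeds with the client's tun device outside the internal zone, which is exactly the fail-open case this script exists to prevent. If ocserv rejects the client when connect-script returns non-zero (worth confirming against the ocserv manual for this version), propagating the status is the safer default: `firewall-cmd --zone=internal --add-interface="$DEVICE" || exit 1`. Quoting `"$DEVICE"` in both firewall-cmd calls also keeps word splitting out of the picture, even though ocserv supplies the value. The disconnect branch can stay best-effort, since there is nothing to refuse at that point; a one-line header comment stating that this script expects REASON and DEVICE from ocserv and requires firewalld would help whoever enables it in ocserv.conf.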
@@ -1,6 +1,6 @@
 Name: ocserv
 Version: 0.8.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -14,6 +14,7 @@
 Source3: ocserv-pamd.conf
 Source4: PACKAGE-LICENSING
 Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
 Source7: ocserv-genkey
+Source8: ocserv-script
 # Taken from upstream:
 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -111,6 +112,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/
 install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/
 mkdir -p %{buildroot}/%{_sbindir}
 install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir}
+mkdir -p %{buildroot}/%{_bindir}
+install -p -m 755 %{SOURCE8} %{buildroot}/%{_bindir}
 %make_install
 
 %clean
@@ -132,12 +135,17 @@ rm -rf %{buildroot}
 %{_mandir}/man8/ocpasswd.8*
 %{_bindir}/ocpasswd
 %{_bindir}/occtl
+%{_bindir}/ocserv-script
 %{_sbindir}/ocserv
 %{_sbindir}/ocserv-genkey
 %{_unitdir}/ocserv.service
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Thu Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-2
+- Ship a default ocserv-script, which will put connecting clients
+  into the internal firewall zone.
+
 * Thu Aug 28 2014 Nikos Mavrogiannopoulos - 0.8.4-1
 - New upstream release
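Review bot: The Source8 and %install hunks package ocserv-script, which shells out to `firewall-cmd`, but none of the visible hunks add a dependency on firewalld; the spec preamble where existing `Requires:` lines would live is outside these hunks, so it may already be declared there. If it is not, an administrator who uncomments the connect-script hints now shipped in ocserv.conf gets a script that fails on every connect, and a `Requires: firewalld` (or a weak dependency, if the target rpm supports one) makes the runtime expectation explicit. The install into `%{_bindir}` does match the `/usr/bin/ocserv-script` path used in the ocserv.conf hints, so those two hunks are consistent with each other.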