-# User manual base URL (without trailing slash)
+# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page])
+
+# Base URL (without trailing slash)
BASE_URL=https://wiki.ipfire.org
+index=configuration/system/startpage
-# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page])
+# System menu
index=configuration/system/startpage
-pppsetup=configuration/system/dial
+mail=configuration/system/mail_service
+remote=configuration/system/ssh
+backup=configuration/system/backup
+gui=configuration/system/userinterface
+fireinfo=fireinfo
+vulnerabilities=configuration/system/vulnerabilities
+shutdown=configuration/system/shutdown
+credits=configuration/system/credits
+
+# Status menu
+system=configuration/status/system
+memory=configuration/status/memory
+services=configuration/status/services
+media=configuration/status/drives
+netexternal=configuration/status/network_ext
+netinternal=configuration/status/network_int
+netother=configuration/status/network_int
+netovpnrw=configuration/status/network_ovpnrw
+#netovpnsrv=
+hardwaregraphs=configuration/status/hardware_diagrams
+entropy=configuration/status/entropy
+connections=configuration/status/connections
+traffic=configuration/status/nettraffic
+#mdstat=
+
+# Network menu
+zoneconf=configuration/network/zoneconf
+dns=dns
+proxy=configuration/network/proxy
+urlfilter=configuration/network/proxy/url-filter
+#updatexlrator=configuration/network/proxy/update_accelerator
+dhcp=configuration/network/dhcp
+captive=configuration/network/captive
+connscheduler=configuration/network/connectionscheduler
+hosts=configuration/network/hosts
+dnsforward=configuration/network/dnsforward
+routing=configuration/network/static
+mac=configuration/network/mac-address
+wakeonlan=configuration/network/wake-on-lan
+
+# Services menu
+vpnmain=configuration/services/ipsec
+ovpnmain=configuration/services/openvpn
+ddns=configuration/services/dyndns
+time=configuration/services/ntp
qos=configuration/services/qos
+extrahd=configuration/services/extrahd
+
+# Firewall menu
+firewall=configuration/firewall
+fwhosts=configuration/firewall/fwgroups
+optionsfw=configuration/firewall/options
+ids=configuration/firewall/ips
+p2p-block=configuration/firewall/p2p-block
+location-block=configuration/firewall/geoip-block
+wireless=configuration/firewall/accesstoblue
+iptables=configuration/firewall/iptables
+
+# IPfire menu
+pakfire=configuration/ipfire/pakfire
+
+# Logs menu
+summary=configuration/logs/summary
+config=configuration/logs/logsettings
+proxylog=configuration/logs/proxy
+calamaris=configuration/logs/proxyreports
+firewalllog=configuration/logs/firewall
+firewalllogip=configuration/logs/firewall-ip
+firewalllogport=configuration/logs/firewall-port
+firewalllogcountry=configuration/logs/firewall-country
+ids=configuration/logs/ips
+#ovpnclients=
+urlfilter=configuration/logs/url-filter
+log=configuration/logs/system
#usr/share/suricata/rules/smtp-events.rules
#usr/share/suricata/rules/stream-events.rules
#usr/share/suricata/rules/tls-events.rules
+var/ipfire/suricata/suricata-default-rules.yaml
var/lib/suricata
var/lib/suricata/classification.config
var/lib/suricata/reference.config
#lib/firmware/pcengines
#lib/firmware/pcengines/apu
-lib/firmware/pcengines/apu/apu1_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu2_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu3_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu4_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu5_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu6_v4.14.0.4.rom
+lib/firmware/pcengines/apu/apu1_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu2_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu3_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu4_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu5_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu6_v4.15.0.1.rom
--- /dev/null
+%YAML 1.1
+---
+
+# Default rules which helps
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
##
default-rule-path: /var/lib/suricata
rule-files:
- # Default rules
- - /usr/share/suricata/rules/app-layer-events.rules
- - /usr/share/suricata/rules/decoder-events.rules
- - /usr/share/suricata/rules/dhcp-events.rules
- - /usr/share/suricata/rules/dnp3-events.rules
- - /usr/share/suricata/rules/dns-events.rules
- - /usr/share/suricata/rules/files.rules
- - /usr/share/suricata/rules/http2-events.rules
- - /usr/share/suricata/rules/http-events.rules
- - /usr/share/suricata/rules/ipsec-events.rules
- - /usr/share/suricata/rules/kerberos-events.rules
- - /usr/share/suricata/rules/modbus-events.rules
- - /usr/share/suricata/rules/mqtt-events.rules
- - /usr/share/suricata/rules/nfs-events.rules
- - /usr/share/suricata/rules/ntp-events.rules
- - /usr/share/suricata/rules/smb-events.rules
- - /usr/share/suricata/rules/smtp-events.rules
- - /usr/share/suricata/rules/stream-events.rules
- - /usr/share/suricata/rules/tls-events.rules
-
# Include enabled ruleset files from external file
- - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+ include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+ # Include default rules.
+ include: /var/ipfire/suricata/suricata-default-rules.yaml
classification-file: /var/lib/suricata/classification.config
reference-config-file: /var/lib/suricata/reference.config
include Config
-VER = 4.14.0.4
+VER = 4.15.0.1
THISAPP = pcengines-apu-firmware-$(VER)
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = pcengines-apu-firmware
-PAK_VER = 9
+PAK_VER = 10
SUP_ARCH = i586 x86_64
DEPS = firmware-update
apu5_v$(VER).rom = $(DL_FROM)/apu5_v$(VER).rom
apu6_v$(VER).rom = $(DL_FROM)/apu6_v$(VER).rom
-apu1_v$(VER).rom_MD5 = e60ce8d903cb1e301aae1160aa8413cd
-apu2_v$(VER).rom_MD5 = 00da67aecd00e7479f0194ccc4ee5739
-apu3_v$(VER).rom_MD5 = 4f935c61fc4274c0b427d16d6aa0049a
-apu4_v$(VER).rom_MD5 = 3aed8f5e1e543a3912c808fe68067dde
-apu5_v$(VER).rom_MD5 = c39dbf45aa630c273fcace35fbc6324e
-apu6_v$(VER).rom_MD5 = b81f9da0f39b355344b602868b2ddcff
+apu1_v$(VER).rom_MD5 = 6b53385232624d48ec7c8fc7f0390413
+apu2_v$(VER).rom_MD5 = 062b6fe09e22077b7155f3eb3bf8ec34
+apu3_v$(VER).rom_MD5 = caa7a5b8d4977de9e4135ab1bc1d15dd
+apu4_v$(VER).rom_MD5 = ffc0f94f2d9c6c25e1d53e0386fbd20b
+apu5_v$(VER).rom_MD5 = e63e1f3392a414942ca65cfa46868665
+apu6_v$(VER).rom_MD5 = 9264657ad3fca49101b28901cf65f4bf
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch
cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
--prefix=/usr \
--sysconfdir=/etc \
# Install IPFire related config file.
install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
+ # Install yaml file for loading default rules.
+ install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
+
# Create emtpy rules directory.
-mkdir -p /var/lib/suricata
--- /dev/null
+diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules
+--- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100
++++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100
+@@ -89,7 +89,7 @@
+ # rule to alert if a stream has excessive retransmissions
+ alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
+ # Packet on wrong thread. Fires at most once per flow.
+-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
++#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+
+ # Packet with FIN+SYN set
+ alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)