The application layer gateway modules can be used to bypass the NAT
via NAT slipstreaming. I had disabled all of them. If one is really needed
we can re-enable it later.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
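A defender-side check that goes with the commit above, added here as an example and not part of the IPFire patch: it reports which conntrack/NAT ALG helper modules are currently loaded and whether the kernel still auto-attaches helpers to matching flows (`net.netfilter.nf_conntrack_helper`, off by default since Linux 4.7). The module list is an assumption about which in-tree helpers matter; the optional file arguments exist so the functions can be run against captured `lsmod` output instead of the live kernel.

```shell
#!/bin/sh
# Added example (not from IPFire): audit NAT/conntrack ALG helpers.

# In-tree conntrack and NAT helper modules that implement application layer
# gateways. Which of these matter on a given box is an assumption.
ALG_MODULES="nf_nat_ftp nf_nat_sip nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_tftp nf_nat_amanda \
nf_conntrack_ftp nf_conntrack_sip nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp \
nf_conntrack_tftp nf_conntrack_amanda nf_conntrack_snmp nf_conntrack_netbios_ns"

# list_loaded_algs [lsmod-output-file]
# Prints one loaded ALG module per line. Returns 0 when none are loaded,
# 1 when at least one is. Without an argument it reads the live `lsmod`.
list_loaded_algs() {
    listing="${1:-}"
    if [ -z "$listing" ]; then
        loaded=$(lsmod | awk 'NR > 1 { print $1 }')
    else
        loaded=$(awk 'NR > 1 { print $1 }' "$listing")
    fi
    found=0
    for mod in $ALG_MODULES; do
        # Exact match on the module-name column only; the "Used by" column
        # is ignored so a dependency name does not count as loaded.
        if printf '%s\n' "$loaded" | grep -qx "$mod"; then
            echo "$mod"
            found=1
        fi
    done
    return $found
}

# helper_autoassign [sysctl-file]
# Returns 0 if helpers are auto-assigned to every matching flow
# (net.netfilter.nf_conntrack_helper = 1), 1 if they are only attached by
# explicit CT rules or the sysctl is absent.
helper_autoassign() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage on a live firewall: source this file, then run
#   list_loaded_algs || echo "ALG helper(s) loaded, see list above"
#   helper_autoassign && echo "helpers auto-attach to all matching flows"
```

An empty list with auto-assignment off is the state the commit aims for; if a helper is listed but is needed, the narrower option is to keep `nf_conntrack_helper` at 0 and attach it only to the specific port via a CT rule rather than re-enabling it globally.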
Michael Tremer [Tue, 12 Jan 2021 11:32:58 +0000 (11:32 +0000)]
kernel: Enable BBR as default TCP congestion algorithm
This will increase throughput since BBR is more modern and adjusted to
the nowadays version of the Internet whereas Cubic is more conservative
and might not always fully saturate the downlink.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
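A small verification helper for the change above, added as an example and not part of the commit: it confirms that `bbr` is actually selectable on the running kernel (the `tcp_bbr` module must be loaded or built in) and that it is the system default. The file arguments default to the real `/proc/sys` paths and exist only so the check can be run against captured values.

```shell
#!/bin/sh
# Added example (not from IPFire): verify the default TCP congestion control.
# The equivalent persistent setting is:
#   net.ipv4.tcp_congestion_control = bbr

# check_bbr [current-file] [available-file]
# Returns 0 if bbr is the default, 1 if another algorithm is the default,
# 2 if bbr is not available at all (tcp_bbr not loaded / not built in).
check_bbr() {
    current_file="${1:-/proc/sys/net/ipv4/tcp_congestion_control}"
    available_file="${2:-/proc/sys/net/ipv4/tcp_available_congestion_control}"

    # tcp_available_congestion_control is a single space-separated line.
    if ! grep -qw bbr "$available_file"; then
        echo "bbr is not available on this kernel; load tcp_bbr or build it in"
        return 2
    fi

    current=$(cat "$current_file")
    if [ "$current" = "bbr" ]; then
        echo "default congestion control is bbr"
        return 0
    fi
    echo "default congestion control is $current, not bbr"
    return 1
}
```

Note that the sysctl only affects new sockets; `ss -ti` shows the algorithm each existing connection is using, which is the quickest way to confirm the default took effect after the change.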
Michael Tremer [Tue, 12 Jan 2021 10:55:57 +0000 (10:55 +0000)]
kernel: Trust the randomness from the CPU
This will allow the kernel to seed its CRNG using RDSEED or RDRAND.
During the boot process, it is required that the CRNG is being
initialised, but it may take a long time on systems that do not have
a random number generator.
This is the default for various other distributions like Debian.
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 12 Jan 2021 10:52:30 +0000 (10:52 +0000)]
kernel: Compile RNG drivers into the kernel
The kernel will try to gather entropy really early in the boot process
where those device drivers might not have been loaded yet. They are
small and can therefore be compiled into the kernel like we already do
on ARM.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 1 Jul 2021 10:10:17 +0000 (10:10 +0000)]
core158: Fully terminate apache before restarting it
Asking apache to restart itself fails when the binary is changed and
some symbols cannot be resolved. We therefore terminate all processes
and start them again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 20 Jun 2021 12:15:20 +0000 (14:15 +0200)]
knot: Update to 3.0.7
For details see:
https://www.knot-dns.cz/2021-06-16-version-307.html
Features:
knotd: new configuration policy option for CDS digest algorithm setting #738
keymgr: new command for primary SOA serial manipulation in on-secondary signing mode
Improvements:
knotd: improved algorithm rollover to shorten the last step of old RRSIG publication
Bugfixes:
knotd: zone is flushed upon server start, despite DNSSEC signing is up-to-date
knotd: wildcard nonexistence is proved on empty-non-terminal query
knotd: redundant wildcard proof for non-authoritative data in a reply
knotd: missing wildcard proofs in a wildcard-cname loop reply
knotd: incorrectly synthesized CNAME owner from a wildcard record #715
knotd: zone-in-journal changeset ignores journal-max-usage limit #736
knotd: incorrect processing of zone-in-journal changeset with SOA serial 0
knotd: broken initialization of processing workers if SO_REUSEPORT(_LB) not available
kjournalprint: reported journal usage is incorrect #736
keymgr: cannot parse algorithm name ed448 #739
keymgr: default key size not set properly
kdig: failed to process huge DoH responses
libknot/probe: some corner-case bugs
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 18 Jun 2021 07:07:21 +0000 (09:07 +0200)]
proxy.cgi: Suppress Squid version by default
While hiding version information does not come with any _actual_
security improvements, it is generally a good thing to do so by default:
Attackers will still be able to reasonably guess or enumerate the
software version running, but need to conduct additional effort to do
so, hence more likely raising alerts and drawing attention on their
operation.
In addition, we suppress version details somewhere else in IPFire 2.x by
default, too (e. g. Unbound and Apache), so we can justify this patch by
aiming to stay consistent, I guess. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
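The Squid directive behind the commit above is `httpd_suppress_version_string`, which is `off` by default and, when `on`, removes the version from the `Server` and `Via` headers and from Squid's HTML error pages. The following check is an added example, not code from proxy.cgi: it parses a `squid.conf`, ignores comments, and honours the last occurrence of the directive, which is the one Squid applies. The sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example (not from IPFire): confirm Squid is configured to hide its
# version string.

# squid_version_suppressed <squid.conf>
# Returns 0 if the effective value of httpd_suppress_version_string is "on",
# 1 otherwise (directive absent, commented out, or set to "off").
squid_version_suppressed() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Drop everything after '#' so commented-out lines and trailing comments
    # do not count, then keep the value from the last matching directive.
    value=$(sed 's/#.*//' "$conf" \
        | awk '$1 == "httpd_suppress_version_string" { v = $2 } END { print v }')
    [ "$value" = "on" ]
}

# Usage: squid_version_suppressed /etc/squid/squid.conf && echo "version hidden"
```

For an end-to-end check, request a page that Squid itself answers (for example a denied URL) with `curl -sI` through the proxy and confirm the `Server:` and `Via:` headers no longer carry a `squid/<version>` token.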
Adolf Belka [Thu, 17 Jun 2021 09:47:00 +0000 (11:47 +0200)]
cups-filters: Update to 1.28.9
- Update from 1.28.8 to 1.28.9
- Update of rootfile not required
- Changelog
CHANGES IN V1.28.9
- libcupsfilters: Silenced compiler warnings
- libcupsfilters: Removed duplicate code in the
apply_filters() function.
- driverless: If there are no driverless IPP printers
available let "driverless" terminate with exit code 0 and
not 1, to follow CUPS' standard of backends in discovery
mode terminating with 0 if there are no appropriate printers
found (Issue #375).
- gstoraster, foomatic-rip: Fixed Ghostscript command line for
counting pages as it took too long on PDFs from evince when
printing DjVu files (Issue #354, Pull request #371, Ubuntu
bug #1920730).
- cups-browsed: Renamed ldap_connect() due to conflict in
new openldap (Issue #367, Pull request #370).
- pdftoraster: Free color data after processing of each page
(Pull request #363).
- cups-browsed: Always save "...-default" option entries
from printers.conf, regardless of presence or absence
of PPD file (Pull request #359).
- cups-browsed: Start after network-online.target (Pull
request #360).
- texttopdf: Set default margins when no PPD file is used
(Pull request #356).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 15 Jun 2021 20:29:34 +0000 (22:29 +0200)]
proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:
(a) Most web sites require HTTPS, thwarting manipulation attempts to
HTTP headers in transit. Given today's internet landscape, faking
these headers is unlikely to work for the vast majority of web
sites.
(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
corresponding browser information via JavaScript. Any difference
most likely indicates (trivial) header manipulation attempts, hence
rendering this feature useless if browsers do not behave in the same
manner, which we cannot control on IPFire.
(c) Especially static Referer headers make users stick out like a sore
thumb, as nobody else in the world is likely to have the same
Referer set _all the time_.
Modern browsers attempt to strip sensitive information from Referer
headers, or ditch them completely, particularly to 3rd party sites.
Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).
Therefore, removing these features from the Squid GUI is the least bad
option we have. We should not give our users a false sense of privacy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>