Michael Tremer [Thu, 1 Dec 2016 17:13:07 +0000 (17:13 +0000)]
unbound: Fix DNS forwarder test
The previous version aborted when the validation test
succeeded, but this is not always sufficient in case a
provider filters any DNSKEY, DS or RRSIG records.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Mon, 31 Oct 2016 11:19:15 +0000 (12:19 +0100)]
BUG11242: Fix for adding 2 VPN Hosts/network with same name
If one has an IPSec network named "aaa" and an OpenVPN Host with the same name
it was not possible to group them together because of the same name.
Now the Network type is also checked which allows Entries with same name, but different networks.
Fixes: #11242
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 2 Nov 2016 15:42:40 +0000 (15:42 +0000)]
unbound: Fix for DNS forwarding of .local zones
These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It appears that htpasswd is not salting any passwords that are
stored with the SHA (-s) algorithm. MD5 passwords however are
salted.
That leads us to the conclusion that the "MD5 algorithm" in htpasswd
is more secure than the "SHA algorithm" although the hash function
itself should be stronger.
With a rainbow table, cracking "SHA" is easily done.
A rainbow table for "MD5" + salt would be way too large to be
efficiently stored.
Hence this commit is reverted to old behaviour to avoid the clear
failure of design in SHA.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
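The commit message above describes why an unsalted "{SHA}" htpasswd entry is weaker in practice than a salted one. The following added example (not part of the IPFire commit or of Apache's htpasswd code) reproduces the "{SHA}" format, which is simply "{SHA}" followed by the base64 of the raw SHA-1 digest, and contrasts it with a salted scheme. The salted scheme here is PBKDF2-HMAC-SHA256 with a random 16-byte salt, chosen as an illustration of the principle; it is an assumption for the demo and is not htpasswd's own "$apr1$" MD5 format. The user names and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample credentials for the demonstration (not real accounts).
# Two users deliberately share the same password to show what the store leaks.
USERS = {"alice": "password", "bob": "password"}


def htpasswd_sha(password: str) -> str:
    """Apache htpasswd '-s' format: '{SHA}' + base64(SHA-1(password)).

    There is no salt, so the stored value depends only on the password:
    equal passwords give equal entries and one precomputed table covers
    every user and every site using this format.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def salted_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 100_000) -> str:
    """Illustrative salted scheme (assumption for this example, NOT htpasswd's
    '$apr1$' format): random 16-byte salt + PBKDF2-HMAC-SHA256, stored as
    '<salt hex>$<derived key hex>'. The salt is stored alongside the hash so
    that verification can recompute it, while a table built for one salt is
    useless for any other.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str, rounds: int = 100_000) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(candidate, stored)


def identical_entries(hasher: Callable[[str], str]) -> bool:
    """True if the two sample users (same password) get identical stored values.

    For the unsalted '{SHA}' format this is always True; for a salted scheme it
    is False, so the password file no longer reveals who shares a password.
    """
    stored = {user: hasher(pw) for user, pw in USERS.items()}
    return stored["alice"] == stored["bob"]


if __name__ == "__main__":
    for user, pw in USERS.items():
        print(f"{user}:{htpasswd_sha(pw)}")      # identical lines for alice and bob
    for user, pw in USERS.items():
        print(f"{user}:{salted_hash(pw)}")       # different lines, same password
    print("unsalted entries collide:", identical_entries(htpasswd_sha))
    print("salted entries collide:  ", identical_entries(salted_hash))
```

Running the block prints the same "{SHA}" line for both sample users, which is exactly the property a precomputed table exploits, while the salted entries differ even though the passwords are equal and still verify correctly through verify_salted.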
Michael Tremer [Sat, 15 Oct 2016 17:08:22 +0000 (19:08 +0200)]
unbound-dhcp-bridge: Rewrite update algorithm
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to distinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Marcel Lorenz [Fri, 7 Oct 2016 16:26:38 +0000 (18:26 +0200)]
netpbm: update to 10.47.61
To keep the files in the right place, the files are installed into the build directory
and only the files which are useful are copied to the usual places in /usr.
Since the first three columns of 'iptables.cgi' gave a nearly unreadable output
with large numbers, I made the 'pkts', 'bytes' and 'target' columns a bit wider.
BEFORE - it was something like this:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytestarget proc opt in out source destination
32M38G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
32M38G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
00 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
32M38G IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
21M21G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
393873484KDHCPGREENINPUTall -- green0 * 0.0.0.0/0 0.0.0.0/0
645153642KGEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
386592304KIPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
386592304KGUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KWIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
368332209KOVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KTOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KINPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
309641833KREDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
309641833KPOLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
AFTER - somehow better readable - I think: ;-)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target proc opt in out source destination
32M 38G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
32M 38G IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
21M 21G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
39387 3484K DHCPGREENINPUT all -- green0 * 0.0.0.0/0 0.0.0.0/0
64515 3642K GEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
38659 2304K IPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
38659 2304K GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K WIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
36833 2209K OVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K TOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
30964 1833K REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
30964 1833K POLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Rearranged the fields on 'guardian.cgi' a bit - in a (hopefully) logical manner,
so that they don't need so much room.
- Added some translation-strings and explanations to (revised) 'guardian.cgi'.
- Added missing language string(s), deleted obsolete.
- Deleted all guardian entries from standard language files in
'/var/ipfire/langs'-directory.
- Added (upgraded) addon-specific language files to '/var/ipfire/addon-lang'-directory.
I hope I didn't forget something...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
unbound has some trouble with validating DNSSEC-enabled
domains when the upstream name server is stripping signatures
from the authoritative responses.
This script now checks that, removes any broken upstream
name servers from the list and prints a warning.
If all name servers fail the test, unbound falls back
into recursor mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 1 Oct 2016 17:37:28 +0000 (18:37 +0100)]
shadow-utils: Create standard set of configuration files
Previously we copied the default configuration from the upstream
package and modified that. Unfortunately a patch and a sed command
changed the file which resulted in unwanted changes.
This patch removes the patch and sed command and adds a new set
of configuration files that just need to be copied to the system.
Fixes #11195
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>