Since the first three columns of 'iptables.cgi' gave a nearly unreadable output
with large numbers, I made 'pkts', 'bytes' and 'target'-columns a bit wider.
BEFORE - it was something like this:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytestarget proc opt in out source destination
32M38G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
32M38G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
00 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
32M38G IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
21M21G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
393873484KDHCPGREENINPUTall -- green0 * 0.0.0.0/0 0.0.0.0/0
645153642KGEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
386592304KIPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
386592304KGUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KWIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
368332209KOVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KTOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KINPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
309641833KREDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
309641833KPOLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
AFTER - somehow better readable - I think: ;-)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target proc opt in out source destination
32M 38G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
32M 38G IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
21M 21G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
39387 3484K DHCPGREENINPUT all -- green0 * 0.0.0.0/0 0.0.0.0/0
64515 3642K GEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
38659 2304K IPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
38659 2304K GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K WIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
36833 2209K OVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K TOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
30964 1833K REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
30964 1833K POLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Rearranged the fields on 'guardian.cgi' a bit - in a (hopefully) logical manner,
so that they don't need so much room.
- Added some translation-strings and explanations to (revised) 'guardian.cgi'.
- Added missing language string(s), deleted obsolete.
- Deleted all guardian entries from standard language files in
'/var/ipfire/langs'-directory.
- Added (upgraded) addon-specific language files to '/var/ipfire/addon-lang'-directory.
I hope, I didn't forget something...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
unbound has some trouble with validating DNSSEC-enabled
domains when the upstream name server is stripping signatures
from the authoritative responses.
This script now checks that, removes any broken upstream
name servers from the list and prints a warning.
If all name servers fail the test, unbound falls back
into recursor mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
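The check described in the commit message above, as an added Python sketch that is not the IPFire script itself: it drops upstream name servers whose answers for a signed test domain carry no RRSIG record and falls back to recursor mode when none remain. The function names, server addresses and answer text (laid out like `dig +dnssec` output) are constructed for illustration.

```python
# Added example: keep only upstream resolvers whose answers still carry RRSIGs.
# Assumption: the test domain is known to be DNSSEC-signed, so a missing RRSIG
# means the upstream stripped it. All sample data below is constructed.

SAMPLE_ANSWERS = {
    "192.0.2.1": """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.org.  3600 IN A     198.51.100.7
example.org.  3600 IN RRSIG A 8 2 3600 20300101000000 20290101000000 12345 example.org. c2FtcGxl
""",
    "192.0.2.2": """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.org.  3600 IN A     198.51.100.7
""",
}


def has_rrsig(answer_text):
    """True if any record line (name ttl class type rdata...) has type RRSIG."""
    for line in answer_text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # skip comment/header lines and blanks
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "RRSIG":
            return True
    return False


def filter_upstreams(answers):
    """Return (usable servers, warnings, mode) for a {server: answer} map."""
    usable, warnings = [], []
    for server, text in answers.items():
        if has_rrsig(text):
            usable.append(server)
        else:
            warnings.append(f"{server} strips DNSSEC signatures, removed from list")
    # With no validating-capable upstream left, resolve recursively instead.
    mode = "forwarder" if usable else "recursor"
    return usable, warnings, mode


if __name__ == "__main__":
    print(filter_upstreams(SAMPLE_ANSWERS))
```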
Michael Tremer [Sat, 1 Oct 2016 17:37:28 +0000 (18:37 +0100)]
shadow-utils: Create standard set of configuration files
Previously we copied the default configuration from the upstream
package and modified that. Unfortunately a patch and a sed command
changed the file which resulted in unwanted changes.
This patch removes the patch and sed command and adds a new set
of configuration files that just need to be copied to the system.
Fixes #11195
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit updates krb5 to version 1.14.4
The patch is removed, because it has been upstream since 1.12.2.
The samba version is incremented, to link samba against the new krb5
version. Otherwise samba for example is linked against
/usr/lib/libkdb5.so.7 but the current version is /usr/lib/libkdb5.so.8
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
OpenSSL 1.0.2i users should upgrade to 1.0.2j
The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
team.
The virtlogd could only be restarted when the daemons run. The update.sh
script tried to restart the daemon no matter if the daemons run or not.
This behaviour produces problems.
An if statement now checks if the daemon runs or not and executes the
command that is suitable for the situation.
Fixes: #11172
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Sun, 28 Aug 2016 17:59:19 +0000 (19:59 +0200)]
Update libvirt to 2.1
This is the update of libvirt to the latest version 2.1.
The most important change from a packager view is the new virtlogd
daemon.
This daemon handles the qemu output and writes it to log files.
This requires some changes:
- A new init script to start, stop and restart the daemon, called virtlogd.
The daemon is restarted with SIGUSR1 (this is important because the daemon
keeps all pipelines etc. open).
This introduces a problem with the uninstall.sh and install.sh scripts.
It is not possible to stop the daemon while virtual machines are
running, so from now on the update.sh script does not execute uninstall.sh and
install.sh; instead it contains all steps from uninstall.sh and install.sh
except the start / stop routine for virtlogd. The daemon is just
restarted after the update, which makes sure that all changes take
effect.
- new symlinks in the uninstall.sh and install.sh script and some root
file changes because of the new virtlogd init script.
- the archive format changes from tar.gz to tar.xz
For Changelogs see:
https://libvirt.org/news-2015.html
https://libvirt.org/news.html (2017 and later:
https://libvirt.org/news-2016.html )
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Thu, 15 Sep 2016 13:31:48 +0000 (15:31 +0200)]
BUG11184: Error if DNAT address ends with 0 or 255 now disabled
When using dnat addresses, it is possible to use big subnets and host addresses like 172.16.0.0/12.
These addresses were rejected because they were recognised as network addresses.
The check is now removed.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
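Why a last-octet test misjudges DNAT targets in large subnets, as an added Python example that is not code from the IPFire tree: `old_check_rejects` is a reconstruction from the commit title only (the removed code is not shown on this page), and `is_net_or_broadcast` is a hypothetical prefix-aware comparison. The address/subnet pairs are constructed.

```python
# Added example: last-octet heuristic vs. a prefix-aware test (IPv4 only).
import ipaddress


def old_check_rejects(addr):
    """Reconstruction (assumption): reject any address ending in 0 or 255."""
    return int(addr.split(".")[-1]) in (0, 255)


def is_net_or_broadcast(addr, network):
    """True only if addr is the network or broadcast address of `network`."""
    net = ipaddress.ip_network(network, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {network}")
    if net.prefixlen >= 31:
        return False  # /31 and /32 have no reserved network/broadcast address
    return ip in (net.network_address, net.broadcast_address)


# Constructed (address, subnet) pairs covering both kinds of misjudgement.
CASES = [
    ("172.16.1.0", "172.16.0.0/12"),      # valid host, ends in 0
    ("172.16.0.255", "172.16.0.0/12"),    # valid host, ends in 255
    ("172.31.255.255", "172.16.0.0/12"),  # real broadcast address
    ("192.168.1.0", "192.168.1.0/24"),    # real network address
    ("192.168.1.127", "192.168.1.0/25"),  # broadcast that ends in 127
]


def compare(cases):
    """Return (addr, subnet, old_verdict, prefix_aware_verdict) per case."""
    return [
        (addr, net, old_check_rejects(addr), is_net_or_broadcast(addr, net))
        for addr, net in cases
    ]


if __name__ == "__main__":
    for addr, net, old, aware in compare(CASES):
        note = "" if old == aware else "  <-- heuristic is wrong"
        print(f"{addr:16} in {net:16} old={old!s:5} prefix-aware={aware!s:5}{note}")
```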