]>
git.ipfire.org Git - ipfire-2.x.git/log
Stefan Schantl [Sun, 19 May 2019 16:52:23 +0000 (18:52 +0200)]
suricata: Limit to a maximum of "16" netfilter queues.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 18 May 2019 08:25:54 +0000 (09:25 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 May 2019 22:36:53 +0000 (23:36 +0100)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Thu, 24 May 2018 10:38:39 +0000 (12:38 +0200)]
BUG11505: Captive Portal: no way to remove an uploaded logo
added a delete button
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 May 2019 19:30:13 +0000 (20:30 +0100)]
core132: Ship updated apache configuration
A reload would be sufficient.
I could not find why apache needs to be restarted.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 15 May 2019 17:01:00 +0000 (17:01 +0000)]
httpd: prefer AES-GCM ciphers over AES-CBC
CBC ciphers are vulnerable to a bunch of attacks (being
rather academic so far) such as MAC-then-encrypt or
padding oracle.
These seem to be more serious (see
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
for further readings) which is why they should be used
for interoperability purposes only.
I plan to remove AES-CBC ciphers for the WebUI at the
end of the year, provided overall security landscape
has not changed until that.
This patch changes the WebUI cipherlist to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
(AES-CBC + ECDSA will be preferred over RSA for performance
reasons. As this cipher order cannot be trivially rebuilt with
OpenSSL cipher stings, it has to be hard-coded.)
All working clients will stay compatible.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 May 2019 18:52:27 +0000 (19:52 +0100)]
Fix version information in backupiso script
Fixes: #12083
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 17 May 2019 05:10:52 +0000 (07:10 +0200)]
kernel: update to 4.14.120
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 16 May 2019 12:26:04 +0000 (14:26 +0200)]
kernel: update to 4.14.119
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 15 May 2019 11:17:26 +0000 (13:17 +0200)]
intel-microcode: update to
20190514
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 11 May 2019 03:24:29 +0000 (04:24 +0100)]
core132: Ship changes to unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)]
unbound: Add Safe Search
This is a feature that will filter adult content from search
engine's results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.
However, there is no better solution available to this and this
an optional feature, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Sat, 11 May 2019 03:18:08 +0000 (04:18 +0100)]
core132: Ship updated urlfilter.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Apr 2019 16:06:08 +0000 (17:06 +0100)]
URL Filter: Drop Safe Search feature
This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 May 2019 01:20:15 +0000 (02:20 +0100)]
igmpproxy: Update to 0.2.1
This updates the package to its latest upstream version and should
be able to support IGMPv3.
Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Thu, 9 May 2019 21:55:58 +0000 (23:55 +0200)]
Pakfire: Add Core-Version to "status"
Add the IPFire-Core-Version to the status message.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 9 May 2019 20:06:00 +0000 (20:06 +0000)]
Tor: update to 0.4.0.5
See https://blog.torproject.org/new-release-tor-0405 for release
announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 03:20:17 +0000 (04:20 +0100)]
core132: Ship updated hwdata
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 9 May 2019 13:40:00 +0000 (13:40 +0000)]
hwdata: update PCI/USB databases
PCI IDs: 2019-05-03 03:15:03
USB IDs: 2019-05-08 20:34:05
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 03:19:05 +0000 (04:19 +0100)]
core132: Ship updated ca-certificates
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 9 May 2019 13:24:00 +0000 (13:24 +0000)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 03:16:39 +0000 (04:16 +0100)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 02:36:58 +0000 (03:36 +0100)]
Config: Disable XZ parallelism by default
Exporting XZ_OPT caused that every time xz was called, it automatically
enabled parallelism. The make systemm also launches multiple processes
at the same time to use more processor cores at the same time.
The combination of this causes memory exhaustion even on large systems
and has no performance gain. Therefore this is disabled by default
and only enabled where we need it which is already the case.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Florian Bührle [Sat, 11 May 2019 12:38:39 +0000 (14:38 +0200)]
zoneconf: Fix bug that resultet from last fix
Fix bug that prevents users from assigning NIC to RED if RED is in PPP
mode
Florian Bührle [Sat, 11 May 2019 11:28:12 +0000 (13:28 +0200)]
zoneconf: Fix bug in NIC assignment; Change visibility of unused zones
Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.
Unused zones are now invisible instead of grey.
Michael Tremer [Thu, 9 May 2019 13:51:40 +0000 (14:51 +0100)]
routing: Fix potential authenticated XSS in input processing
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.
An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 15:16:35 +0000 (17:16 +0200)]
zoneconf: Remove red warning
This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 15:13:52 +0000 (17:13 +0200)]
zoneconf: Fix spelling
This patch mainly changes "Macvtap" to the branded spelling and removes
short forms as well as hyphenation in German compound nouns.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 15:11:24 +0000 (17:11 +0200)]
zoneconf: Move "None" option to the top
This is a more natural order of the options to me
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 14:43:04 +0000 (15:43 +0100)]
web-user-interface: Ship new zoneconf.cgi file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 12:17:16 +0000 (13:17 +0100)]
core132: Ship updated captive.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 20:36:21 +0000 (21:36 +0100)]
captive: Fix potential authenticated XSS in title processing
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps attacker to redirect the victim to a attacker's page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Captive Portal page.
An attacker get access to the victim's session by performing the
CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 8 May 2019 11:14:46 +0000 (12:14 +0100)]
core132: Ship VLAN GUI
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Florian Bührle [Wed, 8 May 2019 10:56:18 +0000 (11:56 +0100)]
webif: Add a GUI for configuring VLAN interfaces
This patch adds a new CGI file which allows users to edit the
VLAN configuration as well as configuring zones as bridges.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Florian Bührle [Wed, 8 May 2019 10:43:11 +0000 (11:43 +0100)]
udev: Accept MAC addresses for PARENT_DEV
This allows us to create VLAN interfaces even when the
name of the parent interface might vary.
This patch also appends the VLAN tag to interfaces
when the zone is in bridge mode.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 7 May 2019 17:17:16 +0000 (19:17 +0200)]
guardian: Remove snort related options.
IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 7 May 2019 21:54:11 +0000 (22:54 +0100)]
squid: Link against libatomic on ARM
This package failed to build on ARM because atomic functions
are being emulated on ARM32 and the required library was not
linked.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 20:19:53 +0000 (21:19 +0100)]
xfsprogs: Disable LTO on armv5tel
LTO fails on ARM, but since we do not require it, we can
disable it here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 22:53:43 +0000 (23:53 +0100)]
core132: Ship updated pakfire files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Sat, 27 Apr 2019 19:26:46 +0000 (21:26 +0200)]
zabbix_agentd: Add UserParameter for Pakfire Status
Ship the UserParameter for monitoring the status of pakfire for keeping track of available updates etc.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Sat, 27 Apr 2019 19:26:45 +0000 (21:26 +0200)]
Pakfire: Add new command line argument "status"
This enables Pakfire to return a Status-Summary for the Current Core-Update-Level, time since last updates, the availability of a core-/packet-update and if a reboot is required to complete an update. This can be used by monitoring agents (e.g. zabbix_agentd) to monitor the update status of the IPFire device.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Sat, 27 Apr 2019 19:26:44 +0000 (21:26 +0200)]
zabbix_agentd: update to 4.2.1
Release notes: https://www.zabbix.com/rn/rn4.2.1
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 22:50:26 +0000 (23:50 +0100)]
core132: Ship updated libedit
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 1 May 2019 17:32:15 +0000 (19:32 +0200)]
libedit: Update to
20190324 -3.1
For details see:
https://thrysoee.dk/editline/
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 22:49:47 +0000 (23:49 +0100)]
core132: Ship updated knot
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 1 May 2019 17:28:16 +0000 (19:28 +0200)]
knot: Update to 2.8.1
For details see:
https://www.knot-dns.cz/2019-04-09-version-281.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 22:48:41 +0000 (23:48 +0100)]
core132: Ship updated bind
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 27 Apr 2019 00:19:34 +0000 (02:19 +0200)]
bind: Update to 9.11.6-P1
For details see:
http://ftp.isc.org/isc/bind9/9.11.6-P1/RELEASE-NOTES-bind-9.11.6-P1.html
"Security Fixes
The TCP client quota set using the tcp-clients option could be exceeded in some cases.
This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743.
[GL #615]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 22:46:36 +0000 (23:46 +0100)]
core132: Ship updated dhcpcd
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 4 May 2019 19:59:15 +0000 (21:59 +0200)]
dhcpcd: Update to 7.2.2
For details see:
https://roy.marples.name/
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 May 2019 22:44:44 +0000 (23:44 +0100)]
firewall: Allow SNAT rules with RED interface
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 1 May 2019 18:19:01 +0000 (20:19 +0200)]
suricata: Update to 4.1.4
This is a minor update to the latest available version from
the suricata 4.1 series.
Fixes #12068.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 1 May 2019 16:04:36 +0000 (18:04 +0200)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Stefan Schantl [Wed, 1 May 2019 15:03:06 +0000 (17:03 +0200)]
suricata: Remove PID file on stop
Force the initscript to remove the PID file when calling "stop" section.
If suricata crashes during startup, the PID file still remains and the service
cannot be started anymore until the file has been deleted.
Now when calling "stop" or "restart" the PID file will be deleted and the service
can be used again.
Fixes #12067.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 1 May 2019 14:49:25 +0000 (16:49 +0200)]
update-ids-ruleset: Set correct ownership for the rulestarball.
The script usualy will be executed by cron which will start it with
root permissions, so the downloaded tarball is owned by this user.
This has to be changed to the user which runs the WUI (nobody:nobody) to
allow, changing the ruleset to an other one and to display the ruleset area.
Fixes #12066
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 30 Apr 2019 09:58:31 +0000 (10:58 +0100)]
core132: Ship updated firewall rules generator
This patch also requires a reboot after installing this update
so that the changed ruleset is being applied.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Apr 2019 09:56:05 +0000 (10:56 +0100)]
firewall: Fix source/destination interface settings
When a forwarding rule is being created, we sometimes create
INPUT/OUTPUT rules, too. Those were slightly invalid because
the source and destination interfaces where passed, too.
This could render some rules in certain circumstances useless.
This patch fixes this and only adds -i for INPUT and -o for
OUTPUT rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Apr 2019 09:45:34 +0000 (10:45 +0100)]
firewall: Add more rules to input/output when adding rules to forward
The special_input/output_targets array assumed that firewall access
will always be denied. However, rules also need to be created when
access is granted. Therefore the ACCEPT target needs to be included
in this list and rules must be created in INPUTFW/OUTGOINGFW too
when ACCEPT rules are created in FORWARDFW.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Apr 2019 09:45:02 +0000 (10:45 +0100)]
grub: Update rootfile on i586
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 28 Apr 2019 08:41:50 +0000 (09:41 +0100)]
grub: Fix rootfile
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 27 Apr 2019 02:58:44 +0000 (03:58 +0100)]
grub: Fix relocation type issue
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 27 Apr 2019 00:40:43 +0000 (01:40 +0100)]
ipfire-netboot: Fix compiling and linking with new GCC & binutils
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 26 Apr 2019 23:21:39 +0000 (00:21 +0100)]
sarg: Fix build with newer GCCs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 26 Apr 2019 17:39:55 +0000 (19:39 +0200)]
Merge branch 'master' into next
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 26 Apr 2019 15:11:17 +0000 (16:11 +0100)]
grub: Fix build error with GCC 8
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 26 Apr 2019 15:10:25 +0000 (16:10 +0100)]
grub: Disable efiemu on PC builds
This won't compile with GCC 8 and we do not need it
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 26 Apr 2019 15:05:20 +0000 (16:05 +0100)]
nasm: Update to 2.14.02
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 26 Apr 2019 15:06:10 +0000 (16:06 +0100)]
ltrace: Bump package version
This package needs to be rebuilt because it uses elfutils
which has had an soname bump.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 26 Apr 2019 15:04:48 +0000 (16:04 +0100)]
elfutils: Update to 0.176
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Fri, 26 Apr 2019 15:08:35 +0000 (17:08 +0200)]
OpenVPN: Fixed certificate generation in French
Fixes #12060
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 25 Apr 2019 17:31:48 +0000 (19:31 +0200)]
initscripts/suricata: Rework creation of firewall rules.
The script now will use the previously introduced seperate firewall chains called
IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.
The commit also creates an AND connection between the choosen network zones in the UI and
the final firwall rules.
Fixes #12062.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Thu, 25 Apr 2019 17:31:47 +0000 (19:31 +0200)]
initscripts/suricata: Move functions order and always use flush_fw_chain function
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Thu, 25 Apr 2019 17:31:46 +0000 (19:31 +0200)]
firewall: Use seperate firewall chains for passing traffic to the IPS
Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 26 Apr 2019 05:43:21 +0000 (07:43 +0200)]
hostapd: bump package version
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 10:24:33 +0000 (11:24 +0100)]
hostap: Fix wiring of checkboxes for client isolation
The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 10:31:28 +0000 (11:31 +0100)]
hostap: Translate configuration settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 10:24:33 +0000 (11:24 +0100)]
hostap: Fix wiring of checkboxes for client isolation
The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 10:08:36 +0000 (11:08 +0100)]
hostap: Remove deprecated directive
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 09:43:50 +0000 (10:43 +0100)]
hostap: Enable 80MHz bandwidth by default (when using ACS)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 09:39:25 +0000 (10:39 +0100)]
hostap: Enable option to force clients to use 802.11w
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Apr 2019 09:12:29 +0000 (10:12 +0100)]
hostap: Allow to use Automatic Channel Selection (ACS)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 23 Apr 2019 18:33:02 +0000 (20:33 +0200)]
convert-snort: Fix ownership of the generated homenet file.
Fixes #12059.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 23 Apr 2019 19:27:53 +0000 (21:27 +0200)]
suricata: Use device ppp0 if PPPoE dialin is used.
Fixes #12058.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 23 Apr 2019 19:45:42 +0000 (20:45 +0100)]
suricata: EXTERNAL_NET should equal any
This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 21 Apr 2019 00:32:07 +0000 (01:32 +0100)]
suricata: Do not always convert rules to be bi-directional
This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 23 Apr 2019 19:56:07 +0000 (20:56 +0100)]
core132: Ship updated suricata initscript
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 23 Apr 2019 19:55:22 +0000 (20:55 +0100)]
core132: Ship updated convert-snort script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 23 Apr 2019 18:33:02 +0000 (20:33 +0200)]
convert-snort: Fix ownership of the generated homenet file.
Fixes #12059.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Tue, 23 Apr 2019 18:46:11 +0000 (20:46 +0200)]
core132: Bugfix for typo in filelist
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 23 Apr 2019 19:27:53 +0000 (21:27 +0200)]
suricata: Use device ppp0 if PPPoE dialin is used.
Fixes #12058.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 23 Apr 2019 19:45:42 +0000 (20:45 +0100)]
suricata: EXTERNAL_NET should equal any
This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 23 Apr 2019 19:20:14 +0000 (20:20 +0100)]
core132: Ship updated list of mime types
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Wed, 17 Apr 2019 23:54:18 +0000 (01:54 +0200)]
apache / WPAD: Add correct MIME type for wpad.dat and proxy.pac
Some clients require the correct MIME type to be set for accepting/handling the Proxy-Settings properly.
See: http://findproxyforurl.com/deploying-wpad/
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 21 Apr 2019 00:32:07 +0000 (01:32 +0100)]
suricata: Do not always convert rules to be bi-directional
This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Tue, 23 Apr 2019 17:21:30 +0000 (19:21 +0200)]
core131: add services.cgi to update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 20 Apr 2019 16:12:21 +0000 (18:12 +0200)]
finish core131
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 20 Apr 2019 15:35:54 +0000 (17:35 +0200)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sat, 20 Apr 2019 15:21:03 +0000 (17:21 +0200)]
kernel: update 4.14.113
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 20 Apr 2019 13:21:46 +0000 (14:21 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 20 Apr 2019 13:20:06 +0000 (14:20 +0100)]
core132: Ship WPAD/proxy changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>