Adolf Belka [Mon, 21 Jul 2025 14:34:52 +0000 (16:34 +0200)]
ruleset-sources: Remove the abuse.ch SSL list from the suricata sources
- The abuse.ch ssl suricata list has stopped being updated since 2025-06-25
- Looking at all of the abuse.ch lists, none of them are being updated anymore, so abuse.ch
  becoming part of Spamhaus looks to have stopped all work on free versions of the lists
- This change modifies the abuse.ch entry so that it no longer can be installed, but also
  if already installed it will remove it.
- The patch has also made a few minor typo corrections in comments.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.20.11/doc/arm/html/notes.html#notes-for-bind-9-20-11
"Notes for BIND 9.20.11
Security Fixes
Fix a possible assertion failure when stale-answer-client-timeout is
set to 0.
In specific circumstances the named resolver process could exit with an
assertion failure when stale answers were enabled and the
stale-answer-client-timeout configuration option was set to 0. This has
been fixed. (CVE-2025-40777) [GL #5372]
New Features
Add support for the CO flag to dig.
Add support for Compact Denial of Existence to dig. This includes
showing the CO (Compact Answers OK) flag when displaying messages and
adding an option to set the CO flag when making queries (dig +coflag).
[GL #5319]
Bug Fixes
Correct the default interface-interval from 60s to 60m.
When the interface-interval parser was changed from a uint32 parser to
a duration parser, the default value stayed at plain number 60 which
now means 60 seconds instead of 60 minutes. The documentation also
incorrectly states that the value is in minutes. That has been fixed.
[GL #5246]
Fix a purge-keys bug when using multiple views of a zone.
Previously, when a DNSSEC key was purged by one zone view, other zone
views would return an error about missing key files. This has been
fixed. [GL #5315]
Use IPv6 queries in delv +ns.
delv +ns invokes the same code to perform name resolution as named, but
it neglected to set up an IPv6 dispatch object first. Consequently, it
was behaving more like named -4. It now sets up dispatch objects for
both address families, and performs resolver queries to both IPv4 and
IPv6 addresses, except when one of the address families has been
suppressed by using delv -4 or delv -6. [GL #5352]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:03 +0000 (19:52 +0200)]
zabbix_agentd: Add LocationDB functionality
Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.locationdb.lookup[<ip>,<ip>,...]: Perform IPFire LocationDB lookups
  from within Zabbix. Returns a JSON dict.
- ipfire.locationdb.version: Get LocationDB version timestamp in unixtime.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:02 +0000 (19:52 +0200)]
zabbix_agentd: Add WireGuard specific monitoring items
Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.wireguard.peers.discovery: Discovery of configured WireGuard
  clients. Returns a JSON array.
- ipfire.wireguard.statusreport.get: Parses and returns output of
  `wireguardctrl dump` as a JSON array.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:01 +0000 (19:52 +0200)]
zabbix_agentd: Add ARPing method for checking Internet Gateway
Since some ISPs block ICMP ping to their gateway, ARPing can be an alternative.
This change adds arping alternatives for the regular (icmp) ping checks:
- ipfire.net.gateway.arping: Check if the Internet Gateway is reachable via ARPing
- ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing the Internet Gateway
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:00 +0000 (19:52 +0200)]
zabbix_agentd: Update to 7.0.16 (LTS)
- Update from version 7.0.11 to 7.0.16
- Update of rootfile not required
Bugs fixed:
ZBX-26080 Fixed old file descriptors being held when external log rotation is used
ZBX-26121 Added default flags to net.dns.get arguments when none are specified
ZBX-26055 Fixed failure to refresh active checks when next refresh was faster than 60 seconds
Full changelogs since 7.0.11:
- https://www.zabbix.com/rn/rn7.0.12
- https://www.zabbix.com/rn/rn7.0.13
- https://www.zabbix.com/rn/rn7.0.14
- https://www.zabbix.com/rn/rn7.0.15
- https://www.zabbix.com/rn/rn7.0.16
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jul 2025 08:49:47 +0000 (10:49 +0200)]
openvpn: Ignore existing PID files when starting processes
This is all not very organised and tidy. The init process seems to be
too cautious if there is a PID file left but there should not be any
harm in trying to start the same process twice when in doubt because
after all only one can bind to the same port at a time.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 3 Jun 2025 15:04:50 +0000 (17:04 +0200)]
ovpnmain.cgi: Only load status when the server is running
Otherwise we would show the status if the service is no longer running
and show clients as connected which have only been connected when the
server was stopped.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 16 Apr 2024 12:01:31 +0000 (14:01 +0200)]
ovpnmain.cgi: Restart instead of reload
The option to reload the server does not seem to work well. The running
process is performing a number of checks that make very little sense
and PID files get written by the user that launches the process (i.e.
root) instead of the user that the process is running as later on (i.e.
nobody). Since there is no chance to keep any existing connections alive
this way, we may just as well restart the service for now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>