my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile = "${General::swroot}/firewall/p2protocols";
+my $geoipfile = "${General::swroot}/firewall/geoipblock";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
# Load P2P block rules.
&p2pblock();
+ # Load GeoIP block rules.
+ &geoipblock();
+
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
}
# Concurrent connection limit
my @ratelimit_options = ();
- if (($elements gt 34) && ($$hash{$key}[32] eq 'ON')) {
+ if (($elements ge 34) && ($$hash{$key}[32] eq 'ON')) {
my $conn_limit = $$hash{$key}[33];
if ($conn_limit ge 1) {
}
# Ratelimit
- if (($elements gt 37) && ($$hash{$key}[34] eq 'ON')) {
+ if (($elements ge 37) && ($$hash{$key}[34] eq 'ON')) {
my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
- if ($rate_limit) {
- push(@ratelimit_options, ("-m", "limit"));
- push(@ratelimit_options, ("--limit", $rate_limit));
- }
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
}
# Check which protocols are used in this rule and so that we can
push(@source_options, ("-s", $source));
}
- if ($source_intf) {
- push(@source_options, ("-i", $source_intf));
- }
-
# Prepare destination options.
my @destination_options = ();
if ($destination) {
push(@destination_options, ("-d", $destination));
}
- if ($destination_intf) {
- push(@destination_options, ("-o", $destination_intf));
- }
-
# Add time constraint options.
push(@options, @time_options);
}
}
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ if ($source_intf) {
+ push(@source_options, ("-i", $source_intf));
+ }
+
+ if ($destination_intf) {
+ push(@destination_options, ("-o", $destination_intf));
+ }
+
push(@options, @source_options);
push(@options, @destination_options);
}
}
+sub geoipblock {
+ my %geoipsettings = ();
+
+ # Check if the geoip settings file exists
+ if (-e "$geoipfile") {
+ # Read settings file
+ &General::readhash("$geoipfile", \%geoipsettings);
+ } else {
+ # Exit submodule, go on processing the remaining script
+ return;
+ }
+
+ # If geoip blocking is not enabled, we are finished here.
+ if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+ # Exit submodule. Process remaining script.
+ return;
+ }
+
+ # Get supported locations.
+ my @locations = &fwlib::get_geoip_locations();
+
+ # Create iptables chain.
+ run("$IPTABLES -F GEOIPBLOCK");
+
+ # Loop through all supported geoip locations and
+ # create iptables rules, if blocking this country
+ # is enabled.
+ foreach my $location (@locations) {
+ if($geoipsettings{$location} eq "on") {
+ run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+ }
+ }
+}
+
sub get_protocols {
my $hash = shift;
my $key = shift;
etc/logrotate.conf
etc/mime.types
etc/modprobe.d
+ etc/modprobe.d/btmrvl_sdio.conf
etc/modprobe.d/cfg80211.conf
etc/modprobe.d/pcspeaker.conf
etc/modules.conf
#home
home/nobody
#lib
+ #lib/firmware
+ #lib/firmware/brcm
+ lib/firmware/brcm/brcmfmac4329-sdio.txt
+ lib/firmware/brcm/brcmfmac4330-sdio.txt
+ lib/firmware/brcm/brcmfmac43362-sdio.txt
#media
media/cdrom
media/floppy
root/.bash_profile
root/.bashrc
root/ipfire
+ run
#sbin
#srv
#usr/bin
usr/local/bin/settime
usr/local/bin/timecheck
usr/local/bin/timezone-transition
- #usr/local/bin/uname
+ usr/local/bin/update-bootloader
usr/local/bin/update-lang-cache
#usr/local/include
#usr/local/lib
#usr/share/man/man8
#usr/share/misc
#usr/share/terminfo
+#usr/share/xt_geoip
#usr/share/zoneinfo
- run
#var
#var/cache
var/empty
@$(PREBUILD)
# Create directories
- -mkdir -pv /{bin,boot,etc/opt,etc/modprobe.d,home,lib,mnt,opt,run}
+ -mkdir -pv /{bin,boot,etc/opt,etc/modprobe.d,home,lib/firmware/brcm,mnt,opt,run}
-mkdir -pv /{media/{floppy,cdrom,usbkey},sbin,srv,var}
-install -dv -m 0750 /root
-install -dv -m 1777 /tmp /var/tmp
-mkdir -pv /usr/{,local/}{bin,include,lib{,/sse2},sbin,src}
-mkdir -pv /usr/{,local/}share/{doc,info,locale,man}
- -mkdir -v /usr/{,local/}share/{misc,terminfo,zoneinfo}
+ -mkdir -v /usr/{,local/}share/{misc,terminfo,xt_geoip,zoneinfo}
-mkdir -pv /usr/{,local/}share/man/man{1..8}
#-for dir in /usr /usr/local; do \
# ln -sv share/{man,doc,info} $$dir; \
# Config files
cp -rvf $(DIR_SRC)/config/etc/* /etc;
+ cp -rvf $(DIR_SRC)/config/lib/* /lib;
touch /etc/{fs,m}tab
echo "$(NAME) v$(VERSION) - $(SLOGAN)" > /etc/issue
echo "===============================" >> /etc/issue
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.17" # Version number
- CORE="86" # Core Level (Filename)
- PAKFIRE_CORE="85" # Core Level (PAKFIRE)
+ CORE="87-rc1" # Core Level (Filename)
+ PAKFIRE_CORE="86" # Core Level (PAKFIRE)
GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
CONFIG_ROOT=/var/ipfire # Configuration rootdir
export LOGFILE
ipfiremake configroot
ipfiremake backup
+ ipfiremake pkg-config
ipfiremake libusb
ipfiremake libusbx
ipfiremake libpcap
ipfiremake multipath-tools
ipfiremake freetype
ipfiremake grub
+ ipfiremake libmnl
+ ipfiremake iptables
case "${TARGET_ARCH}" in
i586)
# x86-pae (Native and new XEN) kernel build
ipfiremake linux KCFG="-pae"
+ ipfiremake backports KCFG="-pae"
ipfiremake cryptodev KCFG="-pae"
ipfiremake e1000e KCFG="-pae"
ipfiremake igb KCFG="-pae"
ipfiremake ixgbe KCFG="-pae"
+ ipfiremake xtables-addons KCFG="-pae"
ipfiremake linux-initrd KCFG="-pae"
# x86 kernel build
ipfiremake linux KCFG=""
+ ipfiremake backports KCFG=""
ipfiremake cryptodev KCFG=""
ipfiremake e1000e KCFG=""
ipfiremake igb KCFG=""
ipfiremake ixgbe KCFG=""
+ ipfiremake xtables-addons KCFG=""
ipfiremake linux-initrd KCFG=""
;;
armv5tel)
# arm-rpi (Raspberry Pi) kernel build
ipfiremake linux KCFG="-rpi"
+ ipfiremake backports KCFG="-rpi"
ipfiremake cryptodev KCFG="-rpi"
+ ipfiremake xtables-addons KCFG="-rpi"
ipfiremake linux-initrd KCFG="-rpi"
# arm multi platform (Panda, Wandboard ...) kernel build
ipfiremake linux KCFG="-multi"
+ ipfiremake backports KCFG="-multi"
ipfiremake cryptodev KCFG="-multi"
ipfiremake e1000e KCFG="-multi"
ipfiremake igb KCFG="-multi"
ipfiremake ixgbe KCFG="-multi"
+ ipfiremake xtables-addons KCFG="-multi"
ipfiremake linux-initrd KCFG="-multi"
# arm-kirkwood (Dreamplug, ICY-Box ...) kernel build
ipfiremake linux KCFG="-kirkwood"
+ ipfiremake backports KCFG="-kirkwood"
ipfiremake cryptodev KCFG="-kirkwood"
ipfiremake e1000e KCFG="-kirkwood"
ipfiremake igb KCFG="-kirkwood"
ipfiremake ixgbe KCFG="-kirkwood"
+ ipfiremake xtables-addons KCFG="-kirkwood"
ipfiremake linux-initrd KCFG="-kirkwood"
;;
esac
- ipfiremake pkg-config
+ ipfiremake xtables-addons USPACE="1"
ipfiremake openssl
ipfiremake openssl-compat
ipfiremake libgpg-error
ipfiremake mtools
ipfiremake initscripts
ipfiremake whatmask
- ipfiremake libmnl
- ipfiremake iptables
ipfiremake conntrack-tools
ipfiremake libupnp
ipfiremake ipaddr
ipfiremake squid-accounting
ipfiremake pigz
ipfiremake tmux
+ ipfiremake perl-Text-CSV_XS
+ ipfiremake swconfig
}
buildinstaller() {