ipfire-2.x.git
5 months agokernel: update to 4.14.120
Arne Fitzenreiter [Fri, 17 May 2019 05:10:52 +0000 (07:10 +0200)] 
kernel: update to 4.14.120

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 months agokernel: update to 4.14.119
Arne Fitzenreiter [Thu, 16 May 2019 12:26:04 +0000 (14:26 +0200)] 
kernel: update to 4.14.119

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 months agointel-microcode: update to 20190514
Arne Fitzenreiter [Wed, 15 May 2019 11:17:26 +0000 (13:17 +0200)] 
intel-microcode: update to 20190514

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agocore132: Ship changes to unbound
Michael Tremer [Sat, 11 May 2019 03:24:29 +0000 (04:24 +0100)] 
core132: Ship changes to unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agounbound: Add Safe Search
Michael Tremer [Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)] 
unbound: Add Safe Search

This is a feature that will filter adult content from search
engine's results.

The old method of rewriting the HTTP request no longer works.

This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.

However, there is no better solution available to this and this
an optional feature, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
6 months agocore132: Ship updated urlfilter.cgi
Michael Tremer [Sat, 11 May 2019 03:18:08 +0000 (04:18 +0100)] 
core132: Ship updated urlfilter.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoURL Filter: Drop Safe Search feature
Michael Tremer [Tue, 30 Apr 2019 16:06:08 +0000 (17:06 +0100)] 
URL Filter: Drop Safe Search feature

This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoigmpproxy: Update to 0.2.1
Michael Tremer [Sat, 11 May 2019 01:20:15 +0000 (02:20 +0100)] 
igmpproxy: Update to 0.2.1

This updates the package to its latest upstream version and should
be able to support IGMPv3.

Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoPakfire: Add Core-Version to "status"
Alexander Koch [Thu, 9 May 2019 21:55:58 +0000 (23:55 +0200)] 
Pakfire: Add Core-Version to "status"

Add the IPFire-Core-Version to the status message.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoTor: update to 0.4.0.5
Peter Müller [Thu, 9 May 2019 20:06:00 +0000 (20:06 +0000)] 
Tor: update to 0.4.0.5

See https://blog.torproject.org/new-release-tor-0405 for release
announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated hwdata
Michael Tremer [Fri, 10 May 2019 03:20:17 +0000 (04:20 +0100)] 
core132: Ship updated hwdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohwdata: update PCI/USB databases
Peter Müller [Thu, 9 May 2019 13:40:00 +0000 (13:40 +0000)] 
hwdata: update PCI/USB databases

PCI IDs: 2019-05-03 03:15:03
USB IDs: 2019-05-08 20:34:05

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated ca-certificates
Michael Tremer [Fri, 10 May 2019 03:19:05 +0000 (04:19 +0100)] 
core132: Ship updated ca-certificates

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoupdate ca-certificates CA bundle
Peter Müller [Thu, 9 May 2019 13:24:00 +0000 (13:24 +0000)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoUpdate translations
Michael Tremer [Fri, 10 May 2019 03:16:39 +0000 (04:16 +0100)] 
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoConfig: Disable XZ parallelism by default
Michael Tremer [Fri, 10 May 2019 02:36:58 +0000 (03:36 +0100)] 
Config: Disable XZ parallelism by default

Exporting XZ_OPT caused that every time xz was called, it automatically
enabled parallelism. The make systemm also launches multiple processes
at the same time to use more processor cores at the same time.

The combination of this causes memory exhaustion even on large systems
and has no performance gain. Therefore this is disabled by default
and only enabled where we need it which is already the case.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agozoneconf: Fix bug that resultet from last fix
Florian Bührle [Sat, 11 May 2019 12:38:39 +0000 (14:38 +0200)] 
zoneconf: Fix bug that resultet from last fix

Fix bug that prevents users from assigning NIC to RED if RED is in PPP
mode

6 months agozoneconf: Fix bug in NIC assignment; Change visibility of unused zones
Florian Bührle [Sat, 11 May 2019 11:28:12 +0000 (13:28 +0200)] 
zoneconf: Fix bug in NIC assignment; Change visibility of unused zones

Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.

Unused zones are now invisible instead of grey.

6 months agorouting: Fix potential authenticated XSS in input processing
Michael Tremer [Thu, 9 May 2019 13:51:40 +0000 (14:51 +0100)] 
routing: Fix potential authenticated XSS in input processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box  or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box  or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.

An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agozoneconf: Remove red warning
Michael Tremer [Thu, 9 May 2019 15:16:35 +0000 (17:16 +0200)] 
zoneconf: Remove red warning

This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agozoneconf: Fix spelling
Michael Tremer [Thu, 9 May 2019 15:13:52 +0000 (17:13 +0200)] 
zoneconf: Fix spelling

This patch mainly changes "Macvtap" to the branded spelling and removes
short forms as well as hyphenation in German compound nouns.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agozoneconf: Move "None" option to the top
Michael Tremer [Thu, 9 May 2019 15:11:24 +0000 (17:11 +0200)] 
zoneconf: Move "None" option to the top

This is a more natural order of the options to me

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoweb-user-interface: Ship new zoneconf.cgi file
Michael Tremer [Thu, 9 May 2019 14:43:04 +0000 (15:43 +0100)] 
web-user-interface: Ship new zoneconf.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated captive.cgi
Michael Tremer [Thu, 9 May 2019 12:17:16 +0000 (13:17 +0100)] 
core132: Ship updated captive.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocaptive: Fix potential authenticated XSS in title processing
Michael Tremer [Tue, 7 May 2019 20:36:21 +0000 (21:36 +0100)] 
captive: Fix potential authenticated XSS in title processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps attacker to redirect the victim to a attacker's page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Captive Portal page.

An attacker get access to the victim's session by performing the
CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship VLAN GUI
Michael Tremer [Wed, 8 May 2019 11:14:46 +0000 (12:14 +0100)] 
core132: Ship VLAN GUI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agowebif: Add a GUI for configuring VLAN interfaces
Florian Bührle [Wed, 8 May 2019 10:56:18 +0000 (11:56 +0100)] 
webif: Add a GUI for configuring VLAN interfaces

This patch adds a new CGI file which allows users to edit the
VLAN configuration as well as configuring zones as bridges.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoudev: Accept MAC addresses for PARENT_DEV
Florian Bührle [Wed, 8 May 2019 10:43:11 +0000 (11:43 +0100)] 
udev: Accept MAC addresses for PARENT_DEV

This allows us to create VLAN interfaces even when the
name of the parent interface might vary.

This patch also appends the VLAN tag to interfaces
when the zone is in bridge mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoguardian: Remove snort related options.
Stefan Schantl [Tue, 7 May 2019 17:17:16 +0000 (19:17 +0200)] 
guardian: Remove snort related options.

IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agosquid: Link against libatomic on ARM
Michael Tremer [Tue, 7 May 2019 21:54:11 +0000 (22:54 +0100)] 
squid: Link against libatomic on ARM

This package failed to build on ARM because atomic functions
are being emulated on ARM32 and the required library was not
linked.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoxfsprogs: Disable LTO on armv5tel
Michael Tremer [Tue, 7 May 2019 20:19:53 +0000 (21:19 +0100)] 
xfsprogs: Disable LTO on armv5tel

LTO fails on ARM, but since we do not require it, we can
disable it here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated pakfire files
Michael Tremer [Tue, 7 May 2019 22:53:43 +0000 (23:53 +0100)] 
core132: Ship updated pakfire files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agozabbix_agentd: Add UserParameter for Pakfire Status
Alexander Koch [Sat, 27 Apr 2019 19:26:46 +0000 (21:26 +0200)] 
zabbix_agentd: Add UserParameter for Pakfire Status

Ship the UserParameter for monitoring the status of pakfire for keeping track of available updates etc.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoPakfire: Add new command line argument "status"
Alexander Koch [Sat, 27 Apr 2019 19:26:45 +0000 (21:26 +0200)] 
Pakfire: Add new command line argument "status"

This enables Pakfire to return a Status-Summary for the Current Core-Update-Level, time since last updates, the availability of a core-/packet-update and if a reboot is required to complete an update. This can be used by monitoring agents (e.g. zabbix_agentd) to monitor the update status of the IPFire device.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agozabbix_agentd: update to 4.2.1
Alexander Koch [Sat, 27 Apr 2019 19:26:44 +0000 (21:26 +0200)] 
zabbix_agentd: update to 4.2.1

Release notes: https://www.zabbix.com/rn/rn4.2.1

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated libedit
Michael Tremer [Tue, 7 May 2019 22:50:26 +0000 (23:50 +0100)] 
core132: Ship updated libedit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agolibedit: Update to 20190324-3.1
Matthias Fischer [Wed, 1 May 2019 17:32:15 +0000 (19:32 +0200)] 
libedit: Update to 20190324-3.1

For details see:
https://thrysoee.dk/editline/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated knot
Michael Tremer [Tue, 7 May 2019 22:49:47 +0000 (23:49 +0100)] 
core132: Ship updated knot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoknot: Update to 2.8.1
Matthias Fischer [Wed, 1 May 2019 17:28:16 +0000 (19:28 +0200)] 
knot: Update to 2.8.1

For details see:
https://www.knot-dns.cz/2019-04-09-version-281.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated bind
Michael Tremer [Tue, 7 May 2019 22:48:41 +0000 (23:48 +0100)] 
core132: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agobind: Update to 9.11.6-P1
Matthias Fischer [Sat, 27 Apr 2019 00:19:34 +0000 (02:19 +0200)] 
bind: Update to 9.11.6-P1

For details see:
http://ftp.isc.org/isc/bind9/9.11.6-P1/RELEASE-NOTES-bind-9.11.6-P1.html

"Security Fixes

 The TCP client quota set using the tcp-clients option could be exceeded in some cases.
 This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743.
 [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated dhcpcd
Michael Tremer [Tue, 7 May 2019 22:46:36 +0000 (23:46 +0100)] 
core132: Ship updated dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agodhcpcd: Update to 7.2.2
Matthias Fischer [Sat, 4 May 2019 19:59:15 +0000 (21:59 +0200)] 
dhcpcd: Update to 7.2.2

For details see:
https://roy.marples.name/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agofirewall: Allow SNAT rules with RED interface
Michael Tremer [Tue, 7 May 2019 22:44:44 +0000 (23:44 +0100)] 
firewall: Allow SNAT rules with RED interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: Update to 4.1.4
Stefan Schantl [Wed, 1 May 2019 18:19:01 +0000 (20:19 +0200)] 
suricata: Update to 4.1.4

This is a minor update to the latest available version from
the suricata 4.1 series.

Fixes #12068.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Wed, 1 May 2019 16:04:36 +0000 (18:04 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

6 months agosuricata: Remove PID file on stop
Stefan Schantl [Wed, 1 May 2019 15:03:06 +0000 (17:03 +0200)] 
suricata: Remove PID file on stop

Force the initscript to remove the PID file when calling "stop" section.

If suricata crashes during startup, the PID file still remains and the service
cannot be started anymore until the file has been deleted.

Now when calling "stop" or "restart" the PID file will be deleted and the service
can be used again.

Fixes #12067.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agoupdate-ids-ruleset: Set correct ownership for the rulestarball.
Stefan Schantl [Wed, 1 May 2019 14:49:25 +0000 (16:49 +0200)] 
update-ids-ruleset: Set correct ownership for the rulestarball.

The script usualy will be executed by cron which will start it with
root permissions, so the downloaded tarball is owned by this user.

This has to be changed to the user which runs the WUI (nobody:nobody) to
allow, changing the ruleset to an other one and to display the ruleset area.

Fixes #12066

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agocore132: Ship updated firewall rules generator
Michael Tremer [Tue, 30 Apr 2019 09:58:31 +0000 (10:58 +0100)] 
core132: Ship updated firewall rules generator

This patch also requires a reboot after installing this update
so that the changed ruleset is being applied.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agofirewall: Fix source/destination interface settings
Michael Tremer [Tue, 30 Apr 2019 09:56:05 +0000 (10:56 +0100)] 
firewall: Fix source/destination interface settings

When a forwarding rule is being created, we sometimes create
INPUT/OUTPUT rules, too. Those were slightly invalid because
the source and destination interfaces where passed, too.

This could render some rules in certain circumstances useless.

This patch fixes this and only adds -i for INPUT and -o for
OUTPUT rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agofirewall: Add more rules to input/output when adding rules to forward
Michael Tremer [Tue, 30 Apr 2019 09:45:34 +0000 (10:45 +0100)] 
firewall: Add more rules to input/output when adding rules to forward

The special_input/output_targets array assumed that firewall access
will always be denied. However, rules also need to be created when
access is granted. Therefore the ACCEPT target needs to be included
in this list and rules must be created in INPUTFW/OUTGOINGFW too
when ACCEPT rules are created in FORWARDFW.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agogrub: Update rootfile on i586
Michael Tremer [Tue, 30 Apr 2019 09:45:02 +0000 (10:45 +0100)] 
grub: Update rootfile on i586

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agogrub: Fix rootfile
Michael Tremer [Sun, 28 Apr 2019 08:41:50 +0000 (09:41 +0100)] 
grub: Fix rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agogrub: Fix relocation type issue
Michael Tremer [Sat, 27 Apr 2019 02:58:44 +0000 (03:58 +0100)] 
grub: Fix relocation type issue

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoipfire-netboot: Fix compiling and linking with new GCC & binutils
Michael Tremer [Sat, 27 Apr 2019 00:40:43 +0000 (01:40 +0100)] 
ipfire-netboot: Fix compiling and linking with new GCC & binutils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosarg: Fix build with newer GCCs
Michael Tremer [Fri, 26 Apr 2019 23:21:39 +0000 (00:21 +0100)] 
sarg: Fix build with newer GCCs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoMerge branch 'master' into next
Arne Fitzenreiter [Fri, 26 Apr 2019 17:39:55 +0000 (19:39 +0200)] 
Merge branch 'master' into next

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agogrub: Fix build error with GCC 8
Michael Tremer [Fri, 26 Apr 2019 15:11:17 +0000 (16:11 +0100)] 
grub: Fix build error with GCC 8

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agogrub: Disable efiemu on PC builds
Michael Tremer [Fri, 26 Apr 2019 15:10:25 +0000 (16:10 +0100)] 
grub: Disable efiemu on PC builds

This won't compile with GCC 8 and we do not need it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agonasm: Update to 2.14.02
Michael Tremer [Fri, 26 Apr 2019 15:05:20 +0000 (16:05 +0100)] 
nasm: Update to 2.14.02

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoltrace: Bump package version
Michael Tremer [Fri, 26 Apr 2019 15:06:10 +0000 (16:06 +0100)] 
ltrace: Bump package version

This package needs to be rebuilt because it uses elfutils
which has had an soname bump.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoelfutils: Update to 0.176
Michael Tremer [Fri, 26 Apr 2019 15:04:48 +0000 (16:04 +0100)] 
elfutils: Update to 0.176

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoOpenVPN: Fixed certificate generation in French
Erik Kapfer [Fri, 26 Apr 2019 15:08:35 +0000 (17:08 +0200)] 
OpenVPN: Fixed certificate generation in French

Fixes #12060

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoinitscripts/suricata: Rework creation of firewall rules.
Stefan Schantl [Thu, 25 Apr 2019 17:31:48 +0000 (19:31 +0200)] 
initscripts/suricata: Rework creation of firewall rules.

The script now will use the previously introduced seperate firewall chains called
IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.

The commit also creates an AND connection between the choosen network zones in the UI and
the final firwall rules.

Fixes #12062.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agoinitscripts/suricata: Move functions order and always use flush_fw_chain function
Stefan Schantl [Thu, 25 Apr 2019 17:31:47 +0000 (19:31 +0200)] 
initscripts/suricata: Move functions order and always use flush_fw_chain function

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agofirewall: Use seperate firewall chains for passing traffic to the IPS
Stefan Schantl [Thu, 25 Apr 2019 17:31:46 +0000 (19:31 +0200)] 
firewall: Use seperate firewall chains for passing traffic to the IPS

Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible which kind of traffic should be passed to suricata.

Reference #12062

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agohostapd: bump package version
Arne Fitzenreiter [Fri, 26 Apr 2019 05:43:21 +0000 (07:43 +0200)] 
hostapd: bump package version

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agohostap: Fix wiring of checkboxes for client isolation
Michael Tremer [Wed, 24 Apr 2019 10:24:33 +0000 (11:24 +0100)] 
hostap: Fix wiring of checkboxes for client isolation

The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohostap: Translate configuration settings
Michael Tremer [Wed, 24 Apr 2019 10:31:28 +0000 (11:31 +0100)] 
hostap: Translate configuration settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohostap: Fix wiring of checkboxes for client isolation
Michael Tremer [Wed, 24 Apr 2019 10:24:33 +0000 (11:24 +0100)] 
hostap: Fix wiring of checkboxes for client isolation

The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohostap: Remove deprecated directive
Michael Tremer [Wed, 24 Apr 2019 10:08:36 +0000 (11:08 +0100)] 
hostap: Remove deprecated directive

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohostap: Enable 80MHz bandwidth by default (when using ACS)
Michael Tremer [Wed, 24 Apr 2019 09:43:50 +0000 (10:43 +0100)] 
hostap: Enable 80MHz bandwidth by default (when using ACS)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohostap: Enable option to force clients to use 802.11w
Michael Tremer [Wed, 24 Apr 2019 09:39:25 +0000 (10:39 +0100)] 
hostap: Enable option to force clients to use 802.11w

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agohostap: Allow to use Automatic Channel Selection (ACS)
Michael Tremer [Wed, 24 Apr 2019 09:12:29 +0000 (10:12 +0100)] 
hostap: Allow to use Automatic Channel Selection (ACS)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoconvert-snort: Fix ownership of the generated homenet file.
Stefan Schantl [Tue, 23 Apr 2019 18:33:02 +0000 (20:33 +0200)] 
convert-snort: Fix ownership of the generated homenet file.

Fixes #12059.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: Use device ppp0 if PPPoE dialin is used.
Stefan Schantl [Tue, 23 Apr 2019 19:27:53 +0000 (21:27 +0200)] 
suricata: Use device ppp0 if PPPoE dialin is used.

Fixes #12058.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: EXTERNAL_NET should equal any
Michael Tremer [Tue, 23 Apr 2019 19:45:42 +0000 (20:45 +0100)] 
suricata: EXTERNAL_NET should equal any

This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: Do not always convert rules to be bi-directional
Michael Tremer [Sun, 21 Apr 2019 00:32:07 +0000 (01:32 +0100)] 
suricata: Do not always convert rules to be bi-directional

This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated suricata initscript
Michael Tremer [Tue, 23 Apr 2019 19:56:07 +0000 (20:56 +0100)] 
core132: Ship updated suricata initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated convert-snort script
Michael Tremer [Tue, 23 Apr 2019 19:55:22 +0000 (20:55 +0100)] 
core132: Ship updated convert-snort script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoconvert-snort: Fix ownership of the generated homenet file.
Stefan Schantl [Tue, 23 Apr 2019 18:33:02 +0000 (20:33 +0200)] 
convert-snort: Fix ownership of the generated homenet file.

Fixes #12059.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Bugfix for typo in filelist
Alexander Koch [Tue, 23 Apr 2019 18:46:11 +0000 (20:46 +0200)] 
core132: Bugfix for typo in filelist

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: Use device ppp0 if PPPoE dialin is used.
Stefan Schantl [Tue, 23 Apr 2019 19:27:53 +0000 (21:27 +0200)] 
suricata: Use device ppp0 if PPPoE dialin is used.

Fixes #12058.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: EXTERNAL_NET should equal any
Michael Tremer [Tue, 23 Apr 2019 19:45:42 +0000 (20:45 +0100)] 
suricata: EXTERNAL_NET should equal any

This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship updated list of mime types
Michael Tremer [Tue, 23 Apr 2019 19:20:14 +0000 (20:20 +0100)] 
core132: Ship updated list of mime types

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoapache / WPAD: Add correct MIME type for wpad.dat and proxy.pac
Alexander Koch [Wed, 17 Apr 2019 23:54:18 +0000 (01:54 +0200)] 
apache / WPAD: Add correct MIME type for wpad.dat and proxy.pac

Some clients require the correct MIME type to be set for accepting/handling the Proxy-Settings properly.

See: http://findproxyforurl.com/deploying-wpad/

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosuricata: Do not always convert rules to be bi-directional
Michael Tremer [Sun, 21 Apr 2019 00:32:07 +0000 (01:32 +0100)] 
suricata: Do not always convert rules to be bi-directional

This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore131: add services.cgi to update
Arne Fitzenreiter [Tue, 23 Apr 2019 17:21:30 +0000 (19:21 +0200)] 
core131: add services.cgi to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agofinish core131
Arne Fitzenreiter [Sat, 20 Apr 2019 16:12:21 +0000 (18:12 +0200)] 
finish core131

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sat, 20 Apr 2019 15:35:54 +0000 (17:35 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

6 months agokernel: update 4.14.113
Arne Fitzenreiter [Sat, 20 Apr 2019 15:21:03 +0000 (17:21 +0200)] 
kernel: update 4.14.113

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 months agoUpdate contributors
Michael Tremer [Sat, 20 Apr 2019 13:21:46 +0000 (14:21 +0100)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship WPAD/proxy changes
Michael Tremer [Sat, 20 Apr 2019 13:20:06 +0000 (14:20 +0100)] 
core132: Ship WPAD/proxy changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoUpdate translation
Michael Tremer [Sat, 20 Apr 2019 13:18:17 +0000 (14:18 +0100)] 
Update translation

Fix some apostrophe and spelling errors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosquid / WPAD: Add Wiki-Link for required further adjustments to GUI
Alexander Koch [Sun, 21 Apr 2019 21:56:59 +0000 (23:56 +0200)] 
squid / WPAD: Add Wiki-Link for required further adjustments to GUI

This patch adds a notice with a link to the Wiki-page https://wiki.ipfire.org/configuration/network/proxy/extend/wpad to the new WebGUI-Setion to make the user aware of the fact, that WPAD will only work correctly if he makes further adjustments:

- Add DHCP-Options for WPAD via DHCP
- Add HOST-Entries to DNS and Apache-vhost or haproxy-frontend/backend or firewall-redirect for WPAD via DNS

These additional options depend on the users environment and can not be shipped by default as they might break the users setups.

Note: The translations are only done for "en" and "de" yet!

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosquid / WPAD: Add GUI for exception-files for generation of proxy.pac
Alexander Koch [Sun, 21 Apr 2019 21:56:58 +0000 (23:56 +0200)] 
squid / WPAD: Add GUI for exception-files for generation of proxy.pac

This patch adds the missing Web-GUI for the WPAD-Exceptions to proxy.cgi

Note: The translations are only done for "en" and "de" yet!

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agosquid / WPAD: Add exception-files for generation of proxy.pac
Alexander Koch [Sun, 14 Apr 2019 10:08:43 +0000 (12:08 +0200)] 
squid / WPAD: Add exception-files for generation of proxy.pac

This patch extends the script /srv/web/ipfire/cgi-bin/proxy.cgi by additional code for reading exceptions for URL's and IP's/Subnets from two new files:

- /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl
- /var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl

as described in: https://wiki.ipfire.org/configuration/network/proxy/extend/add_distri

These can be used to define additional URL's, IP's and Subnets that should be retrieved "DIRECT" and not via the proxy. The files have to be created by the user, as the WPAD-Feature is not enabled by default anyway. If the files are not present or their size is 0, nothing is done. I'll revise the wiki-page, after the patch is merged and the core update is released.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoEnable seccomp support for qemu
Jonatan Schlag [Sat, 13 Apr 2019 14:55:16 +0000 (15:55 +0100)] 
Enable seccomp support for qemu

Fixes: #11941

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agoAdd new package libseccomp
Jonatan Schlag [Sat, 13 Apr 2019 14:55:15 +0000 (15:55 +0100)] 
Add new package libseccomp

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 months agocore132: Ship changed suricata configuration
Michael Tremer [Sat, 20 Apr 2019 13:10:12 +0000 (14:10 +0100)] 
core132: Ship changed suricata configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>