Michael Tremer [Mon, 14 Oct 2019 16:46:22 +0000 (16:46 +0000)]
QoS: Use CLASSIFY iptables target instead of MARK
We have been running into loads of conflicts by using MARK for
various components on the OS (suricata, IPsec, QoS, ...) which
was sometimes hard to resolve.
iptables comes with a target which directly sorts packets into
the correct class which results in less code and not using the
mark.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 14 Oct 2019 16:46:12 +0000 (16:46 +0000)]
QoS: Use Intermediate Functional Block
This is an alternative implementation to the Intermediate Queuing
Device (IMQ) which is an out-of-tree kernel patch and has been
criticised for being slow, especially with mutliple processors.
IFB is part of the mainline kernel and a lot less code.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11851 Reported-by: Dani W <assgex@gmail.com> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11237 Reported-by: Tom Rymes <tomvend@rymes.com> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 11 Oct 2019 18:44:00 +0000 (20:44 +0200)]
ruleset-sources: Update snort dl urls.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Tim FitzGeorge [Fri, 11 Oct 2019 18:42:05 +0000 (19:42 +0100)]
Restart logging after restoring backup
Send SIGHUP to syslogd and suricata after restoring backup. This ensures that
if the restored backup includes log files that any new log messages get
appended to the restored log files. Otherwise they will be written to the
old log files which are pending deletion.
httpd is told to restart using apachectl, which is the equivalent of sending
a signal. 'graceful' (USR1) is used rather than 'restart' (HUP) because the
latter immediately kills the process restoring the backup, preventing
converters from running.
Fixes: 12196 Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 12 Oct 2019 23:05:57 +0000 (01:05 +0200)]
dhcpcd: Update to 8.1.0
For details see:
https://roy.marples.name/blog/dhcpcd-8-1-0-released
"DragonFlyBSD: Improved rc.d handling
Fix carrier status after a route socket overflow
Allow domain spaced options
DHCP: Allow not sending Force Renew Nonce or Reconf Accept
IPv4LL: Now passes Apple Bonjour test versions 1.4 and 1.5
ARP: Fix a typo and remove pragma (thus working with old gcc)
DHCP6: Fix a cosmetic issue with infinite leases
DHCP6: SLA 0 and Prefix Len 0 will now add a delegated /64 address
Ignore some virtual interfaces such as Tap and Bridge by default
BPF: Move validation logic out of BPF and back into dhcpcd"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sun, 6 Oct 2019 07:23:19 +0000 (09:23 +0200)]
ncat: Update to version 7.80
Several improvements has been added. This update is part of the nmap-7.80 update.
For the complete changelog take a look in here --> https://seclists.org/nmap-announce/2019/0 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sun, 6 Oct 2019 07:16:57 +0000 (09:16 +0200)]
nmap: Update to version 7.80
Several improvements, NSE scripts and libraries has been added.
The complete changelog can be found in here --> https://seclists.org/nmap-announce/2019/0 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 4 Oct 2019 17:26:26 +0000 (19:26 +0200)]
tshark: Update to version 3.0.5
The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support.
The complete release notes can be found in here --> https://www.wireshark.org/docs/relnotes/ .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
firewall: always allow outgoing DNS traffic to root servers
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.
Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.
There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.
The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.
Fixes #12183
Cc: Michael Tremer <michael.tremer@ipfire.org> Suggested-by: Horace Michael <horace.michael@gmx.com> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Please refer to https://blog.torproject.org/new-release-tor-0416 for
release notes. This patch has to be applied after applying 9fb607ef6
(https://patchwork.ipfire.org/patch/2407/), which was not merged at
the time of writing.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
firewall: raise log rate limit for user generated rules, too
Having raised the overall log rate limit to 10 packet per second
in Core Update 136, this did not affected rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.
In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 25 Sep 2019 10:05:52 +0000 (12:05 +0200)]
Net-SSLeay: Update to version 1.88
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.11/RELEASE-NOTES-bind-9.11.11.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
...
Bug Fixes
Glue address records were not being returned in responses to root priming
queries; this has been corrected. [GL #1092]
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero.
[GL #1159]
named-checkconf could crash during configuration if configured to use "geoip
continent" ACLs with legacy GeoIP. [GL #1163]
named-checkconf now correctly reports missing dnstap-output option when dnstap
is set. [GL #1136]
Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 05:03:34 +0000 (07:03 +0200)]
ovpn: Add ta.key check to main settings
Since Core 132 the 'TLS Channel Protection' is part of the global settings,
the ta.key generation check should also be in the main section otherwise it
won´t be created if not present.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 05:03:33 +0000 (07:03 +0200)]
ovpn: Generate ta.key before dh-parameter
Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a
"Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished.
Since the ta.key are created after the DH-parameter, it won´t be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>