]>
git.ipfire.org Git - ipfire-2.x.git/log
Matthias Fischer [Fri, 11 Jan 2019 00:32:37 +0000 (01:32 +0100)]
xtables-addons: Fix typo in lfs
Just some typos...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 10 Jan 2019 22:48:25 +0000 (22:48 +0000)]
Bump kernel version to ship a new PAE kernel
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 10 Jan 2019 22:46:31 +0000 (22:46 +0000)]
core127: Ship updated kernel modules for xtables
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 10 Jan 2019 22:43:45 +0000 (22:43 +0000)]
core127: Ship updated firewall functions library
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 19:40:04 +0000 (20:40 +0100)]
firewall-lib.pl: Use get_geoip_locations from geoip-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 19:40:03 +0000 (20:40 +0100)]
geoip-locations.pl: Add get_geoip_locations().
This function is used to get all available GeoIP locations.
The functions returns them as array, sorted in alphabetical order.
Reference #11959
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 10 Jan 2019 14:30:49 +0000 (15:30 +0100)]
clamav: Update to 0.101.1
For details see:
https://blog.clamav.net/2019/01/clamav-01011-patch-has-been-released.html
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 7 Jan 2019 01:32:46 +0000 (01:32 +0000)]
core127: Ship updated tar
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 10 Jan 2019 13:29:22 +0000 (14:29 +0100)]
tar: Update to 1.31, including fix for bug #11958
For details see:
http://savannah.gnu.org/forum/forum.php?forum_id=9344
"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"
This patch was reverted because 'tar 1.31' crashed when installing PakFire packages
with the option '--no-overwrite-dir'.
See: https://bugzilla.ipfire.org/show_bug.cgi?id=11958
Included is now a patch from https://savannah.gnu.org/bugs/?55413, which seems to fix this issue.
The test cases given in https://savannah.gnu.org/bugs/?55413#comment1 ran without problems.
As always, please check and confirm.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 7 Jan 2019 01:28:38 +0000 (01:28 +0000)]
core127: Ship updated GeoIP functions
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:17 +0000 (13:00 +0100)]
geoip-functions.pl: Re-write code to lookup the iso country code of a given IP-address.
Drop the usage of the old legacy GeoIP perl module which was not able to handle the
new GeoLite2 databases.
Write some code to directly access the databases and extract the required data.
Usage of the GeoIP2 perl module would provide a lot of more functionality which is not
used/needed. Unfortunately ir requires at lot of additional perl modules which are
not available on IPFire and would only be build and shipped for this module. Buildig all
of them will slow down the entire build process, mess up the system and requires a lot
more space on disk.
Fixes #11962.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:16 +0000 (13:00 +0100)]
GeoIP: Drop legacy GeoIP perl module.
The legacy GeoIP perl module cannot handle the new GeoLite2 databases
provided from maxmind and therefore needs to be dropped.
Reference #11960
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:15 +0000 (13:00 +0100)]
xt_geoip_update: Adjust script to download and use the GeoLite2 database
Fixes #11961.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:14 +0000 (13:00 +0100)]
xtables-addons: Use shipped xt_geoip_build
Use the shipped xt_geoip_build directly instead of holding a copy in our GIT.
Reference #11959
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:13 +0000 (13:00 +0100)]
xtables-addons: Update to 3.2
Reference #11959
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 7 Jan 2019 00:34:30 +0000 (00:34 +0000)]
perl-Net-CIDR-Lite: Make rootfile work on other arches
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 7 Jan 2019 00:31:46 +0000 (00:31 +0000)]
perl-Net-CIDR-Lite: Fix whitespace
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:12 +0000 (13:00 +0100)]
perl-Net-CIDR-Lite: New package.
This is a runtime dependency of the xt_geoip_build perl script
shipped by xtables-addons in version 3.2.
Reference #11960.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 6 Jan 2019 21:33:43 +0000 (21:33 +0000)]
IPVS: Enable connection tracking by default
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 6 Jan 2019 13:11:30 +0000 (14:11 +0100)]
ids-functions.pl: Downloader should reads settings from correct file
In commit
ea5c8eeb83a65791960d6cb5de6c7dc78db02fda the taken settings
for the ruleset have been stored into an own file.
The Downloader now uses this file to read-in which ruleset should be used
and downloaded.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Sun, 6 Jan 2019 09:00:47 +0000 (09:00 +0000)]
Backup conntrackd's configuration file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 6 Jan 2019 08:59:25 +0000 (08:59 +0000)]
Add initscript for conntrackd
The daemon will be started by default when a configuration
file exists.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 6 Jan 2019 07:03:08 +0000 (07:03 +0000)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 8 Jan 2019 13:14:41 +0000 (14:14 +0100)]
Fix typo in 'html/cgi-bin/logs.cgi/log.dat'
Translation string uses capital letter: 'Captive' => 'Captive Portal',
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 15:14:01 +0000 (16:14 +0100)]
core127: Ship updated proxy.cgi and regenerate configuration
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 15:09:46 +0000 (16:09 +0100)]
proxy: Allow selecting throttled bandwidth in MBit/s
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 15:02:05 +0000 (16:02 +0100)]
proxy: Suggest modern defaults for cache memory and disk
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 15:00:05 +0000 (16:00 +0100)]
proxy: Drop support for throttling only certain mime types
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:54:56 +0000 (15:54 +0100)]
proxy: Drop web browser check
This is neither reliable nor up to date and is therefore removed
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:49:18 +0000 (15:49 +0100)]
proxy: Set authentication TTL for NTLM authentication also
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:48:32 +0000 (15:48 +0100)]
proxy: Use correct authentication cache TTL for AD
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:46:20 +0000 (15:46 +0100)]
proxy: Use entered setting for auth children for AD
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:44:19 +0000 (15:44 +0100)]
proxy: Use correct realm for AD authentication
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:37:00 +0000 (15:37 +0100)]
proxy: Remove AUTH_IPCACHE_TTL
This is potentially dangerous to set larger than zero.
Authentication is perfomed on basis of IP addresses which is
not a good idea at all.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 14:27:54 +0000 (15:27 +0100)]
proxy: Drop NTLM authentication
This is the authentication againt NT 4.0 style domain controllers.
squid has dropped support for this in the 4.5 release and nobody
should be using these old domain controllers any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jan 2019 02:33:37 +0000 (03:33 +0100)]
squid: Run as many redirectors as we have CPU cores
This makes sure that we use the optimal ratio of memory and
CPU usage.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Tested-by: Matthias Fischer <matthias.fischer@ipfire.org>
Daniel Weismüller [Tue, 30 Oct 2018 11:06:59 +0000 (12:06 +0100)]
BUG 11786 - squid: Remove setting for filter processes the number of Squid processes
I added a function to determine the number of cores.
Now the number of squid processes will be equal to the number of logical cores.
Further I removed the possibility of changing the number
of squid processes in the proxy.cgi
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: root <root@ipfire.test>
Michael Tremer [Sat, 5 Jan 2019 21:12:24 +0000 (21:12 +0000)]
Revert "core127: Ship updated tar"
This reverts commit
9ab1c9302c01f11010d0cb87a66366361465461e .
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 5 Jan 2019 21:11:44 +0000 (21:11 +0000)]
Revert "tar: Update to 1.31"
This reverts commit
bb473fd1d6e97785dee70ceb75f9b898f92fc507 .
tar crashes when used with --no-overwrite-dir. See #11958.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 5 Jan 2019 21:11:14 +0000 (21:11 +0000)]
core127: Ship updated snort
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 5 Jan 2019 09:40:08 +0000 (10:40 +0100)]
snort: Update to 2.9.12
For details see:
Release notes:
https://snort.org/downloads/snort/release_notes_2.9.12.txt
Changelog:
https://snort.org/downloads/snort/changelog_2.9.12.txt
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sun, 6 Jan 2019 15:29:57 +0000 (16:29 +0100)]
core127: ship framebuffer.conf blacklist
the file is generated at kernel build and in core126
the module commpression was changed to xz so the list was empty.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 6 Jan 2019 14:53:27 +0000 (15:53 +0100)]
core127: remove double files from armv5tel filelist
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 6 Jan 2019 14:51:53 +0000 (15:51 +0100)]
python: update to 2.7.15
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 5 Jan 2019 12:47:31 +0000 (13:47 +0100)]
transmission: update to 2.94
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 4 Jan 2019 02:43:06 +0000 (02:43 +0000)]
core127: Ship updated tar
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 4 Jan 2019 17:54:49 +0000 (18:54 +0100)]
tar: Update to 1.31
For details see:
http://savannah.gnu.org/forum/forum.php?forum_id=9344
"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 3 Jan 2019 16:28:00 +0000 (16:28 +0000)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 3 Jan 2019 16:57:32 +0000 (17:57 +0100)]
fix SSH port description in WebUI again
Fixes #11881.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 3 Jan 2019 15:12:39 +0000 (15:12 +0000)]
libvirt: The package no longer depends on jansson
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stéphane Pautrel [Thu, 3 Jan 2019 15:02:53 +0000 (15:02 +0000)]
Update of French translation
This improves the translation and enhances consistency in
many places.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 3 Jan 2019 14:58:47 +0000 (14:58 +0000)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 26 Dec 2018 13:37:25 +0000 (14:37 +0100)]
dnsforward.cgi: fix for language string
Hi,
In https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=
1a26564e95b5694337e51860544e7775d35055f3
the language string 'dnsforward forward_server' => 'DNS-Server', was deleted and replaced
by 'dnsforward forward_servers' => 'DNS-Server',
IMHO this leads to an empty string in 'dnsforward.cgi', line 223:
...
<td width='20%' class='base'>$Lang::tr{'dnsforward forward_server'}: <img src='/blob.gif' alt='*' /></td>
...
I changed this line...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 27 Dec 2018 00:57:18 +0000 (01:57 +0100)]
attr 2.4.47: Update for rootfile
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 3 Jan 2019 14:53:34 +0000 (14:53 +0000)]
core127: Ship updated VPN CGI files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 3 Jan 2019 02:57:16 +0000 (03:57 +0100)]
database_attribute: Deliver/create index.txt.attr
Fixes #11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 2 Jan 2019 15:43:42 +0000 (16:43 +0100)]
mc: Update to 4.8.22
For details see:
http://midnight-commander.org/wiki/NEWS-4.8.22
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 2 Jan 2019 16:24:39 +0000 (16:24 +0000)]
libvirt: Bump package version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 1 Jan 2019 17:39:03 +0000 (18:39 +0100)]
squid: Update to 4.5
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 31 Dec 2018 00:36:23 +0000 (00:36 +0000)]
core127: Ship updated wget
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 27 Dec 2018 17:16:35 +0000 (18:16 +0100)]
wget: Update to 1.20.1
This is a bugfix release:
"due to some privacy issues in default settings of Wget, we introduce
this bugfix release.
The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokes etc that were included in the requested URL.
We changed three details as a countermeasure, see below in the NEWS section.
With Best Regards, Tim
...
NEWS
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port,
user/pw/path/query/fragment
are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent
privacy issues."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Wed, 2 Jan 2019 14:33:16 +0000 (15:33 +0100)]
kernel: fix generation of framebuffer blacklist
modules are now xz compressed.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 28 Dec 2018 15:05:38 +0000 (16:05 +0100)]
mpd: add soxr dependency
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 28 Dec 2018 06:36:59 +0000 (07:36 +0100)]
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
Stefan Schantl [Fri, 28 Dec 2018 06:36:19 +0000 (07:36 +0100)]
Ship update-ids-ruleset script also on x86_64 and aarch64
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 26 Dec 2018 15:33:54 +0000 (16:33 +0100)]
ids-functions.pl: Downloader now also uses upstream proxy for HTTPS
Fixes #11953
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 26 Dec 2018 15:05:46 +0000 (16:05 +0100)]
ids-functions.pl: Add function to get the version of suricata
The get_suricata_version() function is used to get the version
of the on the system installed version of suricata. You can
specify the how detailed the returned result should be "major" will
return only the major version, were "minor" will provide the major
and minor version (1.2 for example). All other calls will be answered
with the full version string (1.2.3).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 25 Dec 2018 19:19:12 +0000 (20:19 +0100)]
ids-functions.pl: Fix typo
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 25 Dec 2018 17:40:34 +0000 (18:40 +0100)]
ids-functions.pl: Introduce function write_modify_sids_file()
This function is used to write the corresponding file which
tells oinkmaster to alter the whole ruleset and finally
switches suricata into an IPS or IDS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 25 Dec 2018 17:26:21 +0000 (18:26 +0100)]
ids.cgi: Move variable declaration to ids-functions.pl
Also move some functions from the cgi file to the library file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 24 Dec 2018 12:19:06 +0000 (13:19 +0100)]
ids.cgi: Hack to use the correct language string for red network zone.
This hack is needed because "red" is used as "internet" in the language files
and "red1" contains the correct "red" translations.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 24 Dec 2018 12:18:14 +0000 (13:18 +0100)]
ids.cgi: Colourize network zones
Colourize the network with the proper colour.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 24 Dec 2018 09:03:18 +0000 (10:03 +0100)]
ids.cgi: Change RUN_MODE to MONITOR_TRAFFIC_ONLY
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sun, 23 Dec 2018 20:06:14 +0000 (21:06 +0100)]
ids.cgi: Seperate IPS and ruleset settings
Now each of both have their own corresponding configuration areas.
The taken settings will be saved in "/var/ipfire/suricata/settings" for
all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for
ruleset related settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sun, 23 Dec 2018 20:05:37 +0000 (21:05 +0100)]
langs/en.pl: Fix typo
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Arne Fitzenreiter [Sun, 23 Dec 2018 10:12:15 +0000 (11:12 +0100)]
u-boot: fix x86 builds
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Thu, 20 Dec 2018 12:18:48 +0000 (13:18 +0100)]
ids.cgi: Prevent from starting suricata without ruleset or selected network zone
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 20 Dec 2018 10:55:13 +0000 (11:55 +0100)]
ids.cgi: Access ruleset by its own name
This improves accessing the single rules of a rule category.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 23:38:48 +0000 (23:38 +0000)]
keepalived: Fix incorrect path in initscript
This path to keepalived was just incorrect and therefore
the daemon could not easily be reloaded.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Thu, 20 Dec 2018 07:04:22 +0000 (08:04 +0100)]
u-boot: fix typo in boot.scr
fix serial console output on RPi3 B+ at aarch64
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 20:01:20 +0000 (21:01 +0100)]
core127: Ship DNS forwarding settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 20:00:21 +0000 (21:00 +0100)]
unbound: Use correct parameter for IP addresses and hostnames
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 19:47:41 +0000 (20:47 +0100)]
DNS Forwarding: Let UI accept hostnames, too
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 19:42:46 +0000 (20:42 +0100)]
DNS Forwarding: Allow passing multiple name servers (separated by comma)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 19:23:59 +0000 (20:23 +0100)]
unbound: Allow forwarding to multiple servers at the same time
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 18:55:23 +0000 (18:55 +0000)]
ipvsadm: Update to 1.29
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 15:42:23 +0000 (15:42 +0000)]
pcre: Enable JIT
This is now possible because we no longer run grsecurity-enabled
kernels. The performance of PCRE increases dramatically and applications
like the IDS benefit hugely:
https://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Thu, 13 Dec 2018 17:02:44 +0000 (17:02 +0000)]
Update libvirt to version 4.10
This partially fixes #11941 as libvirt now states clearly that seccomp
needs to be disabled
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 18 Dec 2018 22:32:07 +0000 (22:32 +0000)]
core127: Ship updated squid
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 13 Dec 2018 17:40:24 +0000 (18:40 +0100)]
squid: Update to 4.4 (stable)
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
erik.kapfer [Fri, 14 Dec 2018 11:43:00 +0000 (12:43 +0100)]
unbound: Add TFO support for unbound
For further informations, see https://tools.ietf.org/html/rfc7413
Signed-off-by: erik.kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 14 Dec 2018 20:20:15 +0000 (21:20 +0100)]
bind: Update to 9.11.5-P1
For details see:
http://ftp.isc.org/isc/bind9/9.11.5-P1/RELEASE-NOTES-bind-9.11.5-P1.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 18 Dec 2018 22:28:59 +0000 (22:28 +0000)]
sqlite: Update to 3.26.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 18 Dec 2018 14:19:30 +0000 (15:19 +0100)]
ids.cgi: Allways use the whitelist
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 18 Dec 2018 14:14:08 +0000 (15:14 +0100)]
ids-functions.pl: Use temporary file in downloader.
Download the requested rules tarball into a temporay file
and if every thing is fine, replace the old by the
downloaded one.
In addition with the previously implemented file size check,
we are saved now from a corrupt rules tarball on disk.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 18 Dec 2018 13:16:13 +0000 (14:16 +0100)]
ids-functions.pl: Introduce filesize check for downloader
The downloader now requests the html header for the rulestarball
and obtain the size of the file bevore downloading it.
After success the size of the downloaded file will be compared with
the requested one before. If they do not match, an error will be gained.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 18 Dec 2018 13:12:52 +0000 (14:12 +0100)]
ids-functions.pl: Fix sub _cleanup_rulesdir() function
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 17 Dec 2018 14:04:48 +0000 (15:04 +0100)]
suricata: Use "2" as repeat-mark and repeat-mask.
The previous used "1" was already used to mark source-natted
packets.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 17 Dec 2018 14:03:10 +0000 (15:03 +0100)]
suricata: Update to 4.0.6
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Sun, 16 Dec 2018 22:23:50 +0000 (22:23 +0000)]
Revert "make.sh: Build in ramdisk"
This reverts commit
6174b7b1c72cd5141e04ac2621eef90d86987a91 .
This had absolutely no effect on build time or rather made it
slower. So this is being reverted to save ourselves the RAM.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>