Adolf Belka [Fri, 19 Apr 2024 13:39:41 +0000 (15:39 +0200)]
backup.pl: removes any references to ALIENVAULT & SPAMHAUSEDROP from restores
- This patch ensures that if a restore is carried out from an earlier version that includes
ALIENVAULT and/or SPAMHAUS_EDROP that the references will be removed.
- This is the same code as was put into the update.sh file with the previous patch of this
set.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 19 Apr 2024 13:39:40 +0000 (15:39 +0200)]
update.sh: Remove existing entries for ALIENVAULT & SPAMHAUS_EDROP
- This removes any time entries in the modified file for either ALIENVAULT or
SPAMHAUS_EDROP.
- This also removes any blocklists for either of these sources from the /var/lib/ipblocklist
directory.
- This patch will ensure that any reference to either of these sources is removed from the
ipblocklist files.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 19 Apr 2024 13:39:39 +0000 (15:39 +0200)]
sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources
- ALIENVAULT has not been updated since at least Nov 2022 but probably earlier. There is no
date for the file to be downloaded but a forum user has log messages from Nov 2022 that
indicate the file had not changed as therefore no download occurred.
- AT&T aquired AlienVault in August 2018. Somewhere between 2018 and 2022 the list stopped
getting updated. AlienVault references on the AT&T website are now for a different
product.
- Discussed in IPFire conf call of April 2024 and agreed to remove the ALIENVAULT
blocklist.
- On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP list. The eDROP
list is still available but is now empty. Trying to select the SPAMHAUS_EDROP list
gives an error message that the blocklist was found to be empty.
- This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists from the ipblocklist
sources file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:08 +0000 (17:01 +0200)]
oci-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:07 +0000 (17:01 +0200)]
gcp-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:06 +0000 (17:01 +0200)]
exoscale-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:05 +0000 (17:01 +0200)]
azure-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:04 +0000 (17:01 +0200)]
aws-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:03 +0000 (17:01 +0200)]
ip-up: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:02 +0000 (17:01 +0200)]
red: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:01 +0000 (17:01 +0200)]
static-routes: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot.
- Tested on my vm system and confirmed that the fix in ipsec-interfaces stops the "FIB
table does not exist" and "RTNETLINK answers: no such file or directory" messages during
boot.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:00 +0000 (17:01 +0200)]
ipsec-interfaces: Fixes bug12763
- Some of the ip route commands are not redirected to null. This causes the "FIB table does
not exist" message from bug12763
- This patch makes all ip route commands get redirected to null, preventing the error
message from being seen at boot.
- One of the ip rule commands is not redirected to null. This causes the "RTNETLINK
answers: no such file or directory" message.
- This patch makes all ip rule commands get redirected to null, preventing the error
message from being seen at boot.
- Additional patches in this set ensure that all ip route and ip rule commands in all
IPFire code is redirected to null unless the output of the ip route or ip rule command
is used in a variable for use elsewhere in the code.
- Tested on my vm system and confirmed that the fix in ipsec-interfaces stops the "FIB
table does not exist" and "RTNETLINK answers: no such file or directory" messages during
boot.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 10 Apr 2024 11:39:39 +0000 (13:39 +0200)]
icinga: Removal of icinga addon
- As discussed in the Dev conf call on 2024-Jan-08
- The 1.x version of Icinga has been EOL since 2018
- The 2.x version would require a complete new configuration approach as the settings
and options are completely different to 1.x and so would be a start from scratch.
- removal of icinga from make.sh file
- removal of lfs file
- removal of rootfile
- removal of configuration file
- removal of backup includes file
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 9 Apr 2024 14:07:08 +0000 (16:07 +0200)]
sslh: Removal of sslh addon
- As discussed in the Dev conf call on 2024-Apr-08
- sslh has not been functioning since last update ion Sep 2021. Configuration syntax
was radically changed somewhere in the update from 1.7a(2013) to 1.22c in Sep 2021
- removal of sslh from make file
- removal of lfs file
- removal of rootfile
- removal of paks files
- removal of initscript
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 23 Mar 2024 23:28:40 +0000 (00:28 +0100)]
bind: Update to 9.16.49
For details see:
https://downloads.isc.org/isc/bind9/9.16.49/doc/arm/html/notes.html#notes-for-bind-9-16-49
"Bug Fixes
A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed. [GL #4596]
Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed. [GL #4621]
The logic for cleaning up expired cached DNS records was tweaked to be
more aggressive. This change helps with enforcing max-cache-ttl and
max-ncache-ttl in a timely manner. [GL #4591]
It was possible to trigger a use-after-free assertion when the overmem
cache cleaning was initiated. This has been fixed. [GL #4595]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 8 Apr 2024 16:57:21 +0000 (18:57 +0200)]
configroot: Add in LOGDROPHOSTILExxx values
- I checked out doing a fresh install of CU184 and found that although the
LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not
in the /var/ipfire/optionsfw/settings file.
- After some investigfation I realised that when I created the LOGDROPHOSTILE split into
incoming and outgoing I had not added them into the configroot lfs file.
- This patch adds the two entries and this was tested out with a fresh install and
confirmed to update the settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 8 Apr 2024 14:57:49 +0000 (14:57 +0000)]
suricata: Enable midstream scanning
We require this because Suricata might be restarted due to development
or rule refreshment purposes. We should then try to resume any
decoders/app-layers wherever possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:40 +0000 (21:26 +0200)]
suricata: Set midstream-policy to pass-packet
Set this value to the same as the exception-policy to keep in sync and
hopefully have the same behaviour. In case this option is not set an
ugly message about a not correctly set value will be logged to syslog
during startup.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:37 +0000 (21:26 +0200)]
suricata: Update suricata.yaml
Updata the configuration file for suricata 7.
This includes:
* Default values for newly introduced features and parsers
* Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent
* Update of URL for documentation
* Fixes of various typos and other clarifications
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 3 Apr 2024 20:42:13 +0000 (21:42 +0100)]
suricata: Disable fail-open on NFQUEUE
This change causes that if suricata crashes, the NFQUEUE will no longer
fall into a mode where ALL packets are being accepted. This used the be
the case before which opened the entire firewall.
If suricata randomly crashes, we will fall back to the "bypass" mode
where packets will bypass suricata, but nothing else.
Fixes: #13642 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
collectd: fix cpufreq graph if virtual cores are offline
the kernel doesn't allow to read the frequency of a offline virtual core
if smt is disabled so now no error is reported in this case and NaN submited to the
database.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:20 +0000 (20:39 +0100)]
grub-btrfsd: Drop redundant used PIDFILE mechanism
This case is already covered by the PID mechanism of the used functions
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:19 +0000 (20:39 +0100)]
grub-btrfsd: Adjust displayed starting message
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:18 +0000 (20:39 +0100)]
grub-btrfsd: Use generic volume_fs_type function for FS detection
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:17 +0000 (20:39 +0100)]
initscripts: Add generic function to get the filesystem type of a volume
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 30 Mar 2024 08:14:58 +0000 (09:14 +0100)]
xz: Revert back to version 5.4.5 due to backdoor issue
- xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
been one of the xz devs.
- IPFire looks not to be affected by the problem as we don't patch openssh to be linked
with liblzma
- However due to question marks about what else might be in these 5.6.x versions it is
better to revert back to a version that did not have the build-to-host.m4 file with the
code that modifies the build if it meets certain criteria.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Mar 2024 17:44:56 +0000 (18:44 +0100)]
CU185-update.sh: Add drop hostile in & out logging entries if not already present
- This v2 patch corrects that the previous script was looking for =on. If a user had
modified the preferences to change it to =off then the script would have resulted in
both =on and =off versions being in the settings file.
- This patch ensures that those people who updated to CU184 before the CU184-update.sh
patch fix to add the logging entries was added will get their optionsfw settings file
correctly updated with CU185
- This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already
exist in the optionsfw settings file.
- This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two
separate checks and then runs the firewall update command
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>