Stefan Schantl [Mon, 14 Nov 2016 11:10:11 +0000 (12:10 +0100)]
guardian.cgi: Add colorized zone name for ignored and blocked hosts.
This will help to easily identfy if an IP-address which has been blocked
is part of a local network zone, VPN connection or the Internet. The same
improvement is given for addresses which are part of the ignore list.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Horace [Thu, 3 Nov 2016 12:41:15 +0000 (13:41 +0100)]
ipinfo.cgi: Add flag icon and IP reputational URL's.
* Use the GeoIP backend to obtain the country code of the given
IP-address and to display the flag icon and country name, when
moving the mouse pointer over the flag icon.
* Add various URL (IPVoid, Virustotal and MultiRBL) for gaining
reputational informations for the given IP-address.
Signed-off-by: Michael Horace <horace.michael@gmx.com> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Horace [Wed, 2 Nov 2016 13:35:49 +0000 (14:35 +0100)]
guardian.cgi: Add flag icons and country names to block and ignore list.
Add the corresponding flag icons and full country names in front
of the IP-addresses which are stored in the ignore list and for
all currenty blocked addresses.
Signed-off-by: Michael Horace <horace.michael@gmx.com> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
It appears that htpasswd is not salting any passwords that are
stored with the SHA (-s) algorithm. MD5 passwords however are
salted.
That leads us to the conclusion that the "MD5 algorithm" in htpasswd
is more secure than the "SHA algorithm" although the hash function
itself should be stronger.
With a rainbow table, cracking "SHA" is easily done.
A rainbow table for "MD5" + salt would be way too large to be
efficiently stored.
Hence this commit is reverted to old behaviour to avoid the clear
failure of design in SHA.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Michael Tremer [Sat, 15 Oct 2016 17:08:22 +0000 (19:08 +0200)]
unbound-dhcp-bridge: Rewrite update algorithm
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 15 Oct 2016 17:08:22 +0000 (19:08 +0200)]
unbound-dhcp-bridge: Rewrite update algorithm
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Marcel Lorenz [Fri, 7 Oct 2016 16:26:38 +0000 (18:26 +0200)]
netpbm: update to 10.47.61
To keep the files in the right place, the files are installed into the build directory
and only the files which are useful are copied to the usual places in /usr.
Since the first three columns of 'iptables.cgi' gave a nearly unreadable output
with large numbers, so I made 'pkts', 'bytes' and 'target'-columns a bit wider.
BEFORE - it was something like this:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytestarget proc opt in out source destination
32M38G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
32M38G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
00 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
32M38G IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M38G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
21M21G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
393873484KDHCPGREENINPUTall -- green0 * 0.0.0.0/0 0.0.0.0/0
645153642KGEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
386592304KIPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
386592304KGUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KWIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
368332209KOVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KTOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
368332209KINPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
309641833KREDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
309641833KPOLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
AFTER - somehow better readable - I think: ;-)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target proc opt in out source destination
32M 38G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
32M 38G IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
32M 38G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
21M 21G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
39387 3484K DHCPGREENINPUT all -- green0 * 0.0.0.0/0 0.0.0.0/0
64515 3642K GEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
38659 2304K IPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
38659 2304K GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K WIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
36833 2209K OVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K TOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
36833 2209K INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
30964 1833K REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
30964 1833K POLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Rearranged the fields on 'guardian.cgi' a bit - in a (hopefully) logical manner,
so that they don't need so much room.
- Added some translation-strings and explanations to (revised) 'guardian.cgi'.
- Added missing language string(s), deleted obsolete.
- Deleted all guardian entries from standard language files in
'/var/ipfire/langs'-directory.
- Added (upgraded) addon-specific language files to '/var/ipfire/addon-lang'-directory.
I hope, I didn't forget something...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
unbound has some trouble with validating DNSSEC-enabled
domains when the upstream name server is stripping signatures
from the authoritative responses.
This script now checks that, removes any broken upstream
name servers from the list and prints a warning.
If all name servers fail the test, unbound falls back
into recursor mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 1 Oct 2016 17:37:28 +0000 (18:37 +0100)]
shadow-utils: Create standard set of configuration files
Previously we copied the default configuration from the upstream
package and modified that. Unfortunately a patch and a sed command
changed the file which resulted in unwanted changes.
This patch removes the patch and sed command and adds a new set
of configuration files that just need to be copied to the system.
Fixes #11195
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit updates krb5 to version 1.14.4
The patch is removed, because he is upstream since 1.12.2.
The samba version is incremented, to link samba against the new krb5
version. Otherwise samba for example is linked against
/usr/lib/libkdb5.so.7 but the current version is /usr/lib/libkdb5.so.8
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
OpenSSL 1.0.2i users should upgrade to 1.0.2j
The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
team.
projects / people / stevee / ipfire-2.x.git / log
