webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 02:55:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'next' of https://github.com/ipfire/ipfire-2.x into feature_firewalllog_first_last

Browse Source
This commit is contained in:
Alf Høgemark
2014-02-15 15:13:16 +01:00
parent a1219d9600 e3cbe60f5d
commit 10dfb491b1
27 changed files with 3648 additions and 7129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
config/etc/sysctl.conf
View File

@@ -28,3 +28,6 @@ vm.min_free_kbytes = 8192
# Disable IPv6 by default.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Enable netfilter accounting
net.netfilter.nf_conntrack_acct=1

40
config/firewall/firewall-policy
View File

@@ -23,6 +23,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
function iptables() {
/sbin/iptables --wait "$@"
}
iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN
@@ -52,15 +56,15 @@ esac
case "${FWPOLICY2}" in
REJECT)
if [ "${DROPINPUT}" = "on" ]; then
/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
fi
/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
if [ "${DROPINPUT}" = "on" ]; then
/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
;;
esac
@@ -70,15 +74,15 @@ case "${POLICY}" in
case "${FWPOLICY}" in
REJECT)
if [ "${DROPFORWARD}" = "on" ]; then
/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
fi
/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
;;
*) # DROP
if [ "${DROPFORWARD}" = "on" ]; then
/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
;;
esac
;;
@@ -86,14 +90,14 @@ case "${POLICY}" in
*)
if [ -n "${IFACE}" ]; then
if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
fi
if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
/sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
fi
fi
/sbin/iptables -A POLICYFWD -j ACCEPT
/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
iptables -A POLICYFWD -j ACCEPT
iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
;;
esac
@@ -103,21 +107,21 @@ case "${POLICY1}" in
case "${FWPOLICY1}" in
REJECT)
if [ "${DROPOUTGOING}" = "on" ]; then
/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
fi
/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
;;
*) # DROP
if [ "${DROPOUTGOING}" == "on" ]; then
/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
fi
/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
;;
esac
;;
*)
/sbin/iptables -A POLICYOUT -j ACCEPT
/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
iptables -A POLICYOUT -j ACCEPT
iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
;;
esac

34
config/firewall/rules.pl
View File

@@ -60,7 +60,7 @@ my $blue = '';
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN = "FORWARDFW";
my $conexists = 'off';
my $command = 'iptables -A';
my $command = 'iptables --wait -A';
my $dnat ='';
my $snat ='';
@@ -111,7 +111,7 @@ if($param eq 'flush'){
system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
&p2pblock;
system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("iptables --wait -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
system ("/etc/sysconfig/firewall.local reload");
}
@@ -119,11 +119,11 @@ if($param eq 'flush'){
}
sub flush
{
system ("iptables -F FORWARDFW");
system ("iptables -F INPUTFW");
system ("iptables -F OUTGOINGFW");
system ("iptables -t nat -F NAT_DESTINATION");
system ("iptables -t nat -F NAT_SOURCE");
system ("iptables --wait -F FORWARDFW");
system ("iptables --wait -F INPUTFW");
system ("iptables --wait -F OUTGOINGFW");
system ("iptables --wait -t nat -F NAT_DESTINATION");
system ("iptables --wait -t nat -F NAT_SOURCE");
}
sub preparerules
{
@@ -150,9 +150,9 @@ sub buildrules
my $icmptype;
foreach my $key (sort {$a <=> $b} keys %$hash){
next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
$command="iptables -A";
$command="iptables --wait -A";
if ($$hash{$key}[28] eq 'ON'){
$command='iptables -t nat -A';
$command='iptables --wait -t nat -A';
$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
if($$hash{$key}[31] eq 'dnat'){
$nat='DNAT';
@@ -303,7 +303,7 @@ sub buildrules
}
}
}
print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
print "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
next;
#PROCESS SNAT RULE
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
@@ -318,14 +318,14 @@ sub buildrules
if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
#PROCESS Prot ICMP and type = All ICMP-Types
if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
}
}
@@ -387,7 +387,7 @@ sub buildrules
}
}
}
system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
system "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
next;
#PROCESS SNAT RULE
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
@@ -402,14 +402,14 @@ sub buildrules
if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
#PROCESS Prot ICMP and type = All ICMP-Types
if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
}
}
@@ -504,11 +504,11 @@ sub p2pblock
}
if ($MODE eq 1){
if($P2PSTRING){
print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
}
}else{
if($P2PSTRING){
system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
}
}
}

9
config/kernel/kernel.config.i586-ipfire
View File

@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 3.10.11-ipfire Kernel Configuration
# Linux/x86 3.10.30 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -1093,7 +1093,7 @@ CONFIG_L2TP_V3=y
CONFIG_L2TP_IP=m
CONFIG_L2TP_ETH=m
CONFIG_STP=y
CONFIG_GARP=y
CONFIG_GARP=m
CONFIG_BRIDGE=y
CONFIG_BRIDGE_IGMP_SNOOPING=y
CONFIG_BRIDGE_VLAN_FILTERING=y
@@ -1715,6 +1715,7 @@ CONFIG_BCACHE=m
# CONFIG_BCACHE_DEBUG is not set
# CONFIG_BCACHE_EDEBUG is not set
# CONFIG_BCACHE_CLOSURES_DEBUG is not set
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_DEBUG is not set
CONFIG_DM_BUFIO=m
@@ -2818,7 +2819,7 @@ CONFIG_GPIO_ICH=m
#
# PCI GPIO expanders:
#
# CONFIG_GPIO_CS5535 is not set
CONFIG_GPIO_CS5535=m
# CONFIG_GPIO_AMD8111 is not set
# CONFIG_GPIO_LANGWELL is not set
# CONFIG_GPIO_PCH is not set
@@ -3905,6 +3906,7 @@ CONFIG_BACKLIGHT_APPLE=m
# CONFIG_BACKLIGHT_LM3630 is not set
# CONFIG_BACKLIGHT_LM3639 is not set
# CONFIG_BACKLIGHT_LP855X is not set
# CONFIG_BACKLIGHT_OT200 is not set
#
# Console display driver support
@@ -4623,7 +4625,6 @@ CONFIG_DMA_ACPI=y
#
# DMA Clients
#
CONFIG_NET_DMA=y
CONFIG_ASYNC_TX_DMA=y
# CONFIG_DMATEST is not set
CONFIG_DCA=m

3
config/rootfiles/common/armv5tel/initscripts
View File

@@ -212,6 +212,7 @@ etc/rc.d/rc6.d/S90localnet
etc/rc.d/rc6.d/S99reboot
#etc/rc.d/rcsysinit.d
etc/rc.d/rcsysinit.d/S00mountkernfs
etc/rc.d/rcsysinit.d/S01sysctl
etc/rc.d/rcsysinit.d/S05modules
etc/rc.d/rcsysinit.d/S10udev
etc/rc.d/rcsysinit.d/S19waitdrives
@@ -224,7 +225,7 @@ etc/rc.d/rcsysinit.d/S60setclock
etc/rc.d/rcsysinit.d/S70console
etc/rc.d/rcsysinit.d/S75firstsetup
etc/rc.d/rcsysinit.d/S80localnet
etc/rc.d/rcsysinit.d/S90sysctl
etc/rc.d/rcsysinit.d/S85firewall
etc/rc.d/rcsysinit.d/S91network-vlans
etc/rc.d/rcsysinit.d/S92rngd
etc/rc.d/rc3.d/S15fireinfo

3
config/rootfiles/common/i586/initscripts
View File

@@ -218,6 +218,7 @@ etc/rc.d/rc6.d/S90localnet
etc/rc.d/rc6.d/S99reboot
#etc/rc.d/rcsysinit.d
etc/rc.d/rcsysinit.d/S00mountkernfs
etc/rc.d/rcsysinit.d/S01sysctl
etc/rc.d/rcsysinit.d/S05modules
etc/rc.d/rcsysinit.d/S10udev
etc/rc.d/rcsysinit.d/S19checkfstab
@@ -231,7 +232,7 @@ etc/rc.d/rcsysinit.d/S60setclock
etc/rc.d/rcsysinit.d/S70console
etc/rc.d/rcsysinit.d/S75firstsetup
etc/rc.d/rcsysinit.d/S80localnet
etc/rc.d/rcsysinit.d/S90sysctl
etc/rc.d/rcsysinit.d/S85firewall
etc/rc.d/rcsysinit.d/S91network-vlans
etc/rc.d/rcsysinit.d/S92rngd
etc/rc.d/rc3.d/S15fireinfo

1
config/rootfiles/core/76/update.sh
View File

@@ -238,6 +238,7 @@ rm -rf /usr/lib/engines
rm -f /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
rm -f /etc/rc.d/init.d/networking/red.up/25-portfw
rm -f /etc/rc.d/init.d/networking/red.up/26-xtaccess
rm -f /etc/rc.d/rcsysinit.d/S90sysctl
# Remove old firewallscripts
rm -f /usr/local/bin/setportfw

1
doc/language_issues.de
View File

@@ -598,7 +598,6 @@ WARNING: translation string unused: year-graph
WARNING: translation string unused: yearly firewallhits
WARNING: untranslated string: Scan for Songs
WARNING: untranslated string: addons
WARNING: untranslated string: advproxy cache-digest
WARNING: untranslated string: bytes
WARNING: untranslated string: community rules
WARNING: untranslated string: dead peer detection

1
doc/language_issues.en
View File

@@ -631,7 +631,6 @@ WARNING: translation string unused: xtaccess bad transfert
WARNING: translation string unused: year-graph
WARNING: translation string unused: yearly firewallhits
WARNING: untranslated string: Scan for Songs
WARNING: untranslated string: advproxy cache-digest
WARNING: untranslated string: bytes
WARNING: untranslated string: fwhost err hostip
WARNING: untranslated string: route config changed

4
doc/language_missings
View File

@@ -13,6 +13,7 @@
# Checking cgi-bin translations for language: fr #
############################################################################
< addon
< advproxy cache-digest
< advproxy errmsg cache
< advproxy errmsg invalid upstream proxy
< advproxy errmsg proxy ports equal
@@ -452,6 +453,7 @@
# Checking cgi-bin translations for language: es #
############################################################################
< addon
< advproxy cache-digest
< advproxy errmsg cache
< advproxy errmsg invalid upstream proxy
< advproxy errmsg proxy ports equal
@@ -884,6 +886,7 @@
# Checking cgi-bin translations for language: pl #
############################################################################
< addon
< advproxy cache-digest
< advproxy errmsg cache
< advproxy errmsg invalid upstream proxy
< advproxy errmsg proxy ports equal
@@ -1292,6 +1295,7 @@
############################################################################
< Add a route
< addon
< advproxy cache-digest
< advproxy errmsg cache
< advproxy errmsg invalid upstream proxy
< advproxy errmsg proxy ports equal

25
html/cgi-bin/index.cgi
View File

@@ -201,21 +201,20 @@ END
chomp($DNS2);
close DNS2;
if ( $DNS1 ) { print <<END;
<tr><td><b>$Lang::tr{'dns server'}1:</b></td><td align='center'>$DNS1</td><td></td></tr>
END
}
if ( $DNS2 ) { print <<END;
<tr><td><b>$Lang::tr{'dns server'}2:</b></td><td align='center'>$DNS2</td><td></td></tr>
print <<END;
<tr>
<td>
<b>$Lang::tr{'dns server'}</b>
</td>
<td align="center">
$DNS1
</td>
<td align="center">
$DNS2
</td>
</tr>
</table>
END
} else { print <<END;
<td></td>
</tr>
</table>
END
}
#Dial profiles
if ( $netsettings{'RED_TYPE'} ne "STATIC" && $netsettings{'RED_TYPE'} ne "DHCP" ){

4
html/cgi-bin/netexternal.cgi
View File

@@ -83,8 +83,8 @@ if ( $querry[0] ne~ ""){
&General::readhash("${General::swroot}/dhcpc/dhcpcd-$netsettings{'RED_DEV'}.info", \%dhcpinfo);
my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d ,`;
my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d ,`;
my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d " "`;
my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d " "`;
my $lsetme=0;
my $leasetime="";

1
langs/de/cgi-bin/de.pl
View File

@@ -188,6 +188,7 @@
'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)',
'advproxy cache management' => 'Cacheverwaltung',
'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie',
'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren',
'advproxy chgwebpwd ERROR' => 'F E H L E R :',
'advproxy chgwebpwd SUCCESS' => 'E R F O L G :',
'advproxy chgwebpwd change password' => 'Passwort ändern',

1
langs/en/cgi-bin/en.pl
View File

@@ -188,6 +188,7 @@
'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
'advproxy cache management' => 'Cache management',
'advproxy cache replacement policy' => 'Cache replacement policy',
'advproxy cache-digest' => 'Enable Cache-Digest Generation',
'advproxy chgwebpwd ERROR' => 'E R R O R :',
'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :',
'advproxy chgwebpwd change password' => 'Change password',

5
lfs/fireinfo
View File

@@ -24,7 +24,7 @@
include Config
VER = 2.1.8
VER = 2.1.9
THISAPP = fireinfo-v$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 594702e88a729ae0f35ef35d0786e22f
$(DL_FILE)_MD5 = a4dbb3a4111f263b5059b2f76b14b32c
install : $(TARGET)
@@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/fireinfo-2.1.8-Revert-Read-mounted-filesystems-from-proc-mounts-ins.patch
cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh
cd $(DIR_APP) && ./configure --prefix=/usr
cd $(DIR_APP) && make $(MAKETUNING)

3
lfs/initscripts
View File

@@ -157,6 +157,7 @@ $(TARGET) :
ln -sf ../init.d/leds /etc/rc.d/rc6.d/K79leds
ln -sf ../init.d/fireinfo /etc/rc.d/rc3.d/S15fireinfo
ln -sf ../init.d/mountkernfs /etc/rc.d/rcsysinit.d/S00mountkernfs
ln -sf ../init.d/sysctl /etc/rc.d/rcsysinit.d/S01sysctl
ln -sf ../init.d/modules /etc/rc.d/rcsysinit.d/S05modules
ln -sf ../init.d/udev /etc/rc.d/rcsysinit.d/S10udev
ln -sf ../init.d/waitdrives /etc/rc.d/rcsysinit.d/S19waitdrives
@@ -171,7 +172,7 @@ $(TARGET) :
ln -sf ../init.d/console /etc/rc.d/rcsysinit.d/S70console
ln -sf ../init.d/firstsetup /etc/rc.d/rcsysinit.d/S75firstsetup
ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet
ln -sf ../init.d/sysctl /etc/rc.d/rcsysinit.d/S90sysctl
ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall
ln -sf ../init.d/network-vlans /etc/rc.d/rcsysinit.d/S91network-vlans
ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd
ln -sf ../init.d/wlanclient /etc/rc.d/rc0.d/K82wlanclient

13
lfs/linux
View File

@@ -24,10 +24,10 @@
include Config
VER = 3.10.29
VER = 3.10.30
RPI_PATCHES = linux-3.10.27-grsec-943b563
GRS_PATCHES = grsecurity-2.9.1-3.10.29-ipfire1.patch.xz
GRS_PATCHES = grsecurity-2.9.1-3.10.30-ipfire1.patch.xz
THISAPP = linux-$(VER)
DL_FILE = linux-$(VER).tar.xz
@@ -36,7 +36,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
CFLAGS =
CXXFLAGS =
PAK_VER = 34
PAK_VER = 35
DEPS = ""
VERSUFIX=ipfire$(KCFG)
@@ -74,9 +74,9 @@ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
rpi-patches-$(RPI_PATCHES).patch.xz = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).patch.xz
$(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES)
$(DL_FILE)_MD5 = 59e4f495b1302f2bca0e72d204c5fd0b
$(DL_FILE)_MD5 = f48ca7dd9f2eb14a2903cb6a4fbe07ed
rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = 8cf81f48408306d93ccee59b58af2e92
$(GRS_PATCHES)_MD5 = b39b69eb7439141621ecf0221b3bd29e
$(GRS_PATCHES)_MD5 = 044e29280d4717441e89e8d80abba563
install : $(TARGET)
@@ -112,7 +112,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
ln -svf linux-$(VER) $(DIR_SRC)/linux
# Linux Intermediate Queueing Device
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10.25-imq.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10.30-imq.patch
# ipp2p 0.8.2-ipfire
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10-ipp2p-0.8.2-ipfire.patch
@@ -124,7 +124,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
ifneq "$(KCFG)" "-headers"
cd $(DIR_APP) && xz -c -d $(DIR_DL)/$(GRS_PATCHES) | patch -Np1
cd $(DIR_APP) && rm localversion-grsec
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grsecurity-haswell-32bit-fix.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.7-disable-compat_vdso.patch
endif

2
lfs/tor
View File

@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
PAK_VER = 5
PAK_VER = 6
DEPS = "libevent2"

310
src/initscripts/init.d/firewall
View File

@@ -1,5 +1,8 @@
#!/bin/sh
. /etc/sysconfig/rc
. ${rc_functions}
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
@@ -9,206 +12,205 @@ if [ -f /var/ipfire/red/device ]; then
DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
fi
function iptables() {
/sbin/iptables --wait "$@"
}
iptables_init() {
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Empty LOG_DROP and LOG_REJECT chains
/sbin/iptables -N LOG_DROP
/sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
/sbin/iptables -A LOG_DROP -j DROP
/sbin/iptables -N LOG_REJECT
/sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
/sbin/iptables -A LOG_REJECT -j REJECT
iptables -N LOG_DROP
iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
iptables -A LOG_DROP -j DROP
iptables -N LOG_REJECT
iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
iptables -A LOG_REJECT -j REJECT
# This chain will log, then DROPs packets with certain bad combinations
# of flags might indicate a port-scan attempt (xmas, null, etc)
/sbin/iptables -N PSCAN
iptables -N PSCAN
if [ "$DROPPORTSCAN" == "on" ]; then
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
fi
/sbin/iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
# New tcp packets without SYN set - could well be an obscure type of port scan
# that's not covered above, may just be a broken windows machine
/sbin/iptables -N NEWNOTSYN
iptables -N NEWNOTSYN
if [ "$DROPNEWNOTSYN" == "on" ]; then
/sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN "
iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN "
fi
/sbin/iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
# Chain to contain all the rules relating to bad TCP flags
/sbin/iptables -N BADTCP
iptables -N BADTCP
#Don't check loopback
/sbin/iptables -A BADTCP -i lo -j RETURN
# Don't check loopback
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
# nmap xmas
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# Null
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# FIN
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
/sbin/iptables -A INPUT -p tcp -j BADTCP
/sbin/iptables -A FORWARD -p tcp -j BADTCP
iptables -A INPUT -p tcp -j BADTCP
iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chain
/sbin/iptables -N CONNTRACK
/sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
iptables -N CUSTOMINPUT
iptables -A INPUT -j CUSTOMINPUT
iptables -N CUSTOMFORWARD
iptables -A FORWARD -j CUSTOMFORWARD
iptables -N CUSTOMOUTPUT
iptables -A OUTPUT -j CUSTOMOUTPUT
iptables -t nat -N CUSTOMPREROUTING
iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
iptables -t nat -N CUSTOMPOSTROUTING
iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
# Guardian (IPS) chains
/sbin/iptables -N GUARDIAN
/sbin/iptables -A INPUT -j GUARDIAN
/sbin/iptables -A FORWARD -j GUARDIAN
iptables -N GUARDIAN
iptables -A INPUT -j GUARDIAN
iptables -A FORWARD -j GUARDIAN
# Block OpenVPN transfer networks
/sbin/iptables -N OVPNBLOCK
iptables -N OVPNBLOCK
for i in INPUT FORWARD; do
/sbin/iptables -A ${i} -j OVPNBLOCK
iptables -A ${i} -j OVPNBLOCK
done
# OpenVPN transfer network translation
/sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
iptables -t nat -N OVPNNAT
iptables -t nat -A POSTROUTING -j OVPNNAT
# IPTV chains for IGMPPROXY
/sbin/iptables -N IPTVINPUT
/sbin/iptables -A INPUT -j IPTVINPUT
/sbin/iptables -N IPTVFORWARD
/sbin/iptables -A FORWARD -j IPTVFORWARD
iptables -N IPTVINPUT
iptables -A INPUT -j IPTVINPUT
iptables -N IPTVFORWARD
iptables -A FORWARD -j IPTVFORWARD
# filtering from GUI
/sbin/iptables -N GUIINPUT
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -N GUIINPUT
iptables -A INPUT -j GUIINPUT
iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
/sbin/iptables -N LOOPBACK
/sbin/iptables -A LOOPBACK -i lo -j ACCEPT
/sbin/iptables -A LOOPBACK -o lo -j ACCEPT
iptables -N LOOPBACK
iptables -A LOOPBACK -i lo -j ACCEPT
iptables -A LOOPBACK -o lo -j ACCEPT
# Filter all packets with loopback addresses on non-loopback interfaces.
/sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
/sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j LOOPBACK
iptables -A ${i} -j LOOPBACK
done
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j CONNTRACK
iptables -A ${i} -j CONNTRACK
done
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD
/sbin/iptables -N IPSECOUTPUT
/sbin/iptables -A INPUT -j IPSECINPUT
/sbin/iptables -A FORWARD -j IPSECFORWARD
/sbin/iptables -A OUTPUT -j IPSECOUTPUT
/sbin/iptables -t nat -N IPSECNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
iptables -N IPSECOUTPUT
iptables -A INPUT -j IPSECINPUT
iptables -A FORWARD -j IPSECFORWARD
iptables -A OUTPUT -j IPSECOUTPUT
iptables -t nat -N IPSECNAT
iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet.
/sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
iptables -N DHCPBLUEINPUT
iptables -A INPUT -j DHCPBLUEINPUT
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
iptables -N WIRELESSINPUT
iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
iptables -N WIRELESSFORWARD
iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
# OpenVPN
/sbin/iptables -N OVPNINPUT
/sbin/iptables -A INPUT -j OVPNINPUT
iptables -N OVPNINPUT
iptables -A INPUT -j OVPNINPUT
# TOR
/sbin/iptables -N TOR_INPUT
/sbin/iptables -A INPUT -j TOR_INPUT
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT
# Jump into the actual firewall ruleset.
/sbin/iptables -N INPUTFW
/sbin/iptables -A INPUT -j INPUTFW
iptables -N INPUTFW
iptables -A INPUT -j INPUTFW
/sbin/iptables -N OUTGOINGFW
/sbin/iptables -A OUTPUT -j OUTGOINGFW
iptables -N OUTGOINGFW
iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -N FORWARDFW
/sbin/iptables -A FORWARD -j FORWARDFW
iptables -N FORWARDFW
iptables -A FORWARD -j FORWARDFW
# SNAT rules
/sbin/iptables -t nat -N NAT_SOURCE
/sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
iptables -t nat -N NAT_SOURCE
iptables -t nat -A POSTROUTING -j NAT_SOURCE
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -A INPUT -j REDINPUT
/sbin/iptables -N REDFORWARD
/sbin/iptables -A FORWARD -j REDFORWARD
/sbin/iptables -t nat -N REDNAT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables -N REDINPUT
iptables -A INPUT -j REDINPUT
iptables -N REDFORWARD
iptables -A FORWARD -j REDFORWARD
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
# Custom prerouting chains (for transparent proxy)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
iptables -t nat -N SQUID
iptables -t nat -A PREROUTING -j SQUID
# DNAT rules
/sbin/iptables -t nat -N NAT_DESTINATION
/sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
iptables -t nat -N NAT_DESTINATION
iptables -t nat -A PREROUTING -j NAT_DESTINATION
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
iptables -t nat -N UPNPFW
iptables -t nat -A PREROUTING -j UPNPFW
iptables -N UPNPFW
iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
@@ -216,13 +218,13 @@ iptables_init() {
# run wirelessctrl
/usr/local/bin/wirelessctrl
#POLICY CHAIN
/sbin/iptables -N POLICYIN
/sbin/iptables -A INPUT -j POLICYIN
/sbin/iptables -N POLICYFWD
/sbin/iptables -A FORWARD -j POLICYFWD
/sbin/iptables -N POLICYOUT
/sbin/iptables -A OUTPUT -j POLICYOUT
# POLICY CHAIN
iptables -N POLICYIN
iptables -A INPUT -j POLICYIN
iptables -N POLICYFWD
iptables -A FORWARD -j POLICYFWD
iptables -N POLICYOUT
iptables -A OUTPUT -j POLICYOUT
/usr/sbin/firewall-policy
@@ -230,37 +232,37 @@ iptables_init() {
/usr/local/bin/firewallctrl
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
if [ "$DROPFORWARD" == "on" ]; then
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
}
iptables_red() {
/sbin/iptables -F REDINPUT
/sbin/iptables -F REDFORWARD
/sbin/iptables -t nat -F REDNAT
iptables -F REDINPUT
iptables -F REDFORWARD
iptables -t nat -F REDNAT
# PPPoE / PPTP Device
if [ "$IFACE" != "" ]; then
# PPPoE / PPTP
if [ "$DEVICE" != "" ]; then
/sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
iptables -A REDINPUT -i $DEVICE -j ACCEPT
fi
if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT
iptables -A REDINPUT -i $RED_DEV -j ACCEPT
fi
fi
fi
# PPTP over DHCP
if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
fi
# Orange pinholes
@@ -268,24 +270,24 @@ iptables_red() {
# This rule enables a host on ORANGE network to connect to the outside
# (only if we have a red connection)
if [ "$IFACE" != "" ]; then
/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
fi
fi
if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
/sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
}
@@ -293,10 +295,38 @@ iptables_red() {
# See how we were called.
case "$1" in
start)
boot_mesg "Loading firewall modules into the kernel"
modprobe iptable_nat || failed=1
for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
modprobe $(basename $i | cut -d. -f1) || failed=1
done
for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
modprobe $(basename $i | cut -d. -f1) || failed=1
done
(exit ${failed})
evaluate_retval
if [ -e /var/ipfire/main/disable_nf_sip ]; then
rmmod nf_nat_sip
rmmod nf_conntrack_sip
rmmod nf_nat_h323
rmmod nf_conntrack_h323
fi
boot_mesg "Setting up firewall"
iptables_init
evaluate_retval
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
;;
reload)
boot_mesg "Reloading firewall"
iptables_red
evaluate_retval
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local reload

36
src/initscripts/init.d/network
View File

@@ -17,42 +17,6 @@
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
init_networking() {
boot_mesg "Loading firewall modules into the kernel"
modprobe iptable_nat || failed=1
for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
modprobe $(basename $i | cut -d. -f1) || failed=1
done
for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
modprobe $(basename $i | cut -d. -f1) || failed=1
done
(exit ${failed})
evaluate_retval
# Enable netfilter accounting
sysctl net.netfilter.nf_conntrack_acct=1 > /dev/null
if [ -e /var/ipfire/main/disable_nf_sip ]; then
rmmod nf_nat_sip
rmmod nf_conntrack_sip
rmmod nf_nat_h323
rmmod nf_conntrack_h323
fi
boot_mesg "Setting up firewall"
/etc/rc.d/init.d/firewall start; evaluate_retval
# boot_mesg "Setting up traffic accounting"
# /etc/rc.d/helper/writeipac.pl || failed=1
# /usr/sbin/fetchipac -S || failed=1
# (exit ${failed})
# evaluate_retval
if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
boot_mesg "Setting up wireless firewall rules"
/usr/local/bin/wirelessctrl; evaluate_retval
fi
/etc/rc.d/init.d/dnsmasq start
/etc/rc.d/init.d/static-routes start
}

27
src/paks/tor/install.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
extract_files
restore_backup ${NAME}
start_service --background ${NAME}

27
src/paks/tor/uninstall.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
stop_service ${NAME}
make_backup ${NAME}
remove_files

37
src/paks/tor/update.sh Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
# Create backup include file if it is missing.
if [ ! -e "/var/ipfire/backup/addons/includes/tor" ]; then
cat <<EOF > /var/ipfire/backup/addons/includes/tor
/etc/tor
/var/ipfire/tor
/var/lib/tor/fingerprint
/var/lib/tor/keys
EOF
fi
./uninstall.sh
./install.sh

30
src/patches/fireinfo-2.1.8-Revert-Read-mounted-filesystems-from-proc-mounts-ins.patch
View File

@@ -1,30 +0,0 @@
From 758f624a9862b214f39c9106137a61e2d6b14544 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 7 Feb 2014 14:56:14 +0100
Subject: [PATCH] Revert "Read mounted filesystems from /proc/mounts instead of
/etc/mtab."
This reverts commit c916f644c57b638b3128d0e882c32bf50ea29631.
For some reason, the output of /etc/mtab and /proc/mounts is not
identical and the root device is missing in /proc/mounts on IPFire.
---
src/fireinfo/system.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fireinfo/system.py b/src/fireinfo/system.py
index 800032e..40ff7b0 100644
--- a/src/fireinfo/system.py
+++ b/src/fireinfo/system.py
@@ -364,7 +364,7 @@ class System(object):
"""
Return the dev node of the root disk.
"""
- with open("/proc/mounts", "r") as f:
+ with open("/etc/mtab", "r") as f:
dev, mountpoint, fs, rest = f.readline().split(" ", 3)
if mountpoint == "/" and not fs == "rootfs":
# Cut off /dev
--
1.8.3.1

53
src/patches/grsecurity-haswell-32bit-fix.patch
View File

@@ -1,53 +0,0 @@
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 7430027..2124e35 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -80,7 +80,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
if (static_cpu_has(X86_FEATURE_PCID)) {
if (static_cpu_has(X86_FEATURE_INVPCID)) {
- unsigned long descriptor[2];
+ u64 descriptor[2];
descriptor[0] = PCID_USER;
asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
} else {
@@ -144,7 +144,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
if (static_cpu_has(X86_FEATURE_PCID)) {
if (static_cpu_has(X86_FEATURE_INVPCID)) {
- unsigned long descriptor[2];
+ u64 descriptor[2];
descriptor[0] = PCID_USER;
asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
} else {
diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
index 45844c0..ada2172 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -18,7 +18,7 @@
static inline void __native_flush_tlb(void)
{
if (static_cpu_has(X86_FEATURE_INVPCID)) {
- unsigned long descriptor[2];
+ u64 descriptor[2];
descriptor[0] = PCID_KERNEL;
asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory");
@@ -42,7 +42,7 @@ static inline void __native_flush_tlb(void)
static inline void __native_flush_tlb_global_irq_disabled(void)
{
if (static_cpu_has(X86_FEATURE_INVPCID)) {
- unsigned long descriptor[2];
+ u64 descriptor[2];
descriptor[0] = PCID_KERNEL;
asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
@@ -77,7 +77,7 @@ static inline void __native_flush_tlb_single(unsigned long addr)
{
if (static_cpu_has(X86_FEATURE_INVPCID)) {
- unsigned long descriptor[2];
+ u64 descriptor[2];
descriptor[0] = PCID_KERNEL;
descriptor[1] = addr;

6800
src/patches/linux-3.10.25-imq.patch
View File

File diff suppressed because it is too large Load Diff

3304
src/patches/linux-3.10.30-imq.patch Normal file
View File

File diff suppressed because it is too large Load Diff