From 7b0c8a80af716cb8ce1abfe990b149eb60ef0498 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Tue, 23 Apr 2019 19:21:30 +0200
Subject: [PATCH 01/10] core131: add services.cgi to update

Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/core/131/filelists/files | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/131/filelists/files b/config/rootfiles/core/131/filelists/files
index 810c67b1e..aa842b73c 100644
--- a/config/rootfiles/core/131/filelists/files
+++ b/config/rootfiles/core/131/filelists/files
@@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/ids.dat
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/remote.cgi
+srv/web/ipfire/cgi-bin/services.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/local/bin/ipsec-interfaces
 usr/local/bin/sshctrl

From 56f6d107ff152748a0330a99ab39ad66880ff64b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 21 Apr 2019 01:32:07 +0100
Subject: [PATCH 02/10] suricata: Do not always convert rules to be bi-directional

This creates some overhead that we do not need and rules need to be adjusted to match any direction they are supposed to match.

Signed-off-by: Michael Tremer
---
 config/cfgroot/ids-functions.pl | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 5496df1a9..deb287bb7 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -742,9 +742,6 @@ sub write_modify_sids_file($) {
 # Write file header.
 print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
 
- # Tune rules to monitor in both directions.
- print FILE "modifysid \* \"\-\>\" \| \"\<\>\"\n";
-
 # Check if the traffic only should be monitored.
 unless($ruleaction eq "alert") {
 # Tell oinkmaster to switch all rules from alert to drop.

From a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 23 Apr 2019 20:45:42 +0100
Subject: [PATCH 03/10] suricata: EXTERNAL_NET should equal any

This enables that we scan servers in ORANGE for clients in GREEN which absolutely makes sense.

Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index e7e27c731..7252e10b9 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -11,8 +11,7 @@ vars:
 # Include HOME_NET declaration from external file.
 include: /var/ipfire/suricata/suricata-homenet.yaml
 
- EXTERNAL_NET: "!$HOME_NET"
- #EXTERNAL_NET: "any"
+ EXTERNAL_NET: "any"
 
 HTTP_SERVERS: "$HOME_NET"
 SMTP_SERVERS: "$HOME_NET"

From e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Tue, 23 Apr 2019 21:27:53 +0200
Subject: [PATCH 04/10] suricata: Use device ppp0 if PPPoE dialin is used.

Fixes #12058.

Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
 src/initscripts/system/suricata | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 16548753e..ecd693054 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -18,6 +18,7 @@
 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
 # Name of the firewall chain.
 FW_CHAIN="IPS"
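Review bot: `EXTERNAL_NET: "any"` now overlaps `$HOME_NET`, so every rule written for `$EXTERNAL_NET -> $HOME_NET` also matches flows whose source is a local zone, and rulesets that assume EXTERNAL_NET excludes the home networks will start alerting on local-to-local traffic; the commit message records the ORANGE/GREEN motivation, but once the old `#EXTERNAL_NET: "any"` alternative is gone the file keeps no trace of why the usual `!$HOME_NET` was dropped. A comment above the new line, e.g. `# "any" on purpose (not "!$HOME_NET"): traffic between local zones, such as ORANGE servers and GREEN clients, must be inspected too.`, would stop a later cleanup from "fixing" it back. Operators should also expect the alert volume to rise after this change and review which local flows they actually want inspected.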
@@ -65,9 +66,18 @@ function generate_fw_rules {
 
 # Check if the IDS is enabled for this network zone.
 if [ "${!enable_ids_zone}" == "on" ]; then
- # Generate name of the network interface.
- network_device=$zone
- network_device+="0"
+ # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
+ if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
+ # Set device name to ppp0.
+ network_device="ppp0"
+ else
+ # Generate variable name which contains the device name.
+ zone_name="$zone_upper"
+ zone_name+="_DEV"
+
+ # Grab device name.
+ network_device=${!zone_name}
+ fi
 
 # Assign NFQ_OPTS
 NFQ_OPTIONS=$NFQ_OPTS

From d4f315677777e4b819d82eadd14af6f4d20137e5 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Tue, 23 Apr 2019 20:33:02 +0200
Subject: [PATCH 05/10] convert-snort: Fix ownership of the generated homenet file.

Fixes #12059.

Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
 config/suricata/convert-snort | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort
index 0ad2942b1..83931fa5b 100644
--- a/config/suricata/convert-snort
+++ b/config/suricata/convert-snort
@@ -259,6 +259,9 @@ if (-f $IDS::rulestarball) {
 # Call subfunction to generate the file.
 &IDS::generate_home_net_file();
 
+# Set correct ownership for the homenet file.
+&IDS::set_ownership("$IDS::homenet_file");
+
 #
 ## Step 9: Setup automatic ruleset updates.
 #

From 1f35114d7bc9e2941b15cb93bebc46f66a525e9f Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 24 Apr 2019 11:24:33 +0100
Subject: [PATCH 06/10] hostap: Fix wiring of checkboxes for client isolation

The checkboxes were swapped which lead to client isolation being enabled when the UI said disabled and vice-versa.

Signed-off-by: Michael Tremer
---
 html/cgi-bin/wlanap.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 44b0b4053..abee0c3cb 100644
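Review bot: After `network_device=${!zone_name}` nothing verifies that the indirect lookup produced a value: if the ethernet settings file has no `<ZONE>_DEV` entry for a zone whose IDS flag is `on` (or the entry is empty), `network_device` is empty and the `iptables -I … -i "$network_device"` rules that follow (visible as the removed lines in patch 10's last hunk) are invoked with an empty interface and fail, and since the script never checks iptables' exit status that zone just ends up uninspected. A guard after the `fi`, such as `[ -n "$network_device" ] || continue`, would skip the zone explicitly — assuming the rest of the loop body only builds rules, which is outside this hunk. The `"$RED_TYPE" == "PPPOE"` comparison also depends on the exact spelling written by the ethernet settings producer; any other spelling silently falls back to `RED_DEV`. The enclosing `for zone` loop and `generate_fw_rules` both begin and end outside the hunk.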
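Review bot: The new line `&IDS::set_ownership("$IDS::homenet_file");` wraps a plain scalar in double quotes and uses the `&sub(...)` call form; the quotes only copy the string, and the `&` form bypasses prototypes. It does match the neighbouring `&IDS::generate_home_net_file();`, so if the file keeps that convention the minimal change is `&IDS::set_ownership($IDS::homenet_file);`. The result of `set_ownership` is not checked, so a failed chown would pass unnoticed by convert-snort — whether the helper dies or returns a status is decided in ids-functions.pl, outside this hunk.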
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -382,7 +382,7 @@ print <SSID:  SSID Broadcast: on | off -Client Isolation: on | off +Client Isolation: on | off $Lang::tr{'wlanap country'}:  

From 31568a19824a5e0621cf6cb9297d2800e3b3f59e Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Fri, 26 Apr 2019 07:43:21 +0200
Subject: [PATCH 07/10] hostapd: bump package version

Signed-off-by: Arne Fitzenreiter
---
 lfs/hostapd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lfs/hostapd b/lfs/hostapd
index 64ff28e4b..c2830b88a 100644
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = hostapd
-PAK_VER = 45
+PAK_VER = 46
 
 DEPS = ""
 

From 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 25 Apr 2019 19:31:46 +0200
Subject: [PATCH 08/10] firewall: Use seperate firewall chains for passing traffic to the IPS

Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible which kind of traffic should be passed to suricata.

Reference #12062

Signed-off-by: Stefan Schantl
Signed-off-by: Arne Fitzenreiter
---
 src/initscripts/system/firewall | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be6c9169f..da89857d8 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -186,10 +186,12 @@ iptables_init() {
 iptables -A FORWARD -j GUARDIAN
 
 # IPS (suricata) chains
- iptables -N IPS
- iptables -A INPUT -j IPS
- iptables -A FORWARD -j IPS
- iptables -A OUTPUT -j IPS
+ iptables -N IPS_INPUT
+ iptables -N IPS_FORWARD
+ iptables -N IPS_OUTPUT
+ iptables -A INPUT -j IPS_INPUT
+ iptables -A FORWARD -j IPS_FORWARD
+ iptables -A OUTPUT -j IPS_OUTPUT
 
 # Block non-established IPsec networks
 iptables -N IPSECBLOCK
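Review bot: Chain `IPS` is dropped here, but at this point in the series src/initscripts/system/suricata still uses `FW_CHAIN="IPS"` (its `iptables -F "$FW_CHAIN"` and `iptables -I "$FW_CHAIN" …` calls are visible in the next two patches), so a system running this commit without patch 10 gets a missing-chain error on suricata start, the NFQUEUE rules are never installed and traffic passes the firewall uninspected. The two changes should land as one commit, or this one should keep creating `IPS` until the consumer is switched over. It would also be worth a one-line comment that the three chains exist so that INPUT, FORWARD and OUTPUT traffic can be queued to the IPS selectively, since the names alone do not say why one chain became three. `iptables_init()` continues outside the hunk.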
From 5e3067cb52bdb613a193c2c0280e07d10c30f6de Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 25 Apr 2019 19:31:47 +0200
Subject: [PATCH 09/10] initscripts/suricata: Move functions order and always use flush_fw_chain function

Signed-off-by: Stefan Schantl
Signed-off-by: Arne Fitzenreiter
---
 src/initscripts/system/suricata | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index ecd693054..233cded53 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -48,12 +48,18 @@ function get_cpu_count {
 echo $CPUCOUNT
 }
 
+# Function to flush the firewall chain.
+function flush_fw_chain {
+ # Call iptables and flush the chain
+ iptables -F "$FW_CHAIN"
+}
+
 # Function to create the firewall rules to pass the traffic to suricata.
 function generate_fw_rules {
 cpu_count=$(get_cpu_count)
 
 # Flush the firewall chain.
- iptables -F "$FW_CHAIN"
+ flush_fw_chain
 
 # Loop through the array of network zones.
 for zone in "${network_zones[@]}"; do
@@ -103,12 +109,6 @@ function generate_fw_rules {
 iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
 }
 
-# Function to flush the firewall chain.
-function flush_fw_chain {
- # Call iptables and flush the chain
- iptables -F "$FW_CHAIN"
-}
-
 case "$1" in
 start)
 # Get amount of CPU cores.

From 9cf253e150078852877f5ee530aeb3408fa4216b Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 25 Apr 2019 19:31:48 +0200
Subject: [PATCH 10/10] initscripts/suricata: Rework creation of firewall rules.

The script now will use the previously introduced seperate firewall chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.

The commit also creates an AND connection between the choosen network zones in the UI and the final firwall rules.

Fixes #12062.

Signed-off-by: Stefan Schantl
Signed-off-by: Arne Fitzenreiter
---
 src/initscripts/system/suricata | 78 +++++++++++++++++++++------------
 1 file changed, 50 insertions(+), 28 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 233cded53..c9f131fca 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -6,7 +6,7 @@
 #
 # Author : Stefan Schantl
 #
-# Version : 01.00
+# Version : 01.01
 #
 # Notes :
 #
@@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
-# Name of the firewall chain.
-FW_CHAIN="IPS"
+# Name of the firewall chains.
+IPS_INPUT_CHAIN="IPS_INPUT"
+IPS_FORWARD_CHAIN="IPS_FORWARD"
+IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 
 # Optional options for the Netfilter queue.
 NFQ_OPTS="--queue-bypass "
@@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass "
 # Array containing the 4 possible network zones.
 network_zones=( red green blue orange )
 
+# Array to store the network zones weather the IPS is enabled for.
+enabled_ips_zones=()
+
 # Mark and Mask options.
 MARK="0x70000000"
 MASK="0x70000000"
@@ -48,19 +53,18 @@ function get_cpu_count {
 echo $CPUCOUNT
 }
 
-# Function to flush the firewall chain.
+# Function to flush the firewall chains.
 function flush_fw_chain {
- # Call iptables and flush the chain
- iptables -F "$FW_CHAIN"
+ # Call iptables and flush the chains
+ iptables -F "$IPS_INPUT_CHAIN"
+ iptables -F "$IPS_FORWARD_CHAIN"
+ iptables -F "$IPS_OUTPUT_CHAIN"
 }
 
 # Function to create the firewall rules to pass the traffic to suricata.
 function generate_fw_rules {
 cpu_count=$(get_cpu_count)
 
- # Flush the firewall chain.
- flush_fw_chain
-
 # Loop through the array of network zones.
 for zone in "${network_zones[@]}"; do
 # Convert zone into upper case.
@@ -85,28 +89,46 @@ function generate_fw_rules {
 network_device=${!zone_name}
 fi
 
- # Assign NFQ_OPTS
- NFQ_OPTIONS=$NFQ_OPTS
-
- # Check if there are multiple cpu cores available.
- if [ "$cpu_count" -gt "1" ]; then
- # Balance beetween all queues.
- NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
- NFQ_OPTIONS+=" --queue-cpu-fanout"
- else
- # Send all packets to queue 0.
- NFQ_OPTIONS+="--queue-num 0"
- fi
-
- # Create firewall rules to queue the traffic and pass to
- # the IDS.
- iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
- iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$network_device" )
 fi
 done
 
- # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ # Assign NFQ_OPTS
+ NFQ_OPTIONS=$NFQ_OPTS
+
+ # Check if there are multiple cpu cores available.
+ if [ "$cpu_count" -gt "1" ]; then
+ # Balance beetween all queues.
+ NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
+ NFQ_OPTIONS+=" --queue-cpu-fanout"
+ else
+ # Send all packets to queue 0.
+ NFQ_OPTIONS+="--queue-num 0"
+ fi
+
+ # Flush the firewall chains.
+ flush_fw_chain
+
+ # Check if the array of enabled_ips_zones contains any elements.
+ if [[ ${enabled_ips_zones[@]} ]]; then
+ # Loop through the array and create firewall rules.
+ for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
+ # Create rules queue input and output related traffic and pass it to the IPS.
+ iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+
+ # Create rules which are required to handle forwarded traffic.
+ for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
+ iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ done
+ done
+
+ # Clear repeat bit, so that it does not confuse IPsec or QoS
+ iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ fi
 }
 
 case "$1" in
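Review bot: The FORWARD rules are the cross product of enabled devices (`-i "$enabled_ips_zone" -o "$enabled_ips_zone_forward"` for every pair), so forwarded traffic between an enabled zone and one that is not ticked — GREEN to RED with only GREEN enabled, for instance — is no longer queued at all, while the removed `-i "$network_device"` rule in the old `IPS` chain did catch it; the commit message calls this the AND behaviour but the script itself does not say so. A comment above the inner loop such as `# Forwarded traffic is only inspected when both ingress and egress interface belong to an enabled zone; flows to or from other zones bypass the IPS in FORWARD.` would stop the next reader from treating it as a bug, and the zone checkboxes in the UI should carry the same caveat. `if [[ ${enabled_ips_zones[@]} ]]` relies on the unquoted expansion of the whole array being non-empty, which is unusual and misreads an array whose only element is an empty string; `if [ "${#enabled_ips_zones[@]}" -gt 0 ]` states the intent. The pair loop also emits an `-i X -o X` hairpin rule per device and grows quadratically with the number of zones, harmless at four zones but worth a note. `enabled_ips_zones` is a script-level array that this function only appends to, so calling `generate_fw_rules` twice in one run would duplicate rules — fine if the `case` below calls it once, which is outside the hunk.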