From 4262c16b36f8d13a80cddff9b4c49a6bf0ab153f Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Sun, 5 Sep 2010 09:48:37 +0200 Subject: [PATCH 1/7] Remove from Input chain, changed order of the filters since the normal table contaings a drop rule and so the mac table would never be reached. Still need to check if input is necessary. --- src/initscripts/init.d/firewall | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index b9f390830..366ae071c 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -183,9 +183,8 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFW /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - /sbin/iptables -A INPUT -j OUTGOINGFWMAC + /sbin/iptables -A FORWARD -j OUTGOINGFW # localhost and ethernet. /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT From f2d2ce590242a64baff8343c6707944fef4dd7bb Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 5 Sep 2010 12:36:50 +0200 Subject: [PATCH 2/7] Add updated intel igb network driver (2.3.4). --- lfs/igb | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ make.sh | 2 ++ 2 files changed, 92 insertions(+) create mode 100644 lfs/igb diff --git a/lfs/igb b/lfs/igb new file mode 100644 index 000000000..522a80123 --- /dev/null +++ b/lfs/igb 
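Review bot: Putting `-A FORWARD -j OUTGOINGFWMAC` ahead of `-A FORWARD -j OUTGOINGFW` means a verdict reached in the MAC chain is now final before any IP-based rule in OUTGOINGFW is consulted, and nothing in the hunk records that precedence for the next person editing this block. `--mac-source` only sees addresses on directly attached segments and the sender chooses them freely, so the MAC chain must not be read as an authentication boundary; I would add above the two jumps `# OUTGOINGFWMAC is evaluated first: a MAC match wins over the IP rules in OUTGOINGFW. MAC addresses are unauthenticated and only meaningful on directly attached networks.` Dropping the INPUT jump also means MAC-based rules no longer apply to traffic addressed to the firewall itself, which the commit message explicitly leaves open; that deserves a `# TODO: decide whether OUTGOINGFWMAC must also be hooked into INPUT` next to the remaining INPUT rules rather than living only in the log. Both chains are populated by config/outgoingfw/outgoingfw.pl, so their actual contents are not visible in this hunk.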
@@ -0,0 +1,90 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2010 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+ifeq "$(XEN)" "1"
+ VERSUFIX = ipfire-xen
+else
+ VERSUFIX = ipfire
+endif
+
+VER = 2.3.4
+
+THISAPP = igb-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = b0ea2a70198746b69392ef935b61454a
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ $(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + #Save original igb module + -mv /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/igb/igb.ko \ + /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/igb/igb.ko.org + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP)/src && make -C /lib/modules/$(KVER)-$(VERSUFIX)/build/ \ + SUBDIRS=$(DIR_APP)/src modules + cd $(DIR_APP)/src && install -m 644 igb.ko \ + /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/igb + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 0dbb0982b..d2f00b75a 100755 --- a/make.sh +++ b/make.sh @@ -355,6 +355,7 @@ buildipfire() { ipfiremake r8101 XEN=1 ipfiremake e1000 XEN=1 ipfiremake e1000e XEN=1 + ipfiremake igb XEN=1 ipfiremake linux ipfiremake kqemu ipfiremake kvm-kmod @@ -370,6 +371,7 @@ buildipfire() { ipfiremake r8101 ipfiremake e1000 ipfiremake e1000e + ipfiremake igb ipfiremake pkg-config ipfiremake linux-atm ipfiremake cpio From 51dcdbc3b94ea73fddd77c73f1a54dded06db7c0 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 5 Sep 2010 12:38:12 +0200 Subject: [PATCH 3/7] Updated strongswan (4.4.1). --- config/rootfiles/common/strongswan | 10 ++++++++-- lfs/strongswan | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index bd0f1dee6..8b9ec78a6 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan 
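Review bot: The only integrity check on the archive that this recipe turns into a kernel module is the `$(DL_FILE)_MD5` line, and `DL_FROM = $(URL_IPFIRE)` fetches a vendored copy from the project mirror rather than from the driver's upstream, so nothing in the recipe ties the tarball back to the release it claims to be. MD5 is collision-prone and the framework offers nothing stronger here, so I would at least record the provenance next to the hash, e.g. `# Vendored copy of the upstream igb 2.3.4 release; re-verify the mirror copy against the upstream checksum before bumping VER`, so the next bump does not simply trust whatever the mirror serves. The `-mv ... igb.ko igb.ko.org` step deliberately ignores failure and leaves a stale copy of the in-tree driver under /lib/modules; it cannot be loaded by name, but it is shipped in the core update, so a comment such as `# keep the in-tree driver as igb.ko.org for manual rollback only` would make the intent explicit. The `$(TARGET)` rule is complete within this hunk; the make.sh hunks only add the build calls.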
@@ -1,5 +1,4 @@ etc/ipsec.conf -etc/ipsec.user.conf #etc/ipsec.d etc/ipsec.d/aacerts etc/ipsec.d/acerts @@ -10,7 +9,6 @@ etc/ipsec.d/ocspcerts etc/ipsec.d/private etc/ipsec.d/reqs etc/ipsec.secrets -etc/ipsec.user.secrets etc/strongswan.conf #usr/lib/libcharon.a #usr/lib/libcharon.la @@ -81,6 +79,9 @@ usr/libexec/ipsec/plugins/libstrongswan-random.so #usr/libexec/ipsec/plugins/libstrongswan-resolve.a #usr/libexec/ipsec/plugins/libstrongswan-resolve.la usr/libexec/ipsec/plugins/libstrongswan-resolve.so +#usr/libexec/ipsec/plugins/libstrongswan-revocation.a +#usr/libexec/ipsec/plugins/libstrongswan-revocation.la +usr/libexec/ipsec/plugins/libstrongswan-revocation.so #usr/libexec/ipsec/plugins/libstrongswan-sha1.a #usr/libexec/ipsec/plugins/libstrongswan-sha1.la usr/libexec/ipsec/plugins/libstrongswan-sha1.so @@ -99,6 +100,9 @@ usr/libexec/ipsec/plugins/libstrongswan-updown.so #usr/libexec/ipsec/plugins/libstrongswan-x509.a #usr/libexec/ipsec/plugins/libstrongswan-x509.la usr/libexec/ipsec/plugins/libstrongswan-x509.so +#usr/libexec/ipsec/plugins/libstrongswan-xauth.a +#usr/libexec/ipsec/plugins/libstrongswan-xauth.la +usr/libexec/ipsec/plugins/libstrongswan-xauth.so #usr/libexec/ipsec/plugins/libstrongswan-xcbc.a #usr/libexec/ipsec/plugins/libstrongswan-xcbc.la usr/libexec/ipsec/plugins/libstrongswan-xcbc.so @@ -136,3 +140,5 @@ usr/sbin/ipsec #usr/share/man/man8/pluto.8 #usr/share/man/man8/scepclient.8 #usr/share/man/man8/starter.8 +etc/ipsec.user.conf +etc/ipsec.user.secrets diff --git a/lfs/strongswan b/lfs/strongswan index 6e8c74780..51fae7773 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 4.4.0 +VER = 4.4.1 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = bfb0f1c8ef1344e1ae8157bdde060fed +$(DL_FILE)_MD5 = b5730083d8d98e71eada2f7aa93f74af install : $(TARGET) 
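Review bot: The list now ships `usr/libexec/ipsec/plugins/libstrongswan-revocation.so`, but whether charon loads it is decided by `etc/strongswan.conf`, which is in the same list and is not touched by this hunk or by the lfs/strongswan bump. In the 4.4.x series CRL/OCSP revocation checking is performed by this plugin rather than by the x509 plugin, so an explicit plugin `load =` list written for an earlier version would keep certificate validation working while silently dropping revocation checks; please confirm after the update that charon's startup log lists `revocation` among the loaded plugins, or note in the commit message that the default plugin set is used. The same applies to the new `libstrongswan-xauth.so`, which only matters if the configuration enables it. The `etc/ipsec.user.conf` and `etc/ipsec.user.secrets` entries are only moved to the end of the list; I see no functional reason for that in the hunk, so one line in the commit message saying why would help.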
From bdc84c9f9221a31d11e364bdf28013ffc30d31a6 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 5 Sep 2010 14:02:26 +0200 Subject: [PATCH 4/7] Add latest changes to core40. --- config/rootfiles/core/40/exclude | 4 ++++ config/rootfiles/core/40/filelists/files | 4 ++++ config/rootfiles/core/40/filelists/strongswan | 1 + doc/packages-list.txt | 5 +++-- 4 files changed, 12 insertions(+), 2 deletions(-) create mode 120000 config/rootfiles/core/40/filelists/strongswan diff --git a/config/rootfiles/core/40/exclude b/config/rootfiles/core/40/exclude index e69de29bb..086e44529 100644 --- a/config/rootfiles/core/40/exclude +++ b/config/rootfiles/core/40/exclude @@ -0,0 +1,4 @@ +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets diff --git a/config/rootfiles/core/40/filelists/files b/config/rootfiles/core/40/filelists/files index 81d9d064c..aee6ea302 100644 --- a/config/rootfiles/core/40/filelists/files +++ b/config/rootfiles/core/40/filelists/files @@ -28,4 +28,8 @@ lib/modules/2.6.32.15-ipfire/kernel/drivers/usb/serial/option.ko lib/modules/2.6.32.15-ipfire-xen/kernel/drivers/usb/serial/option.ko lib/modules/2.6.32.15-ipfire/kernel/drivers/usb/serial/usbserial.ko lib/modules/2.6.32.15-ipfire-xen/kernel/drivers/usb/serial/usbserial.ko +lib/modules/2.6.32.15-ipfire/kernel/drivers/net/igb/igb.ko +lib/modules/2.6.32.15-ipfire/kernel/drivers/net/igb/igb.ko.org +lib/modules/2.6.32.15-ipfire-xen/kernel/drivers/net/igb/igb.ko +lib/modules/2.6.32.15-ipfire-xen/kernel/drivers/net/igb/igb.ko.org usr/sbin/openvpn diff --git a/config/rootfiles/core/40/filelists/strongswan b/config/rootfiles/core/40/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/40/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/doc/packages-list.txt b/doc/packages-list.txt index 5f3ac7ce9..1ffeced0d 100644 --- a/doc/packages-list.txt +++ b/doc/packages-list.txt 
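Review bot: `etc/strongswan.conf` is absent from the new exclude list, while the `filelists/strongswan` symlink added in the same patch pulls the entire common strongswan file list, which contains `etc/strongswan.conf`, into the core 40 update; as a result any local edits to that file are overwritten on upgrade, whereas `ipsec.conf` and `ipsec.secrets` are preserved. If that file is meant to be system-managed on IPFire (I cannot tell from here), say so in the commit message; otherwise add `etc/strongswan.conf` to the exclude list. Conversely, because `etc/ipsec.conf` and `etc/ipsec.secrets` are excluded, any changes the 4.4.1 build makes to those two files will not reach existing installations, which is worth a sentence in the update notes. The `filelists/files` hunk also ships `igb.ko.org` alongside `igb.ko`; that is consistent with the lfs recipe, but the file list gives no hint that it is a rollback copy.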
@@ -148,6 +148,8 @@ * icecream-0.9.4.8 * icegenerator-0.5.5-pre2 * iftop-0.17 +* igb-2.3.4-kmod-2.6.32.15-ipfire +* igb-2.3.4-kmod-2.6.32.15-ipfire-xen * igmpproxy-0.1 * imspector-0.9 * inetutils-1.4.2 @@ -309,7 +311,6 @@ * shadow-4.0.15 * slang-1.4.9 * smartmontools-5.39.1 -* snort-2.8.6 * snort-2.8.6.1 * sox-12.18.1 * spandsp-0.0.6pre12 @@ -322,7 +323,7 @@ * sshfs-fuse-2.2 * sslh-1.7a * streamripper-1.63.5 -* strongswan-4.4.0 +* strongswan-4.4.1 * sudo-1.6.8p12 * sysfsutils-1.3.0 * sysklogd-1.5 From aa8245cbd54e3ba68903580381de4d60816606c5 Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Sun, 5 Sep 2010 17:18:43 +0200 Subject: [PATCH 5/7] Be a little more robust. --- config/outgoingfw/outgoingfw.pl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl index e2f9093f0..8d4d27d31 100644 --- a/config/outgoingfw/outgoingfw.pl +++ b/config/outgoingfw/outgoingfw.pl @@ -153,12 +153,12 @@ foreach $configentry (sort @configs) } elsif ($configline[2] eq 'ip') { @SOURCE = ("$configline[5]"); $DEV = ""; - } elsif ($configline[2] eq 'all') { - @SOURCE = ("0/0"); - $DEV = ""; } elsif ($configline[2] eq 'mac') { @SOURCE = ("$configline[6]"); $DEV = ""; + } elsif ($configline[2] eq 'all') { + @SOURCE = ("0/0"); + $DEV = ""; } else { if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) { @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; @@ -189,7 +189,7 @@ foreach $configentry (sort @configs) if ( $SOURCE eq "" ){next;} - if ( $configline[6] ne "" || $configline[2] eq 'mac' ){ + if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){ $SOURCE =~ s/[^a-zA-Z0-9]/:/gi; $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO"; } else { From 7e5a976c9de73e5af2a29ec6bfae5d084f511fcd Mon Sep 17 00:00:00 2001 
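Review bot: The value that reaches `--mac-source $SOURCE` in the second hunk's `$CMD` string is never validated as a MAC address: `s/[^a-zA-Z0-9]/:/gi` only neutralises characters that could break the later shell invocation, so a stale or malformed column 6 still produces an iptables command that fails at apply time instead of being skipped. I would reject anything that is not six hex pairs before building the command, placing `$SOURCE = lc $SOURCE;` and `next unless $SOURCE =~ /^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$/;` just before the `$CMD =` assignment, with a logged warning for the skipped entry. `$DESTINATION` and `$PROTO` are interpolated into the same string with no cleanup at all; they are presumably constrained by the CGI that writes the config file, but the generator should not rely on that. The new `&& $configline[2] ne 'all'` clause also changes how an existing entry with source type all and a leftover MAC in column 6 is rendered: it now becomes an any-source rule rather than, as far as I can tell, a MAC rule that iptables would have rejected, which matches the apparent intent of 'all' but widens those entries and deserves a line in the commit message. The enclosing `foreach` loop and the `$SOURCE` assignment start above the hunk.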
From: Christian Schmidt Date: Mon, 6 Sep 2010 08:46:59 +0200 Subject: [PATCH 6/7] Remove SIP und SMAC if SNET is set to all, this avoids some false rules. --- html/cgi-bin/outgoingfw.cgi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi index 07fcb39cb..27a8927e6 100644 --- a/html/cgi-bin/outgoingfw.cgi +++ b/html/cgi-bin/outgoingfw.cgi @@ -310,6 +310,11 @@ if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'}) if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'}) { if ( $outfwsettings{'VALID'} eq 'yes' ) { + + if ( $outfwsettings{'SNET'} eq "all" ) { + $outfwsettings{'SIP'} =""; + $outfwsettings{'SMAC'}=""; + } open( FILE, ">> $configfile" ) or die "Unable to write $configfile"; print FILE < Date: Mon, 6 Sep 2010 22:35:44 +0200 Subject: [PATCH 7/7] Increased /var/lock to 8MB. Fix typo at core uptater. --- config/etc/fstab | 2 +- config/rootfiles/core/40/update.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/etc/fstab b/config/etc/fstab index c0f98b3a4..4860d6f94 100644 --- a/config/etc/fstab +++ b/config/etc/fstab @@ -10,5 +10,5 @@ sysfs /sys sysfs defaults 0 0 devpts /dev/pts devpts gid=4,mode=620 0 0 #none /tmp tmpfs defaults 0 0 none /var/log/rrd tmpfs defaults,size=64M 0 0 -none /var/lock tmpfs defaults,size=2M 0 0 +none /var/lock tmpfs defaults,size=8M 0 0 none /var/run tmpfs defaults,size=2M 0 0 diff --git a/config/rootfiles/core/40/update.sh b/config/rootfiles/core/40/update.sh index 88c067dfd..fa420c16c 100644 --- a/config/rootfiles/core/40/update.sh +++ b/config/rootfiles/core/40/update.sh @@ -45,7 +45,7 @@ perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" # Change var lock size to 8MB grep -v "/var/lock" /etc/fstab > /tmp/fstab.tmp mv /tmp/fstab.tmp /etc/fstab -echo non /var/lock tmpfs defaults,size=8M 0 0 >> /etc/fstab +echo none /var/lock tmpfs defaults,size=8M 0 0 >> /etc/fstab #Rebuild module dep's
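Review bot: The typo fix is right, but the fstab rewrite around it in update.sh goes through a predictable path in a world-writable directory: `grep -v "/var/lock" /etc/fstab > /tmp/fstab.tmp` followed by `mv /tmp/fstab.tmp /etc/fstab` runs as root and will follow a pre-existing symlink or reuse a pre-placed file at `/tmp/fstab.tmp`, and the `mv` becomes a non-atomic copy if /tmp is ever mounted separately. Write the temporary file next to the target and only replace on success, e.g. `grep -v "/var/lock" /etc/fstab > /etc/fstab.tmp && mv /etc/fstab.tmp /etc/fstab`, or avoid the temporary file entirely with `sed -i 's|^none /var/lock tmpfs defaults,size=2M 0 0$|none /var/lock tmpfs defaults,size=8M 0 0|' /etc/fstab`. Note also that the substring match `/var/lock` removes every line containing it, including any administrator-added mount below that path; anchoring the pattern to the tmpfs entry avoids that. The rest of update.sh is outside the hunk.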