Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into monit

2026-04-25 18:32:57 +02:00 · 2014-10-15 22:38:13 +02:00
parent 7ce49ff074 6c4319a1b8
commit 5ae99dd2d1
280 changed files with 29981 additions and 6966 deletions
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -64,16 +64,20 @@ iptables_init() {
 	iptables -A BADTCP -i lo -j RETURN

 	# Disallow packets frequently used by port-scanners
-	# nmap xmas
-	iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH  -j PSCAN
-	# Null
-	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
-	# FIN
+	# NMAP FIN/URG/PSH (XMAS scan)
+	iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+	# SYN/RST/ACK/FIN/URG
+	iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+	# ALL/ALL
+	iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+	# FIN Stealth
 	iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
 	# SYN/RST (also catches xmas variants that set SYN+RST+...)
 	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
 	# SYN/FIN (QueSO or nmap OS probe)
 	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+	# Null
+	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
 	# NEW TCP without SYN
 	iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN

@@ -83,6 +87,7 @@ iptables_init() {
 	# Connection tracking chain
 	iptables -N CONNTRACK
 	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP

 	# Fix for braindead ISP's
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -254,20 +259,6 @@ iptables_init() {
 	iptables -t nat -N REDNAT
 	iptables -t nat -A POSTROUTING -j REDNAT

-	# Filter logging of incoming broadcasts.
-	iptables -N BROADCAST_FILTER
-	iptables -A INPUT -j BROADCAST_FILTER
-
-	iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
-
-	if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
-		iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
-	fi
-
-	if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
-		iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
-	fi
-
 	# Apply OpenVPN firewall rules
 	/usr/local/bin/openvpnctrl --firewall-rules

@@ -286,10 +277,16 @@ iptables_init() {
 	/usr/sbin/firewall-policy

 	# Install firewall rules for the red interface.
-	iptables_red
+	iptables_red_up
+
+	# If red has not been brought up yet, we will
+	# add the blocking rules for MASQUERADE
+	if [ ! -e "/var/ipfire/red/active" ]; then
+		iptables_red_down
+	fi
 }

-iptables_red() {
+iptables_red_up() {
 	iptables -F REDINPUT
 	iptables -F REDFORWARD
 	iptables -t nat -F REDNAT
@@ -336,10 +333,45 @@ iptables_red() {
 		# Outgoing masquerading (don't masqerade IPSEC (mark 50))
 		iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN

-		if [ "$IFACE" != "$GREEN_DEV" ]; then
-			iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+		if [ "$IFACE" = "$GREEN_DEV" ]; then
+			MASQUERADE_GREEN="off"
 		fi

+		local NO_MASQ_NETWORKS
+
+		if [ "${MASQUERADE_GREEN}" = "off" ]; then
+			NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
+		fi
+
+		if [ "${MASQUERADE_BLUE}" = "off" ]; then
+			NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
+		fi
+
+		if [ "${MASQUERADE_ORANGE}" = "off" ]; then
+			NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
+		fi
+
+		local network
+		for network in ${NO_MASQ_NETWORKS}; do
+			iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
+		done
+
+		# Masquerade everything else
+		iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+	fi
+
+	# Reload all rules.
+	/usr/local/bin/firewallctrl
+}
+
+iptables_red_down() {
+	# Prohibit packets to reach the masquerading rule
+	# while the wan interface is down - this is required to
+	# circumvent udp related NAT issues
+	# http://forum.ipfire.org/index.php?topic=11127.0
+	if [ -n "${IFACE}" ]; then
+		iptables -F REDFORWARD
+		iptables -A REDFORWARD -o "${IFACE}" -j DROP
 	fi

 	# Reload all rules.
@@ -370,27 +402,18 @@ case "$1" in
 	boot_mesg "Setting up firewall"
 	iptables_init
 	evaluate_retval
-
-	# run local firewall configuration, if present
-	if [ -x /etc/sysconfig/firewall.local ]; then
-		/etc/sysconfig/firewall.local start
-	fi
 	;;
-  reload)
+  reload|up)
 	boot_mesg "Reloading firewall"
-	iptables_red
+	iptables_red_up
+	evaluate_retval
+	;;
+  down)
+	boot_mesg "Disabling firewall access to RED"
+	iptables_red_down
 	evaluate_retval
-
-	# run local firewall configuration, if present
-	if [ -x /etc/sysconfig/firewall.local ]; then
-		/etc/sysconfig/firewall.local reload
-	fi
 	;;
  restart)
-	# run local firewall configuration, if present
-	if [ -x /etc/sysconfig/firewall.local ]; then
-		/etc/sysconfig/firewall.local stop
-	fi
 	$0 start
 	;;
  *)
--- a/src/initscripts/init.d/minidlna
+++ b/src/initscripts/init.d/minidlna
@@ -16,17 +16,17 @@
 case "${1}" in
 	start)
 		boot_mesg "Starting minidlna..."
-		loadproc /usr/sbin/minidlna
+		loadproc /usr/sbin/minidlnad
 		;;

 	stop)
 		boot_mesg "Stopping minidlna..."
-		killproc /usr/sbin/minidlna
+		killproc /usr/sbin/minidlnad
 		;;

 	reload)
 		boot_mesg "Reloading minidlna..."
-		reloadproc /usr/sbin/minidlna
+		reloadproc /usr/sbin/minidlnad
 		;;

 	restart)
@@ -36,7 +36,7 @@ case "${1}" in
 		;;

 	status)
-		statusproc /usr/sbin/minidlna
+		statusproc /usr/sbin/minidlnad
 		;;

 	*)
--- a/src/initscripts/init.d/network
+++ b/src/initscripts/init.d/network
@@ -18,7 +18,6 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

 init_networking() {
 	/etc/rc.d/init.d/dnsmasq start
-	/etc/rc.d/init.d/static-routes start
 }

 DO="${1}"
@@ -26,7 +25,7 @@ shift

 if [ -n "${1}" ]; then
 	ALL=0
-	for i in green red blue orange; do      
+	for i in green red blue orange; do
 		eval "${i}=0"
 	done
 else
@@ -68,7 +67,9 @@ case "${DO}" in
 				rm -f /var/ipfire/red/{active,device,dial-on-demand,dns1,dns2,local-ipaddress,remote-ipaddress,resolv.conf}
 				[ "$AUTOCONNECT" == "off" ] || /etc/rc.d/init.d/networking/red start
 			fi
-		fi                           
+		fi
+
+		/etc/rc.d/init.d/static-routes start
 		;;

 	stop)
--- a/src/initscripts/init.d/networking/red.down/20-firewall
+++ b/src/initscripts/init.d/networking/red.down/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall down
--- a/src/initscripts/init.d/networking/red.up/20-firewall
+++ b/src/initscripts/init.d/networking/red.up/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall up
--- a/src/initscripts/init.d/rngd
+++ b/src/initscripts/init.d/rngd
@@ -28,12 +28,18 @@ case "${1}" in
 		fi

 		boot_mesg "Starting Random Number Generator Daemon..."
-		loadproc /usr/sbin/rngd --no-tpm=1
+
+		if pidofproc /usr/sbin/rngd &>/dev/null; then
+			# Is already running.
+			echo_ok
+		else
+			loadproc /usr/sbin/rngd --no-tpm=1
+		fi
 		;;

 	stop)
 		boot_mesg "Stopping Random Number Generator Daemon..."
-		killproc /usr/sbin/rngd
+		killproc -p /var/run/rngd.pid /usr/sbin/rngd
 		;;

 	restart)
--- a/src/initscripts/init.d/samba
+++ b/src/initscripts/init.d/samba
@@ -4,19 +4,28 @@
 # Based on sysklogd script from LFS-3.1 and earlier.
 # Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org

-#$LastChangedBy: bdubbs $
-#$Date: 2005-08-01 14:29:19 -0500 (Mon, 01 Aug 2005) $
-
 . /etc/sysconfig/rc
 . $rc_functions

+function fix_permissions() {
+	local lockdir="/var/lib/samba/winbindd_privileged"
+
+	chmod 750 "${lockdir}"
+	chgrp wbpriv "${lockdir}"
+}
+
 case "$1" in
 	start)
+		fix_permissions
+
 		boot_mesg "Starting nmbd..."
 		loadproc /usr/sbin/nmbd -D

 		boot_mesg "Starting smbd..."
 		loadproc /usr/sbin/smbd -D
+
+		boot_mesg "Starting winbind..."
+		loadproc /usr/sbin/winbindd
 		;;

 	stop)
@@ -25,6 +34,9 @@ case "$1" in

 		boot_mesg "Stopping nmbd..."
 		killproc -p /var/run/nmbd.pid /usr/sbin/nmbd
+
+		boot_mesg "Stopping winbind..."
+		killproc -p /var/run/winbindd.pid /usr/sbin/winbindd
                ;;

 	reload)
@@ -33,6 +45,9 @@ case "$1" in

 		boot_mesg "Reloading nmbd..."
 		reloadproc /usr/sbin/nmbd
+
+		boot_mesg "Reloading winbind..."
+		reloadproc /usr/sbin/winbindd
 		;;

 	restart)
@@ -44,6 +59,7 @@ case "$1" in
 	status)
 		statusproc /usr/sbin/nmbd
 		statusproc /usr/sbin/smbd
+		statusproc /usr/sbin/winbindd
 		;;

 	*)
--- a/src/initscripts/init.d/winbind
+++ b/src/initscripts/init.d/winbind
@@ -1,50 +0,0 @@
-#!/bin/bash
-# Begin $rc_base/init.d/winbind
-
-# Based on sysklogd script from LFS-3.1 and earlier.
-# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
-
-#$LastChangedBy: bdubbs $
-#$Date: 2005-08-01 14:29:19 -0500 (Mon, 01 Aug 2005) $
-
-. /etc/sysconfig/rc
-. $rc_functions
-
-PIDFILE="/var/run/winbindd.pid"
-KILLDELAY="10"
-
-case "$1" in
-
-        start)
-                boot_mesg "Starting winbind..."
-                loadproc /usr/sbin/winbindd
-                ;;
-
-        stop)
-                boot_mesg "Stopping winbind..."
-		killproc -p ${PIDFILE} /usr/sbin/winbind
-		;;
-
-	reload)
-		boot_mesg "Reloading winbind..."
-		reloadproc /usr/sbin/winbindd
-		;;
-
-        restart)
-                $0 stop
-                sleep 1
-                $0 start
-                ;;
-
-        status)
-                statusproc /usr/sbin/winbindd
-                ;;
-
-        *)
-                echo "Usage: $0 {start|stop|reload|restart|status}"
-                exit 1
-                ;;
-
-esac
-
-# End $rc_base/init.d/winbind