From ccf19569ab72b6b53b9e5f89003f7af971fbe8ab Mon Sep 17 00:00:00 2001
From: Jon Murphy
Date: Sun, 5 Dec 2021 00:46:20 +0100
Subject: [PATCH 1/5] manualpages: Complete the list of user manual pages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Jon Murphy gathered all the links and made the updated file available on the mailing list: https://lists.ipfire.org/pipermail/development/2021-October/011383.html https://lists.ipfire.org/pipermail/development/2021-December/011737.html With kind permission from him, this patch contains the completed list. The list was successfully checked with "./make.sh check-manualpages".
Signed-off-by: Leo-Andres Hofmann
Reported-by: Jon Murphy
Reviewed-by: Peter Müller
Signed-off-by: Arne Fitzenreiter
---
 config/cfgroot/manualpages | 83 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 79 insertions(+), 4 deletions(-)
diff --git a/config/cfgroot/manualpages b/config/cfgroot/manualpages
index e5ab1a13c..97246e6f0 100644
--- a/config/cfgroot/manualpages
+++ b/config/cfgroot/manualpages
@@ -1,7 +1,82 @@
-# User manual base URL (without trailing slash)
-BASE_URL=https://wiki.ipfire.org
+# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page])
-# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page])
+# Base URL (without trailing slash)
+BASE_URL=https://wiki.ipfire.org
 index=configuration/system/startpage
-pppsetup=configuration/system/dial
+
+# System menu
+index=configuration/system/startpage
+mail=configuration/system/mail_service
+remote=configuration/system/ssh
+backup=configuration/system/backup
+gui=configuration/system/userinterface
+fireinfo=fireinfo
+vulnerabilities=configuration/system/vulnerabilities
+shutdown=configuration/system/shutdown
+credits=configuration/system/credits
+
+# Status menu
+system=configuration/status/system
+memory=configuration/status/memory
+services=configuration/status/services
+media=configuration/status/drives
+netexternal=configuration/status/network_ext
+netinternal=configuration/status/network_int
+netother=configuration/status/network_int
+netovpnrw=configuration/status/network_ovpnrw
+#netovpnsrv=
+hardwaregraphs=configuration/status/hardware_diagrams
+entropy=configuration/status/entropy
+connections=configuration/status/connections
+traffic=configuration/status/nettraffic
+#mdstat=
+
+# Network menu
+zoneconf=configuration/network/zoneconf
+dns=dns
+proxy=configuration/network/proxy
+urlfilter=configuration/network/proxy/url-filter
+#updatexlrator=configuration/network/proxy/update_accelerator
+dhcp=configuration/network/dhcp
+captive=configuration/network/captive
+connscheduler=configuration/network/connectionscheduler
+hosts=configuration/network/hosts
+dnsforward=configuration/network/dnsforward
+routing=configuration/network/static
+mac=configuration/network/mac-address
+wakeonlan=configuration/network/wake-on-lan
+
+# Services menu
+vpnmain=configuration/services/ipsec
+ovpnmain=configuration/services/openvpn
+ddns=configuration/services/dyndns
+time=configuration/services/ntp
 qos=configuration/services/qos
+extrahd=configuration/services/extrahd
+
+# Firewall menu
+firewall=configuration/firewall
+fwhosts=configuration/firewall/fwgroups
+optionsfw=configuration/firewall/options
+ids=configuration/firewall/ips
+p2p-block=configuration/firewall/p2p-block
+location-block=configuration/firewall/geoip-block
+wireless=configuration/firewall/accesstoblue
+iptables=configuration/firewall/iptables
+
+# IPfire menu
+pakfire=configuration/ipfire/pakfire
+
+# Logs menu
+summary=configuration/logs/summary
+config=configuration/logs/logsettings
+proxylog=configuration/logs/proxy
+calamaris=configuration/logs/proxyreports
+firewalllog=configuration/logs/firewall
+firewalllogip=configuration/logs/firewall-ip
+firewalllogport=configuration/logs/firewall-port
+firewalllogcountry=configuration/logs/firewall-country
+ids=configuration/logs/ips
+#ovpnclients=
+urlfilter=configuration/logs/url-filter
+log=configuration/logs/system
From 3b1482e9394447343a3a0cfb9e2f9ec9b5f95626 Mon Sep 17 00:00:00 2001
From: Adolf Belka
Date: Mon, 6 Dec 2021 18:01:32 +0100
Subject: [PATCH 2/5] pcengines-apu-firmware: Update to version 4.15.0.1
- Update from 4.14.0.4 to 4.15.0.1
- Update of rootfile
- Changelog
v4.15.0.1 rebased with official coreboot repository commit 6973a3e7
v4.14.0.6 rebased with official coreboot repository commit d06c0917
Re-added GPIO bindings to fix LED and button functionality
v4.14.0.5 rebased with official coreboot repository commit d4c55353
Updated CPU declarations in ACPI to comply with newer ACPI standard
Removed GPIO bindings to fix conflict with OS drivers
Signed-off-by: Adolf Belka
Reviewed-by: Michael Tremer
Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/packages/pcengines-apu-firmware | 12 ++++++------
 lfs/pcengines-apu-firmware | 16 ++++++++--------
 2 files changed, 14 insertions(+), 14 deletions(-)
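Review bot: The completed list defines `ids=` and `urlfilter=` twice with different targets (`ids=configuration/firewall/ips` under the Firewall menu versus `ids=configuration/logs/ips` under Logs, and `urlfilter=configuration/network/proxy/url-filter` versus `urlfilter=configuration/logs/url-filter`), and the old `index=configuration/system/startpage` appears to survive as a context line directly above its new copy under `# System menu`. In a flat `[cgi basename]=[path/to/page]` file only one value per key can be kept, so whichever of the two entries the reader honours will send the other CGI to the wrong manual page, and the header comment does not say whether the first or the last occurrence wins. Either keep one entry per basename or state the rule in the header, e.g. `# Keys must be unique; a later entry overrides an earlier one`, and drop the leftover `index=` line together with the other replaced entries.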
diff --git a/config/rootfiles/packages/pcengines-apu-firmware b/config/rootfiles/packages/pcengines-apu-firmware
index 3ae4e74e9..de4f03efa 100644
--- a/config/rootfiles/packages/pcengines-apu-firmware
+++ b/config/rootfiles/packages/pcengines-apu-firmware
@@ -1,8 +1,8 @@
 #lib/firmware/pcengines
 #lib/firmware/pcengines/apu
-lib/firmware/pcengines/apu/apu1_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu2_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu3_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu4_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu5_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu6_v4.14.0.4.rom
+lib/firmware/pcengines/apu/apu1_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu2_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu3_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu4_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu5_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu6_v4.15.0.1.rom
diff --git a/lfs/pcengines-apu-firmware b/lfs/pcengines-apu-firmware
index 0224b028f..c6729772b 100644
--- a/lfs/pcengines-apu-firmware
+++ b/lfs/pcengines-apu-firmware
@@ -24,14 +24,14 @@ include Config
-VER = 4.14.0.4
+VER = 4.15.0.1
 THISAPP = pcengines-apu-firmware-$(VER)
 DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = pcengines-apu-firmware
-PAK_VER = 9
+PAK_VER = 10
 SUP_ARCH = i586 x86_64
 DEPS = firmware-update
@@ -55,12 +55,12 @@ apu4_v$(VER).rom = $(DL_FROM)/apu4_v$(VER).rom
 apu5_v$(VER).rom = $(DL_FROM)/apu5_v$(VER).rom
 apu6_v$(VER).rom = $(DL_FROM)/apu6_v$(VER).rom
-apu1_v$(VER).rom_MD5 = e60ce8d903cb1e301aae1160aa8413cd
-apu2_v$(VER).rom_MD5 = 00da67aecd00e7479f0194ccc4ee5739
-apu3_v$(VER).rom_MD5 = 4f935c61fc4274c0b427d16d6aa0049a
-apu4_v$(VER).rom_MD5 = 3aed8f5e1e543a3912c808fe68067dde
-apu5_v$(VER).rom_MD5 = c39dbf45aa630c273fcace35fbc6324e
-apu6_v$(VER).rom_MD5 = b81f9da0f39b355344b602868b2ddcff
+apu1_v$(VER).rom_MD5 = 6b53385232624d48ec7c8fc7f0390413
+apu2_v$(VER).rom_MD5 = 062b6fe09e22077b7155f3eb3bf8ec34
+apu3_v$(VER).rom_MD5 = caa7a5b8d4977de9e4135ab1bc1d15dd
+apu4_v$(VER).rom_MD5 = ffc0f94f2d9c6c25e1d53e0386fbd20b
+apu5_v$(VER).rom_MD5 = e63e1f3392a414942ca65cfa46868665
+apu6_v$(VER).rom_MD5 = 9264657ad3fca49101b28901cf65f4bf
 install : $(TARGET)
From 74070fe153775dbe975e77fa54f0a9733cea8e50 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 8 Dec 2021 18:10:30 +0100
Subject: [PATCH 3/5] suricata: Move default loaded rulefiles to own included file.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stefan Schantl
Acked-by: Michael Tremer
Reviewed-by: Peter Müller
Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/common/suricata | 1 +
 config/suricata/suricata-default-rules.yaml | 22 ++++++++++++++++++
 config/suricata/suricata.yaml | 25 ++++----------------
 lfs/suricata | 3 +++
 4 files changed, 30 insertions(+), 21 deletions(-)
 create mode 100644 config/suricata/suricata-default-rules.yaml
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index ff31ec7d2..41193f4ea 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -37,6 +37,7 @@ usr/share/suricata
 #usr/share/suricata/rules/smtp-events.rules
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
+var/ipfire/suricata/suricata-default-rules.yaml
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml
new file mode 100644
index 000000000..d13aa622a
--- /dev/null
+++ b/config/suricata/suricata-default-rules.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+# Default rules which helps
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http2-events.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/mqtt-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 0ad36e705..b4a188d40 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -46,28 +46,11 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
- # Default rules
- - /usr/share/suricata/rules/app-layer-events.rules
- - /usr/share/suricata/rules/decoder-events.rules
- - /usr/share/suricata/rules/dhcp-events.rules
- - /usr/share/suricata/rules/dnp3-events.rules
- - /usr/share/suricata/rules/dns-events.rules
- - /usr/share/suricata/rules/files.rules
- - /usr/share/suricata/rules/http2-events.rules
- - /usr/share/suricata/rules/http-events.rules
- - /usr/share/suricata/rules/ipsec-events.rules
- - /usr/share/suricata/rules/kerberos-events.rules
- - /usr/share/suricata/rules/modbus-events.rules
- - /usr/share/suricata/rules/mqtt-events.rules
- - /usr/share/suricata/rules/nfs-events.rules
- - /usr/share/suricata/rules/ntp-events.rules
- - /usr/share/suricata/rules/smb-events.rules
- - /usr/share/suricata/rules/smtp-events.rules
- - /usr/share/suricata/rules/stream-events.rules
- - /usr/share/suricata/rules/tls-events.rules
- # Include enabled ruleset files from external file
- - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+ include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+ # Include default rules.
+ include: /var/ipfire/suricata/suricata-default-rules.yaml
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
diff --git a/lfs/suricata b/lfs/suricata
index f5b68da8f..96c2b33fe 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Install IPFire related config file.
 install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
+ # Install yaml file for loading default rules.
+ install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
+
 # Create emtpy rules directory.
 -mkdir -p /var/lib/suricata
From f23e0e5a7f860f6c8c15a9cecacadc9fa745651e Mon Sep 17 00:00:00 2001
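Review bot: The removed line `# Include enabled ruleset files from external file` has no counterpart on the new side, so the first `include: /var/ipfire/suricata/suricata-used-rulefiles.yaml` under `rule-files:` is now undocumented while the second include keeps its `# Include default rules.` note; restoring a comment such as `# Include the ruleset files enabled in the web interface.` above it keeps the two entries symmetric. Both `include:` entries are also siblings under the same `rule-files:` mapping; Suricata's own configuration loader is documented to accept repeated `include:` keys, but a generic YAML parser would treat the second one as a duplicate key, which is worth a one-line comment for anyone validating this file outside Suricata.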
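Review bot: The new `install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata` grants group write on a file that decides which rule files Suricata loads, while `suricata.yaml` two lines above is installed with `-m 0644`. Unlike `suricata-used-rulefiles.yaml`, nothing visible in this series writes the default-rules file at runtime, so it can be installed read-only for everyone but root: `install -m 0644 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata`. If the group bit is deliberate because the web interface is expected to edit this file later, the recipe comment `# Install yaml file for loading default rules.` should say so. The `$(TARGET)` recipe continues outside the hunk on both sides.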
From: Stefan Schantl
Date: Wed, 8 Dec 2021 18:10:31 +0100
Subject: [PATCH 4/5] suricata: Cleanup default loaded rules file.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There are no such rules file available and therefore cannot be loaded.
Signed-off-by: Stefan Schantl
Reviewed-by: Michael Tremer
Reviewed-by: Peter Müller
Signed-off-by: Arne Fitzenreiter
---
 config/suricata/suricata-default-rules.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml
index d13aa622a..64493e462 100644
--- a/config/suricata/suricata-default-rules.yaml
+++ b/config/suricata/suricata-default-rules.yaml
@@ -8,12 +8,10 @@
  - /usr/share/suricata/rules/dnp3-events.rules
  - /usr/share/suricata/rules/dns-events.rules
  - /usr/share/suricata/rules/files.rules
- - /usr/share/suricata/rules/http2-events.rules
  - /usr/share/suricata/rules/http-events.rules
  - /usr/share/suricata/rules/ipsec-events.rules
  - /usr/share/suricata/rules/kerberos-events.rules
  - /usr/share/suricata/rules/modbus-events.rules
- - /usr/share/suricata/rules/mqtt-events.rules
  - /usr/share/suricata/rules/nfs-events.rules
  - /usr/share/suricata/rules/ntp-events.rules
  - /usr/share/suricata/rules/smb-events.rules
From 65d5ec52ce288bdffd9e989581e3b638dc948210 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 8 Dec 2021 18:18:05 +0100
Subject: [PATCH 5/5] suricata: Disable sid 2210059.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This rule emits a massive logspam and temporary will be disabled until a better solution is found.
Fixes #12738.
Signed-off-by: Stefan Schantl
Reviewed-by: Michael Tremer
Reviewed-by: Peter Müller
Signed-off-by: Arne Fitzenreiter
---
 lfs/suricata | 1 +
 src/patches/suricata-disable-sid-2210059.patch | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 src/patches/suricata-disable-sid-2210059.patch
diff --git a/lfs/suricata b/lfs/suricata
index 96c2b33fe..6a24a02ab 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -71,6 +71,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch
 cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
 --prefix=/usr \
 --sysconfdir=/etc \
diff --git a/src/patches/suricata-disable-sid-2210059.patch b/src/patches/suricata-disable-sid-2210059.patch
new file mode 100644
index 000000000..54747dfd2
--- /dev/null
+++ b/src/patches/suricata-disable-sid-2210059.patch
@@ -0,0 +1,12 @@
+diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules
+--- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100
++++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100
+@@ -89,7 +89,7 @@
+ # rule to alert if a stream has excessive retransmissions
+ alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
+ # Packet on wrong thread. Fires at most once per flow.
+-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
++#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+
+ # Packet with FIN+SYN set
+ alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
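Review bot: The added `cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch` line bakes the disabled signature into the shipped `rules/stream-events.rules`, but the patch file created in the next hunk carries no explanation, so the `temporary` intent and the `#12738` reference from the commit message survive only in git history. A short header at the top of `src/patches/suricata-disable-sid-2210059.patch` (why the rule is silenced, the issue number, and what would allow re-enabling it) would keep the workaround discoverable when the next Suricata update makes the patch fail to apply. Since the silenced alert (`# Packet on wrong thread. Fires at most once per flow.`) appears to be an engine-health indicator rather than a threat signature, a runtime suppression such as `suppress gen_id 1, sig_id 2210059` in Suricata's `threshold.config` would achieve the same quieting while leaving the upstream rule file untouched and remaining reversible without a rebuild. The `$(TARGET)` recipe continues outside the hunk on both sides.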