Merge remote-tracking branch 'origin/next' into install-raid

Michael Tremer
2014-08-20 21:46:49 +02:00
273 changed files with 32959 additions and 2113 deletions


@@ -71,6 +71,13 @@ create_files() {
case "${1}" in
start)
if [[ ! -L "/var/run" ]]; then
boot_mesg "Repair /var/run symlink to /run..."
mv -u /var/run/* /run/ 2>&1 > /dev/null
rm -rf /var/run
ln -s ../run /var/run
fi
boot_mesg -n "Cleaning file systems:" ${INFO}
boot_mesg -n " /tmp" ${NORMAL}
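Review bot: The redirections on `mv -u /var/run/* /run/ 2>&1 > /dev/null` are in the wrong order: `2>&1` points stderr at the current stdout before stdout is sent to /dev/null, so error messages still reach the console and only the (empty) stdout is silenced; the usual form is `mv -u /var/run/* /run/ > /dev/null 2>&1`. The unquoted glob also skips dotfiles, which the following `rm -rf /var/run` then discards, so if anything under /var/run may start with a dot it needs `shopt -s dotglob` (the hunk already uses `[[`, so bash is assumed) or a second move before the rm. The enclosing `case` starts and ends outside the hunk.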

53
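--- /dev/null
+++ b/src/initscripts/init.d/dhcrelay
@@ -0,0 +1,53 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/dhcrelay
+#
+# Description : The DHCP Relay Daemon
+#
+########################################################################
+. /etc/sysconfig/rc
+. ${rc_functions}
+CONFIG_FILE="/var/ipfire/dhcp/relay"
+if [ -r "${CONFIG_FILE}" ]; then
+eval $(/usr/local/bin/readhash ${CONFIG_FILE})
+fi
+ARGS="-q"
+for interface in ${INTERFACES}; do
+ARGS="${ARGS} -i ${interface}"
+done
+ARGS="${ARGS} ${SERVERS}"
+case "${1}" in
+start)
+boot_mesg "Starting DHCP Relay..."
+loadproc /usr/sbin/dhcrelay ${ARGS}
+;;
+stop)
+boot_mesg "Stopping DHCP Relay..."
+killproc -p /var/run/dhcrelay.pid /usr/sbin/dhcrelay
+;;
+restart)
+${0} stop
+sleep 1
+${0} start
+;;
+status)
+statusproc /usr/sbin/dhcrelay
+;;
+*)
+echo "Usage: ${0} {start|stop|restart|status}"
+exit 1
+;;
+esac
+# End $rc_base/init.d/dhcrelay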
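Review bot: `eval $(/usr/local/bin/readhash ${CONFIG_FILE})` executes whatever readhash emits, so this script's safety rests entirely on readhash turning the relay config (presumably written by the web interface) into shell-safe `KEY=value` assignments; that trust boundary deserves a comment above the line, e.g. `# readhash must emit only sanitized KEY=value pairs; the config is written by the web UI`. `SERVERS` is appended to ARGS with no check that it is non-empty, so an empty relay configuration still reaches `loadproc /usr/sbin/dhcrelay`; a guard in the `start)` arm such as `[ -n "${SERVERS}" ] || exit 1` after `boot_mesg` would fail clearly instead of leaving it to the daemon. The `stop)` arm relies on `/var/run/dhcrelay.pid` existing although start does not pass a pidfile option, which is only correct if that is dhcrelay's default — worth confirming.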


@@ -20,7 +20,20 @@ if [ -e "/etc/sysconfig/dnsmasq" ]; then
. /etc/sysconfig/dnsmasq
fi
CACHE_SIZE=2500
ENABLE_DNSSEC=1
SHOW_SRV=1
TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
function dnssec_args() {
local cmdline="--dnssec"
if [ -n "${TRUST_ANCHOR}" ]; then
cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"
fi
echo "${cmdline}"
}
function dns_forward_args() {
local file="${1}"
@@ -41,7 +54,6 @@ function dns_forward_args() {
echo "${cmdline}"
}
case "${1}" in
start)
# kill already running copy of dnsmasq...
@@ -73,6 +85,15 @@ case "${1}" in
# Add custom forward dns zones.
ARGS="${ARGS} $(dns_forward_args /var/ipfire/dnsforward/config)"
# Enabled DNSSEC validation
if [ "${ENABLE_DNSSEC}" -eq 1 ]; then
ARGS="${ARGS} $(dnssec_args)"
fi
if [ -n "${CACHE_SIZE}" ]; then
ARGS="${ARGS} --cache-size=${CACHE_SIZE}"
fi
loadproc /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases $ARGS
if [ "${SHOW_SRV}" -eq 1 ] && [ "${DNS1}" != "" -o "${DNS2}" != "" ]; then
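Review bot: In the first hunk the new defaults `CACHE_SIZE=2500`, `ENABLE_DNSSEC=1`, `SHOW_SRV=1` and `TRUST_ANCHOR=...` are assigned after `/etc/sysconfig/dnsmasq` has been sourced, so any value an administrator puts in that file is overwritten and the DNSSEC toggle cannot actually be switched off from the config; either move the four assignments above the `if [ -e "/etc/sysconfig/dnsmasq" ]` block or write them as defaults, e.g. `CACHE_SIZE="${CACHE_SIZE:-2500}"`. The hard-coded `TRUST_ANCHOR` appears to be the root zone DS record (key tag 19036) and will silently break validation on a root KSK rollover, which is worth a comment next to it. In the third hunk `[ "${ENABLE_DNSSEC}" -eq 1 ]` is an error if the variable is set but empty; `[ "${ENABLE_DNSSEC}" = "1" ]` is the safer test. `dns_forward_args` continues outside the first hunk.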


@@ -64,16 +64,20 @@ iptables_init() {
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
# nmap xmas
iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# Null
iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# FIN
# NMAP FIN/URG/PSH (XMAS scan)
iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# SYN/RST/ACK/FIN/URG
iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
# ALL/ALL
iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
# FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# Null
iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
@@ -83,6 +87,7 @@ iptables_init() {
# Connection tracking chain
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -254,20 +259,6 @@ iptables_init() {
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
# Filter logging of incoming broadcasts.
iptables -N BROADCAST_FILTER
iptables -A INPUT -j BROADCAST_FILTER
iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
fi
if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
fi
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
@@ -286,10 +277,16 @@ iptables_init() {
/usr/sbin/firewall-policy
# Install firewall rules for the red interface.
iptables_red
iptables_red_up
# If red has not been brought up yet, we will
# add the blocking rules for MASQUERADE
if [ ! -e "/var/ipfire/red/active" ]; then
iptables_red_down
fi
}
iptables_red() {
iptables_red_up() {
iptables -F REDINPUT
iptables -F REDFORWARD
iptables -t nat -F REDNAT
@@ -336,16 +333,49 @@ iptables_red() {
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
if [ "$IFACE" != "$GREEN_DEV" ]; then
iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
if [ "$IFACE" = "$GREEN_DEV" ]; then
MASQUERADE_GREEN="off"
fi
local NO_MASQ_NETWORKS
if [ "${MASQUERADE_GREEN}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
fi
if [ "${MASQUERADE_BLUE}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
fi
if [ "${MASQUERADE_ORANGE}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
fi
local network
for network in ${NO_MASQ_NETWORKS}; do
iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
done
# Masquerade everything else
iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
# Reload all rules.
/usr/local/bin/firewallctrl
}
iptables_red_down() {
# Prohibit packets to reach the masquerading rule
# while the wan interface is down - this is required to
# circumvent udp related NAT issues
# http://forum.ipfire.org/index.php?topic=11127.0
iptables -F REDFORWARD
iptables -A REDFORWARD -o $IFACE -j DROP
# Reload all rules.
/usr/local/bin/firewallctrl
}
# See how we were called.
case "$1" in
start)
@@ -376,9 +406,9 @@ case "$1" in
/etc/sysconfig/firewall.local start
fi
;;
reload)
reload|up)
boot_mesg "Reloading firewall"
iptables_red
iptables_red_up
evaluate_retval
# run local firewall configuration, if present
@@ -386,6 +416,11 @@ case "$1" in
/etc/sysconfig/firewall.local reload
fi
;;
down)
boot_mesg "Disabling firewall access to RED"
iptables_red_down
evaluate_retval
;;
restart)
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
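Review bot: In the hunk that adds `iptables_red_down`, `$IFACE` is expanded unquoted into `iptables -A REDFORWARD -o $IFACE -j DROP` without being set inside the function, and the new `down)` arm makes that function reachable from a fresh invocation (the red.down hook) at a moment when RED's interface name may no longer be available; an empty expansion yields `-o -j DROP`, which iptables will not parse as intended, so REDFORWARD is flushed but the DROP never lands — the opposite of the fail-closed state the comment describes. A guard at the top of the function, `[ -n "${IFACE}" ] || return 1`, plus quoting as `-o "${IFACE}"` (as the new REDNAT RETURN rules already do) would make that failure explicit. Whether IFACE is assigned at file scope before the `case` is outside the hunk.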


@@ -0,0 +1,3 @@
#!/bin/bash
exec /etc/rc.d/init.d/firewall down


@@ -0,0 +1,3 @@
#!/bin/bash
exec /etc/rc.d/init.d/firewall up


@@ -1,5 +1,3 @@
#!/bin/bash
/usr/local/bin/setddns.pl -f
exit 0
exec /usr/bin/ddns update-all
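Review bot: The removed script always ended with `exit 0`, whereas `exec /usr/bin/ddns update-all` now hands the caller ddns's own exit status, so if whatever runs this hook treats non-zero as a failure, a transient update error surfaces where it was previously ignored. If that is intended, a one-line comment such as `# exit status is ddns's own; callers now see update failures` would record it; if not, run `/usr/bin/ddns update-all` followed by `exit 0` instead of exec.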


@@ -28,12 +28,18 @@ case "${1}" in
fi
boot_mesg "Starting Random Number Generator Daemon..."
loadproc /usr/sbin/rngd --no-tpm=1
if pidofproc /usr/sbin/rngd &>/dev/null; then
# Is already running.
echo_ok
else
loadproc /usr/sbin/rngd --no-tpm=1
fi
;;
stop)
boot_mesg "Stopping Random Number Generator Daemon..."
killproc /usr/sbin/rngd
killproc -p /var/run/rngd.pid /usr/sbin/rngd
;;
restart)
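Review bot: `if pidofproc /usr/sbin/rngd &>/dev/null; then` relies on the bash-only `&>` redirection; the file's shebang is outside the hunk, and the other init scripts in this commit use `#!/bin/sh`. Under a POSIX sh this parses as `pidofproc ... &` followed by a bare `>/dev/null`, whose status is always 0, so the `# Is already running` branch would be taken on every boot and rngd never started; `if pidofproc /usr/sbin/rngd >/dev/null 2>&1; then` is portable and means the same thing. The `stop)` change to `killproc -p /var/run/rngd.pid` assumes rngd writes that pidfile although `loadproc /usr/sbin/rngd --no-tpm=1` does not ask for one — worth confirming against rngd's default pidfile path. The enclosing `case` starts and ends outside the hunk.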


@@ -4,19 +4,28 @@
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
#$LastChangedBy: bdubbs $
#$Date: 2005-08-01 14:29:19 -0500 (Mon, 01 Aug 2005) $
. /etc/sysconfig/rc
. $rc_functions
function fix_permissions() {
local lockdir="/var/lib/samba/winbindd_privileged"
chmod 750 "${lockdir}"
chgrp wbpriv "${lockdir}"
}
case "$1" in
start)
fix_permissions
boot_mesg "Starting nmbd..."
loadproc /usr/sbin/nmbd -D
boot_mesg "Starting smbd..."
loadproc /usr/sbin/smbd -D
boot_mesg "Starting winbind..."
loadproc /usr/sbin/winbindd
;;
stop)
@@ -25,6 +34,9 @@ case "$1" in
boot_mesg "Stopping nmbd..."
killproc -p /var/run/nmbd.pid /usr/sbin/nmbd
boot_mesg "Stopping winbind..."
killproc -p /var/run/winbindd.pid /usr/sbin/winbindd
;;
reload)
@@ -33,6 +45,9 @@ case "$1" in
boot_mesg "Reloading nmbd..."
reloadproc /usr/sbin/nmbd
boot_mesg "Reloading winbind..."
reloadproc /usr/sbin/winbindd
;;
restart)
@@ -44,6 +59,7 @@ case "$1" in
status)
statusproc /usr/sbin/nmbd
statusproc /usr/sbin/smbd
statusproc /usr/sbin/winbindd
;;
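Review bot: `fix_permissions` runs `chmod 750` and `chgrp wbpriv` on `/var/lib/samba/winbindd_privileged` without checking that the directory exists, so on a first start before winbindd has created it both commands fail and print to the console while startup proceeds, and the permissions are never applied; guard it with `[ -d "${lockdir}" ] || return 0`, or create the directory with `mkdir -p "${lockdir}"` first if it is meant to exist before winbindd starts. Since the helper's purpose is presumably to restrict the privileged pipe directory to root:wbpriv, an explicit `chown root "${lockdir}"` alongside the chgrp would complete that. The `function` keyword and `local` are bash-isms; the shebang is outside the hunk, so confirm the script runs under bash.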
*)


@@ -1,50 +0,0 @@
#!/bin/bash
# Begin $rc_base/init.d/winbind
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
#$LastChangedBy: bdubbs $
#$Date: 2005-08-01 14:29:19 -0500 (Mon, 01 Aug 2005) $
. /etc/sysconfig/rc
. $rc_functions
PIDFILE="/var/run/winbindd.pid"
KILLDELAY="10"
case "$1" in
start)
boot_mesg "Starting winbind..."
loadproc /usr/sbin/winbindd
;;
stop)
boot_mesg "Stopping winbind..."
killproc -p ${PIDFILE} /usr/sbin/winbind
;;
reload)
boot_mesg "Reloading winbind..."
reloadproc /usr/sbin/winbindd
;;
restart)
$0 stop
sleep 1
$0 start
;;
status)
statusproc /usr/sbin/winbindd
;;
*)
echo "Usage: $0 {start|stop|reload|restart|status}"
exit 1
;;
esac
# End $rc_base/init.d/winbind