add firewall bridge mode so it can be used as
layer 2 inline bridge for either DDoS protection
or firewall filter by iptable rules configured in
netfilter filter table forward chain.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add ddos init to load/attach XDP DDoS main
program with empty tail call table as placeholder
for tcp, udp, icmp...etc XDP DDoS program
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
- I checked out doing a fresh install of CU184 and found that although the
LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not
in the /var/ipfire/optionsfw/settings file.
- After some investigation I realised that when I created the LOGDROPHOSTILE split into
incoming and outgoing I had not added them into the configroot lfs file.
- This patch adds the two entries and this was tested out with a fresh install and
confirmed to update the settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood for confusion during network
troubleshooting.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
This has been removed a long time ago and we should probably spend a
little bit more time on keeping the networking code tidy :)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since these files are static, there is no legitimate reason why they
should be owned (hence writable) by "nobody". Also, according to
configroot's LFS file, this is the intended behaviour for the *.user
files, which is then overwritten by the backup LFS file. Therefore, set
the file mode of these statically - configroot does not feature other
files in /var/ipfire/backup/ anyway.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
The third version of this patch conducts the necessary changes in
configroot. Previously, they took place in ipblocklist itself, which
would have caused user settings to be overwritten, should ipblocklist be
shipped in future Core Updates.
Fixes: #12917
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.
However, conntrack seems to drop a lot of (at first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.
This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.
Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
that it is about toggling _logging_, not the actual _dropping_. Other
variables are still in need of being renamed to clarify this, which
will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
config/rootfiles/core/164/update.sh for "master", since this patch has
been developed against "next". Kindly cherry-pick the necessary
changes.
Partially fixes: #12778
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This converter does all the magic to convert any suricata
based IPFire version to work with the new multiple providers
IDS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This fixes the 500 internal server error because this file
was not installed by the patch that adds the wiki links.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This patch removes translations, directives in LFS files, and ALG shared
object files which all became orphaned after we disabled ALGs due to NAT
Slipstreaming vulnerability in Core Update 155.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This library has received no attention within the last three years. By
design, UPnP is a security risk on any firewall, and an outdated
version of a UPnP library definitely is.
This patch therefore drops libupnp completely.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Otherwise the WUI is not allowed to put and release the nobeep file in
this folder and the desired functionality does not work.
Fixes #12385.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There is not enough stuff that it is justified to have an own file.
This patch therefore merges everything into general-functions.pl.
There are no functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will configure Pakfire that people who install a nightly
build will also get the packages for this build, etc.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In IPS mode rule actions need to have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' where this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes #12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes #11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn't created during initial PKI generation.
OpenVPN delivered an error message but IPSec crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Create /var/ipfire/suricata and /var/ipfire/suricata/settings instead of
/var/ipfire/snort and /var/ipfire/snort/settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>