Guardian no longer requires the information for the red interface from
the configfile.
Guardian no longer supports a targetfile.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit allows enabling or disabling the monitoring of the snort alertfile
and switching off the blocking of SSH and HTTPD Brute-force attempts.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The correct case for "kilobit" is "kilobit", not "kiloBit".
And the same applies for Mbit, Gbit etc.
Reference is https://en.wikipedia.org/wiki/Kilobit
This commit changes the texts used in the web UI, so
that it correctly displays as "bit", "kbit", "Mbit" etc.
This fixes bugzilla item 10918.
Signed-off-by: Alf Høgemark <alf@i100.no>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Added 'squid' and 'snort' to section dropdown in LOGS / SYSTEM LOGS,
added translations.
Added translation string for 'web proxy' in '30-network.menu'.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Release notes:
2016-03-09 - Snort 2.9.8.2
[*] New additions
* Future-flow and DNS API exposed to lua detector.
* Double VLAN tagging support.
[*] Improvements
* Performance improvements to AppID.
* Stability improvements to file and ftp_telnet preprocessor.
* Fixed several issues with SDF and obfuscation.
* Resolved an issue of improper handling of malformed DNS host
in AppID.
* HTTP PAF accepts all tokens between method and version strings
in a request URI.
* Resolved snort build issue with "--disable-perfprofiling" configure
option.
* Enhanced mime parsing by adding support for detecting files
after unknown headers and no headers.
* Fixed issue with gzip decompression. If the server response specifies
Content-Encoding as GZIP, but no Content-Length field for HTTP ver 1.0.
* End of Header(EOH) identification for HTTP response header spanning multiple
packets.
* Improved packet reassembly for HTTP.
* Fixed Flash LZMA decompression issue.
For details see:
https://www.snort.org/downloads/snort/changelog_2.9.8.2.txt
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
GRE connections were not correctly forwarded without the helper
being enabled. Choosing the wrong protocol here did not allow
us to load it properly.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Handcrafted requests with shell commands could be sent to these
CGI files and gain shell access as unprivileged user.
References: #11087
Reported-by: Yann Cam <yann.cam@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If bridged ipv6 is used, $iface is taken from PHYSIN
In the log line the order of fields is "... IN=XY OUT=XY PHYSIN=XY ..."
Signed-off-by: Michael Eitelwein <michael@eitelwein.net>
3 main changes:
- Fill $iface and $out from PHYSIN and PHYSOUT when looking at bridged packets, otherwise fill from IN and OUT
- Recognize ipv4 and ipv6 address style for $srcaddr and $dstaddr
- Match color coding of tables to pie charts (see separate patch sent earlier)
I am using the bridged ipv6 setup as proposed in the wiki. I do not think this breaks anything when not using ipv6. So it would be nice to include this even if ipv6 is not officially supported yet. It is quite useful when using the ipv6 setup.
Signed-off-by: Michael Eitelwein <michael@eitelwein.net>
The tls-remote directive is deprecated and will be removed with
OpenVPN version 2.4. Added --verify-x509-name HOST name
to ovpnmain.cgi instead.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When editing existing static routes and clicking on the apply button, there
was an error message saying that this route is already in use.
Now the error message is only displayed if a new route has the same IP
as an existing one.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When entering wrong values in the fields and saving the site, an error
message appears and all fields except mailserver and port are blanked.
Now the fields are preserved and all data is displayed even after an
error message.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In firewallgroups (hosts) an error was created when using IP addresses
like 192.168.000.008. Now all leading zeros are deleted in
firewallgroups and in the firewall itself when using single IP addresses
as source or target.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
auth.conf was always written, even if no username/password was provided.
In this case only the IP or hostname of the mailserver was written into
auth.conf. Now the file is only filled if username/password are filled.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Timo Eissler <timo.eissler@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will allow importing just the configuration file
into iOS and establishing the VPN connection. Also works
with many other OpenVPN clients.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds the option to download a client package
that comes with a regular PEM and key file instead of a
PKCS12 file, which is easier to use with clients that
don't support PKCS12 (like iOS) as opposed to converting
the file manually.
This requires that the connection is created without
using a password for the certificate. Then the certificate
is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
CC: Alexander Marx <alexander.marx@ipfire.org>
Promotes Alexander Marx to the group of Core Developers.
Also lots of reformatting of old HTML code.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Some functions when adding a new route were senseless.
Now the IP address is checked and in case of a missing / wrong
subnetmask an error message is raised. The IP address is preserved.
Otherwise,
we convert the subnetmask to CIDR notation and calculate the network IP
correctly.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>