bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-16 22:13:01 +02:00

Author	SHA1	Message	Date
Michael Tremer	1ececb67a1	unbound: Mark domains as insecure from DNS forwarding Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-05 16:58:29 +00:00
Michael Tremer	5d04cfe7d5	suricata: Use highest bit to mark packets We are using the netfilter MARK in IPsec & QoS and this is causing conflicts. Therefore, we use the highest bit in the IPS chain now and clear it afterwards because we do not really care about this after the packets have been passed through suricata. Then, no other application has to worry about suricata. Fixes: #12010 Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-03-01 17:56:48 +01:00
Michael Tremer	50d1bbf0f5	Merge branch 'ipsec' into next	2019-02-25 00:48:08 +00:00
Arne Fitzenreiter	710153a89c	partresize: add "apu1" for apus with new bios.	2019-02-22 18:01:18 +01:00
Arne Fitzenreiter	8f49959d70	partresize: enable serial console on PC Engines APU Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-19 15:26:41 +01:00
Stefan Schantl	20b4c4d863	suricata: Swith to "16" as repeat-mark and repeat-mask. Marks "1-3" are used for marking source-natted packets on the interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec. See commit: `f5ad510e3c` Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-18 10:02:29 +01:00
Michael Tremer	9bc1760052	unbound: Drop certificates for local control connection These are a cause of worry because they are sometimes generated with an invalid timestamp and therefore render unbound being unusable. There is no strong reason to use self-signed certificates for extra security here. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-17 13:46:51 +00:00
Stefan Schantl	c1c754a121	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2019-02-08 09:59:31 +01:00
Peter Müller	e01e07ec8b	apply default firewall policy for ORANGE, too If firewall default policy is set to DROP, this setting was not applied to outgoing ORANGE traffic as well, which was misleading. Fixes #11973 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Cc: Michael Tremer <michael.tremer@ipfire.org> Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-07 15:15:32 +00:00
Stefan Schantl	af0065691c	suricata: Do not display messages when starting up Fixes #11979. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-05 13:57:40 +01:00
Michael Tremer	68e69b676f	network: Create IPsec interfaces when network is brought up Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6c920b19cd	IPsec: Rename ipsec-block script to ipsec-policy This is a more general name for a script that will be extended soon to do more than just add blocking rules. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Stefan Schantl	c9b07d6a0c	initscripts/suricata: Generate firewall rules on start and reload Fixes #11978 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-30 13:47:07 +01:00
Michael Tremer	17c2c09bcc	suricata: Scan outgoing traffic, too Connections from the firewall and through the proxy must be filtered, too Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-29 14:08:51 +01:00
Stefan Schantl	c1a3401235	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2019-01-21 13:04:13 +01:00
Michael Tremer	7d5caee6bd	Add initscript for conntrackd The daemon will be started by default when a configuration file exists. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-06 08:59:25 +00:00
Stefan Schantl	7b6f8596ed	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2018-12-28 07:36:59 +01:00
Michael Tremer	f33d28978d	unbound: Use correct parameter for IP addresses and hostnames Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-19 21:00:21 +01:00
Michael Tremer	c9ae511ecf	unbound: Allow forwarding to multiple servers at the same time Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-19 20:23:59 +01:00
Stefan Schantl	f5ad510e3c	suricata: Use "2" as repeat-mark and repeat-mask. The previous used "1" was already used to mark source-natted packets. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-12-17 15:04:48 +01:00
Michael Tremer	81e1e80e38	AWS: Prefer red* or eth* when importing configuration This change is necessary to make sure that the script prefers are link with internet access. That would usually be red (after the second boot) or eth* (on the first boot). That allows (and ensures) that we can install packages in the user-data script. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-12 11:36:44 +00:00
Stefan Schantl	a13ddf04d9	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-12-12 09:27:59 +01:00
Arne Fitzenreiter	56726ed954	rngd: update initskript and add hwrngtty support Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2018-12-06 22:33:05 +01:00
Michael Tremer	95c60d31aa	udev: Do not try to change kernel hotplug handler any more Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-11-07 20:27:35 +00:00
Michael Tremer	e300a3d138	udev: Do no try to install any device nodes any more Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-11-07 20:26:34 +00:00
Michael Tremer	9f60aa9679	syslog: Listen to network and block access from anywhere but localhost Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-11-07 20:07:53 +00:00
Stefan Schantl	2d475a3c6c	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2018-09-26 14:49:34 +02:00
Michael Tremer	b8fdc7398c	static-routes: Make it clear that we are reloading routes When RED is brought down, we will reload all static routes. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-09-13 15:03:59 +01:00
Stefan Schantl	5f63067385	suricata: Fix initscript when using a single core machine Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-24 10:04:33 +02:00
Michael Tremer	95b87f39ac	localnet: Set FQDN without using domainname command Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-23 10:18:59 +01:00
Stefan Schantl	cb52183c6a	Fix merge conflicts during merge of next and the suricata branch	2018-08-23 10:34:17 +02:00
Michael Tremer	84cd9b9162	Drop the network-trigger script This is done at boot time and doesn't normally need to be done again. On AWS or in the setup, renaming any network interfaces is being handled automatically. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-22 14:05:43 +01:00
Michael Tremer	f3d59d2c94	firstsetup: There is no need to restart udev here All network interfaces are renamed accordingly in setup Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-22 14:02:43 +01:00
Michael Tremer	c5465a9453	aws: Let udev rename all network interfaces Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-22 14:00:39 +01:00
Stefan Schantl	55658ee381	suricata: Fix detection of enabled IDS on zone in initscript I accidently commited the wrong file in the previous commit. This is the fixed and working version. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-17 08:45:47 +02:00
Stefan Schantl	00a031145e	suricata: Give 644 permissions to the suricata pidfile Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-17 08:24:19 +02:00
Stefan Schantl	3c2c54831f	suricata: Add code to create iptables rules to the initscript Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-16 18:51:13 +02:00
Stefan Schantl	7c82ee6165	firewall: Add chains for IPS (suricata) Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-16 18:50:39 +02:00
Michael Tremer	046ef135e6	Merge remote-tracking branch 'origin/efi' into next	2018-08-16 12:49:13 +01:00
Michael Tremer	242cfc3395	localnet: Properly format and quote variables Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-16 12:42:25 +01:00
Michael Tremer	5b9f387d59	localnet: Correctly set domain name Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-16 12:41:52 +01:00
Michael Tremer	3eeff87fe6	Fix typo in unbound initscript Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-15 11:51:53 +01:00
Michael Tremer	8defa50e73	aws: Execute user-data script while we have networking up Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-13 12:14:49 +01:00
Stefan Schantl	6187da5055	IDS: Add reload option to initscript Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-11 22:28:07 +02:00
Arne Fitzenreiter	79bcc6f769	collectd: fix cpufreq plugin enable Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2018-08-03 16:13:12 +02:00
Stefan Schantl	843a8c570c	snort: Drop package Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-03 10:19:35 +02:00
Stefan Schantl	d72b3e64c2	suricata: Introduce basic initscript Add a very basic initscript, which currently allows to start/stop/restart suricata and check if the daemon is running. The script will detect when starting suricata how many CPU cores are present on the system and will launch suricata in inline mode (NFQUEUE) and listen to as much queues as CPU cores are detected. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-08-02 19:54:22 +02:00
Michael Tremer	4e4c122c58	aws: Add support for a script that can be executed at first boot Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-20 16:19:46 +01:00
Michael Tremer	ba06294341	aws: Always exit the init script cleanly Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-20 16:05:15 +01:00
Michael Tremer	6cf5a533f5	partresize: Remove debugging line Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-20 12:03:10 +00:00

... 3 4 5 6 7

305 Commits