The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.
This can happen when the kernel fails to load the ipset module, as is
the case after upgrading to a new kernel. Restarting the firewall will
cause the system to be cut off from the internet.
This design now changes that: if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This filelist is there to ship files that contain the version number of
a release and *must* be shipped every time. For that, they will need to
be a part of the filelist.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If no settings for those features can be obtained from the settings
file, set them to the following defaults.
* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only freshly installed systems should
do this)
* LOGDROPCTINVALID -> on (yes)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Sometimes, we restore a backup that has been created earlier, before
exclude files have been changed. To avoid overwriting those files, we
will consider the exclude list upon restore.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This file is a system configuration file and does not contain any
configuration from the user.
Since it can be overwritten in a backup and restored to an older state,
this can cause problems such as #12788.
Fixes: #12788
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In some situations or if an error happened, the lock file could be
kept on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and releases it when
the script exits.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We are almost running as an unprivileged user and therefore do not have
the permissions to do this.
This will save us a lot of confusing error messages.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit allows the ipset_restore() function to auto-detect
which set file needs to be restored.
Currently it is limited to country codes only, because we currently
do not support anything else.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Instead of stupidly destroying all ipsets, we now grab the already loaded sets
and compare them with the loaded sets during runtime of the script.
So we are now able to determine which sets are no longer required and
can safely be destroyed (unloaded) at a later time.
This saves us from taking care of dropping/flushing rules which are
based on ipset before we can destroy them - because only unused sets are
affected.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.6.10 :
Changes in version 0.4.6.10 - 2022-02-04
  This version contains minor bugfixes but one in particular is that relays
  don't advertise onion service v2 support at the protocol version level.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on February 04, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/02/04.

  o Minor bugfix (logging):
    - Update a log notice dead URL to a working one. Fixes bug 40544;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfix (relay):
    - Remove the HSDir and HSIntro onion service v2 protocol versions so
      relay stop advertising that they support them. Fixes bug 40509;
      bugfix on 0.3.5.17.

  o Minor bugfixes (MetricsPort, Prometheus):
    - Add double quotes to the label values of the onion service
      metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
In some situations or if an error happened, the lock file could be
kept on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and releases it when
the script exits.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
We are almost running as an unprivileged user and therefore do not have
the permissions to do this.
This will save us a lot of confusing error messages.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>