webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-16 14:03:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,536 Commits 2 Branches 1 Tag
1722701a9aab07e1a96ae25d2cedcbac403ddb76
Commit Graph

13536 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alexander Marx
1722701a9a BUG12015: Redirecting to Captive portal does not work after IPFire restart 
When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscrip 'firewall'.

Fixes: #12015

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-21 01:39:18 +01:00
Arne Fitzenreiter
744f16e45a core134: ship core133 late fixes again 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-21 11:58:58 +02:00
Arne Fitzenreiter
70dd356329 Merge remote-tracking branch 'origin/master' into next 2019-06-20 09:35:59 +02:00
Arne Fitzenreiter
3a8fef331d kernel: remove RPi DMA allignment revert 
TODO: test if RPi works without now or if we need to
revert more of the allignment patches.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-20 09:33:17 +02:00
Arne Fitzenreiter
70590cef48 Kernel: update to 4.14.128 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-19 21:01:29 +02:00
Michael Tremer
4b64da2914 core134: Ship updated vim 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 22:35:23 +01:00
Matthias Fischer
beac384541 Remove old vim 7.4 data 
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 22:35:07 +01:00
Matthias Fischer
98f55e136f vim: Update to 8.1 
Please note:
If this gets merged, the update process must deal with the otherwise remaining
files in '/usr/share/vim74' (~16 MB).

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 22:34:55 +01:00
Stéphane Pautrel
d3e8820330 Update French translation 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 20:02:28 +01:00
Arne Fitzenreiter
a04eedfe7d core134: add kernel to updater 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-18 18:55:11 +02:00
Arne Fitzenreiter
15ca18a3d9 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next 2019-06-18 18:42:02 +02:00
Arne Fitzenreiter
82c279a518 kernel: update to 4.14.127 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-18 18:41:19 +02:00
Arne Fitzenreiter
1a129822af linux-pae: fix grub.conf creation on pv machines 
on some systems it seems that grub2 and it config also exist.
 2019-06-18 14:36:02 +02:00
Michael Tremer
7516e8b7f1 core134: Ship changed general-functions.pl 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 09:13:21 +01:00
Alexander Marx
cc724c142a BUG12070: Its not possible to use the underscore in email addresses 
Using IPFire's Mailservice does not allow to enter a senders mail address with the underscore.
The function used to verify that is used from general-functions.pl.
Now the function 'validemail' allows the underscore in the address.

Fixes: #12070

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 09:12:49 +01:00
Michael Tremer
82899ad1ce core134: Ship updated unbound 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 09:11:18 +01:00
Matthias Fischer
2f278de868 unbound: Update to 1.9.2 
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-June/011632.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-17 17:39:37 +01:00
Peter Müller
0dd16f4047 vpnmain.cgi: Fix writing ESP settings for PFS ciphers 
The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-17 16:14:27 +01:00
Arne Fitzenreiter
1307df2257 Merge branch 'master' into next 2019-06-15 18:10:35 +02:00
Arne Fitzenreiter
faec909e1a vpnmain.cgi: remove wrongh "shift-space" 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-15 17:38:47 +02:00
Arne Fitzenreiter
f5662122b5 hyperscan: increase min RAM per buildprocess to 1GB 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-14 22:09:47 +02:00
Michael Tremer
bc051eac54 core133: Ship jansson in update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-14 06:22:52 +01:00
Arne Fitzenreiter
f081e454a6 finish core133 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-12 19:57:21 +02:00
Michael Tremer
527078e439 core134: Ship updated OpenSSL 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:25:13 +01:00
Peter Müller
69772b7dda OpenSSL: lower priority for CBC ciphers in default cipherlist 
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:24:00 +01:00
Michael Tremer
ce46df9b83 Start Core Update 134 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:18:23 +01:00
Michael Tremer
e263c29c92 unbound: Make some zones type-transparent 
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:14:28 +01:00
Michael Tremer
91056adea5 unbound: Add yandex.com to safe search feature 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:11:32 +01:00
Michael Tremer
043e7aa50f unbound: safe search: Resolve hosts at startup 
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-13 11:12:07 +01:00
Peter Müller
fa7de475fe Tor: fix permissions after updating, too 
Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 05:45:42 +01:00
Michael Tremer
5d65813aa3 core133: Ship updated wpa_supplicant 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 07:00:38 +01:00
Matthias Fischer
33fb0c91ec wpa_supplicant: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 07:00:05 +01:00
Michael Tremer
894eaf5184 smt: Only disable SMT when the kernel thinks it is vulnerable 
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 17:07:23 +00:00
Peter Müller
8e101c0bda ship language files in Core Update 133 
These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 19:44:59 +01:00
Michael Tremer
35f12f2998 Rootfile update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:58:15 +01:00
Stefan Schantl
33afb0681f convert-ids-modifysids-file: Fix check if the ids is running. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:46:00 +01:00
Matthias Fischer
3f7cec61c9 hostapd: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:45:54 +01:00
Michael Tremer
28093c8376 Rootfile update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-08 11:34:37 +01:00
Michael Tremer
09b9910696 Rootfile update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:14:11 +01:00
Michael Tremer
c0fc25861f core133: Ship updated knot package 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:13:01 +01:00
Matthias Fischer
d52b5a4c22 knot: Update to 2.8.2 
For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:12:35 +01:00
Michael Tremer
171512b7a7 Update contributors 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:46:37 +01:00
Erik Kapfer
21a8382383 suricata: Enable EVE logging 
The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
for further informations please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:44:49 +01:00
Stefan Schantl
3c91ee8092 convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:43:09 +01:00
Michael Tremer
e1f8f870ea core133: Ship snort configuration converter 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:42:53 +01:00
Stefan Schantl
f1add9a8dd convert-snort: Adjust code to use changed modify_sids_file function. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:42:00 +01:00
Stefan Schantl
81bae51f61 ids-functions.pl: Rework function write_modify_sids_file(). 
Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.

This helps to prevent from doing this stuff at several places again and again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:41:49 +01:00
Michael Tremer
a40bcbb02c core133: Ship IPS changes 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:41:37 +01:00
Tim FitzGeorge
a5ba473c15 suricata: correct rule actions in IPS mode 
In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:39:57 +01:00
Michael Tremer
9734a58faf core133: Ship IDS ruleset updater 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:34:44 +01:00