bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-26 19:00:34 +02:00

Author	SHA1	Message	Date
Michael Tremer	1ececb67a1	unbound: Mark domains as insecure from DNS forwarding Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-05 16:58:29 +00:00
Matthias Fischer	d6d5999af1	hostapd: Update to 2.7 For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog This patch sticks to 'wpa_supplicant: Update to 2.7'. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-04 09:26:58 +00:00
Erik Kapfer	5a3c9ef298	netsnmpd: OpenSSL patch is incl. in new version Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-04 09:26:58 +00:00
Matthias Fischer	aa88b2ef59	squid: Update to 4.6 For details see: http://www.squid-cache.org/Versions/v4/changesets/ The 'configure'-option "--disable-ipv6" was removed, it is no longer necessary. See: https://lists.ipfire.org/pipermail/development/2016-April/002046.html "The --disable-ipv6 build option is now deprecated. ... Squid-3.5.7 and later will perform IPv6 availability tests on startup in all builds. - Where IPv6 is unavailable Squid will continue exactly as it would have had the build option not been used. These Squid can have the build option removed now." The warning message concerning a "BCP 177 violation" while starting 'squid' can be ignored. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-02 14:07:38 +00:00
Michael Tremer	5d04cfe7d5	suricata: Use highest bit to mark packets We are using the netfilter MARK in IPsec & QoS and this is causing conflicts. Therefore, we use the highest bit in the IPS chain now and clear it afterwards because we do not really care about this after the packets have been passed through suricata. Then, no other application has to worry about suricata. Fixes: #12010 Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-03-01 17:56:48 +01:00
Michael Tremer	50d1bbf0f5	Merge branch 'ipsec' into next	2019-02-25 00:48:08 +00:00
Arne Fitzenreiter	c09758302b	kernel: update to 4.14.103 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-23 15:56:21 +01:00
Arne Fitzenreiter	173844d352	kernel: import cve-2019-8912 patch Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-22 21:20:57 +01:00
Arne Fitzenreiter	6957b699b3	kernel: apu leds: add more id's Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-22 18:02:45 +01:00
Arne Fitzenreiter	710153a89c	partresize: add "apu1" for apus with new bios.	2019-02-22 18:01:18 +01:00
Arne Fitzenreiter	a2d49659f3	kernel: cleanup unused rpi patch Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-21 19:13:27 +01:00
Arne Fitzenreiter	8f49959d70	partresize: enable serial console on PC Engines APU Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-19 15:26:41 +01:00
Arne Fitzenreiter	17872019ba	kernel: update apu led patch for apu3 and 4 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-02-19 01:04:19 +01:00
Stefan Schantl	20b4c4d863	suricata: Swith to "16" as repeat-mark and repeat-mask. Marks "1-3" are used for marking source-natted packets on the interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec. See commit: `f5ad510e3c` Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-18 10:02:29 +01:00
Michael Tremer	9bc1760052	unbound: Drop certificates for local control connection These are a cause of worry because they are sometimes generated with an invalid timestamp and therefore render unbound being unusable. There is no strong reason to use self-signed certificates for extra security here. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-17 13:46:51 +00:00
Stefan Schantl	77c07352a5	Suricata: Start service on red.up event if requested Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-15 13:26:55 +01:00
Stefan Schantl	c1c754a121	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2019-02-08 09:59:31 +01:00
Peter Müller	e01e07ec8b	apply default firewall policy for ORANGE, too If firewall default policy is set to DROP, this setting was not applied to outgoing ORANGE traffic as well, which was misleading. Fixes #11973 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Cc: Michael Tremer <michael.tremer@ipfire.org> Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-07 15:15:32 +00:00
Stefan Schantl	5206a3358d	update-ids-ruleset: Lock and Unlock the IDS page during runtime Reference #11991 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-07 08:06:49 +01:00
Stefan Schantl	8117fff863	IDS: Call helper script when red interface gets up The helper script will be automatically called when the red interface gets up and will re-generate the HOME_NET file, to take care if the IP-address of this interface has changed. Fixes #11989 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-06 15:40:19 +01:00
Stefan Schantl	af0065691c	suricata: Do not display messages when starting up Fixes #11979. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-02-05 13:57:40 +01:00
Michael Tremer	8be516b3bc	strongswan: Do not create any NAT rules when using VTI/GRE Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:38:24 +00:00
Michael Tremer	f9dd134645	ipsec-interfaces: Resolve any remote hostnames Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	d985ce5ae9	ipsec-interfaces: Move conditional block into the loop Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	38f6bdb740	ipsec: Drop delayed restart setting This is a very bad race-condition situation and is not solved by an unintuitive setting. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	517683eeb1	ipsec: Drop VPN_IP setting This is now a per-connection setting Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6826364580	ipsec-*: Name some more configuration variables Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	1ca2f88a74	ipsec-interfaces: Uses local IP address from connection first, then default Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	c94aa25475	ipsec-interfaces: Fix typo in variable name Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	c821440ced	ipsec: Filter better for GRE/VTI interfaces This tried to delete the GREEN interface before Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6a45a1f101	ipsec: TTL only applies for GRE interfaces and not VTI Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	54bac01402	ipsec: Find correct RED IP address when using %defaultroute Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	3dc21d43bf	ipsec: Log a message when an interface could not be created Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	1a45f9a70a	ipsec-interfaces: Don't add any interfaces when IPsec is disabled Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	a56357b8be	Revert "ipsec-interfaces: Run when IPsec is disabled" This reverts commit 3c3a1cfdb9b473fae9b792e8c211c9940fafc658. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	4cf038dcfe	ipsec-interfaces: Run when IPsec is disabled This needs to run even when IPsec is disable to remove and interfaces Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	05af70c2f3	ipsec-interfaces: Use correct righthost variable Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	68e69b676f	network: Create IPsec interfaces when network is brought up Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	3446a17293	ipsecctrl: Call ipsec-interfaces script when turning up/shutting down connections Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	b8c153bca5	IPsec: Add (experimental) script that creates GRE/VTI interfaces Signed-off-by: root <root@interim-edge-a.ec2.internal>	2019-02-04 18:20:36 +00:00
Michael Tremer	b89ae1a4e3	ipsecctrl: Don't wait when a connection is to be started Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6cf8bc9161	IPsec: Move opening ports from ipsecctrl into ipsec-policy script Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6c920b19cd	IPsec: Rename ipsec-block script to ipsec-policy This is a more general name for a script that will be extended soon to do more than just add blocking rules. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Stefan Schantl	c9b07d6a0c	initscripts/suricata: Generate firewall rules on start and reload Fixes #11978 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-30 13:47:07 +01:00
Stefan Schantl	d6f725e185	update-ids-ruleset: Improve error reporting if the system is offline Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-30 10:57:31 +01:00
Michael Tremer	17c2c09bcc	suricata: Scan outgoing traffic, too Connections from the firewall and through the proxy must be filtered, too Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-29 14:08:51 +01:00
Stefan Schantl	ca8c92108a	update-ids-ruleset: Set correct ownership for rulesdir and files Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-29 09:09:11 +01:00
Stefan Schantl	39155be805	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2019-01-26 12:40:04 +01:00
Peter Müller	fee8b1c504	OpenSSH: update to 7.9p1 Update OpenSSH to 7.9p1 (release note is available at https://www.openssh.com/txt/release-7.9). Patching support for OpenSSL 1.1.0 is no longer required, thus the orphaned patchfile has been deleted. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-23 05:13:47 +00:00
Arne Fitzenreiter	be838808e1	Merge remote-tracking branch 'origin/master' into next	2019-01-23 21:19:01 +01:00

1 2 3 4 5 ...

3505 Commits