This causes some i2c drivers to load and tons of error messages
being created in syslog. So we skip searching for any sensors
that do not exist.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If Tor is operating in relay mode, it has to open a lot of outgoing
TCP connections. These should be separated from any other outgoing
connections, as allowing _all_ outgoing traffic will be unwanted and
risky in most cases.
Thereof, Tor will be running as a dedicated user (see second patch),
allowing usage of user-based IPtables rulesets.
Partially fixes#11779.
Singed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.
Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.
Then, no other application has to worry about suricata.
Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.
See commit: f5ad510e3c
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound being unusable.
There is no strong reason to use self-signed certificates for extra
security here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.
Fixes#11989
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This is a more general name for a script that will be extended
soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The setting cannot be set on the default system because the ip_vs
module is not loaded by default and there is no reason to load it
just because we would be able to set the setting.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This path to keepalived was just incorrect and therefore
the daemon could not easily be reloaded.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This change is necessary to make sure that the script prefers
are link with internet access. That would usually be red (after
the second boot) or eth* (on the first boot).
That allows (and ensures) that we can install packages in
the user-data script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The clamav database is quite large and occupies valuable
space on the root partition that on older systems is only
2GB large. This change moves the virus definition database
to the /var partition which is larger and supposed to hold
data like this anyway.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
