webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 02:55:55 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,861 Commits 2 Branches 1 Tag
323900264f78eb52204b84cfbbcd76ec04cbc822
Commit Graph

3578 Commits

Author SHA1 Message Date
Arne Fitzenreiter
be967dc920 Revert "firewall: always allow outgoing DNS traffic to root servers" 
This reverts commit 70cd5c42f0.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:13:49 +02:00
Arne Fitzenreiter
ea16154f5c Revert "bash: add patches 001 - 011 for 5.0 version" 
This reverts commit 2c0ee2b962.
 2019-10-15 07:36:47 +00:00
Arne Fitzenreiter
918a57cfeb Revert "readline: add patch 001 for version 8.0" 
This reverts commit c5f0c44451.
 2019-10-15 07:36:00 +00:00
Arne Fitzenreiter
d19c82678b Revert "bash/readline: drop orphaned patches" 
This reverts commit 95f1c332d8.
 2019-10-15 07:35:22 +00:00
Michael Tremer
59b9a6bd22 linux+iptables: Drop support for IMQ 
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 18:02:55 +00:00
Michael Tremer
a3f4b8c6f7 99-geoip-database: Fix download 
This script started a fresh download every time it was called,
which is unnecessary.

The check to skip the download did not work because it was
looking for the old data format.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:47:31 +00:00
Daniel Weismüller
a18addb946 xt_geoip_update: Always call the cleanup function when some step fails 
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:45:29 +00:00
Daniel Weismüller
7b2d933055 xt_geoip_update: Do not create temporary directories again 
These already exist

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:45:27 +00:00
Daniel Weismüller
3cd8d55010 xt_geoip_update: Use /var/tmp for temporary data 
Since we have some systems that are restricted to only 2GB of
space on /, we need to move this to where we have enough space.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:45:23 +00:00
Daniel Weismüller
0df1839239 xt_geoip_update: Perform cleanup after successful operation 
The temporary files were never being cleaned up after the script
has finished compiling the database.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:45:20 +00:00
peter.mueller@ipfire.org
41fe437400 fix typo in hostapd initscript 
Fixes: #11237

Reported-by: Tom Rymes <tomvend@rymes.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:40:25 +00:00
peter.mueller@ipfire.org
95f1c332d8 bash/readline: drop orphaned patches 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:12:46 +00:00
peter.mueller@ipfire.org
c5f0c44451 readline: add patch 001 for version 8.0 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:12:38 +00:00
peter.mueller@ipfire.org
2c0ee2b962 bash: add patches 001 - 011 for 5.0 version 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:12:09 +00:00
Arne Fitzenreiter
7739cbf456 sane/stage2: remove sanedloop 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 08:37:23 +02:00
Stephan Feddersen
ff599b6767 WIO:Add fr language 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:52:17 +00:00
peter.mueller@ipfire.org
70cd5c42f0 firewall: always allow outgoing DNS traffic to root servers 
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:48:40 +00:00
Michael Tremer
974d86532f unbound: Add option to force using TCP for upstream servers 
Some users have problems to reach DNS servers. This change adds an option
which allows to force using TCP for upstream name servers.

This is a good workaround for users behind a broken Fritz!Box in modem
mode which does not allow resolving any records of the root zone.

The name server tests in the script will also only use TCP.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:42:18 +00:00
Michael Tremer
1ad45a5a09 sane: Update to 1.0.28 
This patch updates the package and removes the sanedloop script
which was needed to launch saned, but that program can now run
in standalone mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:39:47 +00:00
Matthias Fischer
2fc8d41915 hostapd: Update to 2.9 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:09:10 +00:00
Stefan Schantl
415969cc1b kernel: Backport patch to fix a netfilter contrack related issue. 
This fixes the packet drop issue when using suricata on IPFire.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-09-21 09:53:56 +00:00
peter.mueller@ipfire.org
9a0454cea2 Tor: fix permission of /var/ipfire/tor/settings 
The settings file must be writeable for group "nobody" so
users can change their Tor settings via WebUI. Since other
files in /var/ipfire/tor/ does not need this workaround, only
the settings file permissions are changed.

Sorry for the late fix; this was reported by various people
in the forum, too (I was unaware of so many Tor users in our
community).

Fixes #12117

Reported-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-09-11 16:54:11 +00:00
sfeddersen
93eff0dcb8 BUG12156: fixed wrong permissions in install script 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-09-04 14:35:24 +00:00
sfeddersen
3cefb59f71 BUG12156: added wio rrd files to backup 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-09-04 14:35:09 +00:00
sfeddersen
f928cc5a34 BUG12156: changed wio.cgi to fix broken Web GUI 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-09-04 14:35:07 +00:00
Michael Tremer
4f66bad488 dnsdist: Increase number of open files to 64k 
dnsdist might need to open large number of connections
and therefore the default limit of 1024 needs to be
raised.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-28 08:16:32 +00:00
Arne Fitzenreiter
9e20c024b0 xt_geoip_update: fix date and add maxmind copyright to GeoIP.dat 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-24 15:44:23 +02:00
Arne Fitzenreiter
392994dcfb geoip-generator: added to build legacy GeoIP.dat file 
program and scripts based on debian geoip packages.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-24 11:29:01 +02:00
Arne Fitzenreiter
fd24c5dcbd Merge remote-tracking branch 'arne_f/perl-5.30' into next 2019-08-20 17:43:53 +00:00
Peter Müller
66980c9e00 hwdata: update PCI/USB databases 
PCI IDs: 2019-07-25 03:15:02
USB IDs: 2019-07-27 20:34:05

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-20 17:38:48 +00:00
Peter Müller
8ee3a13552 firewall: raise log rate limit to 10 packets per second 
Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.

This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-20 17:22:48 +00:00
Arne Fitzenreiter
c6277d3b10 perl: remove unused patches 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-16 21:33:52 +02:00
Arne Fitzenreiter
fa8b3ea7d3 installer: fix grub.conf root uuid entry 
grub-mkconfig has written the device name instead of uuid's
because the /dev/disk-by-uuid node of the new filesystem was missing
run "udevadm trigger" to create this nodes before install grub.

fixes: #12116

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-13 15:21:02 +02:00
Michael Tremer
6580bdeb6b freeradius: Build package without generating certificates 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-08-10 03:12:04 +01:00
Michael Tremer
1282a2e1af keepalived: Enable auto-start 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-08-10 03:12:04 +01:00
Arne Fitzenreiter
559e94bafb initskripts: smt: hide error on cpu's that not support smt at all 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-09 08:14:29 +02:00
Arne Fitzenreiter
99f2c69511 partresize: check for apu only if dmi is present 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-09 08:02:19 +02:00
Arne Fitzenreiter
10dd2afd6d sysctl: add seperate sysctl-x86_64.conf and move x86_64 only parameters 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-08 09:30:49 +02:00
Arne Fitzenreiter
dc362263f4 setup: add ignore to all no nic assigned errors 2019-08-06 10:51:45 +00:00
Arne Fitzenreiter
6836e528e5 u-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC 
this is a heavy patched version and should replaced when stock
u-boot is able to boot from h3 eMMC.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-06 04:32:22 +00:00
Arne Fitzenreiter
ca75ec5278 led initskript: add nanopi-r1 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-01 07:18:20 +00:00
Arne Fitzenreiter
fa5e921ccb partresize: add copy of broadcom firmware settings for nanopi-r1 
I added this to partresize like the APU scon enable because this
is the only script that runs on flashimage at first boot only and
remount root writeable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-01 07:09:34 +00:00
Arne Fitzenreiter
de8810fbaa iperf3: update to 3.7 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-17 13:15:33 +02:00
Arne Fitzenreiter
3ec3329dff unbound: rework dns-forwader handling 
add check if red interface has an IPv4 address before test the servers at
red up and simply remove forwarders at down process.

This also fix the hung at dhcpd shutdown.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-16 19:20:48 +02:00
Arne Fitzenreiter
4cd82be05f unbound: check if red/iface exists before read it 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-04 20:42:47 +02:00
Michael Tremer
abccd997c0 azure: Do not drop last byte of MAC addresses 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
bc5037150a Enable serial console on all Azure instances 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
8bd0c4b17d cloud-init: Move detection functions into initscript function library 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
acf47bfa80 cloud-init: Import experimental configuration script for Azure 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
b9021f9277 cloud-init: Execute setup script for Azure if needed 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00