webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 02:55:55 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,381 Commits 2 Branches 1 Tag
40407aee99546b4f25632bcaeb796d2a53cb1bcb
Commit Graph

133 Commits

Author SHA1 Message Date
Alexander Koch
68d7ae338e apache / WPAD: Add correct MIME type for wpad.dat and proxy.pac 
Some clients require the correct MIME type to be set for accepting/handling the Proxy-Settings properly.

See: http://findproxyforurl.com/deploying-wpad/

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-23 20:19:43 +01:00
Michael Tremer
01604708c3 Merge remote-tracking branch 'stevee/next-suricata' into next 2019-03-14 13:19:35 +00:00
Stefan Schantl
fd378b3b08 Rename snort user and group to suricata 
This only affects new installations.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-10 18:50:37 +01:00
Michael Tremer
50fcec161c /etc/group: Order groups by ID 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-08 10:11:23 +00:00
Michael Tremer
3d0a190843 /etc/passwd: Order users by ID 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-08 10:08:02 +00:00
Alexander Koch
06fc6170a2 zabbix_agentd: New addon 
New addon for monitoring IPFire by Zabbix Monitoring (https://www.zabbix.com/features).
See https://forum.ipfire.org/viewtopic.php?f=52&t=22039 and https://lists.ipfire.org/pipermail/development/2019-February/005324.html for further details.

Best regards,
Alex

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-08 09:55:18 +00:00
Michael Tremer
0e28ea9f3e suricata: Log to syslog 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:46 +01:00
Michael Tremer
e37e796206 sysctl.conf: Revert enabling busy loop waiting on sockets 
This causes the firmware in my ath10k module to crash.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-28 18:53:22 +00:00
Stefan Schantl
1ef235f08d logrotate: Rotate suricata logs instead of snort ones 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-15 11:22:14 +01:00
Michael Tremer
d03916e558 Enable some performance tuning 
These parameters increase the throughput on various (large-ish)
systems by 5-10% on the slight expense of higher power consumption.

Socket buffers are increases and the system is configured to be
less aggressive when scheduling processes from one processor to
another one which ensures that the cache remains "hot" for longer.

On a slower system (apu1d) no performance improvement or loss
could have been measured.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-24 12:31:27 +00:00
Michael Tremer
93d516bd70 Revert "Disable Path MTU discovery" 
This reverts commit 1c0cfaa594.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-17 19:24:46 +00:00
Michael Tremer
f0092a6e3e keepalived: Move change of conntrack sysctl option into package 
The setting cannot be set on the default system because the ip_vs
module is not loaded by default and there is no reason to load it
just because we would be able to set the setting.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-13 12:50:26 +01:00
Michael Tremer
af2cc3be64 IPVS: Enable connection tracking by default 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-06 21:33:43 +00:00
Michael Tremer
3ed2de1251 Merge branch 'haproxy' into next 2018-10-29 11:59:18 +01:00
Michael Tremer
c5494ad098 haproxy: Log to syslog and install logrotate script 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-22 21:47:05 +02:00
Tim FitzGeorge
dfb985caa9 Allow kernel to swap memory on high demand 
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Fixes: Bug 11839
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-18 14:34:33 +01:00
Peter Müller
d5fe332283 do not expose kernel address spaces even to privileged users 
Change this setting from 1 to 2 so kernel addresses are not
displayed even if a user has CAPS_SYSLOG privileges.

See also:
- https://lwn.net/Articles/420403/
- https://tails.boum.org/contribute/design/kernel_hardening/

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-09-09 17:47:08 +01:00
Peter Müller
373590b7c3 hide kernel addresses in /proc 
Make sure kernel address space is hidden from files somewhere
in /proc . This reduces attack surface and partially addresses #11659.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-07-03 10:32:56 +01:00
Michael Tremer
a1c5ceeb34 nsswitch.conf: Use nss-myhostname to resolve local hostname 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-06-30 19:56:56 +01:00
Arne Fitzenreiter
302dba205b Merge remote-tracking branch 'origin/master' into kernel-4.14 2018-03-30 10:26:01 +02:00
Arne Fitzenreiter
ea9d53c822 inittab: change tty1 to console 
this reduce the differences between tty and scon installations
and make it easier to switch between.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-03-24 13:26:32 +01:00
Michael Tremer
1c0cfaa594 Disable Path MTU discovery 
This seems to be a failed concept and causes issues with transferring
large packets through an IPsec tunnel connection.

This configures the kernel to still respond to PMTU ICMP discovery
messages, but will not try this on its own.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-26 15:37:49 +00:00
Michael Tremer
2d5940daca Drop MySQL 
This is outdated and still on 5.0.x and nobody volunteered to
update this package.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-12 12:05:46 +00:00
Michael Tremer
56720befc7 Drop vsftpd which isn't actively maintained any more 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-11-28 17:30:08 +00:00
Arne Fitzenreiter
874eabd6f5 serial-console: remove baudrate from inittab 
new versions of agetty missinterpretes the baudrate and set it as TERM
without the parameter agetty use the previous rate that was set by the
kernel via console=XXX,Baudrate parameter.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2017-08-15 20:08:22 +02:00
Jonatan Schlag
0f1cda211c Disable netfilter on all bridges per default 
Fixes: #11301

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-03-11 10:08:16 +00:00
Michael Tremer
5056b4f104 Drop mldonkey files 
The packages has been dropped years ago. However, some
files remained in the source tree.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-01-16 16:53:35 +00:00
Michael Tremer
adb11e90df Always enable asynchronous logging 
This patch always enables asynchronous logging which slows
down the system a lot on slow storage and some virtual environments.

It also removes the configuration options in the web
user interface, since this is not configurable any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2016-11-29 12:18:41 +00:00
Michael Tremer
61b4250af5 Drop dnsmasq 
This will be replaced by unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2016-08-06 19:25:48 +01:00
Michael Tremer
8a1a3bf393 Merge remote-tracking branch 'ms/iptables-conntrack' into next 2016-01-22 00:54:14 +00:00
Lars Schuhmacher
18f4c007f1 fix typo in ipsec.user.secrets 
Fixes a little typo

Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-08-25 22:06:30 +01:00
Michael Tremer
b1109b8af5 Enhance the security of the netfilter conntrack helpers 
This is suggested here
  https://home.regit.org/netfilter-en/secure-use-of-helpers/
and deprecated in the kernel (#10665).
 2015-04-22 18:10:59 +02:00
Arne Fitzenreiter
a762fcd037 modprobe.d: blacklist btmrvl_sdio. 2015-01-20 09:14:23 +01:00
Michael Tremer
da840da867 Remove template of /etc/fstab 2014-08-24 16:09:54 +02:00
Michael Tremer
aa7f55b2df Merge remote-tracking branch 'origin/next' into install-raid 2014-08-20 21:46:49 +02:00
Michael Tremer
2deb75c0f3 Merge remote-tracking branch 'ms/squid-ad' into next 2014-07-27 12:01:50 +02:00
Michael Tremer
2c4536c75b fstab: Make auto attribute for filesystem type. 2014-07-22 00:34:42 +02:00
Dirk Wagner
23b8101718 logrotate: include logrotate.d by default. 2014-07-09 20:55:21 +02:00
Michael Tremer
603248db53 squid: Add NTLM authentication against Windows Active Directory servers. 2014-06-10 20:15:58 +02:00
Michael Tremer
1efa8995eb Add user nobody to group dialout. 
Those permissions are required for modem-status.cgi to
communicate with serial modems.
 2014-06-03 15:32:00 +02:00
Michael Tremer
d2d7a46b1e stunnel: New package. 2014-04-25 12:42:52 +02:00
Michael Tremer
32c6ebdced firewall: Make ICMP ratelimiting a bit saner again. 2014-03-05 12:31:36 +01:00
Michael Tremer
fa8229546b firewall: Extend rate limiting for ICMP error messages. 
Fixes #10489.
 2014-03-04 14:14:54 +01:00
Michael Tremer
1108a15cc6 Move enabling nf_conntrack_acct where it should be. 2014-02-14 12:52:28 +01:00
Arne Fitzenreiter
dd62fd25cd fifteen: remove /var/run from fstab. 2014-01-12 23:22:39 +01:00
Arne Fitzenreiter
ba109afd0d kmod: replace module-init-tools by kmod-13. 
newer udev depend on kmod.
 2013-11-18 19:00:51 +01:00
Arne Fitzenreiter
1ee33ddadf util-linux: update to 2.24. 
this is needed for newer udev versions but need some initskript
changes. The updater and arm rootfile is not finished yet.
 2013-11-17 18:51:04 +01:00
Michael Tremer
a19f33961c update accelerator: Don't change owner of ALL files in cache. 
When a file has been downloaded, all files in the update accelerator
cache directory have been chowned which causes huge IO load.
It is only required to set permissions that members of the group
can delete the files (purge function on the web user interface).

Changing the owner is completely unnecessary as only the squid
user needs write access and the web server is able to deliver
any file in the update cache anyways.
 2013-01-26 19:31:58 +01:00
Arne Fitzenreiter
07c9b89f86 modprobe.d condig: remove REGDOMAIN setting comment. 
If the regdomain was set here it cannot changed later with iw reg set.
 2012-12-29 16:34:31 +01:00
Michael Tremer
a30c7aa3be Compile-in IPv6 kernel module and disable all IPv6. 
It comes much more handy to compile in the IPv6 kernel module
(because it is loading almost everywhere) and disable the IPv6
functionality when the system starts up.

Therefore, IPv6 is not accidentially enabled at any time unless
someone wants to use it and disables the systcl options.
 2012-11-24 14:52:32 +01:00