webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 19:15:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,668 Commits 2 Branches 1 Tag
438edc646af44d8dbf8b7ceecddc101d82ffc583
Commit Graph

3553 Commits

Author SHA1 Message Date
Michael Tremer
4f66bad488 dnsdist: Increase number of open files to 64k 
dnsdist might need to open large number of connections
and therefore the default limit of 1024 needs to be
raised.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-28 08:16:32 +00:00
Arne Fitzenreiter
9e20c024b0 xt_geoip_update: fix date and add maxmind copyright to GeoIP.dat 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-24 15:44:23 +02:00
Arne Fitzenreiter
392994dcfb geoip-generator: added to build legacy GeoIP.dat file 
program and scripts based on debian geoip packages.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-24 11:29:01 +02:00
Arne Fitzenreiter
fd24c5dcbd Merge remote-tracking branch 'arne_f/perl-5.30' into next 2019-08-20 17:43:53 +00:00
Peter Müller
66980c9e00 hwdata: update PCI/USB databases 
PCI IDs: 2019-07-25 03:15:02
USB IDs: 2019-07-27 20:34:05

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-20 17:38:48 +00:00
Peter Müller
8ee3a13552 firewall: raise log rate limit to 10 packets per second 
Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.

This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-20 17:22:48 +00:00
Arne Fitzenreiter
c6277d3b10 perl: remove unused patches 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-16 21:33:52 +02:00
Arne Fitzenreiter
fa8b3ea7d3 installer: fix grub.conf root uuid entry 
grub-mkconfig has written the device name instead of uuid's
because the /dev/disk-by-uuid node of the new filesystem was missing
run "udevadm trigger" to create this nodes before install grub.

fixes: #12116

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-13 15:21:02 +02:00
Michael Tremer
6580bdeb6b freeradius: Build package without generating certificates 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-08-10 03:12:04 +01:00
Michael Tremer
1282a2e1af keepalived: Enable auto-start 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-08-10 03:12:04 +01:00
Arne Fitzenreiter
559e94bafb initskripts: smt: hide error on cpu's that not support smt at all 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-09 08:14:29 +02:00
Arne Fitzenreiter
99f2c69511 partresize: check for apu only if dmi is present 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-09 08:02:19 +02:00
Arne Fitzenreiter
10dd2afd6d sysctl: add seperate sysctl-x86_64.conf and move x86_64 only parameters 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-08 09:30:49 +02:00
Arne Fitzenreiter
dc362263f4 setup: add ignore to all no nic assigned errors 2019-08-06 10:51:45 +00:00
Arne Fitzenreiter
6836e528e5 u-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC 
this is a heavy patched version and should replaced when stock
u-boot is able to boot from h3 eMMC.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-06 04:32:22 +00:00
Arne Fitzenreiter
ca75ec5278 led initskript: add nanopi-r1 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-01 07:18:20 +00:00
Arne Fitzenreiter
fa5e921ccb partresize: add copy of broadcom firmware settings for nanopi-r1 
I added this to partresize like the APU scon enable because this
is the only script that runs on flashimage at first boot only and
remount root writeable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-01 07:09:34 +00:00
Arne Fitzenreiter
de8810fbaa iperf3: update to 3.7 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-17 13:15:33 +02:00
Arne Fitzenreiter
3ec3329dff unbound: rework dns-forwader handling 
add check if red interface has an IPv4 address before test the servers at
red up and simply remove forwarders at down process.

This also fix the hung at dhcpd shutdown.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-16 19:20:48 +02:00
Arne Fitzenreiter
4cd82be05f unbound: check if red/iface exists before read it 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-04 20:42:47 +02:00
Michael Tremer
abccd997c0 azure: Do not drop last byte of MAC addresses 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
bc5037150a Enable serial console on all Azure instances 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
8bd0c4b17d cloud-init: Move detection functions into initscript function library 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
acf47bfa80 cloud-init: Import experimental configuration script for Azure 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
b9021f9277 cloud-init: Execute setup script for Azure if needed 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
d035f60c9f cloud-init: Add function to detect if we are running on Azure 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Michael Tremer
ffb37e51d4 Rename AWS initscript to cloud-init 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-07-01 07:53:58 +01:00
Arne Fitzenreiter
4b75e9c92e unbound: use nic carrier instead of /var/ipfire/red/active 
This speed boot with static settings and no link and
dhcp on intel nics if the mtu is changed by the dhcp lease
because the nic loose the carrier and restart the dhcp action
at mtu set.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-29 11:36:49 +02:00
Alexander Marx
1722701a9a BUG12015: Redirecting to Captive portal does not work after IPFire restart 
When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscrip 'firewall'.

Fixes: #12015

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-21 01:39:18 +01:00
Arne Fitzenreiter
1a129822af linux-pae: fix grub.conf creation on pv machines 
on some systems it seems that grub2 and it config also exist.
 2019-06-18 14:36:02 +02:00
Peter Müller
69772b7dda OpenSSL: lower priority for CBC ciphers in default cipherlist 
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:24:00 +01:00
Michael Tremer
e263c29c92 unbound: Make some zones type-transparent 
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:14:28 +01:00
Michael Tremer
91056adea5 unbound: Add yandex.com to safe search feature 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:11:32 +01:00
Michael Tremer
043e7aa50f unbound: safe search: Resolve hosts at startup 
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-13 11:12:07 +01:00
Peter Müller
fa7de475fe Tor: fix permissions after updating, too 
Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 05:45:42 +01:00
Michael Tremer
894eaf5184 smt: Only disable SMT when the kernel thinks it is vulnerable 
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 17:07:23 +00:00
Matthias Fischer
3f7cec61c9 hostapd: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:45:54 +01:00
Stefan Schantl
72ab71969f update-ids-ruleset: Run as unprivileged user. 
Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:33:58 +01:00
Michael Tremer
0bb25a4f61 SMT: Disable when system is vulnerable to L1TF (Foreshadow) 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:55:17 +01:00
sfeddersen
2a1c173589 BUG 11487:solve problem with unexspected shutdown 
Solve problem with unexspected shutdown problem when checking a single client.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:31:07 +01:00
Michael Tremer
b0ec4158f3 miau: Drop package 
This is not maintained since 2010

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-29 15:24:29 +01:00
Michael Tremer
29fc1c8c3a ddns: Update to 011 
Add support for two new providers and has some general bug fixes
included.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 16:25:01 +01:00
Michael Tremer
333125abf8 Merge branch 'toolchain' into next 2019-05-24 06:55:03 +01:00
Michael Tremer
9f0295a512 Merge remote-tracking branch 'ms/faster-build' into next 2019-05-24 06:54:16 +01:00
Matthias Fischer
d2b5f03631 squid: Update to 4.7 
For details see:

http://www.squid-cache.org/Versions/v4/changesets/

Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-24 06:37:50 +01:00
Michael Tremer
f617fd912b unbound: Safe Search: Enable Restrict-Moderate for YouTube 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-22 15:29:32 +01:00
Michael Tremer
6a83dbb451 SMT: Apply settings according to configuration 
SMT can be forced on.

By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.

Systems that are not vulnerable to that will keep SMT enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 21:30:26 +01:00
Stefan Schantl
84227f7a1c update-ids-ruleset: Release ids_page_lock when the downloader fails. 
Fixes #12085.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 19:09:47 +01:00
Michael Tremer
715a269aa4 tshark: Drop special package scripts 
We are not doing anything different from the default here,
so we do not need an extra copy of them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 10:48:25 +01:00
Erik Kapfer
ffcef39d40 tshark: New addon 
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 10:44:04 +01:00