IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024
when initiating a connection. These are considered weak although
many off-the-shelf hardware is still using this as defaults.
This patch disables those algorithms and additionally changes
default behaviour to only accept the configured cipher suites.
This might create some interoperability issues, but increases
security of IPFire-to-IPFire IPsec connections.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The images are now a little bigger and will be scaled down
here, but the iframe box never grows bigger than the max.
size of the container.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The graphs are using an iframe and PNG images where the resolution
did often not fit and the browser had to resize the image. That
led to blurred fonts and hard to read graphs.
This patch increases the size of the box and the image. With that
higher resolution resizing should not be too much of an issue, but
since the sizes of the iframe and image have been aligned should
not even be necessary.
Reported-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will create IPsec VPN connections with auto=route set
instead of auto=start which will cause the connection being
created, but not brought up yet.
As soon as the first packet is received, the connection will
be established and data will be passed through it.
This allows IPFire to handle more VPN connections on weaker
systems and avoids negotiating many connections which are
rarely used.
Suggested-by: Tom Rymes <tomvend@rymes.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #10733
This patch always enables asynchronous logging which slows
down the system a lot on slow storage and some virtual environments.
It also removes the configuration options in the web
user interface, since this is not configurable any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If one has an IPSec network named "aaa" and an OpenVPn Host with the same name
it was not possible to group them together because of the same name.
Now the Network type is also checked wich allows Entries with same name, but different networks.
Fixes: #11242
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
I did the following:
- Rearranged the fields on 'guardian.cgi' a bit - in a (hopefully) logical manner,
so that they don't need so much room.
- Added some translation-strings and explanations to (revised) 'guardian.cgi'.
- Added missing language string(s), deleted obsolete.
- Deleted all guardian entries from standard language files in
'/var/ipfire/langs'-directory.
- Added (upgraded) addon-specific language files to '/var/ipfire/addon-lang'-directory.
I hope, I didn't forget something...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
We have only one english wiki, so the link to the list of public
dns servers can point directly to the right page.
(The link was also not correct).
Fixes: #11191
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When using dnat addresses, it is possible to use big subnets and host addresses like 172.16.0.0/12.
These addresses where rejected because it was recognised as network address.
The check is now removed.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
fixes: #11177
There are providers which do not use passwords anymore.
For this reason the password field is no longer mandatory.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The options for configuring the log file location and
snort alert priority level now dynamically will be
displayed or hidden if the desired options or feature
is not used.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will allow to choose between DROP and REJECT if guardian blocks an
attackers address.
Fixes #10xxx.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Add support and usage of the recently introduced feature of
including other files in the ignore file to add
the red related IP-addresses to the ignore list on IPFire
systems.
Also use reload-ignore-list feature instead of reloading the
whole configuration on ignore list modifications.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is responsible for collecting all required data,
like the green, blue, orange (if the interfaces are available),
red, gateway and used DNS server IP-addresses.
It will add als these addresses and the configured and enabled
user-defined ignored addresses/networks to the ignore file of
guardian to prevent from blocking any of them.
Note:
The IPFire and RED inteface related addresses also will be added
to the ignore file, even if there is no user-defined entry in the
list.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The CGI now uses an own ignored configuration file for
storing host addresses and/or subnets which should be
ignored by guardian.
This allows to add remarks for them and to enable or disable
each entry individally at any time.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Rework the GetBlockedHosts() to use the "getipstat" binary
instead of the not longer available "guardianctrl" binary.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The guardianctrl binary does not longer exists, use
the Guardian::Socket module to send various commands
by using the provided socket client.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The config file format and values have been changed, so the
code to do the generation has to be adjusted.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Rename the hash key names of enabled parser modules,
(services which should be monitored by guardian) to
keep the same name sheme than in the guardian config
file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When the owncloud addon is not installed, this value was not
initialized correctly.
Reference #10748.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
