This commit allows to configure suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.
Because the RW server and/or each N2N connection uses it's own tun?
device, it is only possible to enable monitoring all of them or to disable
monitoring entirely.
Fixes#12111.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
With this patch the clients are updated and those who are expired get deleted from the hash.
In addition the table of active clients is now sorted.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This will be done by the recently added generate_dns_servers_file()
function from ids-functions.pl.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These checks did not do anything but clear all fields
when mailing was disabled.
It makes a lot more sense to retain people's settings,
even when they have been disabled.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
File uploads did not work since Perl was upgraded. This patch
fixes that problem by only checking if an object was returned
instead of performing a string comparison.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This feature was never properly implemented and the UI was dead
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is supported since strongswan 5.7.2 and is a good alternative
to Curve25519 because Curve448 is almost equally secure but performs
faster.
https://en.wikipedia.org/wiki/Curve448
This is enabled by default although we do not expect many other
implementations to be able to support this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since Core 132 the 'TLS Channel Protection' is part of the global settings,
the ta.key generation check should also be in the main section otherwise it
won´t be created if not present.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a
"Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished.
Since the ta.key are created after the DH-parameter, it won´t be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The inputs for the vlanids are overlapping the borders of their cells (using a recent Firefox on Linux Mint, Android or Windows 7). This patch fixes this by limiting the width to a fixed value.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Expand the regex for the section dmi ("Mail") for /var/log/mail to include the log contents of postfix, in case the addon is installed.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The prefix for dmi in /var/log/mail seems to have changed from "dma[<PID>]: " to "dma: ". This results in a bug where no lines are being shown at all in the WUI.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.
Fixes#12099
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.
This helps to prevent from doing this stuff at several places again and again.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes#12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.
If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.
This a more natural flow that is expected by almost all users of this
feature.
Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
red - vulnerable
blue - mitigated
green - not affected
because we not really trust the mitigations so they shound not green.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
remove lf at the end for correct matching
and not strip "Mitigated:" if it was not full working and still
vulnerable.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
