webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-14 21:12:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,938 Commits 2 Branches 1 Tag
62e116567adf025d1ecc4e290b0dcbb3fb886fb2
Commit Graph

6991 Commits

Author SHA1 Message Date
Jonatan Schlag
62e116567a Libvirt: update to version 5.6.0 
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:39:20 +00:00
Jonatan Schlag
3e5d4e6f83 libvirt: use a custom config file 
The patch which adjusts the options for IPFire in the libvirtd.conf does
not apply in a newer version of libvirt. Creating this patch is harder
than to use a separate config file.

This separate config file also enables us to adjust options much faster.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:38:59 +00:00
Arne Fitzenreiter
df67c7a80e core138: add squid 2019-11-13 19:37:47 +00:00
Arne Fitzenreiter
590e4a38bf core138: add ddns 2019-11-13 19:33:53 +00:00
Arne Fitzenreiter
ca6dc5ad5e core138: add logwatch 2019-11-13 19:33:31 +00:00
Arne Fitzenreiter
42541ddb7e core138: add suricata changes 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:20:17 +00:00
Stefan Schantl
961a27b5e2 suricata: Use DNS_SERVERS declaration from external file. 
These settings now will be read from
/var/ipfire/suricata/suricata-dns-servers.yaml, which will be
generated by the generate_dns_servers_file() function, located in
ids-functions.pl and called by various scripts.

Fixes #12166.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:14:27 +00:00
Stefan Schantl
bb2696da35 convert-snort: Generate DNS servers file. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:14:03 +00:00
Stefan Schantl
30ee98e949 ids-functions.pl: Introduce generate_dns_servers_file() 
This function is used to generate a yaml file which take care of the
current used DNS configuration and should be included in the main
suricata config file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:13:09 +00:00
Matthias Fischer
e93959a7aa logwatch: Update to 7.5.2 
For details see:
https://build.opensuse.org/package/view_file/server:monitoring/logwatch/ChangeLog?expand=1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:11:09 +00:00
peter.mueller@ipfire.org
be8afd151f Apache: deny framing of WebUI from different origins 
There is no legitimate reason to do this. Setting header X-Frame-Options
to "sameorigin" is necessary for displaying some collectd graphs on the
WebUI.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:10:33 +00:00
Arne Fitzenreiter
90582bb01e core138: add ipfire-interface.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:10:03 +00:00
peter.mueller@ipfire.org
583687a88d Apache: prevent Referrer leaks via WebUI 
By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:09:07 +00:00
Arne Fitzenreiter
1141bc69c9 core138: add ipfire-interface-ssl.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:08:02 +00:00
peter.mueller@ipfire.org
4636ed66c6 Apache: drop CBC ciphers for WebUI 
CBC ciphers contain some known vulnerabilities and should not be used
anymore. While dropping them for OpenSSL clients or public web servers
still causes interoperability problems with legacy setups, they can
be safely removed from IPFire's administrative UI.

This patch changes the used cipersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning
them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for
performance reasons.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:05:54 +00:00
Arne Fitzenreiter
856cdf15df core138: add openssl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:04:48 +00:00
Arne Fitzenreiter
1826c42b9e core138: add ovpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:55:53 +00:00
Arne Fitzenreiter
c86bf0bf24 core138: add unbound initscript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:54:28 +00:00
Arne Fitzenreiter
d93b76a00e core138: add openvpn 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:52:15 +00:00
Arne Fitzenreiter
64e0b8a5af core138: add init.d/functions 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:50:07 +00:00
Erik Kapfer
cb41e4a9a9 libarchiv: Update to version 3.4.0 
Version 3.4.0 is a feature and security release. The changelog can be found in here --> https://github.com/libarchive/libarchive/releases .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:45:32 +00:00
Arne Fitzenreiter
eeb1a2a219 core138: add lz4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:44:36 +00:00
Erik Kapfer
bc456dd750 lz4: Update to version 1.9.2 
Several fixes and improvements has been integrated. The changes list through the different versions since
the current version 1.8.1.2 can be found in here --> https://github.com/lz4/lz4/releases

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:43:04 +00:00
Arne Fitzenreiter
39bf8c6341 core138: add mail.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:42:17 +00:00
peter.mueller@ipfire.org
8f9c4081b4 Core Update 138: ship ca-certificates 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:40:04 +00:00
peter.mueller@ipfire.org
d5ccd924e0 update ca-certificates CA bundle 
Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:39:50 +00:00
Arne Fitzenreiter
94c09bd9c4 core138: add firewall-lib.pl to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:25:55 +00:00
Stefan Schantl
dba780a784 firewall-lib.pl: Populate GeoIP rules only if location is available. 
In case a GeoIP related firewall rule should be created, the script
now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:23:43 +00:00
Arne Fitzenreiter
75612f0644 start core138 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:22:31 +00:00
Michael Tremer
a42dfb216d speedtest-cli: Use Python 3 instead of Python 2 
This seems to be required although the documentation says
that Python 2 is supported.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:17:11 +00:00
Michael Tremer
d704e75d75 QoS: Do no classify as default when L7 filter isn't done 
We need to allow some more packets to pass through the
mangle chains so that the layer 7 filter can determine
what protocol it finds.

If L7 filter decides that a connection is of type "unknown",
we mark it as default, or it is marked with the correct class.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-22 15:57:01 +00:00
Arne Fitzenreiter
41c242bff8 Revert "Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped""" 
This reverts commit e4d242da4a.

this fails because we let QoS running and it doesn't like if the imq0
device was removed. (why imq0 can removed when it is up?)
 2019-10-22 15:54:37 +00:00
Matthias Fischer
4ba4645d12 bind: Update to 9.11.12 
For details see:
https://downloads.isc.org/isc/bind9/9.11.12/RELEASE-NOTES-bind-9.11.12.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 19:01:32 +00:00
Arne Fitzenreiter
e4d242da4a Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped"" 
This reverts commit 39c4ed4427.
 2019-10-21 19:00:19 +00:00
Michael Tremer
615bf6e0f0 QoS: Delete more unused iptables commands 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:36 +00:00
Michael Tremer
76bf53db8b QoS: Drop support for setting TOS bits per class 
This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:31 +00:00
Michael Tremer
6f07564242 QoS: No longer set TOS bits for ACK packets 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:29 +00:00
Michael Tremer
1e35eeac59 QoS: Remove some IPsec rules which never worked 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:25 +00:00
Michael Tremer
fc09b98296 QoS: Classify incoming traffic in PREROUTING 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:23 +00:00
Daniel Weismüller
4b5aa97393 QoS: Use CONNMARK to mark connections in connection tracking 
This patch modifies the connection tracking in that ways that
it sets a connection mark which will be retrieved when a packet
is being redirected to the IFB interface.

This way, we can use classification without having the packet
being sent through iptables first.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:20 +00:00
Michael Tremer
7d770777e0 Revert "Make IMQ Switchable between PREROUTING and POSTROUTING" 
This reverts commit 88b8ffac6b.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:14 +00:00
Michael Tremer
afe23fbb52 QoS: Drop support for subclasses 
This feature was never properly implemented and the UI was dead

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:12 +00:00
Michael Tremer
8d6b654369 QoS: Suppress an error message when cleaning up from previous runs 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:10 +00:00
Michael Tremer
951a9f9ba0 linux+iptables: Drop support for IMQ 
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:08 +00:00
Michael Tremer
50ed363e89 QoS: Do not delete egress qdisc after classes have been created 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:06 +00:00
Michael Tremer
677c1f47d7 QoS: Start qosd immediately 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:59 +00:00
Michael Tremer
96f16b8501 QoS: Tidy up qdiscs after QoS is being stopped 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:53 +00:00
Michael Tremer
0dfb3984d0 QoS: Use Intermediate Functional Block 
This is an alternative implementation to the Intermediate Queuing
Device (IMQ) which is an out-of-tree kernel patch and has been
criticised for being slow, especially with mutliple processors.

IFB is part of the mainline kernel and a lot less code.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:41 +00:00
Michael Tremer
c37af2f004 QoS: Do not manually load iptables modules 
This should not be necessary and causes the script to
wait for two seconds.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:14 +00:00
Arne Fitzenreiter
3670ac5622 core137: remove QoS stop at update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-20 20:29:50 +00:00