There is no sense in doing this only in /etc/init.d/network
and not in /etc/init.d/networking/red
This files should be always deleted before a startup
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This setting is also old (2007) and cannot be set via the webinterface
anymore. So why checking for something, which can only be true.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
A long time ago (2007) there were more config types possible then 1, 2, 3
and 4. As our installer currently only accepts config type out of the set
1, 2, 3 and 4 we do not need to check if our CONFIG_TYPE is in this set.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
/bin/sh is a symlink to /bin/bash on ipfire systems. Using /bin/sh in
the scripts as shebang hurts in two ways:
1. We use features which do not work with sh as shell. This is not
really a problem but if we rely on features of a real bash we can
state this clearly.
2. The syntay highlighting in vim does not work without a correct
shebang. As I want and need correct syntax highlighting I propose to
change the shebang.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The system should perform all write operations when sync is called and
only return when the write queues are empty.
There is no additional benefit for calling sync again as the buffers
should be empty. If data is still being lost, then that is a bug in
either the storage device or driver.
As the (re-)boot process is already so slow, I would like to get rid of
any unnecessary delays.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
mount -f does nothing and also the sync calls should do nothing
on a already ro mounted filesystem.
fixes: #13195
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
the flashimage is build without journal to not destroy
usb thumbdrives or sd cards. On real ssd's and virtual
machines it should enabled for higher data security.
So this patch add the journal is drive support smart.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- With the last update of lvm2 lvmetad was removed from lvm2. I did not recognise that
lvmetad had been setup as an automatic initscript, so it no longer works as the
binary is no longer provided.
- This patch removes the lvmetad initscript, the reference to lvmetad in the initscript
lfs file and the lvmetad initscript entries in the rootfile for each architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
These rules where created to permit any local traffic to the firewall
when using a PPP connection that utilised Ethernet as transport.
This is however nonsensical and a security issue for any other
connection methods that call the RED interface "red0" and use PPP (e.g.
QMI).
Since PPPoE packets do not flow through iptables, these rules can be
dropped safely. We do not know whether PPTP works at all these days.
Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This patch is to move the rng-tools package from a core package to an addon. With the
kernel changes from 5.6 rngd is no longer needed to create the required kernel entropy.
- The results from HRNG's via rngd are used with an XOR after the entropy is
collected by the kernel. So the HWRNG output is used to dilute the kernel random number
data, which is already merged from several sources.
- Based on the above and @Paul's request in the bug report to have rng-tools kept as an
addon this patch set is submitted for consideration to keep rng-tools but as an addon.
- move rng-tools rootfile from common to packages
- Modify rng-tools lfs from core package to addon package
- Create rng-tools pak to install and uninstall - creating rc.d links for start & stop.
- Move rngd initscript from system to packages directory.
- Installed into my vm testbed and confirmed that it works. No rngd daemon installed
from iso install. After addon install rngd is present and running. Added various files
to be able to test the services wui page. rngd shows up and can be turned off and on
Fixes: Bug#12900
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
This removes support for building IPFire for 32 bit ARM architectures.
This has been decided in August 2022 with six months notice as there are
not very many users and hardware is generally not available any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For reasons I have not been able to determine, the RTC
module for the Ten64 board (rtc-rx8025) is not automatically
loaded at startup, despite every other relevant modules being
loaded.
modprobe it manually if we are on a Ten64 board.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
This is no longer required because the kernel will now try to
generate some randomness in an easier way when needed.
This has been added in: b923dd3de0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Device time more accurate. (e.g., +/- 10 seconds per day to < 100 ms on some devices)
( I know we don't need the perfect time server )
- NTP and time will be accurate in manual mode (setting on Time Server > NTP Configuration WebGUI)
- Change NTP "prefer" server:
- The current preferred NTP server in an Undisciplined Local Clock.
- This is intended when no outside source of synchronized time is available.
- Change the "prefer" server from 127.127.1.0 to the Primary NTP server specified on
the Time Server > NTP Configuration WebGUI page.
- Change allows the drift file (located at /etc/ntp/drift) to be populated by ntpd.
- The drift file is updated about once per hour which helps correct the device time.
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
mount, as updated via util-linux, no longer writes /etc/mtab, causing
programs to rely on this file's content (such as the check_disk Nagios
plugin) to stop working.
/proc/self/mounts contains all the necessary information, so it is fine
to replace /etc/mtab by a symlink to it.
Fixes: #12843
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
They were mistakenly placed after the IPS chains in commit
7b529f5417, but should be placed after the
connection tracking and before the IPS.
Fixes: #12815
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
It is not necessary to have this key present on IPFire systems anymore,
since it has not been in use for years, and we can expect systems to be
sufficiently up-to-date, so they no longer need to rely on old updates
or add-ons signed with this key.
Also, given the current key was generated in 2018, we should consider a
Pakfire key rollover soon.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.
This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.
This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
pool.ipfire.org cannot resolved. Now try both default dns
servers. If one works dns is working.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.
However, conntrack seems to drop a lot of (at the first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.
This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.
Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
that it is about toggling _logging_, not the actual _dropping_. Other
variables are still in need of being renamed to clarify this, which
will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
config/rootfiles/core/164/update.sh for "master", since this patch has
been developed against "next". Kindly cherry-pick the necessary
changes.
Partially fixes: #12778
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.
However, conntrack seems to drop a lot of (at the first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.
This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.
Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
that it is about toggling _logging_, not the actual _dropping_. Other
variables are still in need of being renamed to clarify this, which
will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
config/rootfiles/core/164/update.sh for "master", since this patch has
been developed against "next". Kindly cherry-pick the necessary
changes.
Partially fixes: #12778
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
If the firewall is talking to itself using one of its private IP
addresses (e.g. the primary green interface IP address), it will use the
loopback interface.
This is due to the local routing table which will be looked up first:
[root@ipfire ~]# ip rule
0: from all lookup local
128: from all lookup 220
220: from all lookup 220
32765: from all lookup static
32766: from all lookup main
32767: from all lookup default
It contains:
[root@ipfire ~]# ip route show table local
local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
Any lookup for the green IP address will show this:
local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
cache <local>
A test ping shows this in tcpdump:
[root@ipfire ~]# tcpdump -i any icmp -nn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
For this reason, we will have to accept any source and destination IP
address on the loopback interface, which is what this patch does.
We can however, continue to check whether we received any packets with
the loopback address on any other interface.
This regression was introduced in commit a36cd34e.
Fixes: #12776 - New spoofed or martian filter block
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
If the firewall is talking to itself using one of its private IP
addresses (e.g. the primary green interface IP address), it will use the
loopback interface.
This is due to the local routing table which will be looked up first:
[root@ipfire ~]# ip rule
0: from all lookup local
128: from all lookup 220
220: from all lookup 220
32765: from all lookup static
32766: from all lookup main
32767: from all lookup default
It contains:
[root@ipfire ~]# ip route show table local
local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
Any lookup for the green IP address will show this:
local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
cache <local>
A test ping shows this in tcpdump:
[root@ipfire ~]# tcpdump -i any icmp -nn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
For this reason, we will have to accept any source and destination IP
address on the loopback interface, which is what this patch does.
We can however, continue to check whether we received any packets with
the loopback address on any other interface.
This regression was introduced in commit a36cd34e.
Fixes: #12776 - New spoofed or martian filter block
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this fix MAC address generation on R2S
and allow to use the new added overclocked dtb's for R2S and R4S.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For some reason, this module is not present after the very first boot of
an IPFire installation.
Fixes: #12767
Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
-update arm-trusted firmware to 2.6
-fix mac address generation on R2S because the CPUID fuses are not uniqe
-add support for NanoPi R4S
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
