This commit allows to configure suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.
Because the RW server and/or each N2N connection uses it's own tun?
device, it is only possible to enable monitoring all of them or to disable
monitoring entirely.
Fixes#12111.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The safe search code relied on working DNS resolution, but
was executed before unbound was even started and no network
was brought up.
That resulted in no records being created and nothing being
filtered.
This will now set/reset safe search when the system connects
to the Internet.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
some nic's like Intel e1000e needs a reinit to change the
mtu. In this case the dhcp hook reinit the nic and terminate now
to let the dhcpcd reinit the card in backgrounnd without running the
rest of the hooks.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
I have been receiving a couple of emails recently directed
at info@ipfire.org with bug reports when a system did not
boot up or shut down properly.
This is obviously not the right way to report bugs, but
we are telling our users to do so.
This patch changes this to report bugs to Bugzilla like
it should be.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This script started a fresh download every time it was called,
which is unnecessary.
The check to skip the download did not work because it was
looking for the old data format.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.
Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.
There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.
The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.
Fixes#12183
Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Some users have problems to reach DNS servers. This change adds an option
which allows to force using TCP for upstream name servers.
This is a good workaround for users behind a broken Fritz!Box in modem
mode which does not allow resolving any records of the root zone.
The name server tests in the script will also only use TCP.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This patch updates the package and removes the sanedloop script
which was needed to launch saned, but that program can now run
in standalone mode.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
dnsdist might need to open large number of connections
and therefore the default limit of 1024 needs to be
raised.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.
This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
I added this to partresize like the APU scon enable because this
is the only script that runs on flashimage at first boot only and
remount root writeable.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
add check if red interface has an IPv4 address before test the servers at
red up and simply remove forwarders at down process.
This also fix the hung at dhcpd shutdown.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This speed boot with static settings and no link and
dhcp on intel nics if the mtu is changed by the dhcp lease
because the nic loose the carrier and restart the dhcp action
at mtu set.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscrip 'firewall'.
Fixes: #12015
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
SMT can be forced on.
By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.
Systems that are not vulnerable to that will keep SMT enabled.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a feature that will filter adult content from search
engine's results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.
However, there is no better solution available to this and this
an optional feature, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Force the initscript to remove the PID file when calling "stop" section.
If suricata crashes during startup, the PID file still remains and the service
cannot be started anymore until the file has been deleted.
Now when calling "stop" or "restart" the PID file will be deleted and the service
can be used again.
Fixes#12067.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The script now will use the previously introduced seperate firewall chains called
IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.
The commit also creates an AND connection between the choosen network zones in the UI and
the final firwall rules.
Fixes#12062.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
