These changes will allow snort to also inspect the traffic for
one or more configured alias addresses, which has not been done in the past.
The current situation is, that snort if enabled on red, only inspects
the traffic which is desired to the statically configured red address.
If some alias addresses have been assigned to the red interface the
traffic to these addresses will not be checked by snort and
completely bypasses the IDS.
There is no user interaction required, nor visible-effects or any
backward-compatiblity required, only a restart of snort after the
update process to protect all red addresses.
To do this we will now check if, the RED interface has been set to STATIC (which
is required to use the aliases function) and any aliases have been configured. In
case of this, the modified code will add all enabled alias addresses to the HOMENET
variable in which snort is storing all the monitored addresses.
Fixes#10619.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
using MASQERADE_GREEN="off" will not work because "NETWORK_GREEN" is
not correctly defined in green only mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
If an IPsec VPN connections is not established, there are
rare cases when packets are supposed to be sent through
that said tunnel and incorrectly handled.
Those packets are sent to the default gateway an entry
for this connection is created in the connection tracking
table (usually only happens to UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register among other things.
This patch adds firewall rules that these packets are
rejected. That will sent a notification to the client
that the tunnel is not up and avoid the connection to
be added to the connection tracking table.
Apart from a small performance penalty there should
be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
nfsd requires a mounted nfsd filesystem which has been introduced in
the kernel 2.6 tree. To determine the current running kernel, a check
was included in the initscript which works fine until we switched to a kernel
version 3.x.
This commit fixes this check, so the nfs-server will startup again.
Fixes#10760.
This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.
This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.
Instead of creating a copy of the configuration values and
for better extensibility, we will have udev execute a script
that parses /var/ipfire/ethernet/settings and will return the
correct name of the corresponding device (green0, blue0, ...).
