Go leaves temporary build files in the directory
which we do not need and we should clean up after
every build.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
AWS Systems Manager Agent (SSM Agent) is Amazon software that can be
installed and configured on an Amazon EC2 instance, an on-premises
server, or a virtual machine (VM). SSM Agent makes it possible for
Systems Manager to update, manage, and configure these resources. The
agent processes requests from the Systems Manager service in the AWS
Cloud, and then runs them as specified in the request. SSM Agent then
sends status and execution information back to the Systems Manager
service by using the Amazon Message Delivery Service.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This file is no longer generated and therefore cannot
be imported any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machines hostname or IP address. Existing
certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes#11594
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Otherwise it may happen, that the created config files have wrong
permissions and the WUI will break.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When the DNS configuration of the system is changed,
we need to re-generate the file which contains the DNS Server
details for suricata and to restart the service.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The function now uses the newly introduced get_nameservers() function
while generating the DNS servers file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function simply return an array of all used nameservers.
It also takes care if the usage of ISP assigned nameservers
is enabled or not and if user-added nameservers are enabled or not.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
In the past this code was used to add the DNS servers
to the ignore list and prevent them from being blocked by
guardian.
Because of the switch to suricata as IPS, guardian now prevents
from password brute-forcing on SSH and/or the webserver, so this
code is not longer needed and safly can be removed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
For this, a test query to the local unbound instance will be
sent and if the DNS system work properly can be answerd.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Since DNSSEC relies on time to validate its signatures,
a common problem is that some systems (usually those without
a working RTC) are not being able to reach their time server.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When the system comes online, we must update entries
in the unbound cache to point to the "safe" IP addresses.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Those checks have caused us a lot of trouble and are now being dropped.
Users must make sure to choose servers that support DNSSEC or enable
any of the tunneling mechanisms to be able to reach them.
Fixes: #12239
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The old configuration file in /etc/sysconfig/unbound is no
longer being used and all settings should be in
/var/ipfire/dns/settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
