Michael Tremer
815eaff433
iptables: Create guardian's chains after the CUSTOM* chains.
2013-08-09 14:15:32 +02:00
Michael Tremer
1e55533052
iptables: Cleanup creating the OVPNBLOCK chain.
...
This should happen after the CUSTOM* chains.
2013-08-09 14:15:32 +02:00
Michael Tremer
3b9a23ce07
iptables: Block all loopback packets on non-loopback interfaces.
2013-08-09 14:15:32 +02:00
Michael Tremer
afc611d448
iptables: Create LOOPBACK chain.
...
This chain accepts all communication on the loopback
interface without running it through the entire connection
tracking first.
Packets on lo can never be blocked and must always be
accepted. The firewall has to trust itself anyway.
2013-08-09 14:15:32 +02:00
Michael Tremer
c0359d6dfb
iptables: Only jump into BADTCP for TCP packets.
...
This saves us from evaluating lots of rules for non-TCP
packets.
2013-08-09 14:15:32 +02:00
Michael Tremer
b85d2a9819
iptables: Replace state module by conntrack module.
...
The state module is deprecated in recent releases of iptables
and should not be used any more.
Additionally, this patch adds an extra chain for all
connection tracking rules, so we can keep the entire ruleset
smaller and cleaner.
2013-08-09 14:15:32 +02:00
Alexander Marx
c12392c0ef
Forward Firewall: removed NAT table and txt file.
2013-08-09 14:15:29 +02:00
Alexander Marx
ff4770c79b
Forward Firewall: changed /etc/init.d/firewall. deleted stop routine and rearranged iptables_init and restart routine
...
Now it should be possible to use /etc/init.d/firewall restart without errors
2013-08-09 14:15:29 +02:00
Alexander Marx
e41b651b4a
Forward Firewall: changed order of LOG and DROP rules for INPUT Chain
2013-08-09 14:15:28 +02:00
Alexander Marx
ed9ab82c61
Forward Firewall 0.9.9.7: reordered INPUT POLICY.
2013-08-09 14:15:28 +02:00
Alexander Marx
690b0bd761
Forward Firewall: added OVPNBLOCK and fixed rules.pl to correctly get ip address of red iface
2013-08-09 14:15:28 +02:00
Michael Tremer
d2c4a3cab9
openvpnctrl: Cleanup flushChain functions.
2013-08-09 14:15:28 +02:00
Michael Tremer
2181b55552
openvpnctl: Flush BLOCK and SNAT chain when needed.
2013-08-09 14:15:28 +02:00
Michael Tremer
c31f18b6a9
openvpnctrl: Block all transfer subnets.
2013-08-09 14:15:27 +02:00
Michael Tremer
7c50b04834
openvpnctrl: Remove unneeded code.
2013-08-09 14:15:27 +02:00
Alexander Marx
e1eef9d53e
Forward Firewall: BUGFIX: When creating DMZ Rules with MANUAL IP as source and afterwards editing the rule, the rule was copied and not just edited.
...
BUGFIX: When using SNAT (outbound) the rule does not seem to work. The NAT_SOURCE chain was in the wrong position in POSTROUTING
2013-08-09 14:13:12 +02:00
Alexander Marx
c400fe4c84
Forward Firewall: fixed wrong log Entries INPUT_DROP when connected via Web or ssh
2013-08-09 14:13:12 +02:00
Alexander Marx
3e79f33fc2
Forward Firewall: reordered some rules to get rid of INPUT_DROP messages in log when connected to webinterface
2013-08-09 14:13:11 +02:00
Alexander Marx
dc82656bf9
Forward Firewall: 0.9.9.4a - Bugfix typo in firewallscript, DMZ Link on startpage now leads to firewall instead of dmzpinholes
2013-08-09 14:13:10 +02:00
Alexander Marx
aff15defbc
Forward Firewall: rules for collectd now in firewall-policy instead of /etc/init.d/firewall
2013-08-09 14:13:10 +02:00
Alexander Marx
53f4c74d9b
Forward Firewall: some changes in firewall script to make collectd work
2013-08-09 14:13:10 +02:00
Alexander Marx
ed31c098f5
Forward Firewall: added drop rules to firewall's stop script so that collectd is working
2013-08-09 14:13:10 +02:00
Alexander Marx
94ea1f0346
Forward Firewall: fixed firewall hits statistics and extended it to show input, output, forward, newnotsyn and portscan separately.
2013-08-09 14:13:10 +02:00
Alexander Marx
218b3341b6
Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set to REJECT
2013-08-09 14:11:57 +02:00
Alexander Marx
93b75f31ad
Forward Firewall: clean up some files
...
Fix iptables loop wirelessctrl
Fix firewall chain order
Fix policies (added comment for statistic)
2013-08-09 14:11:56 +02:00
Alexander Marx
9efd8d1c7e
Forward Firewall: delete old portforwarding from system and fix for wlan-firewall part 1 (loop)
2013-08-09 14:11:56 +02:00
Alexander Marx
ef6f983b17
Forward Firewall: put rule OUTGOING ACCEPT Related, established into /etc/init.d/firewall
...
deleted ACCEPT OUTGOINGFW related,established from POLICYOUT
2013-08-09 14:11:55 +02:00
Alexander Marx
dc33c23b1f
Forward Firewall: Updated strongswan patch provided by Michael. (Changes _updown script from FORWARD ACCEPT to RETURN)
2013-08-09 14:11:52 +02:00
Alexander Marx
a9b3ae26a3
Forward Firewall: /etc/init.d/firewall now creates POLICYIN
2013-08-09 14:11:09 +02:00
Alexander Marx
fd4d137dbe
Forward Firewall: deleted outgoingfwmac, is now useless
2013-08-09 14:10:16 +02:00
Alexander Marx
443a6e8a5f
Forward Firewall: deleted creation of OVPNFORWARD and the accept rule.
2013-08-09 14:09:17 +02:00
Alexander Marx
b324de14db
Forward Firewall: fix wlan clients now working with forwardfw
2013-08-09 14:08:23 +02:00
Alexander Marx
5d7faa4518
Forward Firewall: First part of adding OUTGOING to the firewall
2013-08-09 14:08:20 +02:00
Alexander Marx
12dcfbbdbe
Forward Firewall: Portfw now working and firewall closed correctly
2013-08-09 14:08:19 +02:00
Alexander Marx
d6bdebd47d
Forward Firewall: fixed icmp-types and deleted dmzholes chain
2013-08-09 14:08:17 +02:00
Alexander Marx
0b14d3d9b1
Forward Firewall: fixed portforward rules. Now possible even if firewall in mode1
2013-08-09 14:08:16 +02:00
Alexander Marx
6adcf1569c
Forward Firewall: set standard rules for blue in mode 2
2013-08-09 14:08:16 +02:00
Alexander Marx
210ee67b53
Forward Firewall: deleted mode0, added default Mode2 and fixed /etc/init.d/firewall to reload the rules correctly on reload. Also made it possible to create broadcastrules (To drop broadcastpackets)
2013-08-09 14:08:15 +02:00
Alexander Marx
e44fa0792b
Forward Firewall: BUGFIX: When editing a rule and changing position, no other changes were saved.
...
added the DMZHOLES Rule to init.d/firewall (but changed DMZHOLES to FORWARDFW)
2013-08-09 14:08:10 +02:00
Alexander Marx
8dc23ff4fc
Forward Firewall: adapted initscripts/firewall and wirelessctrl.c
...
Now the Wirelesschains should work with new firewall.
2013-08-09 14:08:09 +02:00
Alexander Marx
8139398721
Forward Firewall: edited /src/initscripts/init.d/firewall and misc-progs/wirelessctrl.c
...
added WIRELESSFORWARD to FORWARDFW (instead of FORWARD) so that rules work
commented out DMZHOLES lines in wirelessctrl.c to get rid of boot error messages (There's no DMZHOLES anymore)
2013-08-09 14:08:09 +02:00
Alexander Marx
62fc851166
Forward Firewall: fixed 12 Bugs from forum.
...
1) Added more possible chars in remark: : / .
2) Added "Internet" to std networks to be able to define internetaccess
3) When renaming a custom address, the firewallrules get updated
4) Ports are now ignored when using GRE as Protocol
5) When saving a customservice, the cursor is now in first textfield
6) Added a customservices file to installation with predefined services
7) Added ESP as protocol
8) Fixed counterproblem
9) Dropdownboxes for customservices and groups now sorted
10) Firewallrules now sorted in right order
11) fixed a Bug when defining manual address in source and target, the hint message is no longer displayed
12) When defining an external access rule, the last forwardrule was deleted
2013-08-09 14:08:04 +02:00
Alexander Marx
fd10a52ca2
Forward firewall: commented out line in init.d/firewall that all Forward traffic from green is allowed and put it in rules.pl. Now rules.pl allows this traffic when firewall is set to Mode0 or Mode2
2013-08-09 14:07:15 +02:00
Alexander Marx
6be0579b18
Forward Firewall: replaced Outgoing-Logging with ForwardFW Logging. And changed Options in optionsfw.cgi from outgoing to forward
2013-08-09 14:05:22 +02:00
Alexander Marx
231499fcc8
Forward Firewall: build iso with new firewall
2013-08-09 14:04:38 +02:00
Michael Tremer
111c99ddfa
Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes.
...
Signed-off-by: Alexander Marx <amarx@ipfire.org>
Conflicts:
config/backup/include
lfs/configroot
lfs/usb-stick
2013-08-09 14:02:02 +02:00
Michael Tremer
7323724196
squid: Fix two security issues.
...
* CVE-2013-4115
* CVE-2013-4123
http://www.squid-cache.org/Versions/v3/3.1/changesets/
2013-08-07 22:15:31 +02:00
Michael Tremer
dfdda7588d
DDNS: Use HTTPS for all-inkl.com.
2013-08-03 13:36:19 +02:00
Michael Tremer
9e4cb00b42
tor: Fix path to readhash in initscript.
2013-08-02 10:42:08 +02:00
Michael Tremer
52a2f02f41
Merge branch 'ddns-all-inkl' into next
...
Conflicts:
config/rootfiles/core/72/filelists/files
2013-08-02 10:41:27 +02:00