webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-21 16:32:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,917 Commits 2 Branches 1 Tag
856cdf15df30e3cab170581b2cd3e4c19fbb9170
Commit Graph

2375 Commits

Author SHA1 Message Date
Arne Fitzenreiter
856cdf15df core138: add openssl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:04:48 +00:00
Arne Fitzenreiter
1826c42b9e core138: add ovpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:55:53 +00:00
Arne Fitzenreiter
c86bf0bf24 core138: add unbound initscript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:54:28 +00:00
Arne Fitzenreiter
d93b76a00e core138: add openvpn 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:52:15 +00:00
Arne Fitzenreiter
64e0b8a5af core138: add init.d/functions 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:50:07 +00:00
Arne Fitzenreiter
eeb1a2a219 core138: add lz4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:44:36 +00:00
Arne Fitzenreiter
39bf8c6341 core138: add mail.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:42:17 +00:00
peter.mueller@ipfire.org
8f9c4081b4 Core Update 138: ship ca-certificates 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:40:04 +00:00
Arne Fitzenreiter
94c09bd9c4 core138: add firewall-lib.pl to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:25:55 +00:00
Arne Fitzenreiter
75612f0644 start core138 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:22:31 +00:00
Arne Fitzenreiter
41c242bff8 Revert "Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped""" 
This reverts commit e4d242da4a.

this fails because we let QoS running and it doesn't like if the imq0
device was removed. (why imq0 can removed when it is up?)
 2019-10-22 15:54:37 +00:00
Arne Fitzenreiter
e4d242da4a Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped"" 
This reverts commit 39c4ed4427.
 2019-10-21 19:00:19 +00:00
Arne Fitzenreiter
3670ac5622 core137: remove QoS stop at update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-20 20:29:50 +00:00
Arne Fitzenreiter
39c4ed4427 Revert "core137: Remove imq0 and unload imq module after QoS has been stopped" 
This reverts commit f48920d84f.
 2019-10-20 20:28:10 +00:00
Arne Fitzenreiter
6e414ea1e0 core137: don't start QoS 
QoS need to load kernel modules but the currect kernel
was removed so it cannot correct start without a reboot.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-20 09:51:04 +00:00
Daniel Weismüller
f48920d84f core137: Remove imq0 and unload imq module after QoS has been stopped 
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 21:09:04 +00:00
Arne Fitzenreiter
42c2acc218 core137: add path of qosctrl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:19:59 +02:00
Arne Fitzenreiter
0df4cf7105 core137: erase lm_sensors config after collectd start 
this is needed to research the sensors with updated kernel
after next reboot.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:18:24 +02:00
Arne Fitzenreiter
be967dc920 Revert "firewall: always allow outgoing DNS traffic to root servers" 
This reverts commit 70cd5c42f0.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:13:49 +02:00
Arne Fitzenreiter
aee52e38d0 Revert "ship updated bash and readline" 
there are missing files libs/bash/* in the rootfiles and there
are addons linked against readline-6.3 so we still need this
as readline-compat

This reverts commit 5c0345f5c1.
 2019-10-15 07:31:56 +00:00
Arne Fitzenreiter
0fb42e01c5 core137: add qos changes to updater 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 18:09:39 +00:00
Arne Fitzenreiter
ec5b30f39b core137: add updated sysctl.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:57:58 +00:00
Arne Fitzenreiter
d3ef457692 core137: add updated 99-geoip-database 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:49:32 +00:00
Arne Fitzenreiter
bb64cd092c core137: add updated xt_geoip_update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:46:27 +00:00
Arne Fitzenreiter
efa43d82b5 core137: add dns.cgi to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:42:35 +00:00
Arne Fitzenreiter
6f828b103e core137: add updated ruleset-sources 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:36:36 +00:00
Arne Fitzenreiter
ff42e56224 core137: add updated backup.pl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:30:37 +00:00
Arne Fitzenreiter
57ff953341 core137: add ipset to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:22:44 +00:00
peter.mueller@ipfire.org
5c0345f5c1 ship updated bash and readline 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:12:53 +00:00
Arne Fitzenreiter
fcb0e92dec core137: restart updated services 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-12 15:56:40 +00:00
Arne Fitzenreiter
2513c3bba9 core137: ship libpcap 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:05:50 +00:00
Arne Fitzenreiter
a647499b10 core137: ship unbound 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:03:50 +00:00
Arne Fitzenreiter
5fe5334daa core137: ship strongwan and vpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:56:47 +00:00
Arne Fitzenreiter
f1e1e9072d core137: ship updated unbound initskript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:50:04 +00:00
peter.mueller@ipfire.org
70cd5c42f0 firewall: always allow outgoing DNS traffic to root servers 
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:48:40 +00:00
Arne Fitzenreiter
c132fed64d core137: ship suricata 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:38:52 +00:00
Arne Fitzenreiter
563ac9b13e core137: ship knot 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:36:24 +00:00
peter.mueller@ipfire.org
a85a7a60fc firewall: raise log rate limit for user generated rules, too 
Having raised the overall log rate limit to 10 packet per second
in Core Update 136, this did not affected rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:30:31 +00:00
Arne Fitzenreiter
e60dde5f53 core137: ship Net_SSLeay 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:26:22 +00:00
Arne Fitzenreiter
0e081a25f7 core137: ship libssh 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:21:17 +00:00
Arne Fitzenreiter
dcf1a61f5b core137: ship updated logrotate.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:17:44 +00:00
Arne Fitzenreiter
dbcb1c99d2 core137: ship tzdata 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:14:43 +00:00
Arne Fitzenreiter
c9ef22a019 core137: ship wpa_supplicant 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:10:23 +00:00
Arne Fitzenreiter
6499bd0d50 core137: ship bind 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:08:04 +00:00
Arne Fitzenreiter
2a0edc08bf core137: ship changed ovpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:06:13 +00:00
Arne Fitzenreiter
5907bc5d5e core137: add pcre 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:02:23 +00:00
Arne Fitzenreiter
c0fe5525ce core137: add dhcpcd 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 17:59:39 +00:00
Arne Fitzenreiter
6c84c53803 core137: add iproute2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 17:57:32 +00:00
Arne Fitzenreiter
6bc008fc8f core137: add iptables and collectd 
collectd is linked to libip4tc so we need to ship this also

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 17:53:36 +00:00
Arne Fitzenreiter
4e6c66b525 core137: add libnetfilter_queue 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 17:49:09 +00:00