IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024
when initiating a connection. These are considered weak although
much off-the-shelf hardware still uses these as defaults.
This patch disables those algorithms and additionally changes
default behaviour to only accept the configured cipher suites.
This might create some interoperability issues, but increases
security of IPFire-to-IPFire IPsec connections.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Hi,
One missing '#' and all underlying 'services' in 'usr/share/logwatch/scripts/services'
are installed. 147 files are active, but it should be only 33.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Some hosters have their gateway in a different subnet than
the RED interface, to save IPv4 address space.
This patch sets a host route to that gateway so that
IPFire can be installed in data centres that use such
a technique.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Some hosters require that the subnet mask of the RED network
is set to 255.255.255.255. This was not possible to save before.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

When an on-demand VPN connection is not up, the packets will
traverse the firewall and be rejected by the IPSECBLOCK chain
which will cause an ICMP error message to be sent to
the client. If that does not happen and the packet is being
silently dropped, the client will retransmit and by then
the VPN connection will hopefully be up.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

The images are now a little bigger and will be scaled down
here, but the iframe box never grows bigger than the max.
size of the container.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

This reverts commit ff6cc71107.
With this patch, no new networks can be created and
an error message is shown saying that the created network is the GREEN
network, which is incorrect.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

The graphs are using an iframe and PNG images where the resolution
often did not fit and the browser had to resize the image. That
led to blurred fonts and hard-to-read graphs.
This patch increases the size of the box and the image. With that
higher resolution, resizing should not be too much of an issue, but
since the sizes of the iframe and image have been aligned, it should
not even be necessary.
Reported-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

IPFire 2 does not have IPv6 connectivity with the exception of a
few systems for testing where IPsec connections become a little
bit unstable when trying to connect over IPv6.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

We need the directory /etc/rc.d/init.d earlier in the build process
because the initscripts are copied in the lfs files like in lfs/mysql.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

It is not necessary to copy the init scripts and remove the symlinks for
runlevel interaction.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>