Michael Tremer
80fbd89949
ipsec: Add block rules to avoid conntrack entries
...
If an IPsec VPN connection is not established, there are
rare cases when packets that are supposed to be sent through
said tunnel are incorrectly handled.
Those packets are sent to the default gateway and an entry
for this connection is created in the connection tracking
table (this usually only happens with UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register, among other things.
This patch adds firewall rules so that these packets are
rejected. That will send a notification to the client
that the tunnel is not up and avoid the connection
being added to the connection tracking table.
Apart from a small performance penalty there should
be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
2015-10-15 22:44:47 +01:00
Michael Tremer
dfe630f77c
Merge remote-tracking branch 'ms/experimental-vlan-hotplugging' into next
2015-09-28 14:33:49 +01:00
Matthias Fischer
7f263dc736
Fixed some typos in initscript
...
"Createing" => "Creating"...
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-09-19 18:50:54 +01:00
Douglas Duckworth
6ee104aeb7
snort: Remove trailing slash in pid path
...
Fixes: https://bugzilla.ipfire.org/show_bug.cgi?id=10924
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-09-14 23:19:50 +01:00
Michael Tremer
ea0033d962
SSH: Replace old RSA keys with a new set
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-08-20 23:26:49 +01:00
Michael Tremer
04da8aa70a
Do not create any DSA keys any more
...
DSA is considered weak cryptography
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-08-20 23:22:08 +01:00
Michael Tremer
2c4b9c5004
firewall: Fix amanda helper
...
This helper requires setting a layer 4 protocol.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-08-12 12:44:26 +01:00
Michael Tremer
e2c723627c
firewall: Fix H.323 helpers
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-08-12 12:18:18 +01:00
Michael Tremer
3db584817d
Remove old VLAN initscript
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-08-05 12:43:53 +01:00
Arne Fitzenreiter
7b9233935e
core90: fix missing filename in metafile.
2015-05-13 19:44:15 +02:00
Michael Tremer
c8f8bf328f
firewall: Add H.323 to the conntrack helpers
2015-05-12 13:33:27 +02:00
Michael Tremer
50354ffe3a
firewall: Add IRC to the conntrack helpers
2015-05-12 13:27:24 +02:00
Michael Tremer
a93bf69617
firewall: Add amanda to the conntrack helpers
2015-05-12 13:25:04 +02:00
Michael Tremer
d57c6162cb
firewall: Make conntrack helpers configurable
2015-05-12 13:16:40 +02:00
Michael Tremer
4071b2d61b
firewall: iptables will load the conntrack modules automatically
2015-05-11 13:04:14 +02:00
Michael Tremer
0f5350608e
firewall: Accept related ICMP packets again
...
This rule is required to forward ICMP error messages for
aborted TCP connections and the like.
2015-05-11 13:00:34 +02:00
Michael Tremer
a235f22952
firewall: Remove option to disable the SIP ALG
2015-04-22 18:13:56 +02:00
Michael Tremer
b1109b8af5
Enhance the security of the netfilter conntrack helpers
...
This is suggested here:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
and deprecated in the kernel (#10665).
2015-04-22 18:10:59 +02:00
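The practice the cited article recommends, and which the "Make conntrack helpers configurable", "Add amanda/IRC/H.323 to the conntrack helpers" and "Fix amanda helper" commits further up implement in IPFire, as an added shell example (not IPFire's own code): automatic helper assignment is switched off with the nf_conntrack_helper sysctl, and each helper is attached only to the flows it is meant for with a CT rule in the raw table. With automatic assignment the kernel would attach a helper to any connection on the helper's default port, letting whoever controls the other end feed the helper a payload that creates RELATED expectations and so opens the firewall. The settings file format, the CONNTRACK_HELPERS chain name and the port table are assumptions of the example (the ports are the helpers' default ports, the helper names those the kernel modules register); the commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: bind each conntrack helper to exactly the traffic it is
# meant for, instead of letting the kernel attach helpers to any connection
# whose destination port happens to match. Settings format, chain name and
# the port table below are assumptions, not IPFire's configuration.

# Constructed sample of a helper settings file: helper|enabled
HELPER_SETTINGS="$(cat <<'EOF'
ftp|on
sip|on
h323|on
irc|off
amanda|on
EOF
)"

# Print the commands; run with APPLY=1 to execute them instead.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Match and CT target per helper module. Every entry names a layer-4
# protocol: the helper must only ever see the flows it understands, and the
# amanda helper in particular is UDP-only (the point of the 2c4b9c5004 fix).
# H.323 is one module but two kernel helpers, RAS (UDP 1719) and Q.931 (TCP 1720).
helper_rules() {
  case "$1" in
    ftp)    echo "-p tcp --dport 21 -j CT --helper ftp" ;;
    sip)    echo "-p udp --dport 5060 -j CT --helper sip" ;;
    irc)    echo "-p tcp --dport 6667 -j CT --helper irc" ;;
    amanda) echo "-p udp --dport 10080 -j CT --helper amanda" ;;
    h323)   echo "-p udp --dport 1719 -j CT --helper RAS"
            echo "-p tcp --dport 1720 -j CT --helper Q.931" ;;
    *)      return 1 ;;
  esac
}

conntrack_helper_rules() {
  # No helper is attached to any connection unless a rule below says so.
  run sysctl -w net.netfilter.nf_conntrack_helper=0
  run iptables -t raw -F CONNTRACK_HELPERS
  printf '%s\n' "$HELPER_SETTINGS" | while IFS='|' read -r helper enabled; do
    [ "$enabled" = on ] || continue
    rules=$(helper_rules "$helper") || { echo "unknown helper: $helper" >&2; continue; }
    run modprobe "nf_conntrack_$helper"
    printf '%s\n' "$rules" | while read -r rule; do
      # $rule is intentionally unquoted so it splits into iptables arguments
      run iptables -t raw -A CONNTRACK_HELPERS $rule
    done
  done
}

# Called once when the firewall is initialised: the CT target only works in
# the raw table, before conntrack has seen the packet.
conntrack_helper_hooks() {
  run iptables -t raw -N CONNTRACK_HELPERS
  run iptables -t raw -A PREROUTING -j CONNTRACK_HELPERS
  run iptables -t raw -A OUTPUT -j CONNTRACK_HELPERS
}

conntrack_helper_rules
```

The sysctl is the part that actually closes the hole; the CT rules then re-enable each helper for the one port and protocol it was written for. The same rule set is what the earlier "iptables will load the conntrack modules automatically" commit relies on: with xt_CT in use, `--helper` pulls in the module on demand, so the explicit modprobe above is belt and braces.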
Arne Fitzenreiter
2e28ecea3e
functions.network: update dhcp client commandline.
...
This fixes a trailing space before the hostname.
2015-04-20 22:48:46 +02:00
Stefan Schantl
e6c4f090b6
Merge branch 'next-geoip' into core-90-geoip
2015-04-15 17:10:49 +02:00
Arne Fitzenreiter
040ec360f9
hostapd: remove MADWIFI from initscript
2015-04-11 22:23:31 +02:00
Arne Fitzenreiter
0fbba54e82
Merge branch 'master' into next
...
Conflicts:
lfs/monit
2015-04-11 21:58:09 +02:00
Alexander Marx
7ca64c9f0b
BUG10790: create dummy ovpnserver.log in /var/run
2015-04-09 14:43:12 +02:00
Arne Fitzenreiter
d2dabe5eba
dnsmasq: fix initscript
...
- add timestamp filename
- pull user config after defining default parameters
2015-04-09 14:36:45 +02:00
Stefan Schantl
2be0bc4410
nfs-server: Drop kernel version check from initscript.
...
As suggested on the bugtracker, the kernel version check has been
removed completely.
Fixes #10760.
2015-04-04 14:08:51 +02:00
Stefan Schantl
8f548dfe36
Merge branch 'nfs-server-fix' into next
2015-04-03 19:19:34 +02:00
Stefan Schantl
668ea5d311
nfs-server: Fix kernel version check in initscript.
...
nfsd requires a mounted nfsd filesystem, which was introduced in
the kernel 2.6 tree. To determine the currently running kernel, a check
was included in the initscript which worked fine until we switched to kernel
version 3.x.
This commit fixes this check, so the nfs-server will start up again.
Fixes #10760.
2015-04-03 18:59:12 +02:00
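As an added shell example (not the IPFire initscript) for the version check this commit fixes and that the 2be0bc4410 commit above then drops entirely: a kernel version has to be compared numerically, component by component, or a test written against the 2.6 series stops holding as soon as the major number alone changes. The second function shows the check that replaces a version test, asking the kernel directly whether it knows the nfsd filesystem; it takes the /proc/filesystems content as an argument so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: numeric version comparison for initscript checks, plus the
# capability check that makes the version test unnecessary. Not IPFire code.

# Returns 0 if version $1 is >= version $2. Both are dotted numeric strings;
# anything from the first '-' on (e.g. "-generic") is ignored. Missing
# components count as 0, so 2.6 and 2.6.0 compare equal.
version_ge() {
  a=${1%%-*}; b=${2%%-*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# The question the initscript wanted answered: is this a 2.6-or-later kernel
# that needs the nfsd filesystem mounted before nfsd starts?
kernel_needs_nfsd_mount() {
  version_ge "$(uname -r)" 2.6
}

# The more direct test: does the running kernel know filesystem $2 at all?
# $1 is the content of /proc/filesystems (passed in so it can be tested
# offline); lines look like "nodev<TAB>nfsd" or "<TAB>ext4".
kernel_knows_fs() {
  printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

if kernel_knows_fs "$(cat /proc/filesystems 2>/dev/null)" nfsd; then
  echo "nfsd filesystem available"
else
  echo "nfsd filesystem not available on this kernel"
fi
```

A plain string comparison ranks "10.0" below "9.9" and "3.14" in whatever order the collation happens to give; the loop above compares each component as an integer, which is why 3.x and later stay "at least 2.6". In an initscript the capability check is the one to keep: it is what the kernel will actually require, and it does not need updating when the version scheme changes.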
Arne Fitzenreiter
0d573e226f
dnsmasq: fix initscript
...
- add timestamp filename
- pull user config after defining default parameters
2015-03-31 10:09:46 +02:00
Michael Tremer
28fee67640
dnsmasq: Disable parsing leases when DNS Update is enabled
2015-03-16 01:11:29 +01:00
Stefan Schantl
e24668f99a
networking/red.up/99-geoip-database: Fix empty folder check.
2015-03-15 11:40:31 +01:00
Stefan Schantl
16bbdeb988
networking/red.up/99-geoip-database: Fix typo.
2015-03-15 11:39:55 +01:00
Stefan Schantl
93bfe63d55
Merge branch 'seventeen-geoip' into next-geoip
2015-03-15 11:38:45 +01:00
Michael Tremer
de7abd2cd5
dnsmasq: Enable DNSSEC timestamp feature
...
This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.
2015-03-12 12:59:24 +01:00
Michael Tremer
b8a97bd943
dnsmasq: Enable DNSSEC timestamp feature
...
This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.
2015-03-10 16:22:09 +01:00
Michael Tremer
600b99fb31
network: Configure device names from /var/ipfire/ethernet/settings
...
Instead of creating a copy of the configuration values and
for better extensibility, we will have udev execute a script
that parses /var/ipfire/ethernet/settings and will return the
correct name of the corresponding device (green0, blue0, ...).
2015-03-09 16:31:59 +01:00
Michael Tremer
0f0e30dced
haproxy: New package
2015-03-05 14:48:16 +01:00
Michael Tremer
3ed94afdc8
teamspeak: Remove package
...
This is an old version anyway and was just used to download the
pre-compiled data from the servers of the vendor.
2015-03-03 21:11:34 +01:00
Stefan Schantl
bc9446c65f
Merge branch 'master' of ssh://git.ipfire.org/pub/git/ipfire-2.x into seventeen-geoip
...
Conflicts:
make.sh
2015-02-14 12:34:31 +01:00
Michael Tremer
aa2e56a531
Merge branch 'master' into next
2015-02-11 14:58:10 +01:00
Arne Fitzenreiter
309b7de86e
swconfig: suppress error on non-dtb machines.
2015-02-11 08:07:49 +01:00
Michael Tremer
de0ccf8f8c
Merge branch 'master' into next
...
Conflicts:
make.sh
2015-02-04 13:24:05 +01:00
Arne Fitzenreiter
9c47987e25
hostapd: undo rename if dual interfaces are not supported.
2015-01-30 17:39:34 +01:00
Michael Tremer
06f451c0be
Merge remote-tracking branch 'glotzi/monit' into next
2015-01-28 23:10:47 +01:00
Michael Tremer
fe53fa8dac
Merge remote-tracking branch 'ummeegge/lynis' into next
...
Conflicts:
make.sh
2015-01-28 22:49:36 +01:00
Arne Fitzenreiter
ffeb717f2d
add swconfig for lamobo-r1 switch setup.
2015-01-27 20:21:17 +01:00
Arne Fitzenreiter
08215cb5d8
collectd: sync after cfg update and ramdisk backup.
2015-01-21 13:19:00 +01:00
Arne Fitzenreiter
893ef99ed4
collectd: fix: disable swap plugin if no swap exists.
2015-01-21 13:16:09 +01:00
Arne Fitzenreiter
d595016bfb
leds: add mirabox support.
2015-01-18 21:32:15 +01:00
Arne Fitzenreiter
d1b89a12f9
hostapd: create additional AP device if switch has failed.
2015-01-18 21:29:53 +01:00
Dirk Wagner
f0dd065425
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into monit
...
Conflicts:
config/etc/logrotate.conf
2015-01-06 15:51:29 +01:00