webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-22 00:42:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,881 Commits 2 Branches 1 Tag
afe23fbb52ff8a27b34df2bb21c6c39b5ceec817
Commit Graph

5418 Commits

Author SHA1 Message Date
Michael Tremer
951a9f9ba0 linux+iptables: Drop support for IMQ 
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:08 +00:00
Arne Fitzenreiter
3670ac5622 core137: remove QoS stop at update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-20 20:29:50 +00:00
Arne Fitzenreiter
39c4ed4427 Revert "core137: Remove imq0 and unload imq module after QoS has been stopped" 
This reverts commit f48920d84f.
 2019-10-20 20:28:10 +00:00
Arne Fitzenreiter
c27fdd8697 Revert "linux+iptables: Drop support for IMQ" 
This reverts commit 59b9a6bd22.
 2019-10-20 20:20:26 +00:00
Arne Fitzenreiter
6e414ea1e0 core137: don't start QoS 
QoS need to load kernel modules but the currect kernel
was removed so it cannot correct start without a reboot.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-20 09:51:04 +00:00
Daniel Weismüller
f48920d84f core137: Remove imq0 and unload imq module after QoS has been stopped 
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 21:09:04 +00:00
Arne Fitzenreiter
cafef39aa2 Revert "suricata: Enable rust support" 
This reverts commit 5b87687cb1.
 2019-10-18 20:39:47 +02:00
Arne Fitzenreiter
42c2acc218 core137: add path of qosctrl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:19:59 +02:00
Arne Fitzenreiter
0df4cf7105 core137: erase lm_sensors config after collectd start 
this is needed to research the sensors with updated kernel
after next reboot.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:18:24 +02:00
Arne Fitzenreiter
be967dc920 Revert "firewall: always allow outgoing DNS traffic to root servers" 
This reverts commit 70cd5c42f0.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-18 16:13:49 +02:00
Arne Fitzenreiter
eb000cd787 Revert "update rootfiles for bash and readline" 
This reverts commit f41d936026.
 2019-10-15 07:37:23 +00:00
Arne Fitzenreiter
aee52e38d0 Revert "ship updated bash and readline" 
there are missing files libs/bash/* in the rootfiles and there
are addons linked against readline-6.3 so we still need this
as readline-compat

This reverts commit 5c0345f5c1.
 2019-10-15 07:31:56 +00:00
Arne Fitzenreiter
0fb42e01c5 core137: add qos changes to updater 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 18:09:39 +00:00
Michael Tremer
59b9a6bd22 linux+iptables: Drop support for IMQ 
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 18:02:55 +00:00
Arne Fitzenreiter
ec5b30f39b core137: add updated sysctl.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:57:58 +00:00
Arne Fitzenreiter
d3ef457692 core137: add updated 99-geoip-database 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:49:32 +00:00
Arne Fitzenreiter
bb64cd092c core137: add updated xt_geoip_update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:46:27 +00:00
Arne Fitzenreiter
efa43d82b5 core137: add dns.cgi to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:42:35 +00:00
Arne Fitzenreiter
6f828b103e core137: add updated ruleset-sources 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:36:36 +00:00
Arne Fitzenreiter
ff42e56224 core137: add updated backup.pl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:30:37 +00:00
Arne Fitzenreiter
57ff953341 core137: add ipset to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:22:44 +00:00
peter.mueller@ipfire.org
5c0345f5c1 ship updated bash and readline 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:12:53 +00:00
peter.mueller@ipfire.org
f41d936026 update rootfiles for bash and readline 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-14 17:12:06 +00:00
Arne Fitzenreiter
fcb0e92dec core137: restart updated services 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-12 15:56:40 +00:00
Arne Fitzenreiter
2fabddb44d rust: update armv5tel rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 20:23:05 +02:00
Arne Fitzenreiter
194c7b16e4 rust: add i586 and aarch64 rootfile 
todo: armv5tel is still missing...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 18:11:32 +02:00
Arne Fitzenreiter
f947ce9af1 sane: add special aarch64 rootfile 
libsane-qcam is not available for aarch64 so we need an extra rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 18:10:23 +02:00
Arne Fitzenreiter
c67519ac7c sane: rootfile update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 18:06:54 +02:00
Arne Fitzenreiter
3791a79239 tshark: rootfile update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 18:05:50 +02:00
Arne Fitzenreiter
e29eb3a6c1 speedtest-cli: add rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-09 18:04:30 +02:00
Stefan Schantl
5b87687cb1 suricata: Enable rust support 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:08:37 +00:00
Stefan Schantl
59fe973584 rust: New package. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:08:23 +00:00
Erik Kapfer
692d6e012b nmap: Update to version 7.80 
Several improvements, NSE scripts and libraries has been added.
The complete changelog can be found in here --> https://seclists.org/nmap-announce/2019/0 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:06:34 +00:00
Arne Fitzenreiter
2513c3bba9 core137: ship libpcap 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:05:50 +00:00
Matthias Fischer
64243e995b libpcap: Update to 1.9.1 
For details see:
https://www.tcpdump.org/libpcap-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:04:36 +00:00
Arne Fitzenreiter
a647499b10 core137: ship unbound 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:03:50 +00:00
Matthias Fischer
146c8a58ab unbound: Update to 1.9.4 
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html

"This release is a fix for vulnerability CVE-2019-16866 that causes a
failure when a specially crafted query is received."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:01:41 +00:00
Matthias Fischer
a92ede2487 clamav: Update to 0.102.0 
For details see:
https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 19:01:02 +00:00
Erik Kapfer
1da6583980 tshark: Update to version 3.0.5 
The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support.
The complete release notes can be found in here --> https://www.wireshark.org/docs/relnotes/ .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:57:43 +00:00
Arne Fitzenreiter
5fe5334daa core137: ship strongwan and vpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:56:47 +00:00
Stephan Feddersen
b64b3c110e WIO: Add french translation file 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:52:05 +00:00
Arne Fitzenreiter
f1e1e9072d core137: ship updated unbound initskript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:50:04 +00:00
peter.mueller@ipfire.org
70cd5c42f0 firewall: always allow outgoing DNS traffic to root servers 
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:48:40 +00:00
Michael Tremer
1ad45a5a09 sane: Update to 1.0.28 
This patch updates the package and removes the sanedloop script
which was needed to launch saned, but that program can now run
in standalone mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:39:47 +00:00
Arne Fitzenreiter
c132fed64d core137: ship suricata 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:38:52 +00:00
Matthias Fischer
80d5bb76dd iproute2: Update to 5.3.0 
For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.3.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:37:03 +00:00
Arne Fitzenreiter
563ac9b13e core137: ship knot 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:36:24 +00:00
peter.mueller@ipfire.org
a85a7a60fc firewall: raise log rate limit for user generated rules, too 
Having raised the overall log rate limit to 10 packet per second
in Core Update 136, this did not affected rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:30:31 +00:00
Arne Fitzenreiter
e60dde5f53 core137: ship Net_SSLeay 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:26:22 +00:00
Erik Kapfer
24f9c830eb Net-SSLeay: Update to version 1.88 
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-08 18:24:32 +00:00