This is a more general name for a script that will be extended
soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This command allows enabling the automatic update
of the IDS ruleset in use and specifying the update interval.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This command is used to set the ownership and permissions
back to nobody:nobody, which is used by the WUI to write the
ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When the firewall policy is blocked, no outgoing IPsec connections
can be established. That is slightly counter-intuitive since we
open ports in the incoming direction automatically.
Fixes: #11704
Reported-by: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Make syslogctrl.c use TCP as the remote logging file if so specified.
Thanks to Michael for reviewing this.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When the expiry time equals zero, the lease will have
no time constraints. The IP address will also be removed
as it will probably change.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This wrapper reads the captive settings and clients and sets the
firewall access rules. It is called every time the config changes or
every time a client changes. This wrapper is also called once
hourly to flush the chains and rebuild the rules for the actual clients.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
For details see:
https://bugzilla.ipfire.org/show_bug.cgi?id=11318
Temporary files for 'iptables', 'iptablesmangle' and 'iptablesnat' created by
'iptables.cgi' were not deleted after use but stayed in '/srv/web/ipfire/html/'.
As a workaround I changed 'getipstat.c' to create these files in '/var/tmp' and the
"open (file..." and "rm" commands in 'iptables.cgi'.
Works here.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch always enables asynchronous logging which slows
down the system a lot on slow storage and some virtual environments.
It also removes the configuration options in the web
user interface, since this is not configurable any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Packets destined for the firewall coming in from the blue
device were accepted too early to be processed by the
firewall input chain rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If an IPsec VPN connection is not established, there are
rare cases when packets are supposed to be sent through
said tunnel and are incorrectly handled.
Those packets are sent to the default gateway and an entry
for this connection is created in the connection tracking
table (this usually only happens with UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register, among other things.
This patch adds firewall rules so that these packets are
rejected. That will send a notification to the client
that the tunnel is not up and avoid the connection being
added to the connection tracking table.
Apart from a small performance penalty there should
be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
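The mechanism described in the commit message above, as an added illustration that is not IPFire's own code: traffic addressed to a remote IPsec subnet is rejected whenever no outbound IPsec policy applies to it, so the kernel answers the client with an ICMP error instead of forwarding the packet to the default gateway and creating a stale conntrack entry. The chain name IPSECBLOCK, the function names and the sample subnets are assumptions for this example; the real firewall script reads the remote subnets from the VPN configuration and the rules must sit in the FORWARD path before any ACCEPT for the default route.

```shell
#!/bin/sh
# Added example, not code from the IPFire project.
# Emits iptables commands that reject packets bound for remote IPsec
# networks while no IPsec policy covers them (i.e. the tunnel is down).
# Assumptions: a chain named IPSECBLOCK exists and is hooked into FORWARD
# ahead of the default-route ACCEPT rules; subnets are passed as arguments.

# Print one rule per remote subnet. "-m policy --dir out --pol none"
# matches packets that would leave without an IPsec transformation.
# REJECT (rather than DROP) makes the client get an ICMP error at once,
# and the rejected packet never enters the conntrack table.
ipsec_reject_rules() {
    chain="$1"
    shift
    for subnet in "$@"; do
        case "$subnet" in
            */*) ;;
            *) echo "skipping '$subnet': expected a CIDR prefix" >&2; continue ;;
        esac
        printf 'iptables -A %s -d %s -m policy --dir out --pol none -j REJECT\n' \
            "$chain" "$subnet"
    done
}

# Flush the chain and apply the freshly generated rules. Re-run this
# whenever the set of VPN connections changes; the policy match itself
# reacts to the tunnel coming up, so no rule change is needed for that.
ipsec_block_apply() {
    chain="$1"
    shift
    iptables -F "$chain" || return 1
    ipsec_reject_rules "$chain" "$@" | sh -e
}

# Stand-alone usage: print the rules for two constructed remote subnets.
if [ "${1:-}" = "--print" ]; then
    shift
    ipsec_reject_rules IPSECBLOCK "$@"
fi
```

Running `sh ipsec_block.sh --print 10.1.0.0/16 192.168.5.0/24` prints the two rules without touching the firewall; `ipsec_block_apply IPSECBLOCK 10.1.0.0/16 192.168.5.0/24` installs them and needs root. Because the match is on the absence of an IPsec policy, the same rules stop matching as soon as the tunnel is established, which is what lets the SIP registration described above succeed after the tunnel comes up.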
The hosts file was not regenerated when RED was not connected
which should not be happening.
This patch checks if the file exists. If not, the gateway
line will not be written to /etc/hosts.