webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-14 04:52:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
12,456 Commits 2 Branches 1 Tag
b59cdbeea5eb2a83ac5c0be51541c471bd1cd809
Commit Graph

117 Commits

Author SHA1 Message Date
Peter Müller
d5fe332283 do not expose kernel address spaces even to privileged users 
Change this setting from 1 to 2 so kernel addresses are not
displayed even if a user has CAPS_SYSLOG privileges.

See also:
- https://lwn.net/Articles/420403/
- https://tails.boum.org/contribute/design/kernel_hardening/

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-09-09 17:47:08 +01:00
Peter Müller
373590b7c3 hide kernel addresses in /proc 
Make sure kernel address space is hidden from files somewhere
in /proc . This reduces attack surface and partially addresses #11659.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-07-03 10:32:56 +01:00
Michael Tremer
a1c5ceeb34 nsswitch.conf: Use nss-myhostname to resolve local hostname 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-06-30 19:56:56 +01:00
Arne Fitzenreiter
302dba205b Merge remote-tracking branch 'origin/master' into kernel-4.14 2018-03-30 10:26:01 +02:00
Arne Fitzenreiter
ea9d53c822 inittab: change tty1 to console 
this reduce the differences between tty and scon installations
and make it easier to switch between.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-03-24 13:26:32 +01:00
Michael Tremer
1c0cfaa594 Disable Path MTU discovery 
This seems to be a failed concept and causes issues with transferring
large packets through an IPsec tunnel connection.

This configures the kernel to still respond to PMTU ICMP discovery
messages, but will not try this on its own.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-26 15:37:49 +00:00
Michael Tremer
2d5940daca Drop MySQL 
This is outdated and still on 5.0.x and nobody volunteered to
update this package.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-12 12:05:46 +00:00
Michael Tremer
56720befc7 Drop vsftpd which isn't actively maintained any more 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-11-28 17:30:08 +00:00
Arne Fitzenreiter
874eabd6f5 serial-console: remove baudrate from inittab 
new versions of agetty missinterpretes the baudrate and set it as TERM
without the parameter agetty use the previous rate that was set by the
kernel via console=XXX,Baudrate parameter.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2017-08-15 20:08:22 +02:00
Jonatan Schlag
0f1cda211c Disable netfilter on all bridges per default 
Fixes: #11301

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-03-11 10:08:16 +00:00
Michael Tremer
5056b4f104 Drop mldonkey files 
The packages has been dropped years ago. However, some
files remained in the source tree.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-01-16 16:53:35 +00:00
Michael Tremer
adb11e90df Always enable asynchronous logging 
This patch always enables asynchronous logging which slows
down the system a lot on slow storage and some virtual environments.

It also removes the configuration options in the web
user interface, since this is not configurable any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2016-11-29 12:18:41 +00:00
Michael Tremer
61b4250af5 Drop dnsmasq 
This will be replaced by unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2016-08-06 19:25:48 +01:00
Michael Tremer
8a1a3bf393 Merge remote-tracking branch 'ms/iptables-conntrack' into next 2016-01-22 00:54:14 +00:00
Lars Schuhmacher
18f4c007f1 fix typo in ipsec.user.secrets 
Fixes a little typo

Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-08-25 22:06:30 +01:00
Michael Tremer
b1109b8af5 Enhance the security of the netfilter conntrack helpers 
This is suggested here
  https://home.regit.org/netfilter-en/secure-use-of-helpers/
and deprecated in the kernel (#10665).
 2015-04-22 18:10:59 +02:00
Arne Fitzenreiter
a762fcd037 modprobe.d: blacklist btmrvl_sdio. 2015-01-20 09:14:23 +01:00
Michael Tremer
da840da867 Remove template of /etc/fstab 2014-08-24 16:09:54 +02:00
Michael Tremer
aa7f55b2df Merge remote-tracking branch 'origin/next' into install-raid 2014-08-20 21:46:49 +02:00
Michael Tremer
2deb75c0f3 Merge remote-tracking branch 'ms/squid-ad' into next 2014-07-27 12:01:50 +02:00
Michael Tremer
2c4536c75b fstab: Make auto attribute for filesystem type. 2014-07-22 00:34:42 +02:00
Dirk Wagner
23b8101718 logrotate: include logrotate.d by default. 2014-07-09 20:55:21 +02:00
Michael Tremer
603248db53 squid: Add NTLM authentication against Windows Active Directory servers. 2014-06-10 20:15:58 +02:00
Michael Tremer
1efa8995eb Add user nobody to group dialout. 
Those permissions are required for modem-status.cgi to
communicate with serial modems.
 2014-06-03 15:32:00 +02:00
Michael Tremer
d2d7a46b1e stunnel: New package. 2014-04-25 12:42:52 +02:00
Michael Tremer
32c6ebdced firewall: Make ICMP ratelimiting a bit saner again. 2014-03-05 12:31:36 +01:00
Michael Tremer
fa8229546b firewall: Extend rate limiting for ICMP error messages. 
Fixes #10489.
 2014-03-04 14:14:54 +01:00
Michael Tremer
1108a15cc6 Move enabling nf_conntrack_acct where it should be. 2014-02-14 12:52:28 +01:00
Arne Fitzenreiter
dd62fd25cd fifteen: remove /var/run from fstab. 2014-01-12 23:22:39 +01:00
Arne Fitzenreiter
ba109afd0d kmod: replace module-init-tools by kmod-13. 
newer udev depend on kmod.
 2013-11-18 19:00:51 +01:00
Arne Fitzenreiter
1ee33ddadf util-linux: update to 2.24. 
this is needed for newer udev versions but need some initskript
changes. The updater and arm rootfile is not finished yet.
 2013-11-17 18:51:04 +01:00
Michael Tremer
a19f33961c update accelerator: Don't change owner of ALL files in cache. 
When a file has been downloaded, all files in the update accelerator
cache directory have been chowned which causes huge IO load.
It is only required to set permissions that members of the group
can delete the files (purge function on the web user interface).

Changing the owner is completely unnecessary as only the squid
user needs write access and the web server is able to deliver
any file in the update cache anyways.
 2013-01-26 19:31:58 +01:00
Arne Fitzenreiter
07c9b89f86 modprobe.d condig: remove REGDOMAIN setting comment. 
If the regdomain was set here it cannot changed later with iw reg set.
 2012-12-29 16:34:31 +01:00
Michael Tremer
a30c7aa3be Compile-in IPv6 kernel module and disable all IPv6. 
It comes much more handy to compile in the IPv6 kernel module
(because it is loading almost everywhere) and disable the IPv6
functionality when the system starts up.

Therefore, IPv6 is not accidentially enabled at any time unless
someone wants to use it and disables the systcl options.
 2012-11-24 14:52:32 +01:00
Arne Fitzenreiter
fa5b71bf28 Revert "sysctl: activate conntrack accounting." 
This reverts commit 94ca39b479.
Cannot set this because nf_conntrack is not loaded yet.
 2012-11-17 20:04:53 +01:00
Arne Fitzenreiter
94ca39b479 sysctl: activate conntrack accounting. 2012-11-17 15:39:54 +01:00
Michael Tremer
3f35005766 bash startfiles: Add /sbin. 2012-11-15 13:49:51 +01:00
Michael Tremer
7a6448326f bash: Fix startfiles. 
Sanitize PATH variable and fix wrong path to hostname command.
 2012-11-13 22:27:49 +01:00
Michael Tremer
b21b0df6a6 Import bash startfiles from IPFire 3.x. 2012-11-11 23:28:52 +01:00
Michael Tremer
c611233b40 Remove mc alias (which disabled UTF-8). 2012-11-11 18:52:07 +01:00
Arne Fitzenreiter
d1605d0810 sysctl.conf: reserve 8MB free memory. 
Some driver like SMSC9500 need some free memory for network packet
recieve and produce kernel faults if this memory cant allocated fast
enough.
 2012-06-26 15:19:36 +02:00
Arne Fitzenreiter
397e40a33e securetty: add ttyO2 (serial console of pandaboard). 2012-03-14 16:51:11 +01:00
Arne Fitzenreiter
12522ba725 securetty: add ttyAMA0 for versatile serial console. 2011-10-18 15:56:20 +02:00
Arne Fitzenreiter
5537d89ab8 Revert "inittab: change serial device from ttyS0 to console." 
console doesnt react to CTRL+C.

This reverts commit 34d3bfb462.
 2011-10-16 18:41:42 +02:00
Arne Fitzenreiter
34d3bfb462 inittab: change serial device from ttyS0 to console. 2011-10-16 12:58:42 +02:00
Michael Tremer
7b321c2cbe Merge remote branch 'origin/next' into arm-port 
Conflicts:
	config/rootfiles/common/i586/gcc
	lfs/binutils
	lfs/cleanup-toolchain
	lfs/coreutils
	lfs/gcc
	lfs/glibc
	lfs/groff
	src/pakfire/pakfire.conf
	src/patches/gcc-4.1.2-specs-1.patch
 2011-09-18 02:58:34 +02:00
Michael Tremer
8cf5265a9a serial console: Change default baud rate to 115200. 2011-09-17 19:57:01 +02:00
Arne Fitzenreiter
7c5334e5a5 cfg80211: removed default regdomain (EU is not supported anymore). 2011-08-24 20:58:17 +02:00
Michael Tremer
22ad105d58 Remove old settings from sysctl.conf. 
This commits removes some settings from /etc/sysctl.conf that have
been there forever with no particular reason.
They could improve performance on internet connections, especially
on lines with massive packet lost.
 2011-07-29 00:08:47 +02:00
Michael Tremer
ed37f707f9 Remove old settings from sysctl.conf. 
This commits removes some settings from /etc/sysctl.conf that have
been there forever with no particular reason.
They could improve performance on internet connections, especially
on lines with massive packet lost.
 2011-06-25 22:02:08 +02:00