Arne Fitzenreiter
c6277d3b10
perl: remove unused patches
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-16 21:33:52 +02:00
Arne Fitzenreiter
fa8b3ea7d3
installer: fix grub.conf root uuid entry
grub-mkconfig has written the device name instead of the UUID
because the /dev/disk-by-uuid node of the new filesystem was missing.
Run "udevadm trigger" to create these nodes before installing grub.
Fixes: #12116
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-13 15:21:02 +02:00
Arne Fitzenreiter
559e94bafb
initskripts: smt: hide error on CPUs that do not support SMT at all
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-09 08:14:29 +02:00
Arne Fitzenreiter
99f2c69511
partresize: check for apu only if dmi is present
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-09 08:02:19 +02:00
Arne Fitzenreiter
10dd2afd6d
sysctl: add separate sysctl-x86_64.conf and move x86_64 only parameters
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-08 09:30:49 +02:00
Arne Fitzenreiter
dc362263f4
setup: add ignore to all no nic assigned errors
2019-08-06 10:51:45 +00:00
Arne Fitzenreiter
6836e528e5
u-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC
This is a heavily patched version and should be replaced when stock
u-boot is able to boot from H3 eMMC.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-06 04:32:22 +00:00
Arne Fitzenreiter
ca75ec5278
led initskript: add nanopi-r1
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-01 07:18:20 +00:00
Arne Fitzenreiter
fa5e921ccb
partresize: add copy of broadcom firmware settings for nanopi-r1
I added this to partresize, like the APU scon enable, because this
is the only script that runs on the flash image at first boot only and
remounts root writeable.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-01 07:09:34 +00:00
Arne Fitzenreiter
de8810fbaa
iperf3: update to 3.7
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-07-17 13:15:33 +02:00
Arne Fitzenreiter
3ec3329dff
unbound: rework dns-forwarder handling
Add a check whether the red interface has an IPv4 address before testing the servers at
red up, and simply remove the forwarders in the down process.
This also fixes the hang at dhcpd shutdown.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-07-16 19:20:48 +02:00
Arne Fitzenreiter
4cd82be05f
unbound: check if red/iface exists before reading it
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-07-04 20:42:47 +02:00
Michael Tremer
abccd997c0
azure: Do not drop last byte of MAC addresses
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Michael Tremer
bc5037150a
Enable serial console on all Azure instances
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Michael Tremer
8bd0c4b17d
cloud-init: Move detection functions into initscript function library
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Michael Tremer
acf47bfa80
cloud-init: Import experimental configuration script for Azure
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Michael Tremer
b9021f9277
cloud-init: Execute setup script for Azure if needed
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Michael Tremer
d035f60c9f
cloud-init: Add function to detect if we are running on Azure
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Michael Tremer
ffb37e51d4
Rename AWS initscript to cloud-init
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-07-01 07:53:58 +01:00
Arne Fitzenreiter
4b75e9c92e
unbound: use nic carrier instead of /var/ipfire/red/active
This speeds up boot with static settings and no link, and with
DHCP on Intel NICs if the MTU is changed by the DHCP lease,
because the NIC loses the carrier and restarts the DHCP action
when the MTU is set.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-06-29 11:36:49 +02:00
Alexander Marx
1722701a9a
BUG12015: Redirecting to Captive portal does not work after IPFire restart
When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added a call to captivectrl in the initscript 'firewall'.
Fixes: #12015
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-21 01:39:18 +01:00
Arne Fitzenreiter
1a129822af
linux-pae: fix grub.conf creation on pv machines
On some systems it seems that grub2 and its config also exist.
2019-06-18 14:36:02 +02:00
Peter Müller
69772b7dda
OpenSSL: lower priority for CBC ciphers in default cipherlist
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.
TLS 1.3 ciphers will be added implicitly and can be omitted in the
cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-12 17:24:00 +01:00
Michael Tremer
e263c29c92
unbound: Make some zones type-transparent
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-12 17:14:28 +01:00
Michael Tremer
91056adea5
unbound: Add yandex.com to safe search feature
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-12 17:11:32 +01:00
Michael Tremer
043e7aa50f
unbound: safe search: Resolve hosts at startup
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-13 11:12:07 +01:00
Peter Müller
fa7de475fe
Tor: fix permissions after updating, too
Fixes #12088
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-12 05:45:42 +01:00
Michael Tremer
894eaf5184
smt: Only disable SMT when the kernel thinks it is vulnerable
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-11 17:07:23 +00:00
Matthias Fischer
3f7cec61c9
hostapd: Update to 2.8
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-10 09:45:54 +01:00
Stefan Schantl
72ab71969f
update-ids-ruleset: Run as unprivileged user.
Check if the script has been launched as a privileged user (root) and drop all
permissions by switching to the "nobody" user and group.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-05 12:33:58 +01:00
Michael Tremer
0bb25a4f61
SMT: Disable when system is vulnerable to L1TF (Foreshadow)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-04 23:55:17 +01:00
sfeddersen
2a1c173589
BUG 11487: solve problem with unexpected shutdown
Solve problem with unexpected shutdown when checking a single client.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-06-04 23:31:07 +01:00
Michael Tremer
b0ec4158f3
miau: Drop package
This has not been maintained since 2010.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-29 15:24:29 +01:00
Michael Tremer
29fc1c8c3a
ddns: Update to 011
Adds support for two new providers and includes some general bug
fixes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-27 16:25:01 +01:00
Michael Tremer
333125abf8
Merge branch 'toolchain' into next
2019-05-24 06:55:03 +01:00
Michael Tremer
9f0295a512
Merge remote-tracking branch 'ms/faster-build' into next
2019-05-24 06:54:16 +01:00
Matthias Fischer
d2b5f03631
squid: Update to 4.7
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
Fixes, among other things, the old 'filedescriptors' problem, so this patch was deleted.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-24 06:37:50 +01:00
Michael Tremer
f617fd912b
unbound: Safe Search: Enable Restrict-Moderate for YouTube
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-22 15:29:32 +01:00
Michael Tremer
6a83dbb451
SMT: Apply settings according to configuration
SMT can be forced on.
By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled.
Systems that are not vulnerable to that will keep SMT enabled.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-20 21:30:26 +01:00
Stefan Schantl
84227f7a1c
update-ids-ruleset: Release ids_page_lock when the downloader fails.
Fixes #12085.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-20 19:09:47 +01:00
Michael Tremer
715a269aa4
tshark: Drop special package scripts
We are not doing anything different from the default here,
so we do not need an extra copy of them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-20 10:48:25 +01:00
Erik Kapfer
ffcef39d40
tshark: New addon
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-20 10:44:04 +01:00
Stefan Schantl
a8387f8d6e
suricata: Limit to a maximum of "16" netfilter queues.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-05-20 07:09:25 +02:00
Michael Tremer
0aa21ad307
Fix version information in backupiso script
Fixes: #12083
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-17 19:52:27 +01:00
Michael Tremer
661ab15389
unbound: Add Safe Search
This is a feature that will filter adult content from search
engines' results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines,
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.
However, there is no better solution available for this, and this
is an optional feature, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2019-05-11 04:19:37 +01:00
Michael Tremer
9d959ac151
igmpproxy: Update to 0.2.1
This updates the package to its latest upstream version and should
be able to support IGMPv3.
Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-11 02:20:15 +01:00
Michael Tremer
3966b1e58f
iptables: Fix build without kernel source
The layer7 filter header files were not installed into /usr/include
and therefore we needed to keep the whole kernel source tree.
This is just a waste of space and this patch fixes this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-10 04:55:49 +01:00
Alexander Koch
8c072c5c43
Pakfire: Add Core-Version to "status"
Add the IPFire-Core-Version to the status message.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-10 04:25:45 +01:00
Peter Müller
e05b7894d2
hwdata: update PCI/USB databases
PCI IDs: 2019-05-03 03:15:03
USB IDs: 2019-05-08 20:34:05
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-10 04:19:25 +01:00
Alexander Koch
090af02e07
Pakfire: Add new command line argument "status"
This enables Pakfire to return a status summary for the current Core-Update-Level, the time since the last update, the availability of a core/package update and whether a reboot is required to complete an update. This can be used by monitoring agents (e.g. zabbix_agentd) to monitor the update status of the IPFire device.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-05-07 23:51:20 +01:00