webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-26 19:00:34 +02:00
Code Issues Packages Projects Releases Wiki Activity
17,123 Commits 2 Branches 1 Tag
c825fcef40f63c8ce39a50b7285dbca98e2db60b
Commit Graph

1283 Commits

Author SHA1 Message Date
Michael Tremer
56947acb12 Merge remote-tracking branch 'ms/dns-forwarding' into next 2019-03-11 15:57:15 +00:00
Michael Tremer
7996c5fee9 zabbix_agent: Create /var/run/zabbix in initscript 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-08 10:04:28 +00:00
Alexander Koch
06fc6170a2 zabbix_agentd: New addon 
New addon for monitoring IPFire by Zabbix Monitoring (https://www.zabbix.com/features).
See https://forum.ipfire.org/viewtopic.php?f=52&t=22039 and https://lists.ipfire.org/pipermail/development/2019-February/005324.html for further details.

Best regards,
Alex

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-08 09:55:18 +00:00
Michael Tremer
1ececb67a1 unbound: Mark domains as insecure from DNS forwarding 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-05 16:58:29 +00:00
Michael Tremer
5d04cfe7d5 suricata: Use highest bit to mark packets 
We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.

Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.

Then, no other application has to worry about suricata.

Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:48 +01:00
Michael Tremer
50d1bbf0f5 Merge branch 'ipsec' into next 2019-02-25 00:48:08 +00:00
Arne Fitzenreiter
710153a89c partresize: add "apu1" for apus with new bios. 2019-02-22 18:01:18 +01:00
Arne Fitzenreiter
8f49959d70 partresize: enable serial console on PC Engines APU 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-19 15:26:41 +01:00
Stefan Schantl
20b4c4d863 suricata: Swith to "16" as repeat-mark and repeat-mask. 
Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.

See commit: f5ad510e3c

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-18 10:02:29 +01:00
Michael Tremer
9bc1760052 unbound: Drop certificates for local control connection 
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound being unusable.

There is no strong reason to use self-signed certificates for extra
security here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-17 13:46:51 +00:00
Stefan Schantl
77c07352a5 Suricata: Start service on red.up event if requested 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-15 13:26:55 +01:00
Stefan Schantl
c1c754a121 Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata 2019-02-08 09:59:31 +01:00
Peter Müller
e01e07ec8b apply default firewall policy for ORANGE, too 
If firewall default policy is set to DROP, this setting was not
applied to outgoing ORANGE traffic as well, which was misleading.

Fixes #11973

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-07 15:15:32 +00:00
Stefan Schantl
8117fff863 IDS: Call helper script when red interface gets up 
The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.

Fixes #11989

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-06 15:40:19 +01:00
Stefan Schantl
af0065691c suricata: Do not display messages when starting up 
Fixes #11979.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-05 13:57:40 +01:00
Michael Tremer
38f6bdb740 ipsec: Drop delayed restart setting 
This is a very bad race-condition situation and is not solved by
an unintuitive setting.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-04 18:20:36 +00:00
Michael Tremer
68e69b676f network: Create IPsec interfaces when network is brought up 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-04 18:20:36 +00:00
Michael Tremer
6c920b19cd IPsec: Rename ipsec-block script to ipsec-policy 
This is a more general name for a script that will be extended
soon to do more than just add blocking rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-04 18:20:36 +00:00
Stefan Schantl
c9b07d6a0c initscripts/suricata: Generate firewall rules on start and reload 
Fixes #11978

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-01-30 13:47:07 +01:00
Michael Tremer
17c2c09bcc suricata: Scan outgoing traffic, too 
Connections from the firewall and through the proxy must be filtered, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-01-29 14:08:51 +01:00
Stefan Schantl
c1a3401235 Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata 2019-01-21 13:04:13 +01:00
Michael Tremer
f0092a6e3e keepalived: Move change of conntrack sysctl option into package 
The setting cannot be set on the default system because the ip_vs
module is not loaded by default and there is no reason to load it
just because we would be able to set the setting.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-13 12:50:26 +01:00
Michael Tremer
7d5caee6bd Add initscript for conntrackd 
The daemon will be started by default when a configuration
file exists.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-06 08:59:25 +00:00
Stefan Schantl
7b6f8596ed Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata 2018-12-28 07:36:59 +01:00
Michael Tremer
e978f0429f keepalived: Fix incorrect path in initscript 
This path to keepalived was just incorrect and therefore
the daemon could not easily be reloaded.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-19 23:38:48 +00:00
Michael Tremer
f33d28978d unbound: Use correct parameter for IP addresses and hostnames 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-19 21:00:21 +01:00
Michael Tremer
c9ae511ecf unbound: Allow forwarding to multiple servers at the same time 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-19 20:23:59 +01:00
Stefan Schantl
f5ad510e3c suricata: Use "2" as repeat-mark and repeat-mask. 
The previous used "1" was already used to mark source-natted
packets.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2018-12-17 15:04:48 +01:00
Michael Tremer
81e1e80e38 AWS: Prefer red* or eth* when importing configuration 
This change is necessary to make sure that the script prefers
are link with internet access. That would usually be red (after
the second boot) or eth* (on the first boot).

That allows (and ensures) that we can install packages in
the user-data script.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-12 11:36:44 +00:00
Stefan Schantl
a13ddf04d9 Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2018-12-12 09:27:59 +01:00
Arne Fitzenreiter
23a3aec100 cpufrequtils: update initskript for xz compressed modules 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-12-07 21:05:50 +01:00
Arne Fitzenreiter
56726ed954 rngd: update initskript and add hwrngtty support 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-12-06 22:33:05 +01:00
Michael Tremer
93363446e4 AWS: Add a timestamp to user-data.log 
This way, multiple (failed) runs of the script won't
overwrite the log file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-05 14:42:54 +00:00
Michael Tremer
1022b203ad AWS: Write user-data.log to /var/log 
This should not be in /root at all.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-05 14:38:28 +00:00
Michael Tremer
a4e3a76af9 bird: Add initscript 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-01 16:13:25 +00:00
Michael Tremer
6dc7b04bea shairport-sync: Add initscript 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-11-11 18:55:35 +00:00
Michael Tremer
95c60d31aa udev: Do not try to change kernel hotplug handler any more 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-11-07 20:27:35 +00:00
Michael Tremer
e300a3d138 udev: Do no try to install any device nodes any more 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-11-07 20:26:34 +00:00
Michael Tremer
c19d29f701 Revert "haproxy: Make /dev/log available in chroot" 
This reverts commit 699f0aa710.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-11-07 20:07:53 +00:00
Michael Tremer
9f60aa9679 syslog: Listen to network and block access from anywhere but localhost 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-11-07 20:07:53 +00:00
Michael Tremer
ed1349aa76 Merge remote-tracking branch 'ms/frr' into next 2018-10-31 09:31:38 +00:00
Michael Tremer
e1def10e29 frr: Set configuration file permissions correctly 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-30 17:32:48 +00:00
Michael Tremer
ebd6fe2b50 frr: Add initscript 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-30 17:27:28 +00:00
Michael Tremer
aeefbca730 clamav: Move database directory to /var partition 
The clamav database is quite large and occupies valuable
space on the root partition that on older systems is only
2GB large. This change moves the virus definition database
to the /var partition which is larger and supposed to hold
data like this anyway.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-29 11:25:24 +00:00
Michael Tremer
699f0aa710 haproxy: Make /dev/log available in chroot 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-22 21:40:56 +02:00
Stefan Schantl
2d475a3c6c Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata 2018-09-26 14:49:34 +02:00
Michael Tremer
b8fdc7398c static-routes: Make it clear that we are reloading routes 
When RED is brought down, we will reload all static routes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-09-13 15:03:59 +01:00
Michael Tremer
3da2a66193 aws: Don't update the system on first boot 
This will violate AWS policy and therefore had to be removed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-08-31 11:08:53 +01:00
Stefan Schantl
5f63067385 suricata: Fix initscript when using a single core machine 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2018-08-24 10:04:33 +02:00
Michael Tremer
95b87f39ac localnet: Set FQDN without using domainname command 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-08-23 10:18:59 +01:00