3630 Commits

Author	SHA1	Message	Date
Michael Tremer	517683eeb1	ipsec: Drop VPN_IP setting ... This is now a per-connection setting Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6826364580	ipsec-*: Name some more configuration variables ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	1ca2f88a74	ipsec-interfaces: Uses local IP address from connection first, then default ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	c94aa25475	ipsec-interfaces: Fix typo in variable name ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	c821440ced	ipsec: Filter better for GRE/VTI interfaces ... This tried to delete the GREEN interface before Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6a45a1f101	ipsec: TTL only applies for GRE interfaces and not VTI ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	54bac01402	ipsec: Find correct RED IP address when using %defaultroute ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	3dc21d43bf	ipsec: Log a message when an interface could not be created ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	1a45f9a70a	ipsec-interfaces: Don't add any interfaces when IPsec is disabled ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	a56357b8be	Revert "ipsec-interfaces: Run when IPsec is disabled" ... This reverts commit 3c3a1cfdb9b473fae9b792e8c211c9940fafc658. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	4cf038dcfe	ipsec-interfaces: Run when IPsec is disabled ... This needs to run even when IPsec is disable to remove and interfaces Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	05af70c2f3	ipsec-interfaces: Use correct righthost variable ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	68e69b676f	network: Create IPsec interfaces when network is brought up ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	3446a17293	ipsecctrl: Call ipsec-interfaces script when turning up/shutting down connections ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	b8c153bca5	IPsec: Add (experimental) script that creates GRE/VTI interfaces ... Signed-off-by: root <root@interim-edge-a.ec2.internal>	2019-02-04 18:20:36 +00:00
Michael Tremer	b89ae1a4e3	ipsecctrl: Don't wait when a connection is to be started ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6cf8bc9161	IPsec: Move opening ports from ipsecctrl into ipsec-policy script ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	6c920b19cd	IPsec: Rename ipsec-block script to ipsec-policy ... This is a more general name for a script that will be extended soon to do more than just add blocking rules. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Stefan Schantl	c9b07d6a0c	initscripts/suricata: Generate firewall rules on start and reload ... Fixes #11978 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-30 13:47:07 +01:00
Stefan Schantl	d6f725e185	update-ids-ruleset: Improve error reporting if the system is offline ... Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-30 10:57:31 +01:00
Michael Tremer	17c2c09bcc	suricata: Scan outgoing traffic, too ... Connections from the firewall and through the proxy must be filtered, too Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-29 14:08:51 +01:00
Stefan Schantl	ca8c92108a	update-ids-ruleset: Set correct ownership for rulesdir and files ... Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-01-29 09:09:11 +01:00
Stefan Schantl	39155be805	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2019-01-26 12:40:04 +01:00
Peter Müller	fee8b1c504	OpenSSH: update to 7.9p1 ... Update OpenSSH to 7.9p1 (release note is available at https://www.openssh.com/txt/release-7.9). Patching support for OpenSSL 1.1.0 is no longer required, thus the orphaned patchfile has been deleted. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-23 05:13:47 +00:00
Arne Fitzenreiter	be838808e1	Merge remote-tracking branch 'origin/master' into next	2019-01-23 21:19:01 +01:00
Peter Müller	903052ddea	use HTTPS for downloading GeoIP database files ... Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-23 04:12:49 +00:00
Michael Tremer	480e301442	xtables-addons: Fix generating GeoIP database ... Perl seems to have a very funny feature where you cannot rely on how it formats IP addresses into a binary string. This seems to be 16 bytes long for IPv4 addresses when we (and the kernel) only expect 4. This patch changes this so that the last 12 bytes are just being dropped. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-23 04:12:41 +00:00
Peter Müller	d38e7e256d	use HTTPS for downloading GeoIP database files ... Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-21 21:03:38 +00:00
Stefan Schantl	c1a3401235	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2019-01-21 13:04:13 +01:00
Arne Fitzenreiter	9b86a7ec28	Merge remote-tracking branch 'origin/master' into next	2019-01-19 19:58:48 +01:00
Arne Fitzenreiter	271bac39a0	xt_geoip_updte: fix download url ... the maxmind server delivers an old version if there are two slashes before the database filename. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-01-19 15:16:43 +01:00
Peter Müller	47051c2a0a	drop orphaned OpenSSL patches ... Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-17 14:42:37 +00:00
Erik Kapfer	32ba431458	openssl: Update to version 1.1.1a ... Disabled MD2 and Aria cipher. TLSv1.3 is now available with: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 TLS_AES_256_GCM_SHA384 TLSv1.3 TLS_AES_128_GCM_SHA256 TLSv1.3 Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-17 14:33:20 +00:00
Michael Tremer	f0092a6e3e	keepalived: Move change of conntrack sysctl option into package ... The setting cannot be set on the default system because the ip_vs module is not loaded by default and there is no reason to load it just because we would be able to set the setting. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-13 12:50:26 +01:00
Matthias Fischer	042a5fe60a	tar: Update to 1.31, including fix for bug #11958 ... For details see: http://savannah.gnu.org/forum/forum.php?forum_id=9344 "- Fix heap-buffer-overrun with --one-top-level. - Support for zstd compression. - The -K option interacts properly with member names given in the command line. - Fix CVE-2018-20482" This patch was reverted because 'tar 1.31' crashed when installing PakFire packages with the option '--no-overwrite-dir'. See: https://bugzilla.ipfire.org/show_bug.cgi?id=11958 Included is now a patch from https://savannah.gnu.org/bugs/?55413, which seems to fix this issue. The test cases given in https://savannah.gnu.org/bugs/?55413#comment1 ran without problems. As always, please check and confirm. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-07 01:31:43 +00:00
Stefan Schantl	b76a8a008d	xt_geoip_update: Adjust script to download and use the GeoLite2 database ... Fixes #11961. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-07 01:21:01 +00:00
Stefan Schantl	a77870146f	xtables-addons: Use shipped xt_geoip_build ... Use the shipped xt_geoip_build directly instead of holding a copy in our GIT. Reference #11959 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-07 01:20:22 +00:00
Michael Tremer	7d5caee6bd	Add initscript for conntrackd ... The daemon will be started by default when a configuration file exists. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-06 08:59:25 +00:00
Arne Fitzenreiter	5e6f343b7d	python: update to 2.7.15 ... Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-01-06 15:51:53 +01:00
Arne Fitzenreiter	b15309e9d1	transmission: update to 2.94 ... Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-01-05 13:47:31 +01:00
Matthias Fischer	c86d893830	squid: Update to 4.5 ... For details see: http://www.squid-cache.org/Versions/v4/changesets/ Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-31 00:37:51 +00:00
Stefan Schantl	7b6f8596ed	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata	2018-12-28 07:36:59 +01:00
Michael Tremer	e978f0429f	keepalived: Fix incorrect path in initscript ... This path to keepalived was just incorrect and therefore the daemon could not easily be reloaded. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-19 23:38:48 +00:00
Michael Tremer	f33d28978d	unbound: Use correct parameter for IP addresses and hostnames ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-19 21:00:21 +01:00
Michael Tremer	c9ae511ecf	unbound: Allow forwarding to multiple servers at the same time ... Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-19 20:23:59 +01:00
Matthias Fischer	a2bcb4135b	squid: Update to 4.4 (stable) ... For details see: http://www.squid-cache.org/Versions/v4/changesets/ In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4 "The features have been set and large code changes are reserved for later versions." I've tested almost all 4.x-versions and patch series before with good results. Right now, 4.4 is running here with no seen problems together with 'squidclamav', 'squidguard' and 'privoxy'. I too would declare this version stable. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-18 22:30:51 +00:00
Stefan Schantl	f5ad510e3c	suricata: Use "2" as repeat-mark and repeat-mask. ... The previous used "1" was already used to mark source-natted packets. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-12-17 15:04:48 +01:00
Stefan Schantl	848ac69009	grub: xfs: Accept filesystem with sparse inodes ... Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-13 13:07:53 +00:00
Michael Tremer	81e1e80e38	AWS: Prefer red* or eth* when importing configuration ... This change is necessary to make sure that the script prefers are link with internet access. That would usually be red (after the second boot) or eth* (on the first boot). That allows (and ensures) that we can install packages in the user-data script. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-12-12 11:36:44 +00:00
Stefan Schantl	a13ddf04d9	Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata ... Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2018-12-12 09:27:59 +01:00