With this commit suricata reads the HTTP port declarations from a newly
introduced external file
(/var/ipfire/suricata/suricata-http-ports.yaml).
This file dynamically will be generated. HTTP ports always are the
default port "80" and "81" for update Accelerator and HTTP access to the
WUI. In case the Web-proxy is used, the configured proxy port and/or Transparent
Proxy port also will be declared as a HTTP port and written to that file.
In case one of the proxy ports will be changed, the HTTP port file will
be re-generated and suricate restarted if launched. Also if an old
backup with snort will be restored the convert script handles the
generation of the HTTP ports file.
Finally the suricata-generate-http-ports-file as a tiny script which
simply generates the http ports file and needs to be launched during the
installation of a core update. (The script will no be required
anymore, so it could be deleted afterwards.)
Fixes#12308.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Suricata does support re-reading it's configuration files and therfore
we need to restart it, if one or more ruleset files should be loaded or
not loaded anymore.
If simple some rules inside the same files are activated or deactivated
we are still fine to call the reload method to send suricata the signal
to reload its ruleset.
Fixes#12340.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since IPsec routing information do not show up in the normal routing
table, also displaying the contents of table 220 on netother.cgi might
be useful for debugging purposes.
The second version of this patch omits the output if routing table 220
is empty and introduces a custom translation for IPsec routing table
entries instead of just adding the table number to the generic translation.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The cgi support only rfcomm modem dialup. This is not used by modern hardware.
Also the used bluez stack version is outdated long time.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
if unbound is reloaded it start a bunch of dns queries
so suricata needs to now which servers should used.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The former used default Crypt algorithmus only supports passwords up to
eight signs wheater MD5 does not have any limitation here.
Fixes 12290.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These can no longer be modified in the GUI and are used nowhere.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Because the ISP-assigned nameservers do not have any TLS-hostname
information they cannot be used, when TLS is activated.
They only can be used if they will be added as "regular" DNS servers
with a TLS-hostname.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
I do not know why perl when using "le" which means "less-or-equal"
defines a "10" as "1".
This commit fixes the issue that it was not possible to add more than 8
nameservers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machines hostname or IP address. Existing
certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes#11594
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When the DNS configuration of the system is changed,
we need to re-generate the file which contains the DNS Server
details for suricata and to restart the service.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
In the past this code was used to add the DNS servers
to the ignore list and prevent them from being blocked by
guardian.
Because of the switch to suricata as IPS, guardian now prevents
from password brute-forcing on SSH and/or the webserver, so this
code is not longer needed and safly can be removed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
For this, a test query to the local unbound instance will be
sent and if the DNS system work properly can be answerd.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
