Stefan Schantl
af0065691c
suricata: Do not display messages when starting up
...
Fixes #11979.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-02-05 13:57:40 +01:00
Michael Tremer
68e69b676f
network: Create IPsec interfaces when network is brought up
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
6c920b19cd
IPsec: Rename ipsec-block script to ipsec-policy
...
This is a more general name for a script that will be extended
soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Stefan Schantl
c9b07d6a0c
initscripts/suricata: Generate firewall rules on start and reload
...
Fixes #11978
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-01-30 13:47:07 +01:00
Michael Tremer
17c2c09bcc
suricata: Scan outgoing traffic, too
...
Connections from the firewall and through the proxy must be filtered, too
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-01-29 14:08:51 +01:00
Stefan Schantl
c1a3401235
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
2019-01-21 13:04:13 +01:00
Michael Tremer
7d5caee6bd
Add initscript for conntrackd
...
The daemon will be started by default when a configuration
file exists.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-01-06 08:59:25 +00:00
Stefan Schantl
7b6f8596ed
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
2018-12-28 07:36:59 +01:00
Michael Tremer
f33d28978d
unbound: Use correct parameter for IP addresses and hostnames
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-12-19 21:00:21 +01:00
Michael Tremer
c9ae511ecf
unbound: Allow forwarding to multiple servers at the same time
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-12-19 20:23:59 +01:00
Stefan Schantl
f5ad510e3c
suricata: Use "2" as repeat-mark and repeat-mask.
...
The previously used "1" was already used to mark source-natted
packets.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-12-17 15:04:48 +01:00
Michael Tremer
81e1e80e38
AWS: Prefer red* or eth* when importing configuration
...
This change is necessary to make sure that the script prefers
a link with internet access. That would usually be red (after
the second boot) or eth* (on the first boot).
That allows (and ensures) that we can install packages in
the user-data script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-12-12 11:36:44 +00:00
Stefan Schantl
a13ddf04d9
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-12-12 09:27:59 +01:00
Arne Fitzenreiter
56726ed954
rngd: update initscript and add hwrngtty support
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2018-12-06 22:33:05 +01:00
Michael Tremer
95c60d31aa
udev: Do not try to change kernel hotplug handler any more
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-11-07 20:27:35 +00:00
Michael Tremer
e300a3d138
udev: Do not try to install any device nodes any more
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-11-07 20:26:34 +00:00
Michael Tremer
9f60aa9679
syslog: Listen to network and block access from anywhere but localhost
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-11-07 20:07:53 +00:00
Stefan Schantl
2d475a3c6c
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
2018-09-26 14:49:34 +02:00
Michael Tremer
b8fdc7398c
static-routes: Make it clear that we are reloading routes
...
When RED is brought down, we will reload all static routes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-09-13 15:03:59 +01:00
Stefan Schantl
5f63067385
suricata: Fix initscript when using a single core machine
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-24 10:04:33 +02:00
Michael Tremer
95b87f39ac
localnet: Set FQDN without using domainname command
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-23 10:18:59 +01:00
Stefan Schantl
cb52183c6a
Fix merge conflicts during merge of next and the suricata branch
2018-08-23 10:34:17 +02:00
Michael Tremer
84cd9b9162
Drop the network-trigger script
...
This is done at boot time and doesn't normally need to be done again.
On AWS or in the setup, renaming any network interfaces is being
handled automatically.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-22 14:05:43 +01:00
Michael Tremer
f3d59d2c94
firstsetup: There is no need to restart udev here
...
All network interfaces are renamed accordingly in setup
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-22 14:02:43 +01:00
Michael Tremer
c5465a9453
aws: Let udev rename all network interfaces
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-22 14:00:39 +01:00
Stefan Schantl
55658ee381
suricata: Fix detection of enabled IDS on zone in initscript
...
I accidentally committed the wrong file in the previous commit.
This is the fixed and working version.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-17 08:45:47 +02:00
Stefan Schantl
00a031145e
suricata: Give 644 permissions to the suricata pidfile
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-17 08:24:19 +02:00
Stefan Schantl
3c2c54831f
suricata: Add code to create iptables rules to the initscript
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-16 18:51:13 +02:00
Stefan Schantl
7c82ee6165
firewall: Add chains for IPS (suricata)
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-16 18:50:39 +02:00
Michael Tremer
046ef135e6
Merge remote-tracking branch 'origin/efi' into next
2018-08-16 12:49:13 +01:00
Michael Tremer
242cfc3395
localnet: Properly format and quote variables
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-16 12:42:25 +01:00
Michael Tremer
5b9f387d59
localnet: Correctly set domain name
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-16 12:41:52 +01:00
Michael Tremer
3eeff87fe6
Fix typo in unbound initscript
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-15 11:51:53 +01:00
Michael Tremer
8defa50e73
aws: Execute user-data script while we have networking up
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-08-13 12:14:49 +01:00
Stefan Schantl
6187da5055
IDS: Add reload option to initscript
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-11 22:28:07 +02:00
Arne Fitzenreiter
79bcc6f769
collectd: fix cpufreq plugin enable
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2018-08-03 16:13:12 +02:00
Stefan Schantl
843a8c570c
snort: Drop package
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-03 10:19:35 +02:00
Stefan Schantl
d72b3e64c2
suricata: Introduce basic initscript
...
Add a very basic initscript, which currently allows one to start/stop/restart suricata and
check if the daemon is running.
The script will detect when starting suricata how many CPU cores are present on the system and
will launch suricata in inline mode (NFQUEUE) and listen to as many queues as CPU cores are
detected.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2018-08-02 19:54:22 +02:00
Michael Tremer
4e4c122c58
aws: Add support for a script that can be executed at first boot
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-20 16:19:46 +01:00
Michael Tremer
ba06294341
aws: Always exit the init script cleanly
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-20 16:05:15 +01:00
Michael Tremer
6cf5a533f5
partresize: Remove debugging line
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-20 12:03:10 +00:00
Michael Tremer
43829df3bb
partresize: Only regenerate configuration instead of re-installing GRUB
...
This should not be necessary
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-20 12:03:09 +00:00
Arne Fitzenreiter
37458540bf
collect: fix cpufreq graph on some machines.
...
the file cpuinfo_cur_freq does not exist on all systems that support collect
cpufreq data.
fixes #11739
2018-07-03 15:09:40 +02:00
Arne Fitzenreiter
1ac0d5c598
Merge branch 'aarch64' into next
...
Conflicts:
config/rootfiles/core/121/filelists/acpid
config/rootfiles/core/121/filelists/apache2
config/rootfiles/core/121/filelists/apr
config/rootfiles/core/121/filelists/aprutil
config/rootfiles/core/121/filelists/armv5tel/files
config/rootfiles/core/121/filelists/armv5tel/linux-initrd-kirkwood
config/rootfiles/core/121/filelists/armv5tel/linux-initrd-multi
config/rootfiles/core/121/filelists/armv5tel/linux-kirkwood
config/rootfiles/core/121/filelists/armv5tel/linux-multi
config/rootfiles/core/121/filelists/armv5tel/rpi-firmware
config/rootfiles/core/121/filelists/armv5tel/u-boot
config/rootfiles/core/121/filelists/armv5tel/u-boot-kirkwood
config/rootfiles/core/121/filelists/armv5tel/u-boot-mkimage
config/rootfiles/core/121/filelists/beep
config/rootfiles/core/121/filelists/cmake
config/rootfiles/core/121/filelists/crda
config/rootfiles/core/121/filelists/dhcp
config/rootfiles/core/121/filelists/flex
config/rootfiles/core/121/filelists/i586/grub
config/rootfiles/core/121/filelists/i586/intel-microcode
config/rootfiles/core/121/filelists/i586/linux
config/rootfiles/core/121/filelists/i586/linux-initrd
config/rootfiles/core/121/filelists/iw
config/rootfiles/core/121/filelists/jwhois
config/rootfiles/core/121/filelists/libidn
config/rootfiles/core/121/filelists/multipath-tools
config/rootfiles/core/121/filelists/pcre
config/rootfiles/core/121/filelists/tar
config/rootfiles/core/121/filelists/unbound
config/rootfiles/core/121/filelists/wget
config/rootfiles/core/121/filelists/x86_64/grub
config/rootfiles/core/121/filelists/x86_64/intel-microcode
config/rootfiles/core/121/filelists/x86_64/linux
config/rootfiles/core/121/filelists/x86_64/linux-initrd
config/rootfiles/core/122/filelists/aarch64/files
config/rootfiles/core/122/filelists/acpid
config/rootfiles/core/122/filelists/apache2
config/rootfiles/core/122/filelists/apr
config/rootfiles/core/122/filelists/aprutil
config/rootfiles/core/122/filelists/armv5tel/linux-initrd-kirkwood
config/rootfiles/core/122/filelists/armv5tel/linux-initrd-multi
config/rootfiles/core/122/filelists/armv5tel/linux-kirkwood
config/rootfiles/core/122/filelists/armv5tel/linux-multi
config/rootfiles/core/122/filelists/armv5tel/rpi-firmware
config/rootfiles/core/122/filelists/armv5tel/u-boot
config/rootfiles/core/122/filelists/armv5tel/u-boot-kirkwood
config/rootfiles/core/122/filelists/armv5tel/u-boot-mkimage
config/rootfiles/core/122/filelists/beep
config/rootfiles/core/122/filelists/cmake
config/rootfiles/core/122/filelists/crda
config/rootfiles/core/122/filelists/dhcp
config/rootfiles/core/122/filelists/flex
config/rootfiles/core/122/filelists/i586/grub
config/rootfiles/core/122/filelists/i586/intel-microcode
config/rootfiles/core/122/filelists/i586/linux
config/rootfiles/core/122/filelists/i586/linux-initrd
config/rootfiles/core/122/filelists/iw
config/rootfiles/core/122/filelists/jwhois
config/rootfiles/core/122/filelists/libidn
config/rootfiles/core/122/filelists/multipath-tools
config/rootfiles/core/122/filelists/pcre
config/rootfiles/core/122/filelists/tar
config/rootfiles/core/122/filelists/unbound
config/rootfiles/core/122/filelists/wget
config/rootfiles/core/122/filelists/x86_64/grub
config/rootfiles/core/122/filelists/x86_64/intel-microcode
config/rootfiles/core/122/filelists/x86_64/linux
config/rootfiles/core/122/filelists/x86_64/linux-initrd
config/rootfiles/core/123/filelists/unbound
config/rootfiles/oldcore/121/filelists/acpid
config/rootfiles/oldcore/121/filelists/apache2
config/rootfiles/oldcore/121/filelists/apr
config/rootfiles/oldcore/121/filelists/aprutil
config/rootfiles/oldcore/121/filelists/armv5tel/files
config/rootfiles/oldcore/121/filelists/armv5tel/linux-initrd-kirkwood
config/rootfiles/oldcore/121/filelists/armv5tel/linux-initrd-multi
config/rootfiles/oldcore/121/filelists/armv5tel/linux-initrd-rpi
config/rootfiles/oldcore/121/filelists/armv5tel/linux-kirkwood
config/rootfiles/oldcore/121/filelists/armv5tel/linux-multi
config/rootfiles/oldcore/121/filelists/armv5tel/linux-rpi
config/rootfiles/oldcore/121/filelists/armv5tel/rpi-firmware
config/rootfiles/oldcore/121/filelists/armv5tel/u-boot
config/rootfiles/oldcore/121/filelists/armv5tel/u-boot-kirkwood
config/rootfiles/oldcore/121/filelists/armv5tel/u-boot-mkimage
config/rootfiles/oldcore/121/filelists/beep
config/rootfiles/oldcore/121/filelists/cmake
config/rootfiles/oldcore/121/filelists/crda
config/rootfiles/oldcore/121/filelists/dhcp
config/rootfiles/oldcore/121/filelists/flex
config/rootfiles/oldcore/121/filelists/i586/grub
config/rootfiles/oldcore/121/filelists/i586/intel-microcode
config/rootfiles/oldcore/121/filelists/i586/linux
config/rootfiles/oldcore/121/filelists/i586/linux-initrd
config/rootfiles/oldcore/121/filelists/iw
config/rootfiles/oldcore/121/filelists/jwhois
config/rootfiles/oldcore/121/filelists/libidn
config/rootfiles/oldcore/121/filelists/multipath-tools
config/rootfiles/oldcore/121/filelists/pcre
config/rootfiles/oldcore/121/filelists/tar
config/rootfiles/oldcore/121/filelists/wget
config/rootfiles/oldcore/121/filelists/x86_64/grub
config/rootfiles/oldcore/121/filelists/x86_64/intel-microcode
config/rootfiles/oldcore/121/filelists/x86_64/linux
config/rootfiles/oldcore/121/filelists/x86_64/linux-initrd
make.sh
2018-07-03 11:52:05 +01:00
Arne Fitzenreiter
cf7a7a874f
Merge remote-tracking branch 'origin/master' into aarch64
2018-07-02 19:07:22 +01:00
Michael Tremer
464c27554c
aws: Re-enable check if we are actually running on EC2
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-01 11:52:54 +01:00
Michael Tremer
9a56118b61
aws: Suppress any output from ending dhclient
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-01 11:51:39 +01:00
Michael Tremer
787469ebd6
aws: No need to wake up udev again
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-01 11:51:18 +01:00
Michael Tremer
48a7737fdd
firewall: Allow starting without a green interface
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-01 10:32:31 +01:00
Michael Tremer
4c0bd63ea4
localnet: Don't write local hostname to /etc/hosts
...
This is now being provided by nss-myhostname
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-06-30 19:58:42 +01:00