Commit Graph

22608 Commits

Author SHA1 Message Date
Michael Tremer
d56df86ce2 wlanap.cgi: Change broadcast SSID to hide SSID
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:46:09 +00:00
Michael Tremer
375d1dc6dd wlanap.cgi: Default to channel 0 for ACS
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:45:47 +00:00
Michael Tremer
5474f9b32f wlanap.cgi: Enable Neighbourhood Scan by default
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:45:41 +00:00
Michael Tremer
b165dcdd80 wlanap.cgi: Don't try to show status if there is no interface
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:45:34 +00:00
Michael Tremer
03a71cd521 wlanap.cgi: Correctly show broadcast SSID status
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:45:24 +00:00
Michael Tremer
69bb956729 wlanap.cgi: Disable generating Perl warnings
Reported-by: Waynie <waynet@ucpix.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:44:07 +00:00
Michael Tremer
ff599dd2cb core189: Ship rules.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:43:39 +00:00
Michael Tremer
5cee03da1e firewall: Flush SYN_FLOOD_PROTECTION
This chain was not flushed when the firewall was being reloaded which
made any ports appear as open when rules have been disabled or deleted.

This has no security implications, but nevertheless isn't right.

Reported-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-08 08:43:23 +00:00
Michael Tremer
01782a41f8 core189: Ship ncat
This is required for the new Unbound/DHCP Leases bridge to work.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-07 10:22:33 +00:00
Michael Tremer
7eec7e2c8b ncat: Make this package part of the core system
The nc command is required for the Unbound/DHCP leases bridge.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-07 10:19:14 +00:00
Michael Tremer
74f5f41372 core189: Ship and restart Unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-04 11:46:22 +00:00
Matthias Fischer
b38609d64d unbound: Update to 1.21.1
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-1

"Fix CVE-2024-8508, unbounded name compression could lead to denial of service."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-04 11:45:37 +00:00
Michael Tremer
a7ac62f4a6 ovpnmain.cgi: Remove using dropped &General::getlastip() function
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-26 20:40:04 +00:00
Michael Tremer
0555434eff header.pl: Force browsers to reload rrdimage.js
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-26 14:13:30 +00:00
Michael Tremer
d1a3fd9e0d ovpnmain.cgi: Fix IP address calculation with static pools
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-26 14:11:46 +00:00
Michael Tremer
84b04cb6d3 core189: Ship suricata changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:53:40 +00:00
Michael Tremer
d99826dc71 suricata: Enable scanning IPsec packets
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:45:41 +00:00
Michael Tremer
e5da7dea66 ids.cgi: Add UI to enable scanning on IPsec
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:45:35 +00:00
Michael Tremer
db151ad716 suricata: Add support for zones having multiple interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:45:31 +00:00
Michael Tremer
09831e9ca9 suricata: Split marking packets off into a separate chain
This is required so that we can have different policies for incoming and
outgoing packets.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:45:26 +00:00
Michael Tremer
75a89ddf4a suricata: Clear IPS bits after use
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:54 +00:00
Michael Tremer
6826eed0a4 suricata: Always count the whitelisted packets
Even if there are no rules, if this does not exist, collectd will be
unhappy and we cannot generate the graph.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:48 +00:00
Michael Tremer
4efa4c4b71 ids.cgi: Don't show the graph if there is no RRD data
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:42 +00:00
Michael Tremer
0c5a683b7e ids.cgi: Fix empty states of tables
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:34 +00:00
Michael Tremer
d98d10f7df graphs.pl: Fix suricata graph name
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:29 +00:00
Michael Tremer
cf44d8d149 firewall: Move the IPS back to INPUT/FORWARD/OUTPUT
We cannot use the PREROUTING/POSTROUTING chains here because Suricata
will fail to track NAT-ed connections.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:24 +00:00
Michael Tremer
5da15c5d3b suricata: Track whitelisted traffic and add it to the IPS graph
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:18 +00:00
Michael Tremer
4721fac3c8 IPS: Add a graph that shows the IPS throughput
This graph is split into three parts. One shows bypassed packets, the
next one shows the actually scanned packets and lastly we show the total
throughput.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:12 +00:00
Michael Tremer
a85924cc25 suricata: Collect metrics on scanned and bypassed packets
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:07 +00:00
Michael Tremer
8b73307b15 suricata: Force Suricata to write a PID file again
The PID file does not get written when Suricata is not being started in
daemon mode and therefore we need to pass it as a command line
parameter.

The initscript should not deal with the PID file when starting but needs
it to terminate the process and to check the process status.

The web UI can use the PID file again.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:44:02 +00:00
Michael Tremer
63f4b3a7bc suricata: Fix syntax error in watcher script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:54 +00:00
Michael Tremer
0d38ebeb05 suricata: Remove debugging code
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:47 +00:00
Michael Tremer
525ff6d74d firewall: Move the IPS after the NAT marking
This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:41 +00:00
Michael Tremer
2438c6c249 ids.cgi: Fix detection for the Suricata process
We don't seem to have a PID file any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:35 +00:00
Michael Tremer
d3db046570 ids.cgi: Remove box from the top section
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:30 +00:00
Michael Tremer
d2f7d18e33 ids.cgi: Sort whitelist entries
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:23 +00:00
Michael Tremer
891702cad1 ids.cgi: Use new-style table for whitelist entries
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:18 +00:00
Michael Tremer
119cb83706 ids.cgi: Use new style tables for rulesets
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:11 +00:00
Michael Tremer
50f3e2a534 suricata: Fix broken spacing in the settings section
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:43:06 +00:00
Michael Tremer
1b7d1abdf0 suricata: Add option to scan WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:59 +00:00
Michael Tremer
72d501f923 suricata: Don't load /var/ipfire/ethernet/settings
We no longer need this directly as it is being pulled in from the
network functions.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:54 +00:00
Michael Tremer
eb3156ed6b suricata: Remove superfluous bits from the initscript
I don't know why these hacks are here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:48 +00:00
Michael Tremer
79cce701a9 suricata: Restore the interface selection
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:43 +00:00
Michael Tremer
7e1c564ec8 suricata: Start the new watcher in the background
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:37 +00:00
Michael Tremer
17887e69a8 suricata: Add a watcher to restart on unexpected termination
This patch adds a watcher process that will restart suricata when it is
being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:32 +00:00
Michael Tremer
e088c21158 suricata: Be more efficient with marks
This patch introduces a new mark which allows us to identify any newly
bypassed connections and permanently store the bypass flag.

We also only restore marks from the connection tracking when a packet
has no marks, yet.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:25 +00:00
Michael Tremer
54a58a2891 suricata: Replace removed CPU count function
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:19 +00:00
Michael Tremer
84a73d5f39 suricata: Add whitelist to iptables
This allows us to work around any problems in Suricata better, because
we never send any whitelisted packets to the IPS in the first place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:13 +00:00
Michael Tremer
655a95803a suricata: Remove some unused constants
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:42:06 +00:00
Michael Tremer
50d987cc21 suricata: Use getconf to determine the number of processors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-24 08:41:59 +00:00