webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-11 11:35:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
14,469 Commits 2 Branches 1 Tag
f5dba19edfdbc8f925b7fced7782d7bc3c58d998
Commit Graph

14469 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Arne Fitzenreiter
f5dba19edf core144: add dhcpcd 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-12 08:18:51 +02:00
Arne Fitzenreiter
89445161b0 core144: start update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-12 08:14:26 +02:00
Arne Fitzenreiter
b14b37ba67 OpenSSH: fix login on i?86 
glibc calls clock_nanosleep_time64 syscall even if it not defined in
the headers for this arch and the seccomp filter kills the process
with because an unknown syscall.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-10 21:41:14 +02:00
Arne Fitzenreiter
975bd8bc17 Revert "Revert "OpenSSH: update to 8.2p1"" 
This reverts commit e7fcf874e7.
 2020-04-10 16:23:09 +02:00
Arne Fitzenreiter
e7fcf874e7 Revert "OpenSSH: update to 8.2p1" 
ssh skips login before asking for credentials at i586.

This reverts commit 3fd3f4de44.
 2020-04-09 20:26:33 +00:00
Michael Tremer
5947f92a5a unbound: skip empty domains at local-data import 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-09 20:24:42 +00:00
Arne Fitzenreiter
551bc48940 suricata: disable dns flood protection 
this causes errors in unbound and also other linux clients if
a dns rule triggers.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-08 15:48:20 +00:00
Arne Fitzenreiter
b8fcb49567 suricata: update ET rulesets sources for suricata 5 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-08 15:43:35 +00:00
Arne Fitzenreiter
b518bee95c icinga: bump PAKVER 
some installations has a copy installed that still try to include
perl-5.12.3 libs.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-08 07:44:45 +02:00
Arne Fitzenreiter
e049d6fcbe core143: touch need reboot flag 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-08 07:43:50 +02:00
Arne Fitzenreiter
9246069398 pcengines-apu-firmware: update rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 15:14:39 +02:00
Arne Fitzenreiter
16b499c4b9 pcengines-apu-firmware: fix lfs file 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 11:15:03 +02:00
Arne Fitzenreiter
21be3871b9 core143: add zoneconf.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 08:59:32 +00:00
Michael Tremer
bb90622c2c zoneconf.cgi: Skip checks for non-existing zones 
On systems with RED on PPP and no BLUE or ORANGE zones,
there would always be an error when handling non-existant input.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 08:58:48 +00:00
Arne Fitzenreiter
154bb705b1 pcengines-apu-firmware: update to v4.11.0.5 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 08:58:34 +00:00
Arne Fitzenreiter
cce7aa9bb8 core143: add unbmound initskript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 08:57:50 +00:00
Michael Tremer
1b6b8d97aa unbound: Set domains with local data into type transparent mode 
Records which are from the same domain than the IPFire hostname
might not be returned by unbound. This change explicitely instructs
unbound to check local data before checking the global DNS.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 08:55:31 +00:00
Arne Fitzenreiter
e4013c9dab core143: add suricata http port changes 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-07 08:54:27 +00:00
Stefan Schantl
e698090e7f IDS: Dynamically generate and import the HTTP ports. 
With this commit suricata reads the HTTP port declarations from a newly
introduced external file
(/var/ipfire/suricata/suricata-http-ports.yaml).

This file dynamically will be generated. HTTP ports always are the
default port "80" and "81" for update Accelerator and HTTP access to the
WUI. In case the Web-proxy is used, the configured proxy port and/or Transparent
Proxy port also will be declared as a HTTP port and written to that file.

In case one of the proxy ports will be changed, the HTTP port file will
be re-generated and suricate restarted if launched. Also if an old
backup with snort will be restored the convert script handles the
generation of the HTTP ports file.

Finally the suricata-generate-http-ports-file as a tiny script which
simply generates the http ports file and needs to be launched during the
installation of a core update. (The script will no be required
anymore, so it could be deleted afterwards.)

Fixes #12308.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-06 14:04:00 +00:00
Stefan Schantl
6084e66e70 suricata.yaml: Re-add EVE log section. 
Hopefully the EVE log will display some more content when trying to
debug suricata events and rules.

Fixes #12315.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-06 14:03:26 +00:00
Stefan Schantl
1622e5c1f3 ids.cgi: Fix logic if suricata needs to be restarted. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-06 14:02:59 +00:00
Arne Fitzenreiter
b563d5bd69 core143: add backup include and ids-functions 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-05 07:58:07 +00:00
Stefan Schantl
7b97359b99 IDS: Add GREEN and BLUE addresses to the list of DNS servers. 
Fixes #12349.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-05 07:35:08 +00:00
Stefan Schantl
92206da35a Backup: Add idsrules tarball. 
The tarball is required to generate and restore the IDS ruleset.

Fixes #12319.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-05 07:34:07 +00:00
Stefan Schantl
00a083aaf2 Backup: Add suricata rules-settings file. 
This file contains the configured ruleset and oinkcode settings and
therefore needs to be backuped and restored.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-05 07:33:45 +00:00
Arne Fitzenreiter
2f8a33e182 suricata: increase dns flood trigger 
on slow lines unbound trigger the floodprotection at init.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-02 16:31:18 +00:00
Arne Fitzenreiter
702b59cd02 paks: fix meta size entry 
remove the doublequotes around the size because pakfire not
accept this.

fixes: #12348

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-02 16:28:39 +00:00
Arne Fitzenreiter
0b0a3634cd core143: stop/start updated services 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:59:42 +00:00
Arne Fitzenreiter
55f4de214f core143: add suricata.yaml 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:50:47 +00:00
Peter Müller
8bf1c9f65d OpenSSL: update to 1.1.1f 
Fixes #12345 (yes, that's the real bug ID :-) )

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:46:55 +00:00
Stefan Schantl
d383248063 Suricata: Add port 81 (UpdateAccelerator) to group of HTTP ports. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:46:27 +00:00
Arne Fitzenreiter
006b79aaa9 core143: add ids.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:42:55 +00:00
Stefan Schantl
af8e5145fa ids.cgi: Restart suricata if necessary when altering the ruleset. 
Suricata does support re-reading it's configuration files and therfore
we need to restart it, if one or more ruleset files should be loaded or
not loaded anymore.

If simple some rules inside the same files are activated or deactivated
we are still fine to call the reload method to send suricata the signal
to reload its ruleset.

Fixes #12340.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:41:51 +00:00
Michael Tremer
2ff56df4e0 strongswan: Build sha3 plugin 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:40:39 +00:00
Michael Tremer
dce34b2dcb strongswan: Update to 5.8.4 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-04-01 14:40:02 +00:00
Arne Fitzenreiter
3c90dd92a5 core143: add dma, mail.cgi and vpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 19:13:08 +00:00
Michael Tremer
0c466599d0 amazon-ssm-agent: Allow to overcommit memory 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 17:28:40 +00:00
Michael Tremer
229a6dffd7 amazon-ssm-agent: Update to 2.3.930.0 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 17:28:38 +00:00
Arne Fitzenreiter
81ebfac70d vpnmain.cgi: fix string 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 17:25:08 +00:00
Michael Tremer
610108ffbd Fix accidentially reverted IKE lifetime limit to 24 hours 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 17:21:25 +00:00
Arne Fitzenreiter
37533b0dea core143: apply changed sysctl settings 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 17:09:34 +00:00
Peter Müller
29a8992b72 sysctl.conf: Turn on hard- and symlink protection 
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 17:07:26 +00:00
Peter Müller
6075720c48 update language files for mail.cgi changes 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:49:22 +00:00
Peter Müller
d07286de46 mail.cgi: add support for implicit TLS usage 
The second version of this patchset fixes reading empty configuration
files and superseds the first version (duh!).

Fixes #12161

Reported-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:45:11 +00:00
Peter Müller
59b2a70f7a dma: update to 0.12 
All of the dma patches in src/patches/ were merged into its upstream
repository by now, thus becoming obsolete and deleted by this patch.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:44:35 +00:00
Arne Fitzenreiter
2d599cca34 core143: add oinkmaster.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:43:50 +00:00
Stefan Schantl
1d84b352df oinkmaster: Do not skip threshold.conf 
Fixes #12096.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:41:25 +00:00
Arne Fitzenreiter
2480c416d6 core143: set user of /var/spool/cron to cron 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:39:06 +00:00
Michael Tremer
e4a0b55881 fcron: Fix reloading crontab 
fcrontab -z fails on a freshly installed system since
/var/spool/cron is now owned by cron:cron and a temporary
file cannot be created.

This will have to be manually changed in the updater by
calling:

  chown cron:cron /var/spool/cron

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:37:38 +00:00
Peter Müller
8f4ed62fa8 spectre-meltdown-checker: update to 0.43 
Please refer to https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.43
for release notes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2020-03-30 16:33:57 +00:00