Commit Graph

2350 Commits

Author SHA1 Message Date
Arne Fitzenreiter
6f828b103e core137: add updated ruleset-sources
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:36:36 +00:00
Arne Fitzenreiter
ff42e56224 core137: add updated backup.pl
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:30:37 +00:00
Arne Fitzenreiter
57ff953341 core137: add ipset to update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:22:44 +00:00
peter.mueller@ipfire.org
5c0345f5c1 ship updated bash and readline
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:12:53 +00:00
Arne Fitzenreiter
fcb0e92dec core137: restart updated services
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-12 15:56:40 +00:00
Arne Fitzenreiter
2513c3bba9 core137: ship libpcap
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 19:05:50 +00:00
Arne Fitzenreiter
a647499b10 core137: ship unbound
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 19:03:50 +00:00
Arne Fitzenreiter
5fe5334daa core137: ship strongwan and vpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:56:47 +00:00
Arne Fitzenreiter
f1e1e9072d core137: ship updated unbound initscript
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:50:04 +00:00
peter.mueller@ipfire.org
70cd5c42f0 firewall: always allow outgoing DNS traffic to root servers
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust anchors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests for a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use an unnecessary xargs
call, nor does it change anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:48:40 +00:00
Arne Fitzenreiter
c132fed64d core137: ship suricata
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:38:52 +00:00
Arne Fitzenreiter
563ac9b13e core137: ship knot
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:36:24 +00:00
peter.mueller@ipfire.org
a85a7a60fc firewall: raise log rate limit for user generated rules, too
Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better to touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:30:31 +00:00
Arne Fitzenreiter
e60dde5f53 core137: ship Net_SSLeay
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:26:22 +00:00
Arne Fitzenreiter
0e081a25f7 core137: ship libssh
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:21:17 +00:00
Arne Fitzenreiter
dcf1a61f5b core137: ship updated logrotate.conf
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:17:44 +00:00
Arne Fitzenreiter
dbcb1c99d2 core137: ship tzdata
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:14:43 +00:00
Arne Fitzenreiter
c9ef22a019 core137: ship wpa_supplicant
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:10:23 +00:00
Arne Fitzenreiter
6499bd0d50 core137: ship bind
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:08:04 +00:00
Arne Fitzenreiter
2a0edc08bf core137: ship changed ovpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:06:13 +00:00
Arne Fitzenreiter
5907bc5d5e core137: add pcre
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:02:23 +00:00
Arne Fitzenreiter
c0fe5525ce core137: add dhcpcd
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:59:39 +00:00
Arne Fitzenreiter
6c84c53803 core137: add iproute2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:57:32 +00:00
Arne Fitzenreiter
6bc008fc8f core137: add iptables and collectd
collectd is linked to libip4tc so we need to ship this also

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:53:36 +00:00
Arne Fitzenreiter
4e6c66b525 core137: add libnetfilter_queue
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:49:09 +00:00
Arne Fitzenreiter
968af91f62 core137: add libhtp
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:46:29 +00:00
Arne Fitzenreiter
593a9326d8 start core137 and add kernel and IO-Socket-SSL to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-21 09:52:02 +00:00
Arne Fitzenreiter
d952d6d735 core136: apply local sshd config and restart sshd at update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-14 18:13:21 +00:00
Arne Fitzenreiter
4f84bf4074 core136: fix typo at GeoIP update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-14 16:20:27 +00:00
Arne Fitzenreiter
9ab4e56aa9 core136: ship perl-CGI and perl-Switch
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-14 15:21:41 +00:00
Arne Fitzenreiter
f7eb5925d2 core136: ship updated perl scripts
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-14 15:18:29 +00:00
Arne Fitzenreiter
43be529d2d core136: ship updated zoneconf.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-12 10:20:45 +00:00
Arne Fitzenreiter
ece63aa950 openssl: update to 1.1.1d
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-12 05:52:47 +00:00
Arne Fitzenreiter
d3d959851a core136: update logwatch crontab entry
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-11 17:38:32 +00:00
Arne Fitzenreiter
be8c539905 core136: ship logrotate
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-11 16:57:20 +00:00
Arne Fitzenreiter
a86febdc22 core136: ship changed log.dat
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-11 16:52:23 +00:00
Arne Fitzenreiter
81d5af569b core136: ship openssh
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-11 16:46:19 +00:00
Arne Fitzenreiter
bd44f7b763 core136: ship usb_modswitch and data
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-04 14:17:19 +00:00
Arne Fitzenreiter
136ade454b core136: ship unbound
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-02 20:21:27 +00:00
Arne Fitzenreiter
07a67eed52 core136: touch "need reboot" flag
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 17:11:29 +02:00
Arne Fitzenreiter
51a7871a35 core136: run xt_geoip_update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 17:10:44 +02:00
Arne Fitzenreiter
ffb5a1535e core136: restart apache2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 17:09:03 +02:00
Arne Fitzenreiter
18ec6097c3 core136: remove old perl files
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 17:05:55 +02:00
Arne Fitzenreiter
b0a8548bda core136: ship geoip-generator
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:40:49 +02:00
Arne Fitzenreiter
5c2fd2d388 core136: ship hwdata
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:37:19 +02:00
Arne Fitzenreiter
605fbc59a4 core136: ship knot
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:35:45 +02:00
Arne Fitzenreiter
7c53ccc757 core136: ship bind
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:34:37 +02:00
Arne Fitzenreiter
e2cfdbec31 core136: ship apache2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:33:30 +02:00
Arne Fitzenreiter
906aa4741f core136: ship dhcpcd
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:31:29 +02:00
Arne Fitzenreiter
2777bc0ac4 core136: ship patch
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-25 16:28:41 +02:00