Commit Graph

27 Commits

Author SHA1 Message Date
Arne Fitzenreiter
6f828b103e core137: add updated ruleset-sources
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:36:36 +00:00
Arne Fitzenreiter
ff42e56224 core137: add updated backup.pl
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:30:37 +00:00
Arne Fitzenreiter
57ff953341 core137: add ipset to update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:22:44 +00:00
peter.mueller@ipfire.org
5c0345f5c1 ship updated bash and readline
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:12:53 +00:00
Arne Fitzenreiter
fcb0e92dec core137: restart updated services
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-12 15:56:40 +00:00
Arne Fitzenreiter
2513c3bba9 core137: ship libpcap
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 19:05:50 +00:00
Arne Fitzenreiter
a647499b10 core137: ship unbound
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 19:03:50 +00:00
Arne Fitzenreiter
5fe5334daa core137: ship strongswan and vpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:56:47 +00:00
Arne Fitzenreiter
f1e1e9072d core137: ship updated unbound initscript
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:50:04 +00:00
peter.mueller@ipfire.org
70cd5c42f0 firewall: always allow outgoing DNS traffic to root servers
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for several reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust anchors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests for a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use an unnecessary xargs
call nor change anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:48:40 +00:00
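The commit above argues for always permitting outgoing DNS to the root servers. The following is an added example, not IPFire's firewall script or the code of this commit: it derives the addresses from a root hints file and emits (rather than executes) the corresponding iptables rules. The root hints excerpt is constructed inline from the public named.root format, the chain name OUTGOINGFW is an assumed placeholder, and only A records are used, so IPv6 root server addresses are skipped on purpose.

```sh
# Added example (not IPFire's own code): build "allow outgoing DNS to the
# root servers" rules from a root hints file, as the commit message describes.

# Constructed excerpt in root.hints / named.root format. Addresses are taken
# from the public root hints, but the list is deliberately short.
ROOT_HINTS='.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b'

# IPv4 addresses of the root servers: third column "A" selects A records only,
# so NS glue lines and AAAA records are ignored.
root_server_ips() {
    printf '%s\n' "$ROOT_HINTS" | awk '$3 == "A" { print $4 }'
}

# Print, without executing, one ACCEPT rule per root server and protocol
# (TCP and UDP, destination port 53). OUTGOINGFW is an assumed chain name.
root_dns_rules() {
    root_server_ips | while read -r ip; do
        for proto in tcp udp; do
            printf 'iptables -A OUTGOINGFW -p %s -d %s --dport 53 -j ACCEPT\n' \
                "$proto" "$ip"
        done
    done
}

# Would a given destination address be covered by these rules? 0 = yes, 1 = no.
is_root_server() {
    root_server_ips | grep -qxF -- "$1"
}
```

On a real IPFire box the generated lines would be run from the firewall init script instead of printed; keeping generation and execution apart makes the rule set easy to review before it is loaded, which is the check a practitioner wants when an always-on exception is added to an otherwise restrictive DNS policy.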
Arne Fitzenreiter
c132fed64d core137: ship suricata
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:38:52 +00:00
Arne Fitzenreiter
563ac9b13e core137: ship knot
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:36:24 +00:00
peter.mueller@ipfire.org
a85a7a60fc firewall: raise log rate limit for user generated rules, too
Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises the log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better to touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:30:31 +00:00
Arne Fitzenreiter
e60dde5f53 core137: ship Net_SSLeay
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:26:22 +00:00
Arne Fitzenreiter
0e081a25f7 core137: ship libssh
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:21:17 +00:00
Arne Fitzenreiter
dcf1a61f5b core137: ship updated logrotate.conf
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:17:44 +00:00
Arne Fitzenreiter
dbcb1c99d2 core137: ship tzdata
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:14:43 +00:00
Arne Fitzenreiter
c9ef22a019 core137: ship wpa_supplicant
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:10:23 +00:00
Arne Fitzenreiter
6499bd0d50 core137: ship bind
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:08:04 +00:00
Arne Fitzenreiter
2a0edc08bf core137: ship changed ovpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:06:13 +00:00
Arne Fitzenreiter
5907bc5d5e core137: add pcre
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:02:23 +00:00
Arne Fitzenreiter
c0fe5525ce core137: add dhcpcd
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:59:39 +00:00
Arne Fitzenreiter
6c84c53803 core137: add iproute2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:57:32 +00:00
Arne Fitzenreiter
6bc008fc8f core137: add iptables and collectd
collectd is linked against libip4tc, so we need to ship this as well

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:53:36 +00:00
Arne Fitzenreiter
4e6c66b525 core137: add libnetfilter_queue
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:49:09 +00:00
Arne Fitzenreiter
968af91f62 core137: add libhtp
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 17:46:29 +00:00
Arne Fitzenreiter
593a9326d8 start core137 and add kernel and IO-Socket-SSL to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-21 09:52:02 +00:00