webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
f5b9dcd1ccc930255aca4992023097cf1ef496cf
bpfire/lfs/configroot
Peter Müller 9a7e4d8506 Switch checksums from MD5 to BLAKE2 
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.

While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
2022-04-02 14:19:25 +00:00

178 lines
9.3 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = ipfire
THISAPP = configroot
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
install : $(TARGET)
check :
download :
b2 :
###############################################################################
# Installation Details
###############################################################################
$(TARGET) :
@$(PREBUILD)
# Create all directories
for i in addon-lang auth backup ca captive certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
ethernet extrahd/bin fwlogs fwhosts firewall isdn key langs logging mac main \
menu.d modem optionsfw \
ovpn patches pakfire portfw ppp private proxy/advanced/cre \
proxy/calamaris/bin qos/bin red remote sensors suricata time \
updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin vpn \
wakeonlan wireless ; do \
mkdir -p $(CONFIG_ROOT)/$$i; \
done
# Touch empty files
for i in auth/users backup/include.user backup/exclude.user \
captive/settings captive/agb.txt captive/clients captive/voucher_out certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings \
isdn/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
qos/tosconfig suricata/settings vpn/config vpn/settings vpn/ipsec.conf \
vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
touch $(CONFIG_ROOT)/$$i; \
done
# Copy initial configfiles
cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/network-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/location-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/ids-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/modem-lib.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list
cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl
cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler
cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/
cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings
cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults
cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings
cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
cp $(DIR_SRC)/config/cfgroot/main-settings $(CONFIG_ROOT)/main/settings
cp $(DIR_SRC)/config/cfgroot/manualpages $(CONFIG_ROOT)/main/
cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
cp $(DIR_SRC)/config/firewall/convert-xtaccess /usr/sbin/convert-xtaccess
cp $(DIR_SRC)/config/firewall/convert-outgoingfw /usr/sbin/convert-outgoingfw
cp $(DIR_SRC)/config/firewall/convert-dmz /usr/sbin/convert-dmz
cp $(DIR_SRC)/config/firewall/convert-portfw /usr/sbin/convert-portfw
cp $(DIR_SRC)/config/firewall/firewall-policy /usr/sbin/firewall-policy
cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices
cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices.default
# Oneliner configfiles
echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
echo "01" > $(CONFIG_ROOT)/certs/serial
echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf
echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPSAMBA=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPPROXY=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPHOSTILE=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "LOGDROPCTINVALID=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
echo "TREE=$(PAKFIRE_TREE)" >> $(CONFIG_ROOT)/pakfire/settings
# Install snort to suricata converter.
cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort
cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
cp $(DIR_SRC)/config/suricata/convert-ids-multiple-providers /usr/sbin/convert-ids-multiple-providers
# set converters executable
chmod 755 /usr/sbin/convert-*
# Make extrahd.pl executable
chmod 755 /var/ipfire/extrahd/bin/extrahd.pl
# Modify variables in header.pl
sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
-e "s+VERSION+$(VERSION)+g" \
$(CONFIG_ROOT)/header.pl
# Modify variables in general-functions.pl
sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
-e "s+VERSION+$(VERSION)+g" \
$(CONFIG_ROOT)/general-functions.pl
# Modify CONFIG_ROOT in lang.pl
sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
$(CONFIG_ROOT)/lang.pl
# Language files
cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/
# Configroot permissions
chown -R nobody:nobody $(CONFIG_ROOT)
chown root:root $(CONFIG_ROOT)
for i in backup/ *.pl addon-lang/ langs/ ; do \
chown -R root:root $(CONFIG_ROOT)/$$i; \
done
chown -Rv root:root $(CONFIG_ROOT)/*/bin
chown root:nobody $(CONFIG_ROOT)/dhcpc
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink