Development November 2018

development@lists.ipfire.org

9 participants
25 discussions

[PATCH] BUG11695: Adding/editing rules with preset broken
by Alexander Marx 15 Jul '21

15 Jul '21

added another check to fill same ports in source and destination when a custom service is selected. Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org> Reported-by: erik(a)vanlinsteeict.nl --- html/cgi-bin/firewall.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 499f279..d17afab 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -757,6 +757,7 @@ sub checkrule } } if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'cust_srv'){$fwdfwsettings{'dnatport'}=$custsrvport;} } #check if DNAT port is multiple if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ -- 2.7.4

3 2

IPFire meets Suricata - Call for tester
by Stefan Schantl 05 Mar '19

05 Mar '19

Hello list followers, some time ago development for the new implementation of the Intrusion Detection functionality in IPFire has been started. The main goal, in a nutshell, was to give IPFire a modern, feature-rich and user-friendly Intrusion Detection Engine. During this progress, the detection framework has been replaced - now suricata is used instead of snort. Suricata uses a very modern and multi-threaded detection engine with support to perform actions on malicious traffic. So it provides the functionality of detecting any kind of intrusion attempts and the ability of guardian to block them under the same hood. It was a lot of work, but finaly I'm happy to announce the first test version. It is almost feature complete and without any kind of bigger issues. Because Intrusion Detection is a key feature of a firewall system, a lot of testing is required until the new implementation can become part of IPFire - therefore we need your help! Download the test image ( https://people.ipfire.org/~stevee/suricata/Images/), do a lot of hard testing and provide your feedback or suggestions on the develoment mailing list (https://lists.ipfire.org/mailman/listinfo/development). If you find any bugs please file them in the IPFire Bugtracker ( https://bugzilla.ipfire.org/). Many thanks in advance, -Stefan

7 49

[PATCH] BUG 11786 - squid: Remove setting for filter processes the number of Squid processes
by Daniel Weismüller 17 Dec '18

17 Dec '18

I added a function to determine the number of cores. Now the number of squid processes will be equal to the number of logical cores. Further I removed the possibility of changing the number of squid processes in the proxy.cgi Signed-off-by: Daniel Weismüller <daniel.weismueller(a)ipfire.org> --- config/cfgroot/general-functions.pl | 7 +++++++ html/cgi-bin/proxy.cgi | 16 ++-------------- 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 0577afe28..e8495e885 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -1165,5 +1165,12 @@ sub dnssec_status() { return $status; } +sub number_cpu_cores() { + open my $cpuinfo, "/proc/cpuinfo" or die "Can't open cpuinfo: $!\n"; + my $cores = scalar (map /^processor/, <$cpuinfo>); + close $cpuinfo; + + return $cores; +} 1; diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 738425b9a..92bebfe18 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -287,7 +287,6 @@ $proxysettings{'IDENT_USER_ACL'} = 'positive'; $proxysettings{'ENABLE_FILTER'} = 'off'; $proxysettings{'ENABLE_UPDXLRATOR'} = 'off'; $proxysettings{'ENABLE_CLAMAV'} = 'off'; -$proxysettings{'CHILDREN'} = '10'; $ncsa_buttontext = $Lang::tr{'advproxy NCSA create user'}; @@ -437,11 +436,6 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; } - if (!($proxysettings{'CHILDREN'} =~ /^\d+$/) || ($proxysettings{'CHILDREN'} < 1)) - { - $errormessage = $Lang::tr{'advproxy invalid num of children'}; - goto ERROR; - } if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { $browser_regexp = ''; @@ -1034,12 +1028,8 @@ print <<END </table> <hr size='1'> <table width='100%'> -<tr><td class='base' colspan='4'><b>$Lang::tr{'advproxy redirector children'}</b></td></tr> -<tr><td class='base' >$Lang::tr{'processes'}: <img src='/blob.gif' alt='*' /><input type='text' name='CHILDREN' value='$proxysettings{'CHILDREN'}' size='5' /></td> END ; -my $count = `ip n| wc -l`; -if ( $count < 1 ){$count = 1;} if ( -e "/usr/bin/squidclamav" ) { print "<td class='base'><b>".$Lang::tr{'advproxy squidclamav'}."</b><br />"; if ( ! -e "/var/run/clamav/clamd.pid" ){ @@ -1048,18 +1038,16 @@ if ( -e "/usr/bin/squidclamav" ) { } else { print $Lang::tr{'advproxy enabled'}."<input type='checkbox' name='ENABLE_CLAMAV' ".$checked{'ENABLE_CLAMAV'}{'on'}." /><br />"; - print "+ ".int(( $count**(1/3)) * 8);} +} print "</td>"; } else { print "<td></td>"; } print "<td class='base'><a href='/cgi-bin/urlfilter.cgi'><b>".$Lang::tr{'advproxy url filter'}."</a></b><br />"; print $Lang::tr{'advproxy enabled'}."<input type='checkbox' name='ENABLE_FILTER' ".$checked{'ENABLE_FILTER'}{'on'}." /><br />"; -print "+ ".int(($count**(1/3)) * 6); print "</td>"; print "<td class='base'><a href='/cgi-bin/updatexlrator.cgi'><b>".$Lang::tr{'advproxy update accelerator'}."</a></b><br />"; print $Lang::tr{'advproxy enabled'}."<input type='checkbox' name='ENABLE_UPDXLRATOR' ".$checked{'ENABLE_UPDXLRATOR'}{'on'}." /><br />"; -print "+ ".int(($count**(1/3)) * 5); print "</td></tr>"; print <<END </table> @@ -4095,7 +4083,7 @@ END if (($proxysettings{'ENABLE_FILTER'} eq 'on') || ($proxysettings{'ENABLE_UPDXLRATOR'} eq 'on') || ($proxysettings{'ENABLE_CLAMAV'} eq 'on')) { print FILE "url_rewrite_program /usr/sbin/redirect_wrapper\n"; - print FILE "url_rewrite_children $proxysettings{'CHILDREN'}\n\n"; + print FILE "url_rewrite_children ", &General::number_cpu_cores(), "\n\n"; } # Include file with user defined settings. -- 2.12.2

3 10

[Fwd: Re: request for info: unbound via https / tls]
by Paul Simmons 13 Dec '18

13 Dec '18

Forgot the list cc :-(.

4 27

[PATCH v2] fireinfo: support upstream proxy with authentication
by Peter Müller 11 Dec '18

11 Dec '18

Fireinfo could not send its profile to https://fireinfo.ipfire.org/ if the machine is behind an upstream proxy which requires username and password. This is fixed by tweaking urllib2's opening handler. To apply this on existing installations, the fireinfo package needs to be shipped during an update. The second version of this patch fixes bogus indention, assembles proxy authentication string more readable and preserves HTTP proxy handler. Fixes #11905 Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> Cc: Michael Tremer <michael.tremer(a)ipfire.org> --- src/sendprofile | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) mode change 100644 => 100755 src/sendprofile diff --git a/src/sendprofile b/src/sendprofile old mode 100644 new mode 100755 index b836567..1f32440 --- a/src/sendprofile +++ b/src/sendprofile @@ -73,10 +73,21 @@ def send_profile(profile): request.add_header("User-Agent", "fireinfo/%s" % fireinfo.__version__) # Set upstream proxy if we have one. - # XXX this cannot handle authentication proxy = get_upstream_proxy() + if proxy["host"]: - request.set_proxy(proxy["host"], "http") + # handling upstream proxies with authentication is more tricky... + if proxy["user"] and proxy["pass"]: + prx_auth_string = "http://%s:%s@%s/" % (proxy["user"], proxy["pass"], proxy["host"]) + + proxy_handler = urllib2.ProxyHandler({'http': prx_auth_string}) + proxy_handler = urllib2.ProxyHandler({'https': prx_auth_string}) + auth = urllib2.HTTPBasicAuthHandler() + opener = urllib2.build_opener(proxy_handler, auth, urllib2.HTTPHandler) + urllib2.install_opener(opener) + else: + request.set_proxy(proxy["host"], "http") + request.set_proxy(proxy["host"], "https") try: urllib2.urlopen(request, timeout=60) -- 2.16.4

2 5

''backup.cgi' - new icons - new order - query for delete / translation strings
by Matthias Fischer 04 Dec '18

04 Dec '18

Hi, Something similar has been posted before ([PATCH] Cosmetics: New icons for backup.cgi), but unfortunately the discussion was not continued for very long. Triggered by: https://forum.ipfire.org/viewtopic.php?f=17&t=21372 and https://forum.ipfire.org/viewtopic.php?f=17&t=21882 I'd like to know whether there is any interest in developing this any further. In the meantime, patches were built for 'backup.cgi' which not only update the icons and their order of precedence for better readability and usability. In an additional step, the 'delete' icons got 'onclick'-confirmation boxes (by Erik!) to prevent accidental deletions. Another step could be to add this confirmation to other CGIs. This additional query could prevent some trouble in the future as it happened to the original poster of the second link above. He accidentally deleted an OVPN client. No query... I'm already testing this functionality in other contexts (e.g., firewall rules, dhcp, hosts) and it works. And the last question: each current lang file contains up to ~600 unused translation strings. These are summing up to about 5000 strings which are not used or duplicates and could be deleted. Current size of all lang files is 1.2MB - we actually need about 900KB. A current patch can be found here: https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=acbf320… At the beginning of this year I built some patches for these unused strings and some other corrections (https://patchwork.ipfire.org/patch/1605/) but sadly got no reaction at all. Is there any interest, should we re-edit the unused translations? What do you think? Opinions and comments are welcome... Best, Matthias

3 2

Status emails and IP Blocklists
by Tim FitzGeorge 02 Dec '18

02 Dec '18

I've written a couple of addons for my installations of IPFire. They're available on github and some other people have tried them; they seem to be fairly well received and it's been suggested that it may be worth making them available through pakfire as official addons. The first addon provides the ability to send status emails. You can define multiple schedules and the items to be included in each email. By choosing parameters carefully it's possible to get it to send emails on some error conditions. The emails can be encrypted with GPG. The architecture makes it easy to add further items to be reported on. The second addon handles the setting up and updating of IP Address Blocklists in the firewall. It includes options to select which lists to use, and some control over how frequently to check for updates. Both include WUI pages for configuration and language files. They're fully functional, but would require some checking and minor updates. The source can be seen at https://github.com/timfprogs . I'm aware that there other people have made addons for both these purposes, which maybe suggests that it's functionality that is worth adding.

3 5

Building packages for IPFire 3.x
by Peter Müller 27 Nov '18

27 Nov '18

Hello *, sorry for being so quiet during the last weeks. Updating packages and provide some system hardening (kernel, SSH, et al.) for IPFire 3.x is on my todo list for a long time now. While searching for further information about how to build packages for this distribution, I came across https://wiki.ipfire.org/devel/build_package/start . As far as I understood, an instance of IPFire 3.x is needed to build packages on it; there is no other way documented. Is this correct? What happened to https://pakfire.ipfire.org/ ? Further, the *.nm files seem to be somewhat tricky. A quick lookup in the wiki did not show up any noob documentation. In case the is one available (man page, etc.), how do I find it? Thanks, and best regards, Peter Müller -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq

2 3

Question regarding AS205092 and AS210180
by Peter Müller 27 Nov '18

27 Nov '18

Hello, at some point since late summer this year, I observe an usual high amount of attacks (mainly SSH brute force) against several system I own or administer. Origin of these are AS205092 (OUTSOURCE GRID LIMITED) and AS210180 (PRISM BUSINESS SERVICES LTD). Both own just a single /24 IPv4 range each, and are connected to just one (little known) peer. AS205092 claims to be located in GB, and its postal address points to a dilapidated building somewhere in West Midlands (116 Bloomfield Road, Tipton, DY4 9ES). Only some of the assigned IPv4 addresses were conspicuous by attacks, and are mostly listed at Spamhaus XBL, too. The full range is 185.222.211.0/24 . AS210180 has set VE (Venezuela) as geographic location, which also matches the postal address. However, its full appeareance leaves doubts whether this is correct or not - a website mentioned in the RIR object claims an offshore location as office address, with telephone number in US. Its IPv4 range (185.222.210.0/24) is also listed as prefix for AS49877 (RM Engineering LLC). Both AS claim to provide hosting services, and look highly suspicious (bad upstream connectivity, dubious contact/postal addresses, similar BGP setup). While it is not mentioned anywhere they are just another two rogue ISPs, they would perfectly fit the bill. Is anybody observing attacks from these too or is in possession of further details (exact location, purpose, history, connection between AS210180 and AS49877)? Please drop me a line. :-) Thank you, and best regards, Peter Müller -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq

2 1

[PATCH] nano: Update to 3.2
by Matthias Fischer 26 Nov '18

26 Nov '18

Hi, Changed archive to 'xz' - this saves about 1.4MB (thanks Marcel ;-)) For further details see: https://www.nano-editor.org/news.php Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/nano | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lfs/nano b/lfs/nano index 671cf6731..4b636f4ea 100644 --- a/lfs/nano +++ b/lfs/nano @@ -24,15 +24,15 @@ include Config -VER = 3.1 +VER = 3.2 THISAPP = nano-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP).tar.xz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nano -PAK_VER = 24 +PAK_VER = 25 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 2fb85e86c5b14ac9e9465d3ba7506364 +$(DL_FILE)_MD5 = 2606dc0dc31a088f16c7d603b42d23d0 install : $(TARGET) @@ -76,7 +76,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc/nano \ -- 2.18.0

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development November 2018