Development April 2019

development@lists.ipfire.org

12 participants
46 discussions

[PATCH] BUG11695: Adding/editing rules with preset broken
by Alexander Marx 15 Jul '21

15 Jul '21

added another check to fill same ports in source and destination when a custom service is selected. Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org> Reported-by: erik(a)vanlinsteeict.nl --- html/cgi-bin/firewall.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 499f279..d17afab 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -757,6 +757,7 @@ sub checkrule } } if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'cust_srv'){$fwdfwsettings{'dnatport'}=$custsrvport;} } #check if DNAT port is multiple if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ -- 2.7.4

3 2

[PATCH] firewall-lib.pl: Populate GeoIP rules only if location is available.
by Stefan Schantl 04 Jul '19

04 Jul '19

In case a GeoIP related firewall rule should be created, the script now will check if the given location is still available. Fixes #12054. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/firewall/firewall-lib.pl | 40 ++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 118744fd6..59ae096b0 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -70,6 +70,9 @@ my $netsettings = "${General::swroot}/ethernet/settings"; &General::readhasharray("$configsrvgrp", \%customservicegrp); &General::get_aliases(\%aliases); +# Get all available GeoIP locations. +my @available_geoip_locations = &get_geoip_locations(); + sub get_srv_prot { my $val=shift; @@ -456,17 +459,23 @@ sub get_address # Handle rule options with GeoIP as source. } elsif ($key eq "cust_geoip_src") { - # Get external interface. - my $external_interface = &get_external_interface(); + # Check if the given GeoIP location is available. + if(&geoip_location_is_available($value)) { + # Get external interface. + my $external_interface = &get_external_interface(); - push(@ret, ["-m geoip --src-cc $value", "$external_interface"]); + push(@ret, ["-m geoip --src-cc $value", "$external_interface"]); + } # Handle rule options with GeoIP as target. } elsif ($key eq "cust_geoip_tgt") { - # Get external interface. - my $external_interface = &get_external_interface(); + # Check if the given GeoIP location is available. + if(&geoip_location_is_available($value)) { + # Get external interface. + my $external_interface = &get_external_interface(); - push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]); + push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]); + } # If nothing was selected, we assume "any". } else { @@ -610,4 +619,23 @@ sub get_geoip_locations() { return &GeoIP::get_geoip_locations(); } +# Function to check if a database of a given GeoIP location is +# available. +sub geoip_location_is_available($) { + my ($location) = @_; + + # Loop through the global array of available GeoIP locations. + foreach my $geoip_location (@available_geoip_locations) { + # Check if the current processed location is the searched one. + if($location eq $geoip_location) { + # If it is part of the array, return "1" - True. + return 1; + } + } + + # If we got here, the given location is not part of the array of available + # zones. Return nothing. + return; +} + return 1; -- 2.20.1

3 3

OpenSSL-1.1.1a - No TLSv1.3 with unbound
by ummeegge 24 May '19

24 May '19

Hi all, did an fresh install from origin/next of Core 128 with the new OpenSSL- 1.1.1a . Have checked also DNS-over-TLS which works well but kdig points out that the TLS sessions operates only with TLSv1.2 instaed of the new delivered TLSv1.3 . A test with Cloudflair (which uses TLSv1.3) looks like this --> kdig Test: ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP) ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt' ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, The certificate is trusted. ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175 ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR ;; PADDING: 239 B ;; QUESTION SECTION: ;; www.isoc.org. IN A ;; ANSWER SECTION: www.isoc.org. 300 IN A 46.43.36.222 www.isoc.org. 300 IN RRSIG A 7 3 300 20190224085001 20190210085001 45830 isoc.org. g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ= ;; Received 468 B ;; Time 2019-02-10 12:40:19 CET ;; From 1.1.1.1@853(TCP) in 18.0 ms And a test with s_client: [root@ipfire tmp]# openssl s_client -connect 1.1.1.1:853 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com verify return:1 --- Certificate chain 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6 Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/ Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7 AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1 pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ -----END CERTIFICATE----- subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2787 bytes and written 421 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_CHACHA20_POLY1305_SHA256 Session-ID: FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01 Session-ID-ctx: Resumption PSK: 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7 PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 21600 (seconds) TLS session ticket: 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 6b ...........}...k 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 23 ..1Uw..\.......# 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 3d ....3]...u.hg.W= 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 ff .qk."......7bi.. 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 d9 Zx).........c... 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e cb ;.p8V.jC....].~. 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 06 .c..1qa.D.....C. 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 0e .....>.2....F... 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 1b ty.$.\....,.K... 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 07 }.=.jX.NA..).... 00b0 - e1 92 dd 8d 44 69 ....Di Start Time: 1549799117 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK closed Which seems strange to me since Cloudflair offers TLSv1.3 but unbound initializes only TLSv1.2 . Have check all working DoT servers from here --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too, but no TLSv1.3 at all... Did someone have similar behaviors ? Best, Erik

3 19

[PATCH] Fix for Bug #12050: Adding fixed leases with one 'add' click
by Matthias Fischer 20 May '19

20 May '19

Signed-off-by: BeBiMa <bbitsch(a)ipfire.org> Reviewed-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- html/cgi-bin/dhcp.cgi | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index 675d80012..ba5b54f84 100644 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -412,12 +412,16 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'add'}.'2') { } my $key = 0; + my $szc = scalar(@current2); CHECK:foreach my $line (@current2) { my @temp = split(/\,/,$line); if($dhcpsettings{'KEY2'} ne $key) { # same MAC is OK on different subnets. This test is not complete because # if ip are not inside a known subnet, I don't warn. # Also it may be needed to put duplicate fixed lease in their right subnet definition.. + if ((lc($dhcpsettings{'FIX_MAC'}) eq lc($temp[0])) &&(lc($dhcpsettings{'FIX_ADDR'}) eq lc($temp[1]))) { + last CHECK; + } foreach my $itf (@ITFs) { my $scoped = &General::IpInSubnet($dhcpsettings{'FIX_ADDR'}, $netsettings{"${itf}_NETADDRESS"}, @@ -442,11 +446,19 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'add'}.'2') { $dhcpsettings{'FIX_FILENAME'} = &Header::cleanhtml($dhcpsettings{'FIX_FILENAME'}); $dhcpsettings{'FIX_ROOTPATH'} = &Header::cleanhtml($dhcpsettings{'FIX_ROOTPATH'}); if ($dhcpsettings{'KEY2'} eq '') { #add or edit ? + if($key == $szc) { #add + @current2[$key] = "$dhcpsettings{'FIX_MAC'},$dhcpsettings{'FIX_ADDR'},$dhcpsettings{'FIX_ENABLED'},$dhcpsettings{'FIX_NEXTADDR'},$dhcpsettings{'FIX_FILENAME'},$dhcpsettings{'FIX_ROOTPATH'},$dhcpsettings{'FIX_REMARK'}\n"; + # sort newly added/modified entry + &sortcurrent2; + &General::log($Lang::tr{'fixed ip lease added'}); + $dhcpsettings{'KEY2'} = ''; + } else { #edit unshift (@current2, "$dhcpsettings{'FIX_MAC'},$dhcpsettings{'FIX_ADDR'},$dhcpsettings{'FIX_ENABLED'},$dhcpsettings{'FIX_NEXTADDR'},$dhcpsettings{'FIX_FILENAME'},$dhcpsettings{'FIX_ROOTPATH'},$dhcpsettings{'FIX_REMARK'}\n"); &General::log($Lang::tr{'fixed ip lease added'}); # Enter edit mode $dhcpsettings{'KEY2'} = 0; + } } else { @current2[$dhcpsettings{'KEY2'}] = "$dhcpsettings{'FIX_MAC'},$dhcpsettings{'FIX_ADDR'},$dhcpsettings{'FIX_ENABLED'},$dhcpsettings{'FIX_NEXTADDR'},$dhcpsettings{'FIX_FILENAME'},$dhcpsettings{'FIX_ROOTPATH'},$dhcpsettings{'FIX_REMARK'}\n"; $dhcpsettings{'KEY2'} = ''; # End edit mode -- 2.18.0

4 27

[PATCH] sslh: Update to version 1.20
by Erik Kapfer 19 May '19

19 May '19

- Added USELIBCAP=1 to enable the possibility for transparent option. - Wrote configuration directives in initscript into variable for better overview. - Introduce chroot directive in start parameter. - Added new user and group sslh (will be deleted if uninstall). - Changed EXTERNAL_IP_FUNCT to serve data also for configuration block but use it also as check as before. - Added symlinks in sslh paks since the initscripts LFS do not serves it in old installation (a reboot does not started sslh again). - Deleted sslh symlinks in initscripts LFS since they are served via sslh paks and are not needed anymore. Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> --- lfs/initscripts | 3 -- lfs/sslh | 12 ++++---- src/initscripts/packages/sslh | 65 +++++++++++++++++++++++++++++++++---------- src/paks/sslh/install.sh | 13 +++++++++ src/paks/sslh/uninstall.sh | 9 ++++++ 5 files changed, 79 insertions(+), 23 deletions(-) diff --git a/lfs/initscripts b/lfs/initscripts index 055e106d0..3173a04e4 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -136,9 +136,6 @@ $(TARGET) : ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin diff --git a/lfs/sslh b/lfs/sslh index 100cec065..dedd10272 100644 --- a/lfs/sslh +++ b/lfs/sslh @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 1.7a +VER = 1.20 THISAPP = sslh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = sslh -PAK_VER = 5 +PAK_VER = 6 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 install : $(TARGET) @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP= - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP= + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh #install initscripts $(call INSTALL_INITSCRIPT,sslh) diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh index 43e58f392..0935b1114 100644 --- a/src/initscripts/packages/sslh +++ b/src/initscripts/packages/sslh @@ -3,31 +3,68 @@ # Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org +# +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ +# +############################################################# +# . /etc/sysconfig/rc . $rc_functions +DAEMON="/usr/sbin/sslh" + +# Check for external IP address and provide it to listening option +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" +EXTERNAL_IP_FUNCT() { + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then + echo_failure + boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} + boot_mesg -n " your external IP address." + boot_mesg "" ${NORMAL} + exit 1 + fi +} + +# Loopback interface +LO="127.0.0.1" +# Used TCP ports +LISTENPORT="443" +SSHPORT="222" +TLSPORT="444" +OPENVPNPORT="1194" + +# Configuration options +DAEMON_OPTS=" +--user sslh +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} +--ssh ${LO}:${SSHPORT} +--tls ${LO}:${TLSPORT} +--openvpn ${LO}:${OPENVPNPORT} +--pidfile /var/run/sslh.pid +-C /var/empty +" + +# Check for binary +if ! [ -x "$(command -v ${DAEMON})" ]; then + echo "Error: could not find ${DAEMON}" >&2 + exit 1 +fi + +# Check for external IP +EXTERNAL_IP_FUNCT + case "$1" in start) boot_mesg "Starting SSLH Deamon..." - - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" - if [ -z "${LOCAL_IP_ADDRESS}" ]; then - echo_failure - boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} - boot_mesg -n " your external IP address." - boot_mesg "" ${NORMAL} - exit 1 - fi - - loadproc /usr/sbin/sslh -u nobody \ - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444 + loadproc ${DAEMON} ${DAEMON_OPTS} evaluate_retval ;; stop) boot_mesg "Stopping SSLH Deamon..." - killproc /usr/sbin/sslh + killproc ${DAEMON} evaluate_retval ;; @@ -38,7 +75,7 @@ case "$1" in ;; status) - statusproc /usr/sbin/sslh + statusproc ${DAEMON} ;; *) diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh index 626884bdd..df7cafc78 100644 --- a/src/paks/sslh/install.sh +++ b/src/paks/sslh/install.sh @@ -23,5 +23,18 @@ # . /opt/pakfire/lib/functions.sh extract_files + +# Add user and group for sslh if not already done +if ! grep -q sslh /etc/passwd; then + groupadd sslh; + useradd -g sslh -M -s /sbin/nologin sslh +fi + ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh + +# Set symlink for runlevels +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh + start_service --background ${NAME} diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh index dca34ccbd..05bb27945 100644 --- a/src/paks/sslh/uninstall.sh +++ b/src/paks/sslh/uninstall.sh @@ -23,5 +23,14 @@ # . /opt/pakfire/lib/functions.sh stop_service ${NAME} + +# Delete user and group sslh +if grep -q sslh /etc/passwd; then + userdel sslh + groupdel sslh +fi + remove_files rm -f /etc/rc.d/init.d/networking/red.up/50-sslh +# Delete initscript symlinks +rm -f /etc/rc.d/rc?.d/???sslh -- 2.12.2

3 10

[PATCH 1/3] zabbix_agentd: update to 4.2.1
by Alexander Koch 09 May '19

09 May '19

Release notes: https://www.zabbix.com/rn/rn4.2.1 Signed-off-by: Alexander Koch <ipfire(a)starkstromkonsument.de> --- lfs/zabbix_agentd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 23b77b9..1dcf28c 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -24,7 +24,7 @@ include Config -VER = 4.2.0 +VER = 4.2.1 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 2 +PAK_VER = 3 DEPS = "" ############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 20f261708f95787f3dbea3eab89f804d +$(DL_FILE)_MD5 = e55ba94060ba2548ae8a1c29fd7cb7dd install : $(TARGET) -- 2.7.4

1 3

[RFC PATCH 0/8] Provide an easy way to use Safe Search
by Michael Tremer 03 May '19

03 May '19

For some users of IPFire, it makes a lot of sense to use Safe Search. Safe Search is a feature that some search engines provide to filter out pornography and other "adult" content from the search results. It makes sense to use this in schools or at home with smaller children. We used to have a checkbox in URL Filter which allowed to modify the search URL which no longer works because all search engines are using HTTPS. Some search engines provide a different way to enable Safe Search network wide by having special servers that can be contacted which always have Safe Search on. Those servers can be reached by changing the DNS response from the usual servers to those special ones. This patchset enables this for Google, Bing, DuckDuckGo and Yandex. These are all search engines I could find this support this. This patchset also removes the old URL Filter option. Please review and test. You can enable this by simply adding ENABLE_SAFE_SEARCH=on to /etc/sysconfig/unbound. Michael Tremer (8): unbound: Add switch to enable Google Safe Search unbound: Enable Bing SafeSearch unbound: Enbale DuckDuckGo safe search unbound: Move Safe Search zone setup to configuration file unbound: Add Yandex Safe Search unbound: Fix Bing domain name for SafeSearch unbound: Fix domain name for Google Safe Search URL Filter: Drop Safe Search feature config/unbound/unbound.conf | 3 + doc/language_issues.de | 1 + doc/language_issues.en | 1 - doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + html/cgi-bin/urlfilter.cgi | 62 ++--------- src/initscripts/system/unbound | 230 +++++++++++++++++++++++++++++++++++++++++ 12 files changed, 250 insertions(+), 54 deletions(-) -- 2.12.2

3 12

IPFire Developer Summit 2019
by Michael Tremer 28 Apr '19

28 Apr '19

Good morning, I would like to officially announce our this year’s IPFire Developer Summit. This year’s date is June 20-25th and we are going to be in London. We have settled on this date, because the Core Developers have little availability this year and this is the only date that would work, but we are hoping that many of you will join us then and there. We do not have a venue, yet, but as soon as we have a number of attendees I will start planning this. With this email, I would like to invite everyone to attend. This year, we are not planning to have any talks, but rather organise the event as a hackathon and planning meeting. If you would like to attend, or if you would like to sponsor us and help us with paying for this important event, please get on touch! Best, -Michael

1 0

[PATCH 1/3] ovpn_reorganize_encryption: Integrate HMAC selection to global section
by Erik Kapfer 27 Apr '19

27 Apr '19

Fixes: #12009 and #11824 - Since HMACs will be used in any configuration it is better placed in the global menu. - Adapted global section to advanced and marked sections with a headline for better overview. - Deleted old headline in advanced section cause it is not needed anymore. - Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file. Old configurations with SHA1 will be untouched. Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 88 ++++++++++++++++++++++------------------------- langs/de/cgi-bin/de.pl | 1 - langs/en/cgi-bin/en.pl | 1 - 3 files changed, 42 insertions(+), 48 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 812680328..80190dc34 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -332,11 +332,8 @@ sub writeserverconf { print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; - if ($sovpnsettings{'DAUTH'} eq '') { - print CONF ""; - } else { print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } @@ -793,7 +790,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); @@ -1204,6 +1200,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; #wrtie enable if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -2341,11 +2338,8 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; - if ($vpnsettings{'DAUTH'} eq '') { - print CLIENTCONF ""; - } else { print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - } + if ($vpnsettings{'TLSAUTH'} eq 'on') { if ($cgiparams{'MODE'} eq 'insecure') { print CLIENTCONF ";"; @@ -2651,9 +2645,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; } @@ -2682,12 +2673,6 @@ ADV_ERROR: $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; @@ -2820,25 +2805,6 @@ print <<END; </table> <hr size='1'> -<table width='100%'> - <tr> - <td class'base'><b>$Lang::tr{'ovpn crypt options'}</b></td> - </tr> - <tr> - <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td> - </tr> - <tr><td class='base'>$Lang::tr{'ovpn ha'}</td> - <td><select name='DAUTH'> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> - <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> - <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> - <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> - <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - </td> - <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td> - </tr> -</table> <table width='100%'> <tr> @@ -4566,11 +4532,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; if (1) { @@ -5107,8 +5068,17 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } + if (-z "${General::swroot}/ovpn/ovpnconfig") { + $cgiparams{'DAUTH'} = 'SHA512'; + } + foreach my $key (keys %confighash) { + if ($confighash{$key}[3] ne 'host') { + $cgiparams{'DAUTH'} = 'SHA512'; + } else { + $cgiparams{'DAUTH'} = 'SHA1'; + } + } + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5225,8 +5195,16 @@ END if (&haveOrangeNet()) { print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>"; print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>"; - } - print <<END; + } + + print <<END; + + <tr><td colspan='4'><br></td></tr> + <tr> + <td class'base'><b>$Lang::tr{'net config'}:</b></td> + </tr> + <tr><td colspan='1'><br></td></tr> + <tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td> <td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr> <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td> @@ -5236,6 +5214,24 @@ END <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr> <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'} </td> <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td> + </tr> + + <tr><td colspan='4'><br></td></tr> + <tr> + <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td> + </tr> + <tr><td colspan='1'><br></td></tr> + + <tr> + <td class='base'>$Lang::tr{'ovpn ha'}</td> + <td><select name='DAUTH'> + <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> + <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> + <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> + <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> + </select> + </td> <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td> <td><select name='DCIPHER'> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 90b1ada06..bea89fde3 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1856,7 +1856,6 @@ 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', -'ovpn hmac' => 'HMAC-Optionen', 'ovpn log' => 'OVPN-Protokoll', 'ovpn mgmt in root range' => 'Ein Port von 1024 oder höher ist erforderlich.', 'ovpn mtu-disc' => 'Path MTU Discovery', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 98e99f150..449370a89 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1895,7 +1895,6 @@ 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', -'ovpn hmac' => 'HMAC options', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.', 'ovpn mtu-disc' => 'Path MTU Discovery', -- 2.12.2

1 2

[PATCH] bind: Update to 9.11.6-P1
by Matthias Fischer 27 Apr '19

27 Apr '19

For details see: http://ftp.isc.org/isc/bind9/9.11.6-P1/RELEASE-NOTES-bind-9.11.6-P1.html "Security Fixes The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]" Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/bind | 2 +- lfs/bind | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 8c8a55d19..9164ff740 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -274,7 +274,7 @@ usr/lib/libdns.so.1105.0.0 #usr/lib/libisc.la #usr/lib/libisc.so usr/lib/libisc.so.1100 -usr/lib/libisc.so.1100.0.1 +usr/lib/libisc.so.1100.1.0 #usr/lib/libisccc.la #usr/lib/libisccc.so usr/lib/libisccc.so.161 diff --git a/lfs/bind b/lfs/bind index f2286fe1f..b0a513c5f 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.11.6 +VER = 9.11.6-P1 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4882bd3eeef779e05b515b32354cc081 +$(DL_FILE)_MD5 = 8294f1a86f57a331379717d714e840e3 install : $(TARGET) -- 2.18.0

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development April 2019