This is a patchset that addresses a bug reported by Dan as #13764.
Suricata and/or NFQUEUE end up in some undefined behaviour where packets will be accepted when Suricata goes away (in this case it is being killed by the OOM killer). This results in the firewall exposing all ports on all interfaces which is a serious problem.
Although we actually configure the queue to simply bypass (as in no longer enqueue) packets when Suricata dies, the kernel always seems to end up in this scenario.
We cannot prevent Suricata from dying, but we will have to make sure that the firewall does not change behaviour. This is now being done by moving the IPS to the mangle table. The behaviour will be the same, but an ACCEPT action in the mangle table will not accept the packet; it will just terminate processing in that table. We further ensure that this is not going to be a problem by moving the NFQUEUE rule to the end. If it is being skipped, this is not a problem as we will only stop processing packets, which won't be a problem as Suricata has gone away anyway.
I believe that this is a better way to integrate Suricata, but it will change the behaviour of the firewall in the sense that the IPS is now the first thing that will see a packet. The location filter, IP blocklists and so on will all come after. I personally do not consider this a problem, but I wanted to make sure this is documented.
We now make more use of marking packets which might need to be benchmarked in order to ensure that this is not introducing any performance penalty.
Furthermore, this patchset adds support for WireGuard and makes some improvements to the web UI, which used some broken tables and left a lot of empty space on the screen.
Please test this and give me feedback if these changes introduce any regressions. I believe we want to release this with c189.
Best, -Michael
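A defender's check that a running rule set actually has the layout the cover letter relies on (NFQUEUE only in the mangle table, last in the IPS chain, with --queue-bypass so a dead Suricata neither drops nor accepts anything). This is an added example, not part of the patchset or of IPFire; the two rule dumps are constructed samples of iptables-save output whose chain names and mark bits follow the patches.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the IPS layout described in
# the cover letter. The two dumps are constructed samples, not real dumps.

# Layout after the patchset: IPS chain in mangle, NFQUEUE last, --queue-bypass set
GOOD_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:IPS - [0:0]
-A PREROUTING -m mark --mark 0x0 -j CONNMARK --restore-mark
-A PREROUTING -j IPS
-A POSTROUTING -j IPS
-A IPS -m mark --mark 0x20000000/0x20000000 -j RETURN
-A IPS -m mark --mark 0x80000000/0x80000000 -j RETURN
-A IPS -m mark ! --mark 0x10000000/0x10000000 -j RETURN
-A IPS -j NFQUEUE --queue-balance 0:3 --queue-bypass --queue-cpu-fanout
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
'

# Pre-patch layout: NFQUEUE in the filter table, where a bypassed queue
# (Suricata gone) acts like ACCEPT and the rules after it are never reached
LEGACY_RULES='*filter
:INPUT DROP [0:0]
:IPS_INPUT - [0:0]
-A INPUT -m mark --mark 0x0/0xc0000000 -j IPS_INPUT
-A IPS_INPUT -i green0 -j NFQUEUE --queue-bypass --queue-num 0
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
'

# Reads iptables-save output on stdin, prints one finding per line and
# returns the number of findings (0 means the rule set matches the layout).
check_ips_placement() {
    awk '
        BEGIN { n = 0; table = ""; last_ips_rule = "" }
        /^\*/   { table = substr($0, 2); next }   # "*mangle" -> current table
        /^COMMIT/ { next }
        /^-A / {
            chain = $2
            # Remember the last rule appended to mangle/IPS
            if (table == "mangle" && chain == "IPS") last_ips_rule = $0
            if ($0 ~ /-j NFQUEUE/) {
                if (table != "mangle")
                    findings[n++] = "NFQUEUE in table " table " chain " chain ": a bypassed queue acts like ACCEPT here"
                if ($0 !~ /--queue-bypass/)
                    findings[n++] = "NFQUEUE in " table "/" chain " lacks --queue-bypass: packets are dropped while Suricata is down"
            }
        }
        END {
            if (last_ips_rule == "")
                findings[n++] = "no rules in mangle/IPS: the IPS chain is not where the patchset puts it"
            else if (last_ips_rule !~ /-j NFQUEUE/)
                findings[n++] = "mangle/IPS: NFQUEUE is not the last rule, rules after it are skipped once the queue is bypassed"
            for (i = 0; i < n; i++) print findings[i]
            exit n
        }
    '
}

# Number of findings for a dump passed as a string
count_findings() {
    printf '%s' "$1" | check_ips_placement | wc -l | tr -d ' '
}

if printf '%s' "$GOOD_RULES" | check_ips_placement; then
    echo "current layout: OK"
fi
if ! printf '%s' "$LEGACY_RULES" | check_ips_placement; then
    echo "legacy layout: NOT OK"
fi
```

On a live system, feed `iptables-save` into `check_ips_placement` instead of the constructed dumps.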
This should make the IPS more efficient, we should have fewer rules and the IPS will now sit at the edge of the networking stack as it will see packets immediately when they come in and just before they leave.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 23 +------ src/initscripts/system/suricata | 108 +++++++++++--------------------- 2 files changed, 39 insertions(+), 92 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 6727e4a20..39d9c0f23 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -39,11 +39,6 @@ fi
NAT_MASK="0x0f000000"
-IPS_REPEAT_MARK="0x80000000" -IPS_REPEAT_MASK="0x80000000" -IPS_BYPASS_MARK="0x40000000" -IPS_BYPASS_MASK="0x40000000" - IPSET_DB_DIR="/var/lib/location/ipset"
SYNPROXY_OPTIONS=( @@ -84,16 +79,6 @@ iptables_init() { modprobe nf_log_ipv4 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
- # IPS Bypass Chain which stores the BYPASS bit in connection tracking - iptables -N IPSBYPASS - iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))" - - # Jump into bypass chain when the BYPASS bit is set - for chain in INPUT FORWARD OUTPUT; do - iptables -A "${chain}" -m mark \ - --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS - done - # Empty LOG_DROP and LOG_REJECT chains iptables -N LOG_DROP iptables -A LOG_DROP -m limit --limit 10/second -j LOG @@ -237,12 +222,10 @@ iptables_init() { iptables -A FORWARD -o tun+ -j OVPNBLOCK
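Review bot: the IPS_REPEAT/IPS_BYPASS mark constants removed here are re-declared in src/initscripts/system/suricata in the same patch, so the two scripts now have to agree on the bit layout purely by convention. Leave a comment next to NAT_MASK="0x0f000000" (which shares the same 32-bit mark space) reserving the upper bits for the IPS, so a later change to the firewall script does not reuse them.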
# IPS (Suricata) chains - iptables -N IPS_INPUT - iptables -N IPS_FORWARD - iptables -N IPS_OUTPUT + iptables -t mangle -N IPS
- for chain in INPUT FORWARD OUTPUT; do - iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" + for chain in PREROUTING POSTROUTING; do + iptables -t mangle -A "${chain}" -j IPS done
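Review bot: jumping to IPS from both PREROUTING and POSTROUTING means a forwarded packet enters the chain twice and is queued twice unless Suricata sets IPS_REPEAT_MARK on the way back; the commit message should state that the new layout depends on Suricata's repeat mark for that, and that locally generated packets are only seen once, in POSTROUTING.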
# OpenVPN transfer network translation diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 79f9478c3..253ece117 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -27,13 +27,20 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+IPS_REPEAT_MARK="0x80000000" +IPS_REPEAT_MASK="0x80000000" +IPS_BYPASS_MARK="0x40000000" +IPS_BYPASS_MASK="0x40000000" + # Name of the firewall chains. IPS_INPUT_CHAIN="IPS_INPUT" IPS_FORWARD_CHAIN="IPS_FORWARD" IPS_OUTPUT_CHAIN="IPS_OUTPUT"
# Optional options for the Netfilter queue. -NFQ_OPTS="--queue-bypass " +NFQ_OPTS=( + "--queue-bypass" +)
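Review bot: IPS_INPUT_CHAIN, IPS_FORWARD_CHAIN and IPS_OUTPUT_CHAIN are kept here although nothing references them once flush_fw_chain and generate_fw_rules use the single mangle IPS chain below; drop them in this patch rather than in a follow-up.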
# Array containing the 4 possible network zones. network_zones=( red green blue orange ovpn ) @@ -64,91 +71,48 @@ function get_cpu_count {
# Function to flush the firewall chains. function flush_fw_chain { - # Call iptables and flush the chains - iptables -w -F "$IPS_INPUT_CHAIN" - iptables -w -F "$IPS_FORWARD_CHAIN" - iptables -w -F "$IPS_OUTPUT_CHAIN" + iptables -w -t mangle -F IPS }
# Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { - cpu_count=$(get_cpu_count) - - # Loop through the array of network zones. - for zone in "${network_zones[@]}"; do - # Convert zone into upper case. - zone_upper=${zone^^} - - # Generate variable name for checking if the IDS is - # enabled on the zone. - enable_ids_zone="ENABLE_IDS_$zone_upper" - - # Check if the IDS is enabled for this network zone. - if [ "${!enable_ids_zone}" == "on" ]; then - # Check if the current processed zone is "red" and the configured type is PPPoE dialin. - if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ] && [ "$RED_DRIVER" != "qmi_wwan" ]; then - # Set device name to ppp0. - network_device="ppp0" - elif [ "$zone" == "ovpn" ]; then - # Get all virtual net devices because the RW server and each - # N2N connection creates it's own tun device. - for virt_dev in /sys/devices/virtual/net/*; do - # Cut-off the directory. - dev="${virt_dev##*/}" - - # Only process tun devices. - if [[ $dev =~ "tun" ]]; then - # Add the network device to the array of enabled zones. - enabled_ips_zones+=( "$dev" ) - fi - done - - # Process next zone. - continue - else - # Generate variable name which contains the device name. - zone_name="$zone_upper" - zone_name+="_DEV" - - # Grab device name. - network_device=${!zone_name} - fi - - # Add the network device to the array of enabled zones. - enabled_ips_zones+=( "$network_device" ) - fi - done - # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS + local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" ) + + local cpu_count="$(get_cpu_count)"
# Check if there are multiple cpu cores available. if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" + # Balance beetween all queues + NFQ_OPTIONS+=( + "--queue-balance" "0:$(($cpu_count-1))" + "--queue-cpu-fanout" + ) else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" + # Send all packets to queue 0 + NFQ_OPTIONS+=( + "--queue-num" "0" + ) fi
# Flush the firewall chains. flush_fw_chain
- # Check if the array of enabled_ips_zones contains any elements. - if [[ ${enabled_ips_zones[@]} ]]; then - # Loop through the array and create firewall rules. - for enabled_ips_zone in "${enabled_ips_zones[@]}"; do - # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS - iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS - - # Create rules which are required to handle forwarded traffic. - for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS - done - done - fi + # Don't process packets where the IPS has requested to bypass the stream + iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN + + # Don't process packets that have already been seen by the IPS + iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN + + # Send packets to suricata + iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}" + + # If suricata decided to bypass a stream, we will store the mark in the connection tracking table + iptables -w -t mangle -A IPS \ + -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \ + -j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))" + + return 0 }
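Review bot: the `-j CONNMARK --save-mark` rule appended after the NFQUEUE rule is unreachable in practice: a packet only continues down the IPS chain past NFQUEUE on NF_REPEAT, and a repeated packet carries IPS_REPEAT_MARK, so the `--mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN` rule above ends traversal before the bypass bit is ever saved. Move the CONNMARK rule before the repeat-mark RETURN. Separately, the per-zone ENABLE_IDS_* loop is removed without replacement, so every interface is queued regardless of the zone settings in the web UI; if that is an interim state, say so in the commit message.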
case "$1" in
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 253ece117..0c60c5119 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -52,7 +52,7 @@ enabled_ips_zones=() PID_FILE="/var/run/suricata.pid"
# Function to get the amount of CPU cores of the system. -function get_cpu_count { +get_cpu_count() { CPUCOUNT=0
# Loop through "/proc/cpuinfo" and count the amount of CPU cores. @@ -70,12 +70,12 @@ function get_cpu_count { }
# Function to flush the firewall chains. -function flush_fw_chain { +flush_fw_chain() { iptables -w -t mangle -F IPS }
# Function to create the firewall rules to pass the traffic to suricata. -function generate_fw_rules { +generate_fw_rules() { # Assign NFQ_OPTS local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 0c60c5119..06ad21afa 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -51,24 +51,6 @@ enabled_ips_zones=() # PID file of suricata. PID_FILE="/var/run/suricata.pid"
-# Function to get the amount of CPU cores of the system. -get_cpu_count() { - CPUCOUNT=0 - - # Loop through "/proc/cpuinfo" and count the amount of CPU cores. - while read line; do - [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++)) - done </proc/cpuinfo - - # Limit to a maximum of 16 cores, because suricata does not support more than - # 16 netfilter queues at the moment. - if [ $CPUCOUNT -gt "16" ]; then - echo "16" - else - echo $CPUCOUNT - fi -} - # Function to flush the firewall chains. flush_fw_chain() { iptables -w -t mangle -F IPS @@ -79,7 +61,7 @@ generate_fw_rules() { # Assign NFQ_OPTS local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
- local cpu_count="$(get_cpu_count)" + local cpu_count="$(getconf _NPROCESSORS_ONLN)"
# Check if there are multiple cpu cores available. if [ "$cpu_count" -gt "1" ]; then
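Review bot: replacing get_cpu_count with `getconf _NPROCESSORS_ONLN` drops the clamp to 16 that the removed comment says Suricata needs ("does not support more than 16 netfilter queues"), so on hosts with more cores `--queue-balance 0:$(($cpu_count-1))` will ask for queues Suricata never opens. Keep a `[ "$cpu_count" -gt 16 ] && cpu_count=16` (or document why the limit no longer applies).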
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 11 ----------- 1 file changed, 11 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 06ad21afa..c307e358c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -32,22 +32,11 @@ IPS_REPEAT_MASK="0x80000000" IPS_BYPASS_MARK="0x40000000" IPS_BYPASS_MASK="0x40000000"
-# Name of the firewall chains. -IPS_INPUT_CHAIN="IPS_INPUT" -IPS_FORWARD_CHAIN="IPS_FORWARD" -IPS_OUTPUT_CHAIN="IPS_OUTPUT" - # Optional options for the Netfilter queue. NFQ_OPTS=( "--queue-bypass" )
-# Array containing the 4 possible network zones. -network_zones=( red green blue orange ovpn ) - -# Array to store the network zones weather the IPS is enabled for. -enabled_ips_zones=() - # PID file of suricata. PID_FILE="/var/run/suricata.pid"
This allows us to better work around any problems in Suricata because we never send any whitelisted packets to the IPS in the first place.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index c307e358c..14b48b5bd 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -75,6 +75,21 @@ generate_fw_rules() { # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+ # Never send any whitelisted packets to the IPS + if [ -r "/var/ipfire/suricata/ignored" ]; then + local id network remark enabled rest + + while IFS=',' read -r id network remark enabled rest; do + echo "$network" + echo "$remark" + # Skip disabled entries + [ "${enabled}" = "enabled" ] || continue + + iptables -w -t mangle -A IPS -s "${network}" -j RETURN + iptables -w -t mangle -A IPS -d "${network}" -j RETURN + done < "/var/ipfire/suricata/ignored" + fi + # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
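Review bot: the two `echo "$network"` / `echo "$remark"` lines look like leftover debugging and will print every ignored entry on each start; remove them. Also, with `IFS=','` and five positional fields a comma inside the remark shifts "enabled" into `rest`, so such entries are silently skipped; consider reading `rest` last only after validating that `enabled` is one of the known values, and log entries that do not parse.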
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 14b48b5bd..30a81333f 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -103,8 +103,8 @@ generate_fw_rules() {
case "$1" in start) - # Get amount of CPU cores. - cpu_count=$(get_cpu_count) + # Get amount of CPU cores + cpu_count="$(getconf _NPROCESSORS_ONLN)"
# Numer of NFQUES. NFQUEUES="-q 0"
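Review bot: same concern as in generate_fw_rules: `cpu_count` now comes from getconf with no upper bound, and the `-q` queue list built from it below will exceed the queue count Suricata supports on larger hosts; clamp it in one place and reuse that value here.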
This patch changes that we introduce a new mark which allows us to identify any newly bypassed connections and permanently store the bypass flag.
We also only restore marks from the connection tracking when a packet has no marks, yet.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 2 +- src/initscripts/system/suricata | 20 +++++++++++++------- 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 39d9c0f23..5d37cffd7 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -160,7 +160,7 @@ iptables_init() { iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks - iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark + iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark
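Review bot: the connmark is now only restored in PREROUTING and only when the packet mark is 0, which is what the commit message asks for, but the IPS chain is also entered from POSTROUTING for locally generated packets, and those never pass PREROUTING; a bypassed connection that originates from the firewall itself therefore never gets IPS_BYPASS_MARK back and keeps being queued. Either add an equivalent restore in mangle OUTPUT or note the limitation in the comment.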
# Fix for braindead ISPs iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 30a81333f..20afab130 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,14 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
IPS_REPEAT_MARK="0x80000000" IPS_REPEAT_MASK="0x80000000" -IPS_BYPASS_MARK="0x40000000" -IPS_BYPASS_MASK="0x40000000" + +# The IPS requested that this connection is being bypassed +IPS_BYPASS_REQUESTED_MARK="0x40000000" +IPS_BYPASS_REQUESTED_MASK="0x40000000" + +# Marks a connection to be bypassed +IPS_BYPASS_MARK="0x20000000" +IPS_BYPASS_MASK="0x20000000"
# Optional options for the Netfilter queue. NFQ_OPTS=( @@ -72,6 +78,11 @@ generate_fw_rules() { # Don't process packets where the IPS has requested to bypass the stream iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
+ # If suricata decided to bypass a stream, we will store the mark in the connection tracking table + iptables -w -t mangle -A IPS \ + -m mark --mark "$(( IPS_BYPASS_REQUESTED_MARK ))/$(( IPS_BYPASS_REQUESTED_MASK ))" \ + -j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" + # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
@@ -93,11 +104,6 @@ generate_fw_rules() { # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
- # If suricata decided to bypass a stream, we will store the mark in the connection tracking table - iptables -w -t mangle -A IPS \ - -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \ - -j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))" - return 0 }
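Review bot: `CONNMARK --set-mark` writes the ctmark only, so the packet that carries IPS_BYPASS_REQUESTED_MARK keeps its own mark and continues to the repeat-mark RETURN below; that is correct, but the comment should say so, and should also say that nothing ever clears IPS_BYPASS_MARK from the ctmark, so a bypass is permanent for the connection's lifetime as the commit message intends.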
This patch adds a watcher process that will restart suricata when it is being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/suricata | 1 + config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++ lfs/suricata | 3 ++ src/initscripts/system/suricata | 16 ++-------- 4 files changed, 61 insertions(+), 14 deletions(-) create mode 100644 config/suricata/suricata-watcher
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 53224d006..8fe53f7e6 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,6 +1,7 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +usr/bin/suricata-watcher usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher new file mode 100644 index 000000000..a1a13d40c --- /dev/null +++ b/config/suricata/suricata-watcher 
@@ -0,0 +1,55 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A Linux-based Firewall # +# Copyright (C) 2024 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +PIDFILE="/var/run/suricata.pid" + +main() { + local ret + + while :; do + # Launch suricata + /usr/bin/suricata "$@" &>/dev/null + + # Wait until suricata is done + ret=$? + + case "${ret}" in + # If suricata has been killed by SIGKILL (e.g. by + # the OOM killer, or if it ran into a SEGV, we will + # restart the process. + 137|139) + # Remove the PID file + unlink "${PIDFILE}" 2>/dev/null + + sleep 1 + continue + ;; + + *) + break + ;; + esac + done + + return ${ret} +} + +main "$@" || return $? diff --git a/lfs/suricata b/lfs/suricata index 88f3c4575..dcee61ea1 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install converter script needed for Core Update 167 install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files
+ # Install the watcher + install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 20afab130..40bd69c87 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -123,12 +123,9 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null + /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES evaluate_retval
- # Allow reading the pidfile. - chmod 644 $PID_FILE - # Flush the firewall chain flush_fw_chain
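Review bot: in suricata-watcher the top-level `main "$@" || return $?` is invalid outside a function ("return: can only `return' from a function or sourced script"), so a failing Suricata exits the watcher with status 1 instead of Suricata's own status; use `exit $?`. In the initscript hunk, `/usr/bin/suricata-watcher ... $NFQUEUES` is started in the foreground (the old `-D` is gone and there is no `&`), so the start action blocks until Suricata exits and `evaluate_retval` never reports a successful start.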
@@ -139,20 +136,11 @@ case "$1" in
stop) boot_mesg "Stopping Intrusion Detection System..." - killproc -p $PID_FILE /var/run + killproc /usr/bin/suricata
# Flush firewall chain. flush_fw_chain
- # Sometimes suricata not correct shutdown. So killall. - killall -KILL /usr/bin/suricata 2>/dev/null - - # Remove suricata control socket. - rm /var/run/suricata/* >/dev/null 2>/dev/null - - # Trash remain pid file if still exists. - rm -f $PID_FILE >/dev/null 2>/dev/null - # Don't report returncode of rm if suricata was not started exit 0 ;;
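Review bot: `killproc /usr/bin/suricata` signals Suricata but not the watcher; if killproc has to escalate to SIGKILL, Suricata exits with 137 and the watcher's `137|139)` branch restarts it right after the stop action returns. Stop the watcher (or signal the watcher's process group) before killing Suricata, and make the watcher break out of its loop on SIGTERM.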
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 40bd69c87..455715d1b 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -43,9 +43,6 @@ NFQ_OPTS=( "--queue-bypass" )
-# PID file of suricata. -PID_FILE="/var/run/suricata.pid" - # Function to flush the firewall chains. flush_fw_chain() { iptables -w -t mangle -F IPS @@ -123,8 +120,7 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES - evaluate_retval + loadproc -b /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
# Flush the firewall chain flush_fw_chain
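Review bot: with `loadproc -b` the return value no longer says whether Suricata actually came up; a broken suricata.yaml makes Suricata exit immediately, the watcher's `*) break` branch ends the loop, and the start action still reports success while no IPS is running. Consider a post-start check (pidfile or unix socket present after a short wait) before flush_fw_chain/generate_fw_rules, so the firewall is not rebuilt for an IPS that is not there.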
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/networking/functions.network | 48 ++++++++++++++++++++ src/initscripts/system/suricata | 32 +++++++++++++ 2 files changed, 80 insertions(+)
diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network index e134d0cce..c189c2fbc 100644 --- a/src/initscripts/networking/functions.network +++ b/src/initscripts/networking/functions.network @@ -54,6 +54,54 @@ bin2ip() { echo "${address[*]}" }
+network_get_intf() { + local zone="${1}" + + case "${zone}" in + RED) + # For PPPoE, the RED interface is called ppp0 (unless we use QMI) + if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then + echo "ppp0" + return 0 + + # Otherwise we return RED_DEV + elif [ -n "${RED_DEV}" ]; then + echo "${RED_DEV}" + return 0 + fi + ;; + + GREEN) + if [ -n "${GREEN_DEV}" ]; then + echo "${GREEN_DEV}" + return 0 + fi + ;; + + ORANGE) + if [ -n "${ORANGE_DEV}" ]; then + echo "${ORANGE_DEV}" + return 0 + fi + ;; + + BLUE) + if [ -n "${BLUE_DEV}" ]; then + echo "${BLUE_DEV}" + return 0 + fi + ;; + + OPENVPN|OVPN) + # OpenVPN is using all tun devices + echo "tun+" + ;; + esac + + # Not found + return 1 +} + network_get_address() { local network="${1}"
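Review bot: the `OPENVPN|OVPN)` case echoes "tun+" but has no `return 0`, so it falls through to the trailing `return 1` and the function reports failure for OpenVPN; add `return 0` there like the other cases (callers that test the exit status rather than the output will otherwise skip the zone).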
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 455715d1b..8a1740528 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -21,6 +21,7 @@
. /etc/sysconfig/rc . ${rc_functions} +. /etc/init.d/networking/functions.network
PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
@@ -38,6 +39,13 @@ IPS_BYPASS_REQUESTED_MASK="0x40000000" IPS_BYPASS_MARK="0x20000000" IPS_BYPASS_MASK="0x20000000"
+# Set if we request to scan this packet +IPS_SCAN_MARK="0x10000000" +IPS_SCAN_MASK="0x10000000" + +# Supported network zones +NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" ) + # Optional options for the Netfilter queue. NFQ_OPTS=( "--queue-bypass" @@ -83,6 +91,30 @@ generate_fw_rules() { # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+ local zone + local status + local intf + + # Mark packets for all zones that we want to scan + for zone in "${NETWORK_ZONES[@]}"; do + status="ENABLE_IDS_${zone}" + + if [ "${!status}" = "on" ]; then + intf="$(network_get_intf "${zone}")" + + # Skip if we could not determine an interface + if [ -z "${intf}" ]; then + continue + fi + + iptables -w -t mangle -A IPS -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + iptables -w -t mangle -A IPS -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + fi + done + + # Don't keep processing packets we don't want to scan + iptables -w -t mangle -A IPS -m mark ! --mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" -j RETURN + # Never send any whitelisted packets to the IPS if [ -r "/var/ipfire/suricata/ignored" ]; then local id network remark enabled rest
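Review bot: the `if [ -z "${intf}" ]; then continue` branch silently leaves a zone unscanned although ENABLE_IDS_<zone> is "on" (for example when RED_TYPE/RED_DEV are not what network_get_intf expects); log a message there, since otherwise a misconfiguration looks like a working IPS from the web UI. A short comment that `-i` rules match on the PREROUTING pass and `-o` rules on the POSTROUTING pass would also help the next reader.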
I don't know why these hacks are here.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 8a1740528..73b4fb523 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -23,8 +23,6 @@ . ${rc_functions} . /etc/init.d/networking/functions.network
-PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH - eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
@@ -198,5 +196,3 @@ case "$1" in exit 1 ;; esac - -chmod 644 /var/log/suricata/* 2>/dev/null
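Review bot: before dropping `chmod 644 /var/log/suricata/*`, check that the log viewers in the web UI still have read access to the files Suricata creates with its own umask; if they do, mention that in the commit message instead of "I don't know why these hacks are here".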
We no longer need this directly as it is being pulled in from the network functions.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 1 - 1 file changed, 1 deletion(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 73b4fb523..0447b7e8c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -24,7 +24,6 @@ . /etc/init.d/networking/functions.network
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
IPS_REPEAT_MARK="0x80000000" IPS_REPEAT_MASK="0x80000000"
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- doc/language_missings | 8 ++++++++ html/cgi-bin/ids.cgi | 6 +++++- langs/en/cgi-bin/en.pl | 1 + src/initscripts/networking/functions.network | 6 ++++++ src/initscripts/system/suricata | 2 +- 5 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/doc/language_missings b/doc/language_missings index 98856b0e8..94adb28d8 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -103,6 +103,7 @@ < upload fcdsl.o < user management < vpn configuration main +< wg < winbind daemon < wireguard < wlanap 802.11w disabled @@ -156,6 +157,7 @@ < timeformat < transport mode does not support vti < warning +< wg < wireguard < wlanap < wlanap psk @@ -185,6 +187,7 @@ < timeformat < upload fcdsl.o < warning +< wg < wireguard < wlanap psk < wlanap wireless mode @@ -668,6 +671,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -1229,6 +1233,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -2205,6 +2210,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -3218,6 +3224,7 @@ < warning < week-graph < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -3608,6 +3615,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 502e2a125..00cc502f1 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -53,6 +53,9 @@ my %ignored=(); # the list of zones in an array. my @network_zones = &Network::get_available_network_zones();
+# Always show Wireguard +push(@network_zones, "wg"); + # Check if openvpn is started and add it to the array of network zones. if ( -e "/var/run/openvpn.pid") { push(@network_zones, "ovpn"); @@ -69,7 +72,8 @@ my %colourhash = ( 'green' => $Header::colourgreen, 'blue' => $Header::colourblue, 'orange' => $Header::colourorange, - 'ovpn' => $Header::colourovpn + 'ovpn' => $Header::colourovpn, + 'wg' => $Header::colourwg, );
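Review bot: `push(@network_zones, "wg")` is unconditional while "ovpn" is only added when /var/run/openvpn.pid exists; either apply the same "is it configured" check to WireGuard or say in a comment why the zone is always offered. The new `'wg' => $Header::colourwg` entry also assumes that colour is already defined in Header.pm; confirm it is, or the checkbox label renders without a colour.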
&Header::showhttpheaders(); diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index dca9f1645..6a455ab6d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -3020,6 +3020,7 @@ 'week-graph' => 'Week', 'weekly firewallhits' => 'weekly firewallhits', 'weeks' => 'Weeks', +'wg' => 'WireGuard', 'whois results from' => 'WHOIS results from', 'wildcards' => 'Wildcards', 'winbind daemon' => 'Winbind Daemon', diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network index c189c2fbc..02ac6b8fe 100644 --- a/src/initscripts/networking/functions.network +++ b/src/initscripts/networking/functions.network @@ -92,9 +92,15 @@ network_get_intf() { fi ;;
+ WIREGUARD|WG) + echo "wg+" + return 0 + ;; + OPENVPN|OVPN) # OpenVPN is using all tun devices echo "tun+" + return 0 ;; esac
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 0447b7e8c..6990b79ca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -41,7 +41,7 @@ IPS_SCAN_MARK="0x10000000" IPS_SCAN_MASK="0x10000000"
# Supported network zones -NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" ) +NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )
# Optional options for the Netfilter queue. NFQ_OPTS=(
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/ids.cgi | 45 +++++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 19 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 00cc502f1..deebb3ad3 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1017,30 +1017,29 @@ sub show_mainpage() {
# Only show this area, if at least one ruleset provider is configured. if (%used_providers) { + my $num_zones = scalar @network_zones;
print <<END - - <br><br><h2>$Lang::tr{'settings'}</h2> + <br>
<form method='post' action='$ENV{'SCRIPT_NAME'}'> <table width='100%' border='0'> <tr> - <td class='base' colspan='2'> + <td colspan='$num_zones'> <input type='checkbox' name='ENABLE_IDS' $checked{'ENABLE_IDS'}{'on'}> $Lang::tr{'ids enable'} </td> - - </td> </tr>
- <tr> - <td><br><br></td> - <td><br><br></td> - <td><br><br></td> - <td><br><br></td> + <tr> <!-- empty row for spacing --> + <td colspan='$num_zones'> + + </td> </tr>
<tr> - <td colspan='4'><b>$Lang::tr{'ids monitored interfaces'}</b><br></td> + <td colspan='$num_zones'> + <b>$Lang::tr{'ids monitored interfaces'}</b> + </td> </tr>
<tr> @@ -1068,21 +1067,29 @@ END $checked_input = "checked = 'checked'"; }
- print "<td class='base' width='20%'>\n"; - print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n"; - print " $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n"; - print "</td>\n"; + print <<END; + <td> + <label> + <input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input> + $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font> + </label> + </td> +END }
print <<END </tr> - </table>
- <br><br> + <tr> <!-- empty row for spacing --> + <td colspan='$num_zones'> + + </td> + </tr>
- <table width='100%'> <tr> - <td align='right'><input type='submit' name='IDS' value='$Lang::tr{'save'}' /></td> + <td colspan='$num_zones' align='right'> + <input type='submit' name='IDS' value='$Lang::tr{'save'}' /> + </td> </tr> </table> </form>
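Review bot: the two `<!-- empty row for spacing -->` rows with an empty `<td colspan='$num_zones'>` are presentation expressed as table markup; a margin on the enclosing table or a class on the row would do the same without adding cells that screen readers announce. Style point only; the colspan logic based on `scalar @network_zones` matches the one checkbox cell per zone printed in the loop.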
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- doc/language_issues.de | 1 + doc/language_issues.en | 3 ++- doc/language_issues.es | 3 +++ doc/language_issues.fr | 3 +++ doc/language_issues.it | 3 ++- doc/language_issues.nl | 3 ++- doc/language_issues.pl | 3 ++- doc/language_issues.ru | 3 ++- doc/language_issues.tr | 3 ++- doc/language_missings | 14 ++++++++++++++ html/cgi-bin/ids.cgi | 26 ++++++++------------------ langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ 13 files changed, 45 insertions(+), 24 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de index b3d7082df..bd335de41 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -400,6 +400,7 @@ WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids oinkcode required WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ids unsupported provider WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype diff --git a/doc/language_issues.en b/doc/language_issues.en index 3aa4e9bd8..5063749c4 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1070,7 +1070,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. 
@@ -1217,6 +1217,7 @@ WARNING: untranslated string: lan = LAN WARNING: untranslated string: languagepurpose = Select the language you wish IPFire to display in: WARNING: untranslated string: last = Last WARNING: untranslated string: last activity = Last Activity +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: lease expires = Lease expires WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: legend = Legend diff --git a/doc/language_issues.es b/doc/language_issues.es index fbbcd1e74..7e76d5dcf 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -444,6 +444,7 @@ WARNING: translation string unused: ids rules license1 WARNING: translation string unused: ids rules license2 WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -1028,8 +1029,10 @@ WARNING: untranslated string: hostile networks in = From Hostile Networks WARNING: untranslated string: hostile networks out = To Hostile Networks WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 25193da6a..ab6eb0478 100644 
--- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -428,6 +428,7 @@ WARNING: translation string unused: id WARNING: translation string unused: ids automatic rules update WARNING: translation string unused: ids oinkcode required WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -981,6 +982,8 @@ WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) +WARNING: untranslated string: ids rulesets = Rulesets +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.it b/doc/language_issues.it index f00d959d5..ab6c95d68 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1132,7 +1132,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1185,6 +1185,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 9607f98af..7f6c04e23 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -1138,7 +1138,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1193,6 +1193,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 92ad3b7be..d073e30b1 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1276,7 +1276,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1338,6 +1338,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: last = Last +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 35a590b6b..651f5266a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -1271,7 +1271,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1334,6 +1334,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: last = Last +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 3bf595efe..6c22f6d76 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1074,7 +1074,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1122,6 +1122,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address diff --git a/doc/language_missings b/doc/language_missings index 94adb28d8..7e3357df0 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -137,8 +137,10 @@ < hostile networks out < hostile networks total < ids provider eol +< ids rulesets < ids unsupported provider < invalid ip or hostname +< last updated < load average < log drop hostile in < log drop hostile out @@ -177,7 +179,9 @@ < g.lite < hostile networks total < ids provider eol +< ids rulesets < ids unsupported provider +< last updated < load average < oops something went wrong < ovpn roadwarrior server 
@@ -447,6 +451,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -507,6 +512,7 @@ < ipsec routing table entries < ipsec settings < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -988,6 +994,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -1050,6 +1057,7 @@ < ipsec routing table entries < ipsec settings < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -1834,6 +1842,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -1904,6 +1913,7 @@ < ipsec settings < itlb multihit < last +< last updated < least preferred < legacy architecture warning < lifetime @@ -2848,6 +2858,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -2919,6 +2930,7 @@ < ipsec settings < itlb multihit < last +< last updated < least preferred < legacy architecture warning < lifetime @@ -3454,6 +3466,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -3509,6 +3522,7 @@ < ipsec routing table entries < ipsec settings < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index deebb3ad3..737826580 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -1103,16 +1103,15 @@ END # # Used Ruleset Providers section. # - &Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'}); + &Header::openbox('100%', 'center', $Lang::tr{'ids rulesets'});
print <<END; - <table width='100%' border='0'> + <table width='100%' border='0' class='tbl'> <tr> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ids provider'}</b></td> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'date'}</b></td> - <td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'ids autoupdates'}</b></td> - <td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'action'}</b></td> - <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> + <th>$Lang::tr{'ids provider'}</td> + <th>$Lang::tr{'last updated'}</td> + <th align='center'>$Lang::tr{'ids autoupdates'}</td> + <th align='center' colspan='3'>$Lang::tr{'action'}</td> </tr> END my $line = 1; @@ -1133,13 +1132,6 @@ END my $status = $used_providers{$id}[3]; my $unsupported;
- # Check if the item number is even or not. - if ($line % 2) { - $col="bgcolor='$color{'color22'}'"; - } else { - $col="bgcolor='$color{'color20'}'"; - } - # Handle providers which are not longer supported. unless ($IDS::Ruleset::Providers{$provider}{'dl_url'}) { $col = "bgcolor='$Header::colouryellow'"; @@ -1172,8 +1164,8 @@ END
print <<END; <tr> - <td width='33%' class='base' $col>$provider_name $unsupported</td> - <td width='30%' class='base' $col>$rulesetdate</td> + <th scope='row' width='33%' $col>$provider_name $unsupported</th> + <td width='30%' $col align='center'>$rulesetdate</td>
<td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> @@ -1225,8 +1217,6 @@ END # Section to add new elements or edit existing ones. print <<END; <br> - <hr> - <br>
<form method='post' action='$ENV{'SCRIPT_NAME'}'> <div align='right'> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index a718228bc..b06ba6e91 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1413,6 +1413,7 @@ 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...', 'ids ruleset is up to date' => 'Regelset ist aktuell - Keine Aktualisierung notwendig.', 'ids ruleset settings' => 'Regelsatzeinstellungen', +'ids rulesets' => 'Regelsätze', 'ids show' => 'Anzeigen', 'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.', 'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.', @@ -1603,6 +1604,7 @@ 'languagepurpose' => 'Wählen Sie eine Sprache, in der IPFire angezeigt werden soll:', 'last' => 'Letzte', 'last activity' => 'Letzte Aktivität', +'last updated' => 'Zuletzt Aktualisiert', 'lateprompting' => 'Late prompting', 'lease expires' => 'Zuordnung verfällt', 'least preferred' => 'weniger präferiert', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 6a455ab6d..59da23c3a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1466,6 +1466,7 @@ 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...', 'ids ruleset is up to date' => 'No update required - The ruleset is up to date.', 'ids ruleset settings' => 'Ruleset Settings', +'ids rulesets' => 'Rulesets', 'ids show' => 'Show', 'ids subscription code required' => 'The selected ruleset requires a subscription code', 'ids the choosen provider is already in use' => 'The choosen provider is already in use.', 
@@ -1660,6 +1661,7 @@ 'languagepurpose' => 'Select the language you wish IPFire to display in:', 'last' => 'Last', 'last activity' => 'Last Activity', +'last updated' => 'Last Updated', 'lateprompting' => 'Lateprompting', 'lease expires' => 'Lease expires', 'least preferred' => 'least preferred',
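Review bot: in the ids.cgi hunk at @@ -1103 the new header cells open with `<th>` but close with `</td>` (`<th>$Lang::tr{'ids provider'}</td>` and the three cells that follow it), so the table markup is no longer well-formed; close each of them with `</th>`.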
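Review bot: the @@ -1133 hunk removes the per-row even/odd assignment, so `$col` is now only ever set in the unsupported-provider branch (`$col = "bgcolor='$Header::colouryellow'"`), while the row template in the @@ -1172 hunk still interpolates `$col` into every `<th>` and `<td>`. Unless `$col` is declared inside the loop body, the yellow background will carry over to every provider listed after the first unsupported one; reset it at the top of each iteration (`$col = "";`) or move the declaration into the loop.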
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/ids.cgi | 52 ++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 737826580..08db95595 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1241,11 +1241,11 @@ END &Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'});
print <<END; - <table width='100%'> + <table class='tbl'> <tr> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td> - <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> + <th>$Lang::tr{'ip address'}</td> + <th>$Lang::tr{'remark'}</td> + <th colspan='3'></td> </tr> END # Check if some hosts have been added to be ignored. @@ -1262,10 +1262,6 @@ END # Check if the key (id) number is even or not. if ($cgiparams{'ID'} eq $key) { $col="bgcolor='${Header::colouryellow}'"; - } elsif ($key % 2) { - $col="bgcolor='$color{'color22'}'"; - } else { - $col="bgcolor='$color{'color20'}'"; }
# Choose icon for the checkbox. @@ -1283,8 +1279,8 @@ END
print <<END; <tr> - <td width='20%' class='base' $col>$address</td> - <td width='65%' class='base' $col>$remark</td> + <td width='20%' $col>$address</td> + <td width='65%' $col>$remark</td>
<td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> @@ -1323,12 +1319,10 @@ END
# Section to add new elements or edit existing ones. print <<END; - <br> - <hr> - <br> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ID' value='$cgiparams{'ID'}'>
- <div align='center'> - <table width='100%'> + <table class='form'> END
# Assign correct headline and button text. @@ -1339,30 +1333,36 @@ END # Check if an ID (key) has been given, in this case an existing entry should be edited. if ($cgiparams{'ID'} ne '') { $buttontext = $Lang::tr{'update'}; - print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n"; + print "<tr><td colspan='2'><h6>$Lang::tr{'update'}</h6></td></tr>\n";
# Grab address and remark for the given key. $entry_address = $ignored{$cgiparams{'ID'}}[0]; $entry_remark = $ignored{$cgiparams{'ID'}}[1]; } else { $buttontext = $Lang::tr{'add'}; - print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n"; + print "<tr><td colspan='2'><h6>$Lang::tr{'dnsforward add a new entry'}</h6></td></tr>\n"; }
print <<END; - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ID' value='$cgiparams{'ID'}'> <tr> - <td width='30%'>$Lang::tr{'ip address'}: </td> - <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td> + <td>$Lang::tr{'ip address'}</td> + <td> + <input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /> + </td> + </tr> + + <tr> + <td>$Lang::tr{'remark'}</td> + <td> + <input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /> + </td> + </tr>
- <td width='30%'>$Lang::tr{'remark'}: </td> - <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td> - <td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td> + <tr class='action'> + <td colspan='2'><input type='submit' name='WHITELIST' value='$buttontext' /></td> </tr> - </form> </table> - </div> + </form> END
&Header::closebox();
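Review bot: the @@ -1241 hunk has the same tag mismatch as the providers table: `<th>$Lang::tr{'ip address'}</td>`, `<th>$Lang::tr{'remark'}</td>` and `<th colspan='3'></td>` open a `<th>` and close a `<td>`; use `</th>` for all three.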
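Review bot: the @@ -1262 hunk drops the `elsif`/`else` branches but keeps `$col="bgcolor='${Header::colouryellow}'"` for the matching ID, and `my $col = "";` is declared once before the loop (visible as context at line 1253 in the follow-up sort patch). Once the selected entry has been rendered, `$col` stays yellow for every later row. Either add an `else { $col = ""; }` branch or declare `$col` inside the loop.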
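Review bot: the rewritten remark input in the @@ -1339 hunk carries the unquoted attribute over from the old line (`<input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' />`); since the line is being replaced anyway, quote it as `name='IGNORE_ENTRY_REMARK'` to match the address input directly above it.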
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 08db95595..b18f239e6 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1253,7 +1253,7 @@ END my $col = "";
# Loop through all entries of the hash. - while( (my $key) = each %ignored) { + foreach my $key (sort { $ignored{$a}[0] <=> $ignored{$b}[0] } keys %ignored) { # Assign data array positions to some nice variable names. my $address = $ignored{$key}[0]; my $remark = $ignored{$key}[1];
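Review bot: the new comparator `sort { $ignored{$a}[0] <=> $ignored{$b}[0] }` applies numeric comparison to `$ignored{$key}[0]`, which holds the IP address string shown in the `ip address` column. Perl stops converting at the first non-numeric character, so `10.0.0.1` and `10.200.0.1` compare equal (both become 10) and `use warnings` reports "isn't numeric" for every entry. Use `cmp` for plain lexical order, or compare `unpack('N', inet_aton($ignored{$a}[0]))` values for true address order.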
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index b18f239e6..db05df98a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1007,7 +1007,7 @@ sub show_mainpage() { $checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'";
# Draw current state of the IDS - &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); + &Header::opensection();
&Header::ServiceStatus({ $Lang::tr{'intrusion prevention system'} => { @@ -1098,7 +1098,7 @@ END
}
- &Header::closebox(); + &Header::closesection();
# # Used Ruleset Providers section.
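Review bot: this patch has no commit message body, and the change is not self-explanatory: `&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'})` becomes `&Header::opensection()`, so the service-status block loses its heading. Add a one-line rationale (and confirm that dropping the title is intended, since the next box is now titled with `$Lang::tr{'ids rulesets'}` only).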
We don't seem to have a PID file any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index db05df98a..34e6bf233 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1011,7 +1011,7 @@ sub show_mainpage() {
&Header::ServiceStatus({ $Lang::tr{'intrusion prevention system'} => { - "pidfile" => "/var/run/suricata.pid", + "process" => "Suricata-Main", }, });
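Review bot: `"process" => "Suricata-Main"` is the name Suricata's main thread assigns to itself, not the name of the executable; confirm that the `process` key of `&Header::ServiceStatus` matches on the thread/comm name rather than on the binary name, otherwise the status will always be reported as stopped. The commit message should also say where the PID file went (the hunk only states that it "seems" to be gone).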
This is because we might still land in the scenario where Suricata crashes and NFQUEUE will simply ACCEPT all packets which will terminate the processing of the mangle table.
Therefore the NFQUEUE rule should be the last one so that we never skip any of the other processing.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 5d37cffd7..7dbbe38cb 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -221,13 +221,6 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK
- # IPS (Suricata) chains - iptables -t mangle -N IPS - - for chain in PREROUTING POSTROUTING; do - iptables -t mangle -A "${chain}" -j IPS - done - # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT @@ -382,6 +375,13 @@ iptables_init() { -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" fi
+ # IPS (Suricata) chains + iptables -t mangle -N IPS + + for chain in PREROUTING POSTROUTING; do + iptables -t mangle -A "${chain}" -j IPS + done + # RED chain, used for the red interface iptables -N REDINPUT iptables -A INPUT -j REDINPUT
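Review bot: the commit message requires the NFQUEUE jump to be the last rule in the mangle table, but nothing in the hunk enforces or documents that; the block is simply inserted ahead of the `# RED chain` section, and any `-t mangle` rule appended further down in `iptables_init()` (not visible in this hunk) would again run after `-j IPS`. Add a comment to the moved block stating that the IPS jump must remain the final rule in mangle PREROUTING/POSTROUTING and that new mangle rules must be inserted above it, so the ordering this fix depends on survives future edits.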
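The ordering requirement stated in the commit message above (the jump to the IPS chain, and with it the NFQUEUE rule, must be the last thing the mangle hook chains do) can be verified on a running firewall. The following is an added example, not code from the patch series or from the IPFire firewall script: it parses a dump in `iptables-save -t mangle` format and reports whether `-j IPS` is the final rule of the mangle PREROUTING and POSTROUTING chains. The two dumps embedded below are constructed sample data; the queue options and the CONNMARK rule in them are assumed for illustration only.

```shell
#!/bin/sh
# Added example (not part of the patch series): check that the jump to the
# IPS chain is the last rule in the mangle PREROUTING and POSTROUTING chains.
# Constructed sample dumps in `iptables-save -t mangle` format. On a real
# system you would feed the output of `iptables-save -t mangle` instead.
SAMPLE_OK='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:IPS - [0:0]
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -j IPS
-A POSTROUTING -j IPS
-A IPS -j NFQUEUE --queue-balance 0:3 --queue-bypass
COMMIT'

# Same ruleset, but a mangle rule was appended after the IPS jump in
# PREROUTING: exactly the ordering the commit message wants to avoid.
SAMPLE_BAD='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:IPS - [0:0]
-A PREROUTING -j IPS
-A PREROUTING -j CONNMARK --restore-mark
-A POSTROUTING -j IPS
-A IPS -j NFQUEUE --queue-balance 0:3 --queue-bypass
COMMIT'

# ips_jump_is_last DUMP CHAIN
# Returns 0 when the final "-A CHAIN ..." rule in DUMP jumps to IPS,
# 1 otherwise (including when the chain has no IPS jump at all).
ips_jump_is_last() {
    dump="$1"
    chain="$2"
    # Only rules appended to this exact chain; the trailing space keeps
    # "-A PREROUTING" from matching a chain with a longer name.
    last=$(printf '%s\n' "$dump" | grep "^-A $chain " | tail -n 1)
    case "$last" in
        *"-j IPS") return 0 ;;
        *)         return 1 ;;
    esac
}

# check_mangle_dump DUMP
# Verifies both hook chains the firewall script attaches IPS to and returns
# the number of chains that violate the ordering (0 means all good).
check_mangle_dump() {
    failures=0
    for chain in PREROUTING POSTROUTING; do
        if ! ips_jump_is_last "$1" "$chain"; then
            echo "WARNING: -j IPS is not the last rule in mangle $chain" >&2
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Stand-alone demonstration on the constructed dumps.
if check_mangle_dump "$SAMPLE_OK"; then
    echo "sample OK: IPS jump is the last mangle rule in both chains"
fi
if ! check_mangle_dump "$SAMPLE_BAD" 2>/dev/null; then
    echo "sample BAD: a mangle rule follows the IPS jump in PREROUTING"
fi
```

On a live system the check is `iptables-save -t mangle | { check_mangle_dump "$(cat)"; }`, which makes a convenient post-deployment assertion that later firewall changes have not pushed rules behind the NFQUEUE jump.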