This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 93899a216f7f03b8e1d5092fdd20afd07b0bedae (commit)
via 156311fbcd67f00002fe658e1ee4b20154bf014a (commit)
from 06dbe99dbb1c37de8fc94b6f2dc6e53ef1d7d022 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 93899a216f7f03b8e1d5092fdd20afd07b0bedae
Author: Arne Fitzenreiter <arne_f(a)git.ipfire.org>
Date: Tue Jul 29 21:57:07 2014 +0200
firewall: add more pscan matches and filter INVALID conntrack packages.
commit 156311fbcd67f00002fe658e1ee4b20154bf014a
Author: Erik Kapfer <erik.kapfer(a)ipfire.org>
Date: Thu Jul 31 08:43:24 2014 +0200
OpenVPN: Added a check for empty 'CERT_NAME' field.
Fixes: #10581
-----------------------------------------------------------------------
Summary of changes:
html/cgi-bin/ovpnmain.cgi | 4 +---
src/initscripts/init.d/firewall | 15 ++++++++++-----
2 files changed, 11 insertions(+), 8 deletions(-)
Difference in files:
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 927616a..14308e5 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -3968,10 +3968,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
$errormessage = $Lang::tr{'name too long'};
goto VPNCONF_ERROR;
}
- if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
$errormessage = $Lang::tr{'invalid input for name'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 97186c3..23d0c23 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -64,16 +64,20 @@ iptables_init() {
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
@@ -83,6 +87,7 @@ iptables_init() {
# Connection tracking chain
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
hooks/post-receive
--
IPFire 2.x development tree