This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  9cf253e150078852877f5ee530aeb3408fa4216b (commit)
       via  5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit)
       via  686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit)
       via  31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit)
       via  1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit)
       via  d4f315677777e4b819d82eadd14af6f4d20137e5 (commit)
       via  e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 (commit)
       via  a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d (commit)
       via  56f6d107ff152748a0330a99ab39ad66880ff64b (commit)
       via  7b0c8a80af716cb8ce1abfe990b149eb60ef0498 (commit)
      from  c33a6e7103b191efbff2590976e36bb4cfde47e7 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 9cf253e150078852877f5ee530aeb3408fa4216b
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Thu Apr 25 19:31:48 2019 +0200
initscripts/suricata: Rework creation of firewall rules.
The script now will use the previously introduced separate firewall chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.
The commit also creates an AND connection between the chosen network zones in the UI and the final firewall rules.
Fixes #12062.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 5e3067cb52bdb613a193c2c0280e07d10c30f6de
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Thu Apr 25 19:31:47 2019 +0200
initscripts/suricata: Move functions order and always use flush_fw_chain function
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 686c4b9f25d2c2edfc4fe851f84a78e04eaee330
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Thu Apr 25 19:31:46 2019 +0200
firewall: Use separate firewall chains for passing traffic to the IPS
Create and use separate iptables chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible about which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 31568a19824a5e0621cf6cb9297d2800e3b3f59e
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Fri Apr 26 07:43:21 2019 +0200
hostapd: bump package version
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 1f35114d7bc9e2941b15cb93bebc46f66a525e9f
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Apr 24 11:24:33 2019 +0100
hostap: Fix wiring of checkboxes for client isolation
The checkboxes were swapped, which led to client isolation being enabled when the UI said disabled and vice versa.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d4f315677777e4b819d82eadd14af6f4d20137e5
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Apr 23 20:33:02 2019 +0200
convert-snort: Fix ownership of the generated homenet file.
Fixes #12059.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Apr 23 21:27:53 2019 +0200
suricata: Use device ppp0 if PPPoE dialin is used.
Fixes #12058.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Apr 23 20:45:42 2019 +0100
suricata: EXTERNAL_NET should equal any
This enables us to scan servers in ORANGE for clients in GREEN, which absolutely makes sense.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 56f6d107ff152748a0330a99ab39ad66880ff64b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Apr 21 01:32:07 2019 +0100
suricata: Do not always convert rules to be bi-directional
This creates some overhead that we do not need and rules need to be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7b0c8a80af716cb8ce1abfe990b149eb60ef0498
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Tue Apr 23 19:21:30 2019 +0200
core131: add services.cgi to update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/cfgroot/ids-functions.pl           |  3 -
 config/rootfiles/core/131/filelists/files |  1 +
 config/suricata/convert-snort             |  3 +
 config/suricata/suricata.yaml             |  3 +-
 html/cgi-bin/wlanap.cgi                   |  2 +-
 lfs/hostapd                               |  2 +-
 src/initscripts/system/firewall           | 10 ++--
 src/initscripts/system/suricata           | 94 +++++++++++++++++++++----------
 8 files changed, 76 insertions(+), 42 deletions(-)
Difference in files: diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 5496df1a9..deb287bb7 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -742,9 +742,6 @@ sub write_modify_sids_file($) { # Write file header. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
- # Tune rules to monitor in both directions. - print FILE "modifysid * "->" | "<>"\n"; - # Check if the traffic only should be monitored. unless($ruleaction eq "alert") { # Tell oinkmaster to switch all rules from alert to drop. diff --git a/config/rootfiles/core/131/filelists/files b/config/rootfiles/core/131/filelists/files index 810c67b1e..aa842b73c 100644 --- a/config/rootfiles/core/131/filelists/files +++ b/config/rootfiles/core/131/filelists/files @@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/ids.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/remote.cgi +srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/ipsec-interfaces usr/local/bin/sshctrl diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 0ad2942b1..83931fa5b 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -259,6 +259,9 @@ if (-f $IDS::rulestarball) { # Call subfunction to generate the file. &IDS::generate_home_net_file();
+# Set correct ownership for the homenet file. +&IDS::set_ownership("$IDS::homenet_file"); + # ## Step 9: Setup automatic ruleset updates. # diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index e7e27c731..7252e10b9 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -11,8 +11,7 @@ vars: # Include HOME_NET declaration from external file. include: /var/ipfire/suricata/suricata-homenet.yaml
- EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" + EXTERNAL_NET: "any"
HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 44b0b4053..abee0c3cb 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -382,7 +382,7 @@ print <<END <tr><td width='25%' class='base'>SSID: </td><td class='base' colspan='3'><input type='text' name='SSID' size='30' value='$wlanapsettings{'SSID'}' /></td></tr> <!--SSID Broadcast: on => HIDESSID: off --> <tr><td width='25%' class='base'>SSID Broadcast: </td><td class='base' colspan='3'>on <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> off</td></tr> -<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> | <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> off</td></tr> +<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> off</td></tr>
<tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'> diff --git a/lfs/hostapd b/lfs/hostapd index 64ff28e4b..c2830b88a 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 45 +PAK_VER = 46
DEPS = ""
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index be6c9169f..da89857d8 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -186,10 +186,12 @@ iptables_init() { iptables -A FORWARD -j GUARDIAN
# IPS (suricata) chains - iptables -N IPS - iptables -A INPUT -j IPS - iptables -A FORWARD -j IPS - iptables -A OUTPUT -j IPS + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT
# Block non-established IPsec networks iptables -N IPSECBLOCK diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 16548753e..c9f131fca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -6,7 +6,7 @@ # # Author : Stefan Schantl stefan.schantl@ipfire.org # -# Version : 01.00 +# Version : 01.01 # # Notes : # @@ -18,9 +18,12 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-# Name of the firewall chain. -FW_CHAIN="IPS" +# Name of the firewall chains. +IPS_INPUT_CHAIN="IPS_INPUT" +IPS_FORWARD_CHAIN="IPS_FORWARD" +IPS_OUTPUT_CHAIN="IPS_OUTPUT"
# Optional options for the Netfilter queue. NFQ_OPTS="--queue-bypass " @@ -28,6 +31,9 @@ NFQ_OPTS="--queue-bypass " # Array containing the 4 possible network zones. network_zones=( red green blue orange )
+# Array to store the network zones weather the IPS is enabled for. +enabled_ips_zones=() + # Mark and Mask options. MARK="0x70000000" MASK="0x70000000" @@ -47,13 +53,18 @@ function get_cpu_count { echo $CPUCOUNT }
+# Function to flush the firewall chains. +function flush_fw_chain { + # Call iptables and flush the chains + iptables -F "$IPS_INPUT_CHAIN" + iptables -F "$IPS_FORWARD_CHAIN" + iptables -F "$IPS_OUTPUT_CHAIN" +} + # Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { cpu_count=$(get_cpu_count)
- # Flush the firewall chain. - iptables -F "$FW_CHAIN" - # Loop through the array of network zones. for zone in "${network_zones[@]}"; do # Convert zone into upper case. @@ -65,38 +76,59 @@ function generate_fw_rules {
# Check if the IDS is enabled for this network zone. if [ "${!enable_ids_zone}" == "on" ]; then - # Generate name of the network interface. - network_device=$zone - network_device+="0" - - # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS - - # Check if there are multiple cpu cores available. - if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" + # Check if the current processed zone is "red" and the configured type is PPPoE dialin. + if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then + # Set device name to ppp0. + network_device="ppp0" else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" + # Generate variable name which contains the device name. + zone_name="$zone_upper" + zone_name+="_DEV" + + # Grab device name. + network_device=${!zone_name} fi
- # Create firewall rules to queue the traffic and pass to - # the IDS. - iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + # Add the network device to the array of enabled zones. + enabled_ips_zones+=( "$network_device" ) fi done
- # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" -} + # Assign NFQ_OPTS + NFQ_OPTIONS=$NFQ_OPTS + + # Check if there are multiple cpu cores available. + if [ "$cpu_count" -gt "1" ]; then + # Balance beetween all queues. + NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" + NFQ_OPTIONS+=" --queue-cpu-fanout" + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Flush the firewall chains. + flush_fw_chain + + # Check if the array of enabled_ips_zones contains any elements. + if [[ ${enabled_ips_zones[@]} ]]; then + # Loop through the array and create firewall rules. + for enabled_ips_zone in "${enabled_ips_zones[@]}"; do + # Create rules queue input and output related traffic and pass it to the IPS. + iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + + # Create rules which are required to handle forwarded traffic. + for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + done + done
-# Function to flush the firewall chain. -function flush_fw_chain { - # Call iptables and flush the chain - iptables -F "$FW_CHAIN" + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + fi }
case "$1" in
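Review bot: in config/cfgroot/ids-functions.pl (hunk @@ -742,9 +742,6 @@), dropping the `print FILE "modifysid * "->" | "<>"\n";` line is a behaviour change for every existing installation: any rule whose author wrote a one-way `->` operator will from now on match only that direction, and flows that were previously caught by the implicit reverse match will stop alerting until the rule is rewritten, as the commit message itself says. Please record that in the release note for core 131 and leave a short comment next to the remaining `unless($ruleaction eq "alert")` block saying that direction is no longer rewritten here, so nobody re-adds the modifysid line under the impression it was lost by accident.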
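Review bot: in config/suricata/convert-snort (hunk @@ -259,6 +259,9 @@), the new call `&IDS::set_ownership("$IDS::homenet_file");` discards its return value, so a failed ownership change on the homenet file would go unnoticed and the script would carry on into step 9 with the file still owned by the wrong user, which is exactly the condition #12059 is about. Check the result (or let set_ownership die on failure) before continuing. Minor: the double quotes around a bare scalar add nothing, `&IDS::set_ownership($IDS::homenet_file);` is sufficient.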
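Review bot: in config/suricata/suricata.yaml (hunk @@ -11,8 +11,7 @@), with `EXTERNAL_NET: "any"` a rule written as `$EXTERNAL_NET -> $HOME_NET` now also matches traffic whose source is inside HOME_NET; that covers the intended ORANGE-to-GREEN case but equally any flow between two HOME_NET hosts that traverses the firewall, so rules that assumed the two address groups are disjoint will produce more matches. Rather than deleting the `#EXTERNAL_NET: "any"` comment outright, keep a commented `#EXTERNAL_NET: "!$HOME_NET"` beside the new value so the previous default stays visible to anyone tuning the vars block later.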
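Review bot: in html/cgi-bin/wlanap.cgi (hunk @@ -382,7 +382,7 @@), the swapped `value='off'`/`value='on'` pair in the Client Isolation row is the real defect and the replacement line fixes it. The row directly above, however, deliberately keeps the inverted order (the `HIDESSID` radio with `value='off'` sits next to the "on" label because hiding the SSID is the opposite of broadcasting it) and only the `<!--SSID Broadcast: on => HIDESSID: off -->` comment explains that. Add an equivalent comment to the `CLIENTISOLATION` row stating that its values are not inverted, so the next person who copies the HIDESSID pattern does not reintroduce this swap.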
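Review bot: in src/initscripts/system/suricata (hunk @@ -28,6 +31,9 @@), the new comment `# Array to store the network zones weather the IPS is enabled for.` has a typo: "weather" should be "whether". Also, judging by what is pushed into it further down (`ppp0` or `${!zone_name}`), the array holds network device names, not zone names, so "the network devices for which the IPS is enabled" would describe `enabled_ips_zones` more accurately.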
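Review bot: in src/initscripts/system/suricata (hunk @@ -65,38 +76,59 @@), `network_device=${!zone_name}` is appended to `enabled_ips_zones` without checking that it is non-empty. If a zone is switched on in the IPS settings but has no matching `<ZONE>_DEV` entry in /var/ipfire/ethernet/settings, the later `iptables -I "$IPS_INPUT_CHAIN" -i "" ...` and `-o ""` calls fail, and because `-I` has already inserted rules for the zones processed before it, the chains are left half-populated with no error surfaced to the caller. Add `[ -n "$network_device" ] || continue` (ideally with a logger line) before `enabled_ips_zones+=( "$network_device" )`. Minor: `if [[ ${enabled_ips_zones[@]} ]]` only works because the unquoted expansion collapses to a single string; `if [ "${#enabled_ips_zones[@]}" -gt 0 ]` states the intent directly.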
hooks/post-receive -- IPFire 2.x development tree