This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core131 has been updated
       via  9cf253e150078852877f5ee530aeb3408fa4216b (commit)
       via  5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit)
       via  686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit)
       via  31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit)
       via  1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit)
      from  d4f315677777e4b819d82eadd14af6f4d20137e5 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 9cf253e150078852877f5ee530aeb3408fa4216b
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Thu Apr 25 19:31:48 2019 +0200
initscripts/suricata: Rework creation of firewall rules.
The script now will use the previously introduced separate firewall chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.
The commit also creates an AND connection between the chosen network zones in the UI and the final firewall rules.
Fixes #12062.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 5e3067cb52bdb613a193c2c0280e07d10c30f6de
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Thu Apr 25 19:31:47 2019 +0200
initscripts/suricata: Move functions order and always use flush_fw_chain function
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 686c4b9f25d2c2edfc4fe851f84a78e04eaee330
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Thu Apr 25 19:31:46 2019 +0200
firewall: Use separate firewall chains for passing traffic to the IPS
Create and use separate iptables chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible about which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 31568a19824a5e0621cf6cb9297d2800e3b3f59e
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Fri Apr 26 07:43:21 2019 +0200
hostapd: bump package version
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 1f35114d7bc9e2941b15cb93bebc46f66a525e9f
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Wed Apr 24 11:24:33 2019 +0100
hostap: Fix wiring of checkboxes for client isolation
The checkboxes were swapped, which led to client isolation being enabled when the UI said disabled and vice versa.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 html/cgi-bin/wlanap.cgi         |  2 +-
 lfs/hostapd                     |  2 +-
 src/initscripts/system/firewall | 10 +++--
 src/initscripts/system/suricata | 82 ++++++++++++++++++++++++++---------------
 4 files changed, 60 insertions(+), 36 deletions(-)
Difference in files: diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 44b0b4053..abee0c3cb 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -382,7 +382,7 @@ print <<END <tr><td width='25%' class='base'>SSID: </td><td class='base' colspan='3'><input type='text' name='SSID' size='30' value='$wlanapsettings{'SSID'}' /></td></tr> <!--SSID Broadcast: on => HIDESSID: off --> <tr><td width='25%' class='base'>SSID Broadcast: </td><td class='base' colspan='3'>on <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> off</td></tr> -<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> | <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> off</td></tr> +<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> off</td></tr>
<tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'> diff --git a/lfs/hostapd b/lfs/hostapd index 64ff28e4b..c2830b88a 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 45 +PAK_VER = 46
DEPS = ""
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index be6c9169f..da89857d8 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -186,10 +186,12 @@ iptables_init() { iptables -A FORWARD -j GUARDIAN
# IPS (suricata) chains - iptables -N IPS - iptables -A INPUT -j IPS - iptables -A FORWARD -j IPS - iptables -A OUTPUT -j IPS + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT
# Block non-established IPsec networks iptables -N IPSECBLOCK diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index ecd693054..c9f131fca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -6,7 +6,7 @@ # # Author : Stefan Schantl stefan.schantl@ipfire.org # -# Version : 01.00 +# Version : 01.01 # # Notes : # @@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-# Name of the firewall chain. -FW_CHAIN="IPS" +# Name of the firewall chains. +IPS_INPUT_CHAIN="IPS_INPUT" +IPS_FORWARD_CHAIN="IPS_FORWARD" +IPS_OUTPUT_CHAIN="IPS_OUTPUT"
# Optional options for the Netfilter queue. NFQ_OPTS="--queue-bypass " @@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass " # Array containing the 4 possible network zones. network_zones=( red green blue orange )
+# Array to store the network zones weather the IPS is enabled for. +enabled_ips_zones=() + # Mark and Mask options. MARK="0x70000000" MASK="0x70000000" @@ -48,13 +53,18 @@ function get_cpu_count { echo $CPUCOUNT }
+# Function to flush the firewall chains. +function flush_fw_chain { + # Call iptables and flush the chains + iptables -F "$IPS_INPUT_CHAIN" + iptables -F "$IPS_FORWARD_CHAIN" + iptables -F "$IPS_OUTPUT_CHAIN" +} + # Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { cpu_count=$(get_cpu_count)
- # Flush the firewall chain. - iptables -F "$FW_CHAIN" - # Loop through the array of network zones. for zone in "${network_zones[@]}"; do # Convert zone into upper case. @@ -79,34 +89,46 @@ function generate_fw_rules { network_device=${!zone_name} fi
- # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS - - # Check if there are multiple cpu cores available. - if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" - else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" - fi - - # Create firewall rules to queue the traffic and pass to - # the IDS. - iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + # Add the network device to the array of enabled zones. + enabled_ips_zones+=( "$network_device" ) fi done
- # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" -} + # Assign NFQ_OPTS + NFQ_OPTIONS=$NFQ_OPTS + + # Check if there are multiple cpu cores available. + if [ "$cpu_count" -gt "1" ]; then + # Balance beetween all queues. + NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" + NFQ_OPTIONS+=" --queue-cpu-fanout" + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Flush the firewall chains. + flush_fw_chain + + # Check if the array of enabled_ips_zones contains any elements. + if [[ ${enabled_ips_zones[@]} ]]; then + # Loop through the array and create firewall rules. + for enabled_ips_zone in "${enabled_ips_zones[@]}"; do + # Create rules queue input and output related traffic and pass it to the IPS. + iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + + # Create rules which are required to handle forwarded traffic. + for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + done + done
-# Function to flush the firewall chain. -function flush_fw_chain { - # Call iptables and flush the chain - iptables -F "$FW_CHAIN" + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + fi }
case "$1" in
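Review bot: in the wlanap.cgi hunk the Client Isolation row now pairs the "on" label with value='on' and the "off" label with value='off', which is the correct wiring; the row directly above it (SSID Broadcast) is deliberately inverted because its field is HIDESSID, and it carries the comment `<!--SSID Broadcast: on => HIDESSID: off -->` to say so. The swapped row looks like a copy of that inverted pattern without the inverted semantics, so a one-line comment on the CLIENTISOLATION row (e.g. `<!-- Client Isolation: on => CLIENTISOLATION: on -->`) would make the intended mapping explicit and keep the next edit from re-introducing the swap.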
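Review bot: in the suricata hunk at @@ -29,6 +31,9 @@ the new comment has a typo, "weather" should be "whether"; it would read more clearly as "# Array of network zones for which the IPS is enabled." Note also that this array is declared at script scope and is only ever appended to (`enabled_ips_zones+=( ... )` further down), so its lifetime is the whole script run rather than one call of generate_fw_rules; see the comment on that hunk.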
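Review bot: in the suricata hunk at @@ -48,13 +53,18 @@ the moved helper now flushes three chains but keeps the singular name flush_fw_chain; flush_fw_chains (and the matching call site) would match the updated comment "Function to flush the firewall chains." Moving the definition above generate_fw_rules is fine as a readability change but is not needed for correctness in bash, since the call happens inside the function body and is resolved at run time.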
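Review bot: in the suricata hunk at @@ -79,34 +89,46 @@ enabled_ips_zones is never reset inside generate_fw_rules, only appended to with `enabled_ips_zones+=( "$network_device" )`; if the function is invoked a second time within the same shell (a reload path, for instance) every device appears twice, and the nested forward loop then inserts four rules per device pair. Resetting the array at the top of the function, right after `cpu_count=$(get_cpu_count)`, avoids that. Two smaller points on the same hunk: `if [[ ${enabled_ips_zones[@]} ]]` relies on an unquoted array expansion to test for non-emptiness, and `if [ "${#enabled_ips_zones[@]}" -gt 0 ]` states that intent directly; and the script itself does not document the AND semantics that the commit message describes (forwarded traffic is queued only when both the ingress and egress device are enabled zones, which also yields `-i X -o X` rules for each device), so a comment above the inner `for enabled_ips_zone_forward` loop would help the next reader. The moved-but-unchanged comment still reads "Balance beetween" (between).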
hooks/post-receive -- IPFire 2.x development tree