This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via fabe150953b5cacf1a1879c7d92bd47bb06a2869 (commit)
  via a1cd844f71649aea07346a590df1eedf3d253f1c (commit)
  via 25d424387e5897515ab78da902bf18d50701326a (commit)
  via 6088176639c8f11012e55ae2430a113d6936652e (commit)
  via 372975ed0c9f1a32d673d6f34217af530375354f (commit)
  via 50612920913946b77505459af671d572332a5137 (commit)
  from f27bac491a8012b8dc014dfcf1bc5e11248692c2 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit fabe150953b5cacf1a1879c7d92bd47bb06a2869
Author: Michael Tremer michael.tremer@ipfire.org
Date: Tue Apr 23 20:56:07 2019 +0100
core132: Ship updated suricata initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a1cd844f71649aea07346a590df1eedf3d253f1c
Author: Michael Tremer michael.tremer@ipfire.org
Date: Tue Apr 23 20:55:22 2019 +0100
core132: Ship updated convert-snort script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 25d424387e5897515ab78da902bf18d50701326a
Author: Stefan Schantl stefan.schantl@ipfire.org
Date: Tue Apr 23 20:33:02 2019 +0200
convert-snort: Fix ownership of the generated homenet file.
Fixes #12059.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6088176639c8f11012e55ae2430a113d6936652e
Author: Alexander Koch ipfire@starkstromkonsument.de
Date: Tue Apr 23 20:46:11 2019 +0200
core132: Bugfix for typo in filelist
Signed-off-by: Alexander Koch ipfire@starkstromkonsument.de
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 372975ed0c9f1a32d673d6f34217af530375354f
Author: Stefan Schantl stefan.schantl@ipfire.org
Date: Tue Apr 23 21:27:53 2019 +0200
suricata: Use device ppp0 if PPPoE dialin is used.
Fixes #12058.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50612920913946b77505459af671d572332a5137
Author: Michael Tremer michael.tremer@ipfire.org
Date: Tue Apr 23 20:45:42 2019 +0100
suricata: EXTERNAL_NET should equal any
This enables that we scan servers in ORANGE for clients in GREEN which absolutely makes sense.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/132/filelists/files |  4 +++-
 config/suricata/convert-snort             |  3 +++
 config/suricata/suricata.yaml             |  3 +--
 src/initscripts/system/suricata           | 16 +++++++++++++---
 4 files changed, 20 insertions(+), 6 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files index 402ced7ca..346b79c91 100644 --- a/config/rootfiles/core/132/filelists/files +++ b/config/rootfiles/core/132/filelists/files @@ -1,8 +1,10 @@ etc/system-release etc/issue etc/mime.types +etc/rc.d/init.d/suricata etc/suricata/suricata.yaml srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/proxy.cgi +usr/sbin/convert-snort var/ipfire/ids-functions.pl -var/ipfire/lang +var/ipfire/langs diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 0ad2942b1..83931fa5b 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -259,6 +259,9 @@ if (-f $IDS::rulestarball) { # Call subfunction to generate the file. &IDS::generate_home_net_file();
+# Set correct ownership for the homenet file. +&IDS::set_ownership("$IDS::homenet_file"); + # ## Step 9: Setup automatic ruleset updates. # diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index cb4f33865..e921781cf 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -11,8 +11,7 @@ vars: # Include HOME_NET declaration from external file. include: /var/ipfire/suricata/suricata-homenet.yaml
- EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" + EXTERNAL_NET: "any"
HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 16548753e..ecd693054 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -18,6 +18,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
# Name of the firewall chain. FW_CHAIN="IPS" @@ -65,9 +66,18 @@ function generate_fw_rules {
# Check if the IDS is enabled for this network zone. if [ "${!enable_ids_zone}" == "on" ]; then - # Generate name of the network interface. - network_device=$zone - network_device+="0" + # Check if the current processed zone is "red" and the configured type is PPPoE dialin. + if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then + # Set device name to ppp0. + network_device="ppp0" + else + # Generate variable name which contains the device name. + zone_name="$zone_upper" + zone_name+="_DEV" + + # Grab device name. + network_device=${!zone_name} + fi
# Assign NFQ_OPTS NFQ_OPTIONS=$NFQ_OPTS
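Review bot: In config/suricata/convert-snort, the new `&IDS::set_ownership("$IDS::homenet_file");` call has no outcome check at the call site, so if the ownership change fails the converter proceeds to step 9 and the homenet file keeps the owner it was created with, which is the condition this commit sets out to fix. Consider checking the result and logging a failure before continuing. The double quotes around `$IDS::homenet_file` are also unnecessary; pass the scalar directly.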
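Review bot: In config/suricata/suricata.yaml, the switch to `EXTERNAL_NET: "any"` carries no comment, and the previous `"!$HOME_NET"` value is deleted rather than documented. With `any`, every rule that uses `$EXTERNAL_NET` as source or destination also matches traffic between hosts inside `$HOME_NET`, so internal flows will now produce matches, and since the initscript hands packets to Suricata from the `IPS` firewall chain via NFQUEUE, a false positive on a drop rule can affect zone-to-zone traffic and not only traffic crossing RED. Add a YAML comment stating the intent given in the commit message (servers in ORANGE are scanned for clients in GREEN) so the value is not reverted to `"!$HOME_NET"` later by someone tuning false positives.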
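Review bot: In the first hunk of src/initscripts/system/suricata, the added `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` leaves the command substitution unquoted, so the output is word-split and glob-expanded before `eval` sees it; write it as `eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"`. The line also imports every key of the ethernet settings into the script's namespace after the suricata settings have been loaded, so a key present in both files is silently overwritten by the ethernet value. Only `RED_TYPE` and the `*_DEV` names are used by this change, so a short comment saying which keys are expected from this file would help.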
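Review bot: In the generate_fw_rules hunk of src/initscripts/system/suricata, `network_device=${!zone_name}` is used without checking that the indirect lookup resolved to anything: if the zone's `_DEV` key is missing or empty in the ethernet settings while its IDS switch is "on", the script carries on to the NFQ setup with an empty interface name. Add a guard such as `[ -n "$network_device" ]` and skip the zone with a log message when it fails. `zone_upper` is not defined in the visible lines, so confirm it is set earlier in the function, and the hard-coded `ppp0` deserves a comment explaining why the configured RED device is not used when `RED_TYPE` is `PPPOE`.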
hooks/post-receive -- IPFire 2.x development tree