This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  36d44213e93fadcd3fac982f14bacc61f4ce977d (commit)
       via  a211fee393fc05119710f9db83511085786010f1 (commit)
       via  cdb725da872d076f3731537bfd2f4a435f01feb1 (commit)
       via  1108a15cc6d6da291fa6039ae92b3922dd8a2577 (commit)
       via  7d7740a46769d6a45668182cebb86275960f212a (commit)
       via  e7c5b9dabb9dbd724b04b01a627573727c6d23f2 (commit)
       via  4bc91affe00eb06142c914ac9f1686f2473cf471 (commit)
       via  159c55c5c89938ade27c0fcabc21e40da0e1a122 (commit)
       via  c581b670ef383fe566075abe0a7df300b7da537c (commit)
       via  f3511161525d125621467ee2cc7b1319fc07cb83 (commit)
       via  501e7b8654263f6758e273162f09183661d40303 (commit)
       via  da9e4e8ed90aae3fc6100bd21cd49804fca6c9bf (commit)
       via  f4e869ffb42c717167478fc75b993f9903298e15 (commit)
      from  125b6fcd66a2eb42ae773f66811c89959c7a2b77 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 36d44213e93fadcd3fac982f14bacc61f4ce977d
Merge: a211fee 125b6fc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 13:50:01 2014 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit a211fee393fc05119710f9db83511085786010f1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 13:04:18 2014 +0100
firewall: Use --wait for all iptables commands.
commit cdb725da872d076f3731537bfd2f4a435f01feb1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:54:08 2014 +0100
firewall: Load conntrack modules in firewall script.
commit 1108a15cc6d6da291fa6039ae92b3922dd8a2577
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:52:28 2014 +0100
Move enabling nf_conntrack_acct where it should be.
commit 7d7740a46769d6a45668182cebb86275960f212a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:48:11 2014 +0100
firewall: Initialize basic ruleset before entering runlevel 3.
commit e7c5b9dabb9dbd724b04b01a627573727c6d23f2
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:41:23 2014 +0100
network: Remove redundant insertion of wireless rules.
commit 4bc91affe00eb06142c914ac9f1686f2473cf471
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:40:57 2014 +0100
network: Remove old accounting code.
commit 159c55c5c89938ade27c0fcabc21e40da0e1a122
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:40:11 2014 +0100
firewall: Call firewall.local start at the very end.
commit c581b670ef383fe566075abe0a7df300b7da537c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:35:40 2014 +0100
firewall: Use --wait for every iptables call.
commit f3511161525d125621467ee2cc7b1319fc07cb83
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Feb 14 12:15:37 2014 +0100
Fix missing string in proxy.cgi (Cache-Digest creation).
commit 501e7b8654263f6758e273162f09183661d40303
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Feb 13 15:39:35 2014 +0100
tor: Bump package version to 6 and fix backup.
The backup include file is missing in older releases and will be created on the fly when updating old packages.
commit da9e4e8ed90aae3fc6100bd21cd49804fca6c9bf
Merge: f4e869f d2b1aa0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Feb 13 15:31:25 2014 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit f4e869ffb42c717167478fc75b993f9903298e15
Author: Alf Høgemark <alf@i100.no>
Date:   Sat Feb 8 07:32:08 2014 +0100
netexternal.cgi: Fix display of DNS1 and DNS2
-----------------------------------------------------------------------
Summary of changes:
 config/etc/sysctl.conf                       |   3 +
 config/firewall/firewall-policy              |  40 ++--
 config/firewall/rules.pl                     |  34 +-
 config/rootfiles/common/armv5tel/initscripts |   1 +
 config/rootfiles/common/i586/initscripts     |   1 +
 doc/language_issues.de                       |   1 -
 doc/language_issues.en                       |   1 -
 doc/language_missings                        |   4 +
 html/cgi-bin/netexternal.cgi                 |   4 +-
 langs/de/cgi-bin/de.pl                       |   1 +
 langs/en/cgi-bin/en.pl                       |   1 +
 lfs/initscripts                              |   1 +
 lfs/tor                                      |   2 +-
 src/initscripts/init.d/firewall              | 307 +++++++++++++++------------
 src/initscripts/init.d/network               |  36 ----
 src/paks/{default => tor}/install.sh         |   0
 src/paks/{cacti => tor}/uninstall.sh         |   0
 src/paks/{vdr => tor}/update.sh              |  21 +-
 18 files changed, 232 insertions(+), 226 deletions(-)
 copy src/paks/{default => tor}/install.sh (100%)
 copy src/paks/{cacti => tor}/uninstall.sh (100%)
 copy src/paks/{vdr => tor}/update.sh (87%)
Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index df3ef5f..d6a2f75 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -28,3 +28,6 @@ vm.min_free_kbytes = 8192 # Disable IPv6 by default. net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 + +# Enable netfilter accounting +net.netfilter.nf_conntrack_acct=1 diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy index 6d26d5b..773e5ce 100755 --- a/config/firewall/firewall-policy +++ b/config/firewall/firewall-policy @@ -23,6 +23,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+function iptables() { + /sbin/iptables --wait "$@" +} + iptables -F POLICYFWD iptables -F POLICYOUT iptables -F POLICYIN @@ -52,15 +56,15 @@ esac case "${FWPOLICY2}" in REJECT) if [ "${DROPINPUT}" = "on" ]; then - /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" + iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" fi - /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" + iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" ;; *) # DROP if [ "${DROPINPUT}" = "on" ]; then - /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" + iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi - /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" + iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" ;; esac
@@ -70,15 +74,15 @@ case "${POLICY}" in case "${FWPOLICY}" in REJECT) if [ "${DROPFORWARD}" = "on" ]; then - /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" fi - /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" + iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" ;; *) # DROP if [ "${DROPFORWARD}" = "on" ]; then - /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi - /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" ;; esac ;; @@ -86,14 +90,14 @@ case "${POLICY}" in *) if [ -n "${IFACE}" ]; then if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then - /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP + iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP fi if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then - /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP + iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP fi fi - /sbin/iptables -A POLICYFWD -j ACCEPT - /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP + iptables -A POLICYFWD -j ACCEPT + iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP ;; esac
@@ -103,21 +107,21 @@ case "${POLICY1}" in case "${FWPOLICY1}" in REJECT) if [ "${DROPOUTGOING}" = "on" ]; then - /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" + iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" fi - /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" ;; *) # DROP if [ "${DROPOUTGOING}" == "on" ]; then - /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" + iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" fi - /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" ;; esac ;; *) - /sbin/iptables -A POLICYOUT -j ACCEPT - /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP + iptables -A POLICYOUT -j ACCEPT + iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP ;; esac
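Review bot: the new `net.netfilter.nf_conntrack_acct=1` line in config/etc/sysctl.conf is applied by S90sysctl, which with this series runs after S85firewall, and the key only exists once nf_conntrack is loaded; flows created between the ruleset being built and sysctl running get no byte/packet counters, because the accounting extension is only attached to conntrack entries created while the setting is on. If accounting is meant to cover boot-time flows, set it from the firewall script right after the conntrack modules are loaded (the commit "Move enabling nf_conntrack_acct where it should be" suggests that is the intent, but that part of the script is not in this mail's diff). Minor: the rest of the file writes `key = value` with spaces around `=`; keep that style for the new line.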
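Review bot: the `function iptables()` wrapper in config/firewall/firewall-policy uses a bare `--wait`, which blocks for as long as another iptables process holds the xtables lock; on iptables releases that accept a timeout argument, `--wait N` bounds the stall so a stuck caller cannot hang the policy reload indefinitely. The wrapper shadows the command only inside this script, which is fine here since it execs nothing else. Two style points while every line of these blocks is being touched: the POLICYOUT `*)` branch tests `[ "${DROPOUTGOING}" == "on" ]` where the POLICYIN and POLICYFWD branches use `=`; and `function name()` is a bash form that dash rejects, consistent with the `==` tests already present but worth keeping in mind for the shebang.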
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 4380764..09e8ae6 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -60,7 +60,7 @@ my $blue = ''; my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); my $CHAIN = "FORWARDFW"; my $conexists = 'off'; -my $command = 'iptables -A'; +my $command = 'iptables --wait -A'; my $dnat =''; my $snat ='';
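Review bot: in config/firewall/rules.pl the `--wait` flag is now spelled out in more than a dozen string literals (this hunk and the `flush`, `buildrules` and `p2pblock` hunks that follow), and `$command` is rebuilt inline in `buildrules`; keep the binary and its flags in one place, e.g. `my $iptables = "/sbin/iptables --wait";` interpolated everywhere, so the next flag needs one edit and `p2pblock` stops being the only caller using the absolute `/sbin/iptables` path while the rest rely on PATH. Not introduced here, but since every `system` call site is being edited: they are all single strings passed through the shell with interpolated rule fields; the list form of `system` (splitting multi-word fields such as `$PROT` into separate arguments) would remove the shell from the path.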
@@ -111,7 +111,7 @@ if($param eq 'flush'){ system ("/usr/sbin/firewall-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ &p2pblock; - system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); + system ("iptables --wait -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); system ("/usr/sbin/firewall-policy"); system ("/etc/sysconfig/firewall.local reload"); } @@ -119,11 +119,11 @@ if($param eq 'flush'){ } sub flush { - system ("iptables -F FORWARDFW"); - system ("iptables -F INPUTFW"); - system ("iptables -F OUTGOINGFW"); - system ("iptables -t nat -F NAT_DESTINATION"); - system ("iptables -t nat -F NAT_SOURCE"); + system ("iptables --wait -F FORWARDFW"); + system ("iptables --wait -F INPUTFW"); + system ("iptables --wait -F OUTGOINGFW"); + system ("iptables --wait -t nat -F NAT_DESTINATION"); + system ("iptables --wait -t nat -F NAT_SOURCE"); } sub preparerules { @@ -150,9 +150,9 @@ sub buildrules my $icmptype; foreach my $key (sort {$a <=> $b} keys %$hash){ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); - $command="iptables -A"; + $command="iptables --wait -A"; if ($$hash{$key}[28] eq 'ON'){ - $command='iptables -t nat -A'; + $command='iptables --wait -t nat -A'; $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); if($$hash{$key}[31] eq 'dnat'){ $nat='DNAT'; @@ -303,7 +303,7 @@ sub buildrules } } } - print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + print "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; next; #PROCESS SNAT RULE }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ 
@@ -318,14 +318,14 @@ sub buildrules if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } #PROCESS Prot ICMP and type = All ICMP-Types if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } @@ -387,7 +387,7 @@ sub buildrules } } } - system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + system "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; next; #PROCESS SNAT RULE }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ 
@@ -402,14 +402,14 @@ sub buildrules if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } #PROCESS Prot ICMP and type = All ICMP-Types if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } @@ -504,11 +504,11 @@ sub p2pblock } if ($MODE eq 1){ if($P2PSTRING){ - print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; + print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; } }else{ if($P2PSTRING){ - system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); + system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO"); } } } diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 0933ca8..ba32ec8 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -224,6 +224,7 @@ etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet +etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90sysctl etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd 
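Review bot: `etc/rc.d/rcsysinit.d/S85firewall` is added to the armv5tel and i586 rootfiles, and lfs/initscripts creates the symlink at build time, but the summary of changes lists no core-update file, so existing installations will not get the symlink and will keep their current start order until an update script creates it. Check the position too: S85 runs before S90sysctl and S91network-vlans, so the ruleset is built before sysctl settings are applied and before VLAN devices exist, and the firewall script reads /var/ipfire/red/device and references `$GREEN_DEV`; make sure the sysinit path copes with those being absent or unset.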
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 727cc7a..c95f496 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -231,6 +231,7 @@ etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet +etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90sysctl etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd diff --git a/doc/language_issues.de b/doc/language_issues.de index 2376b0e..11b6336 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -598,7 +598,6 @@ WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs WARNING: untranslated string: addons -WARNING: untranslated string: advproxy cache-digest WARNING: untranslated string: bytes WARNING: untranslated string: community rules WARNING: untranslated string: dead peer detection diff --git a/doc/language_issues.en b/doc/language_issues.en index 5e3eef1..017a2c4 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -631,7 +631,6 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs -WARNING: untranslated string: advproxy cache-digest WARNING: untranslated string: bytes WARNING: untranslated string: fwhost err hostip WARNING: untranslated string: route config changed diff --git a/doc/language_missings b/doc/language_missings index 02de34a..677ae1d 100644 --- a/doc/language_missings +++ b/doc/language_missings 
@@ -13,6 +13,7 @@ # Checking cgi-bin translations for language: fr # ############################################################################ < addon +< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < advproxy errmsg proxy ports equal @@ -452,6 +453,7 @@ # Checking cgi-bin translations for language: es # ############################################################################ < addon +< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < advproxy errmsg proxy ports equal @@ -884,6 +886,7 @@ # Checking cgi-bin translations for language: pl # ############################################################################ < addon +< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < advproxy errmsg proxy ports equal @@ -1292,6 +1295,7 @@ ############################################################################ < Add a route < addon +< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < advproxy errmsg proxy ports equal diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi index cd29d5d..156ef24 100644 --- a/html/cgi-bin/netexternal.cgi +++ b/html/cgi-bin/netexternal.cgi @@ -83,8 +83,8 @@ if ( $querry[0] ne~ ""){
&General::readhash("${General::swroot}/dhcpc/dhcpcd-$netsettings{'RED_DEV'}.info", %dhcpinfo);
- my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d ,`; - my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d ,`; + my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d " "`; + my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d " "`;
my $lsetme=0; my $leasetime=""; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index e32ee94..10ffed3 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -188,6 +188,7 @@ 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', 'advproxy cache management' => 'Cacheverwaltung', 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie', +'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren', 'advproxy chgwebpwd ERROR' => 'F E H L E R :', 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :', 'advproxy chgwebpwd change password' => 'Passwort ändern', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index d3c8774..653edc4 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -188,6 +188,7 @@ 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', 'advproxy cache management' => 'Cache management', 'advproxy cache replacement policy' => 'Cache replacement policy', +'advproxy cache-digest' => 'Enable Cache-Digest Generation', 'advproxy chgwebpwd ERROR' => 'E R R O R :', 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :', 'advproxy chgwebpwd change password' => 'Change password', diff --git a/lfs/initscripts b/lfs/initscripts index 6968ede..0b5d8f4 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -171,6 +171,7 @@ $(TARGET) : ln -sf ../init.d/console /etc/rc.d/rcsysinit.d/S70console ln -sf ../init.d/firstsetup /etc/rc.d/rcsysinit.d/S75firstsetup ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet + ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall ln -sf ../init.d/sysctl /etc/rc.d/rcsysinit.d/S90sysctl ln -sf ../init.d/network-vlans /etc/rc.d/rcsysinit.d/S91network-vlans ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd diff --git a/lfs/tor b/lfs/tor index 9669ea7..7956736 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 5 +PAK_VER = 6
DEPS = "libevent2"
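Review bot: in html/cgi-bin/netexternal.cgi the fix only swaps the `cut` delimiter; both lines still interpolate `$dhcpinfo{'domain_name_servers'}`, a value supplied by the DHCP server on RED, into a backtick shell command, and each result carries the trailing newline from `cut`. Do the split in Perl instead: `my ($DNS1, $DNS2) = split(/\s+/, $dhcpinfo{'domain_name_servers'});` which removes the shell from the path, drops the newline, and behaves sensibly when the lease lists one server or more than two.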
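Review bot: the `PAK_VER = 6` bump in lfs/tor is only half of what the commit message describes; src/paks/tor/install.sh, uninstall.sh and update.sh appear in the summary as copies of the default, cacti and vdr scripts (update.sh at 87% similarity) but their content is not part of this mail, so the on-the-fly creation of the missing backup include cannot be reviewed here. When an update script is copied from another package, check that no vdr-specific names survived in the tor copy.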
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index be0c8b0..1d4146d 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -9,206 +9,205 @@ if [ -f /var/ipfire/red/device ]; then DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` fi
+function iptables() { + /sbin/iptables --wait "$@" +} + iptables_init() { # Flush all rules and delete all custom chains - /sbin/iptables -F - /sbin/iptables -t nat -F - /sbin/iptables -t mangle -F - /sbin/iptables -X - /sbin/iptables -t nat -X - /sbin/iptables -t mangle -X + iptables -F + iptables -t nat -F + iptables -t mangle -F + iptables -X + iptables -t nat -X + iptables -t mangle -X
# Set up policies - /sbin/iptables -P INPUT DROP - /sbin/iptables -P FORWARD DROP - /sbin/iptables -P OUTPUT ACCEPT + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT ACCEPT
# Empty LOG_DROP and LOG_REJECT chains - /sbin/iptables -N LOG_DROP - /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG - /sbin/iptables -A LOG_DROP -j DROP - /sbin/iptables -N LOG_REJECT - /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG - /sbin/iptables -A LOG_REJECT -j REJECT + iptables -N LOG_DROP + iptables -A LOG_DROP -m limit --limit 10/minute -j LOG + iptables -A LOG_DROP -j DROP + iptables -N LOG_REJECT + iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG + iptables -A LOG_REJECT -j REJECT
# This chain will log, then DROPs packets with certain bad combinations # of flags might indicate a port-scan attempt (xmas, null, etc) - /sbin/iptables -N PSCAN + iptables -N PSCAN if [ "$DROPPORTSCAN" == "on" ]; then - /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" - /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" - /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" - /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" + iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" + iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" + iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" + iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" fi - /sbin/iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" + iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
# New tcp packets without SYN set - could well be an obscure type of port scan # that's not covered above, may just be a broken windows machine - /sbin/iptables -N NEWNOTSYN + iptables -N NEWNOTSYN if [ "$DROPNEWNOTSYN" == "on" ]; then - /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " + iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " fi - /sbin/iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" + iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
# Chain to contain all the rules relating to bad TCP flags - /sbin/iptables -N BADTCP + iptables -N BADTCP
- #Don't check loopback - /sbin/iptables -A BADTCP -i lo -j RETURN + # Don't check loopback + iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners # nmap xmas - /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN + iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN # Null - /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN + iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN # FIN - /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN + iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN # SYN/RST (also catches xmas variants that set SYN+RST+...) - /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN + iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN # SYN/FIN (QueSO or nmap OS probe) - /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN + iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN # NEW TCP without SYN - /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN + iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
- /sbin/iptables -A INPUT -p tcp -j BADTCP - /sbin/iptables -A FORWARD -p tcp -j BADTCP + iptables -A INPUT -p tcp -j BADTCP + iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chain - /sbin/iptables -N CONNTRACK - /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + iptables -N CONNTRACK + iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Fix for braindead ISP's - /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# CUSTOM chains, can be used by the users themselves - /sbin/iptables -N CUSTOMINPUT - /sbin/iptables -A INPUT -j CUSTOMINPUT - /sbin/iptables -N CUSTOMFORWARD - /sbin/iptables -A FORWARD -j CUSTOMFORWARD - /sbin/iptables -N CUSTOMOUTPUT - /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT - /sbin/iptables -t nat -N CUSTOMPREROUTING - /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING - /sbin/iptables -t nat -N CUSTOMPOSTROUTING - /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + iptables -N CUSTOMINPUT + iptables -A INPUT -j CUSTOMINPUT + iptables -N CUSTOMFORWARD + iptables -A FORWARD -j CUSTOMFORWARD + iptables -N CUSTOMOUTPUT + iptables -A OUTPUT -j CUSTOMOUTPUT + iptables -t nat -N CUSTOMPREROUTING + iptables -t nat -A PREROUTING -j CUSTOMPREROUTING + iptables -t nat -N CUSTOMPOSTROUTING + iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
# Guardian (IPS) chains - /sbin/iptables -N GUARDIAN - /sbin/iptables -A INPUT -j GUARDIAN - /sbin/iptables -A FORWARD -j GUARDIAN + iptables -N GUARDIAN + iptables -A INPUT -j GUARDIAN + iptables -A FORWARD -j GUARDIAN
# Block OpenVPN transfer networks - /sbin/iptables -N OVPNBLOCK + iptables -N OVPNBLOCK for i in INPUT FORWARD; do - /sbin/iptables -A ${i} -j OVPNBLOCK + iptables -A ${i} -j OVPNBLOCK done
# OpenVPN transfer network translation - /sbin/iptables -t nat -N OVPNNAT - /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT + iptables -t nat -N OVPNNAT + iptables -t nat -A POSTROUTING -j OVPNNAT
# IPTV chains for IGMPPROXY - /sbin/iptables -N IPTVINPUT - /sbin/iptables -A INPUT -j IPTVINPUT - /sbin/iptables -N IPTVFORWARD - /sbin/iptables -A FORWARD -j IPTVFORWARD + iptables -N IPTVINPUT + iptables -A INPUT -j IPTVINPUT + iptables -N IPTVFORWARD + iptables -A FORWARD -j IPTVFORWARD
# filtering from GUI - /sbin/iptables -N GUIINPUT - /sbin/iptables -A INPUT -j GUIINPUT - /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT + iptables -N GUIINPUT + iptables -A INPUT -j GUIINPUT + iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback - /sbin/iptables -N LOOPBACK - /sbin/iptables -A LOOPBACK -i lo -j ACCEPT - /sbin/iptables -A LOOPBACK -o lo -j ACCEPT + iptables -N LOOPBACK + iptables -A LOOPBACK -i lo -j ACCEPT + iptables -A LOOPBACK -o lo -j ACCEPT
# Filter all packets with loopback addresses on non-loopback interfaces. - /sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP - /sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP + iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
for i in INPUT FORWARD OUTPUT; do - /sbin/iptables -A ${i} -j LOOPBACK + iptables -A ${i} -j LOOPBACK done
# Accept everything connected for i in INPUT FORWARD OUTPUT; do - /sbin/iptables -A ${i} -j CONNTRACK + iptables -A ${i} -j CONNTRACK done
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything - /sbin/iptables -N IPSECINPUT - /sbin/iptables -N IPSECFORWARD - /sbin/iptables -N IPSECOUTPUT - /sbin/iptables -A INPUT -j IPSECINPUT - /sbin/iptables -A FORWARD -j IPSECFORWARD - /sbin/iptables -A OUTPUT -j IPSECOUTPUT - /sbin/iptables -t nat -N IPSECNAT - /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT + iptables -N IPSECINPUT + iptables -N IPSECFORWARD + iptables -N IPSECOUTPUT + iptables -A INPUT -j IPSECINPUT + iptables -A FORWARD -j IPSECFORWARD + iptables -A OUTPUT -j IPSECOUTPUT + iptables -t nat -N IPSECNAT + iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet. - /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp + iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp # allow DHCP on BLUE to be turned on/off - /sbin/iptables -N DHCPBLUEINPUT - /sbin/iptables -A INPUT -j DHCPBLUEINPUT + iptables -N DHCPBLUEINPUT + iptables -A INPUT -j DHCPBLUEINPUT # WIRELESS chains - /sbin/iptables -N WIRELESSINPUT - /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT - /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD + iptables -N WIRELESSINPUT + iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT + iptables -N WIRELESSFORWARD + iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
# OpenVPN - /sbin/iptables -N OVPNINPUT - /sbin/iptables -A INPUT -j OVPNINPUT + iptables -N OVPNINPUT + iptables -A INPUT -j OVPNINPUT
# TOR - /sbin/iptables -N TOR_INPUT - /sbin/iptables -A INPUT -j TOR_INPUT + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT # Jump into the actual firewall ruleset. - /sbin/iptables -N INPUTFW - /sbin/iptables -A INPUT -j INPUTFW + iptables -N INPUTFW + iptables -A INPUT -j INPUTFW
- /sbin/iptables -N OUTGOINGFW - /sbin/iptables -A OUTPUT -j OUTGOINGFW + iptables -N OUTGOINGFW + iptables -A OUTPUT -j OUTGOINGFW
- /sbin/iptables -N FORWARDFW - /sbin/iptables -A FORWARD -j FORWARDFW + iptables -N FORWARDFW + iptables -A FORWARD -j FORWARDFW
# SNAT rules - /sbin/iptables -t nat -N NAT_SOURCE - /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + iptables -t nat -N NAT_SOURCE + iptables -t nat -A POSTROUTING -j NAT_SOURCE
# RED chain, used for the red interface - /sbin/iptables -N REDINPUT - /sbin/iptables -A INPUT -j REDINPUT - /sbin/iptables -N REDFORWARD - /sbin/iptables -A FORWARD -j REDFORWARD - /sbin/iptables -t nat -N REDNAT - /sbin/iptables -t nat -A POSTROUTING -j REDNAT + iptables -N REDINPUT + iptables -A INPUT -j REDINPUT + iptables -N REDFORWARD + iptables -A FORWARD -j REDFORWARD + iptables -t nat -N REDNAT + iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
# Custom prerouting chains (for transparent proxy) - /sbin/iptables -t nat -N SQUID - /sbin/iptables -t nat -A PREROUTING -j SQUID + iptables -t nat -N SQUID + iptables -t nat -A PREROUTING -j SQUID
# DNAT rules - /sbin/iptables -t nat -N NAT_DESTINATION - /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + iptables -t nat -N NAT_DESTINATION + iptables -t nat -A PREROUTING -j NAT_DESTINATION
# upnp chain for our upnp daemon - /sbin/iptables -t nat -N UPNPFW - /sbin/iptables -t nat -A PREROUTING -j UPNPFW - /sbin/iptables -N UPNPFW - /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local start - fi + iptables -t nat -N UPNPFW + iptables -t nat -A PREROUTING -j UPNPFW + iptables -N UPNPFW + iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# Apply OpenVPN firewall rules /usr/local/bin/openvpnctrl --firewall-rules @@ -216,13 +215,13 @@ iptables_init() { # run wirelessctrl /usr/local/bin/wirelessctrl
- #POLICY CHAIN - /sbin/iptables -N POLICYIN - /sbin/iptables -A INPUT -j POLICYIN - /sbin/iptables -N POLICYFWD - /sbin/iptables -A FORWARD -j POLICYFWD - /sbin/iptables -N POLICYOUT - /sbin/iptables -A OUTPUT -j POLICYOUT + # POLICY CHAIN + iptables -N POLICYIN + iptables -A INPUT -j POLICYIN + iptables -N POLICYFWD + iptables -A FORWARD -j POLICYFWD + iptables -N POLICYOUT + iptables -A OUTPUT -j POLICYOUT
/usr/sbin/firewall-policy
@@ -230,37 +229,37 @@ iptables_init() { /usr/local/bin/firewallctrl
if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" + iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" + iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" }
iptables_red() { - /sbin/iptables -F REDINPUT - /sbin/iptables -F REDFORWARD - /sbin/iptables -t nat -F REDNAT + iptables -F REDINPUT + iptables -F REDFORWARD + iptables -t nat -F REDNAT
# PPPoE / PPTP Device if [ "$IFACE" != "" ]; then # PPPoE / PPTP if [ "$DEVICE" != "" ]; then - /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT + iptables -A REDINPUT -i $DEVICE -j ACCEPT fi if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then if [ "$RED_DEV" != "" ]; then - /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT + iptables -A REDINPUT -i $RED_DEV -j ACCEPT fi fi fi
# PPTP over DHCP if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT + iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT + iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT fi
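Review bot: the "PPTP over DHCP" block accepts `-p tcp --source-port 67 --destination-port 68` next to the udp rule, but DHCP is carried over UDP only, so the tcp rule can never match legitimate traffic and only widens what REDINPUT accepts on the red device; since these lines are being rewritten anyway, drop the tcp variant and keep the udp one. The same tcp/udp pair is repeated in the DHCP block of iptables_red below. Minor: `$DEVICE` and `$RED_DEV` are passed unquoted to `-i`; the surrounding `!= ""` tests cover the empty case but not a value containing whitespace.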
# Orange pinholes @@ -268,24 +267,24 @@ iptables_red() { # This rule enables a host on ORANGE network to connect to the outside # (only if we have a red connection) if [ "$IFACE" != "" ]; then - /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT + iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT fi fi
if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then # DHCP if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT fi if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT fi
# Outgoing masquerading (don't masqerade IPSEC (mark 50)) - /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi } @@ -293,10 +292,38 @@ iptables_red() { # See how we were called. case "$1" in start) + boot_mesg "Loading firewall modules into the kernel" + modprobe iptable_nat || failed=1 + for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do + modprobe $(basename $i | cut -d. -f1) || failed=1 + done + for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do + modprobe $(basename $i | cut -d. -f1) || failed=1 + done + (exit ${failed}) + evaluate_retval + + if [ -e /var/ipfire/main/disable_nf_sip ]; then + rmmod nf_nat_sip + rmmod nf_conntrack_sip + rmmod nf_nat_h323 + rmmod nf_conntrack_h323 + fi + + boot_mesg "Setting up firewall" iptables_init + evaluate_retval + + # run local firewall configuration, if present + if [ -x /etc/sysconfig/firewall.local ]; then + /etc/sysconfig/firewall.local start + fi ;; reload) + boot_mesg "Reloading firewall" iptables_red + evaluate_retval + # run local firewall configuration, if present if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local reload diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 02df4bc..5aecd15 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -17,42 +17,6 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
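Review bot: in the module-loading block moved into `start)`, the `-name nf_conntrack*` and `-name nf_nat*` patterns are unquoted, so if the shell's working directory contains a file matching either glob it is expanded before find sees it and the wrong module set is loaded; quote them as `-name 'nf_conntrack*'`. `failed` is not reset before the loops, so a stale value from earlier in the script would be reported by `(exit ${failed})`; initialise `failed=0` first. The copy removed from the network script also ran `sysctl net.netfilter.nf_conntrack_acct=1`, which this block does not re-add; confirm that it is set where commit 1108a15 moved it and that it runs after nf_conntrack is loaded, since the sysctl key only exists once the module is in. The rmmod calls under disable_nf_sip ignore errors, which is acceptable only because every nf_nat*/nf_conntrack* module was just modprobed; a short comment saying so would help the next reader.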
init_networking() { - boot_mesg "Loading firewall modules into the kernel" - modprobe iptable_nat || failed=1 - for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do - modprobe $(basename $i | cut -d. -f1) || failed=1 - done - for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do - modprobe $(basename $i | cut -d. -f1) || failed=1 - done - (exit ${failed}) - evaluate_retval - - # Enable netfilter accounting - sysctl net.netfilter.nf_conntrack_acct=1 > /dev/null - - if [ -e /var/ipfire/main/disable_nf_sip ]; then - rmmod nf_nat_sip - rmmod nf_conntrack_sip - rmmod nf_nat_h323 - rmmod nf_conntrack_h323 - fi - - boot_mesg "Setting up firewall" - /etc/rc.d/init.d/firewall start; evaluate_retval - -# boot_mesg "Setting up traffic accounting" -# /etc/rc.d/helper/writeipac.pl || failed=1 -# /usr/sbin/fetchipac -S || failed=1 -# (exit ${failed}) -# evaluate_retval - - - if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then - boot_mesg "Setting up wireless firewall rules" - /usr/local/bin/wirelessctrl; evaluate_retval - fi - /etc/rc.d/init.d/dnsmasq start /etc/rc.d/init.d/static-routes start } diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh new file mode 100644 index 0000000..31c5fec --- /dev/null +++ b/src/paks/tor/install.sh 
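Review bot: init_networking no longer runs `/etc/rc.d/init.d/firewall start`, so dnsmasq and static-routes now start from here without any guarantee that a ruleset is in place, and the diff does not show where the firewall initscript is invoked instead; please name the new boot-order position in the commit message so the "no ruleset before interfaces are up" window can be checked. The removed wirelessctrl call was guarded by `CONFIG_TYPE` 3 or 4, while the call kept in iptables_init is unconditional, so wirelessctrl must now behave correctly on configurations without a blue interface.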
@@ -0,0 +1,27 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +extract_files +restore_backup ${NAME} +start_service --background ${NAME} diff --git a/src/paks/tor/uninstall.sh b/src/paks/tor/uninstall.sh new file mode 100644 index 0000000..a7b8a53 --- /dev/null +++ b/src/paks/tor/uninstall.sh 
@@ -0,0 +1,27 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +stop_service ${NAME} +make_backup ${NAME} +remove_files diff --git a/src/paks/tor/update.sh b/src/paks/tor/update.sh new file mode 100644 index 0000000..675e7f5 --- /dev/null +++ b/src/paks/tor/update.sh 
@@ -0,0 +1,37 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh + +# Create backup include file if it is missing. +if [ ! -e "/var/ipfire/backup/addons/includes/tor" ]; then + cat <<EOF > /var/ipfire/backup/addons/includes/tor +/etc/tor +/var/ipfire/tor +/var/lib/tor/fingerprint +/var/lib/tor/keys +EOF +fi + +./uninstall.sh +./install.sh
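Review bot: the backup include list written here contains `/var/lib/tor/keys`, i.e. the relay's long-term identity and onion service keys, so the archive that `make_backup` produces from it must not be world-readable and should be handled as sensitive when copied off the box; a comment to that effect belongs next to the heredoc. The include file is only created by update.sh, not by install.sh, so a fresh install relies on it being among the files `extract_files` unpacks; if it is not, `make_backup ${NAME}` in uninstall.sh has no include list to work from on the first removal. `./uninstall.sh` and `./install.sh` are invoked relative to the current directory, which assumes pakfire runs the script from the package directory.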
hooks/post-receive -- IPFire 2.x development tree