The branch, next has been updated via 20c7552e0d1453e90cd069a83c712ff29fb1cbc7 (commit) via 9cf253e150078852877f5ee530aeb3408fa4216b (commit) via 5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit) via 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit) via 31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit) via 1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit) via d4f315677777e4b819d82eadd14af6f4d20137e5 (commit) via e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 (commit) via a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d (commit) via 56f6d107ff152748a0330a99ab39ad66880ff64b (commit) via 7b0c8a80af716cb8ce1abfe990b149eb60ef0498 (commit) from 2cecfd0fdb1ab4b0b7c1b9468a61c8d1d7d06961 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 20c7552e0d1453e90cd069a83c712ff29fb1cbc7 Merge: 2cecfd0fd 9cf253e15 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Apr 26 19:39:55 2019 +0200
Merge branch 'master' into next
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/oldcore/131/filelists/files | 1 + html/cgi-bin/wlanap.cgi | 2 - lfs/hostapd | 2 +- src/initscripts/system/firewall | 10 ++-- src/initscripts/system/suricata | 82 ++++++++++++++++++---------- 5 files changed, 60 insertions(+), 37 deletions(-)
Difference in files:
diff --git a/config/rootfiles/oldcore/131/filelists/files b/config/rootfiles/oldcore/131/filelists/files
index 810c67b1e..aa842b73c 100644
--- a/config/rootfiles/oldcore/131/filelists/files
+++ b/config/rootfiles/oldcore/131/filelists/files
@@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/ids.dat
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/remote.cgi
+srv/web/ipfire/cgi-bin/services.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/local/bin/ipsec-interfaces
 usr/local/bin/sshctrl
diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 06ce05bfb..04b2a9491 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -388,8 +388,6 @@ print <<END
 <!--SSID Broadcast: on => HIDESSID: off -->
 <tr><td width='25%' class='base'>$Lang::tr{'wlanap broadcast ssid'}: </td><td class='base' colspan='3'>$Lang::tr{'on'} <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> $Lang::tr{'off'}</td></tr>
 <tr><td width='25%' class='base'>$Lang::tr{'wlanap client isolation'}: </td><td class='base' colspan='3'>$Lang::tr{'on'} <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> $Lang::tr{'off'}</td></tr>
-
-
 <tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'>
 <select name='COUNTRY'>
 END
diff --git a/lfs/hostapd b/lfs/hostapd
index 14932cccb..ce399df75 100644
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = hostapd
-PAK_VER = 48
+PAK_VER = 47
DEPS = ""
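Review bot: `PAK_VER` goes from 48 down to 47 in this merge, which is a version regression rather than a bump; if pakfire decides whether to offer a package update by comparing `PAK_VER`, installations that already took hostapd 48 from `next` will not be offered the build this tree produces until the number exceeds 48 again. This looks like the master side winning a merge conflict against next's earlier bump rather than a deliberate downgrade. Unless the downgrade is intended, restore `PAK_VER = 48` (or move to 49 if a rebuild is wanted) in a follow-up on `next`. The rest of the hostapd LFS file is outside this hunk.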
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be6c9169f..da89857d8 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -186,10 +186,12 @@ iptables_init() {
 iptables -A FORWARD -j GUARDIAN
 # IPS (suricata) chains
- iptables -N IPS
- iptables -A INPUT -j IPS
- iptables -A FORWARD -j IPS
- iptables -A OUTPUT -j IPS
+ iptables -N IPS_INPUT
+ iptables -N IPS_FORWARD
+ iptables -N IPS_OUTPUT
+ iptables -A INPUT -j IPS_INPUT
+ iptables -A FORWARD -j IPS_FORWARD
+ iptables -A OUTPUT -j IPS_OUTPUT
 # Block non-established IPsec networks
 iptables -N IPSECBLOCK
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index ecd693054..c9f131fca 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -6,7 +6,7 @@
 #
 # Author : Stefan Schantl stefan.schantl@ipfire.org
 #
-# Version : 01.00
+# Version : 01.01
 #
 # Notes :
 #
@@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
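Review bot: The three chain names created here are duplicated as string literals in `initscripts/system/suricata` (`IPS_INPUT_CHAIN="IPS_INPUT"` and the FORWARD/OUTPUT twins in the same commit), and nothing ties the two files together; if either side is renamed alone, the suricata script's `iptables -F` and `-I` calls fail and no traffic is queued to the IPS, with only an iptables message on stderr to show for it. A comment above the block would make the coupling visible: `# Chain names must match IPS_INPUT_CHAIN/IPS_FORWARD_CHAIN/IPS_OUTPUT_CHAIN in initscripts/system/suricata`. The chains are also created empty, so until the suricata script fills them packets pass straight through; that is the fail-open default this design appears to want, but it is worth stating in the same comment. `iptables_init` begins before this hunk.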
-# Name of the firewall chain.
-FW_CHAIN="IPS"
+# Name of the firewall chains.
+IPS_INPUT_CHAIN="IPS_INPUT"
+IPS_FORWARD_CHAIN="IPS_FORWARD"
+IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 # Optional options for the Netfilter queue.
 NFQ_OPTS="--queue-bypass "
@@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass "
 # Array containing the 4 possible network zones.
 network_zones=( red green blue orange )
+# Array to store the network zones weather the IPS is enabled for.
+enabled_ips_zones=()
+
 # Mark and Mask options.
 MARK="0x70000000"
 MASK="0x70000000"
@@ -48,13 +53,18 @@ function get_cpu_count {
 echo $CPUCOUNT
 }
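Review bot: The comment on the new global has a typo ("weather") and describes the wrong thing: the loop in `generate_fw_rules` appends `$network_device` values, not zone names, so `# Array of network devices (one per zone) for which the IPS is enabled; filled by generate_fw_rules.` is the accurate wording. It is also worth saying in the same comment that this is module-level state written by one function and read later in the same function, so nobody mistakes it for a per-call local.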
+# Function to flush the firewall chains.
+function flush_fw_chain {
+ # Call iptables and flush the chains
+ iptables -F "$IPS_INPUT_CHAIN"
+ iptables -F "$IPS_FORWARD_CHAIN"
+ iptables -F "$IPS_OUTPUT_CHAIN"
+}
+
 # Function to create the firewall rules to pass the traffic to suricata.
 function generate_fw_rules {
 cpu_count=$(get_cpu_count)
- # Flush the firewall chain.
- iptables -F "$FW_CHAIN"
-
 # Loop through the array of network zones.
 for zone in "${network_zones[@]}"; do
 # Convert zone into upper case.
@@ -79,34 +89,46 @@ function generate_fw_rules {
 network_device=${!zone_name}
 fi
- # Assign NFQ_OPTS
- NFQ_OPTIONS=$NFQ_OPTS
-
- # Check if there are multiple cpu cores available.
- if [ "$cpu_count" -gt "1" ]; then
- # Balance beetween all queues.
- NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
- NFQ_OPTIONS+=" --queue-cpu-fanout"
- else
- # Send all packets to queue 0.
- NFQ_OPTIONS+="--queue-num 0"
- fi
-
- # Create firewall rules to queue the traffic and pass to
- # the IDS.
- iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
- iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$network_device" )
 fi
 done
- # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-}
+ # Assign NFQ_OPTS
+ NFQ_OPTIONS=$NFQ_OPTS
+
+ # Check if there are multiple cpu cores available.
+ if [ "$cpu_count" -gt "1" ]; then
+ # Balance beetween all queues.
+ NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
+ NFQ_OPTIONS+=" --queue-cpu-fanout"
+ else
+ # Send all packets to queue 0.
+ NFQ_OPTIONS+="--queue-num 0"
+ fi
+
+ # Flush the firewall chains.
+ flush_fw_chain
+
+ # Check if the array of enabled_ips_zones contains any elements.
+ if [[ ${enabled_ips_zones[@]} ]]; then
+ # Loop through the array and create firewall rules.
+ for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
+ # Create rules queue input and output related traffic and pass it to the IPS.
+ iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+
+ # Create rules which are required to handle forwarded traffic.
+ for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
+ iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ done
+ done
-# Function to flush the firewall chain.
-function flush_fw_chain {
- # Call iptables and flush the chain
- iptables -F "$FW_CHAIN"
+ # Clear repeat bit, so that it does not confuse IPsec or QoS
+ iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ fi
 }
case "$1" in
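Review bot: The new FORWARD rules only match when both the ingress and the egress interface are IPS-enabled (`-i "$enabled_ips_zone" -o "$enabled_ips_zone_forward"` over every pair), whereas the removed `-i`/`-o` rules in the single chain queued any forwarded packet that touched an enabled zone on either side; with only RED enabled the sole FORWARD rule is the RED device in and out, so routed traffic between GREEN and the internet is no longer inspected at all. If that narrowing is intended it needs to be stated in the commit and wherever the zone selection is explained; otherwise add per-interface rules in the forward chain next to the pair rules, `iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS` and its `-o` twin. Separately, `enabled_ips_zones` is a global that this function only appends to, so a second call of `generate_fw_rules` in the same process would insert every rule twice; an `enabled_ips_zones=()` at the top of the function removes that dependency on call count. The `case "$1" in` dispatch that decides how often the function runs continues past the hunk.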