This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core131 has been updated
       via  d4f315677777e4b819d82eadd14af6f4d20137e5 (commit)
       via  e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 (commit)
       via  a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d (commit)
       via  56f6d107ff152748a0330a99ab39ad66880ff64b (commit)
      from  7b0c8a80af716cb8ce1abfe990b149eb60ef0498 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit d4f315677777e4b819d82eadd14af6f4d20137e5
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Apr 23 20:33:02 2019 +0200
convert-snort: Fix ownership of the generated homenet file.
Fixes #12059.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Apr 23 21:27:53 2019 +0200
suricata: Use device ppp0 if PPPoE dialin is used.
Fixes #12058.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Apr 23 20:45:42 2019 +0100
suricata: EXTERNAL_NET should equal any
This enables us to scan servers in ORANGE for clients in GREEN, which absolutely makes sense.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 56f6d107ff152748a0330a99ab39ad66880ff64b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Apr 21 01:32:07 2019 +0100
suricata: Do not always convert rules to be bi-directional
This creates some overhead that we do not need and rules need to be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/cfgroot/ids-functions.pl |  3 ---
 config/suricata/convert-snort   |  3 +++
 config/suricata/suricata.yaml   |  3 +--
 src/initscripts/system/suricata | 16 +++++++++++++---
 4 files changed, 17 insertions(+), 8 deletions(-)
Difference in files: diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 5496df1a9..deb287bb7 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -742,9 +742,6 @@ sub write_modify_sids_file($) { # Write file header. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
- # Tune rules to monitor in both directions. - print FILE "modifysid * "->" | "<>"\n"; - # Check if the traffic only should be monitored. unless($ruleaction eq "alert") { # Tell oinkmaster to switch all rules from alert to drop. diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 0ad2942b1..83931fa5b 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -259,6 +259,9 @@ if (-f $IDS::rulestarball) { # Call subfunction to generate the file. &IDS::generate_home_net_file();
+# Set correct ownership for the homenet file. +&IDS::set_ownership("$IDS::homenet_file"); + # ## Step 9: Setup automatic ruleset updates. # diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index e7e27c731..7252e10b9 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -11,8 +11,7 @@ vars: # Include HOME_NET declaration from external file. include: /var/ipfire/suricata/suricata-homenet.yaml
- EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" + EXTERNAL_NET: "any"
HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 16548753e..ecd693054 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -18,6 +18,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
# Name of the firewall chain. FW_CHAIN="IPS" @@ -65,9 +66,18 @@ function generate_fw_rules {
# Check if the IDS is enabled for this network zone. if [ "${!enable_ids_zone}" == "on" ]; then - # Generate name of the network interface. - network_device=$zone - network_device+="0" + # Check if the current processed zone is "red" and the configured type is PPPoE dialin. + if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then + # Set device name to ppp0. + network_device="ppp0" + else + # Generate variable name which contains the device name. + zone_name="$zone_upper" + zone_name+="_DEV" + + # Grab device name. + network_device=${!zone_name} + fi
# Assign NFQ_OPTS NFQ_OPTIONS=$NFQ_OPTS
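Review bot: removing the `modifysid * "->" | "<>"` line from write_modify_sids_file (ids-functions.pl hunk) changes what the deployed ruleset detects, not only its cost: every upstream rule written one-directional (`->`) previously also fired on the reverse direction and now no longer will, so coverage shrinks silently for anyone who relied on the old conversion. Suggest calling this out in the core131 release notes and leaving a one-line comment in place of the deleted block (e.g. `# Rules keep the direction their author specified; no "<>" rewrite.`) so the next reader knows the omission is deliberate rather than an oversight.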
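Review bot: the new `&IDS::set_ownership("$IDS::homenet_file");` in convert-snort fixes the ownership only on this one code path. Since `&IDS::generate_home_net_file();` is what creates the file, setting the ownership inside that generator, right after the write, would cover every caller instead of only convert-snort. Two smaller points: the double quotes around `$IDS::homenet_file` are redundant (`&IDS::set_ownership($IDS::homenet_file);` passes the same value), and the hunk ignores the call's return value, so if set_ownership can fail (e.g. the file was not created) nothing reports it.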
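Review bot: switching `EXTERNAL_NET` from `"!$HOME_NET"` to `"any"` in suricata.yaml widens every rule that references `$EXTERNAL_NET`, in both directions. `$EXTERNAL_NET -> $HOME_NET` rules now also match traffic that originates inside HOME_NET (the ORANGE-to-GREEN case the commit wants), but `$HOME_NET -> $EXTERNAL_NET` rules now match internal-to-internal traffic as well, which can raise alert volume and CPU load on the NFQUEUE path. Rather than simply deleting the `#EXTERNAL_NET: "any"` comment, replace it with a short comment stating why IPFire deviates from the upstream default, so nobody "fixes" it back to `!$HOME_NET`, and mention the change in the release notes for users who tune false positives.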
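Review bot: the added `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` in the initscript carries no comment on why it is needed (it supplies `RED_TYPE` and the `*_DEV` variables consumed later in generate_fw_rules); a one-line comment next to it would make that dependency visible. Because the readhash output is eval'd straight into the environment of a root-run init script, whoever can write that settings file controls these variables, so it is worth confirming that the file's ownership and permissions are as tight as those of the suricata settings file eval'd on the line above.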
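Review bot: in the else branch of the generate_fw_rules hunk, `zone_name="$zone_upper"` depends on `zone_upper` being defined earlier in the function, which this hunk does not show; please confirm it is set before this point, otherwise `zone_name` collapses to `_DEV` and `network_device=${!zone_name}` expands to an empty string. In both branches the script then proceeds with `network_device` without checking that it is non-empty (a zone with no `*_DEV` entry in ethernet/settings would hit this), so a guard such as `if [ -z "${network_device}" ]; then echo "No device for zone ${zone}"; ... fi` that skips the zone before the NFQ handling would turn a confusing iptables error into a clear message. The PPPoE test compares `$RED_TYPE` against the exact uppercase string `PPPOE`; make sure that matches the spelling actually written to ethernet/settings.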
hooks/post-receive -- IPFire 2.x development tree