This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 4d2c384543fdd50b2471a5442f7f91361f6a74ff (commit) via 05375f12755c426d4153a3e93251cb26f4cd539c (commit) via 6cedc16d90cbce2d09c909d1dd79119bd161b344 (commit) via 54e3be22f263e7135c039b98744ecdfa694f53e9 (commit) via a44eed2536009e8e7c929eb9aa13ca9d730b627f (commit) via 9aeae881332edf777a7defe06260891d8d081ea5 (commit) via 352796cad7aa2f40ac983149d9fc9928fd1a0f1d (commit) via df5cc48dd685bc83e3196ef35ee9f507c66d79a2 (commit) via 0779907e1b8ba65516280234ff6d90aa244340f8 (commit) via 79d32988c52b65d5254c991e7a41367451af21a6 (commit) via 1ff69fca2a336c71ccd9d13846d0501f128d916e (commit) via c6e5fcdf127bac77d2b34d9e84dbb6eb5fdda146 (commit) via eeab80f8dcb7ad8564ac684e014f1a67be82923e (commit) via 733fae2abe50fb190ff1cd96c2de39558ed3ed9d (commit) via 46a5bac6ed7aa1e03200d26eeaaad65bd35ee5ef (commit) via 080e79f149257dd23fd25c35f498083fc1a862a1 (commit) via dc845b6c81cfd8622e4c060e08edf8c22ff68e1a (commit) via eb7ccf87c566f32557088d09fa69fdcdeef2a1be (commit) via 464c27554ced7b1d4fbb0d454bb7db2856d2af34 (commit) via 9a56118b61ae307e2cceac44df0ff867cc5bf6aa (commit) via 787469ebd6349c688443995146535de781f755de (commit) via 475ae4b3dbb29ba67a16e48910d3fa8130a8b2c3 (commit) via 470e85c3652ca52393fca8204a1052471753aa8b (commit) via 2e42a9eaa15d43885b46dd977c540293446d641a (commit) via 48a7737fdd50db0384e0c999a768c7cf3052200b (commit) via f487e373930472b234f637a03273604d3c7a241c (commit) via 4c0bd63ea4c21eb8140eb5a54b2eeda4b43b7e8e (commit) via a1c5ceeb347e75f03e042c2e90bb23d6024a4641 (commit) via 4e9000b4d8435d952cca982020ca70f8d64b45ec (commit) via c7141f04791dc1c3bf6799e260497be614201a75 (commit) via 8f2c3b49b6b12a1edad5e4f0cd3feb0beda22c21 (commit) via 16c31d10040db4f175642376b284a0f98609e19e (commit) via 7d06d0de7b7ec2f6a8ccf4b7c179f2538780beb1 (commit) via 0f224ad770d01494db31c875ef2e31a766735527 (commit) via 1a0d8b0573cd4cb573cf891f2ac26520fa5573bb (commit) via c86fd963d20b82593032c3c4b2d47dbdaa9def1a (commit) via 
607240e28c4f1572b3d7735c6e2a45387a90ea6d (commit) via 3273ff48f04fe01364eb413966d7afb351a9cb41 (commit) via 0009de91e886514e05002eed1286f6007dea3876 (commit) via 8b59ef085e4de8ea38e0ac9859c72f5a93194c9d (commit) via 7fa83c2fe79fd2f3f32885707591637f559401a3 (commit) via fd52e82a7252a7559c694fce6570aab461c331e3 (commit) via d97ba75fe5634055850deda7a594d52e901dbe75 (commit) via 6723afef0922295dbd8ea66171270040b0edc002 (commit) via bd3bcb45d611f1e5f39fae07f6c5b189c1e64560 (commit) via 563c50216300ab2078fabfe305fea93aaeb2d5e5 (commit) via 348360292979236e94a8e44fa8c4668941ad95da (commit) via 1c21ebf8d5464d3d84e8d2dc247a77870f3961df (commit) via 1f2a90b5521eec74569c8d6f1a9902fc0aa44bbf (commit) from bc91a66281193d7fca60858e5efed5ec73ad9fe0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 4d2c384543fdd50b2471a5442f7f91361f6a74ff Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 13:34:56 2018 +0100
core123: Ship changed vpnmain.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 05375f12755c426d4153a3e93251cb26f4cd539c Author: Peter Müller peter.mueller@link38.eu Date: Sat Jun 30 17:18:30 2018 +0200
add ChaCha20/Poly1305 to IPsec WebUI
The algorithm is selected by default since it is considered to be both secure and state-of-the-art. This required Linux kernel > 4.2, which is satisfied by Core Update 2.12 122.
Fixes #11549
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6cedc16d90cbce2d09c909d1dd79119bd161b344 Author: Peter Müller peter.mueller@link38.eu Date: Sat Jun 30 17:15:22 2018 +0200
update cryptography settings in StrongSwan LFS file
The RC2 plugin was never supported by the WebUI and is insecure, so it became obsolete here. To support the new ChaCha20/Poly1305, the corresponding module needs to be enabled.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 54e3be22f263e7135c039b98744ecdfa694f53e9 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 13:34:19 2018 +0100
core123: Ship updated packages and files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a44eed2536009e8e7c929eb9aa13ca9d730b627f Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 12:38:48 2018 +0100
proxy.cgi: The group name cannot be in quotes
Squid interprets the quotes as part of the group name, too
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9aeae881332edf777a7defe06260891d8d081ea5 Author: Peter Müller peter.mueller@link38.eu Date: Wed Jun 20 17:00:36 2018 +0200
smartmontools: update to 6.6.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 352796cad7aa2f40ac983149d9fc9928fd1a0f1d Author: Peter Müller peter.mueller@link38.eu Date: Wed Jun 20 17:04:26 2018 +0200
lynis: update to 2.6.4
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit df5cc48dd685bc83e3196ef35ee9f507c66d79a2 Author: Peter Müller peter.mueller@link38.eu Date: Sat Jun 30 17:16:37 2018 +0200
update StrongSwan to 5.6.3
This also takes advantage of changed crypto plugins (see first patch) and updates the rootfile.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0779907e1b8ba65516280234ff6d90aa244340f8 Author: Peter Müller peter.mueller@link38.eu Date: Sat Jun 30 12:07:15 2018 +0200
libgcrypt: update to 1.8.3
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 79d32988c52b65d5254c991e7a41367451af21a6 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Jun 25 17:31:01 2018 +0200
unbound: Update to 1.7.3
For details see: http://www.unbound.net/download.html
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1ff69fca2a336c71ccd9d13846d0501f128d916e Author: Erik Kapfer erik.kapfer@ipfire.org Date: Thu Jun 21 13:54:36 2018 +0200
OpenVPN: Update to version 2.4.6
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c6e5fcdf127bac77d2b34d9e84dbb6eb5fdda146 Author: Peter Müller peter.mueller@link38.eu Date: Wed Jun 20 17:13:01 2018 +0200
conntrack-tools: update to 1.4.5
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit eeab80f8dcb7ad8564ac684e014f1a67be82923e Author: Peter Müller peter.mueller@link38.eu Date: Wed Jun 20 17:11:28 2018 +0200
libnetfilter_conntrack: update to 1.0.7
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 733fae2abe50fb190ff1cd96c2de39558ed3ed9d Author: Peter Müller peter.mueller@link38.eu Date: Wed Jun 20 17:09:05 2018 +0200
iptables: update to 1.6.2
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 46a5bac6ed7aa1e03200d26eeaaad65bd35ee5ef Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 12:24:25 2018 +0100
vpnmain.cgi: Remove unused code that prevented the page from loading without GREEN
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 080e79f149257dd23fd25c35f498083fc1a862a1 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 12:21:59 2018 +0100
Don't show proxy configuration pages when GREEN is not available
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dc845b6c81cfd8622e4c060e08edf8c22ff68e1a Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 12:15:00 2018 +0100
AWS: Hide certain things on the web UI
Those are practically unusable on AWS.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit eb7ccf87c566f32557088d09fa69fdcdeef2a1be Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:54:51 2018 +0100
AWS: Store instance id
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 464c27554ced7b1d4fbb0d454bb7db2856d2af34 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:52:54 2018 +0100
aws: Re-enable check if we are actually running on EC2
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9a56118b61ae307e2cceac44df0ff867cc5bf6aa Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:51:39 2018 +0100
aws: Suppress any output from ending dhclient
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 787469ebd6349c688443995146535de781f755de Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:51:18 2018 +0100
aws: No need to wake up udev again
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 475ae4b3dbb29ba67a16e48910d3fa8130a8b2c3 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:49:57 2018 +0100
firewall: Suppress more warnings when initialising without GREEN
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 470e85c3652ca52393fca8204a1052471753aa8b Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:44:14 2018 +0100
AWS: Rename network interfaces only when necessary
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2e42a9eaa15d43885b46dd977c540293446d641a Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 11:43:35 2018 +0100
AWS: Import SSH keys before meddling with the network
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 48a7737fdd50db0384e0c999a768c7cf3052200b Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 1 10:32:31 2018 +0100
firewall: Allow starting without a green interface
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f487e373930472b234f637a03273604d3c7a241c Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 20:35:29 2018 +0100
AWS: No need to restart udev any more
The renames the network interfaces itself now
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4c0bd63ea4c21eb8140eb5a54b2eeda4b43b7e8e Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 19:58:42 2018 +0100
localnet: Don't write local hostname to /etc/hosts
This is now being provided by nss-myhostname
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a1c5ceeb347e75f03e042c2e90bb23d6024a4641 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 19:56:56 2018 +0100
nsswitch.conf: Use nss-myhostname to resolve local hostname
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4e9000b4d8435d952cca982020ca70f8d64b45ec Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 19:51:38 2018 +0100
nss-myhostname: New package
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c7141f04791dc1c3bf6799e260497be614201a75 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 19:40:31 2018 +0100
AWS: Rename all interfaces when booting up
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8f2c3b49b6b12a1edad5e4f0cd3feb0beda22c21 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 19:25:29 2018 +0100
aws: Apply SSH configuration changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 16c31d10040db4f175642376b284a0f98609e19e Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jun 30 19:25:15 2018 +0100
openssh: Write port 22 into the default configuration file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7d06d0de7b7ec2f6a8ccf4b7c179f2538780beb1 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 28 11:15:29 2018 +0100
AWS: Restart udev to rename network interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0f224ad770d01494db31c875ef2e31a766735527 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 28 11:01:33 2018 +0100
AWS: Add support for ORANGE
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1a0d8b0573cd4cb573cf891f2ac26520fa5573bb Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 28 10:57:50 2018 +0100
AWS: Remove some debugging line
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c86fd963d20b82593032c3c4b2d47dbdaa9def1a Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 28 10:57:13 2018 +0100
AWS: Calculate gateway and DNS IP addresses only for RED
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 607240e28c4f1572b3d7735c6e2a45387a90ea6d Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 28 10:55:24 2018 +0100
AWS: Use correct IP address for the internal DNS
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3273ff48f04fe01364eb413966d7afb351a9cb41 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 27 10:05:55 2018 +0100
aws: Write HOSTNAME and DOMAINNAME when not set
Previously we expected the entire settings file to be empty but since we are now shipping some defaults for other settings.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0009de91e886514e05002eed1286f6007dea3876 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 27 09:59:47 2018 +0100
Ship default settings for language, theme, etc. in all images
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8b59ef085e4de8ea38e0ac9859c72f5a93194c9d Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 27 09:56:32 2018 +0100
aws: Ensure that SSH checkbox is enabled, too
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7fa83c2fe79fd2f3f32885707591637f559401a3 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 27 09:55:09 2018 +0100
aws: Enable SSH on the first start
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fd52e82a7252a7559c694fce6570aab461c331e3 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 25 11:08:04 2018 +0100
setup: Write /etc/hosts in initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d97ba75fe5634055850deda7a594d52e901dbe75 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 25 11:01:24 2018 +0100
setup: Don't write configuration files for TCP wrapper any more
This has been removed from the distribution a long time ago
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6723afef0922295dbd8ea66171270040b0edc002 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 25 10:59:49 2018 +0100
apache: Write hostname into configuration at boot time
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit bd3bcb45d611f1e5f39fae07f6c5b189c1e64560 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 25 10:55:39 2018 +0100
AWS: Import aws setup script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 563c50216300ab2078fabfe305fea93aaeb2d5e5 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 25 10:54:36 2018 +0100
dhcp: Ship dhclient
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 348360292979236e94a8e44fa8c4668941ad95da Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 25 10:53:53 2018 +0100
ssh: Update default configuration
This patch removes an old switch to enable SSH 1 and makes port 22 the default port.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1c21ebf8d5464d3d84e8d2dc247a77870f3961df Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 6 12:19:17 2018 +0100
Add initscript that automatically configures IPFire on AWS EC2
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1f2a90b5521eec74569c8d6f1a9902fc0aa44bbf Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 6 12:06:54 2018 +0100
flash-image: Make sure that GRUB boots the first entry
This is required when importing an image into AWS EC2 or the import of the image fails.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 .../cfgroot/aws-functions.pl | 18 +-
 config/cfgroot/header.pl | 24 ++
 config/cfgroot/main-settings | 5 +
 config/cfgroot/ssh-settings | 3 +-
 config/etc/nsswitch.conf | 2 +-
 config/firewall/firewall-policy | 18 +-
 config/rootfiles/common/aarch64/initscripts | 3 +
 config/rootfiles/common/armv5tel/initscripts | 3 +
 config/rootfiles/common/configroot | 1 +
 config/rootfiles/common/conntrack-tools | 13 +
 config/rootfiles/common/dhcp | 2 +-
 config/rootfiles/common/i586/initscripts | 3 +
 config/rootfiles/common/iptables | 18 +-
 config/rootfiles/common/libgcrypt | 2 +-
 config/rootfiles/common/libnetfilter_conntrack | 3 +-
 config/rootfiles/common/nss-myhostname | 4 +
 config/rootfiles/common/strongswan | 6 +-
 config/rootfiles/common/unbound | 2 +-
 config/rootfiles/common/x86_64/initscripts | 3 +
 .../110 => core/123}/filelists/conntrack-tools | 0
 config/rootfiles/core/123/filelists/files | 9 +
 .../{oldcore/28 => core/123}/filelists/iptables | 0
 config/rootfiles/core/123/filelists/nss-myhostname | 1 +
 .../{oldcore/106 => core/123}/filelists/strongswan | 0
 config/rootfiles/packages/lynis | 47 +++-
 html/cgi-bin/proxy.cgi | 4 +-
 html/cgi-bin/vpnmain.cgi | 22 +-
 lfs/apache2 | 2 +-
 lfs/configroot | 2 +
 lfs/conntrack-tools | 4 +-
 lfs/flash-images | 8 +-
 lfs/initscripts | 1 +
 lfs/iptables | 5 +-
 lfs/libgcrypt | 4 +-
 lfs/libnetfilter_conntrack | 4 +-
 lfs/lynis | 6 +-
 lfs/{libpcap => nss-myhostname} | 14 +-
 lfs/openssh | 2 +-
 lfs/openvpn | 4 +-
 lfs/smartmontools | 4 +-
 lfs/strongswan | 7 +-
 lfs/unbound | 4 +-
 make.sh | 1 +
 src/initscripts/helper/aws-setup | 276 +++++++++++++++++++++
 src/initscripts/system/apache | 3 +
 src/initscripts/system/aws | 80 ++++++
 src/initscripts/system/firewall | 10 +-
 src/initscripts/system/localnet | 9 +
 src/initscripts/system/udev | 10 +-
 src/setup/misc.c | 91 -------
 50 files changed, 585 insertions(+), 182 deletions(-)
 copy src/paks/wio/uninstall.sh => config/cfgroot/aws-functions.pl (89%)
 create mode 100644 config/cfgroot/main-settings
 create mode 100644 config/rootfiles/common/nss-myhostname
 copy config/rootfiles/{oldcore/110 => core/123}/filelists/conntrack-tools (100%)
 copy config/rootfiles/{oldcore/28 => core/123}/filelists/iptables (100%)
 create mode 120000 config/rootfiles/core/123/filelists/nss-myhostname
 copy config/rootfiles/{oldcore/106 => core/123}/filelists/strongswan (100%)
 copy lfs/{libpcap => nss-myhostname} (92%)
 create mode 100644 src/initscripts/helper/aws-setup
 create mode 100644 src/initscripts/system/aws
Difference in files: diff --git a/config/cfgroot/aws-functions.pl b/config/cfgroot/aws-functions.pl new file mode 100644 index 000000000..5fd97125c --- /dev/null +++ b/config/cfgroot/aws-functions.pl @@ -0,0 +1,34 @@ +#!/usr/bin/perl -w +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2018 IPFire Team info@ipfire.org. # +# # +############################################################################ + +package AWS; + +sub running_on_ec2() { + if (-e "/var/run/aws-instance-id") { + return 1; + } + + return 0; +} + +1; diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index 974c4d8b2..e8d9d377c 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -19,6 +19,8 @@ use Time::Local;
$|=1; # line buffering
+require "/var/ipfire/aws-functions.pl"; + $Header::revision = 'final'; $Header::swroot = '/var/ipfire'; $Header::graphdir='/srv/web/ipfire/html/graphs'; @@ -97,6 +99,14 @@ require "${swroot}/langs/en.pl"; require "${swroot}/langs/${language}.pl"; eval `/bin/cat /srv/web/ipfire/html/themes/$THEME_NAME/include/functions.pl`;
+sub green_used() { + if ($ethsettings{'GREEN_DEV'} && $ethsettings{'GREEN_DEV'} ne "") { + return 1; + } + + return 0; +} + sub orange_used () { if ($ethsettings{'CONFIG_TYPE'} =~ /^[24]$/) { return 1; @@ -161,6 +171,20 @@ sub genmenu { if ( $ethsettings{'RED_TYPE'} eq "PPPOE" && $pppsettings{'MONPORT'} ne "" ) { $menu->{'02.status'}{'subMenu'}->{'74.modem-status'}{'enabled'} = 1; } + + # Disbale unusable things on EC2 + if (&AWS::running_on_ec2()) { + $menu->{'03.network'}{'subMenu'}->{'30.dhcp'}{'enabled'} = 0; + $menu->{'03.network'}{'subMenu'}->{'80.macadressmenu'}{'enabled'} = 0; + $menu->{'03.network'}{'subMenu'}->{'90.wakeonlan'}{'enabled'} = 0; + } + + # Disable proxy when no GREEN is available + if (!&green_used()) { + $menu->{'03.network'}{'subMenu'}->{'20.proxy'}{'enabled'} = 0; + $menu->{'03.network'}{'subMenu'}->{'21.urlfilter'}{'enabled'} = 0; + $menu->{'03.network'}{'subMenu'}->{'22.updxlrator'}{'enabled'} = 0; + } } }
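Review bot: setting `{'enabled'} = 0` on the proxy, urlfilter and updxlrator entries in genmenu (and on dhcp, macadressmenu and wakeonlan when running_on_ec2() is true) only hides the links; the CGI scripts themselves stay reachable by URL, so if the intent of "Don't show proxy configuration pages when GREEN is not available" is that they cannot be used without GREEN, proxy.cgi and the other two need their own `&green_used()` check at the top, not just the menu flag. Two smaller points in the same region: running_on_ec2() in aws-functions.pl is a bare `-e "/var/run/aws-instance-id"` test, so whoever can create that file decides what the web UI hides (acceptable while /var/run is root-only, but worth a one-line comment saying the file is the trust anchor), and the new `require "/var/ipfire/aws-functions.pl"` runs before `$Header::swroot = '/var/ipfire'` is assigned, so it hardcodes the path where the later `require "${swroot}/langs/en.pl"` uses the variable; moving the require below that assignment would let it use `"${swroot}/aws-functions.pl"`. Also the comment typo `Disbale` should read `Disable`.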
diff --git a/config/cfgroot/main-settings b/config/cfgroot/main-settings new file mode 100644 index 000000000..7d4e7fb79 --- /dev/null +++ b/config/cfgroot/main-settings @@ -0,0 +1,5 @@ +THEME=ipfire +LANGUAGE=en +RRDLOG=/var/log/rrd +KEYMAP=/lib/kbd/keymaps/i386/qwerty/us.map.gz +TIMEZONE=/usr/share/zoneinfo/posix/UTC diff --git a/config/cfgroot/ssh-settings b/config/cfgroot/ssh-settings index 83b8876dd..5741431c1 100644 --- a/config/cfgroot/ssh-settings +++ b/config/cfgroot/ssh-settings @@ -1,6 +1,5 @@ ENABLE_SSH_KEYS=off -ENABLE_SSH_PROTOCOL1=off ENABLE_SSH_PASSWORDS=on ENABLE_SSH_PORTFW=off ENABLE_SSH=off -__CGI__=CGI=HASH(0x840b7a0) +SSH_PORT=on diff --git a/config/etc/nsswitch.conf b/config/etc/nsswitch.conf index 067e63b48..468fd1c88 100644 --- a/config/etc/nsswitch.conf +++ b/config/etc/nsswitch.conf @@ -4,7 +4,7 @@ passwd: files group: files shadow: files
-hosts: files dns +hosts: files dns myhostname networks: files
protocols: files diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy index cbba3b021..c0a526f22 100755 --- a/config/firewall/firewall-policy +++ b/config/firewall/firewall-policy @@ -58,7 +58,9 @@ HAVE_OPENVPN="true" # INPUT
# Allow access from GREEN -iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT +if [ -n "${GREEN_DEV}" ]; then + iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT +fi
# Allow access from BLUE if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then @@ -119,12 +121,14 @@ case "${POLICY}" in
*) # Access from GREEN is granted to everywhere - if [ "${IFACE}" = "${GREEN_DEV}" ]; then - # internet via green - # don't check source IP/NET if IFACE is GREEN - iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT - else - iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT + if [ -n "${GREEN_DEV}" ]; then + if [ "${IFACE}" = "${GREEN_DEV}" ]; then + # internet via green + # don't check source IP/NET if IFACE is GREEN + iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT + else + iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT + fi fi
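Review bot: the `-n "${GREEN_DEV}"` guards correctly stop the old `iptables -A POLICYIN -i "" -j ACCEPT` (and the matching POLICYFWD rules) from running with an empty interface name when no GREEN zone exists, but they use a different idiom than the BLUE branch directly below the INPUT hunk, which tests `[ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]`. Introducing `HAVE_GREEN` next to `HAVE_BLUE`/`HAVE_OPENVPN` and testing it the same way would keep the zones consistent and make the no-GREEN case explicit rather than inferred from an empty variable. The nesting in the POLICYFWD hunk does give the right default: with GREEN absent, no forward grant is added at all, so nothing is accepted that was not before. One defensive addition: the inner `else` branch still interpolates `"${GREEN_NETADDRESS}/${GREEN_NETMASK}"` unguarded, so a GREEN_DEV set without those two values yields `-s /` and an iptables error; checking `-n "${GREEN_NETADDRESS}"` there would fail closed instead.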
# Grant access for IPsec VPN connections diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 9e9e1a71a..3cb05d95f 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -1,10 +1,12 @@ etc/init.d #etc/rc.d #etc/rc.d/helper +etc/rc.d/helper/aws-setup etc/rc.d/helper/getdnsfromdhcpc.pl #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache +etc/rc.d/init.d/aws etc/rc.d/init.d/beep etc/rc.d/init.d/checkfs etc/rc.d/init.d/cleanfs @@ -184,6 +186,7 @@ etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S73swconfig +etc/rc.d/rcsysinit.d/S74aws etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S81pakfire diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 9e9e1a71a..3cb05d95f 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -1,10 +1,12 @@ etc/init.d #etc/rc.d #etc/rc.d/helper +etc/rc.d/helper/aws-setup etc/rc.d/helper/getdnsfromdhcpc.pl #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache +etc/rc.d/init.d/aws etc/rc.d/init.d/beep etc/rc.d/init.d/checkfs etc/rc.d/init.d/cleanfs @@ -184,6 +186,7 @@ etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S73swconfig +etc/rc.d/rcsysinit.d/S74aws etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S81pakfire diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 73b7bc01f..87389915e 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot 
@@ -7,6 +7,7 @@ usr/sbin/firewall-policy var/ipfire/addon-lang var/ipfire/auth #var/ipfire/auth/users +var/ipfire/aws-functions.pl #var/ipfire/backup var/ipfire/backup/exclude.user var/ipfire/backup/include.user diff --git a/config/rootfiles/common/conntrack-tools b/config/rootfiles/common/conntrack-tools index 52b642abc..ef392df67 100644 --- a/config/rootfiles/common/conntrack-tools +++ b/config/rootfiles/common/conntrack-tools @@ -1,13 +1,26 @@ #usr/lib/conntrack-tools +#usr/lib/conntrack-tools/ct_helper_amanda.la +usr/lib/conntrack-tools/ct_helper_amanda.so +#usr/lib/conntrack-tools/ct_helper_dhcpv6.la +#usr/lib/conntrack-tools/ct_helper_dhcpv6.so #usr/lib/conntrack-tools/ct_helper_ftp.la usr/lib/conntrack-tools/ct_helper_ftp.so +#usr/lib/conntrack-tools/ct_helper_mdns.la +usr/lib/conntrack-tools/ct_helper_mdns.so #usr/lib/conntrack-tools/ct_helper_rpc.la usr/lib/conntrack-tools/ct_helper_rpc.so +#usr/lib/conntrack-tools/ct_helper_sane.la +usr/lib/conntrack-tools/ct_helper_sane.so +#usr/lib/conntrack-tools/ct_helper_ssdp.la +usr/lib/conntrack-tools/ct_helper_ssdp.so +#usr/lib/conntrack-tools/ct_helper_tftp.la +usr/lib/conntrack-tools/ct_helper_tftp.so #usr/lib/conntrack-tools/ct_helper_tns.la usr/lib/conntrack-tools/ct_helper_tns.so usr/sbin/conntrack usr/sbin/conntrackd usr/sbin/nfct +#usr/share/man/man5/conntrackd.conf.5 #usr/share/man/man8/conntrack.8 #usr/share/man/man8/conntrackd.8 #usr/share/man/man8/nfct.8 diff --git a/config/rootfiles/common/dhcp b/config/rootfiles/common/dhcp index 9e6d52e4e..03b076826 100644 --- a/config/rootfiles/common/dhcp +++ b/config/rootfiles/common/dhcp @@ -18,7 +18,7 @@ etc/dhcp/dhcpd.conf #usr/lib/libdhcp.a #usr/lib/libdhcpctl.a #usr/lib/libomapi.a -#usr/sbin/dhclient +usr/sbin/dhclient usr/sbin/dhcpd usr/sbin/dhcrelay #usr/share/man/man1/omshell.1 diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index cc0e4580d..2c2306975 100644 --- a/config/rootfiles/common/i586/initscripts 
+++ b/config/rootfiles/common/i586/initscripts @@ -1,10 +1,12 @@ etc/init.d #etc/rc.d #etc/rc.d/helper +etc/rc.d/helper/aws-setup etc/rc.d/helper/getdnsfromdhcpc.pl #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache +etc/rc.d/init.d/aws etc/rc.d/init.d/beep etc/rc.d/init.d/checkfs etc/rc.d/init.d/cleanfs @@ -182,6 +184,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S70console +etc/rc.d/rcsysinit.d/S74aws etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S81pakfire diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables index 09e827c2a..d0c1065cb 100644 --- a/config/rootfiles/common/iptables +++ b/config/rootfiles/common/iptables @@ -16,9 +16,13 @@ lib/libiptc.so.0 lib/libiptc.so.0.0.0 #lib/libxtables.la lib/libxtables.so -lib/libxtables.so.10 -lib/libxtables.so.10.0.0 -lib/xtables +lib/libxtables.so.12 +lib/libxtables.so.12.0.0 +#lib/xtables +#lib/xtables/libebt_802_3.so +#lib/xtables/libebt_ip.so +#lib/xtables/libebt_log.so +#lib/xtables/libebt_mark_m.so #lib/xtables/libip6t_DNAT.so #lib/xtables/libip6t_DNPT.so #lib/xtables/libip6t_HL.so @@ -39,16 +43,15 @@ lib/xtables #lib/xtables/libip6t_ipv6header.so #lib/xtables/libip6t_mh.so #lib/xtables/libip6t_rt.so +#lib/xtables/libip6t_srh.so #lib/xtables/libipt_CLUSTERIP.so #lib/xtables/libipt_DNAT.so #lib/xtables/libipt_ECN.so #lib/xtables/libipt_LOG.so #lib/xtables/libipt_MASQUERADE.so -#lib/xtables/libipt_MIRROR.so #lib/xtables/libipt_NETMAP.so #lib/xtables/libipt_REDIRECT.so #lib/xtables/libipt_REJECT.so -#lib/xtables/libipt_SAME.so #lib/xtables/libipt_SNAT.so #lib/xtables/libipt_TTL.so #lib/xtables/libipt_ULOG.so @@ -56,7 +59,6 @@ lib/xtables #lib/xtables/libipt_icmp.so #lib/xtables/libipt_realm.so #lib/xtables/libipt_ttl.so -#lib/xtables/libipt_unclean.so #lib/xtables/libxt_AUDIT.so #lib/xtables/libxt_CHECKSUM.so #lib/xtables/libxt_CLASSIFY.so 
@@ -84,6 +86,7 @@ lib/xtables #lib/xtables/libxt_TRACE.so #lib/xtables/libxt_addrtype.so #lib/xtables/libxt_bpf.so +#lib/xtables/libxt_cgroup.so #lib/xtables/libxt_cluster.so #lib/xtables/libxt_comment.so #lib/xtables/libxt_connbytes.so @@ -99,12 +102,14 @@ lib/xtables #lib/xtables/libxt_esp.so #lib/xtables/libxt_hashlimit.so #lib/xtables/libxt_helper.so +#lib/xtables/libxt_ipcomp.so #lib/xtables/libxt_iprange.so #lib/xtables/libxt_ipvs.so #lib/xtables/libxt_layer7.so #lib/xtables/libxt_length.so #lib/xtables/libxt_limit.so #lib/xtables/libxt_mac.so +#lib/xtables/libxt_mangle.so #lib/xtables/libxt_mark.so #lib/xtables/libxt_multiport.so #lib/xtables/libxt_nfacct.so @@ -172,5 +177,6 @@ sbin/xtables-multi #usr/share/man/man8/iptables-restore.8 #usr/share/man/man8/iptables-save.8 #usr/share/man/man8/iptables.8 +#usr/share/man/man8/nfnl_osf.8 #usr/share/xtables usr/share/xtables/pf.os diff --git a/config/rootfiles/common/libgcrypt b/config/rootfiles/common/libgcrypt index e67fae932..e46507d46 100644 --- a/config/rootfiles/common/libgcrypt +++ b/config/rootfiles/common/libgcrypt @@ -6,7 +6,7 @@ #usr/lib/libgcrypt.la #usr/lib/libgcrypt.so usr/lib/libgcrypt.so.20 -usr/lib/libgcrypt.so.20.2.2 +usr/lib/libgcrypt.so.20.2.3 #usr/share/aclocal/libgcrypt.m4 #usr/share/info/gcrypt.info #usr/share/man/man1/hmac256.1 diff --git a/config/rootfiles/common/libnetfilter_conntrack b/config/rootfiles/common/libnetfilter_conntrack index 03000ec01..f5c776359 100644 --- a/config/rootfiles/common/libnetfilter_conntrack +++ b/config/rootfiles/common/libnetfilter_conntrack 
@@ -7,9 +7,10 @@ #usr/include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h #usr/include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h #usr/include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h +#usr/include/libnetfilter_conntrack/linux_nf_conntrack_common.h #usr/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h #usr/lib/libnetfilter_conntrack.la #usr/lib/libnetfilter_conntrack.so usr/lib/libnetfilter_conntrack.so.3 -usr/lib/libnetfilter_conntrack.so.3.6.0 +usr/lib/libnetfilter_conntrack.so.3.7.0 #usr/lib/pkgconfig/libnetfilter_conntrack.pc diff --git a/config/rootfiles/common/nss-myhostname b/config/rootfiles/common/nss-myhostname new file mode 100644 index 000000000..13f38ae42 --- /dev/null +++ b/config/rootfiles/common/nss-myhostname @@ -0,0 +1,4 @@ +lib/libnss_myhostname.so.2 +#usr/share/doc/nss-myhostname +#usr/share/doc/nss-myhostname/README.html +#usr/share/doc/nss-myhostname/style.css diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 0a0dd050e..6981a7ca8 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -17,6 +17,7 @@ etc/strongswan.d/charon.conf etc/strongswan.d/charon/aes.conf etc/strongswan.d/charon/attr.conf etc/strongswan.d/charon/ccm.conf +etc/strongswan.d/charon/chapoly.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/constraints.conf etc/strongswan.d/charon/counters.conf @@ -51,7 +52,6 @@ etc/strongswan.d/charon/pkcs7.conf etc/strongswan.d/charon/pkcs8.conf etc/strongswan.d/charon/pubkey.conf etc/strongswan.d/charon/random.conf -etc/strongswan.d/charon/rc2.conf etc/strongswan.d/charon/resolve.conf etc/strongswan.d/charon/revocation.conf etc/strongswan.d/charon/sha1.conf 
@@ -112,6 +112,7 @@ usr/lib/ipsec/libvici.so.0.0.0 usr/lib/ipsec/plugins/libstrongswan-aes.so usr/lib/ipsec/plugins/libstrongswan-attr.so usr/lib/ipsec/plugins/libstrongswan-ccm.so +usr/lib/ipsec/plugins/libstrongswan-chapoly.so usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-constraints.so usr/lib/ipsec/plugins/libstrongswan-counters.so @@ -146,7 +147,6 @@ usr/lib/ipsec/plugins/libstrongswan-pkcs7.so usr/lib/ipsec/plugins/libstrongswan-pkcs8.so usr/lib/ipsec/plugins/libstrongswan-pubkey.so usr/lib/ipsec/plugins/libstrongswan-random.so -usr/lib/ipsec/plugins/libstrongswan-rc2.so usr/lib/ipsec/plugins/libstrongswan-resolve.so usr/lib/ipsec/plugins/libstrongswan-revocation.so usr/lib/ipsec/plugins/libstrongswan-sha1.so @@ -197,6 +197,7 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/aes.conf #usr/share/strongswan/templates/config/plugins/attr.conf #usr/share/strongswan/templates/config/plugins/ccm.conf +#usr/share/strongswan/templates/config/plugins/chapoly.conf #usr/share/strongswan/templates/config/plugins/cmac.conf #usr/share/strongswan/templates/config/plugins/constraints.conf #usr/share/strongswan/templates/config/plugins/counters.conf @@ -231,7 +232,6 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/pkcs8.conf #usr/share/strongswan/templates/config/plugins/pubkey.conf #usr/share/strongswan/templates/config/plugins/random.conf -#usr/share/strongswan/templates/config/plugins/rc2.conf #usr/share/strongswan/templates/config/plugins/resolve.conf #usr/share/strongswan/templates/config/plugins/revocation.conf #usr/share/strongswan/templates/config/plugins/sha1.conf diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index af089054c..f3172f028 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound 
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.10 +usr/lib/libunbound.so.2.5.11 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index cc0e4580d..2c2306975 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -1,10 +1,12 @@ etc/init.d #etc/rc.d #etc/rc.d/helper +etc/rc.d/helper/aws-setup etc/rc.d/helper/getdnsfromdhcpc.pl #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache +etc/rc.d/init.d/aws etc/rc.d/init.d/beep etc/rc.d/init.d/checkfs etc/rc.d/init.d/cleanfs @@ -182,6 +184,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S70console +etc/rc.d/rcsysinit.d/S74aws etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S81pakfire diff --git a/config/rootfiles/core/123/filelists/conntrack-tools b/config/rootfiles/core/123/filelists/conntrack-tools new file mode 120000 index 000000000..88fbe061e --- /dev/null +++ b/config/rootfiles/core/123/filelists/conntrack-tools @@ -0,0 +1 @@ +../../../common/conntrack-tools \ No newline at end of file diff --git a/config/rootfiles/core/123/filelists/files b/config/rootfiles/core/123/filelists/files index 718af9eda..52586b9d4 100644 --- a/config/rootfiles/core/123/filelists/files +++ b/config/rootfiles/core/123/filelists/files 
@@ -1,7 +1,16 @@ etc/system-release etc/issue +etc/rc.d/helper/aws-setup +etc/rc.d/init.d/aws +etc/rc.d/rcsysinit.d/S74aws srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/sbin/dhclient var/ipfire/backup/exclude var/ipfire/langs +var/ipfire/aws-functions.pl +var/ipfire/header.pl +var/ipfire/general-functions.pl diff --git a/config/rootfiles/core/123/filelists/iptables b/config/rootfiles/core/123/filelists/iptables new file mode 120000 index 000000000..8caf12bcc --- /dev/null +++ b/config/rootfiles/core/123/filelists/iptables @@ -0,0 +1 @@ +../../../common/iptables \ No newline at end of file diff --git a/config/rootfiles/core/123/filelists/nss-myhostname b/config/rootfiles/core/123/filelists/nss-myhostname new file mode 120000 index 000000000..7d8203185 --- /dev/null +++ b/config/rootfiles/core/123/filelists/nss-myhostname @@ -0,0 +1 @@ +../../../common/nss-myhostname \ No newline at end of file diff --git a/config/rootfiles/core/123/filelists/strongswan b/config/rootfiles/core/123/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/123/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/packages/lynis b/config/rootfiles/packages/lynis index 6199853d3..9a2c21268 100644 --- a/config/rootfiles/packages/lynis +++ b/config/rootfiles/packages/lynis 
@@ -1,15 +1,43 @@ var/ipfire/lynis -#var/ipfire/lynis/CONTRIBUTORS +#var/ipfire/lynis/CHANGELOG.md +#var/ipfire/lynis/CODE_OF_CONDUCT.md +#var/ipfire/lynis/CONTRIBUTING.md +#var/ipfire/lynis/CONTRIBUTORS.md #var/ipfire/lynis/db var/ipfire/lynis/db/fileperms.db var/ipfire/lynis/db/hints.db var/ipfire/lynis/db/integrity.db +var/ipfire/lynis/db/languages +var/ipfire/lynis/db/languages/br +var/ipfire/lynis/db/languages/cn +var/ipfire/lynis/db/languages/de +var/ipfire/lynis/db/languages/en +var/ipfire/lynis/db/languages/en-GB +var/ipfire/lynis/db/languages/en-US +var/ipfire/lynis/db/languages/es +var/ipfire/lynis/db/languages/fi +var/ipfire/lynis/db/languages/fr +var/ipfire/lynis/db/languages/gr +var/ipfire/lynis/db/languages/he +var/ipfire/lynis/db/languages/hu +var/ipfire/lynis/db/languages/it +var/ipfire/lynis/db/languages/ja +var/ipfire/lynis/db/languages/nb-NO +var/ipfire/lynis/db/languages/nl +var/ipfire/lynis/db/languages/nl-BE +var/ipfire/lynis/db/languages/nl-NL +var/ipfire/lynis/db/languages/pl +var/ipfire/lynis/db/languages/pt +var/ipfire/lynis/db/languages/ru +var/ipfire/lynis/db/languages/se +var/ipfire/lynis/db/languages/tr var/ipfire/lynis/db/malware-susp.db var/ipfire/lynis/db/malware.db var/ipfire/lynis/db/sbl.db +var/ipfire/lynis/db/tests.db var/ipfire/lynis/default.prf +var/ipfire/lynis/developer.prf #var/ipfire/lynis/extras -var/ipfire/lynis/extras/.bzrignore #var/ipfire/lynis/extras/README #var/ipfire/lynis/extras/bash_completion.d var/ipfire/lynis/extras/bash_completion.d/lynis 
@@ -22,11 +50,18 @@ var/ipfire/lynis/extras/lynis.spec #var/ipfire/lynis/extras/systemd #var/ipfire/lynis/extras/systemd/lynis.service #var/ipfire/lynis/extras/systemd/lynis.timer +#var/ipfire/lynis/extras/travis-ci +#var/ipfire/lynis/extras/travis-ci/before_script.sh #var/ipfire/lynis/include var/ipfire/lynis/include/binaries var/ipfire/lynis/include/consts var/ipfire/lynis/include/data_upload var/ipfire/lynis/include/functions +var/ipfire/lynis/include/helper_audit_dockerfile +var/ipfire/lynis/include/helper_configure +var/ipfire/lynis/include/helper_show +var/ipfire/lynis/include/helper_system_remote_scan +var/ipfire/lynis/include/helper_update var/ipfire/lynis/include/osdetection var/ipfire/lynis/include/parameters var/ipfire/lynis/include/profiles @@ -35,15 +70,16 @@ var/ipfire/lynis/include/tests_accounting var/ipfire/lynis/include/tests_authentication var/ipfire/lynis/include/tests_banners var/ipfire/lynis/include/tests_boot_services +var/ipfire/lynis/include/tests_containers var/ipfire/lynis/include/tests_crypto var/ipfire/lynis/include/tests_custom.template var/ipfire/lynis/include/tests_databases +var/ipfire/lynis/include/tests_dns var/ipfire/lynis/include/tests_file_integrity var/ipfire/lynis/include/tests_file_permissions var/ipfire/lynis/include/tests_filesystems var/ipfire/lynis/include/tests_firewalls var/ipfire/lynis/include/tests_hardening -var/ipfire/lynis/include/tests_hardening_tools var/ipfire/lynis/include/tests_homedirs var/ipfire/lynis/include/tests_insecure_services var/ipfire/lynis/include/tests_kernel 
@@ -62,16 +98,17 @@ var/ipfire/lynis/include/tests_printers_spools var/ipfire/lynis/include/tests_scheduling var/ipfire/lynis/include/tests_shells var/ipfire/lynis/include/tests_snmp -#var/ipfire/lynis/include/tests_solaris var/ipfire/lynis/include/tests_squid var/ipfire/lynis/include/tests_ssh var/ipfire/lynis/include/tests_storage var/ipfire/lynis/include/tests_storage_nfs -var/ipfire/lynis/include/tests_tcpwrappers +var/ipfire/lynis/include/tests_system_integrity var/ipfire/lynis/include/tests_time var/ipfire/lynis/include/tests_tooling +var/ipfire/lynis/include/tests_usb var/ipfire/lynis/include/tests_virtualization var/ipfire/lynis/include/tests_webservers +var/ipfire/lynis/include/tool_tips var/ipfire/lynis/lynis var/ipfire/lynis/lynis.8 #var/ipfire/lynis/plugins diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index c36fc4e70..738425b9a 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -3428,7 +3428,7 @@ END my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'}; $ntlm_auth_group =~ s/\/+/;
- print FILE " --require-membership-of="$ntlm_auth_group""; + print FILE " --require-membership-of=$ntlm_auth_group"; } print FILE "\n";
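Review bot: dropping the quotes around the group name in `--require-membership-of=` (here at line 3428, and identically in the following hunk at line 3441) means a NTLM_AUTH_GROUP value containing whitespace is no longer handed to ntlm_auth as a single argument once squid tokenizes the `auth_param ... program` line; if the quotes were removed because they reached ntlm_auth literally, the setting should be validated to reject whitespace where it is saved, and the reason for the change belongs in the commit message.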
@@ -3441,7 +3441,7 @@ END my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'}; $ntlm_auth_group =~ s/\/+/;
- print FILE " --require-membership-of="$ntlm_auth_group""; + print FILE " --require-membership-of=$ntlm_auth_group"; } print FILE "\n"; print FILE "auth_param basic children 10\n"; diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index eefe97599..e557122df 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -58,16 +58,6 @@ my %mainsettings = ();
&General::readhash("${General::swroot}/ethernet/settings", %netsettings);
-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); -my $blue_cidr = "# Blue not defined"; -if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { - $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); -} -my $orange_cidr = "# Orange not defined"; -if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { - $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); -} - my %INACTIVITY_TIMEOUTS = ( 300 => $Lang::tr{'five minutes'}, 600 => $Lang::tr{'ten minutes'}, @@ -1919,11 +1909,11 @@ END $cgiparams{'REMOTE_ID'} = '';
#use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; @@ -2180,7 +2170,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2221,7 +2211,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2347,6 +2337,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || }
ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; @@ -2385,6 +2376,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
+ $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; @@ -2497,6 +2489,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <td class='boldbase' width="15%">$Lang::tr{'encryption'}</td> <td class='boldbase'> <select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'> + <option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option> <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option> <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option> <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option> @@ -2517,6 +2510,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> <td class='boldbase'> <select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'> + <option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option> <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option> <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option> <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option> diff --git a/lfs/apache2 b/lfs/apache2 index 69b05341d..16dd101d7 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install apache config cp -rf $(DIR_CONF)/httpd/* /etc/httpd/conf - ln -sf $(CONFIG_ROOT)/main/hostname.conf /etc/httpd/conf/ + touch /etc/httpd/conf/hostname.conf
# Create captive logging directory -mkdir -pv /var/log/httpd/captive diff --git a/lfs/configroot b/lfs/configroot index 426b3a58d..c2833fd4a 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -79,6 +79,7 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/network-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl $(CONFIG_ROOT)/ + cp $(DIR_SRC)/config/cfgroot/aws-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/ @@ -94,6 +95,7 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ + cp $(DIR_SRC)/config/cfgroot/main-settings $(CONFIG_ROOT)/main/settings cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings diff --git a/lfs/conntrack-tools b/lfs/conntrack-tools index d8a1099a7..f5c1dea66 100644 --- a/lfs/conntrack-tools +++ b/lfs/conntrack-tools @@ -24,7 +24,7 @@
include Config
-VER = 1.4.4 +VER = 1.4.5
THISAPP = conntrack-tools-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = acd9e0b27cf16ae3092ba900e4d7560e +$(DL_FILE)_MD5 = 9356a0cd4df81a597ac26d87ccfebac4
install : $(TARGET)
diff --git a/lfs/flash-images b/lfs/flash-images index f2ac6a34a..40aca5377 100644 --- a/lfs/flash-images +++ b/lfs/flash-images @@ -128,10 +128,6 @@ ifneq "$(BUILD_PLATFORM)" "arm" else tar -x -C $(MNThdd)/ -f /install/cdrom/distro.img endif - echo "LANGUAGE=en" >> $(MNThdd)/var/ipfire/main/settings - echo "HOSTNAME=$(SNAME)" >> $(MNThdd)/var/ipfire/main/settings - echo "THEME=ipfire" >> $(MNThdd)/var/ipfire/main/settings - -touch $(MNThdd)/lib/modules/$(KVER)-ipfire/modules.dep mkdir $(MNThdd)/proc mount --bind /proc $(MNThdd)/proc @@ -153,7 +149,6 @@ ifeq "$(BOOTLOADER)" "grub" # Enable also serial console on GRUB echo "GRUB_TERMINAL="serial console"" >> $(MNThdd)/etc/default/grub echo "GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200"" >> $(MNThdd)/etc/default/grub - echo "GRUB_TIMEOUT=-1" >> $(MNThdd)/etc/default/grub
# Add additional entry for Serial console cp $(DIR_SRC)/config/flash-images/grub/11_linux_scon \ @@ -163,6 +158,9 @@ ifeq "$(BOOTLOADER)" "grub" mkdir -pv $(MNThdd)/boot/grub chroot $(MNThdd) grub-mkconfig -o /boot/grub/grub.cfg
+ # Boot the first kernel by default + chroot $(MNThdd) grub-set-default 0 + # Insert the UUID because grub-mkconfig often fails to # detect that correctly sed -i $(MNThdd)/boot/grub/grub.cfg \ diff --git a/lfs/initscripts b/lfs/initscripts index 0d7f40cad..9b611a276 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -173,6 +173,7 @@ $(TARGET) : ln -sf ../init.d/setclock /etc/rc.d/rc0.d/K47setclock ln -sf ../init.d/setclock /etc/rc.d/rc6.d/K47setclock ln -sf ../init.d/console /etc/rc.d/rcsysinit.d/S70console + ln -sf ../init.d/aws /etc/rc.d/rcsysinit.d/S74aws ln -sf ../init.d/firstsetup /etc/rc.d/rcsysinit.d/S75firstsetup ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet ln -sf ../init.d/pakfire /etc/rc.d/rcsysinit.d/S81pakfire diff --git a/lfs/iptables b/lfs/iptables index b7ce9289a..35bb259ca 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -24,7 +24,7 @@
include Config
-VER = 1.4.21 +VER = 1.6.2
THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -41,7 +41,7 @@ objects = $(DL_FILE) \ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz
-$(DL_FILE)_MD5 = 536d048c8e8eeebcd9757d0863ebb0c0 +$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f
install : $(TARGET) @@ -92,6 +92,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --bindir=/sbin \ --sbindir=/sbin \ --mandir=/usr/share/man \ + --disable-nftables \ --with-pkgconfigdir=/usr/lib/pkgconfig
cd $(DIR_APP) && make $(MAKETUNING) diff --git a/lfs/libgcrypt b/lfs/libgcrypt index 3fba2797d..e7c387ceb 100644 --- a/lfs/libgcrypt +++ b/lfs/libgcrypt @@ -24,7 +24,7 @@
include Config
-VER = 1.8.2 +VER = 1.8.3
THISAPP = libgcrypt-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = cfb0b5c79eab07686b6898160a407139 +$(DL_FILE)_MD5 = 3139c2402e844985a67fb288a930534d
install : $(TARGET)
diff --git a/lfs/libnetfilter_conntrack b/lfs/libnetfilter_conntrack index 168f4277a..2095863ca 100644 --- a/lfs/libnetfilter_conntrack +++ b/lfs/libnetfilter_conntrack @@ -24,7 +24,7 @@
include Config
-VER = 1.0.6 +VER = 1.0.7
THISAPP = libnetfilter_conntrack-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 7139c5f408dd9606ffecfd5dcda8175b +$(DL_FILE)_MD5 = 013d182c2df716fcb5eb2a1fb7febd1f
install : $(TARGET)
diff --git a/lfs/lynis b/lfs/lynis index b3cabd752..8003a298e 100644 --- a/lfs/lynis +++ b/lfs/lynis @@ -24,7 +24,7 @@
include Config
-VER = 1.6.4 +VER = 2.6.4
THISAPP = lynis-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/lynis TARGET = $(DIR_INFO)/$(THISAPP)
PROG = lynis -PAK_VER = 5 +PAK_VER = 6 DEPS = ""
############################################################################### @@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = dfa946388af8926bd24f772d4fa4830a +$(DL_FILE)_MD5 = a5afd484b7aabf8af73adbc67a8f8756
install : $(TARGET)
diff --git a/lfs/nss-myhostname b/lfs/nss-myhostname new file mode 100644 index 000000000..9274e7588 --- /dev/null +++ b/lfs/nss-myhostname 
@@ -0,0 +1,77 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.3 + +THISAPP = nss-myhostname-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = d4ab9ac36c053ab8fb836db1cbd4a48f + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure --prefix=/usr --libdir=/lib + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/openssh b/lfs/openssh index 2db56b09c..9d551f198 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -82,7 +82,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - sed -i -e 's/^#?Port .*$$/Port 222/' \ + sed -i -e 's/^#?Port .*$$/Port 22/' \ -e 's/^#?Protocol .*$$/Protocol 2/' \ -e 's/^#?LoginGraceTime .*$$/LoginGraceTime 30s/' \ -e 's/^#?PubkeyAuthentication .*$$/PubkeyAuthentication yes/' \ diff --git a/lfs/openvpn b/lfs/openvpn index 5bd9da7a2..819ff05c5 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,7 +24,7 @@
include Config
-VER = 2.4.5 +VER = 2.4.6
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = c510ad3c8fce738c678dbcc54367c945 +$(DL_FILE)_MD5 = 3a1f3f63bdaede443b4df49957df9405
install : $(TARGET)
diff --git a/lfs/smartmontools b/lfs/smartmontools index 6c6d7db1d..a3c660a20 100644 --- a/lfs/smartmontools +++ b/lfs/smartmontools @@ -24,7 +24,7 @@
include Config
-VER = 6.5 +VER = 6.6
THISAPP = smartmontools-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 093aeec3f8f39fa9a37593c4012d3156 +$(DL_FILE)_MD5 = 9ae2c6e7131cd2813edcc65cbe5f223f
install : $(TARGET)
diff --git a/lfs/strongswan b/lfs/strongswan index 58f8c5e9b..102c24724 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.6.2 +VER = 5.6.3
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 46aa3aa18fbc4bd528f9a0345ce79913 +$(DL_FILE)_MD5 = a6a28eeb22aa58080a7581771a5b63f9
install : $(TARGET)
@@ -92,8 +92,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-eap-peap \ --enable-eap-mschapv2 \ --enable-eap-identity \ + --enable-chapoly \ --disable-padlock \ - --disable-chapoly \ + --disable-rc2 \ $(CONFIGURE_OPTIONS)
cd $(DIR_APP) && make $(MAKETUNING) diff --git a/lfs/unbound b/lfs/unbound index 4adc1a00c..b4c1b02f3 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@
include Config
-VER = 1.7.2 +VER = 1.7.3
THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1f4fd7e5032a9c5658cbde2c83f5f3be +$(DL_FILE)_MD5 = ea45068fb27ef358f581227b99645525
install : $(TARGET)
diff --git a/make.sh b/make.sh index 0238cc387..948bc6ed3 100755 --- a/make.sh +++ b/make.sh @@ -1535,6 +1535,7 @@ buildipfire() { lfsmake2 iftop lfsmake2 mdns-repeater lfsmake2 i2c-tools + lfsmake2 nss-myhostname }
buildinstaller() { diff --git a/src/initscripts/helper/aws-setup b/src/initscripts/helper/aws-setup new file mode 100644 index 000000000..f4ec45d90 --- /dev/null +++ b/src/initscripts/helper/aws-setup 
@@ -0,0 +1,276 @@ +#!/bin/bash + +. /etc/sysconfig/rc +. ${rc_functions} + +get() { + local file="${1}" + + wget -qO - "http://169.254.169.254/latest/meta-data/$%7Bfile%7D" +} + +to_address() { + local n="${1}" + + local o1=$(( (n & 0xff000000) >> 24 )) + local o2=$(( (n & 0xff0000) >> 16 )) + local o3=$(( (n & 0xff00) >> 8 )) + local o4=$(( (n & 0xff) )) + + printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}" +} + +to_integer() { + local address="${1}" + + local integer=0 + + local i + for i in ${address//./ }; do + integer=$(( (integer << 8) + i )) + done + + printf "%d\n" "${integer}" +} + +prefix2netmask() { + local prefix=${1} + + local zeros=$(( 32 - prefix )) + local netmask=0 + + local i + for (( i=0; i<${zeros}; i++ )); do + netmask=$(( (netmask << 1) ^ 1 )) + done + + to_address "$(( netmask ^ 0xffffffff ))" +} + +find_interface() { + local mac="${1}" + + local path + for path in /sys/class/net/*; do + local address="$(<${path}/address)" + + if [ "${mac}" = "${address}" ]; then + basename "${path}" + return 0 + fi + done + + return 1 +} + +import_aws_configuration() { + local instance_id="$(get instance-id)" + + boot_mesg "Importing AWS configuration for instance ${instance_id}..." + + # Store instance ID + echo "${instance_id}" > /var/run/aws-instance-id + + # Initialise system settings + local hostname=$(get local-hostname) + + # Set hostname + if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then + echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings + fi + + # Set domainname + if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then + echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings + fi + + # Import SSH keys + local line + for line in $(get "public-keys/"); do + local key_no="${line%=*}" + + local key="$(get public-keys/${key_no}/openssh-key)" + if [ -n "${key}" ] && ! 
grep -q "^${key}$" /root/.ssh/authorized_keys 2>/dev/null; then + mkdir -p /root/.ssh + chmod 700 /root/.ssh + + echo "${key}" >> /root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys + fi + done + + # Import any DNS server settings + eval $(/usr/local/bin/readhash <(grep -E "^DNS([0-9])=" /var/ipfire/ethernet/settings 2>/dev/null)) + + # Import network configuration + # After this, no network connectivity will be available from this script due to the + # renaming of the network interfaces for which they have to be shut down + local config_type=1 + : > /var/ipfire/ethernet/settings + + local mac + for mac in $(get network/interfaces/macs/); do + # Remove trailing slash + mac="${mac////}" + + local device_number="$(get "network/interfaces/macs/${mac}/device-number")" + local interface_id="$(get "network/interfaces/macs/${mac}/interface-id")" + + # First IPv4 address + local ipv4_address="$(get "network/interfaces/macs/${mac}/local-ipv4s" | head -n1)" + local ipv4_address_num="$(to_integer "${ipv4_address}")" + + # Get VPC subnet + local vpc="$(get "network/interfaces/macs/${mac}/vpc-ipv4-cidr-block")" + local vpc_netaddress="${vpc%/*}" + local vpc_netaddress_num="$(to_integer "${vpc_netaddress}")" + + # Get subnet size + local subnet="$(get "network/interfaces/macs/${mac}/subnet-ipv4-cidr-block")" + + local prefix="${subnet#*/}" + local netmask="$(prefix2netmask "${prefix}")" + local netmask_num="$(to_integer "${netmask}")" + + # Calculate the network and broadcast addresses + local netaddress="${subnet%/*}" + local netaddress_num="$(to_integer "${netaddress}")" + local broadcast="$(to_address $(( ipv4_address_num | (0xffffffff ^ netmask_num) )))" + + case "${device_number}" in + # RED + 0) + local interface_name="red0" + + # The gateway is always the first IP address in the subnet + local gateway="$(to_address $(( netaddress_num + 1 )))" + + # The AWS internal DNS service is available on the second IP address of the VPC + local dns1="$(to_address $(( 
vpc_netaddress_num + 2 )))" + local dns2= + + ( + echo "RED_TYPE=STATIC" + echo "RED_DEV=${interface_name}" + echo "RED_MACADDR=${mac}" + echo "RED_DESCRIPTION='${interface_id}'" + echo "RED_ADDRESS=${ipv4_address}" + echo "RED_NETMASK=${netmask}" + echo "RED_NETADDRESS=${netaddress}" + echo "RED_BROADCAST=${broadcast}" + echo "DEFAULT_GATEWAY=${gateway}" + echo "DNS1=${DNS1:-${dns1}}" + echo "DNS2=${DNS2:-${dns2}}" + ) >> /var/ipfire/ethernet/settings + + # Import aliases for RED + for alias in $(get "network/interfaces/macs/${mac}/local-ipv4s" | tail -n +2); do + echo "${alias},on," + done > /var/ipfire/ethernet/aliases + ;; + + # GREEN + 1) + local interface_name="green0" + + ( + echo "GREEN_DEV=${interface_name}" + echo "GREEN_MACADDR=${mac}" + echo "GREEN_DESCRIPTION='${interface_id}'" + echo "GREEN_ADDRESS=${ipv4_address}" + echo "GREEN_NETMASK=${netmask}" + echo "GREEN_NETADDRESS=${netaddress}" + echo "GREEN_BROADCAST=${broadcast}" + ) >> /var/ipfire/ethernet/settings + ;; + + # ORANGE + 2) + local interface_name="orange0" + config_type=2 + + ( + echo "ORANGE_DEV=${interface_name}" + echo "ORANGE_MACADDR=${mac}" + echo "ORANGE_DESCRIPTION='${interface_id}'" + echo "ORANGE_ADDRESS=${ipv4_address}" + echo "ORANGE_NETMASK=${netmask}" + echo "ORANGE_NETADDRESS=${netaddress}" + echo "ORANGE_BROADCAST=${broadcast}" + ) >> /var/ipfire/ethernet/settings + ;; + esac + + # Rename interface + local interface="$(find_interface "${mac}")" + + if [ -n "${interface}" ] && [ -n "${interface_name}" ] && [ "${interface}" != "${interface_name}" ]; then + ip link set "${interface}" down + ip link set "${interface}" name "${interface_name}" + fi + done + + # Save CONFIG_TYPE + echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings + + # Actions performed only on the very first start + if [ ! 
-e "/var/ipfire/main/firstsetup_ok" ]; then + # Enable SSH + sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings + + touch /var/ipfire/remote/enablessh + chown nobody:nobody /var/ipfire/remote/enablessh + + # Enable SSH key authentication + sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings + + # Apply SSH settings + /usr/local/bin/sshctrl + + # Firewall rules for SSH and WEBIF + ( + echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" + echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" + ) >> /var/ipfire/firewall/input + + # This script has now completed the first steps of setup + touch /var/ipfire/main/firstsetup_ok + fi + + # All done + echo_ok +} + +case "${reason}" in + PREINIT) + # Bring up the interface + ip link set "${interface}" up + ;; + + BOUND|RENEW|REBIND|REBOOT) + # Remove any previous IP addresses + ip addr flush dev "${interface}" + + # Add (or re-add) the new IP address + ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}" + + # Add the default route + ip route add default via "${new_routers}" + + # Import AWS configuration + import_aws_configuration + ;; + + EXPIRE|FAIL|RELEASE|STOP) + # Remove all IP addresses + ip addr flush dev "${interface}" + ;; + + *) + echo "Unhandled reason: ${reason}" >&2 + exit 2 + ;; +esac + +# Terminate +exit 0 diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache index f2a9fb872..d9cc7fa48 100644 --- a/src/initscripts/system/apache +++ b/src/initscripts/system/apache @@ -61,6 +61,9 @@ case "$1" in # Generate all required certificates generate_certificates
+ # Update hostname + echo "ServerName ${HOSTNAME}" > /etc/httpd/conf/hostname.conf + boot_mesg "Starting Apache daemon..." /usr/sbin/apachectl -k start evaluate_retval diff --git a/src/initscripts/system/aws b/src/initscripts/system/aws new file mode 100644 index 000000000..f2a5c7cb7 --- /dev/null +++ b/src/initscripts/system/aws 
@@ -0,0 +1,80 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/aws +######################################################################## + +. /etc/sysconfig/rc +. ${rc_functions} + +# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/identify_ec2_instances.h... +running_on_ec2() { + local uuid + + # Check if the hypervisor UUID starts with ec2 + if [ -r "/sys/hypervisor/uuid" ]; then + uuid=$(</sys/hypervisor/uuid) + + [ "${uuid:0:3}" = "ec2" ] && return 0 + fi + + # Check if the DMI product UUID starts with EC2 + if [ -r "/sys/devices/virtual/dmi/id/product_uuid" ]; then + uuid=$(</sys/devices/virtual/dmi/id/product_uuid) + + [ "${uuid:0:3}" = "EC2" ] && return 0 + fi + + # We are not running on AWS EC2 + return 1 +} + +case "${1}" in + start) + # Do nothing if we are not running on AWS EC2 + running_on_ec2 || exit 0 + + # Find the first interface to use + for i in /sys/class/net/*; do + [ -d "${i}" ] || continue + i=$(basename ${i}) + + # Skip loopback + [ "${i}" = "lo" ] && continue + + # Use whatever we have found + intf="${i}" + break + done + + # Check if we found a network interface + if [ ! -n "${intf}" ]; then + echo_failure + + boot_mesg -n "Could not find a network interface" ${FAILURE} + boot_mesg "" ${NORMAL} + fi + + # Run a DHCP client and set up the system accordingly + dhclient -sf /etc/rc.d/helper/aws-setup "${intf}" + + # End DHCP client immediately + dhclient -sf /etc/rc.d/helper/aws-setup -r "${intf}" &>/dev/null + ;; + + status) + if running_on_ec2; then + echo "This system is running on AWS EC2" + exit 0 + else + echo "This system is NOT running on AWS EC2" + exit 1 + fi + ;; + + *) + echo "Usage: ${0} {start|status}" + exit 1 + ;; +esac + +# End $rc_base/init.d/aws diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cab791c1f..707209987 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -280,7 +280,9 @@ iptables_init() { # Always allow accessing the web GUI from GREEN. iptables -N GUIINPUT iptables -A INPUT -j GUIINPUT - iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT + if [ -n "${GREEN_DEV}" ]; then + iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT + fi
# WIRELESS chains iptables -N WIRELESSINPUT @@ -329,8 +331,10 @@ iptables_init() { iptables -t nat -N NAT_DESTINATION_FIX iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
- iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}" + if [ -n "${GREEN_ADDRESS}" ]; then + iptables -t nat -A NAT_DESTINATION_FIX \ + -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}" + fi
if [ -n "${BLUE_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ diff --git a/src/initscripts/system/localnet b/src/initscripts/system/localnet index ff374bb2b..e071216fd 100644 --- a/src/initscripts/system/localnet +++ b/src/initscripts/system/localnet @@ -22,6 +22,12 @@ write_resolv_conf() { ) > /etc/resolv.conf }
+write_hosts() { + ( + echo "127.0.0.1 localhost.localdomain localhost" + ) > /etc/hosts +} + case "${1}" in start) eval $(/usr/local/bin/readhash /var/ipfire/main/settings) @@ -40,6 +46,9 @@ case "${1}" in evaluate_retval fi
+ # Update hosts + write_hosts + # Update resolv.conf write_resolv_conf ;; diff --git a/src/initscripts/system/udev b/src/initscripts/system/udev index 6cf8771ea..5e0d9bdfd 100644 --- a/src/initscripts/system/udev +++ b/src/initscripts/system/udev @@ -60,7 +60,8 @@ case "${1}" in
# Start the udev daemon to continually watch for, and act on, # uevents - /sbin/udevd --daemon + boot_mesg "Starting udev daemon..." + loadproc udevd --daemon
# Now traverse /sys in order to "coldplug" devices that have # already been discovered @@ -72,6 +73,13 @@ case "${1}" in
;;
+ restart) + boot_mesg "Stopping udev daemon..." + killproc udevd + + exec $0 start + ;; + *) echo "Usage ${0} {start}" exit 1 diff --git a/src/setup/misc.c b/src/setup/misc.c index a31b1d8a8..f9ba39b8c 100644 --- a/src/setup/misc.c +++ b/src/setup/misc.c @@ -19,31 +19,13 @@ extern char *mylog;
extern int automode;
-/* This will rewrite /etc/hosts, /etc/hosts.*, and the apache ServerName file. */ int writehostsfiles(void) { - char address[STRING_SIZE] = ""; - char netaddress[STRING_SIZE] = ""; - char netmask[STRING_SIZE] = ""; char message[1000]; - FILE *file, *hosts; struct keyvalue *kv; char hostname[STRING_SIZE]; char domainname[STRING_SIZE] = "localdomain"; char commandstring[STRING_SIZE]; - char buffer[STRING_SIZE]; - - kv = initkeyvalues(); - if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))) - { - freekeyvalues(kv); - errorbox(_("Unable to open settings file")); - return 0; - } - findkey(kv, "GREEN_ADDRESS", address); - findkey(kv, "GREEN_NETADDRESS", netaddress); - findkey(kv, "GREEN_NETMASK", netmask); - freekeyvalues(kv); kv = initkeyvalues(); if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings"))) 
@@ -57,79 +39,6 @@ int writehostsfiles(void) findkey(kv, "DOMAINNAME", domainname); freekeyvalues(kv); - if (!(file = fopen(CONFIG_ROOT "/main/hostname.conf", "w"))) - { - sprintf (message, _("Unable to write %s/main/hostname.conf"), CONFIG_ROOT); - errorbox(message); - return 0; - } - fprintf(file, "ServerName %s.%s\n", hostname,domainname); - fclose(file); - - if (!(file = fopen(CONFIG_ROOT "/main/hosts", "r"))) - { - errorbox(_("Unable to open main hosts file.")); - return 0; - } - if (!(hosts = fopen("/etc/hosts", "w"))) - { - errorbox(_("Unable to write /etc/hosts.")); - return 0; - } - fprintf(hosts, "127.0.0.1\tlocalhost\n"); - if (strlen(domainname)) - fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname); - else - fprintf(hosts, "%s\t%s\n",address,hostname); - while (fgets(buffer, STRING_SIZE, file)) - { - char *token, *ip, *host, *domain; - - buffer[strlen(buffer) - 1] = 0; - - token = strtok(buffer, ","); - - ip = strtok(NULL, ","); - host = strtok(NULL, ","); - domain = strtok(NULL, ","); - - if (!(ip && host)) - break; - - if (strlen(ip) < 7 || strlen(ip) > 15 - || strspn(ip, "0123456789.") != strlen(ip)) - break; - - if (strspn(host, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-") != strlen(host)) - break; - - if (domain) - fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host); - else - fprintf(hosts, "%s\t%s\n",ip,host); - } - fclose(file); - fclose(hosts); - - /* TCP wrappers stuff. */ - if (!(file = fopen("/etc/hosts.deny", "w"))) - { - errorbox(_("Unable to write /etc/hosts.deny.")); - return 0; - } - fprintf(file, "ALL : ALL\n"); - fclose(file); - - if (!(file = fopen("/etc/hosts.allow", "w"))) - { - errorbox(_("Unable to write /etc/hosts.allow.")); - return 0; - } - fprintf(file, "sshd : ALL\n"); - fprintf(file, "ALL : localhost\n"); - fprintf(file, "ALL : %s/%s\n", netaddress, netmask); - fclose(file); - sprintf(commandstring, "/bin/hostname %s.%s", hostname, domainname); if (mysystem(NULL, commandstring)) {
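Review bot: In the first-setup block of the aws-setup helper, the two rules appended to /var/ipfire/firewall/input accept SSH and TCP/444 from `std_net_src,ALL` on RED, so both SSH and the web GUI are reachable from any source address as soon as the instance boots; the SSH rule is paired with `ENABLE_SSH_KEYS=on`, but the 444 rule exposes the password-protected web interface to the whole internet and should be narrowed to an operator-supplied source, or at least be stated explicitly in the commit message. Also, at the end of the interface loop `ip link set "${interface}" down` is followed by the rename but nothing brings `${interface_name}` back up; if the regular network start is expected to do that, a comment saying so would help. Minor: the first substitution `s/ENABLE_SSH=.*/ENABLE_SSH=on/g` lacks the `^` anchor that the `ENABLE_SSH_KEYS` substitution uses.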
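Review bot: The new line `echo "ServerName ${HOSTNAME}" > /etc/httpd/conf/hostname.conf` in the apache initscript writes only the bare hostname, whereas the `writehostsfiles()` code removed from src/setup/misc.c in this same series wrote `ServerName %s.%s` with the domain appended, and wrote it to CONFIG_ROOT "/main/hostname.conf". Please confirm the httpd configuration now includes /etc/httpd/conf/hostname.conf rather than the old path, that dropping the domain part is intended, and where `${HOSTNAME}` is set, since it is not sourced anywhere visible in this hunk.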
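Review bot: In the `start)` branch of the new aws initscript, the `if [ ! -n "${intf}" ]` block prints the failure message but does not exit, so `dhclient -sf /etc/rc.d/helper/aws-setup "${intf}"` still runs with an empty interface argument; add `exit 1` after the `boot_mesg "" ${NORMAL}` line, and initialise `intf=""` before the loop so a stray environment variable cannot satisfy the check. Separately, the file has a `#!/bin/sh` shebang but relies on bash-only constructs (`$(</sys/hypervisor/uuid)`, `${uuid:0:3}`, `&>/dev/null`); either change the shebang to `#!/bin/bash` or use `$(cat ...)`, a `case` prefix match and `>/dev/null 2>&1` instead.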
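Review bot: `write_hosts()` in the localnet initscript emits only `127.0.0.1 localhost.localdomain localhost`, but the /etc/hosts generation it replaces (removed from `writehostsfiles()` in src/setup/misc.c in this series) also wrote the firewall's own `<address> <hostname>.<domain> <hostname>` line and every entry from CONFIG_ROOT "/main/hosts". With this patch the local hostname no longer resolves through /etc/hosts and the user-maintained hosts entries are dropped; either extend write_hosts to emit those lines (the `start)` branch already loads /var/ipfire/main/settings via readhash) or say in the commit message where they are generated now.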
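Review bot: The new `restart)` branch in the udev initscript is not reflected in the usage text, which still prints `Usage ${0} {start}`; update it to `{start|restart}`. Also, `loadproc udevd --daemon` depends on udevd being found on PATH, whereas the removed line invoked `/sbin/udevd` by absolute path; worth checking that the early-boot PATH resolves it.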
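Review bot: Besides /etc/hosts and hostname.conf, the code removed from `writehostsfiles()` in src/setup/misc.c was what regenerated /etc/hosts.deny (`ALL : ALL`) and /etc/hosts.allow (`sshd : ALL`, `ALL : localhost`, `ALL : <GREEN netaddress>/<netmask>`); nothing in this series recreates them, so TCP-wrapper-aware services either keep a stale allow list or, on a fresh install, run without any hosts.allow/hosts.deny policy. Please state in the commit message where (or whether) these files are produced now. Also check whether `char message[1000]` is still used in this function after the hostname.conf error path was removed, to avoid an unused-variable warning.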
hooks/post-receive -- IPFire 2.x development tree