This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via 84b04cb6d38eb0ca0fca426e4d6e0c0a2c467d9e (commit) via d99826dc71146a6d019341892d6f2d7b69ee2407 (commit) via e5da7dea66167602b9255ac6b77d9ab32398a23d (commit) via db151ad716beefcb9ab9fadd2bb3ac9934748793 (commit) via 09831e9ca9c27b024d305f40655298d8106cdf5c (commit) via 75a89ddf4aaccaf397e320a98bf1ecf65c78cff4 (commit) via 6826eed0a4a892bf6ef24abd312bad474568c988 (commit) via 4efa4c4b714f117cb561201f7f6c122cb7da624a (commit) via 0c5a683b7ed3cb268648c573bcbeead20f824e95 (commit) via d98d10f7df7bd8715b338c6c3b30801f65243977 (commit) via cf44d8d149dbda8aa8dccd89dd5e3ff75af628b9 (commit) via 5da15c5d3b1772f133d10a309d99b3588b98be0f (commit) via 4721fac3c88069d5ca426f6be750f9b860efecaa (commit) via a85924cc2534c65eb10b800375ade8a5bb311dc1 (commit) via 8b73307b15a74b3e0781cfb3430298403e849ed6 (commit) via 63f4b3a7bc4bd80b036c02f2483fd82ac5810aca (commit) via 0d38ebeb059cca9f97316f4980ee4437110ddf55 (commit) via 525ff6d74dac833854dde69a152e98f1b5fd14d2 (commit) via 2438c6c2497015e92e823ecd2fbe9071a2cda575 (commit) via d3db0465703fe15855b02c3487859c8ca5a0db2b (commit) via d2f7d18e338975fa5d6a6f89b3eb86378e124612 (commit) via 891702cad16def266ab4ab1e8dde79367dd3d140 (commit) via 119cb837067ab16f6bf6ea88f512f8f8c38ea49c (commit) via 50f3e2a534d99ad4606535709e02f40ac89260fd (commit) via 1b7d1abdf0978be4dfd57f339313ce811322aaf9 (commit) via 72d501f9235e290c974b2e4207b822b164d3a2fc (commit) via eb3156ed6b4a1de646259295db47c6cbeaa438ae (commit) via 79cce701a94fb903e94838faf4c2e1016a24ba62 (commit) via 7e1c564ec8f25cb00c49a5ceecdb004c0b186555 (commit) via 17887e69a82dc92880136940ccdff1254c612233 (commit) via e088c2115843cb6d70ea5bc21af818f5dbd7e822 (commit) via 54a58a2891910ece5174ec8f20504ae2f80841e2 (commit) via 84a73d5f3997be2f1907c5eb4ad7a7069611ab4a (commit) via 655a95803a2fdc16ed7541b0c368620bb23d7740 (commit) via 50d987cc2194945be50030fde179e293f692135d (commit) via 7e5ec5699886664686d05ef3d7dc3006d162b5a7 (commit) via 558dcc66e632fe12b566edc4e39c519cdbc1b6a0 (commit) from fc1537434f007977161c2ba46b823d276b8c5d7c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 84b04cb6d38eb0ca0fca426e4d6e0c0a2c467d9e Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 24 08:53:40 2024 +0000
core189: Ship suricata changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d99826dc71146a6d019341892d6f2d7b69ee2407 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 24 10:33:22 2024 +0200
suricata: Enable scanning IPsec packets
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e5da7dea66167602b9255ac6b77d9ab32398a23d Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Sep 22 17:22:48 2024 +0200
ids.cgi: Add UI to enable scanning on IPsec
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit db151ad716beefcb9ab9fadd2bb3ac9934748793 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Sep 22 17:08:03 2024 +0200
suricata: Add support for zones having multiple interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 09831e9ca9c27b024d305f40655298d8106cdf5c Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Sep 22 17:06:21 2024 +0200
suricata: Split marking packets off into a separate chain
This is required so that we can have different policies for incoming and outgoing packets.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 75a89ddf4aaccaf397e320a98bf1ecf65c78cff4 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 21 17:55:09 2024 +0200
suricata: Clear IPS bits after use
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6826eed0a4a892bf6ef24abd312bad474568c988 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 21 12:39:32 2024 +0200
suricata: Always count the whitelisted packets
Even if there are no rules, if this does not exist, collectd will be unhappy and we cannot generate the graph.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4efa4c4b714f117cb561201f7f6c122cb7da624a Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 21 12:37:09 2024 +0200
ids.cgi: Don't show the graph if there is no RRD data
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0c5a683b7ed3cb268648c573bcbeead20f824e95 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 21 12:34:56 2024 +0200
ids.cgi: Fix empty states of tables
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d98d10f7df7bd8715b338c6c3b30801f65243977 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 21 12:28:50 2024 +0200
graphs.pl: Fix suricata graph name
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cf44d8d149dbda8aa8dccd89dd5e3ff75af628b9 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 17 04:04:07 2024 +0200
firewall: Move the IPS back to INPUT/FORWARD/OUTPUT
We cannot use the PREROUTING/POSTROUTING chains here because Suricata will fail to track NAT-ed connections.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5da15c5d3b1772f133d10a309d99b3588b98be0f Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 13 10:12:30 2024 +0200
suricata: Track whitelisted traffic and add it to the IPS graph
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4721fac3c88069d5ca426f6be750f9b860efecaa Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Sep 11 00:43:59 2024 +0200
IPS: Ada a graph that shows the IPS throughput
This graph is split into three parts. One shows bypassed packets, the next one shows the actually scanned packets and lastly we show the total throughput.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a85924cc2534c65eb10b800375ade8a5bb311dc1 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 23:45:53 2024 +0200
suricata: Collect metrics on scanned and bypassed packets
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8b73307b15a74b3e0781cfb3430298403e849ed6 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 23:23:38 2024 +0200
suricata: Force Suricata to write a PID file again
The PID file does not get written when Suricata is not being started in daemon mode and therefore we need to pass it as a command line parameter.
The initscript should not deal with the PID file when starting but needs it to terminate the process and to check the process status.
The web UI can use the PID file again.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 63f4b3a7bc4bd80b036c02f2483fd82ac5810aca Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 23:23:18 2024 +0200
suricata: Fix syntax error in watcher script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0d38ebeb059cca9f97316f4980ee4437110ddf55 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 23:17:20 2024 +0200
suricata: Remove debugging code
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 525ff6d74dac833854dde69a152e98f1b5fd14d2 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:37:38 2024 +0200
firewall: Move the IPS after the NAT marking
This is because we might still land in the scenario where Suricata crashes and NFQUEUE will simply ACCEPT all packets which will terminate the processing of the mangle table.
Therefore the NFQUEUE rule should be the last one so that we never skip any of the other processing.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2438c6c2497015e92e823ecd2fbe9071a2cda575 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:35:18 2024 +0200
ids.cgi: Fix detection for the Suricata process
We don't seem to have a PID file any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d3db0465703fe15855b02c3487859c8ca5a0db2b Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:24:01 2024 +0200
ids.cgi: Remove box from the top section
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d2f7d18e338975fa5d6a6f89b3eb86378e124612 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:22:59 2024 +0200
ids.cgi: Sort whitelist entries
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 891702cad16def266ab4ab1e8dde79367dd3d140 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:17:33 2024 +0200
ids.cgi: Use new-style table for whitelist entries
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 119cb837067ab16f6bf6ea88f512f8f8c38ea49c Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:09:58 2024 +0200
ids.cgi: Use new style tables for rulesets
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50f3e2a534d99ad4606535709e02f40ac89260fd Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 11:01:52 2024 +0200
suricata: Fix broken spacing in the settings section
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1b7d1abdf0978be4dfd57f339313ce811322aaf9 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 10:50:15 2024 +0200
suricata: Add option to scan WireGuard
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 72d501f9235e290c974b2e4207b822b164d3a2fc Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 10:42:11 2024 +0200
suricata: Don't load /var/ipfire/ethernet/settings
We no longer need this directly as it is being pulled in from the network functions.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit eb3156ed6b4a1de646259295db47c6cbeaa438ae Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 10:41:19 2024 +0200
suricata: Remove superfluous bits from the initscript
I don't know why these hacks are here.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 79cce701a94fb903e94838faf4c2e1016a24ba62 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 10 10:40:28 2024 +0200
suricata: Restore the interface selection
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7e1c564ec8f25cb00c49a5ceecdb004c0b186555 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 23:08:11 2024 +0200
suricata: Start the new watcher in the background
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 17887e69a82dc92880136940ccdff1254c612233 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 20:09:22 2024 +0200
suricata: Add a watcher to restart on unexpected termination
This patch adds a watcher process that will restart suricata when it is being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e088c2115843cb6d70ea5bc21af818f5dbd7e822 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 19:38:47 2024 +0200
suricata: Be more efficient with marks
This patch changes that we introduce a new mark which allows us to identify any newly bypassed connections and permanently store the bypass flag.
We also only restore marks from the connection tracking when a packet has no marks, yet.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 54a58a2891910ece5174ec8f20504ae2f80841e2 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 19:37:56 2024 +0200
suricata: Replace removed CPU count function
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 84a73d5f3997be2f1907c5eb4ad7a7069611ab4a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 12:46:23 2024 +0200
suricata: Add whitelist to iptables
This allows us to workaround better against any problems in Suricata because we never send any whitelisted packets to the IPS in the first place.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 655a95803a2fdc16ed7541b0c368620bb23d7740 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 11:58:50 2024 +0200
suricata: Remove some unused constants
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50d987cc2194945be50030fde179e293f692135d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 11:55:34 2024 +0200
suricata: Use getconf to determine the number of processors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7e5ec5699886664686d05ef3d7dc3006d162b5a7 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 11:54:04 2024 +0200
initscripts: Fix bash function definitions in suricata
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 558dcc66e632fe12b566edc4e39c519cdbc1b6a0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 9 11:49:30 2024 +0200
suricata: Move the IPS into the mangle table
This should make the IPS more efficient, we should have fewer rules and the IPS will now sit at the edge of the networking stack as it will see packets immediately when they come and and just before they leave.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/cfgroot/graphs.pl | 87 ++++++++ config/collectd/collectd.conf | 5 + config/rootfiles/common/suricata | 1 + config/rootfiles/core/189/filelists/files | 8 + config/rootfiles/core/189/update.sh | 1 + .../execute.sh => config/suricata/suricata-watcher | 45 +++- doc/language_issues.de | 1 + doc/language_issues.en | 8 +- doc/language_issues.es | 8 + doc/language_issues.fr | 8 + doc/language_issues.it | 8 +- doc/language_issues.nl | 8 +- doc/language_issues.pl | 8 +- doc/language_issues.ru | 8 +- doc/language_issues.tr | 8 +- doc/language_missings | 57 +++++ html/cgi-bin/getrrdimage.cgi | 10 +- html/cgi-bin/ids.cgi | 145 +++++++------ langs/de/cgi-bin/de.pl | 7 + langs/en/cgi-bin/en.pl | 8 + lfs/suricata | 3 + src/initscripts/networking/functions.network | 80 +++++++ src/initscripts/system/firewall | 42 ++-- src/initscripts/system/suricata | 240 ++++++++++----------- 24 files changed, 572 insertions(+), 232 deletions(-) copy tools/execute.sh => config/suricata/suricata-watcher (68%) mode change 100755 => 100644
Difference in files: diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 2439c5bf6..f07214cf8 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -1189,3 +1189,90 @@ sub updateconntrackgraph {
return "Error in RRD::Graph for conntrack: " . $ERROR . "\n" if $ERROR; } + +sub updateipsthroughputgraph { + my $period = $_[0]; + + my @command = ( + @GRAPH_ARGS, + "-", + "--start", + "-1" . $period, + "-r", + "--lower-limit","0", + "-v $Lang::tr{'bytes per second'}", + "--color=BACK" . $color{"color21"}, + + # Read bypassed packets + "DEF:bypassed_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-BYPASSED.rrd:value:AVERAGE", + #"DEF:bypassed_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-BYPASSED.rrd:value:AVERAGE", + + "VDEF:bypassed_bytes_avg=bypassed_bytes,AVERAGE", + "VDEF:bypassed_bytes_min=bypassed_bytes,MINIMUM", + "VDEF:bypassed_bytes_max=bypassed_bytes,MAXIMUM", + + # Read scanned packets + "DEF:scanned_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-SCANNED.rrd:value:AVERAGE", + #"DEF:scanned_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-SCANNED.rrd:value:AVERAGE", + + "VDEF:scanned_bytes_avg=scanned_bytes,AVERAGE", + "VDEF:scanned_bytes_min=scanned_bytes,MINIMUM", + "VDEF:scanned_bytes_max=scanned_bytes,MAXIMUM", + + # Read whitelisted packets + "DEF:whitelisted_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-WHITELISTED.rrd:value:AVERAGE", + #"DEF:whitelisted_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-WHITELISTED.rrd:value:AVERAGE", + + "VDEF:whitelisted_bytes_avg=whitelisted_bytes,AVERAGE", + "VDEF:whitelisted_bytes_min=whitelisted_bytes,MINIMUM", + "VDEF:whitelisted_bytes_max=whitelisted_bytes,MAXIMUM", + + # Total + "CDEF:total_bytes=bypassed_bytes,scanned_bytes,ADDNAN,whitelisted_bytes,ADDNAN", + #"CDEF:total_packets=bypassed_packets,scanned_packets,ADDNAN,whitelisted_packets,ADDNAN", + + "VDEF:total_bytes_avg=total_bytes,AVERAGE", + "VDEF:total_bytes_min=total_bytes,MINIMUM", + "VDEF:total_bytes_max=total_bytes,MAXIMUM", + + # Add some space below the graph + "COMMENT: \n", + + # Headline + "COMMENT:" . sprintf("%32s", ""), + "COMMENT:" . sprintf("%16s", $Lang::tr{'average'}), + "COMMENT:" . sprintf("%16s", $Lang::tr{'minimum'}), + "COMMENT:" . sprintf("%16s", $Lang::tr{'maximum'}) . "\j", + + # Whitelisted Packets + "AREA:whitelisted_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'whitelisted'}), + "GPRINT:whitelisted_bytes_avg:%9.2lf %sbps", + "GPRINT:whitelisted_bytes_min:%9.2lf %sbps", + "GPRINT:whitelisted_bytes_max:%9.2lf %sbps\j", + + # Bypassed Packets + "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}), + "GPRINT:bypassed_bytes_avg:%9.2lf %sbps", + "GPRINT:bypassed_bytes_min:%9.2lf %sbps", + "GPRINT:bypassed_bytes_max:%9.2lf %sbps\j", + + # Scanned Packets + "STACK:scanned_bytes$color{'color13'}A0:" . sprintf("%-30s", $Lang::tr{'scanned'}), + "GPRINT:scanned_bytes_avg:%9.2lf %sbps", + "GPRINT:scanned_bytes_min:%9.2lf %sbps", + "GPRINT:scanned_bytes_max:%9.2lf %sbps\j", + + "COMMENT: \n", + + # Total Packets + "COMMENT:" . sprintf("%-32s", $Lang::tr{'total'}), + "GPRINT:total_bytes_avg:%9.2lf %sbps", + "GPRINT:total_bytes_min:%9.2lf %sbps", + "GPRINT:total_bytes_max:%9.2lf %sbps\j", + ); + + RRDs::graph(@command); + $ERROR = RRDs::error; + + return "Error in RRD::Graph for suricata: " . $ERROR . "\n" if $ERROR; +} diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 27e1fe984..a90331f21 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -52,6 +52,11 @@ include "/etc/collectd.precache" Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN Chain filter HOSTILE_DROP_IN DROP_HOSTILE Chain filter HOSTILE_DROP_OUT DROP_HOSTILE + + # IPS + Chain mangle IPS BYPASSED + Chain mangle IPS SCANNED + Chain mangle IPS WHITELISTED </Plugin>
#<Plugin logfile> diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 53224d006..8fe53f7e6 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,6 +1,7 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +usr/bin/suricata-watcher usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS diff --git a/config/rootfiles/core/189/filelists/files b/config/rootfiles/core/189/filelists/files index 2586805ea..7afa1ac2e 100644 --- a/config/rootfiles/core/189/filelists/files +++ b/config/rootfiles/core/189/filelists/files @@ -1,4 +1,12 @@ +etc/collectd.conf +etc/rc.d/init.d/firewall etc/rc.d/init.d/functions +etc/rc.d/init.d/networking/functions.network +etc/rc.d/init.d/suricata +srv/web/ipfire/cgi-bin/getrrdimage.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/html/include/rrdimage.js +usr/bin/suricata-watcher +var/ipfire/graphs.pl var/ipfire/header.pl var/ipfire/ids-functions.pl diff --git a/config/rootfiles/core/189/update.sh b/config/rootfiles/core/189/update.sh index f2c8863d6..43323f38a 100644 --- a/config/rootfiles/core/189/update.sh +++ b/config/rootfiles/core/189/update.sh @@ -349,6 +349,7 @@ ldconfig telinit u
# Start services +/etc/init.d/collectd restart /usr/local/bin/openvpnctrl -s /usr/local/bin/openvpnctrl -sn2n
diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher new file mode 100644 index 000000000..d937ef8cc --- /dev/null +++ b/config/suricata/suricata-watcher @@ -0,0 +1,58 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A Linux-based Firewall # +# Copyright (C) 2024 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +PIDFILE="/var/run/suricata.pid" + +main() { + local ret + + # Suricata becomes unhappy if the PID file exists + unlink "${PIDFILE}" &>/dev/null + + while :; do + # Launch suricata + /usr/bin/suricata --pidfile "${PIDFILE}" "$@" &>/dev/null + + # Wait until suricata is done + ret=$? + + case "${ret}" in + # If suricata has been killed by SIGKILL (e.g. by + # the OOM killer, or if it ran into a SEGV, we will + # restart the process. + 137|139) + # Remove the PID file + unlink "${PIDFILE}" 2>/dev/null + + sleep 1 + continue + ;; + + *) + break + ;; + esac + done + + return ${ret} +} + +main "$@" || exit $? diff --git a/doc/language_issues.de b/doc/language_issues.de index b3d7082df..bd335de41 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -400,6 +400,7 @@ WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids oinkcode required WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ids unsupported provider WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype diff --git a/doc/language_issues.en b/doc/language_issues.en index 3aa4e9bd8..c762cc6f7 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -361,6 +361,7 @@ WARNING: untranslated string: broken = Broken WARNING: untranslated string: broken pipe = Broken pipe WARNING: untranslated string: buffered memory = Buffered Memory WARNING: untranslated string: buffers = buffers +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: bytes per second = Bytes per Second WARNING: untranslated string: bytes received = Bytes Received WARNING: untranslated string: bytes sent = Bytes Sent @@ -1070,7 +1071,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1191,6 +1192,7 @@ WARNING: untranslated string: ipfire has now shutdown = IPFire is shutting down WARNING: untranslated string: ipfire side is invalid = IPFire side is invalid. WARNING: untranslated string: ipfires hostname = IPFire's Hostname WARNING: untranslated string: ipinfo = IP info +WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) @@ -1217,6 +1219,7 @@ WARNING: untranslated string: lan = LAN WARNING: untranslated string: languagepurpose = Select the language you wish IPFire to display in: WARNING: untranslated string: last = Last WARNING: untranslated string: last activity = Last Activity +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: lease expires = Lease expires WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: legend = Legend @@ -1612,6 +1615,7 @@ WARNING: untranslated string: samba server role standalone = Standalone WARNING: untranslated string: saturday = Saturday WARNING: untranslated string: save = Save WARNING: untranslated string: save-adv-options = Save advanced options +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: script name = Script name: WARNING: untranslated string: search = Search WARNING: untranslated string: secondary dns = Secondary DNS: @@ -1802,6 +1806,7 @@ WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reac WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one fingerprint per line) WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) +WARNING: untranslated string: total = Total WARNING: untranslated string: total connection time = Total Connection Time WARNING: untranslated string: total hits for log section = Total hits for log section WARNING: untranslated string: traffic stat in = In @@ -2156,6 +2161,7 @@ WARNING: untranslated string: webradio playlist = Webradio Playlist WARNING: untranslated string: website = Website WARNING: untranslated string: wednesday = Wednesday WARNING: untranslated string: weeks = Weeks +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_issues.es b/doc/language_issues.es index fbbcd1e74..67f82a450 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -444,6 +444,7 @@ WARNING: translation string unused: ids rules license1 WARNING: translation string unused: ids rules license2 WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -979,6 +980,7 @@ WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: access point name = Access Point Name WARNING: untranslated string: access point name is invalid = Access Point Name is invalid WARNING: untranslated string: access point name is required = Access Point Name is required +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: cpu frequency = CPU frequency WARNING: untranslated string: data transfer = Data Transfer WARNING: untranslated string: dhcp fixed ip address in dynamic range = Fixed IP Address in dynamic range @@ -1028,8 +1030,11 @@ WARNING: untranslated string: hostile networks in = From Hostile Networks WARNING: untranslated string: hostile networks out = To Hostile Networks WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: ips throughput = Throughput +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks @@ -1048,12 +1053,15 @@ WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: routing table = unknown string +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: service boot setting unavailable = No valid runlevel symlink was found for the initscript of this service. WARNING: untranslated string: spec rstack overflow = Speculative Return Stack Overflow WARNING: untranslated string: system time = System Time (as of last page load) WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z +WARNING: untranslated string: total = Total WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: wio = unknown string WARNING: untranslated string: wio checked = unknown string WARNING: untranslated string: wio cron = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 25193da6a..db8b6071e 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -428,6 +428,7 @@ WARNING: translation string unused: id WARNING: translation string unused: ids automatic rules update WARNING: translation string unused: ids oinkcode required WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -942,6 +943,7 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: core notice 3 = available. WARNING: untranslated string: data transfer = Data Transfer WARNING: untranslated string: enable disable client = unknown string @@ -981,6 +983,9 @@ WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) +WARNING: untranslated string: ids rulesets = Rulesets +WARNING: untranslated string: ips throughput = Throughput +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server @@ -989,9 +994,12 @@ WARNING: untranslated string: processors = Processors WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: system time = System Time (as of last page load) WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z +WARNING: untranslated string: total = Total WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: wio = unknown string WARNING: untranslated string: wio checked = unknown string WARNING: untranslated string: wio cron = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index f00d959d5..553417e59 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -948,6 +948,7 @@ WARNING: untranslated string: autonomous system = Autonomous System WARNING: untranslated string: available = available WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes) @@ -1132,7 +1133,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1173,6 +1174,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs WARNING: untranslated string: ipblocklist name = Name WARNING: untranslated string: ipblocklist output = Packets dropped (OUT) WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists +WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE @@ -1185,6 +1187,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address @@ -1272,6 +1275,7 @@ WARNING: untranslated string: samba join a domain = Join a domain WARNING: untranslated string: samba join domain = Join domain WARNING: untranslated string: samba server role member = Domain Member WARNING: untranslated string: samba server role standalone = Standalone +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: search = Search WARNING: untranslated string: secret = Secret WARNING: untranslated string: sent = Sent @@ -1309,6 +1313,7 @@ WARNING: untranslated string: token not set = No Token has been given. WARNING: untranslated string: tor guard country any = Any country WARNING: untranslated string: tor guard nodes = Guard Nodes WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) +WARNING: untranslated string: total = Total WARNING: untranslated string: traffic stat in = In WARNING: untranslated string: traffic stat out = Out WARNING: untranslated string: traffic stat title = RED Traffic @@ -1342,6 +1347,7 @@ WARNING: untranslated string: vpn weak = Weak WARNING: untranslated string: vulnerability = Vulnerability WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 9607f98af..0b16d098d 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -950,6 +950,7 @@ WARNING: untranslated string: autonomous system = Autonomous System WARNING: untranslated string: available = available WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes) @@ -1138,7 +1139,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1181,6 +1182,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs WARNING: untranslated string: ipblocklist name = Name WARNING: untranslated string: ipblocklist output = Packets dropped (OUT) WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists +WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE @@ -1193,6 +1195,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address @@ -1295,6 +1298,7 @@ WARNING: untranslated string: samba join a domain = Join a domain WARNING: untranslated string: samba join domain = Join domain WARNING: untranslated string: samba server role member = Domain Member WARNING: untranslated string: samba server role standalone = Standalone +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: search = Search WARNING: untranslated string: secret = Secret WARNING: untranslated string: sent = Sent @@ -1335,6 +1339,7 @@ WARNING: untranslated string: token not set = No Token has been given. WARNING: untranslated string: tor guard country any = Any country WARNING: untranslated string: tor guard nodes = Guard Nodes WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) +WARNING: untranslated string: total = Total WARNING: untranslated string: transfers = Transfers WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours @@ -1365,6 +1370,7 @@ WARNING: untranslated string: vpn weak = Weak WARNING: untranslated string: vulnerability = Vulnerability WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 92ad3b7be..a3acd734f 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -875,6 +875,7 @@ WARNING: untranslated string: available = available WARNING: untranslated string: bit = bit WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes) @@ -1276,7 +1277,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1323,6 +1324,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs WARNING: untranslated string: ipblocklist name = Name WARNING: untranslated string: ipblocklist output = Packets dropped (OUT) WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists +WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) @@ -1338,6 +1340,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: last = Last +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation @@ -1474,6 +1477,7 @@ WARNING: untranslated string: samba join a domain = Join a domain WARNING: untranslated string: samba join domain = Join domain WARNING: untranslated string: samba server role member = Domain Member WARNING: untranslated string: samba server role standalone = Standalone +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: search = Search WARNING: untranslated string: secret = Secret WARNING: untranslated string: sent = Sent @@ -1568,6 +1572,7 @@ WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reac WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one fingerprint per line) WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) +WARNING: untranslated string: total = Total WARNING: untranslated string: traffic stat in = In WARNING: untranslated string: traffic stat out = Out WARNING: untranslated string: traffic stat title = RED Traffic @@ -1606,6 +1611,7 @@ WARNING: untranslated string: vpn weak = Weak WARNING: untranslated string: vulnerability = Vulnerability WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 35a590b6b..66b6cae13 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -870,6 +870,7 @@ WARNING: untranslated string: available = available WARNING: untranslated string: bit = bit WARNING: untranslated string: block = Block WARNING: untranslated string: broken = Broken +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes) @@ -1271,7 +1272,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1319,6 +1320,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs WARNING: untranslated string: ipblocklist name = Name WARNING: untranslated string: ipblocklist output = Packets dropped (OUT) WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists +WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) @@ -1334,6 +1336,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: last = Last +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation @@ -1467,6 +1470,7 @@ WARNING: untranslated string: samba join a domain = Join a domain WARNING: untranslated string: samba join domain = Join domain WARNING: untranslated string: samba server role member = Domain Member WARNING: untranslated string: samba server role standalone = Standalone +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: search = Search WARNING: untranslated string: secret = Secret WARNING: untranslated string: sent = Sent @@ -1561,6 +1565,7 @@ WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reac WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one fingerprint per line) WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) +WARNING: untranslated string: total = Total WARNING: untranslated string: traffic stat in = In WARNING: untranslated string: traffic stat out = Out WARNING: untranslated string: traffic stat title = RED Traffic @@ -1599,6 +1604,7 @@ WARNING: untranslated string: vpn weak = Weak WARNING: untranslated string: vulnerability = Vulnerability WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 3bf595efe..ec657539f 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -935,6 +935,7 @@ WARNING: untranslated string: asn lookup failed = AS lookup failed WARNING: untranslated string: autonomous system = Autonomous System WARNING: untranslated string: available = available WARNING: untranslated string: broken = Broken +WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes) WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes) WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes) @@ -1074,7 +1075,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1110,6 +1111,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs WARNING: untranslated string: ipblocklist name = Name WARNING: untranslated string: ipblocklist output = Packets dropped (OUT) WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists +WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE @@ -1122,6 +1124,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address @@ -1179,6 +1182,7 @@ WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: routing table = unknown string WARNING: untranslated string: samba server role member = Domain Member WARNING: untranslated string: samba server role standalone = Standalone +WARNING: untranslated string: scanned = Scanned WARNING: untranslated string: secret = Secret WARNING: untranslated string: sent = Sent WARNING: untranslated string: service boot setting unavailable = No valid runlevel symlink was found for the initscript of this service. @@ -1212,6 +1216,7 @@ WARNING: untranslated string: token not set = No Token has been given. WARNING: untranslated string: tor guard country any = Any country WARNING: untranslated string: tor guard nodes = Guard Nodes WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) +WARNING: untranslated string: total = Total WARNING: untranslated string: traffic stat in = In WARNING: untranslated string: traffic stat out = Out WARNING: untranslated string: traffic stat title = RED Traffic @@ -1226,6 +1231,7 @@ WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vulnerability = Vulnerability WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: warning = Warning +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_missings b/doc/language_missings index 98856b0e8..6a44630bd 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -103,6 +103,7 @@ < upload fcdsl.o < user management < vpn configuration main +< wg < winbind daemon < wireguard < wlanap 802.11w disabled @@ -120,6 +121,7 @@ < access point name is invalid < access point name is required < addon +< bypassed < cpu frequency < data transfer < dhcp fixed ip address in dynamic range @@ -136,8 +138,11 @@ < hostile networks out < hostile networks total < ids provider eol +< ids rulesets < ids unsupported provider < invalid ip or hostname +< ips throughput +< last updated < load average < log drop hostile in < log drop hostile out @@ -150,12 +155,16 @@ < reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 +< scanned < service boot setting unavailable < spec rstack overflow < system time < timeformat +< total < transport mode does not support vti < warning +< wg +< whitelisted < wireguard < wlanap < wlanap psk @@ -168,6 +177,7 @@ < ansi t1.483 < bewan adsl pci st < bewan adsl usb +< bypassed < data transfer < extrahd because it it outside the allowed mount path < fwdfw syn flood protection @@ -175,16 +185,23 @@ < g.lite < hostile networks total < ids provider eol +< ids rulesets < ids unsupported provider +< ips throughput +< last updated < load average < oops something went wrong < ovpn roadwarrior server < processors < reg_file_data_sampling +< scanned < system time < timeformat +< total < upload fcdsl.o < warning +< wg +< whitelisted < wireguard < wlanap psk < wlanap wireless mode @@ -226,6 +243,7 @@ < available < block < broken +< bypassed < cake profile bridged-llcsnap 32 < cake profile bridged-ptm 19 < cake profile bridged-vcmux 24 @@ -444,6 +462,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -503,7 +522,9 @@ < ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings +< ips throughput < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -595,6 +616,7 @@ < samba join domain < samba server role member < samba server role standalone +< scanned < search < secret < sent @@ -633,6 +655,7 @@ < tor guard country any < tor guard nodes < tor use guard nodes +< total < traffic stat in < traffic stat out < traffic stat title @@ -668,6 +691,8 @@ < vulnerable < warning < Weekly +< wg +< whitelisted < whois results from < winbind daemon < wireguard @@ -761,6 +786,7 @@ < available < block < broken +< bypassed < cake profile bridged-llcsnap 32 < cake profile bridged-ptm 19 < cake profile bridged-vcmux 24 @@ -984,6 +1010,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -1045,7 +1072,9 @@ < ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings +< ips throughput < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -1155,6 +1184,7 @@ < samba join domain < samba server role member < samba server role standalone +< scanned < search < secret < sent @@ -1197,6 +1227,7 @@ < tor guard country any < tor guard nodes < tor use guard nodes +< total < transfers < transport mode does not support vti < twelve hours @@ -1229,6 +1260,8 @@ < vulnerable < warning < Weekly +< wg +< whitelisted < whois results from < winbind daemon < wireguard @@ -1336,6 +1369,7 @@ < bit < block < broken +< bypassed < cake profile bridged-llcsnap 32 < cake profile bridged-ptm 19 < cake profile bridged-vcmux 24 @@ -1829,6 +1863,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -1897,8 +1932,10 @@ < ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings +< ips throughput < itlb multihit < last +< last updated < least preferred < legacy architecture warning < lifetime @@ -2057,6 +2094,7 @@ < samba join domain < samba server role member < samba server role standalone +< scanned < search < secret < sent @@ -2160,6 +2198,7 @@ < tor traffic read written < tor use exit nodes < tor use guard nodes +< total < traffic stat in < traffic stat out < traffic stat title @@ -2205,6 +2244,8 @@ < vulnerable < warning < Weekly +< wg +< whitelisted < whois results from < winbind daemon < wireguard @@ -2344,6 +2385,7 @@ < bit < block < broken +< bypassed < cake profile bridged-llcsnap 32 < cake profile bridged-ptm 19 < cake profile bridged-vcmux 24 @@ -2842,6 +2884,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -2911,8 +2954,10 @@ < ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings +< ips throughput < itlb multihit < last +< last updated < least preferred < legacy architecture warning < lifetime @@ -3069,6 +3114,7 @@ < samba join domain < samba server role member < samba server role standalone +< scanned < search < secret < sent @@ -3172,6 +3218,7 @@ < tor traffic read written < tor use exit nodes < tor use guard nodes +< total < traffic stat in < traffic stat out < traffic stat title @@ -3218,6 +3265,8 @@ < warning < week-graph < Weekly +< wg +< whitelisted < whois results from < winbind daemon < wireguard @@ -3333,6 +3382,7 @@ < autonomous system < available < broken +< bypassed < cake profile bridged-llcsnap 32 < cake profile bridged-ptm 19 < cake profile bridged-vcmux 24 @@ -3447,6 +3497,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -3501,7 +3552,9 @@ < ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings +< ips throughput < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -3558,6 +3611,7 @@ < runmode < samba server role member < samba server role standalone +< scanned < secret < sent < service boot setting unavailable @@ -3592,6 +3646,7 @@ < tor guard country any < tor guard nodes < tor use guard nodes +< total < traffic stat in < traffic stat out < traffic stat title @@ -3608,6 +3663,8 @@ < vulnerable < warning < Weekly +< wg +< whitelisted < whois results from < winbind daemon < wireguard diff --git a/html/cgi-bin/getrrdimage.cgi b/html/cgi-bin/getrrdimage.cgi index f80f0138f..77556217d 100644 --- a/html/cgi-bin/getrrdimage.cgi +++ b/html/cgi-bin/getrrdimage.cgi @@ -35,7 +35,7 @@ require "${General::swroot}/graphs.pl";
# List of graph origins that getrrdimage.cgi can process directly # (unknown origins are forwarded to ensure compatibility) -my @supported_origins = ("hardwaregraphs.cgi", "media.cgi", +my @supported_origins = ("ids.cgi", "hardwaregraphs.cgi", "media.cgi", "memory.cgi", "netexternal.cgi", "netinternal.cgi", "netother.cgi", "netovpnrw.cgi", "netovpnsrv.cgi", "qos.cgi", "services.cgi", "system.cgi");
@@ -80,7 +80,13 @@ _start_svg_output(); # Graphs are first grouped by their origin. # This is because some graph categories require special parameter handling. my $graphstatus = ''; -if($origin eq "hardwaregraphs.cgi") { ## hardwaregraphs.cgi +if ($origin eq "ids.cgi") { ## ids.cgi + if ($graph eq "ips-throughput") { + $graphstatus = Graphs::updateipsthroughputgraph($range); + } else { + $graphstatus = "Unknown graph name."; + } +} elsif($origin eq "hardwaregraphs.cgi") { ## hardwaregraphs.cgi if($graph eq "hwtemp") { $graphstatus = Graphs::updatehwtempgraph($range); } elsif($graph eq "hwfan") { diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 502e2a125..4eaf4911d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -53,6 +53,9 @@ my %ignored=(); # the list of zones in an array. my @network_zones = &Network::get_available_network_zones();
+# Always show IPsec & Wireguard +push(@network_zones, "ipsec", "wg"); + # Check if openvpn is started and add it to the array of network zones. if ( -e "/var/run/openvpn.pid") { push(@network_zones, "ovpn"); @@ -69,7 +72,9 @@ my %colourhash = ( 'green' => $Header::colourgreen, 'blue' => $Header::colourblue, 'orange' => $Header::colourorange, - 'ovpn' => $Header::colourovpn + 'ipsec' => $Header::colourvpn, + 'ovpn' => $Header::colourovpn, + 'wg' => $Header::colourwg, );
&Header::showhttpheaders(); @@ -1003,7 +1008,7 @@ sub show_mainpage() { $checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'";
# Draw current state of the IDS - &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); + &Header::opensection();
&Header::ServiceStatus({ $Lang::tr{'intrusion prevention system'} => { @@ -1013,30 +1018,29 @@ sub show_mainpage() {
# Only show this area, if at least one ruleset provider is configured. if (%used_providers) { + my $num_zones = scalar @network_zones;
print <<END - - <br><br><h2>$Lang::tr{'settings'}</h2> + <br>
<form method='post' action='$ENV{'SCRIPT_NAME'}'> <table width='100%' border='0'> <tr> - <td class='base' colspan='2'> + <td colspan='$num_zones'> <input type='checkbox' name='ENABLE_IDS' $checked{'ENABLE_IDS'}{'on'}> $Lang::tr{'ids enable'} </td> - - </td> </tr>
- <tr> - <td><br><br></td> - <td><br><br></td> - <td><br><br></td> - <td><br><br></td> + <tr> <!-- empty row for spacing --> + <td colspan='$num_zones'> + + </td> </tr>
<tr> - <td colspan='4'><b>$Lang::tr{'ids monitored interfaces'}</b><br></td> + <td colspan='$num_zones'> + <b>$Lang::tr{'ids monitored interfaces'}</b> + </td> </tr>
<tr> @@ -1064,21 +1068,29 @@ END $checked_input = "checked = 'checked'"; }
- print "<td class='base' width='20%'>\n"; - print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n"; - print " $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n"; - print "</td>\n"; + print <<END; + <td> + <label> + <input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input> + $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font> + </label> + </td> +END }
print <<END </tr> - </table>
- <br><br> + <tr> <!-- empty row for spacing --> + <td colspan='$num_zones'> + + </td> + </tr>
- <table width='100%'> <tr> - <td align='right'><input type='submit' name='IDS' value='$Lang::tr{'save'}' /></td> + <td colspan='$num_zones' align='right'> + <input type='submit' name='IDS' value='$Lang::tr{'save'}' /> + </td> </tr> </table> </form> @@ -1087,21 +1099,25 @@ END
}
- &Header::closebox(); + &Header::closesection(); + + # Throughput Graph + if (-e "/var/log/rrd/collectd/localhost/iptables-mangle-IPS/ipt_bytes-BYPASSED.rrd") { + &Header::graph("$Lang::tr{'ips throughput'}", "ids.cgi", "ips-throughput", "day"); + }
# # Used Ruleset Providers section. # - &Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'}); + &Header::openbox('100%', 'center', $Lang::tr{'ids rulesets'});
print <<END; - <table width='100%' border='0'> + <table width='100%' border='0' class='tbl'> <tr> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ids provider'}</b></td> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'date'}</b></td> - <td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'ids autoupdates'}</b></td> - <td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'action'}</b></td> - <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> + <th>$Lang::tr{'ids provider'}</td> + <th>$Lang::tr{'last updated'}</td> + <th align='center'>$Lang::tr{'ids autoupdates'}</td> + <th align='center' colspan='3'>$Lang::tr{'action'}</td> </tr> END my $line = 1; @@ -1122,13 +1138,6 @@ END my $status = $used_providers{$id}[3]; my $unsupported;
- # Check if the item number is even or not. - if ($line % 2) { - $col="bgcolor='$color{'color22'}'"; - } else { - $col="bgcolor='$color{'color20'}'"; - } - # Handle providers which are not longer supported. unless ($IDS::Ruleset::Providers{$provider}{'dl_url'}) { $col = "bgcolor='$Header::colouryellow'"; @@ -1161,8 +1170,8 @@ END
print <<END; <tr> - <td width='33%' class='base' $col>$provider_name $unsupported</td> - <td width='30%' class='base' $col>$rulesetdate</td> + <th scope='row' width='33%' $col>$provider_name $unsupported</th> + <td width='30%' $col align='center'>$rulesetdate</td>
<td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> @@ -1205,7 +1214,7 @@ END } else { # Print notice that currently no hosts are ignored. print "<tr>\n"; - print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; + print "<td class='base' colspan='6'>$Lang::tr{'guardian no entries'}</td>\n"; print "</tr>\n"; }
@@ -1214,8 +1223,6 @@ END # Section to add new elements or edit existing ones. print <<END; <br> - <hr> - <br>
<form method='post' action='$ENV{'SCRIPT_NAME'}'> <div align='right'> @@ -1240,11 +1247,11 @@ END &Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'});
print <<END; - <table width='100%'> + <table class='tbl'> <tr> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td> - <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td> - <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> + <th>$Lang::tr{'ip address'}</td> + <th>$Lang::tr{'remark'}</td> + <th colspan='3'></td> </tr> END # Check if some hosts have been added to be ignored. @@ -1252,7 +1259,7 @@ END my $col = "";
# Loop through all entries of the hash. - while( (my $key) = each %ignored) { + foreach my $key (sort { $ignored{$a}[0] <=> $ignored{$b}[0] } keys %ignored) { # Assign data array positions to some nice variable names. my $address = $ignored{$key}[0]; my $remark = $ignored{$key}[1]; @@ -1261,10 +1268,6 @@ END # Check if the key (id) number is even or not. if ($cgiparams{'ID'} eq $key) { $col="bgcolor='${Header::colouryellow}'"; - } elsif ($key % 2) { - $col="bgcolor='$color{'color22'}'"; - } else { - $col="bgcolor='$color{'color20'}'"; }
# Choose icon for the checkbox. @@ -1282,8 +1285,8 @@ END
print <<END; <tr> - <td width='20%' class='base' $col>$address</td> - <td width='65%' class='base' $col>$remark</td> + <td width='20%' $col>$address</td> + <td width='65%' $col>$remark</td>
<td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> @@ -1314,7 +1317,7 @@ END } else { # Print notice that currently no hosts are ignored. print "<tr>\n"; - print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; + print "<td class='base' colspan='5'>$Lang::tr{'guardian no entries'}</td>\n"; print "</tr>\n"; }
@@ -1322,12 +1325,10 @@ END
# Section to add new elements or edit existing ones. print <<END; - <br> - <hr> - <br> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ID' value='$cgiparams{'ID'}'>
- <div align='center'> - <table width='100%'> + <table class='form'> END
# Assign correct headline and button text. @@ -1338,30 +1339,36 @@ END # Check if an ID (key) has been given, in this case an existing entry should be edited. if ($cgiparams{'ID'} ne '') { $buttontext = $Lang::tr{'update'}; - print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n"; + print "<tr><td colspan='2'><h6>$Lang::tr{'update'}</h6></td></tr>\n";
# Grab address and remark for the given key. $entry_address = $ignored{$cgiparams{'ID'}}[0]; $entry_remark = $ignored{$cgiparams{'ID'}}[1]; } else { $buttontext = $Lang::tr{'add'}; - print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n"; + print "<tr><td colspan='2'><h6>$Lang::tr{'dnsforward add a new entry'}</h6></td></tr>\n"; }
print <<END; - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ID' value='$cgiparams{'ID'}'> <tr> - <td width='30%'>$Lang::tr{'ip address'}: </td> - <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td> + <td>$Lang::tr{'ip address'}</td> + <td> + <input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /> + </td> + </tr> + + <tr> + <td>$Lang::tr{'remark'}</td> + <td> + <input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /> + </td> + </tr>
- <td width='30%'>$Lang::tr{'remark'}: </td> - <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td> - <td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td> + <tr class='action'> + <td colspan='2'><input type='submit' name='WHITELIST' value='$buttontext' /></td> </tr> - </form> </table> - </div> + </form> END
&Header::closebox(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index a718228bc..0598952ca 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -503,6 +503,7 @@ 'broken pipe' => 'Zerbrochene Pipe', 'buffered memory' => 'Pufferspeicher ', 'buffers' => 'Puffer', +'bypassed' => 'Übersprungen', 'bytes' => 'Bytes', 'bytes per second' => 'Bytes pro Sekunde', 'bytes received' => 'Bytes empfangen', @@ -1413,6 +1414,7 @@ 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...', 'ids ruleset is up to date' => 'Regelset ist aktuell - Keine Aktualisierung notwendig.', 'ids ruleset settings' => 'Regelsatzeinstellungen', +'ids rulesets' => 'Regelsätze', 'ids show' => 'Anzeigen', 'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.', 'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.', @@ -1571,6 +1573,7 @@ 'ipfire side is invalid' => 'IPFire Seite ist ungültig.', 'ipfires hostname' => 'IPFire's Hostname', 'ipinfo' => 'IP-Info', +'ips throughput' => 'Durchsatz', 'ipsec' => 'IPsec', 'ipsec connection' => 'IPsec-Verbindung', 'ipsec interface mode gre' => 'GRE', @@ -1603,6 +1606,7 @@ 'languagepurpose' => 'Wählen Sie eine Sprache, in der IPFire angezeigt werden soll:', 'last' => 'Letzte', 'last activity' => 'Letzte Aktivität', +'last updated' => 'Zuletzt Aktualisiert', 'lateprompting' => 'Late prompting', 'lease expires' => 'Zuordnung verfällt', 'least preferred' => 'weniger präferiert', @@ -2218,6 +2222,7 @@ 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden', 'save settings' => 'Einstellungen speichern', 'save-adv-options' => 'Erweiterte Optionen speichern', +'scanned' => 'Gescannt', 'script name' => 'Skriptname:', 'search' => 'Suchen', 'secondary dns' => 'Sekundärer DNS-Server:', @@ -2493,6 +2498,7 @@ 'tor traffic read written' => 'Gesamter Traffic (empfangen/gesendet)', 'tor use exit nodes' => 'Nur diese Exitknoten benutzen (ein Fingerabdruck pro Zeile)', 'tor use guard nodes' => 'Nur diese Guardknoten benutzen (ein Fingerabdruck pro Zeile)', +'total' => 'Gesamt', 'total connection time' => 'Gesamte Verbindungszeit', 'total hits for log section' => 'Gesamte Treffer für Protokollsektion', 'traffic back' => 'Zurück', @@ -2936,6 +2942,7 @@ 'week-graph' => 'Woche', 'weekly firewallhits' => 'wöchentliche Firewalltreffer', 'weeks' => 'Wochen', +'whitelisted' => 'Ausgenommen', 'whois results from' => 'WHOIS-Ergebnisse von', 'wildcards' => 'Wildcards', 'wins server' => 'WINS-Server', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index dca9f1645..91ea2e64a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -524,6 +524,7 @@ 'broken pipe' => 'Broken pipe', 'buffered memory' => 'Buffered Memory', 'buffers' => 'buffers', +'bypassed' => 'Bypassed', 'bytes per second' => 'Bytes per Second', 'bytes received' => 'Bytes Received', 'bytes sent' => 'Bytes Sent', @@ -1466,6 +1467,7 @@ 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...', 'ids ruleset is up to date' => 'No update required - The ruleset is up to date.', 'ids ruleset settings' => 'Ruleset Settings', +'ids rulesets' => 'Rulesets', 'ids show' => 'Show', 'ids subscription code required' => 'The selected ruleset requires a subscription code', 'ids the choosen provider is already in use' => 'The choosen provider is already in use.', @@ -1625,6 +1627,7 @@ 'ipfire side is invalid' => 'IPFire side is invalid.', 'ipfires hostname' => 'IPFire's Hostname', 'ipinfo' => 'IP info', +'ips throughput' => 'Throughput', 'ipsec' => 'IPsec', 'ipsec connection' => 'IPsec Connection', 'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)', @@ -1660,6 +1663,7 @@ 'languagepurpose' => 'Select the language you wish IPFire to display in:', 'last' => 'Last', 'last activity' => 'Last Activity', +'last updated' => 'Last Updated', 'lateprompting' => 'Lateprompting', 'lease expires' => 'Lease expires', 'least preferred' => 'least preferred', @@ -2289,6 +2293,7 @@ 'save error' => 'Unable to save configuration archive file', 'save settings' => 'Save settings', 'save-adv-options' => 'Save advanced options', +'scanned' => 'Scanned', 'script name' => 'Script name:', 'search' => 'Search', 'secondary dns' => 'Secondary DNS:', @@ -2573,6 +2578,7 @@ 'tor traffic read written' => 'Total traffic (read/written)', 'tor use exit nodes' => 'Use only these exit nodes (one fingerprint per line)', 'tor use guard nodes' => 'Use only these guard nodes (one fingerprint per line)', +'total' => 'Total', 'total connection time' => 'Total Connection Time', 'total hits for log section' => 'Total hits for log section', 'traffic back' => 'Back', @@ -3020,6 +3026,8 @@ 'week-graph' => 'Week', 'weekly firewallhits' => 'weekly firewallhits', 'weeks' => 'Weeks', +'wg' => 'WireGuard', +'whitelisted' => 'Whitelisted', 'whois results from' => 'WHOIS results from', 'wildcards' => 'Wildcards', 'winbind daemon' => 'Winbind Daemon', diff --git a/lfs/suricata b/lfs/suricata index 88f3c4575..dcee61ea1 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install converter script needed for Core Update 167 install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files
+ # Install the watcher + install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network index e134d0cce..eb83b183d 100644 --- a/src/initscripts/networking/functions.network +++ b/src/initscripts/networking/functions.network @@ -54,6 +54,86 @@ bin2ip() { echo "${address[*]}" }
+network_get_intfs() { + local zone="${1}" + + case "${zone^^}" in + RED) + # For PPPoE, the RED interface is called ppp0 (unless we use QMI) + if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then + echo "ppp0" + return 0 + + # Otherwise we return RED_DEV + elif [ -n "${RED_DEV}" ]; then + echo "${RED_DEV}" + return 0 + fi + ;; + + GREEN) + if [ -n "${GREEN_DEV}" ]; then + echo "${GREEN_DEV}" + return 0 + fi + ;; + + ORANGE) + if [ -n "${ORANGE_DEV}" ]; then + echo "${ORANGE_DEV}" + return 0 + fi + ;; + + BLUE) + if [ -n "${BLUE_DEV}" ]; then + echo "${BLUE_DEV}" + return 0 + fi + ;; + + IPSEC) + local VARS=( + id status x1 x2 type x3 x4 x5 x6 x7 x8 x9 x10 + x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 + x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 + x31 x32 x33 x34 interface_mode rest + ) + + while IFS="," read -r "${VARS[@]}"; do + # Check if the connection is enabled + [ "${status}" = "on" ] || continue + + # Check if this a net-to-net connection + [ "${type}" = "net" ] || continue + + # Determine the interface name + case "${interface_mode}" in + gre|vti) + echo "${interface_mode}${id}" + ;; + esac + done < /var/ipfire/vpn/config + + return 0 + ;; + + WIREGUARD|WG) + echo "wg+" + return 0 + ;; + + OPENVPN|OVPN) + # OpenVPN is using all tun devices + echo "tun+" + return 0 + ;; + esac + + # Not found + return 1 +} + network_get_address() { local network="${1}"
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 6727e4a20..139d94aa0 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -39,11 +39,6 @@ fi
NAT_MASK="0x0f000000"
-IPS_REPEAT_MARK="0x80000000" -IPS_REPEAT_MASK="0x80000000" -IPS_BYPASS_MARK="0x40000000" -IPS_BYPASS_MASK="0x40000000" - IPSET_DB_DIR="/var/lib/location/ipset"
SYNPROXY_OPTIONS=( @@ -84,16 +79,6 @@ iptables_init() { modprobe nf_log_ipv4 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
- # IPS Bypass Chain which stores the BYPASS bit in connection tracking - iptables -N IPSBYPASS - iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))" - - # Jump into bypass chain when the BYPASS bit is set - for chain in INPUT FORWARD OUTPUT; do - iptables -A "${chain}" -m mark \ - --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS - done - # Empty LOG_DROP and LOG_REJECT chains iptables -N LOG_DROP iptables -A LOG_DROP -m limit --limit 10/second -j LOG @@ -175,7 +160,7 @@ iptables_init() { iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks - iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark + iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark
# Fix for braindead ISPs iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu @@ -236,15 +221,6 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK
- # IPS (Suricata) chains - iptables -N IPS_INPUT - iptables -N IPS_FORWARD - iptables -N IPS_OUTPUT - - for chain in INPUT FORWARD OUTPUT; do - iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" - done - # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT @@ -399,6 +375,22 @@ iptables_init() { -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" fi
+ # IPS (Suricata) chains + iptables -t mangle -N IPS + iptables -t mangle -N IPS_CLEAR + iptables -t mangle -N IPS_SCAN_IN + iptables -t mangle -N IPS_SCAN_OUT + + iptables -t mangle -A INPUT -j IPS_SCAN_IN + iptables -t mangle -A FORWARD -j IPS_SCAN_IN + iptables -t mangle -A FORWARD -j IPS_SCAN_OUT + iptables -t mangle -A OUTPUT -j IPS_SCAN_OUT + + for chain in INPUT FORWARD OUTPUT; do + iptables -t mangle -A "${chain}" -j IPS + iptables -t mangle -A "${chain}" -j IPS_CLEAR + done + # RED chain, used for the red interface iptables -N REDINPUT iptables -A INPUT -j REDINPUT diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 79f9478c3..a753e32e6 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -21,140 +21,150 @@
. /etc/sysconfig/rc . ${rc_functions} - -PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH +. /etc/init.d/networking/functions.network
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) - -# Name of the firewall chains. -IPS_INPUT_CHAIN="IPS_INPUT" -IPS_FORWARD_CHAIN="IPS_FORWARD" -IPS_OUTPUT_CHAIN="IPS_OUTPUT"
-# Optional options for the Netfilter queue. -NFQ_OPTS="--queue-bypass " +IPS_REPEAT_MARK="0x80000000" +IPS_REPEAT_MASK="0x80000000"
-# Array containing the 4 possible network zones. -network_zones=( red green blue orange ovpn ) +# The IPS requested that this connection is being bypassed +IPS_BYPASS_REQUESTED_MARK="0x40000000" +IPS_BYPASS_REQUESTED_MASK="0x40000000"
-# Array to store the network zones weather the IPS is enabled for. -enabled_ips_zones=() +# Marks a connection to be bypassed +IPS_BYPASS_MARK="0x20000000" +IPS_BYPASS_MASK="0x20000000"
-# PID file of suricata. -PID_FILE="/var/run/suricata.pid" +# Set if we request to scan this packet +IPS_SCAN_MARK="0x10000000" +IPS_SCAN_MASK="0x10000000"
-# Function to get the amount of CPU cores of the system. -function get_cpu_count { - CPUCOUNT=0 +# Set if a packet has been whitelisted +IPS_WHITELISTED_MARK="0x08000000" +IPS_WHITELISTED_MASK="0x08000000"
- # Loop through "/proc/cpuinfo" and count the amount of CPU cores. - while read line; do - [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++)) - done </proc/cpuinfo +# Supported network zones +NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "IPSEC" "WG" "OVPN" )
- # Limit to a maximum of 16 cores, because suricata does not support more than - # 16 netfilter queues at the moment. - if [ $CPUCOUNT -gt "16" ]; then - echo "16" - else - echo $CPUCOUNT - fi -} +# Optional options for the Netfilter queue. +NFQ_OPTS=( + "--queue-bypass" +)
# Function to flush the firewall chains. -function flush_fw_chain { - # Call iptables and flush the chains - iptables -w -F "$IPS_INPUT_CHAIN" - iptables -w -F "$IPS_FORWARD_CHAIN" - iptables -w -F "$IPS_OUTPUT_CHAIN" +flush_fw_chain() { + iptables -w -t mangle -F IPS + iptables -w -t mangle -F IPS_CLEAR + iptables -w -t mangle -F IPS_SCAN_IN + iptables -w -t mangle -F IPS_SCAN_OUT }
# Function to create the firewall rules to pass the traffic to suricata. -function generate_fw_rules { - cpu_count=$(get_cpu_count) - - # Loop through the array of network zones. - for zone in "${network_zones[@]}"; do - # Convert zone into upper case. - zone_upper=${zone^^} - - # Generate variable name for checking if the IDS is - # enabled on the zone. - enable_ids_zone="ENABLE_IDS_$zone_upper" - - # Check if the IDS is enabled for this network zone. - if [ "${!enable_ids_zone}" == "on" ]; then - # Check if the current processed zone is "red" and the configured type is PPPoE dialin. - if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ] && [ "$RED_DRIVER" != "qmi_wwan" ]; then - # Set device name to ppp0. - network_device="ppp0" - elif [ "$zone" == "ovpn" ]; then - # Get all virtual net devices because the RW server and each - # N2N connection creates it's own tun device. - for virt_dev in /sys/devices/virtual/net/*; do - # Cut-off the directory. - dev="${virt_dev##*/}" - - # Only process tun devices. - if [[ $dev =~ "tun" ]]; then - # Add the network device to the array of enabled zones. - enabled_ips_zones+=( "$dev" ) - fi - done - - # Process next zone. - continue - else - # Generate variable name which contains the device name. - zone_name="$zone_upper" - zone_name+="_DEV" - - # Grab device name. - network_device=${!zone_name} - fi - - # Add the network device to the array of enabled zones. - enabled_ips_zones+=( "$network_device" ) - fi - done - +generate_fw_rules() { # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS + local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" ) + + local cpu_count="$(getconf _NPROCESSORS_ONLN)"
# Check if there are multiple cpu cores available. if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" + # Balance beetween all queues + NFQ_OPTIONS+=( + "--queue-balance" "0:$(($cpu_count-1))" + "--queue-cpu-fanout" + ) else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" + # Send all packets to queue 0 + NFQ_OPTIONS+=( + "--queue-num" "0" + ) fi
# Flush the firewall chains. flush_fw_chain
- # Check if the array of enabled_ips_zones contains any elements. - if [[ ${enabled_ips_zones[@]} ]]; then - # Loop through the array and create firewall rules. - for enabled_ips_zone in "${enabled_ips_zones[@]}"; do - # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS - iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS - - # Create rules which are required to handle forwarded traffic. - for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS + # Don't process packets where the IPS has requested to bypass the stream + iptables -w -t mangle -A IPS \ + -m comment --comment "BYPASSED" \ + -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN + + # If suricata decided to bypass a stream, we will store the mark in the connection tracking table + iptables -w -t mangle -A IPS \ + -m mark --mark "$(( IPS_BYPASS_REQUESTED_MARK ))/$(( IPS_BYPASS_REQUESTED_MASK ))" \ + -j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" + + # Don't process packets that have already been seen by the IPS + for chain in IPS IPS_SCAN_IN IPS_SCAN_OUT; do + iptables -w -t mangle -A "${chain}" \ + -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN + done + + local zone + local status + local intf + + # Mark packets for all zones that we want to scan + for zone in "${NETWORK_ZONES[@]}"; do + status="ENABLE_IDS_${zone}" + + if [ "${!status}" = "on" ]; then + # Handle IPsec packets + case "${zone}" in + IPSEC) + iptables -w -t mangle -A IPS_SCAN_IN \ + -m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + iptables -w -t mangle -A IPS_SCAN_OUT \ + -m policy --pol ipsec --dir out -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + ;; + esac + + # Add interfaces + for intf in $(network_get_intfs "${zone}"); do + iptables -w -t mangle -A IPS_SCAN_IN \ + -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + iptables -w -t mangle -A IPS_SCAN_OUT \ + -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" done - done + fi + done + + # Don't keep processing packets we don't want to scan + iptables -w -t mangle -A IPS -m mark ! --mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" -j RETURN + + # Never send any whitelisted packets to the IPS + if [ -r "/var/ipfire/suricata/ignored" ]; then + local id network remark enabled rest + + while IFS=',' read -r id network remark enabled rest; do + # Skip disabled entries + [ "${enabled}" = "enabled" ] || continue + + iptables -w -t mangle -A IPS -s "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" + iptables -w -t mangle -A IPS -d "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" + done < "/var/ipfire/suricata/ignored" fi + + # Count and skip the whitelisted packets + iptables -w -t mangle -A IPS \ + -m comment --comment "WHITELISTED" \ + -m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN + + # Send packets to suricata + iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}" + + # Clear all bits again after packets have been sent to the IPS + # This is required so that encapsulated packets can't inherit any set bits here and won't be scanned. + iptables -w -t mangle -A IPS_CLEAR \ + -j MARK --set-mark "0/$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))" + + return 0 }
case "$1" in start) - # Get amount of CPU cores. - cpu_count=$(get_cpu_count) + # Get amount of CPU cores + cpu_count="$(getconf _NPROCESSORS_ONLN)"
# Numer of NFQUES. NFQUEUES="-q 0" @@ -167,11 +177,7 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null - evaluate_retval - - # Allow reading the pidfile. - chmod 644 $PID_FILE + loadproc -b /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
# Flush the firewall chain flush_fw_chain @@ -183,32 +189,24 @@ case "$1" in
stop) boot_mesg "Stopping Intrusion Detection System..." - killproc -p $PID_FILE /var/run + killproc -p /var/run/suricata.pid /usr/bin/suricata
# Flush firewall chain. flush_fw_chain
- # Sometimes suricata not correct shutdown. So killall. - killall -KILL /usr/bin/suricata 2>/dev/null - - # Remove suricata control socket. - rm /var/run/suricata/* >/dev/null 2>/dev/null - - # Trash remain pid file if still exists. - rm -f $PID_FILE >/dev/null 2>/dev/null - # Don't report returncode of rm if suricata was not started exit 0 ;;
status) - statusproc /usr/bin/suricata + PIDFILE="/var/run/suricata.pid" statusproc /usr/bin/suricata ;;
restart) $0 stop $0 start ;; + reload) # Send SIGUSR2 to the suricata process to perform a reload # of the ruleset. @@ -226,5 +224,3 @@ case "$1" in exit 1 ;; esac - -chmod 644 /var/log/suricata/* 2>/dev/null
hooks/post-receive -- IPFire 2.x development tree