This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 5a4617a8711d69ba6ce19ca05a4fd21033dc72d1 (commit) via 249839b0ca06f81eaf3b75b03ac41ab2f7b6c352 (commit) via ae93dd3deb6524036943513e90d1fba84e3608bd (commit) via 68e0cf6714b4b2db76793bb36f5ccf11b76e5c02 (commit) from a7e185c5904d3dfc0f53d42ee539991b5bf193d1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 5a4617a8711d69ba6ce19ca05a4fd21033dc72d1 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Apr 30 10:58:31 2019 +0100
core132: Ship updated firewall rules generator
This patch also requires a reboot after installing this update so that the changed ruleset is being applied.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 249839b0ca06f81eaf3b75b03ac41ab2f7b6c352 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Apr 30 10:56:05 2019 +0100
firewall: Fix source/destination interface settings
When a forwarding rule is being created, we sometimes create INPUT/OUTPUT rules, too. Those were slightly invalid because the source and destination interfaces were passed, too.
This could render some rules in certain circumstances useless.
This patch fixes this and only adds -i for INPUT and -o for OUTPUT rules.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ae93dd3deb6524036943513e90d1fba84e3608bd Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Apr 30 10:45:34 2019 +0100
firewall: Add more rules to input/output when adding rules to forward
The special_input/output_targets array assumed that firewall access will always be denied. However, rules also need to be created when access is granted. Therefore the ACCEPT target needs to be included in this list and rules must be created in INPUTFW/OUTGOINGFW too when ACCEPT rules are created in FORWARDFW.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 68e0cf6714b4b2db76793bb36f5ccf11b76e5c02 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Apr 30 10:45:02 2019 +0100
grub: Update rootfile on i586
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/firewall/rules.pl | 49 +++++++++++++++---------------- config/rootfiles/common/i586/grub | 2 ++ config/rootfiles/core/132/filelists/files | 1 + config/rootfiles/core/132/update.sh | 2 +- 4 files changed, 28 insertions(+), 26 deletions(-)
Difference in files:
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 9817634c8..d2971566c 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -175,9 +175,9 @@ sub buildrules {
 }
 if ($POLICY_INPUT_ACTION eq "DROP") {
- push(@special_input_targets, "REJECT");
+ push(@special_input_targets, ("ACCEPT", "REJECT"));
 } elsif ($POLICY_INPUT_ACTION eq "REJECT") {
- push(@special_input_targets, "DROP");
+ push(@special_input_targets, ("ACCEPT", "DROP"));
 }
 my @special_output_targets = ();
@@ -187,9 +187,9 @@ sub buildrules {
 push(@special_output_targets, "ACCEPT");
 if ($POLICY_OUTPUT_ACTION eq "DROP") {
- push(@special_output_targets, "REJECT");
+ push(@special_output_targets, ("ACCEPT", "REJECT"));
 } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
- push(@special_output_targets, "DROP");
+ push(@special_output_targets, ("ACCEPT", "DROP"));
 }
 }
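Review bot: Both new `push` calls in this hunk add a second `"ACCEPT"` entry to `@special_output_targets`, because the context line `push(@special_output_targets, "ACCEPT");` at the top of the hunk already adds it unconditionally inside the same block. Membership is tested with `~~`, so the duplicate is harmless, but it obscures the intent: ACCEPT belongs in the list regardless of the policy, and the policy branch only decides which opposite target is added. Keeping the original single-target pushes here, and in the `@special_input_targets` hunk above adding `push(@special_input_targets, "ACCEPT");` before its `if` (unless an equivalent push already exists above line 175, outside that hunk), would express that directly and would also cover a policy value that is neither DROP nor REJECT.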
@@ -383,6 +383,19 @@ sub buildrules {
 push(@destination_options, ("-d", $destination));
 }
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ my @source_intf_options = ();
+ if ($source_intf) {
+ push(@source_intf_options, ("-i", $source_intf));
+ }
+
+ my @destination_intf_options = ();
+ if ($destination_intf) {
+ push(@destination_intf_options, ("-o", $destination_intf));
+ }
+
 # Add time constraint options.
 push(@options, @time_options);
@@ -467,10 +480,7 @@ sub buildrules {
 } elsif ($NAT_MODE eq "SNAT") {
 my @nat_options = @options;
- if ($destination_intf) {
- push(@nat_options, ("-o", $destination_intf));
- }
-
+ push(@nat_options, @destination_intf_options);
 push(@nat_options, @source_options);
 push(@nat_options, @destination_options);
@@ -481,25 +491,14 @@ sub buildrules {
 }
 }
- # Add source and destination interface to the filter rules.
- # These are supposed to help filtering forged packets that originate
- # from BLUE with an IP address from GREEN for instance.
- if ($source_intf) {
- push(@source_options, ("-i", $source_intf));
- }
-
- if ($destination_intf) {
- push(@destination_options, ("-o", $destination_intf));
- }
-
 push(@options, @source_options);
 push(@options, @destination_options);
 # Insert firewall rule.
 if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
+ run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
 }
- run("$IPTABLES -A $chain @options -j $target");
+ run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
 # Handle forwarding rules and add corresponding rules for firewall access.
 if ($chain eq $CHAIN_FORWARD) {
@@ -508,17 +507,17 @@ sub buildrules {
 # for the firewall, too.
 if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
 if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
 }
- run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
 }
 # Likewise.
 if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
 if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
 }
- run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
 }
 }
 }
diff --git a/config/rootfiles/common/i586/grub b/config/rootfiles/common/i586/grub
index d8bd62113..bc28d4593 100644
--- a/config/rootfiles/common/i586/grub
+++ b/config/rootfiles/common/i586/grub
@@ -146,6 +146,8 @@ usr/lib/grub/i386-pc
 #usr/lib/grub/i386-pc/drivemap.module
 #usr/lib/grub/i386-pc/echo.mod
 #usr/lib/grub/i386-pc/echo.module
+#usr/lib/grub/i386-pc/efiemu.mod
+#usr/lib/grub/i386-pc/efiemu.module
 #usr/lib/grub/i386-pc/ehci.mod
 #usr/lib/grub/i386-pc/ehci.module
 #usr/lib/grub/i386-pc/elf.mod
diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files
index 346b79c91..875dd3048 100644
--- a/config/rootfiles/core/132/filelists/files
+++ b/config/rootfiles/core/132/filelists/files
@@ -5,6 +5,7 @@ etc/rc.d/init.d/suricata
 etc/suricata/suricata.yaml
 srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
+usr/lib/firewall/rules.pl
 usr/sbin/convert-snort
 var/ipfire/ids-functions.pl
 var/ipfire/langs
diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh
index 53db5cb96..518c5b38c 100644
--- a/config/rootfiles/core/132/update.sh
+++ b/config/rootfiles/core/132/update.sh
@@ -46,7 +46,7 @@ ldconfig
 /etc/init.d/suricata restart
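Review bot: The reason the INPUT rules receive only `@source_intf_options` and the OUTPUT rules only `@destination_intf_options` is not recorded at the point of use; the `# for the firewall, too.` context comment predates both this split and the addition of ACCEPT to the special-target lists. A comment such as `# INPUT can only match the ingress interface (-i) and OUTPUT only the egress one (-o).` above the two `if ($LOG && !$NAT)` blocks would spare the next reader from re-deriving it from the commit message. It is also worth noting above the INPUT block that, with ACCEPT now in `@special_input_targets`, a FORWARD accept rule whose destination subnet contains a firewall address also admits the same traffic to the firewall itself, since that is a deliberate widening of access that anyone auditing the generated ruleset should expect to see. The `if ($chain eq $CHAIN_FORWARD)` block these rules belong to opens in the previous hunk.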
 # This update needs a reboot...
-#touch /var/run/need_reboot
+touch /var/run/need_reboot
 # Finish
 /etc/init.d/fireinfo start