This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via 93899a216f7f03b8e1d5092fdd20afd07b0bedae (commit) via 156311fbcd67f00002fe658e1ee4b20154bf014a (commit) from 06dbe99dbb1c37de8fc94b6f2dc6e53ef1d7d022 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 93899a216f7f03b8e1d5092fdd20afd07b0bedae Author: Arne Fitzenreiter arne_f@git.ipfire.org Date: Tue Jul 29 21:57:07 2014 +0200
firewall: add more pscan matches and filter INVALID conntrack packages.
commit 156311fbcd67f00002fe658e1ee4b20154bf014a Author: Erik Kapfer erik.kapfer@ipfire.org Date: Thu Jul 31 08:43:24 2014 +0200
OpenVPN: Added a check for empty 'CERT_NAME' field.
Fixes: #10581
-----------------------------------------------------------------------
Summary of changes: html/cgi-bin/ovpnmain.cgi | 4 +--- src/initscripts/init.d/firewall | 15 ++++++++++----- 2 files changed, 11 insertions(+), 8 deletions(-)
Difference in files: diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 927616a..14308e5 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -3968,10 +3968,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'name too long'}; goto VPNCONF_ERROR; } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { + if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 97186c3..23d0c23 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -64,16 +64,20 @@ iptables_init() { iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners - # nmap xmas - iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN - # Null - iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN - # FIN + # NMAP FIN/URG/PSH (XMAS scan) + iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN + # SYN/RST/ACK/FIN/URG + iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN + # ALL/ALL + iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN + # FIN Stealth iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN # SYN/RST (also catches xmas variants that set SYN+RST+...) iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN # SYN/FIN (QueSO or nmap OS probe) iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN + # Null + iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN # NEW TCP without SYN iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
@@ -83,6 +87,7 @@ iptables_init() { # Connection tracking chain iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
hooks/post-receive -- IPFire 2.x development tree