This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  b8c898b4824624b802ffda8b92c7009ea5a9db46 (commit)
       via  9f01011570be542e394503cb8a4c5184eb9be8d1 (commit)
       via  aa07e1bb3eba3606a0b8e647180e0926a411016b (commit)
       via  182743310ce47d9a78d5fd6d32c510bcbb163762 (commit)
       via  08c20b8457ec8c8fe24dda561b8d28a6f6b584a3 (commit)
       via  3dfc7489461d52321bf6cb6a342b15416fd362bb (commit)
       via  7c9a6cf1631cd68970762cbb61056618f6de4c2e (commit)
       via  b4f6962c4dd5ddd18a376e4acec6a861cf870fa1 (commit)
       via  216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2 (commit)
       via  d2b423b1dc866dccf70dba93d779da36871c1b84 (commit)
       via  6aa450ec3b4ab8a9a9ed37c710321c19b4db104d (commit)
       via  37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5 (commit)
       via  f23555a1c6acb12fbb626a27c2189dee4cb45c0c (commit)
       via  89645d1bbfbb26bdf0351fe01b69978f73fc0074 (commit)
       via  7d0f48668b681b4b788f8adffd5a6d0ad56d02a5 (commit)
       via  fb7d13725fc3d16eeddad73e5cfa86a15bc58408 (commit)
       via  0e16c27908960fd911efe8193489a16eb970455f (commit)
       via  4b1254520ab884792aa41a342a7e2e31320519db (commit)
       via  c09d2324479fa2fceec9eb5166b5e8e7af45fb0a (commit)
       via  30dc4c0248a65b70baf89cb46cc5b18993788501 (commit)
       via  816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe (commit)
      from  437bfd678013cf2b56b673b67a3eb6d68a0831cd (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b8c898b4824624b802ffda8b92c7009ea5a9db46
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Wed Feb 7 11:09:50 2024 +0000
core184: Ship vpnmain.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9f01011570be542e394503cb8a4c5184eb9be8d1
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Jan 30 17:45:44 2024 +0000
vpnmain.cgi: Add option to regenerate the host certificate
This is necessary since we now have a much shorter lifetime for the host certificate. However, it is complicated to do this, which is why we are copying the previous certificate and generating a new CSR. This is then signed.
A caveat of this patch is that we do not roll over the key.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aa07e1bb3eba3606a0b8e647180e0926a411016b
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Jan 30 17:45:43 2024 +0000
vpnmain.cgi: Return the entire error message if OpenSSL fails
The function did not evaluate the return code, which is why it used a hack to figure out whether some output is an error or not.
This is being fixed in this commit and the entire output is being returned if the return code is non-zero.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 182743310ce47d9a78d5fd6d32c510bcbb163762
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Jan 30 17:45:42 2024 +0000
vpnmain.cgi: Do not use a bad source for randomness
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 08c20b8457ec8c8fe24dda561b8d28a6f6b584a3
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Wed Feb 7 11:05:08 2024 +0000
core184: Ship HOSTILE IN/OUT changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3dfc7489461d52321bf6cb6a342b15416fd362bb
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Feb 6 18:17:26 2024 +0000
firewall: Improve labelling of hostile networks hits
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7c9a6cf1631cd68970762cbb61056618f6de4c2e
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Feb 6 18:11:48 2024 +0000
firewall: graphs: Add a line for the total number of hostile hits
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b4f6962c4dd5ddd18a376e4acec6a861cf870fa1
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:53 2024 +0100
optionsfw.cgi: Move Firewall Options Drop commands to before the logging section
- Moved the Firewall Options Drop commands to before the logging section, as discussed at the January 2024 Video Call.
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:52 2024 +0100
graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries
- This v3 version of the patch set splits the single hostile networks graph entry into incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d2b423b1dc866dccf70dba93d779da36871c1b84
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:51 2024 +0100
collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection
- In this v3 version of the patch set the splitting of drop hostile logging into incoming and outgoing logging means that the data collection and graphs need to have drop hostile also split into incoming and outgoing.
Fixes: bug12981
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6aa450ec3b4ab8a9a9ed37c710321c19b4db104d
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:50 2024 +0100
en.pl: Fixes bug12981 - adds English language input for choice of drop hostile logging
- In this v3 version, translations have been added for hostile networks in and hostile networks out and log drop hostile in and log drop hostile out.
Fixes: bug12981
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:49 2024 +0100
firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
- This v3 version now has two if loops allowing logging of incoming drop hostile or outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the dropped hostile traffic.
Fixes: bug12981
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f23555a1c6acb12fbb626a27c2189dee4cb45c0c
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:48 2024 +0100
rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and HOSTILE_DROP_OUT for outgoing traffic, enabling logging decisions to be taken on each independently.
Fixes: bug12981
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
Acked-by: Bernhard Bitsch bbitsch@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 89645d1bbfbb26bdf0351fe01b69978f73fc0074
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Sun Jan 21 12:45:47 2024 +0100
optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
- This v3 version has split the logging choice for drop hostile to separate the logging of incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway. However the logs were being swamped by the logging of drop hostile making analysis difficult. So incoming drop hostile was desired to not be logged. However logging of outgoing drop hostile was desired to identify if clients on the internal LAN were infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be logged or not.
Fixes: bug12981
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
Tested-by: Bernhard Bitsch bbitsch@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7d0f48668b681b4b788f8adffd5a6d0ad56d02a5
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Wed Feb 7 11:01:25 2024 +0000
elfutils: Don't ship tools
I don't think there is any point that we ship these.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fb7d13725fc3d16eeddad73e5cfa86a15bc58408
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Wed Feb 7 10:58:21 2024 +0000
core184: Remove elfutils pakfire metadata (if installed)
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0e16c27908960fd911efe8193489a16eb970455f
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Feb 6 22:27:39 2024 +0100
strace: elfutils moved from addon dependency to core program
Fixes: Bug#13516
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4b1254520ab884792aa41a342a7e2e31320519db
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Feb 6 22:27:38 2024 +0100
qemu: elfutils moved from addon dependency to core program
Fixes: Bug#13516
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c09d2324479fa2fceec9eb5166b5e8e7af45fb0a
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Feb 6 22:27:37 2024 +0100
ltrace: elfutils moved from addon dependency to core program
Fixes: Bug#13516
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 30dc4c0248a65b70baf89cb46cc5b18993788501
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Feb 6 22:27:36 2024 +0100
frr: elfutils moved from addon dependency to core program
Fixes: Bug#13516
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Feb 6 22:27:35 2024 +0100
elfutils: Move from addon to core program. Required by suricata-7.0.2 for execution
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building, but suricata-7.0.2 fails to start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/cfgroot/graphs.pl                       | 23 ++++++++-
 config/collectd/collectd.conf                  |  3 +-
 config/firewall/rules.pl                       |  6 +--
 config/rootfiles/{packages => common}/elfutils | 36 +++++++-------
 config/rootfiles/core/184/filelists/files      |  5 ++
 config/rootfiles/core/184/update.sh            | 25 ++++++++++
 config/ssl/openssl.cnf                         |  1 +
 doc/language_issues.de                         |  7 +++
 doc/language_issues.en                         |  7 ++-
 doc/language_issues.es                         |  7 +++
 doc/language_issues.fr                         |  7 +++
 doc/language_issues.it                         |  7 ++-
 doc/language_issues.nl                         |  7 ++-
 doc/language_issues.pl                         |  7 ++-
 doc/language_issues.ru                         |  7 ++-
 doc/language_issues.tr                         |  7 ++-
 doc/language_missings                          | 53 ++++++++++++++++++--
 html/cgi-bin/optionsfw.cgi                     | 65 +++++++++++++++++-------
 html/cgi-bin/vpnmain.cgi                       | 69 +++++++++++++++++++++++---
 langs/en/cgi-bin/en.pl                         |  7 ++-
 lfs/elfutils                                   | 11 +---
 lfs/frr                                        |  4 +-
 lfs/ltrace                                     |  6 +--
 lfs/qemu                                       |  6 +--
 lfs/strace                                     |  6 +--
 src/initscripts/system/firewall                | 15 ++++-
 26 files changed, 317 insertions(+), 87 deletions(-)
 rename config/rootfiles/{packages => common}/elfutils (76%)
Difference in files: diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 9803dd124..a23e49c98 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -693,7 +693,16 @@ sub updatefwhitsgraph { "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE", - "DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + + # This creates a new combined hostile segment. + # Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values + # from the old RRD database unless those are UNKNOWN (i.e. we started collected IN/OUT). If the values are unknown, + # we replace them with them sum of IN + OUT. + "CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF", + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), 
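Review bot: the graphs.pl hunk now makes the firewall hits graph depend on three RRD files at once, and rrdtool aborts the whole graph when any DEF file is missing. The legacy DEF (iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd) will never exist on an installation made after this change, and the new HOSTILE_DROP_IN/HOSTILE_DROP_OUT files only appear once collectd has written its first sample after the restart in update.sh, so the graph can fail to render in both situations. Suggest testing for each file in Perl (e.g. `-e` on the three paths) and emitting the legacy DEF and the `hostilelegacy,UN,...,IF` CDEF only when the old file is present, otherwise defining `hostile` directly as `hostilein,hostileout,+`. The RPN of the CDEF itself is correct (UNKNOWN legacy value selects IN+OUT, otherwise the legacy value is kept); the explanatory comment has two typos: "started collected IN/OUT" should read "started collecting IN/OUT" and "them sum" should read "the sum".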
@@ -729,7 +738,17 @@ sub updatefwhitsgraph { "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps", "GPRINT:spoofedmartian:MIN:%8.1lf %sBps", "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\j", - "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}), + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}), + "GPRINT:hostilein:MAX:%8.1lf %sBps", + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps", + "GPRINT:hostilein:MIN:%8.1lf %sBps", + "GPRINT:hostilein:LAST:%8.1lf %sBps\j", + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}), + "GPRINT:hostileout:MAX:%8.1lf %sBps", + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps", + "GPRINT:hostileout:MIN:%8.1lf %sBps", + "GPRINT:hostileout:LAST:%8.1lf %sBps\j", + "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}), "GPRINT:hostile:MAX:%8.1lf %sBps", "GPRINT:hostile:AVERAGE:%8.1lf %sBps", "GPRINT:hostile:MIN:%8.1lf %sBps", diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 4ef34ea07..cc49f0ba7 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -51,7 +51,8 @@ include "/etc/collectd.precache" Chain filter POLICYOUT DROP_OUTPUT Chain filter POLICYIN DROP_INPUT Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN - Chain filter HOSTILE_DROP DROP_HOSTILE + Chain filter HOSTILE_DROP_IN DROP_HOSTILE + Chain filter HOSTILE_DROP_OUT DROP_HOSTILE </Plugin>
#<Plugin logfile> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 7edb910e2..a47c260a1 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -726,8 +726,8 @@ sub drop_hostile_networks () { &ipset_restore($HOSTILE_CCODE);
# Check traffic in incoming/outgoing direction and drop if it matches - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP"); - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP"); + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN"); + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT"); }
sub ipblocklist () { diff --git a/config/rootfiles/packages/elfutils b/config/rootfiles/common/elfutils similarity index 76% rename from config/rootfiles/packages/elfutils rename to config/rootfiles/common/elfutils index f7d56ad89..830638e2b 100644 --- a/config/rootfiles/packages/elfutils +++ b/config/rootfiles/common/elfutils @@ -1,21 +1,21 @@ -usr/bin/eu-addr2line -usr/bin/eu-ar -usr/bin/eu-elfclassify -usr/bin/eu-elfcmp -usr/bin/eu-elfcompress -usr/bin/eu-elflint -usr/bin/eu-findtextrel -usr/bin/eu-make-debug-archive -usr/bin/eu-nm -usr/bin/eu-objdump -usr/bin/eu-ranlib -usr/bin/eu-readelf -usr/bin/eu-size -usr/bin/eu-srcfiles -usr/bin/eu-stack -usr/bin/eu-strings -usr/bin/eu-strip -usr/bin/eu-unstrip +#usr/bin/eu-addr2line +#usr/bin/eu-ar +#usr/bin/eu-elfclassify +#usr/bin/eu-elfcmp +#usr/bin/eu-elfcompress +#usr/bin/eu-elflint +#usr/bin/eu-findtextrel +#usr/bin/eu-make-debug-archive +#usr/bin/eu-nm +#usr/bin/eu-objdump +#usr/bin/eu-ranlib +#usr/bin/eu-readelf +#usr/bin/eu-size +#usr/bin/eu-srcfiles +#usr/bin/eu-stack +#usr/bin/eu-strings +#usr/bin/eu-strip +#usr/bin/eu-unstrip #usr/include/dwarf.h #usr/include/elfutils #usr/include/elfutils/elf-knowledge.h diff --git a/config/rootfiles/core/184/filelists/files b/config/rootfiles/core/184/filelists/files index 4f1c7ed98..dc8a1b28f 100644 --- a/config/rootfiles/core/184/filelists/files +++ b/config/rootfiles/core/184/filelists/files @@ -1 +1,6 @@ etc/rc.d/init.d/collectd +etc/rc.d/init.d/firewall +srv/web/ipfire/cgi-bin/optionsfw.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/lib/firewall/rules.pl +var/ipfire/graphs.pl diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/update.sh index a5e53a564..d744b5119 100644 --- a/config/rootfiles/core/184/update.sh +++ b/config/rootfiles/core/184/update.sh @@ -37,6 +37,30 @@ done # Extract files extract_files
+# Remove dropped elfutils addon +rm -vf \ + /opt/pakfire/db/installed/meta-elfutils \ + /opt/pakfire/db/meta/meta-elfutils \ + /opt/pakfire/db/rootfiles/elfutils \ + /usr/bin/eu-addr2line \ + /usr/bin/eu-ar \ + /usr/bin/eu-elfclassify \ + /usr/bin/eu-elfcmp \ + /usr/bin/eu-elfcompress \ + /usr/bin/eu-elflint \ + /usr/bin/eu-findtextrel \ + /usr/bin/eu-make-debug-archive \ + /usr/bin/eu-nm \ + /usr/bin/eu-objdump \ + /usr/bin/eu-ranlib \ + /usr/bin/eu-readelf \ + /usr/bin/eu-size \ + /usr/bin/eu-srcfiles \ + /usr/bin/eu-stack \ + /usr/bin/eu-strings \ + /usr/bin/eu-strip \ + /usr/bin/eu-unstrip + # Remove files
# update linker config @@ -54,6 +78,7 @@ ldconfig # Start services telinit u /etc/init.d/vnstat start +/etc/init.d/collectd restart
# This update needs a reboot... touch /var/run/need_reboot diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf index 3b980fcd4..00c206ed8 100644 --- a/config/ssl/openssl.cnf +++ b/config/ssl/openssl.cnf @@ -23,6 +23,7 @@ default_md = sha256 preserve = no policy = policy_match email_in_dn = no +copy_extensions = copyall
[ policy_match ] countryName = optional diff --git a/doc/language_issues.de b/doc/language_issues.de index 4fd5a0819..46fb9ee5a 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -375,6 +375,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -923,16 +924,22 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: invalid input for subscription code = Invalid input for subscription code WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional WARNING: untranslated string: pakfire invalid tree = Invalid repository selected +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. 
WARNING: untranslated string: required = Required diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..86d5890f2 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1039,7 +1039,9 @@ WARNING: untranslated string: holdoff = Holdoff time (in seconds) WARNING: untranslated string: host certificate = Host Certificate WARNING: untranslated string: host ip = Host IP address WARNING: untranslated string: host to net vpn = Host-to-Net Virtual Private Network (RoadWarrior) -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: hostname = Hostname WARNING: untranslated string: hostname cant be empty = Hostname cannot be empty. WARNING: untranslated string: hostname not set = Hostname not set. @@ -1247,6 +1249,8 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: WARNING: untranslated string: log = Log +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log lines per page = Lines per page WARNING: untranslated string: log server address = Syslog server: 
@@ -1578,6 +1582,7 @@ WARNING: untranslated string: red1 = RED WARNING: untranslated string: references = References WARNING: untranslated string: refresh = Refresh WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..30e20ae87 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -415,6 +415,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -989,12 +990,18 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..a53358147 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -402,6 +402,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 @@ -947,7 +948,13 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..24efece2b 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1068,7 +1068,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply @@ -1159,6 +1161,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE 
@@ -1215,6 +1219,7 @@ WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..b6a65fad2 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1073,7 +1073,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1166,6 +1168,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE @@ -1237,6 +1241,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required = Required diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..1a4f62870 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1213,7 +1213,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply @@ -1315,6 +1317,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter 
@@ -1418,6 +1422,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..8da6fe4b6 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1210,7 +1210,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1313,6 +1315,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter @@ -1413,6 +1417,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..96fe71f7b 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1010,7 +1010,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = From Hostile Networks +WARNING: untranslated string: hostile networks out = To Hostile Networks +WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply @@ -1089,6 +1091,8 @@ WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: local ip address = Local IP Address +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: meltdown = Meltdown WARNING: untranslated string: mitigated = Mitigated 
@@ -1125,6 +1129,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..c92e1e6a3 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -58,6 +58,9 @@ < extrahd because it it outside the allowed mount path < g.dtm < g.lite +< hostile networks in +< hostile networks out +< hostile networks total < ids automatic rules update < ids subscription code required < insert removable device @@ -66,6 +69,8 @@ < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < link-layer encapsulation +< log drop hostile in +< log drop hostile out < netbios nameserver daemon < no entries < notes @@ -73,6 +78,7 @@ < optional < quick control < random number generator daemon +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -114,9 +120,15 @@ < extrahd not configured < extrahd not mounted < hardware vulnerabilities +< hostile networks in +< hostile networks out +< hostile networks total < invalid ip or hostname +< log drop hostile in +< log drop hostile out < openvpn cert expires soon < openvpn cert has expired +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < service boot setting unavailable 
@@ -138,6 +150,12 @@ < extrahd not mounted < g.dtm < g.lite +< hostile networks in +< hostile networks out +< hostile networks total +< log drop hostile in +< log drop hostile out +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < spec rstack overflow @@ -361,7 +379,9 @@ < guaranteed bandwidth < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -464,6 +484,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -523,6 +545,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -880,7 +903,9 @@ < generate ptr < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -985,6 +1010,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -1063,6 +1090,7 @@ < rdns < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -1704,7 +1732,9 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -1819,6 +1849,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter 
@@ -1943,6 +1975,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -2695,7 +2728,9 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < hour-graph < ids add provider < ids adjust ruleset @@ -2812,6 +2847,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter @@ -2934,6 +2971,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -3280,7 +3318,9 @@ < fw red < generate ptr < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -3368,6 +3408,8 @@ < legacy architecture warning < link-layer encapsulation < local ip address +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < meltdown < mitigated @@ -3405,6 +3447,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index fbff67b2f..60b1bdd91 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) { if (!$settings{'DROPHOSTILE'}) { $settings{'DROPHOSTILE'} = 'off'; } +if (!$settings{'LOGDROPHOSTILEIN'}) { + $settings{'LOGDROPHOSTILEIN'} = 'on'; +} +if (!$settings{'LOGDROPHOSTILEOUT'}) { + $settings{'LOGDROPHOSTILEOUT'} = 'on'; +} if (!$settings{'LOGDROPCTINVALID'}) { $settings{'LOGDROPCTINVALID'} = 'on'; } @@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec $checked{'DROPHOSTILE'}{'off'} = ''; $checked{'DROPHOSTILE'}{'on'} = ''; $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'"; +$checked{'LOGDROPHOSTILEIN'}{'off'} = ''; +$checked{'LOGDROPHOSTILEIN'}{'on'} = ''; +$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'"; +$checked{'LOGDROPHOSTILEOUT'}{'off'} = ''; +$checked{'LOGDROPHOSTILEOUT'}{'on'} = ''; +$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'"; $checked{'LOGDROPCTINVALID'}{'off'} = ''; $checked{'LOGDROPCTINVALID'}{'on'} = ''; $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'"; @@ -212,6 +224,29 @@ END
<br>
+<table width='95%' cellspacing='0'> + <tr bgcolor='$color{'color20'}'> + <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/ + <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> +</table> +<br> + +<table width='95%' cellspacing='0'> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/ + <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/ + <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr> +</table> +<br> + <table width='95%' cellspacing='0'> <tr bgcolor='$color{'color20'}'> <td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td> 
@@ -279,31 +314,23 @@ END <input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'} </td> </tr> -</table> -<br/> - -<table width='95%' cellspacing='0'> - <tr bgcolor='$color{'color20'}'> - <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td> + <tr> + <td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/ + <input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'} + </td> </tr> <tr> - <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td> + <td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td> <td align='left'> - $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/ - <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'} + $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/ + <input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'} </td> </tr> </table> -<br> +<br/>
-<table width='95%' cellspacing='0'> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/ - <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/ - <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr> -</table> -<br> <table width='95%' cellspacing='0'> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/ diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 53507305f..9173a85d8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -229,13 +229,14 @@ sub callssl ($) { my $opt = shift; my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr my $ret = ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); - } - if ($ret) { - $ret= &Header::cleanhtml($ret); + + if ($?) { + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .= '<br>' . &Header::escape($line); + } } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ### 
@@ -865,6 +866,12 @@ END exit(0); } ### +### Regenerate the host certificate +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) { + $errormessage = ®enerate_host_certificate(); + +### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || @@ -2141,7 +2148,7 @@ END &General::log("ipsec", "Creating a cert...");
if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + my $opt = " req -nodes"; $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; @@ -3611,7 +3618,12 @@ END <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> </form> </td> - <td width='4%' $col2> </td></tr> + <td width='4%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' /> + </form> + </td></tr> END ; } else { @@ -3781,3 +3793,44 @@ sub make_subnets($$) {
return join(",", @cidr_nets); } + +sub regenerate_host_certificate() { + my $errormessage = ""; + + &General::log("ipsec", "Regenerating host certificate..."); + + # Create a CSR based on the existing certificate + my $opt = " x509 -x509toreq -copy_extensions copyall"; + $opt .= " -signkey ${General::swroot}/certs/hostkey.pem"; + $opt .= " -in ${General::swroot}/certs/hostcert.pem"; + $opt .= " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage = &callssl($opt); + + # Revoke the old certificate + if (!$errormessage) { + &General::log("ipsec", "Revoking the old host cert..."); + + my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem"; + $errormessage = &callssl($opt); + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + my $opt = " ca -md sha256 -days 825"; + $opt .= " -batch -notext"; + $opt .= " -in ${General::swroot}/certs/hostreq.pem"; + $opt .= " -out ${General::swroot}/certs/hostcert.pem"; + $errormessage = &callssl ($opt); + + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + } + + # Reload the new certificate + if (!$errormessage) { + &General::system('/usr/local/bin/ipsecctrl', 'R'); + } + + return $errormessage; +} diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..3246102ba 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1409,7 +1409,9 @@ 'host deny' => 'list with denied hosts', 'host ip' => 'Host IP address', 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', -'hostile networks' => 'Hostile networks', +'hostile networks in' => 'From Hostile Networks', +'hostile networks out' => 'To Hostile Networks', +'hostile networks total' => 'Total Hostile Networks', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', 'hostname cant be empty' => 'Hostname cannot be empty.', 
@@ -1686,6 +1688,8 @@ 'locationblock enable feature' => 'Enable Location based blocking:', 'locationblock flag' => 'Flag', 'log' => 'Log', +'log drop hostile in' => 'Log dropped packets FROM hostile networks', +'log drop hostile out' => 'Log dropped packets TO hostile networks', 'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking', 'log enabled' => 'Log Enabled', 'log level' => 'Log Level', @@ -2208,6 +2212,7 @@ 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', 'refresh update list' => 'Refresh update list', +'regenerate host certificate' => 'Renew Host Certificate', 'registered user rules' => 'Talos VRT rules for registered users', 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.', 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.', diff --git a/lfs/elfutils b/lfs/elfutils index 9fb69af62..7dd95caa2 100644 --- a/lfs/elfutils +++ b/lfs/elfutils @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -33,12 +33,6 @@ DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) -PROG = elfutils -PAK_VER = 10 - -DEPS = - -SERVICES =
############################################################################### # Top-level Rules @@ -58,9 +52,6 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects))
b2 : $(subst %,%_BLAKE2,$(objects))
-dist: - @$(PAK) - ############################################################################### # Downloading, checking, b2sum ############################################################################### diff --git a/lfs/frr b/lfs/frr index a1555af64..f0954aae5 100644 --- a/lfs/frr +++ b/lfs/frr @@ -34,9 +34,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = frr -PAK_VER = 7 +PAK_VER = 8
-DEPS = elfutils +DEPS =
SERVICES = frr
diff --git a/lfs/ltrace b/lfs/ltrace index 3d1fdee3f..f3f07c0b1 100644 --- a/lfs/ltrace +++ b/lfs/ltrace @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -35,9 +35,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = ltrace -PAK_VER = 2 +PAK_VER = 3
-DEPS = elfutils +DEPS =
SERVICES =
diff --git a/lfs/qemu b/lfs/qemu index 2c45d7156..d65282743 100644 --- a/lfs/qemu +++ b/lfs/qemu @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -35,9 +35,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = qemu -PAK_VER = 41 +PAK_VER = 42
-DEPS = alsa elfutils libusbredir spice libseccomp libslirp +DEPS = alsa libusbredir spice libseccomp libslirp
SERVICES =
diff --git a/lfs/strace b/lfs/strace index 2ce9b26d8..97253340a 100644 --- a/lfs/strace +++ b/lfs/strace @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -35,9 +35,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = strace -PAK_VER = 10 +PAK_VER = 11
-DEPS = elfutils +DEPS =
SERVICES =
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 3aab7dd75..69bdcb594 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -179,9 +179,18 @@ iptables_init() { iptables -A FORWARD -j HOSTILE iptables -A OUTPUT -j HOSTILE
- iptables -N HOSTILE_DROP - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" + iptables -N HOSTILE_DROP_IN + if [ "$LOGDROPHOSTILEIN" == "on" ]; then + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE" + + iptables -N HOSTILE_DROP_OUT + if [ "$LOGDROPHOSTILEOUT" == "on" ]; then + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE" +
# IP Address Blocklist chains iptables -N BLOCKLISTIN
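Review bot: in the optionsfw.cgi hunks (@@ -94 and @@ -125) the two new keys `LOGDROPHOSTILEIN` and `LOGDROPHOSTILEOUT` are defaulted with the same `if (!$settings{...})` idiom as `LOGDROPCTINVALID`, but the save handler that validates submitted values is not part of this diff; since src/initscripts/system/firewall sources the settings file as shell, confirm that the new keys go through the same validated on/off path as the existing toggles so that nothing other than `on` or `off` can be written to the file.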
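Review bot: in the `callssl` hunk of vpnmain.cgi (@@ -229), gating on `$?` means anything openssl writes to stderr while exiting 0 is now discarded, where the old `error|unknown` grep surfaced it regardless of exit status; that is a reasonable trade for reliable error reporting, but the dead `&General::log("ipsec", "$line") if (0);` line is carried over and should be gated on a real verbosity setting or dropped. Escaping each line with `&Header::escape` before prepending `<br>` is the right order, since raw openssl output no longer reaches the page unescaped.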
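Review bot: dropping `-rand /proc/interrupts:/proc/net/rt_cache` from the `req` invocation (vpnmain.cgi @@ -2141) is correct, as `/proc/net/rt_cache` no longer exists on current kernels and OpenSSL seeds from the system CSPRNG on its own, but the hunk touches only this one call; check that no other `openssl` invocation in vpnmain.cgi still passes the same `-rand` argument, so that all key generation paths seed the same way.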
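Review bot: in the new `regenerate_host_certificate` sub (vpnmain.cgi @@ -3781) the old certificate is revoked with `ca -revoke` before the replacement is signed, so if the following `ca -md sha256 -days 825` step fails the system keeps a revoked hostcert.pem with no working replacement, and hostreq.pem is only unlinked on the signing branch, so it is left behind when the revoke step fails. Sign the request to a temporary output first, revoke the old certificate and move the new one into place only after signing succeeded, and unlink hostreq.pem on every path. Two things worth stating in the commit message or the UI text: the CSR is built with `-signkey hostkey.pem`, so "Renew" keeps the existing private key and is not a remedy for a possibly leaked key, and `x509 -x509toreq -copy_extensions copyall` needs OpenSSL 3.0 or later, which should be confirmed against the version the build ships. The log line "Self signing host cert..." is also misleading, since `ca` signs with the root CA rather than the host key.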
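Review bot: in the src/initscripts/system/firewall hunk (@@ -179) logging is now conditional on `"$LOGDROPHOSTILEIN" == "on"` (and likewise for OUT), but when the variable is absent because the settings file predates this change the test fails and logging is silently off, while optionsfw.cgi only defaults the keys to `on` once the page is loaded and saved; the previous code logged unconditionally, so an upgraded system loses its DROP_HOSTILE log lines until someone saves the firewall options page. Use a parameter default in the test (`[ "${LOGDROPHOSTILEIN:-on}" == "on" ]`) or have the core update write both keys into the settings file. Two further checks: both new chains keep the identical `--log-prefix "DROP_HOSTILE "`, so direction cannot be told apart in the kernel log even though the UI now has separate in/out/total strings (if the firewall log viewer keys on that prefix, any new prefix needs the parser updated as well); and the rules that jump to the old `HOSTILE_DROP` chain are not in this hunk, so confirm every `-j HOSTILE_DROP` caller was renamed to `_IN` or `_OUT`, otherwise those jump targets no longer exist and the script fails at that rule.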
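Review bot: the lfs/elfutils hunk removes `PROG`, `PAK_VER`, `DEPS`, `SERVICES` and the `dist:` target, turning elfutils from an add-on package into a core component, and lfs/frr, lfs/ltrace, lfs/qemu and lfs/strace drop `elfutils` from `DEPS` with a `PAK_VER` bump so the dependents are rebuilt; what the visible hunks do not cover is the upgrade path, so confirm that the core update removes the stale elfutils pak metadata on systems that had it installed and that the elfutils rootfile is included in the core image, otherwise the libraries those four paks link against are missing after the update.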
hooks/post-receive -- IPFire 2.x development tree