public inbox for ipfire-scm@lists.ipfire.org
From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 36d44213e93fadcd3fac982f14bacc61f4ce977d
Date: Fri, 14 Feb 2014 13:50:25 +0100
Message-ID: <20140214125046.31791208EF@argus.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  36d44213e93fadcd3fac982f14bacc61f4ce977d (commit)
       via  a211fee393fc05119710f9db83511085786010f1 (commit)
       via  cdb725da872d076f3731537bfd2f4a435f01feb1 (commit)
       via  1108a15cc6d6da291fa6039ae92b3922dd8a2577 (commit)
       via  7d7740a46769d6a45668182cebb86275960f212a (commit)
       via  e7c5b9dabb9dbd724b04b01a627573727c6d23f2 (commit)
       via  4bc91affe00eb06142c914ac9f1686f2473cf471 (commit)
       via  159c55c5c89938ade27c0fcabc21e40da0e1a122 (commit)
       via  c581b670ef383fe566075abe0a7df300b7da537c (commit)
       via  f3511161525d125621467ee2cc7b1319fc07cb83 (commit)
       via  501e7b8654263f6758e273162f09183661d40303 (commit)
       via  da9e4e8ed90aae3fc6100bd21cd49804fca6c9bf (commit)
       via  f4e869ffb42c717167478fc75b993f9903298e15 (commit)
      from  125b6fcd66a2eb42ae773f66811c89959c7a2b77 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 36d44213e93fadcd3fac982f14bacc61f4ce977d
Merge: a211fee 125b6fc
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 13:50:01 2014 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit a211fee393fc05119710f9db83511085786010f1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 13:04:18 2014 +0100

    firewall: Use --wait for all iptables commands.

commit cdb725da872d076f3731537bfd2f4a435f01feb1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:54:08 2014 +0100

    firewall: Load conntrack modules in firewall script.

commit 1108a15cc6d6da291fa6039ae92b3922dd8a2577
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:52:28 2014 +0100

    Move enabling nf_conntrack_acct where it should be.

commit 7d7740a46769d6a45668182cebb86275960f212a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:48:11 2014 +0100

    firewall: Initialize basic ruleset before entering runlevel 3.

commit e7c5b9dabb9dbd724b04b01a627573727c6d23f2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:41:23 2014 +0100

    network: Remove redundant insertion of wireless rules.

commit 4bc91affe00eb06142c914ac9f1686f2473cf471
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:40:57 2014 +0100

    network: Remove old accounting code.

commit 159c55c5c89938ade27c0fcabc21e40da0e1a122
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:40:11 2014 +0100

    firewall: Call firewall.local start at the very end.

commit c581b670ef383fe566075abe0a7df300b7da537c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:35:40 2014 +0100

    firewall: Use --wait for every iptables call.

commit f3511161525d125621467ee2cc7b1319fc07cb83
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 14 12:15:37 2014 +0100

    Fix missing string in proxy.cgi (Cache-Digest creation).

commit 501e7b8654263f6758e273162f09183661d40303
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Feb 13 15:39:35 2014 +0100

    tor: Bump package version to 6 and fix backup.
    
    The backup include file is missing in older releases
    and will be created on the fly when updating old packages.

commit da9e4e8ed90aae3fc6100bd21cd49804fca6c9bf
Merge: f4e869f d2b1aa0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Feb 13 15:31:25 2014 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit f4e869ffb42c717167478fc75b993f9903298e15
Author: Alf Høgemark <alf(a)i100.no>
Date:   Sat Feb 8 07:32:08 2014 +0100

    netexternal.cgi: Fix display of DNS1 and DNS2

-----------------------------------------------------------------------

Summary of changes:
 config/etc/sysctl.conf                       |   3 +
 config/firewall/firewall-policy              |  40 ++--
 config/firewall/rules.pl                     |  34 +--
 config/rootfiles/common/armv5tel/initscripts |   1 +
 config/rootfiles/common/i586/initscripts     |   1 +
 doc/language_issues.de                       |   1 -
 doc/language_issues.en                       |   1 -
 doc/language_missings                        |   4 +
 html/cgi-bin/netexternal.cgi                 |   4 +-
 langs/de/cgi-bin/de.pl                       |   1 +
 langs/en/cgi-bin/en.pl                       |   1 +
 lfs/initscripts                              |   1 +
 lfs/tor                                      |   2 +-
 src/initscripts/init.d/firewall              | 307 +++++++++++++++------------
 src/initscripts/init.d/network               |  36 ----
 src/paks/{default => tor}/install.sh         |   0
 src/paks/{cacti => tor}/uninstall.sh         |   0
 src/paks/{vdr => tor}/update.sh              |  21 +-
 18 files changed, 232 insertions(+), 226 deletions(-)
 copy src/paks/{default => tor}/install.sh (100%)
 copy src/paks/{cacti => tor}/uninstall.sh (100%)
 copy src/paks/{vdr => tor}/update.sh (87%)

Difference in files:
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index df3ef5f..d6a2f75 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -28,3 +28,6 @@ vm.min_free_kbytes = 8192
 # Disable IPv6 by default.
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
+
+# Enable netfilter accounting
+net.netfilter.nf_conntrack_acct=1
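
Review bot: the added `net.netfilter.nf_conntrack_acct=1` line has no spaces around `=`, unlike the `net.ipv6.conf.* = 1` entries directly above it; match that style. The key also exists only once the nf_conntrack module is loaded, so the comment should state that this setting relies on the firewall script (which per this push loads the conntrack modules and is linked as S85firewall) having run before S90sysctl applies the file.
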
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 6d26d5b..773e5ce 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -23,6 +23,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
 
+function iptables() {
+	/sbin/iptables --wait "$@"
+}
+
 iptables -F POLICYFWD
 iptables -F POLICYOUT
 iptables -F POLICYIN
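
Review bot: the wrapper added before `iptables -F POLICYFWD` uses the `function iptables() { ... }` form, which is a bash extension; plain `iptables() { ... }` is portable and behaves the same. The identical wrapper is added again in src/initscripts/init.d/firewall in this push, so defining it once in a file both scripts source would keep the `--wait` behaviour in one place. Also worth a comment: `--wait` without a timeout blocks until the xtables lock is free, so a stuck lock holder stalls this script.
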
@@ -52,15 +56,15 @@ esac
 case "${FWPOLICY2}" in
 	REJECT)
 		if [ "${DROPINPUT}" = "on" ]; then
-			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+			iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
 		fi
-		/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+		iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 		;;
 	*) # DROP
 		if [ "${DROPINPUT}" = "on" ]; then
-			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+			iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 		fi
-		/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+		iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
 		;;
 esac
 
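
Review bot: in the `REJECT)` branch the log rule uses the prefix "REJECT_INPUT" but the terminating rule is tagged `--comment "DROP_INPUT"`, so a rule listing shows a DROP label on a REJECT rule; use `--comment "REJECT_INPUT"` there unless something parses the DROP_ tag, in which case say so in a comment. The `--log-prefix` values here also carry no trailing space (init.d/firewall uses "DROP_TCP Scan "), so the prefix runs straight into the packet fields in the log line.
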
@@ -70,15 +74,15 @@ case "${POLICY}" in
 		case "${FWPOLICY}" in
 			REJECT)
 				if [ "${DROPFORWARD}" = "on" ]; then
-					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+					iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
 				fi
-				/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+				iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
 				;;
 			*) # DROP
 				if [ "${DROPFORWARD}" = "on" ]; then
-					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+					iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
 				fi
-				/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+				iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 				;;
 		esac
 		;;
@@ -86,14 +90,14 @@ case "${POLICY}" in
 	*)
 		if [ -n "${IFACE}" ]; then
 			if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
-				/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+				iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
 			fi
 			if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
-				/sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+				iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
 			fi
 		fi
-		/sbin/iptables -A POLICYFWD -j ACCEPT
-		/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+		iptables -A POLICYFWD -j ACCEPT
+		iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 		;;
 esac
 
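
Review bot: in the default `*)` branch, `iptables -A POLICYFWD -j ACCEPT` is unconditional, so the `-m comment --comment "DROP_FORWARD" -j DROP` rule appended right after it can never match. Either drop that last rule or add a comment explaining why it is kept.
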
@@ -103,21 +107,21 @@ case "${POLICY1}" in
 		case "${FWPOLICY1}" in
 			REJECT)
 				if [ "${DROPOUTGOING}" = "on" ]; then
-					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+					iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
 				fi
-				/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+				iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
 				;;
 			*) # DROP
 				if [ "${DROPOUTGOING}" == "on" ]; then
-					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+					iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
 				fi
-				/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+				iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 				;;
 		esac
 		;;
 	*)
-		/sbin/iptables -A POLICYOUT -j ACCEPT
-		/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+		iptables -A POLICYOUT -j ACCEPT
+		iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
 		;;
 esac
 
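
Review bot: the `*) # DROP` branch tests `[ "${DROPOUTGOING}" == "on" ]` while the other tests in this file use a single `=`; `==` inside `[ ]` is a bash extension, so use `=` here too. In the outer `*)` branch the final `--comment "DROP_OUTPUT" -j DROP` rule follows an unconditional `iptables -A POLICYOUT -j ACCEPT` and is unreachable.
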
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 4380764..09e8ae6 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -60,7 +60,7 @@ my $blue			= '';
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN			= "FORWARDFW";
 my $conexists		= 'off';
-my $command			= 'iptables -A';
+my $command			= 'iptables --wait -A';
 my $dnat			='';
 my $snat			='';
 
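
Review bot: `my $command = 'iptables --wait -A';` is one of many places in this file where the flag is spelled out inside a string literal, and the later hunks add it again to each `system` and `print` call. A single variable such as `my $IPTABLES = 'iptables --wait';` interpolated at every call site would keep the invocation in one place and make a missed call site impossible the next time it changes.
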
@@ -111,7 +111,7 @@ if($param eq 'flush'){
 			system ("/usr/sbin/firewall-policy");
 		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
 			&p2pblock;
-			system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
+			system ("iptables --wait -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
 			system ("/usr/sbin/firewall-policy");
 			system ("/etc/sysconfig/firewall.local reload");
 		}
@@ -119,11 +119,11 @@ if($param eq 'flush'){
 }
 sub flush
 {
-	system ("iptables -F FORWARDFW");
-	system ("iptables -F INPUTFW");
-	system ("iptables -F OUTGOINGFW");
-	system ("iptables -t nat -F NAT_DESTINATION");
-	system ("iptables -t nat -F NAT_SOURCE");
+	system ("iptables --wait -F FORWARDFW");
+	system ("iptables --wait -F INPUTFW");
+	system ("iptables --wait -F OUTGOINGFW");
+	system ("iptables --wait -t nat -F NAT_DESTINATION");
+	system ("iptables --wait -t nat -F NAT_SOURCE");
 }
 sub preparerules
 {
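
Review bot: the five `system ("iptables --wait -F ...")` calls in `sub flush` ignore the return value. If one flush fails, the rules built afterwards are appended to a chain that still holds the old entries; check `$?` after each call and log or abort on failure.
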
@@ -150,9 +150,9 @@ sub buildrules
 	my $icmptype;
 	foreach my $key (sort {$a <=> $b} keys %$hash){
 		next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
-		$command="iptables -A";
+		$command="iptables --wait -A";
 		if ($$hash{$key}[28] eq 'ON'){
-			$command='iptables -t nat -A';
+			$command='iptables --wait -t nat -A';
 			$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
 			if($$hash{$key}[31] eq 'dnat'){
 				$nat='DNAT';
@@ -303,7 +303,7 @@ sub buildrules
 												}
 											}
 										}
-										print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+										print "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 										next;
 									#PROCESS SNAT RULE
 									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
@@ -318,14 +318,14 @@ sub buildrules
 										if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 											print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 										}
-										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+										print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 									}
 									#PROCESS Prot ICMP and type = All ICMP-Types
 									if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
 										if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 											print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 										}
-										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+										print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 									}
 								}
 							}
@@ -387,7 +387,7 @@ sub buildrules
 												}
 											}
 										}
-										system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+										system "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 										next;
 									#PROCESS SNAT RULE
 									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
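
Review bot: `system "iptables --wait -A FORWARDFW $PROT -i $con ... -d $ip ..."` passes one interpolated string to `system`, so Perl hands it to the shell and any metacharacter in a configured value is interpreted there. Since the line is being touched anyway, consider the list form of `system` (one argument per element) or validating `$con`, `$ip` and the hash fields before use. The trailing `\n` inside the command string can go as well.
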
@@ -402,14 +402,14 @@ sub buildrules
 										if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 											system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 										}
-										system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+										system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 									}
 									#PROCESS Prot ICMP and type = All ICMP-Types
 									if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
 										if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 											system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 										}
-										system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+										system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 									}
 								}
 							}
@@ -504,11 +504,11 @@ sub p2pblock
 	}
 	if ($MODE eq 1){
 		if($P2PSTRING){
-			print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
+			print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
 		}
 	}else{
 		if($P2PSTRING){
-			system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
+			system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
 		}
 	}
 }
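
Review bot: `p2pblock` calls `/sbin/iptables --wait` by absolute path, while the other calls changed in this file use bare `iptables` and so depend on the caller's PATH. Pick one form for the whole file, preferably the absolute path since these commands run with root privileges.
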
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 0933ca8..ba32ec8 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -224,6 +224,7 @@ etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
+etc/rc.d/rcsysinit.d/S85firewall
 etc/rc.d/rcsysinit.d/S90sysctl
 etc/rc.d/rcsysinit.d/S91network-vlans
 etc/rc.d/rcsysinit.d/S92rngd
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 727cc7a..c95f496 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -231,6 +231,7 @@ etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
+etc/rc.d/rcsysinit.d/S85firewall
 etc/rc.d/rcsysinit.d/S90sysctl
 etc/rc.d/rcsysinit.d/S91network-vlans
 etc/rc.d/rcsysinit.d/S92rngd
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 2376b0e..11b6336 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -598,7 +598,6 @@ WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: addons
-WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: bytes
 WARNING: untranslated string: community rules
 WARNING: untranslated string: dead peer detection
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 5e3eef1..017a2c4 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -631,7 +631,6 @@ WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
-WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: bytes
 WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: route config changed
diff --git a/doc/language_missings b/doc/language_missings
index 02de34a..677ae1d 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -13,6 +13,7 @@
 # Checking cgi-bin translations for language: fr                           #
 ############################################################################
 < addon
+< advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
 < advproxy errmsg proxy ports equal
@@ -452,6 +453,7 @@
 # Checking cgi-bin translations for language: es                           #
 ############################################################################
 < addon
+< advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
 < advproxy errmsg proxy ports equal
@@ -884,6 +886,7 @@
 # Checking cgi-bin translations for language: pl                           #
 ############################################################################
 < addon
+< advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
 < advproxy errmsg proxy ports equal
@@ -1292,6 +1295,7 @@
 ############################################################################
 < Add a route
 < addon
+< advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
 < advproxy errmsg proxy ports equal
diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
index cd29d5d..156ef24 100644
--- a/html/cgi-bin/netexternal.cgi
+++ b/html/cgi-bin/netexternal.cgi
@@ -83,8 +83,8 @@ if ( $querry[0] ne~ ""){
 
 			&General::readhash("${General::swroot}/dhcpc/dhcpcd-$netsettings{'RED_DEV'}.info", \%dhcpinfo);
 
-			my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d ,`;
-			my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d ,`;
+			my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d " "`;
+			my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d " "`;
 
 			my $lsetme=0;
 			my $leasetime="";
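
Review bot: with a single name server in `domain_name_servers`, `cut -f 2 -d " "` finds no delimiter and prints the whole line, so `$DNS2` repeats `$DNS1`. Both lines also interpolate the value read from the dhcpcd info file unquoted into a backtick shell command and keep the trailing newline. Splitting in Perl avoids all three: `my ($DNS1, $DNS2) = split(/ /, $dhcpinfo{'domain_name_servers'});`.
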
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index e32ee94..10ffed3 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -188,6 +188,7 @@
 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)',
 'advproxy cache management' => 'Cacheverwaltung',
 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie',
+'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren',
 'advproxy chgwebpwd ERROR' => 'F E H L E R :',
 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :',
 'advproxy chgwebpwd change password' => 'Passwort ändern',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index d3c8774..653edc4 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -188,6 +188,7 @@
 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
 'advproxy cache management' => 'Cache management',
 'advproxy cache replacement policy' => 'Cache replacement policy',
+'advproxy cache-digest' => 'Enable Cache-Digest Generation',
 'advproxy chgwebpwd ERROR' => 'E R R O R :',
 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :',
 'advproxy chgwebpwd change password' => 'Change password',
diff --git a/lfs/initscripts b/lfs/initscripts
index 6968ede..0b5d8f4 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -171,6 +171,7 @@ $(TARGET) :
 	ln -sf ../init.d/console     /etc/rc.d/rcsysinit.d/S70console
 	ln -sf ../init.d/firstsetup  /etc/rc.d/rcsysinit.d/S75firstsetup
 	ln -sf ../init.d/localnet    /etc/rc.d/rcsysinit.d/S80localnet
+	ln -sf ../init.d/firewall    /etc/rc.d/rcsysinit.d/S85firewall
 	ln -sf ../init.d/sysctl      /etc/rc.d/rcsysinit.d/S90sysctl
 	ln -sf ../init.d/network-vlans /etc/rc.d/rcsysinit.d/S91network-vlans
 	ln -sf ../init.d/rngd        /etc/rc.d/rcsysinit.d/S92rngd
diff --git a/lfs/tor b/lfs/tor
index 9669ea7..7956736 100644
--- a/lfs/tor
+++ b/lfs/tor
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = tor
-PAK_VER    = 5
+PAK_VER    = 6
 
 DEPS       = "libevent2"
 
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index be0c8b0..1d4146d 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -9,206 +9,205 @@ if [ -f /var/ipfire/red/device ]; then
 	DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
 fi
 
+function iptables() {
+	/sbin/iptables --wait "$@"
+}
+
 iptables_init() {
 	# Flush all rules and delete all custom chains
-	/sbin/iptables -F
-	/sbin/iptables -t nat -F
-	/sbin/iptables -t mangle -F
-	/sbin/iptables -X
-	/sbin/iptables -t nat -X
-	/sbin/iptables -t mangle -X
+	iptables -F
+	iptables -t nat -F
+	iptables -t mangle -F
+	iptables -X
+	iptables -t nat -X
+	iptables -t mangle -X
 
 	# Set up policies
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P FORWARD DROP
-	/sbin/iptables -P OUTPUT ACCEPT
+	iptables -P INPUT DROP
+	iptables -P FORWARD DROP
+	iptables -P OUTPUT ACCEPT
 
 	# Empty LOG_DROP and LOG_REJECT chains
-	/sbin/iptables -N LOG_DROP
-	/sbin/iptables -A LOG_DROP   -m limit --limit 10/minute -j LOG
-	/sbin/iptables -A LOG_DROP   -j DROP
-	/sbin/iptables -N LOG_REJECT
-	/sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
-	/sbin/iptables -A LOG_REJECT -j REJECT
+	iptables -N LOG_DROP
+	iptables -A LOG_DROP   -m limit --limit 10/minute -j LOG
+	iptables -A LOG_DROP   -j DROP
+	iptables -N LOG_REJECT
+	iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
+	iptables -A LOG_REJECT -j REJECT
 
 	# This chain will log, then DROPs packets with certain bad combinations
 	# of flags might indicate a port-scan attempt (xmas, null, etc)
-	/sbin/iptables -N PSCAN
+	iptables -N PSCAN
 	if [ "$DROPPORTSCAN" == "on" ]; then
-		/sbin/iptables -A PSCAN -p tcp  -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
-		/sbin/iptables -A PSCAN -p udp  -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
-		/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
-		/sbin/iptables -A PSCAN -f      -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
+		iptables -A PSCAN -p tcp  -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
+		iptables -A PSCAN -p udp  -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
+		iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
+		iptables -A PSCAN -f      -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
 	fi
-	/sbin/iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
+	iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
 
 	# New tcp packets without SYN set - could well be an obscure type of port scan
 	# that's not covered above, may just be a broken windows machine
-	/sbin/iptables -N NEWNOTSYN
+	iptables -N NEWNOTSYN
 	if [ "$DROPNEWNOTSYN" == "on" ]; then
-		/sbin/iptables -A NEWNOTSYN  -m limit --limit 10/minute -j LOG  --log-prefix "DROP_NEWNOTSYN "
+		iptables -A NEWNOTSYN  -m limit --limit 10/minute -j LOG  --log-prefix "DROP_NEWNOTSYN "
 	fi
-	/sbin/iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
+	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
 
 	# Chain to contain all the rules relating to bad TCP flags
-	/sbin/iptables -N BADTCP
+	iptables -N BADTCP
 
-	#Don't check loopback
-	/sbin/iptables -A BADTCP -i lo -j RETURN
+	# Don't check loopback
+	iptables -A BADTCP -i lo -j RETURN
 
 	# Disallow packets frequently used by port-scanners
 	# nmap xmas
-	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH  -j PSCAN
+	iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH  -j PSCAN
 	# Null
-	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
+	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
 	# FIN
-	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
+	iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
 	# SYN/RST (also catches xmas variants that set SYN+RST+...)
-	/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
+	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
 	# SYN/FIN (QueSO or nmap OS probe)
-	/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
 	# NEW TCP without SYN
-	/sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+	iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
 
-	/sbin/iptables -A INPUT   -p tcp -j BADTCP
-	/sbin/iptables -A FORWARD -p tcp -j BADTCP
+	iptables -A INPUT   -p tcp -j BADTCP
+	iptables -A FORWARD -p tcp -j BADTCP
 
 	# Connection tracking chain
-	/sbin/iptables -N CONNTRACK
-	/sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+	iptables -N CONNTRACK
+	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
 	# Fix for braindead ISP's
-	/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 	# CUSTOM chains, can be used by the users themselves
-	/sbin/iptables -N CUSTOMINPUT
-	/sbin/iptables -A INPUT -j CUSTOMINPUT
-	/sbin/iptables -N CUSTOMFORWARD
-	/sbin/iptables -A FORWARD -j CUSTOMFORWARD
-	/sbin/iptables -N CUSTOMOUTPUT
-	/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
-	/sbin/iptables -t nat -N CUSTOMPREROUTING
-	/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
-	/sbin/iptables -t nat -N CUSTOMPOSTROUTING
-	/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+	iptables -N CUSTOMINPUT
+	iptables -A INPUT -j CUSTOMINPUT
+	iptables -N CUSTOMFORWARD
+	iptables -A FORWARD -j CUSTOMFORWARD
+	iptables -N CUSTOMOUTPUT
+	iptables -A OUTPUT -j CUSTOMOUTPUT
+	iptables -t nat -N CUSTOMPREROUTING
+	iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+	iptables -t nat -N CUSTOMPOSTROUTING
+	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
 	# Guardian (IPS) chains
-	/sbin/iptables -N GUARDIAN
-	/sbin/iptables -A INPUT -j GUARDIAN
-	/sbin/iptables -A FORWARD -j GUARDIAN
+	iptables -N GUARDIAN
+	iptables -A INPUT -j GUARDIAN
+	iptables -A FORWARD -j GUARDIAN
 
 	# Block OpenVPN transfer networks
-	/sbin/iptables -N OVPNBLOCK
+	iptables -N OVPNBLOCK
 	for i in INPUT FORWARD; do
-		/sbin/iptables -A ${i} -j OVPNBLOCK
+		iptables -A ${i} -j OVPNBLOCK
 	done
 
 	# OpenVPN transfer network translation
-	/sbin/iptables -t nat -N OVPNNAT
-	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+	iptables -t nat -N OVPNNAT
+	iptables -t nat -A POSTROUTING -j OVPNNAT
 
 	# IPTV chains for IGMPPROXY
-	/sbin/iptables -N IPTVINPUT
-	/sbin/iptables -A INPUT -j IPTVINPUT
-	/sbin/iptables -N IPTVFORWARD
-	/sbin/iptables -A FORWARD -j IPTVFORWARD
+	iptables -N IPTVINPUT
+	iptables -A INPUT -j IPTVINPUT
+	iptables -N IPTVFORWARD
+	iptables -A FORWARD -j IPTVFORWARD
 
 	# filtering from GUI
-	/sbin/iptables -N GUIINPUT
-	/sbin/iptables -A INPUT -j GUIINPUT
-	/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+	iptables -N GUIINPUT
+	iptables -A INPUT -j GUIINPUT
+	iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
 
 	# Accept everything on loopback
-	/sbin/iptables -N LOOPBACK
-	/sbin/iptables -A LOOPBACK -i lo -j ACCEPT
-	/sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+	iptables -N LOOPBACK
+	iptables -A LOOPBACK -i lo -j ACCEPT
+	iptables -A LOOPBACK -o lo -j ACCEPT
 
 	# Filter all packets with loopback addresses on non-loopback interfaces.
-	/sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
-	/sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
+	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
+	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
 
 	for i in INPUT FORWARD OUTPUT; do
-		/sbin/iptables -A ${i} -j LOOPBACK
+		iptables -A ${i} -j LOOPBACK
 	done
 
 	# Accept everything connected
 	for i in INPUT FORWARD OUTPUT; do
-		/sbin/iptables -A ${i} -j CONNTRACK
+		iptables -A ${i} -j CONNTRACK
 	done
 
 	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
-	/sbin/iptables -N IPSECINPUT
-	/sbin/iptables -N IPSECFORWARD
-	/sbin/iptables -N IPSECOUTPUT
-	/sbin/iptables -A INPUT -j IPSECINPUT
-	/sbin/iptables -A FORWARD -j IPSECFORWARD
-	/sbin/iptables -A OUTPUT -j IPSECOUTPUT
-	/sbin/iptables -t nat -N IPSECNAT
-	/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+	iptables -N IPSECINPUT
+	iptables -N IPSECFORWARD
+	iptables -N IPSECOUTPUT
+	iptables -A INPUT -j IPSECINPUT
+	iptables -A FORWARD -j IPSECFORWARD
+	iptables -A OUTPUT -j IPSECOUTPUT
+	iptables -t nat -N IPSECNAT
+	iptables -t nat -A POSTROUTING -j IPSECNAT
 
 	# localhost and ethernet.
-	/sbin/iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+	iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
 	
 	# allow DHCP on BLUE to be turned on/off
-	/sbin/iptables -N DHCPBLUEINPUT 
-	/sbin/iptables -A INPUT -j DHCPBLUEINPUT
+	iptables -N DHCPBLUEINPUT 
+	iptables -A INPUT -j DHCPBLUEINPUT
 	
 	# WIRELESS chains
-	/sbin/iptables -N WIRELESSINPUT
-	/sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-	/sbin/iptables -N WIRELESSFORWARD
-	/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+	iptables -N WIRELESSINPUT
+	iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
+	iptables -N WIRELESSFORWARD
+	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
 
 	# OpenVPN
-	/sbin/iptables -N OVPNINPUT
-	/sbin/iptables -A INPUT -j OVPNINPUT
+	iptables -N OVPNINPUT
+	iptables -A INPUT -j OVPNINPUT
 
 	# TOR
-	/sbin/iptables -N TOR_INPUT
-	/sbin/iptables -A INPUT -j TOR_INPUT
+	iptables -N TOR_INPUT
+	iptables -A INPUT -j TOR_INPUT
 	
 	# Jump into the actual firewall ruleset.
-	/sbin/iptables -N INPUTFW
-	/sbin/iptables -A INPUT -j INPUTFW
+	iptables -N INPUTFW
+	iptables -A INPUT -j INPUTFW
 
-	/sbin/iptables -N OUTGOINGFW
-	/sbin/iptables -A OUTPUT -j OUTGOINGFW
+	iptables -N OUTGOINGFW
+	iptables -A OUTPUT -j OUTGOINGFW
 
-	/sbin/iptables -N FORWARDFW
-	/sbin/iptables -A FORWARD -j FORWARDFW
+	iptables -N FORWARDFW
+	iptables -A FORWARD -j FORWARDFW
 
 	# SNAT rules
-	/sbin/iptables -t nat -N NAT_SOURCE
-	/sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
+	iptables -t nat -N NAT_SOURCE
+	iptables -t nat -A POSTROUTING -j NAT_SOURCE
 
 	# RED chain, used for the red interface
-	/sbin/iptables -N REDINPUT
-	/sbin/iptables -A INPUT -j REDINPUT
-	/sbin/iptables -N REDFORWARD
-	/sbin/iptables -A FORWARD -j REDFORWARD
-	/sbin/iptables -t nat -N REDNAT
-	/sbin/iptables -t nat -A POSTROUTING -j REDNAT
+	iptables -N REDINPUT
+	iptables -A INPUT -j REDINPUT
+	iptables -N REDFORWARD
+	iptables -A FORWARD -j REDFORWARD
+	iptables -t nat -N REDNAT
+	iptables -t nat -A POSTROUTING -j REDNAT
 
 	iptables_red
 
 	# Custom prerouting chains (for transparent proxy)
-	/sbin/iptables -t nat -N SQUID
-	/sbin/iptables -t nat -A PREROUTING -j SQUID
+	iptables -t nat -N SQUID
+	iptables -t nat -A PREROUTING -j SQUID
 
 	# DNAT rules
-	/sbin/iptables -t nat -N NAT_DESTINATION
-	/sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
+	iptables -t nat -N NAT_DESTINATION
+	iptables -t nat -A PREROUTING -j NAT_DESTINATION
 
 	# upnp chain for our upnp daemon
-	/sbin/iptables -t nat -N UPNPFW
-	/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-	/sbin/iptables -N UPNPFW
-	/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
-
-	# run local firewall configuration, if present
- 	if [ -x /etc/sysconfig/firewall.local ]; then
-		/etc/sysconfig/firewall.local start
-	fi
+	iptables -t nat -N UPNPFW
+	iptables -t nat -A PREROUTING -j UPNPFW
+	iptables -N UPNPFW
+	iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
 
 	# Apply OpenVPN firewall rules
 	/usr/local/bin/openvpnctrl --firewall-rules
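Review bot: Removing the firewall.local call from the end of iptables_init() (the deleted `if [ -x /etc/sysconfig/firewall.local ]` block after the UPNPFW rules) changes when the local script runs relative to the rest of the ruleset. It used to run before openvpnctrl, the POLICY chains and the final `-A INPUT -j DROP` / `-A FORWARD -j DROP`; the start case now runs it only after iptables_init has returned. A firewall.local that appends directly to INPUT or FORWARD will now land behind the terminal DROP and never match, so either keep the call at its old position or state in the commit message that local rules must go into their own chains or use -I. Separately, every call in this hunk goes from /sbin/iptables to a bare iptables, which makes the script depend on PATH at boot unless a wrapper is defined in lines not shown here; a single variable or function for the binary would make that explicit.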
@@ -216,13 +215,13 @@ iptables_init() {
 	# run wirelessctrl
 	/usr/local/bin/wirelessctrl
 
-	#POLICY CHAIN
-	/sbin/iptables -N POLICYIN
-	/sbin/iptables -A INPUT -j POLICYIN
-	/sbin/iptables -N POLICYFWD
-	/sbin/iptables -A FORWARD -j POLICYFWD
-	/sbin/iptables -N POLICYOUT
-	/sbin/iptables -A OUTPUT -j POLICYOUT
+	# POLICY CHAIN
+	iptables -N POLICYIN
+	iptables -A INPUT -j POLICYIN
+	iptables -N POLICYFWD
+	iptables -A FORWARD -j POLICYFWD
+	iptables -N POLICYOUT
+	iptables -A OUTPUT -j POLICYOUT
 
 	/usr/sbin/firewall-policy
 
@@ -230,37 +229,37 @@ iptables_init() {
 	/usr/local/bin/firewallctrl
 
 	if [ "$DROPINPUT" == "on" ]; then
-		/sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+		iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 	fi
-	/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+	iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
 	if [ "$DROPFORWARD" == "on" ]; then
-		/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+		iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
 	fi
-	/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+	iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
 }
 
 iptables_red() {
-	/sbin/iptables -F REDINPUT
-	/sbin/iptables -F REDFORWARD
-	/sbin/iptables -t nat -F REDNAT
+	iptables -F REDINPUT
+	iptables -F REDFORWARD
+	iptables -t nat -F REDNAT
 
 	# PPPoE / PPTP Device
 	if [ "$IFACE" != "" ]; then
 		# PPPoE / PPTP
 		if [ "$DEVICE" != "" ]; then
-			/sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
+			iptables -A REDINPUT -i $DEVICE -j ACCEPT
 		fi
 		if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
 			if [ "$RED_DEV" != "" ]; then
-				/sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT
+				iptables -A REDINPUT -i $RED_DEV -j ACCEPT
 			fi
 		fi
 	fi
 
 	# PPTP over DHCP
 	if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
-		/sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
-		/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
+		iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
+		iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
 	fi
 
 	# Orange pinholes
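Review bot: The PPTP-over-DHCP block in iptables_red() still carries `-p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT` next to the udp rule. DHCP runs over UDP only, so the tcp rule serves no DHCP purpose and accepts TCP to port 68 from any host on that interface that chooses source port 67; since these lines are being rewritten anyway, drop the tcp variant. Please also quote the interface variables (`-i "$DEVICE"`, `-i "$RED_DEV"`), and note that the `--log-prefix "DROP_INPUT"` and `"DROP_FORWARD"` strings have no trailing space, so the prefix runs straight into the first field of the log line.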
@@ -268,24 +267,24 @@ iptables_red() {
 		# This rule enables a host on ORANGE network to connect to the outside
 		# (only if we have a red connection)
 		if [ "$IFACE" != "" ]; then
-			/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
+			iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
 		fi
 	fi
 
 	if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
 		# DHCP
 		if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
-			/sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
-			/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+			iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+			iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
 		fi
 		if [ "$METHOD" == "DHCP"  -a "$PROTOCOL" == "RFC1483" ]; then
-			/sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
-			/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+			iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+			iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
 		fi
 
 		# Outgoing masquerading (don't masqerade IPSEC (mark 50))
-		/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
-		/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+		iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+		iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
 
 	fi
 }
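Review bot: The two DHCP conditions in this hunk (`"$RED_DEV" != "" -a "$RED_TYPE" == "DHCP"` and `"$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483"`) append the identical pair of REDINPUT rules on $IFACE, so a configuration that satisfies both gets the rules twice. Fold them into one test, or set a flag and add the rules once. The tcp 67 to 68 accept is repeated here and is not needed for DHCP. `$ORANGE_DEV` and `$IFACE` are used unquoted in the REDFORWARD and REDNAT rules; quoting them keeps an empty value from turning into a malformed iptables command line.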
@@ -293,10 +292,38 @@ iptables_red() {
 # See how we were called.
 case "$1" in
   start)
+	boot_mesg "Loading firewall modules into the kernel"
+	modprobe iptable_nat || failed=1
+	for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
+		modprobe $(basename $i | cut -d. -f1) || failed=1
+	done
+	for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
+		modprobe $(basename $i | cut -d. -f1) || failed=1
+	done
+	(exit ${failed})
+	evaluate_retval
+
+	if [ -e /var/ipfire/main/disable_nf_sip ]; then
+		rmmod nf_nat_sip
+		rmmod nf_conntrack_sip
+		rmmod nf_nat_h323
+		rmmod nf_conntrack_h323
+	fi
+
+	boot_mesg "Setting up firewall"
 	iptables_init
+	evaluate_retval
+
+	# run local firewall configuration, if present
+	if [ -x /etc/sysconfig/firewall.local ]; then
+		/etc/sysconfig/firewall.local start
+	fi
 	;;
   reload)
+	boot_mesg "Reloading firewall"
 	iptables_red
+	evaluate_retval
+
 	# run local firewall configuration, if present
 	if [ -x /etc/sysconfig/firewall.local ]; then
 		/etc/sysconfig/firewall.local reload
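Review bot: In the new start block `failed` is never initialised before the `modprobe ... || failed=1` lines, so `(exit ${failed})` expands to a bare `exit` on the success path and also picks up any `failed` value inherited from the environment; set `failed=0` first. The find patterns `-name nf_conntrack*` and `-name nf_nat*` are unquoted and will be expanded by the shell if a matching file exists in the working directory, so quote them. `iptables_init` followed by `evaluate_retval` only reports the status of the last command in the function (the final FORWARD DROP append), so a rule that failed earlier still shows as success. The rmmod calls for the SIP and H.323 helpers are unchecked as well: if one fails because the module is in use, the helper stays loaded even though disable_nf_sip is set, and nothing is reported.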
diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network
index 02df4bc..5aecd15 100644
--- a/src/initscripts/init.d/network
+++ b/src/initscripts/init.d/network
@@ -17,42 +17,6 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
 init_networking() {
-	boot_mesg "Loading firewall modules into the kernel"
-	modprobe iptable_nat || failed=1
-	for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
-		modprobe $(basename $i | cut -d. -f1) || failed=1
-	done
-	for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
-		modprobe $(basename $i | cut -d. -f1) || failed=1
-	done
-	(exit ${failed})
-	evaluate_retval
-
-	# Enable netfilter accounting
-	sysctl net.netfilter.nf_conntrack_acct=1 > /dev/null
-
-	if [ -e /var/ipfire/main/disable_nf_sip ]; then
-		rmmod nf_nat_sip
-		rmmod nf_conntrack_sip
-		rmmod nf_nat_h323
-		rmmod nf_conntrack_h323
-	fi
-
-	boot_mesg "Setting up firewall"
-	/etc/rc.d/init.d/firewall start; evaluate_retval
-
-#	boot_mesg "Setting up traffic accounting"
-#	/etc/rc.d/helper/writeipac.pl || failed=1
-#	/usr/sbin/fetchipac -S || failed=1
-#	(exit ${failed})
-#	evaluate_retval
-
-	
-	if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
-		boot_mesg "Setting up wireless firewall rules"
-		/usr/local/bin/wirelessctrl; evaluate_retval
-	fi
-
 	/etc/rc.d/init.d/dnsmasq start
 	/etc/rc.d/init.d/static-routes start
 }
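Review bot: The removed block includes `sysctl net.netfilter.nf_conntrack_acct=1`, and the start case added to the firewall script in this patch does not carry it over, so nothing visible here enables conntrack accounting any more; confirm it is set elsewhere or move it along with the module loading. init_networking() also no longer calls `/etc/rc.d/init.d/firewall start`, so the ruleset is only in place if the firewall script is started on its own before the interfaces come up, and the commit should say where that ordering is guaranteed. The wirelessctrl call that was limited to CONFIG_TYPE 3 and 4 is dropped too, while iptables_init runs wirelessctrl unconditionally; worth a line in the commit message that this is intended.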
diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh
new file mode 100644
index 0000000..31c5fec
--- /dev/null
+++ b/src/paks/tor/install.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+extract_files
+restore_backup ${NAME}
+start_service --background ${NAME}
diff --git a/src/paks/tor/uninstall.sh b/src/paks/tor/uninstall.sh
new file mode 100644
index 0000000..a7b8a53
--- /dev/null
+++ b/src/paks/tor/uninstall.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+stop_service ${NAME}
+make_backup ${NAME}
+remove_files
diff --git a/src/paks/tor/update.sh b/src/paks/tor/update.sh
new file mode 100644
index 0000000..675e7f5
--- /dev/null
+++ b/src/paks/tor/update.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+
+# Create backup include file if it is missing.
+if [ ! -e "/var/ipfire/backup/addons/includes/tor" ]; then
+        cat <<EOF > /var/ipfire/backup/addons/includes/tor
+/etc/tor
+/var/ipfire/tor
+/var/lib/tor/fingerprint
+/var/lib/tor/keys
+EOF
+fi
+
+./uninstall.sh
+./install.sh
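Review bot: update.sh calls `./uninstall.sh` and `./install.sh` by relative path and ignores their exit status, so it only works when the caller's working directory is the package directory, and install.sh runs even if uninstall.sh failed partway (for example after stop_service but before make_backup finished). Resolve both scripts relative to the script's own location and stop on the first failure. The heredoc that writes /var/ipfire/backup/addons/includes/tor assumes the includes directory already exists and its result is not checked; if make_backup relies on that list to preserve /var/lib/tor/keys across the uninstall, a failed write should abort the update rather than continue into remove_files.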


hooks/post-receive
--
IPFire 2.x development tree
