public inbox for ipfire-scm@lists.ipfire.org
From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. b8c898b4824624b802ffda8b92c7009ea5a9db46
Date: Wed, 07 Feb 2024 11:10:22 +0000
Message-ID: <4TVHTW11xkz2xlt@people01.haj.ipfire.org>


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  b8c898b4824624b802ffda8b92c7009ea5a9db46 (commit)
       via  9f01011570be542e394503cb8a4c5184eb9be8d1 (commit)
       via  aa07e1bb3eba3606a0b8e647180e0926a411016b (commit)
       via  182743310ce47d9a78d5fd6d32c510bcbb163762 (commit)
       via  08c20b8457ec8c8fe24dda561b8d28a6f6b584a3 (commit)
       via  3dfc7489461d52321bf6cb6a342b15416fd362bb (commit)
       via  7c9a6cf1631cd68970762cbb61056618f6de4c2e (commit)
       via  b4f6962c4dd5ddd18a376e4acec6a861cf870fa1 (commit)
       via  216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2 (commit)
       via  d2b423b1dc866dccf70dba93d779da36871c1b84 (commit)
       via  6aa450ec3b4ab8a9a9ed37c710321c19b4db104d (commit)
       via  37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5 (commit)
       via  f23555a1c6acb12fbb626a27c2189dee4cb45c0c (commit)
       via  89645d1bbfbb26bdf0351fe01b69978f73fc0074 (commit)
       via  7d0f48668b681b4b788f8adffd5a6d0ad56d02a5 (commit)
       via  fb7d13725fc3d16eeddad73e5cfa86a15bc58408 (commit)
       via  0e16c27908960fd911efe8193489a16eb970455f (commit)
       via  4b1254520ab884792aa41a342a7e2e31320519db (commit)
       via  c09d2324479fa2fceec9eb5166b5e8e7af45fb0a (commit)
       via  30dc4c0248a65b70baf89cb46cc5b18993788501 (commit)
       via  816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe (commit)
      from  437bfd678013cf2b56b673b67a3eb6d68a0831cd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b8c898b4824624b802ffda8b92c7009ea5a9db46
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Feb 7 11:09:50 2024 +0000

    core184: Ship vpnmain.cgi
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 9f01011570be542e394503cb8a4c5184eb9be8d1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 30 17:45:44 2024 +0000

    vpnmain.cgi: Add option to regenerate the host certificate
    
    This is necessary since we now have a much shorter lifetime for the host
    certificate. However, it is complicated to do this, which is why we
    are copying the previous certificate and generate a new CSR. This is
    then signed.
    
    A caveat of this patch is that we do not rollover the key.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit aa07e1bb3eba3606a0b8e647180e0926a411016b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 30 17:45:43 2024 +0000

    vpnmain.cgi: Return the entire error message if OpenSSL fails
    
    The function did not evaluate the return code which is why it used a
    hack to figure out if some output is an error or not.
    
    This is being fixed in this commit and the entire output is being
    returned if the return code is non-zero.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 182743310ce47d9a78d5fd6d32c510bcbb163762
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 30 17:45:42 2024 +0000

    vpnmain.cgi: Do not use a bad source for randomness
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 08c20b8457ec8c8fe24dda561b8d28a6f6b584a3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Feb 7 11:05:08 2024 +0000

    core184: Ship HOSTILE IN/OUT changes
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 3dfc7489461d52321bf6cb6a342b15416fd362bb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Feb 6 18:17:26 2024 +0000

    firewall: Improve labelling of hostile networks hits
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 7c9a6cf1631cd68970762cbb61056618f6de4c2e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Feb 6 18:11:48 2024 +0000

    firewall: graphs: Add a line for the total number of hostile hits
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit b4f6962c4dd5ddd18a376e4acec6a861cf870fa1
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:53 2024 +0100

    optionsfw.cgi: Move Firewall Options Drop commands to before the logging section
    
    - Moved the Firewall Options Drop commands to before the logging section, as discussed
       at January 2024 Video Call.
    
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:52 2024 +0100

    graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries
    
    - This v3 version of the patch set splits the single hostile networks graph entry into
       incoming hostile networks and outgoing hostile networks entries.
    
    Fixes: bug12981
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit d2b423b1dc866dccf70dba93d779da36871c1b84
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:51 2024 +0100

    collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection
    
    - In this v3 version of the patch set the splitting of drop hostile logging into incoming
       and outgoing logging means that the data collection and graphs need to have drop hostile
       also split into incoming and outgoing.
    
    Fixes: bug12981
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 6aa450ec3b4ab8a9a9ed37c710321c19b4db104d
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:50 2024 +0100

    en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
    
    - In this v3 version have added translations for hostile networks in and hostile
       networks out and log drop hostile in and log drop hostile out.
    
    Fixes: bug12981
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:49 2024 +0100

    firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
    
    - This v3 version now has two if loops allowing logging of incoming drop hostile or
       outgoing drop hostile or both or neither.
    - Dependent on the choice in optionsfw.cgi this loop will either log or not log the
       dropped hostile traffic.
    
    Fixes: bug12981
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit f23555a1c6acb12fbb626a27c2189dee4cb45c0c
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:48 2024 +0100

    rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
    
    - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and
       HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
       independently.
    
    Fixes: bug12981
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
    Acked-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 89645d1bbfbb26bdf0351fe01b69978f73fc0074
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jan 21 12:45:47 2024 +0100

    optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
    
    - This v3 version has split the logging choice for drop hostile to separate the logging of
       incoming drop hostile and outgoing drop hostile.
    - The bug originator had no port forwards so all hostile would be dropped normally anyway.
       However the logs were being swamped by the logging of drop hostile making analysis
       difficult. So incoming drop hostile was desired to not be logged. However logging of
       outgoing drop hostile was desired to identify if clients on the internal lan were
       infected with malware trying to reach home.
    - Added option with drop hostile section to decide if the dropped traffic should be
       logged or not.
    
    Fixes: bug12981
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
    Tested-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 7d0f48668b681b4b788f8adffd5a6d0ad56d02a5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Feb 7 11:01:25 2024 +0000

    elfutils: Don't ship tools
    
    I don't think there is any point that we ship these.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit fb7d13725fc3d16eeddad73e5cfa86a15bc58408
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Feb 7 10:58:21 2024 +0000

    core184: Remove elfutils pakfire metadata (if installed)
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0e16c27908960fd911efe8193489a16eb970455f
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Feb 6 22:27:39 2024 +0100

    strace: elfutils moved from addon dependency to core program
    
    Fixes: Bug#13516
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 4b1254520ab884792aa41a342a7e2e31320519db
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Feb 6 22:27:38 2024 +0100

    qemu: elfutils moved from addon dependency to core program
    
    Fixes: Bug#13516
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit c09d2324479fa2fceec9eb5166b5e8e7af45fb0a
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Feb 6 22:27:37 2024 +0100

    ltrace: elfutils moved from addon dependency to core program
    
    Fixes: Bug#13516
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 30dc4c0248a65b70baf89cb46cc5b18993788501
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Feb 6 22:27:36 2024 +0100

    frr: elfutils moved from addon dependency to core program
    
    Fixes: Bug#13516
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Feb 6 22:27:35 2024 +0100

    elfutils: Move from addon to core program. Required by suricata-7.0.2 for execution
    
    - Updated lfs file to core program type
    - Moved rootfile from packages to common
    - Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
       start if elfutils is not present due to libelf.so.1 being missing.
    - The requirement for elfutils is not mentioned at all in the changelog.
    
    Fixes: Bug#13516
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/graphs.pl                       | 23 ++++++++-
 config/collectd/collectd.conf                  |  3 +-
 config/firewall/rules.pl                       |  6 +--
 config/rootfiles/{packages => common}/elfutils | 36 +++++++-------
 config/rootfiles/core/184/filelists/files      |  5 ++
 config/rootfiles/core/184/update.sh            | 25 ++++++++++
 config/ssl/openssl.cnf                         |  1 +
 doc/language_issues.de                         |  7 +++
 doc/language_issues.en                         |  7 ++-
 doc/language_issues.es                         |  7 +++
 doc/language_issues.fr                         |  7 +++
 doc/language_issues.it                         |  7 ++-
 doc/language_issues.nl                         |  7 ++-
 doc/language_issues.pl                         |  7 ++-
 doc/language_issues.ru                         |  7 ++-
 doc/language_issues.tr                         |  7 ++-
 doc/language_missings                          | 53 ++++++++++++++++++--
 html/cgi-bin/optionsfw.cgi                     | 65 +++++++++++++++++-------
 html/cgi-bin/vpnmain.cgi                       | 69 +++++++++++++++++++++++---
 langs/en/cgi-bin/en.pl                         |  7 ++-
 lfs/elfutils                                   | 11 +---
 lfs/frr                                        |  4 +-
 lfs/ltrace                                     |  6 +--
 lfs/qemu                                       |  6 +--
 lfs/strace                                     |  6 +--
 src/initscripts/system/firewall                | 15 ++++--
 26 files changed, 317 insertions(+), 87 deletions(-)
 rename config/rootfiles/{packages => common}/elfutils (76%)

Difference in files:
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index 9803dd124..a23e49c98 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -693,7 +693,16 @@ sub updatefwhitsgraph {
 		"DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
 		"DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
 		"DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
-		"DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+		"DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+		"DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+		"DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+
+		# This creates a new combined hostile segment.
+		# Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
+		# from the old RRD database unless those are UNKNOWN (i.e. we started collected IN/OUT). If the values are unknown,
+		# we replace them with them sum of IN + OUT.
+		"CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
+
 		"COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
 		"COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
 		"COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
@@ -729,7 +738,17 @@ sub updatefwhitsgraph {
 		"GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
 		"GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
 		"GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
-		"STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}),
+		"STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
+		"GPRINT:hostilein:MAX:%8.1lf %sBps",
+		"GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
+		"GPRINT:hostilein:MIN:%8.1lf %sBps",
+		"GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
+		"STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
+		"GPRINT:hostileout:MAX:%8.1lf %sBps",
+		"GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
+		"GPRINT:hostileout:MIN:%8.1lf %sBps",
+		"GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
+		"LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
 		"GPRINT:hostile:MAX:%8.1lf %sBps",
 		"GPRINT:hostile:AVERAGE:%8.1lf %sBps",
 		"GPRINT:hostile:MIN:%8.1lf %sBps",
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 4ef34ea07..cc49f0ba7 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -51,7 +51,8 @@ include "/etc/collectd.precache"
 	Chain filter POLICYOUT DROP_OUTPUT
 	Chain filter POLICYIN DROP_INPUT
 	Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
-	Chain filter HOSTILE_DROP DROP_HOSTILE
+	Chain filter HOSTILE_DROP_IN DROP_HOSTILE
+	Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
 </Plugin>
 
 #<Plugin logfile>
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2..a47c260a1 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () {
 	&ipset_restore($HOSTILE_CCODE);
 
 	# Check traffic in incoming/outgoing direction and drop if it matches
-	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
-	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
+	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
+	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
 }
 
 sub ipblocklist () {
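
Review bot: The two rules in drop_hostile_networks now jump to HOSTILE_DROP_IN and HOSTILE_DROP_OUT, and iptables rejects a rule whose jump target chain does not exist, so both chains must be created before this sub runs. The chain setup lives in src/initscripts/system/firewall, which is changed in the same push but not visible in this hunk; please confirm the ordering there and that the initscript and rules.pl are always shipped together (the core 184 file list does include both). It would also help to extend the comment above the two run() calls to say that direction-specific chains exist so that logging can be switched per direction.
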
diff --git a/config/rootfiles/packages/elfutils b/config/rootfiles/common/elfutils
similarity index 76%
rename from config/rootfiles/packages/elfutils
rename to config/rootfiles/common/elfutils
index f7d56ad89..830638e2b 100644
--- a/config/rootfiles/packages/elfutils
+++ b/config/rootfiles/common/elfutils
@@ -1,21 +1,21 @@
-usr/bin/eu-addr2line
-usr/bin/eu-ar
-usr/bin/eu-elfclassify
-usr/bin/eu-elfcmp
-usr/bin/eu-elfcompress
-usr/bin/eu-elflint
-usr/bin/eu-findtextrel
-usr/bin/eu-make-debug-archive
-usr/bin/eu-nm
-usr/bin/eu-objdump
-usr/bin/eu-ranlib
-usr/bin/eu-readelf
-usr/bin/eu-size
-usr/bin/eu-srcfiles
-usr/bin/eu-stack
-usr/bin/eu-strings
-usr/bin/eu-strip
-usr/bin/eu-unstrip
+#usr/bin/eu-addr2line
+#usr/bin/eu-ar
+#usr/bin/eu-elfclassify
+#usr/bin/eu-elfcmp
+#usr/bin/eu-elfcompress
+#usr/bin/eu-elflint
+#usr/bin/eu-findtextrel
+#usr/bin/eu-make-debug-archive
+#usr/bin/eu-nm
+#usr/bin/eu-objdump
+#usr/bin/eu-ranlib
+#usr/bin/eu-readelf
+#usr/bin/eu-size
+#usr/bin/eu-srcfiles
+#usr/bin/eu-stack
+#usr/bin/eu-strings
+#usr/bin/eu-strip
+#usr/bin/eu-unstrip
 #usr/include/dwarf.h
 #usr/include/elfutils
 #usr/include/elfutils/elf-knowledge.h
diff --git a/config/rootfiles/core/184/filelists/files b/config/rootfiles/core/184/filelists/files
index 4f1c7ed98..dc8a1b28f 100644
--- a/config/rootfiles/core/184/filelists/files
+++ b/config/rootfiles/core/184/filelists/files
@@ -1 +1,6 @@
 etc/rc.d/init.d/collectd
+etc/rc.d/init.d/firewall
+srv/web/ipfire/cgi-bin/optionsfw.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+usr/lib/firewall/rules.pl
+var/ipfire/graphs.pl
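
Review bot: This list adds the firewall initscript, both CGIs, rules.pl and graphs.pl, but not config/collectd/collectd.conf or config/ssl/openssl.cnf, both of which are changed in this push. Without the new collectd.conf an upgraded system never creates the HOSTILE_DROP_IN and HOSTILE_DROP_OUT RRD files that graphs.pl now reads, and without the new openssl.cnf the copy_extensions setting is missing where the host certificate is regenerated. If those files reach existing installations by another route, a note in the commit message would make that clear; otherwise they need to be added here or patched in update.sh.
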
diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/update.sh
index a5e53a564..d744b5119 100644
--- a/config/rootfiles/core/184/update.sh
+++ b/config/rootfiles/core/184/update.sh
@@ -37,6 +37,30 @@ done
 # Extract files
 extract_files
 
+# Remove dropped elfutils addon
+rm -vf \
+	/opt/pakfire/db/installed/meta-elfutils \
+	/opt/pakfire/db/meta/meta-elfutils \
+	/opt/pakfire/db/rootfiles/elfutils \
+	/usr/bin/eu-addr2line \
+	/usr/bin/eu-ar \
+	/usr/bin/eu-elfclassify \
+	/usr/bin/eu-elfcmp \
+	/usr/bin/eu-elfcompress \
+	/usr/bin/eu-elflint \
+	/usr/bin/eu-findtextrel \
+	/usr/bin/eu-make-debug-archive \
+	/usr/bin/eu-nm \
+	/usr/bin/eu-objdump \
+	/usr/bin/eu-ranlib \
+	/usr/bin/eu-readelf \
+	/usr/bin/eu-size \
+	/usr/bin/eu-srcfiles \
+	/usr/bin/eu-stack \
+	/usr/bin/eu-strings \
+	/usr/bin/eu-strip \
+	/usr/bin/eu-unstrip
+
 # Remove files
 
 # update linker config
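
Review bot: The rm block is placed above the existing "# Remove files" heading, which stays empty; moving the block under that heading keeps the script's layout consistent. The eighteen /usr/bin/eu-* paths repeat by hand the entries commented out in config/rootfiles/common/elfutils, so a short comment pointing at that rootfile would help keep the two lists in step when elfutils is next updated.
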
@@ -54,6 +78,7 @@ ldconfig
 # Start services
 telinit u
 /etc/init.d/vnstat start
+/etc/init.d/collectd restart
 
 # This update needs a reboot...
 touch /var/run/need_reboot
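
Review bot: collectd is restarted here with a configuration that names the HOSTILE_DROP_IN and HOSTILE_DROP_OUT chains, but nothing in the visible lines reloads the firewall, so those chains may not exist until the reboot that the next line requests. If the collectd iptables plugin complains about missing chains in that window, either reload the firewall before this restart or leave the collectd restart to the reboot.
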
diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
index 3b980fcd4..00c206ed8 100644
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -23,6 +23,7 @@ default_md	= sha256
 preserve	= no
 policy		= policy_match
 email_in_dn	= no
+copy_extensions = copyall
 
 [ policy_match ]
 countryName		= optional
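
Review bot: "copy_extensions = copyall" in the CA section makes openssl ca copy every extension from the CSR into the issued certificate, overriding whatever the CA configuration would have set, and it applies to every request signed with this file, not only the regenerated host certificate. The OpenSSL documentation warns about exactly this: a request carrying basicConstraints with CA:TRUE would come back as a valid CA certificate. Since this configuration also signs client requests, suggest limiting the setting to the host certificate regeneration path (a separate CA section or a per-invocation extension file), or using "copy" together with an explicit extensions section that pins basicConstraints and keyUsage. Minor: the line uses spaces around "=" where its neighbours use tabs.
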
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..46fb9ee5a 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -375,6 +375,7 @@ WARNING: translation string unused: host
 WARNING: translation string unused: host allow
 WARNING: translation string unused: host configuration
 WARNING: translation string unused: host deny
+WARNING: translation string unused: hostile networks
 WARNING: translation string unused: hostname and domain already in use
 WARNING: translation string unused: hour-graph
 WARNING: translation string unused: hours2
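
Review bot: The new "translation string unused: hostile networks" warning shows the old key is still present in the German language file although graphs.pl no longer references it. Suggest removing the stale key from the affected language files in the same series so the warning does not linger.
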
@@ -923,16 +924,22 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: invalid input for subscription code = Invalid input for subscription code
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..86d5890f2 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1039,7 +1039,9 @@ WARNING: untranslated string: holdoff = Holdoff time (in seconds)
 WARNING: untranslated string: host certificate = Host Certificate
 WARNING: untranslated string: host ip = Host IP address
 WARNING: untranslated string: host to net vpn = Host-to-Net Virtual Private Network (RoadWarrior)
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: hostname = Hostname
 WARNING: untranslated string: hostname cant be empty = Hostname cannot be empty.
 WARNING: untranslated string: hostname not set = Hostname not set.
@@ -1247,6 +1249,8 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
 WARNING: untranslated string: log = Log
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log lines per page = Lines per page
 WARNING: untranslated string: log server address = Syslog server:
@@ -1578,6 +1582,7 @@ WARNING: untranslated string: red1 = RED
 WARNING: untranslated string: references = References
 WARNING: untranslated string: refresh = Refresh
 WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..30e20ae87 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -415,6 +415,7 @@ WARNING: translation string unused: host
 WARNING: translation string unused: host allow
 WARNING: translation string unused: host configuration
 WARNING: translation string unused: host deny
+WARNING: translation string unused: hostile networks
 WARNING: translation string unused: hostname and domain already in use
 WARNING: translation string unused: hour-graph
 WARNING: translation string unused: hours2
@@ -989,12 +990,18 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..a53358147 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -402,6 +402,7 @@ WARNING: translation string unused: host
 WARNING: translation string unused: host allow
 WARNING: translation string unused: host configuration
 WARNING: translation string unused: host deny
+WARNING: translation string unused: hostile networks
 WARNING: translation string unused: hostname and domain already in use
 WARNING: translation string unused: hour-graph
 WARNING: translation string unused: hours2
@@ -947,7 +948,13 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..24efece2b 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1068,7 +1068,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids add provider = Add provider
 WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
 WARNING: untranslated string: ids apply = Apply
@@ -1159,6 +1161,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
@@ -1215,6 +1219,7 @@ WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..b6a65fad2 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1073,7 +1073,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids add provider = Add provider
 WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
 WARNING: untranslated string: ids apply = Apply
@@ -1166,6 +1168,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
@@ -1237,6 +1241,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..1a4f62870 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1213,7 +1213,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids add provider = Add provider
 WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
 WARNING: untranslated string: ids apply = Apply
@@ -1315,6 +1317,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
@@ -1418,6 +1422,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..8da6fe4b6 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1210,7 +1210,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids add provider = Add provider
 WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
 WARNING: untranslated string: ids apply = Apply
@@ -1313,6 +1315,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
@@ -1413,6 +1417,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..96fe71f7b 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1010,7 +1010,9 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = From Hostile Networks
+WARNING: untranslated string: hostile networks out = To Hostile Networks
+WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids add provider = Add provider
 WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
 WARNING: untranslated string: ids apply = Apply
@@ -1089,6 +1091,8 @@ WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: meltdown = Meltdown
 WARNING: untranslated string: mitigated = Mitigated
@@ -1125,6 +1129,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..c92e1e6a3 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -58,6 +58,9 @@
 < extrahd because it it outside the allowed mount path
 < g.dtm
 < g.lite
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < ids automatic rules update
 < ids subscription code required
 < insert removable device
@@ -66,6 +69,8 @@
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < link-layer encapsulation
+< log drop hostile in
+< log drop hostile out
 < netbios nameserver daemon
 < no entries
 < notes
@@ -73,6 +78,7 @@
 < optional
 < quick control
 < random number generator daemon
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -114,9 +120,15 @@
 < extrahd not configured
 < extrahd not mounted
 < hardware vulnerabilities
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < invalid ip or hostname
+< log drop hostile in
+< log drop hostile out
 < openvpn cert expires soon
 < openvpn cert has expired
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < service boot setting unavailable
@@ -138,6 +150,12 @@
 < extrahd not mounted
 < g.dtm
 < g.lite
+< hostile networks in
+< hostile networks out
+< hostile networks total
+< log drop hostile in
+< log drop hostile out
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < spec rstack overflow
@@ -361,7 +379,9 @@
 < guaranteed bandwidth
 < guardian
 < hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < ids add provider
 < ids adjust ruleset
 < ids apply
@@ -464,6 +484,8 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile in
+< log drop hostile out
 < log dropped conntrack invalids
 < log server protocol
 < masquerade blue
@@ -523,6 +545,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -880,7 +903,9 @@
 < generate ptr
 < guardian
 < hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < ids add provider
 < ids adjust ruleset
 < ids apply
@@ -985,6 +1010,8 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile in
+< log drop hostile out
 < log dropped conntrack invalids
 < log server protocol
 < masquerade blue
@@ -1063,6 +1090,7 @@
 < rdns
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -1704,7 +1732,9 @@
 < grouptype
 < guardian
 < hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < ids add provider
 < ids adjust ruleset
 < ids apply
@@ -1819,6 +1849,8 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile in
+< log drop hostile out
 < log dropped conntrack invalids
 < log server protocol
 < mac filter
@@ -1943,6 +1975,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -2695,7 +2728,9 @@
 < grouptype
 < guardian
 < hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < hour-graph
 < ids add provider
 < ids adjust ruleset
@@ -2812,6 +2847,8 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile in
+< log drop hostile out
 < log dropped conntrack invalids
 < log server protocol
 < mac filter
@@ -2934,6 +2971,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -3280,7 +3318,9 @@
 < fw red
 < generate ptr
 < hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
+< hostile networks total
 < ids add provider
 < ids adjust ruleset
 < ids apply
@@ -3368,6 +3408,8 @@
 < legacy architecture warning
 < link-layer encapsulation
 < local ip address
+< log drop hostile in
+< log drop hostile out
 < log dropped conntrack invalids
 < meltdown
 < mitigated
@@ -3405,6 +3447,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..60b1bdd91 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 	$settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILEIN'}) {
+	$settings{'LOGDROPHOSTILEIN'} = 'on';
+}
+if (!$settings{'LOGDROPHOSTILEOUT'}) {
+	$settings{'LOGDROPHOSTILEOUT'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 	$settings{'LOGDROPCTINVALID'} = 'on';
 }
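Review bot: the defaults for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT are applied only to the in-memory %settings when the key is missing, so on a system whose settings file predates this change the page will show both options as on before anything has been saved. Confirm that the firewall initscript treats an unset value the same way, or write both keys during the update so that the UI and the rules agree.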
@@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
+$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
+$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
@@ -212,6 +224,29 @@ END
 
 	<br>
 
+<table width='95%' cellspacing='0'>
+	<tr bgcolor='$color{'color20'}'>
+		<td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
+			<input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+</table>
+<br>
+
+<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+</table>
+<br>
+
 <table width='95%' cellspacing='0'>
 	<tr bgcolor='$color{'color20'}'>
 		<td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td>
@@ -279,31 +314,23 @@ END
 			<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
 		</td>
 	</tr>
-</table>
-<br/>
-
-<table width='95%' cellspacing='0'>
-	<tr bgcolor='$color{'color20'}'>
-		<td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
+		</td>
 	</tr>
 	<tr>
-		<td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
 		<td align='left'>
-			$Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
-			<input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
 		</td>
 	</tr>
 </table>
-<br>
+<br/>
 
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
-																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
-																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 53507305f..9173a85d8 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -229,13 +229,14 @@ sub callssl ($) {
 	my $opt = shift;
 	my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
 	my $ret = '';
-	foreach my $line (split (/\n/, $retssl)) {
-		&General::log("ipsec", "$line") if (0); # 1 for verbose logging
-		$ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
-	}
-	if ($ret) {
-		$ret= &Header::cleanhtml($ret);
+
+	if ($?) {
+		foreach my $line (split (/\n/, $retssl)) {
+			&General::log("ipsec", "$line") if (0); # 1 for verbose logging
+			$ret .= '<br>' . &Header::escape($line);
+		}
 	}
+
 	return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
 }
 ###
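Review bot: callssl still interpolates the option string into a shell command through backticks (`/usr/bin/openssl $opt 2>&1`), and option strings elsewhere in this file are built with $cgiparams{'NAME'} in them, so this is the place to switch to a list-form invocation instead of only changing how the output is filtered. On the new block itself: checking `$?` is a better failure test than matching /error|unknown/, but every line of openssl output is now returned to the page on failure; it is passed through &Header::escape, yet it can include file paths, so consider logging the full output and showing a shorter message. The `if (0)` logging line is dead code and could become a real debug switch or be dropped.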
@@ -865,6 +866,12 @@ END
 		exit(0);
 	}
 ###
+### Regenerate the host certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) {
+	$errormessage = &regenerate_host_certificate();
+
+###
 ### Form for generating/importing the caroot+host certificate
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
@@ -2141,7 +2148,7 @@ END
 		&General::log("ipsec", "Creating a cert...");
 
 		if (open(STDIN, "-|")) {
-			my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+			my $opt = " req -nodes";
 			$opt .= " -newkey rsa:4096";
 			$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
 			$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
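Review bot: check that no other openssl call in this file still carries `-rand /proc/interrupts:/proc/net/rt_cache`, and say in the commit message why it is dropped here, since openssl seeds itself from the system RNG and the reason is not obvious from the diff. In the unchanged lines below, $cgiparams{'NAME'} is concatenated unquoted into the -keyout and -out paths; make sure it has been validated against a strict character set before this point.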
@@ -3611,7 +3618,12 @@ END
 			<input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
 			</form>
 		</td>
-		<td width='4%' $col2>&nbsp;</td></tr>
+		<td width='4%' align='center' $col2>
+			<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+				<input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' />
+				<input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' />
+			</form>
+		</td></tr>
 END
 ;
 	} else {
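Review bot: the new form places the translated label inside single-quoted attributes (`value='$Lang::tr{'regenerate host certificate'}'`, and the same for name, alt and title), so a translation that contains an apostrophe ends the attribute early and the ACTION comparison in the handler stops matching. Escape the string for attribute context, or post a fixed action token and keep the translation for display only. The button also revokes and reissues the host certificate on a single click; a confirmation step would suit an action that cannot be undone from the UI.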
@@ -3781,3 +3793,44 @@ sub make_subnets($$) {
 
 	return join(",", @cidr_nets);
 }
+
+sub regenerate_host_certificate() {
+	my $errormessage = "";
+
+	&General::log("ipsec", "Regenerating host certificate...");
+
+	# Create a CSR based on the existing certificate
+	my $opt = " x509 -x509toreq -copy_extensions copyall";
+	$opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
+	$opt .= " -in ${General::swroot}/certs/hostcert.pem";
+	$opt .= " -out ${General::swroot}/certs/hostreq.pem";
+	$errormessage = &callssl($opt);
+
+	# Revoke the old certificate
+	if (!$errormessage) {
+		&General::log("ipsec", "Revoking the old host cert...");
+
+		my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl($opt);
+	}
+
+	# Sign the host certificate request
+	if (!$errormessage) {
+		&General::log("ipsec", "Self signing host cert...");
+
+		my $opt = " ca -md sha256 -days 825";
+		$opt .= " -batch -notext";
+		$opt .= " -in ${General::swroot}/certs/hostreq.pem";
+		$opt .= " -out ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl ($opt);
+
+		unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+	}
+
+	# Reload the new certificate
+	if (!$errormessage) {
+		&General::system('/usr/local/bin/ipsecctrl', 'R');
+	}
+
+	return $errormessage;
+}
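Review bot: regenerate_host_certificate revokes the current certificate before the replacement has been signed, and the signing step writes directly to hostcert.pem, so a failure in the `ca -md sha256 -days 825` call leaves the host with a revoked or partly written certificate. Sign into a temporary file first, then revoke the old certificate and rename the new one into place. Smaller points: hostreq.pem is unlinked only inside the signing branch, so it is left behind when the revoke fails; nothing in this function regenerates the CRL after the revoke; and the inner `my $opt` declarations shadow the outer one.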
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..3246102ba 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1409,7 +1409,9 @@
 'host deny' => 'list with denied hosts',
 'host ip' => 'Host IP address',
 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)',
-'hostile networks' => 'Hostile networks',
+'hostile networks in' => 'From Hostile Networks',
+'hostile networks out' => 'To Hostile Networks',
+'hostile networks total' => 'Total Hostile Networks',
 'hostname' => 'Hostname',
 'hostname and domain already in use' => 'Hostname and domain already in use.',
 'hostname cant be empty' => 'Hostname cannot be empty.',
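Review bot: the key 'hostile networks' is removed rather than kept next to the three new ones, so any CGI or graph code that still looks up $Lang::tr{'hostile networks'} will render an empty label. Search for remaining users of the old key before merging, or keep it until they are all converted.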
@@ -1686,6 +1688,8 @@
 'locationblock enable feature' => 'Enable Location based blocking:',
 'locationblock flag' => 'Flag',
 'log' => 'Log',
+'log drop hostile in' => 'Log dropped packets FROM hostile networks',
+'log drop hostile out' => 'Log dropped packets TO hostile networks',
 'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
 'log enabled' => 'Log Enabled',
 'log level' => 'Log Level',
@@ -2208,6 +2212,7 @@
 'refresh' => 'Refresh',
 'refresh index page while connected' => 'Refresh index.cgi page while connected',
 'refresh update list' => 'Refresh update list',
+'regenerate host certificate' => 'Renew Host Certificate',
 'registered user rules' => 'Talos VRT rules for registered users',
 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
diff --git a/lfs/elfutils b/lfs/elfutils
index 9fb69af62..7dd95caa2 100644
--- a/lfs/elfutils
+++ b/lfs/elfutils
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -33,12 +33,6 @@ DL_FILE    = $(THISAPP).tar.bz2
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
-PROG       = elfutils
-PAK_VER    = 10
-
-DEPS       =
-
-SERVICES   =
 
 ###############################################################################
 # Top-level Rules
@@ -58,9 +52,6 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects))
 
 b2 : $(subst %,%_BLAKE2,$(objects))
 
-dist:
-	@$(PAK)
-
 ###############################################################################
 # Downloading, checking, b2sum
 ###############################################################################
diff --git a/lfs/frr b/lfs/frr
index a1555af64..f0954aae5 100644
--- a/lfs/frr
+++ b/lfs/frr
@@ -34,9 +34,9 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = frr
-PAK_VER    = 7
+PAK_VER    = 8
 
-DEPS       = elfutils
+DEPS       =
 
 SERVICES   = frr
 
diff --git a/lfs/ltrace b/lfs/ltrace
index 3d1fdee3f..f3f07c0b1 100644
--- a/lfs/ltrace
+++ b/lfs/ltrace
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -35,9 +35,9 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = ltrace
-PAK_VER    = 2
+PAK_VER    = 3
 
-DEPS       = elfutils
+DEPS       =
 
 SERVICES   =
 
diff --git a/lfs/qemu b/lfs/qemu
index 2c45d7156..d65282743 100644
--- a/lfs/qemu
+++ b/lfs/qemu
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -35,9 +35,9 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = qemu
-PAK_VER    = 41
+PAK_VER    = 42
 
-DEPS       = alsa elfutils libusbredir spice libseccomp libslirp
+DEPS       = alsa libusbredir spice libseccomp libslirp
 
 SERVICES   =
 
diff --git a/lfs/strace b/lfs/strace
index 2ce9b26d8..97253340a 100644
--- a/lfs/strace
+++ b/lfs/strace
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -35,9 +35,9 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = strace
-PAK_VER    = 10
+PAK_VER    = 11
 
-DEPS       = elfutils
+DEPS       =
 
 SERVICES   =
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 3aab7dd75..69bdcb594 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -179,9 +179,18 @@ iptables_init() {
 	iptables -A FORWARD -j HOSTILE
 	iptables -A OUTPUT -j HOSTILE
 
-	iptables -N HOSTILE_DROP
-	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
-	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+	iptables -N HOSTILE_DROP_IN
+	if [ "$LOGDROPHOSTILEIN" == "on" ]; then
+		iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	fi
+	iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
+
+	iptables -N HOSTILE_DROP_OUT
+	if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
+		iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	fi
+	iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
+
 
 	# IP Address Blocklist chains
 	iptables -N BLOCKLISTIN
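Review bot: HOSTILE_DROP_IN and HOSTILE_DROP_OUT both log with the prefix "DROP_HOSTILE " and carry the same comment, so the log cannot tell inbound from outbound drops even though the chains and the UI strings now separate them; use a distinct prefix per direction if log views or counters are meant to be split. The tests `[ "$LOGDROPHOSTILEIN" == "on" ]` and `[ "$LOGDROPHOSTILEOUT" == "on" ]` use `==`, which is a bash extension inside `[ ]`; `=` is the portable form. The hunk also adds a second blank line before the blocklist comment.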


hooks/post-receive
--
IPFire 2.x development tree
