From: Michael Tremer
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. b8c898b4824624b802ffda8b92c7009ea5a9db46
Date: Wed, 07 Feb 2024 11:10:22 +0000
Message-ID: <4TVHTW11xkz2xlt@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  b8c898b4824624b802ffda8b92c7009ea5a9db46 (commit)
       via  9f01011570be542e394503cb8a4c5184eb9be8d1 (commit)
       via  aa07e1bb3eba3606a0b8e647180e0926a411016b (commit)
       via  182743310ce47d9a78d5fd6d32c510bcbb163762 (commit)
       via  08c20b8457ec8c8fe24dda561b8d28a6f6b584a3 (commit)
       via  3dfc7489461d52321bf6cb6a342b15416fd362bb (commit)
       via  7c9a6cf1631cd68970762cbb61056618f6de4c2e (commit)
       via  b4f6962c4dd5ddd18a376e4acec6a861cf870fa1 (commit)
       via  216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2 (commit)
       via  d2b423b1dc866dccf70dba93d779da36871c1b84 (commit)
       via  6aa450ec3b4ab8a9a9ed37c710321c19b4db104d (commit)
       via  37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5 (commit)
       via  f23555a1c6acb12fbb626a27c2189dee4cb45c0c (commit)
       via  89645d1bbfbb26bdf0351fe01b69978f73fc0074 (commit)
       via  7d0f48668b681b4b788f8adffd5a6d0ad56d02a5 (commit)
       via  fb7d13725fc3d16eeddad73e5cfa86a15bc58408 (commit)
       via  0e16c27908960fd911efe8193489a16eb970455f (commit)
       via  4b1254520ab884792aa41a342a7e2e31320519db (commit)
       via  c09d2324479fa2fceec9eb5166b5e8e7af45fb0a (commit)
       via  30dc4c0248a65b70baf89cb46cc5b18993788501 (commit)
       via  816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe (commit)
      from  437bfd678013cf2b56b673b67a3eb6d68a0831cd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other
notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
commit b8c898b4824624b802ffda8b92c7009ea5a9db46
Author: Michael Tremer
Date:   Wed Feb 7 11:09:50 2024 +0000

    core184: Ship vpnmain.cgi

    Signed-off-by: Michael Tremer

commit 9f01011570be542e394503cb8a4c5184eb9be8d1
Author: Michael Tremer
Date:   Tue Jan 30 17:45:44 2024 +0000

    vpnmain.cgi: Add option to regenerate the host certificate

    This is necessary since we now have a much shorter lifetime for the
    host certificate. However, it is complicated to do this, which is why
    we are copying the previous certificate and generating a new CSR. This
    is then signed.

    A caveat of this patch is that we do not roll over the key.

    Signed-off-by: Michael Tremer

commit aa07e1bb3eba3606a0b8e647180e0926a411016b
Author: Michael Tremer
Date:   Tue Jan 30 17:45:43 2024 +0000

    vpnmain.cgi: Return the entire error message if OpenSSL fails

    The function did not evaluate the return code, which is why it used a
    hack to figure out if some output is an error or not.

    This is being fixed in this commit and the entire output is being
    returned if the return code is non-zero.

    Signed-off-by: Michael Tremer

commit 182743310ce47d9a78d5fd6d32c510bcbb163762
Author: Michael Tremer
Date:   Tue Jan 30 17:45:42 2024 +0000

    vpnmain.cgi: Do not use a bad source for randomness

    Signed-off-by: Michael Tremer

commit 08c20b8457ec8c8fe24dda561b8d28a6f6b584a3
Author: Michael Tremer
Date:   Wed Feb 7 11:05:08 2024 +0000

    core184: Ship HOSTILE IN/OUT changes

    Signed-off-by: Michael Tremer

commit 3dfc7489461d52321bf6cb6a342b15416fd362bb
Author: Michael Tremer
Date:   Tue Feb 6 18:17:26 2024 +0000

    firewall: Improve labelling of hostile networks hits

    Signed-off-by: Michael Tremer

commit 7c9a6cf1631cd68970762cbb61056618f6de4c2e
Author: Michael Tremer
Date:   Tue Feb 6 18:11:48 2024 +0000

    firewall: graphs: Add a line for the total number of hostile hits

    Signed-off-by: Michael Tremer

commit b4f6962c4dd5ddd18a376e4acec6a861cf870fa1
Author: Adolf Belka
Date:   Sun Jan 21 12:45:53 2024 +0100

    optionsfw.cgi: Move Firewall Options Drop commands to before the logging section

    - Moved the Firewall Options Drop commands to before the logging section,
      as discussed at January 2024 Video Call.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2
Author: Adolf Belka
Date:   Sun Jan 21 12:45:52 2024 +0100

    graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries

    - This v3 version of the patch set splits the single hostile networks graph
      entry into incoming hostile networks and outgoing hostile networks entries.

    Fixes: bug12981
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit d2b423b1dc866dccf70dba93d779da36871c1b84
Author: Adolf Belka
Date:   Sun Jan 21 12:45:51 2024 +0100

    collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection

    - In this v3 version of the patch set the splitting of drop hostile logging
      into incoming and outgoing logging means that the data collection and graphs
      need to have drop hostile also split into incoming and outgoing.

    Fixes: bug12981
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 6aa450ec3b4ab8a9a9ed37c710321c19b4db104d
Author: Adolf Belka
Date:   Sun Jan 21 12:45:50 2024 +0100

    en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging

    - In this v3 version have added translations for hostile networks in and
      hostile networks out and log drop hostile in and log drop hostile out.

    Fixes: bug12981
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5
Author: Adolf Belka
Date:   Sun Jan 21 12:45:49 2024 +0100

    firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic

    - This v3 version now has two if loops allowing logging of incoming drop
      hostile or outgoing drop hostile or both or neither.
    - Dependent on the choice in optionsfw.cgi this loop will either log or not
      log the dropped hostile traffic.

    Fixes: bug12981
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit f23555a1c6acb12fbb626a27c2189dee4cb45c0c
Author: Adolf Belka
Date:   Sun Jan 21 12:45:48 2024 +0100

    rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile

    - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming
      traffic and HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions
      to be taken on each independently.

    Fixes: bug12981
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Acked-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit 89645d1bbfbb26bdf0351fe01b69978f73fc0074
Author: Adolf Belka
Date:   Sun Jan 21 12:45:47 2024 +0100

    optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic

    - This v3 version has split the logging choice for drop hostile to separate
      the logging of incoming drop hostile and outgoing drop hostile.
    - The bug originator had no port forwards so all hostile would be dropped
      normally anyway. However the logs were being swamped by the logging of drop
      hostile making analysis difficult. So incoming drop hostile was desired to
      not be logged. However logging of outgoing drop hostile was desired to
      identify if clients on the internal lan were infected with malware trying
      to reach home.
    - Added option with drop hostile section to decide if the dropped traffic
      should be logged or not.

    Fixes: bug12981
    Tested-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Tested-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit 7d0f48668b681b4b788f8adffd5a6d0ad56d02a5
Author: Michael Tremer
Date:   Wed Feb 7 11:01:25 2024 +0000

    elfutils: Don't ship tools

    I don't think there is any point that we ship these.

    Signed-off-by: Michael Tremer

commit fb7d13725fc3d16eeddad73e5cfa86a15bc58408
Author: Michael Tremer
Date:   Wed Feb 7 10:58:21 2024 +0000

    core184: Remove elfutils pakfire metadata (if installed)

    Signed-off-by: Michael Tremer

commit 0e16c27908960fd911efe8193489a16eb970455f
Author: Adolf Belka
Date:   Tue Feb 6 22:27:39 2024 +0100

    strace: elfutils moved from addon dependency to core program

    Fixes: Bug#13516
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 4b1254520ab884792aa41a342a7e2e31320519db
Author: Adolf Belka
Date:   Tue Feb 6 22:27:38 2024 +0100

    qemu: elfutils moved from addon dependency to core program

    Fixes: Bug#13516
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c09d2324479fa2fceec9eb5166b5e8e7af45fb0a
Author: Adolf Belka
Date:   Tue Feb 6 22:27:37 2024 +0100

    ltrace: elfutils moved from addon dependency to core program

    Fixes: Bug#13516
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 30dc4c0248a65b70baf89cb46cc5b18993788501
Author: Adolf Belka
Date:   Tue Feb 6 22:27:36 2024 +0100

    frr: elfutils moved from addon dependency to core program

    Fixes: Bug#13516
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe
Author: Adolf Belka
Date:   Tue Feb 6 22:27:35 2024 +0100

    elfutils: Move from addon to core program. Required by suricata-7.0.2 for execution

    - Updated lfs file to core program type
    - Moved rootfile from packages to common
    - Older suricata versions required elfutils only for building but
      suricata-7.0.2 fails to start if elfutils is not present due to
      libelf.so.1 being missing.
    - The requirement for elfutils is not mentioned at all in the changelog.

    Fixes: Bug#13516
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/graphs.pl                       | 23 ++++++++-
 config/collectd/collectd.conf                  |  3 +-
 config/firewall/rules.pl                       |  6 +--
 config/rootfiles/{packages => common}/elfutils | 36 +++++++-------
 config/rootfiles/core/184/filelists/files      |  5 ++
 config/rootfiles/core/184/update.sh            | 25 ++++++++++
 config/ssl/openssl.cnf                         |  1 +
 doc/language_issues.de                         |  7 +++
 doc/language_issues.en                         |  7 ++-
 doc/language_issues.es                         |  7 +++
 doc/language_issues.fr                         |  7 +++
 doc/language_issues.it                         |  7 ++-
 doc/language_issues.nl                         |  7 ++-
 doc/language_issues.pl                         |  7 ++-
 doc/language_issues.ru                         |  7 ++-
 doc/language_issues.tr                         |  7 ++-
 doc/language_missings                          | 53 ++++++++++++++++++--
 html/cgi-bin/optionsfw.cgi                     | 65 +++++++++++++++++------
 html/cgi-bin/vpnmain.cgi                       | 69 +++++++++++++++++++++++---
 langs/en/cgi-bin/en.pl                         |  7 ++-
 lfs/elfutils                                   | 11 +---
 lfs/frr                                        |  4 +-
 lfs/ltrace                                     |  6 +--
 lfs/qemu                                       |  6 +--
 lfs/strace                                     |  6 +--
 src/initscripts/system/firewall                | 15 ++++-
 26 files changed, 317 insertions(+), 87 deletions(-)
 rename config/rootfiles/{packages => common}/elfutils (76%)

Difference in files:
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index 9803dd124..a23e49c98 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -693,7 +693,16 @@ sub updatefwhitsgraph { "DEF:newnotsyn=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-f= ilter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-fi= lter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", "DEF:spoofedmartian=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptab= les-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE", - "DEF:hostile=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-fil= ter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostilein=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-f= ilter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostileout=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-= filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostilelegacy=3D".$mainsettings{'RRDLOG'}."/collectd/localhost/iptabl= es-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + + # This creates a new combined hostile segment. + # Previously we did not split into incoming/outgoing, but we cannot go bac= k in time. This CDEF will take the values + # from the old RRD database unless those are UNKNOWN (i.e. we started coll= ected IN/OUT). If the values are unknown, + # we replace them with them sum of IN + OUT. + "CDEF:hostile=3Dhostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF", + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), 
@@ -729,7 +738,17 @@ sub updatefwhitsgraph { "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps", "GPRINT:spoofedmartian:MIN:%8.1lf %sBps", "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j", - "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile= networks'}), + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hosti= le networks in'}), + "GPRINT:hostilein:MAX:%8.1lf %sBps", + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps", + "GPRINT:hostilein:MIN:%8.1lf %sBps", + "GPRINT:hostilein:LAST:%8.1lf %sBps\\j", + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'host= ile networks out'}), + "GPRINT:hostileout:MAX:%8.1lf %sBps", + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps", + "GPRINT:hostileout:MIN:%8.1lf %sBps", + "GPRINT:hostileout:LAST:%8.1lf %sBps\\j", + "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total= '}), "GPRINT:hostile:MAX:%8.1lf %sBps", "GPRINT:hostile:AVERAGE:%8.1lf %sBps", "GPRINT:hostile:MIN:%8.1lf %sBps", diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 4ef34ea07..cc49f0ba7 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -51,7 +51,8 @@ include "/etc/collectd.precache" Chain filter POLICYOUT DROP_OUTPUT Chain filter POLICYIN DROP_INPUT Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN - Chain filter HOSTILE_DROP DROP_HOSTILE + Chain filter HOSTILE_DROP_IN DROP_HOSTILE + Chain filter HOSTILE_DROP_OUT DROP_HOSTILE =20 # diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 7edb910e2..a47c260a1 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl 
@@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2020 IPFire Team = # +# Copyright (C) 2007-2024 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -726,8 +726,8 @@ sub drop_hostile_networks () { &ipset_restore($HOSTILE_CCODE); =20 # Check traffic in incoming/outgoing direction and drop if it matches - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src= -j HOSTILE_DROP"); - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst= -j HOSTILE_DROP"); + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src= -j HOSTILE_DROP_IN"); + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst= -j HOSTILE_DROP_OUT"); } =20 sub ipblocklist () { diff --git a/config/rootfiles/packages/elfutils b/config/rootfiles/common/elf= utils similarity index 76% rename from config/rootfiles/packages/elfutils rename to config/rootfiles/common/elfutils index f7d56ad89..830638e2b 100644 --- a/config/rootfiles/packages/elfutils +++ b/config/rootfiles/common/elfutils 
@@ -1,21 +1,21 @@ -usr/bin/eu-addr2line -usr/bin/eu-ar -usr/bin/eu-elfclassify -usr/bin/eu-elfcmp -usr/bin/eu-elfcompress -usr/bin/eu-elflint -usr/bin/eu-findtextrel -usr/bin/eu-make-debug-archive -usr/bin/eu-nm -usr/bin/eu-objdump -usr/bin/eu-ranlib -usr/bin/eu-readelf -usr/bin/eu-size -usr/bin/eu-srcfiles -usr/bin/eu-stack -usr/bin/eu-strings -usr/bin/eu-strip -usr/bin/eu-unstrip +#usr/bin/eu-addr2line +#usr/bin/eu-ar +#usr/bin/eu-elfclassify +#usr/bin/eu-elfcmp +#usr/bin/eu-elfcompress +#usr/bin/eu-elflint +#usr/bin/eu-findtextrel +#usr/bin/eu-make-debug-archive +#usr/bin/eu-nm +#usr/bin/eu-objdump +#usr/bin/eu-ranlib +#usr/bin/eu-readelf +#usr/bin/eu-size +#usr/bin/eu-srcfiles +#usr/bin/eu-stack +#usr/bin/eu-strings +#usr/bin/eu-strip +#usr/bin/eu-unstrip #usr/include/dwarf.h #usr/include/elfutils #usr/include/elfutils/elf-knowledge.h diff --git a/config/rootfiles/core/184/filelists/files b/config/rootfiles/cor= e/184/filelists/files index 4f1c7ed98..dc8a1b28f 100644 --- a/config/rootfiles/core/184/filelists/files +++ b/config/rootfiles/core/184/filelists/files @@ -1 +1,6 @@ etc/rc.d/init.d/collectd +etc/rc.d/init.d/firewall +srv/web/ipfire/cgi-bin/optionsfw.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/lib/firewall/rules.pl +var/ipfire/graphs.pl diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/= update.sh index a5e53a564..d744b5119 100644 --- a/config/rootfiles/core/184/update.sh +++ b/config/rootfiles/core/184/update.sh 
@@ -37,6 +37,30 @@ done # Extract files extract_files =20 +# Remove dropped elfutils addon +rm -vf \ + /opt/pakfire/db/installed/meta-elfutils \ + /opt/pakfire/db/meta/meta-elfutils \ + /opt/pakfire/db/rootfiles/elfutils \ + /usr/bin/eu-addr2line \ + /usr/bin/eu-ar \ + /usr/bin/eu-elfclassify \ + /usr/bin/eu-elfcmp \ + /usr/bin/eu-elfcompress \ + /usr/bin/eu-elflint \ + /usr/bin/eu-findtextrel \ + /usr/bin/eu-make-debug-archive \ + /usr/bin/eu-nm \ + /usr/bin/eu-objdump \ + /usr/bin/eu-ranlib \ + /usr/bin/eu-readelf \ + /usr/bin/eu-size \ + /usr/bin/eu-srcfiles \ + /usr/bin/eu-stack \ + /usr/bin/eu-strings \ + /usr/bin/eu-strip \ + /usr/bin/eu-unstrip + # Remove files =20 # update linker config @@ -54,6 +78,7 @@ ldconfig # Start services telinit u /etc/init.d/vnstat start +/etc/init.d/collectd restart =20 # This update needs a reboot... touch /var/run/need_reboot diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf index 3b980fcd4..00c206ed8 100644 --- a/config/ssl/openssl.cnf +++ b/config/ssl/openssl.cnf @@ -23,6 +23,7 @@ default_md =3D sha256 preserve =3D no policy =3D policy_match email_in_dn =3D no +copy_extensions =3D copyall =20 [ policy_match ] countryName =3D optional diff --git a/doc/language_issues.de b/doc/language_issues.de index 4fd5a0819..46fb9ee5a 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -375,6 +375,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -923,16 +924,22 @@ WARNING: untranslated string: guardian logtarget_file = =3D unknown string WARNING: untranslated string: guardian logtarget_syslog =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: ids subscription code required =3D The selecte= d ruleset requires a subscription code WARNING: untranslated string: invalid input for subscription code =3D Invali= d input for subscription code WARNING: untranslated string: ipsec dns server address is invalid =3D Invali= d DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoi= nt =3D Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint =3D Host-to-Net End= point WARNING: untranslated string: link-layer encapsulation =3D Link-Layer Encaps= ulation +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: netbios nameserver daemon =3D NetBIOS Nameserv= er Daemon WARNING: untranslated string: no entries =3D No entries at the moment. WARNING: untranslated string: optional =3D Optional WARNING: untranslated string: pakfire invalid tree =3D Invalid repository se= lected +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. 
WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required =3D Required diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..86d5890f2 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1039,7 +1039,9 @@ WARNING: untranslated string: holdoff =3D Holdoff time = (in seconds) WARNING: untranslated string: host certificate =3D Host Certificate WARNING: untranslated string: host ip =3D Host IP address WARNING: untranslated string: host to net vpn =3D Host-to-Net Virtual Privat= e Network (RoadWarrior) -WARNING: untranslated string: hostile networks =3D Hostile networks +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: hostname =3D Hostname WARNING: untranslated string: hostname cant be empty =3D Hostname cannot be = empty. WARNING: untranslated string: hostname not set =3D Hostname not set. 
@@ -1247,6 +1249,8 @@ WARNING: untranslated string: locationblock country is = allowed =3D Incoming traffi WARNING: untranslated string: locationblock country is blocked =3D Incoming = traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature =3D Enable Locati= on based blocking: WARNING: untranslated string: log =3D Log +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: log dropped conntrack invalids =3D Log dropped= packets classified as INVALID by connection tracking WARNING: untranslated string: log lines per page =3D Lines per page WARNING: untranslated string: log server address =3D Syslog server: @@ -1578,6 +1582,7 @@ WARNING: untranslated string: red1 =3D RED WARNING: untranslated string: references =3D References WARNING: untranslated string: refresh =3D Refresh WARNING: untranslated string: refresh index page while connected =3D Refresh= index.cgi page while connected +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..30e20ae87 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -415,6 +415,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -989,12 +990,18 @@ WARNING: untranslated string: guardian logtarget_syslog= =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: hardware vulnerabilities =3D Hardware Vulnerab= ilities +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: info messages =3D unknown string WARNING: untranslated string: invalid ip or hostname =3D Invalid IP Address = or Hostname +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: no data =3D unknown string WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon WARNING: untranslated string: openvpn cert has expired =3D Expired WARNING: untranslated string: pakfire ago =3D ago. +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed =3D unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..a53358147 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -402,6 +402,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 @@ -947,7 +948,13 @@ WARNING: untranslated string: guardian logtarget_file = =3D unknown string WARNING: untranslated string: guardian logtarget_syslog =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: pakfire ago =3D ago. +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed =3D unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..24efece2b 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1068,7 +1068,9 @@ WARNING: untranslated string: guardian logtarget_syslog= =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: hardware vulnerabilities =3D Hardware Vulnerab= ilities -WARNING: untranslated string: hostile networks =3D Hostile networks +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: ids add provider =3D Add provider WARNING: untranslated string: ids adjust ruleset =3D Adjust rules and add us= er defined customizations... WARNING: untranslated string: ids apply =3D Apply @@ -1159,6 +1161,8 @@ WARNING: untranslated string: locationblock configurati= on =3D Location Configurati WARNING: untranslated string: locationblock country is allowed =3D Incoming = traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked =3D Incoming = traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature =3D Enable Locati= on based blocking: +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: log dropped conntrack invalids =3D Log dropped= packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol =3D protocol: WARNING: untranslated string: masquerade blue =3D Masquerade BLUE 
@@ -1215,6 +1219,7 @@ WARNING: untranslated string: rdns =3D rDNS WARNING: untranslated string: reboot fsck =3D Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..b6a65fad2 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1073,7 +1073,9 @@ WARNING: untranslated string: guardian logtarget_syslog= =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: hardware vulnerabilities =3D Hardware Vulnerab= ilities -WARNING: untranslated string: hostile networks =3D Hostile networks +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: ids add provider =3D Add provider WARNING: untranslated string: ids adjust ruleset =3D Adjust rules and add us= er defined customizations... WARNING: untranslated string: ids apply =3D Apply 
@@ -1166,6 +1168,8 @@ WARNING: untranslated string: locationblock configurati= on =3D Location Configurati WARNING: untranslated string: locationblock country is allowed =3D Incoming = traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked =3D Incoming = traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature =3D Enable Locati= on based blocking: +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: log dropped conntrack invalids =3D Log dropped= packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol =3D protocol: WARNING: untranslated string: masquerade blue =3D Masquerade BLUE @@ -1237,6 +1241,7 @@ WARNING: untranslated string: ptr =3D PTR WARNING: untranslated string: rdns =3D rDNS WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required =3D Required diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..1a4f62870 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1213,7 +1213,9 @@ WARNING: untranslated string: guardian logtarget_syslog= =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: hardware vulnerabilities =3D Hardware Vulnerab= ilities -WARNING: untranslated string: hostile networks =3D Hostile networks +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: ids add provider =3D Add provider WARNING: untranslated string: ids adjust ruleset =3D Adjust rules and add us= er defined customizations... WARNING: untranslated string: ids apply =3D Apply @@ -1315,6 +1317,8 @@ WARNING: untranslated string: locationblock configurati= on =3D Location Configurati WARNING: untranslated string: locationblock country is allowed =3D Incoming = traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked =3D Incoming = traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature =3D Enable Locati= on based blocking: +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: log dropped conntrack invalids =3D Log dropped= packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol =3D protocol: WARNING: untranslated string: mac filter =3D MAC filter 
@@ -1418,6 +1422,7 @@ WARNING: untranslated string: reboot fsck =3D Reboot & = run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received WARNING: untranslated string: red1 =3D RED +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..8da6fe4b6 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1210,7 +1210,9 @@ WARNING: untranslated string: guardian logtarget_syslog= =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: hardware vulnerabilities =3D Hardware Vulnerab= ilities -WARNING: untranslated string: hostile networks =3D Hostile networks +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: ids add provider =3D Add provider WARNING: untranslated string: ids adjust ruleset =3D Adjust rules and add us= er defined customizations... WARNING: untranslated string: ids apply =3D Apply 
@@ -1313,6 +1315,8 @@ WARNING: untranslated string: locationblock configurati= on =3D Location Configurati WARNING: untranslated string: locationblock country is allowed =3D Incoming = traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked =3D Incoming = traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature =3D Enable Locati= on based blocking: +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: log dropped conntrack invalids =3D Log dropped= packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol =3D protocol: WARNING: untranslated string: mac filter =3D MAC filter @@ -1413,6 +1417,7 @@ WARNING: untranslated string: reboot fsck =3D Reboot & = run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received WARNING: untranslated string: red1 =3D RED +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..96fe71f7b 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1010,7 +1010,9 @@ WARNING: untranslated string: guardian logtarget_syslog= =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: hardware vulnerabilities =3D Hardware Vulnerab= ilities -WARNING: untranslated string: hostile networks =3D Hostile networks +WARNING: untranslated string: hostile networks in =3D From Hostile Networks +WARNING: untranslated string: hostile networks out =3D To Hostile Networks +WARNING: untranslated string: hostile networks total =3D Total Hostile Netwo= rks WARNING: untranslated string: ids add provider =3D Add provider WARNING: untranslated string: ids adjust ruleset =3D Adjust rules and add us= er defined customizations... WARNING: untranslated string: ids apply =3D Apply @@ -1089,6 +1091,8 @@ WARNING: untranslated string: ipsec settings =3D IPsec = Settings WARNING: untranslated string: itlb multihit =3D iTLB MultiHit WARNING: untranslated string: link-layer encapsulation =3D Link-Layer Encaps= ulation WARNING: untranslated string: local ip address =3D Local IP Address +WARNING: untranslated string: log drop hostile in =3D Log dropped packets FR= OM hostile networks +WARNING: untranslated string: log drop hostile out =3D Log dropped packets T= O hostile networks WARNING: untranslated string: log dropped conntrack invalids =3D Log dropped= packets classified as INVALID by connection tracking WARNING: untranslated string: meltdown =3D Meltdown WARNING: untranslated string: mitigated =3D Mitigated 
@@ -1125,6 +1129,7 @@ WARNING: untranslated string: ptr =3D PTR WARNING: untranslated string: reboot fsck =3D Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..c92e1e6a3 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -58,6 +58,9 @@ < extrahd because it it outside the allowed mount path < g.dtm < g.lite +< hostile networks in +< hostile networks out +< hostile networks total < ids automatic rules update < ids subscription code required < insert removable device @@ -66,6 +69,8 @@ < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < link-layer encapsulation +< log drop hostile in +< log drop hostile out < netbios nameserver daemon < no entries < notes @@ -73,6 +78,7 @@ < optional < quick control < random number generator daemon +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -114,9 +120,15 @@ < extrahd not configured < extrahd not mounted < hardware vulnerabilities +< hostile networks in +< hostile networks out +< hostile networks total < invalid ip or hostname +< log drop hostile in +< log drop hostile out < openvpn cert expires soon < openvpn cert has expired +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < service boot setting unavailable 
@@ -138,6 +150,12 @@ < extrahd not mounted < g.dtm < g.lite +< hostile networks in +< hostile networks out +< hostile networks total +< log drop hostile in +< log drop hostile out +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < spec rstack overflow @@ -361,7 +379,9 @@ < guaranteed bandwidth < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -464,6 +484,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -523,6 +545,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -880,7 +903,9 @@ < generate ptr < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -985,6 +1010,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -1063,6 +1090,7 @@ < rdns < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -1704,7 +1732,9 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -1819,6 +1849,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter 
@@ -1943,6 +1975,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -2695,7 +2728,9 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < hour-graph < ids add provider < ids adjust ruleset @@ -2812,6 +2847,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter @@ -2934,6 +2971,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -3280,7 +3318,9 @@ < fw red < generate ptr < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out +< hostile networks total < ids add provider < ids adjust ruleset < ids apply @@ -3368,6 +3408,8 @@ < legacy architecture warning < link-layer encapsulation < local ip address +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < meltdown < mitigated @@ -3405,6 +3447,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index fbff67b2f..60b1bdd91 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2022 IPFire Team = # +# Copyright (C) 2007-2024 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # 
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) { if (!$settings{'DROPHOSTILE'}) { $settings{'DROPHOSTILE'} =3D 'off'; } +if (!$settings{'LOGDROPHOSTILEIN'}) { + $settings{'LOGDROPHOSTILEIN'} =3D 'on'; +} +if (!$settings{'LOGDROPHOSTILEOUT'}) { + $settings{'LOGDROPHOSTILEOUT'} =3D 'on'; +} if (!$settings{'LOGDROPCTINVALID'}) { $settings{'LOGDROPCTINVALID'} =3D 'on'; } @@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMAR= TIAN'}} =3D "checked=3D'chec $checked{'DROPHOSTILE'}{'off'} =3D ''; $checked{'DROPHOSTILE'}{'on'} =3D ''; $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} =3D "checked=3D'checked'"; +$checked{'LOGDROPHOSTILEIN'}{'off'} =3D ''; +$checked{'LOGDROPHOSTILEIN'}{'on'} =3D ''; +$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} =3D "checked=3D'= checked'"; +$checked{'LOGDROPHOSTILEOUT'}{'off'} =3D ''; +$checked{'LOGDROPHOSTILEOUT'}{'on'} =3D ''; +$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} =3D "checked= =3D'checked'"; $checked{'LOGDROPCTINVALID'}{'off'} =3D ''; $checked{'LOGDROPCTINVALID'}{'on'} =3D ''; $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} =3D "checked=3D'= checked'"; @@ -212,6 +224,29 @@ END =20
=20 + + + + + + + + +
$Lang::tr{'fw red'}
$Lang::tr{'drop hostile'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
+
+ + + + + +
$Lang:= :tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / + $Lang::tr{'off'}
+
+ @@ -279,31 +314,23 @@ END $Lang::tr{'off'} -
$Lang::tr{'fw logging'}
-
- - - - + + + - +
$Lang::tr{'fw red'}
$Lang::tr{'log drop hostile in'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop hostile'}$Lang::tr{'log drop hostile out'} - $Lang::tr{'on'} / - $Lang::tr{'off'} + $Lang::tr{'on'} / + $Lang::tr{'off'}
-
+
=20 - - - - -
$Lang:= :tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / - $Lang::tr{'off'}
-
- + END ; } else { @@ -3781,3 +3793,44 @@ sub make_subnets($$) { =20 return join(",", @cidr_nets); } + +sub regenerate_host_certificate() { + my $errormessage =3D ""; + + &General::log("ipsec", "Regenerating host certificate..."); + + # Create a CSR based on the existing certificate + my $opt =3D " x509 -x509toreq -copy_extensions copyall"; + $opt .=3D " -signkey ${General::swroot}/certs/hostkey.pem"; + $opt .=3D " -in ${General::swroot}/certs/hostcert.pem"; + $opt .=3D " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage =3D &callssl($opt); + + # Revoke the old certificate + if (!$errormessage) { + &General::log("ipsec", "Revoking the old host cert..."); + + my $opt =3D " ca -revoke ${General::swroot}/certs/hostcert.pem"; + $errormessage =3D &callssl($opt); + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + my $opt =3D " ca -md sha256 -days 825"; + $opt .=3D " -batch -notext"; + $opt .=3D " -in ${General::swroot}/certs/hostreq.pem"; + $opt .=3D " -out ${General::swroot}/certs/hostcert.pem"; + $errormessage =3D &callssl ($opt); + + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + } + + # Reload the new certificate + if (!$errormessage) { + &General::system('/usr/local/bin/ipsecctrl', 'R'); + } + + return $errormessage; +} diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..3246102ba 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1409,7 +1409,9 @@ 'host deny' =3D> 'list with denied hosts', 'host ip' =3D> 'Host IP address', 'host to net vpn' =3D> 'Host-to-Net Virtual Private Network (RoadWarrior)', -'hostile networks' =3D> 'Hostile networks', +'hostile networks in' =3D> 'From Hostile Networks', +'hostile networks out' =3D> 'To Hostile Networks', +'hostile networks total' =3D> 'Total Hostile Networks', 'hostname' =3D> 'Hostname', 'hostname and domain already in use' =3D> 'Hostname and domain already in us= e.', 'hostname cant be empty' =3D> 'Hostname cannot be empty.', @@ -1686,6 +1688,8 @@ 'locationblock enable feature' =3D> 'Enable Location based blocking:', 'locationblock flag' =3D> 'Flag', 'log' =3D> 'Log', +'log drop hostile in' =3D> 'Log dropped packets FROM hostile networks', +'log drop hostile out' =3D> 'Log dropped packets TO hostile networks', 'log dropped conntrack invalids' =3D> 'Log dropped packets classified as INV= ALID by connection tracking', 'log enabled' =3D> 'Log Enabled', 'log level' =3D> 'Log Level', @@ -2208,6 +2212,7 @@ 'refresh' =3D> 'Refresh', 'refresh index page while connected' =3D> 'Refresh index.cgi page while conn= ected', 'refresh update list' =3D> 'Refresh update list', +'regenerate host certificate' =3D> 'Renew Host Certificate', 'registered user rules' =3D> 'Talos VRT rules for registered users', 'reiserfs warning1' =3D> 'Reiserfs is deprecated and scheduled to be removed= from the kernel in 2025.', 'reiserfs warning2' =3D> 'Ensure a fresh installation is made using either e= xt4 or xfs filesystems before that date.', diff --git a/lfs/elfutils b/lfs/elfutils index 9fb69af62..7dd95caa2 100644 --- a/lfs/elfutils +++ b/lfs/elfutils 
@@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2023 IPFire Team = # +# Copyright (C) 2007-2024 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -33,12 +33,6 @@ DL_FILE =3D $(THISAPP).tar.bz2 DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) -PROG =3D elfutils -PAK_VER =3D 10 - -DEPS =3D - -SERVICES =3D =20 ############################################################################= ### # Top-level Rules @@ -58,9 +52,6 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects)) =20 b2 : $(subst %,%_BLAKE2,$(objects)) =20 -dist: - @$(PAK) - ############################################################################= ### # Downloading, checking, b2sum ############################################################################= ### diff --git a/lfs/frr b/lfs/frr index a1555af64..f0954aae5 100644 --- a/lfs/frr +++ b/lfs/frr @@ -34,9 +34,9 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D frr -PAK_VER =3D 7 +PAK_VER =3D 8 =20 -DEPS =3D elfutils +DEPS =3D =20 SERVICES =3D frr =20 diff --git a/lfs/ltrace b/lfs/ltrace index 3d1fdee3f..f3f07c0b1 100644 --- a/lfs/ltrace +++ b/lfs/ltrace @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2021 IPFire Team = # +# Copyright (C) 2007-2024 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # 
@@ -35,9 +35,9 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D ltrace -PAK_VER =3D 2 +PAK_VER =3D 3 =20 -DEPS =3D elfutils +DEPS =3D =20 SERVICES =3D =20 diff --git a/lfs/qemu b/lfs/qemu index 2c45d7156..d65282743 100644 --- a/lfs/qemu +++ b/lfs/qemu @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2023 IPFire Team = # +# Copyright (C) 2007-2024 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -35,9 +35,9 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D qemu -PAK_VER =3D 41 +PAK_VER =3D 42 =20 -DEPS =3D alsa elfutils libusbredir spice libseccomp libslirp +DEPS =3D alsa libusbredir spice libseccomp libslirp =20 SERVICES =3D =20 diff --git a/lfs/strace b/lfs/strace index 2ce9b26d8..97253340a 100644 --- a/lfs/strace +++ b/lfs/strace @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2023 IPFire Team = # +# Copyright (C) 2007-2024 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -35,9 +35,9 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D strace -PAK_VER =3D 10 +PAK_VER =3D 11 =20 -DEPS =3D elfutils +DEPS =3D =20 SERVICES =3D =20 diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 3aab7dd75..69bdcb594 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -179,9 +179,18 @@ iptables_init() { iptables -A FORWARD -j HOSTILE iptables -A OUTPUT -j HOSTILE =20 - iptables -N HOSTILE_DROP - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DR= OP_HOSTILE " - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" + iptables -N HOSTILE_DROP_IN + if [ "$LOGDROPHOSTILEIN" =3D=3D "on" ]; then + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix= "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE" + + iptables -N HOSTILE_DROP_OUT + if [ "$LOGDROPHOSTILEOUT" =3D=3D "on" ]; then + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefi= x "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE" + =20 # IP Address Blocklist chains iptables -N BLOCKLISTIN hooks/post-receive -- IPFire 2.x development tree --===============2734964651123687380==--
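Review bot: in the `regenerate_host_certificate()` hunk the old certificate is revoked (`ca -revoke`) before the new one is signed, so if the subsequent `ca` signing step fails the box is left with a revoked hostcert.pem and no replacement, and the early `return $errormessage` gives the administrator no way back short of regenerating the whole PKI. The revoke-first order is presumably needed because `openssl ca` will not issue a second certificate for a subject that is still valid in its index, but the failure window can be closed by copying hostcert.pem aside before the revoke and restoring it if `callssl` reports an error, or by signing to a temporary output path and only replacing hostcert.pem on success. Two further points: nothing in the hunk regenerates the CRL after `ca -revoke`, so unless `ipsecctrl R` or another code path runs `ca -gencrl`, peers that check the CRL will keep accepting the old certificate until it expires; and the `unlink` of hostreq.pem sits only on the success path, so a failed signing leaves the request file behind. `-days 825` is hardcoded here; if the initial host-certificate generation elsewhere in this file uses a different lifetime, the two should share one constant.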
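Review bot: the lfs/elfutils hunk removes PROG, PAK_VER, DEPS, SERVICES and the `dist` target, so elfutils stops being an add-on package, but the diff shows neither the change that installs it into the core system (rootfile or update-script step) nor a step that cleans up the add-on metadata on systems where elfutils is already installed as a pak; please confirm both are covered by a commit not shown here. Bumping PAK_VER for frr, ltrace, qemu and strace while dropping `elfutils` from their DEPS is the right way to force the dependents to be reinstalled, but it only works if the libraries they link against are present in the core image by the time the new paks are installed.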
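Review bot: in the `iptables_init()` hunk the new `if [ "$LOGDROPHOSTILEIN" == "on" ]` test silently disables logging whenever the variable is unset, and the only place in this diff that defaults it to `on` is optionsfw.cgi, which runs when the page is rendered rather than at boot; on an upgraded system whose settings file predates these keys the HOSTILE_DROP_IN and HOSTILE_DROP_OUT chains would stop logging, a behaviour change from the unconditional LOG rule being removed. Suggest defaulting in the script itself, e.g. `if [ "${LOGDROPHOSTILEIN:-on}" = "on" ]; then` (using `=` rather than the bash-only `==` inside `[`), or having the update script seed both keys. Two smaller points: both chains keep the identical `--log-prefix "DROP_HOSTILE "`, so the log line alone cannot tell an inbound drop from an outbound one, which the new `hostile networks in`/`out` strings suggest the UI wants to show; distinct prefixes such as `DROP_HOSTILE_IN ` and `DROP_HOSTILE_OUT ` would make that a simple match, at the cost of updating whatever currently parses the old prefix. And since `HOSTILE_DROP` is no longer created, every rule that previously jumped to it must now target one of the new chains; those rules are outside this hunk, so please confirm they were retargeted.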
$Lang:= :tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 53507305f..9173a85d8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -229,13 +229,14 @@ sub callssl ($) { my $opt =3D shift; my $retssl =3D `/usr/bin/openssl $opt 2>&1`; #redirect stderr my $ret =3D ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .=3D '
'.$line if ( $line =3D~ /error|unknown/ ); - } - if ($ret) { - $ret=3D &Header::cleanhtml($ret); + + if ($?) { + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .=3D '
' . &Header::escape($line); + } } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ### @@ -865,6 +866,12 @@ END exit(0); } ### +### Regenerate the host certificate +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) { + $errormessage =3D ®enerate_host_certificate(); + +### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'= } || @@ -2141,7 +2148,7 @@ END &General::log("ipsec", "Creating a cert..."); =20 if (open(STDIN, "-|")) { - my $opt =3D " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + my $opt =3D " req -nodes"; $opt .=3D " -newkey rsa:4096"; $opt .=3D " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .=3D " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; @@ -3611,7 +3618,12 @@ END
 
+
+ + +
+
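Review bot: in the `callssl` hunk, gating the error report on `$?` being non-zero is the right fix (the old `/error|unknown/` grep could both miss a failing run and flag harmless output that happened to contain "unknown"), and passing every line through `&Header::escape` closes the gap where the old code concatenated raw output before cleaning it. Two follow-ups: `$?` after backticks is the raw wait status, so `$? >> 8` would give the actual OpenSSL exit code if it is ever logged alongside the message; and the `&General::log(...) if (0)` line is dead code carried over from the old loop that could be removed or tied to a real debug flag.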
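Review bot: the new `elsif` branch calls `&regenerate_host_certificate()` as soon as the ACTION parameter matches the button label, with no confirmation step; since the function revokes the current host certificate, a mis-click or a browser refresh that resubmits the POST runs the revoke-and-reissue cycle again, so an intermediate confirmation page or an idempotency guard would be prudent here.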
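Review bot: dropping `-rand /proc/interrupts:/proc/net/rt_cache` from the `req -nodes` call in the certificate-creation hunk is welcome, since modern OpenSSL seeds from the kernel CSPRNG and those pseudo-files add no entropy; it is worth checking whether the same option survives in other `req` or `ca` invocations in this file so they can be cleaned up in the same change.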