This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  a0bfe960372b4343b42cfe405fe9140ce18c0326 (commit)
       via  df09a64b08d101f7036b37c27da7bb9b06d307cc (commit)
       via  345edfb9b4d2ba3eb76f2ac06647ebd7b774d09a (commit)
       via  98f14a3863aa34b492c8f2d984895f5d837260cd (commit)
       via  64e39a2b970010d454dfb2069954b89cd498a05a (commit)
       via  3d20bc708dd24804d4da6ed311d5c04d91254a25 (commit)
       via  726d4078bb3798abd6bf793c553ab4598c0037fe (commit)
       via  3575c5935e9d672ad8325792f52853fceff17da9 (commit)
       via  cf374c870b426f87419ba14237093df1acab5975 (commit)
       via  88f040b563225c164244ec1aa08b2e921b90eaa7 (commit)
      from  04ea3b953a933d9b7d7b08918a8f9866c4b5f2bb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a0bfe960372b4343b42cfe405fe9140ce18c0326
Author: Michael Tremer
Date:   Tue Sep 30 08:57:04 2025 +0000

    core199: Ship SSH configuration and restart the service

    Signed-off-by: Michael Tremer

commit df09a64b08d101f7036b37c27da7bb9b06d307cc
Author: Peter Müller
Date:   Sun Sep 28 21:06:00 2025 +0000

    ssh_config: Fix indentation mangled by Vim

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 345edfb9b4d2ba3eb76f2ac06647ebd7b774d09a
Author: Peter Müller
Date:   Sun Sep 28 21:06:00 2025 +0000

    OpenSSH: Amend upstream default cipher changes

    This patch implements the following change made to OpenSSH server
    upstream in version 10.0:

    * sshd(8): this release disables finite field (a.k.a modp)
      Diffie-Hellman key exchange in sshd by default. Specifically, this
      removes the "diffie-hellman-group*" and
      "diffie-hellman-group-exchange-*" methods from the default
      KEXAlgorithms list. The client is unchanged and continues to support
      these methods by default.

      Finite field Diffie Hellman is slow and computationally expensive
      for the same security level as Elliptic Curve DH or PQ key agreement
      while offering no redeeming advantages. ECDH has been specified for
      the SSH protocol for 15 years and some form of ECDH has been the
      default key exchange in OpenSSH for the last 14 years.

    In addition, for both OpenSSH server and client, the following
    upstream change made in version 9.9 is implemented:

    * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is
      now used by default for key agreement. This algorithm is considered
      to be safe against attack by quantum computers, is guaranteed to be
      no less strong than the popular curve25519-sha256 algorithm, has
      been standardised by NIST and is considerably faster than the
      previous default.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 98f14a3863aa34b492c8f2d984895f5d837260cd
Author: Peter Müller
Date:   Sun Sep 28 21:05:00 2025 +0000

    OpenSSH: Prefer AES-GCM ciphers over AES-CTR

    This reflects the following change made upstream in OpenSSH 9.9:

    * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher for
      the connection. The default cipher preference list is now
      Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
      (128/192/256).

    However, we keep preferring AES-GCM over Chacha/Poly, as hardware
    acceleration often grants the former a better performance, while there
    is no security advance of Chacha/Poly usage over 256 bit AES-GCM.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 64e39a2b970010d454dfb2069954b89cd498a05a
Author: Michael Tremer
Date:   Tue Sep 30 08:53:58 2025 +0000

    core199: Ship updated initscripts

    Signed-off-by: Michael Tremer

commit 3d20bc708dd24804d4da6ed311d5c04d91254a25
Author: Peter Müller
Date:   Sun Sep 28 19:51:00 2025 +0000

    initscripts: Always wait for xtables lock when running iptables commands

    If not explicitly instructed to do so, iptables by default aborts with
    an error message such as

    > Can't lock /run/xtables.lock: Resource temporarily unavailable
    > Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

    if the Xtables lock is still set, i.e., another iptables operation is
    currently in progress. This causes iptables commands not to be
    executed at all if there are delays during the boot procedure, e.g.
    due to slow PPPoE dial-up procedure or similar.

    To ensure deterministic behavior, this patch modifies initscripts to
    always execute iptables to wait for the Xtables lock to be removed, to
    make sure iptables rules are installed properly (the "firewall"
    initscript is doing so already).

    Fixes: #13896 - OpenVPN RW port not opened in firewall after reboot

    Signed-off-by: Peter Müller
    Tested-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 726d4078bb3798abd6bf793c553ab4598c0037fe
Author: Peter Müller
Date:   Sun Sep 28 22:29:00 2025 +0000

    Tor: Update to 0.4.8.18

    Changes in version 0.4.8.18 - 2025-09-16
      This is a minor release with a major onion service directory cache
      (HSDir) bug fix. A series of minor bugfixes as well. As always, we
      strongly recommend to upgrade as soon as possible.

      o Major bugfixes (onion service directory cache):
        - Preserve the download counter of an onion service descriptor
          across descriptor uploads, so that recently updated descriptors
          don't get pruned if there is memory pressure soon after update.
          Additionally, create a separate torrc option MaxHSDirCacheBytes
          that defaults to the former 20% of MaxMemInQueues threshold, but
          can be controlled by relay operators under DoS. Also enforce this
          threshold during HSDir uploads. Fixes bug 41006; bugfix on
          0.4.8.14.

      o Minor feature (padding, logging):
        - Reduce the amount of messages being logged related to channel
          padding timeout when log level is "notice".

      o Minor features (fallbackdir):
        - Regenerate fallback directories generated on September 16, 2025.

      o Minor features (geoip data):
        - Update the geoip files to match the IPFire Location Database, as
          retrieved on 2025/09/16.

      o Minor bugfix (conflux):
        - Remove the pending nonce if we realize that the nonce of the
          unlinked circuit is not tracked anymore. Should avoid the non
          fatal assert triggered with a control port circuit event. Fixes
          bug 41037; bugfix on 0.4.8.15.

      o Minor bugfixes (circuit handling):
        - Prevent circuit_mark_for_close() from being called twice on the
          same circuit. Second fix attempt. Fixes bug 41106; bugfix on
          0.4.8.17.

      o Minor bugfixes (threads):
        - Make thread control POSIX compliant. Fixes bug 41109; bugfix on
          0.4.8.17-dev.

    Changes in version 0.4.8.17 - 2025-06-30
      This is a minor providing a series of minor features especially in
      the realm of TLS. It also brings a new set of recommended and
      required sub protocols. And finally, few minor bugfixes, nothing
      major. As always, we strongly recommend you upgrade as soon as
      possible.

      o Minor features (security, TLS):
        - When we are running with OpenSSL 3.5.0 or later, support using
          the ML-KEM768 for post-quantum key agreement. Closes ticket
          41041.

      o Minor feature (client, TLS):
        - Set the TLS 1.3 cipher list instead of falling back on the
          default value.

      o Minor features (fallbackdir):
        - Regenerate fallback directories generated on June 30, 2025.

      o Minor features (geoip data):
        - Update the geoip files to match the IPFire Location Database, as
          retrieved on 2025/06/30.

      o Minor features (hsdesc POW):
        - Tolerate multiple PoW schemes in onion service descriptors, for
          future extensibility. Implements torspec ticket 272.

      o Minor features (performance TLS):
        - When running with OpenSSL 3.0.0 or later, support using X25519
          for TLS key agreement. (This should slightly improve performance
          for TLS session establishment.)

      o Minor features (portability):
        - Fix warnings when compiling with GCC 15. Closes ticket 41079.

      o Minor features (recommended protocols):
        - Directory authorities now vote to recommend that clients support
          certain protocols beyond those that are required. These include
          improved support for connecting to relays on IPv6, NtorV3, and
          congestion control. Part of ticket 40836.

      o Minor features (required protocols):
        - Directory authorities now vote to require clients to support the
          authenticated SENDME feature, which was introduced in
          0.4.1.1-alpha. Part of ticket 40836.
        - Directory authorities now vote to require relays to support
          certain protocols, all of which have been implemented since
          0.4.7.4-alpha or earlier. These include improved support for
          connecting to relays on IPv6, NtorV3, running as a rate-limited
          introduction point, authenticated SENDMEs, and congestion
          control. Part of ticket 40836.

      o Minor bugfix (conflux):
        - Avoid a non fatal assert when describing a conflux circuit on the
          control port after being prepped to be freed. Fixes bug 41037;
          bugfix on 0.4.8.15.

      o Minor bugfixes (circuit handling):
        - Prevent circuit_mark_for_close() from being called twice on the
          same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev.

      o Minor bugfixes (compiler warnings):
        - Make sure the two bitfields in the half-closed edge struct are
          unsigned, as we're using them for boolean values and assign 1 to
          them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.

      o Minor bugfixes (threads, memory):
        - Improvements in cleanup of resources used by threads. Fixes bug
          40991; bugfix on 0.4.8.13-dev.
        - Rework start and exit of worker threads.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 3575c5935e9d672ad8325792f52853fceff17da9
Author: Michael Tremer
Date:   Tue Sep 30 08:51:37 2025 +0000

    arpwatch: Bump release

    Signed-off-by: Michael Tremer

commit cf374c870b426f87419ba14237093df1acab5975
Author: Michael Tremer
Date:   Tue Sep 30 08:50:38 2025 +0000

    arpwatch: Add "status" command to the help text

    Reported-by: Jon Murphy
    Signed-off-by: Michael Tremer

commit 88f040b563225c164244ec1aa08b2e921b90eaa7
Author: Michael Tremer
Date:   Tue Sep 30 08:49:53 2025 +0000

    arpwatch: Zero-pad MAC addresses
Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/core/199/filelists/files | 7 +++++++ config/rootfiles/core/199/update.sh | 1 + config/ssh/ssh_config | 30 +++++++++++++++--------------- config/ssh/sshd_config | 4 ++-- lfs/arpwatch | 6 ++++-- lfs/tor | 6 +++--- src/initscripts/networking/red | 4 ++-- src/initscripts/packages/arpwatch | 2 +- src/initscripts/packages/tor | 10 +++++----- src/initscripts/system/dhcp | 16 ++++++++-------- src/initscripts/system/openvpn-n2n | 10 +++++----- src/initscripts/system/openvpn-rw | 6 +++--- src/initscripts/system/wireguard | 20 ++++++++++---------- 13 files changed, 66 insertions(+), 56 deletions(-) Difference in files: diff --git a/config/rootfiles/core/199/filelists/files b/config/rootfiles/core/199/filelists/files index 9c54b971bb..10acc3fd41 100644 --- a/config/rootfiles/core/199/filelists/files +++ b/config/rootfiles/core/199/filelists/files @@ -1,2 +1,9 @@ +etc/rc.d/init.d/dhcp +etc/rc.d/init.d/networking/red +etc/rc.d/init.d/openvpn-n2n +etc/rc.d/init.d/openvpn-rw +etc/rc.d/init.d/wireguard +etc/ssh/ssh_config +etc/ssh/sshd_config srv/web/ipfire/cgi-bin/vulnerabilities.cgi usr/sbin/openvpn-authenticator diff --git a/config/rootfiles/core/199/update.sh b/config/rootfiles/core/199/update.sh index 7c34af7255..d0a4f23c05 100644 --- a/config/rootfiles/core/199/update.sh +++ b/config/rootfiles/core/199/update.sh @@ -52,6 +52,7 @@ ldconfig # Start services /etc/init.d/unbound restart +/etc/init.d/sshd restart # Build initial ramdisks (for dracut-ng update) dracut --regenerate-all --force diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index d5f63f315c..66cb0c2ccd 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config 
@@ -5,30 +5,30 @@ # Set some basic hardening options for all connections Host * - # Disable undocumented roaming feature as it is known to be vulnerable - UseRoaming no + # Disable undocumented roaming feature as it is known to be vulnerable + UseRoaming no - # Only use secure crypto algorithms - KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + # Only use secure crypto algorithms + KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - # Always visualise server host keys (helps to identify key based MITM attacks) - VisualHostKey yes + # Always visualise server host keys (helps to identify key based MITM attacks) + VisualHostKey yes - # Use SSHFP (might work on some up-to-date networks) to look up host keys - VerifyHostKeyDNS yes + # Use SSHFP (might work on some up-to-date networks) to look up host keys + VerifyHostKeyDNS yes - # Send SSH-based keep alive messages to connected server to avoid broken connections - ServerAliveInterval 10 - ServerAliveCountMax 30 + # Send SSH-based keep alive messages to connected server to avoid broken connections + ServerAliveInterval 10 + ServerAliveCountMax 30 # Disable TCP keep alive messages since they can be spoofed and we have SSH-based # keep alive messages 
enabled; there is no need to do things twice here TCPKeepAlive no - # Ensure only allowed authentication methods are used - PreferredAuthentications publickey,keyboard-interactive,password + # Ensure only allowed authentication methods are used + PreferredAuthentications publickey,keyboard-interactive,password # Prevent information leak by hashing ~/.ssh/known_hosts HashKnownHosts yes diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 7b687457c8..3e25e74e8c 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -20,8 +20,8 @@ LoginGraceTime 30s MaxStartups 5 # Only allow safe crypto algorithms -KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr +KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org +Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com # Only allow cryptographically safe SSH host keys (adjust paths if needed) diff --git a/lfs/arpwatch b/lfs/arpwatch index 1b701cd4f2..46eac65026 100644 --- a/lfs/arpwatch +++ b/lfs/arpwatch @@ -37,7 +37,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = arpwatch -PAK_VER = 2 +PAK_VER = 3 DEPS = 
@@ -101,7 +101,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/arpwatch/fix-envelope-sender.patch # Build! - cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --enable-zeropad cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/lfs/tor b/lfs/tor index 0d57f5fed9..af16cc9824 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.8.16 +VER = 0.4.8.18 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 89 +PAK_VER = 90 DEPS = libseccomp @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = fdaf3d124d3e1b11589a5219033c8d37d3e6c8986ff60e930d2bf80532dd6be4c7ee1634bd0806bd283a9954e4478f3be7b9b61abd13e3274fef3b8373df1b00 +$(DL_FILE)_BLAKE2 = 8a2ff369d3b29557a4bb3018dcc5c17b04e459626d23a44bed2968c938a4073ff85c88f734b8f732273197cbb173b70906b4f553db7a432cfbefad73329f6349 install : $(TARGET) diff --git a/src/initscripts/networking/red b/src/initscripts/networking/red index 6d779b3652..536fc972c9 100644 --- a/src/initscripts/networking/red +++ b/src/initscripts/networking/red @@ -162,8 +162,8 @@ case "${1}" in elif [ "${TYPE}" == "DHCP" ]; then # Add firewall rules to allow comunication with the dhcp server on red. - iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT - iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT + iptables --wait -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT + iptables --wait -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT echo -n "${DEVICE}" > /var/ipfire/red/iface 
diff --git a/src/initscripts/packages/arpwatch b/src/initscripts/packages/arpwatch index 316cf3e71c..8c0ff6c521 100644 --- a/src/initscripts/packages/arpwatch +++ b/src/initscripts/packages/arpwatch @@ -86,7 +86,7 @@ case "${1}" in ;; *) - echo "Usage: ${0} {start|stop|restart}" + echo "Usage: ${0} {start|stop|restart|status}" exit 1 ;; esac diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor index 47797265cf..eef9682f33 100644 --- a/src/initscripts/packages/tor +++ b/src/initscripts/packages/tor @@ -37,19 +37,19 @@ function setup_firewall() { # Allow incoming traffic to Tor relay (and directory) port and # all outgoing TCP connections from Tor user. if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then - iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT - iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT + iptables --wait -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT + iptables --wait -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT fi if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then - iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_DIRPORT}" -j ACCEPT + iptables --wait -A TOR_INPUT -p tcp --dport "${TOR_RELAY_DIRPORT}" -j ACCEPT fi } function flush_firewall() { # Flush all rules. - iptables -F TOR_INPUT - iptables -F TOR_OUTPUT + iptables --wait -F TOR_INPUT + iptables --wait -F TOR_OUTPUT } case "${1}" in diff --git a/src/initscripts/system/dhcp b/src/initscripts/system/dhcp index 61b9516588..826cd2dfe7 100644 --- a/src/initscripts/system/dhcp +++ b/src/initscripts/system/dhcp 
@@ -28,10 +28,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) function flush_chains() { - iptables -F DHCPGREENINPUT - iptables -F DHCPGREENOUTPUT - iptables -F DHCPBLUEINPUT - iptables -F DHCPBLUEOUTPUT + iptables --wait -F DHCPGREENINPUT + iptables --wait -F DHCPGREENOUTPUT + iptables --wait -F DHCPBLUEINPUT + iptables --wait -F DHCPBLUEOUTPUT } case "$1" in @@ -41,14 +41,14 @@ case "$1" in if [ -n "${GREEN_DEV}" -a -e "/var/ipfire/dhcp/enable_green" ]; then LISTEN_INTERFACES+=" ${GREEN_DEV}" - iptables -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT - iptables -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT + iptables --wait -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT + iptables --wait -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT fi if [ -n "${BLUE_DEV}" -a -e "/var/ipfire/dhcp/enable_blue" ]; then LISTEN_INTERFACES+=" ${BLUE_DEV}" - iptables -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT - iptables -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT + iptables --wait -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT + iptables --wait -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT fi boot_mesg "Starting DHCP Server..." diff --git a/src/initscripts/system/openvpn-n2n b/src/initscripts/system/openvpn-n2n index 9853983795..f6d554eaf1 100644 --- a/src/initscripts/system/openvpn-n2n +++ b/src/initscripts/system/openvpn-n2n @@ -63,10 +63,10 @@ update_firewall_rules() { local local_address # Flush the block chain - iptables -F OVPNBLOCK + iptables --wait -F OVPNBLOCK # Flush the NAT chain - iptables -t nat -F OVPNNAT + iptables --wait -t nat -F OVPNNAT local IFS=',' 
@@ -85,10 +85,10 @@ update_firewall_rules() { fi # Open port - iptables -A OVPNINPUTN2N -p "${proto}" --dport "${port}" -j ACCEPT + iptables --wait -A OVPNINPUTN2N -p "${proto}" --dport "${port}" -j ACCEPT # Block all communication from transfer networks - iptables -A OVPNBLOCK -s "${transfer_subnet}" -j DROP + iptables --wait -A OVPNBLOCK -s "${transfer_subnet}" -j DROP # Calculate NAT addresses transfer_address="$(calculate_transfer_address "${transfer_subnet}" "${role}")" @@ -96,7 +96,7 @@ update_firewall_rules() { # NAT all outgoing connections away from the transfer net if [ -n "${transfer_address}" -a -n "${local_address}" ]; then - iptables -t nat -A OVPNNAT -s "${transfer_address}" \ + iptables --wait -t nat -A OVPNNAT -s "${transfer_address}" \ -j SNAT --to-source "${local_address}" fi done < /var/ipfire/ovpn/ovpnconfig diff --git a/src/initscripts/system/openvpn-rw b/src/initscripts/system/openvpn-rw index 6359d0d08c..d506c8ebd8 100644 --- a/src/initscripts/system/openvpn-rw +++ b/src/initscripts/system/openvpn-rw @@ -38,10 +38,10 @@ case "${1}" in modprobe tun &>/dev/null # Flush all firewall rules - iptables -F OVPNINPUTRW + iptables --wait -F OVPNINPUTRW # Open the port - iptables -A OVPNINPUTRW \ + iptables --wait -A OVPNINPUTRW \ -p "${DPROTOCOL}" --dport "${DDEST_PORT}" -j ACCEPT boot_mesg "Starting OpenVPN Roadwarrior Server..." @@ -60,7 +60,7 @@ case "${1}" in killproc /usr/sbin/openvpn # Flush all firewall rules - iptables -F OVPNINPUTRW + iptables --wait -F OVPNINPUTRW ;; restart) diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard index caaa69cb96..ead1cdce88 100644 --- a/src/initscripts/system/wireguard +++ b/src/initscripts/system/wireguard @@ -216,7 +216,7 @@ generate_config() { ip addr add "${local_address}" dev "${intf}" # Apply MASQUERADE - iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE + iptables --wait -t nat -A WGNAT -o "${intf}" -j MASQUERADE fi echo "[Interface]" 
@@ -230,7 +230,7 @@ generate_config() { echo "ListenPort = ${port}" # Open the port - iptables -A WGINPUT -p udp --dport "${port}" -j ACCEPT + iptables --wait -A WGINPUT -p udp --dport "${port}" -j ACCEPT fi echo "[Peer]" @@ -285,7 +285,7 @@ generate_config() { # Set blocking rules for local_subnet in ${local_subnets//|/ }; do for remote_subnet in ${remote_subnets//|/ }; do - iptables -I WGBLOCK \ + iptables --wait -I WGBLOCK \ -s "${remote_subnet}" -d "${local_subnet}" -j RETURN done done @@ -297,23 +297,23 @@ generate_config() { reload_firewall() { # Flush all previous rules - iptables -F WGINPUT - iptables -t nat -F WGNAT + iptables --wait -F WGINPUT + iptables --wait -t nat -F WGNAT if [ "${ENABLED}" = "on" ]; then - iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT + iptables --wait -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT fi - iptables -F WGBLOCK + iptables --wait -F WGBLOCK # Don't block any traffic from Roadwarrior peers if [ -n "${CLIENT_POOL}" ]; then - iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN - iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN + iptables --wait -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN + iptables --wait -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN fi # Block all other traffic - iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited + iptables --wait -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited # Flush any custom routes ip route flush table wg 2>/dev/null hooks/post-receive -- IPFire 2.x development tree
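Review bot: The new `+/etc/init.d/sshd restart` line in config/rootfiles/core/199/update.sh restarts the daemon unconditionally, while the same update replaces etc/ssh/sshd_config with a narrowed KexAlgorithms list. If the installed sshd rejected anything in the shipped file, the restart would leave the box without remote login halfway through an update that is often driven over SSH. Consider running `sshd -t` against the new config first and only restarting when it validates (logging the failure otherwise), so an administrator connected over SSH is never cut off by a config that does not parse.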
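Review bot: In the `Ciphers` line of config/ssh/ssh_config, `aes128-gcm@openssh.com` is now listed ahead of `chacha20-poly1305@openssh.com`, but the commit message only justifies preferring AES-GCM over ChaCha20/Poly1305 for the 256-bit variant ("no security advance of Chacha/Poly usage over 256 bit AES-GCM"). Ranking a 128-bit-key cipher above a 256-bit-key AEAD is a security-margin trade-off the message does not cover; either move ChaCha20/Poly1305 between the two GCM entries (`Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`) or state in the message that 128-bit AES-GCM is deliberately preferred for hardware performance. The same ordering appears in the sshd_config hunk, so whichever choice is made should be applied to both files.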
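Review bot: The reorder of `KexAlgorithms` and `Ciphers` in config/ssh/sshd_config has little effect on its own: in SSH negotiation (RFC 4253, section 7.1) the chosen algorithm is the first entry in the client's list that the server also supports, so the server's order only matters when the client expresses no preference. What actually changes behaviour in this hunk is the removal of `diffie-hellman-group-exchange-sha256`, the only non-elliptic-curve method still offered; a client without curve25519 support will now be refused at key exchange. That is the intended outcome per the commit message, but it deserves a line in the core199 release notes so administrators with old jump hosts or automation clients are not surprised after the sshd restart.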
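Review bot: `--enable-zeropad` in the lfs/arpwatch configure hunk changes the textual MAC address format arpwatch emits, and the PAK_VER bump to 3 means existing installations are upgraded in place. Please confirm, and note in the commit message, that the existing arp.dat database and anything else consuming arpwatch output on IPFire handle both the padded and the unpadded form, so the upgrade neither re-reports every known station as new nor breaks consumers that matched on the old format.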
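Review bot: `--wait` with no argument, as added in src/initscripts/networking/red (and in every other initscript converted in this series), waits indefinitely for /run/xtables.lock. That removes the race the commit message describes, but a wedged lock holder would now hang red interface bring-up instead of producing the error message quoted in the commit. iptables takes an optional timeout in seconds with this option, e.g. `iptables -w 10 -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT`, which keeps the deterministic behaviour while still surfacing a stuck lock as a failure; worth applying consistently across the converted call sites rather than per script.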