IPFire

ipfire.org
IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux. It is easy to install on a Raspberry Pi, since it is lightweight and heavily customizable.

Open Source

IPFire Source Code

Author

ipfire

Description

IPFire 2.x development tree

Homepage

License

Created

15 Jan 13

Last Updated

29 Apr 24

Latest version

v2.29-core185

Primary Language

Perl

Size

93,562 KB

Stars

146

Forks

69

Watchers

146

Recent Commits

  • Michael Tremer (09 Apr 24)

    suricata: Change midstream policy to "pass-flow" Pass packet isn't allowed here. Signed-off-by: Michael Tremer <[email protected]>

  • Adolf Belka (08 Apr 24)

    configroot: Add in LOGDROPHOSTILExxx values - I checked out doing a fresh install of CU184 and found that although the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not in the /var/ipfire/optionsfw/settings file. - After some investigation I realised that when I created the LOGDROPHOSTILE split into incoming and outgoing I had not added them into the configroot lfs file. - This patch adds the two entries and this was tested out with a fresh install and confirmed to update the settings file. Tested-by: Adolf Belka <[email protected]> Signed-off-by: Adolf Belka <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (08 Apr 24)

    suricata: Disable Landlock support See #13645 for details. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (08 Apr 24)

    suricata: Update require paths for Landlock Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (08 Apr 24)

    suricata: Enable midstream scanning We require this because Suricata might be restarted due to development or rule refreshment purposes. We should then try to resume any decoders/app-layers wherever possible. Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (05 Apr 24)

    suricata: Set midstream-policy to pass-packet Set this value to the same as the exception-policy to keep in sync and hopefully have the same behaviour. In case this option is not set an ugly message about a not correctly set value will be logged to syslog during startup. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (05 Apr 24)

    suricata: Enable landlock security feature This will limit the suricata process to only read and write to certain files/directories. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (05 Apr 24)

    suricata: Set exception-policy to pass-packet This simply will skip processing a packet that caused an exception and will allow Suricata to process all following packets of a flow. Reference: #13638 Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (05 Apr 24)

    suricata: Update suricata.yaml Update the configuration file for suricata 7. This includes: * Default values for newly introduced features and parsers * Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent * Update of URL for documentation * Fixes of various typos and other clarifications Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (03 Apr 24)

    suricata: Disable fail-open on NFQUEUE This change causes that if suricata crashes, the NFQUEUE will no longer fall into a mode where ALL packets are being accepted. This used to be the case before which opened the entire firewall. If suricata randomly crashes, we will fall back to the "bypass" mode where packets will bypass suricata, but nothing else. Fixes: #13642 Signed-off-by: Michael Tremer <[email protected]>

  • Arne Fitzenreiter (31 Mar 24)

    core185: explicit erase liblzma.so.5.6.* because if this file exists the cleanup script will remove the older version after downgrade and the system still uses the malwared version. Signed-off-by: Arne Fitzenreiter <[email protected]>

  • Michael Tremer (30 Mar 24)

    frr: Bump release version Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (28 Mar 24)

    frr: Update reloading all services Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (28 Mar 24)

    frr: Start the management daemon, too This daemon is running the configuration validation and required to run at all times. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (28 Mar 24)

    protobuf-c: Ship libraries FRR links against this and fails to start without. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (30 Mar 24)

    make.sh: Update contributors Signed-off-by: Michael Tremer <[email protected]>

  • Rico Hoppe (28 Mar 24)

    README.md: fix minor typo Signed-off-by: Rico Hoppe <[email protected]> Reviewed-by: Michael Tremer <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Rico Hoppe (28 Mar 24)

    README.md: update text & adjust links to new URLs - links for: about, documentation, help - wording: wiki to documentation Signed-off-by: Rico Hoppe <[email protected]> Reviewed-by: Michael Tremer <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (30 Mar 24)

    core185: Ship new perl modules for libarchive Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (30 Mar 24)

    ids-functions.pl: Use libarchive to extract archives This gives us a lot of benefits: * Speed up the extraction process * More supported archive types due to the power of libarchive * Support of passphrase protected archives It also fixes a problem with non extracted files next to a zero sized file inside an archive. Fixes #13632. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (30 Mar 24)

    perl-Archive-Peek-Libarchive: New package A very simple XS based perl binding for libarchive to get header data and extract files. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (30 Mar 24)

    perl-Object-Tiny: New package This is a runtime dependency of perl-Archive-Peek-Libarchive Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (30 Mar 24)

    perl-Config-AutoConf: New package This is only a build dependency for perl-Archive-Peek-Libarchive and will not be installed on a system Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Stefan Schantl (30 Mar 24)

    perl-Capture-Tiny: New package This is only a build dependency for perl-Config-AutoConf and will not be installed on a system Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (30 Mar 24)

    core185: Ship everything that is linked against XZ This is a precautionary step to avoid that we have any issues to face because of a downgrade as new symbols have been added to liblzma 5.6.0. Furthermore, this should avoid shipping any traces of any other potential malware in XZ that has been added in 5.6.0 or after. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (30 Mar 24)

    xz: Remove excess whitespace Signed-off-by: Michael Tremer <[email protected]>

  • Adolf Belka (30 Mar 24)

    xz: Revert back to version 5.4.5 due to backdoor issue - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have been one of the xz devs. - IPFire looks not to be affected by the problem as we don't patch openssh to be linked with liblzma - However due to question marks about what else might be in these 5.6.x versions it is better to revert back to a version that did not have the build-to-host.m4 file with the code that modifies the build if it meets certain criteria. Signed-off-by: Adolf Belka <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (26 Mar 24)

    IPS: Fix how we show EOL providers There is no need to add a legend as I find it confusing. The chance that people are using an EOL is rather slim and so I don't want to waste space. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (26 Mar 24)

    core185: Fix update.sh syntax issues Signed-off-by: Michael Tremer <[email protected]>

  • Adolf Belka (25 Mar 24)

    CU185-update.sh: Add drop hostile in & out logging entries if not already present - This v2 patch corrects that the previous script was looking for =on. If a user had modified the preferences to change it to =off then the script would have resulted in both =on and =off versions being in the settings file. - This patch ensures that those people who updated to CU184 before the CU184-update.sh patch fix to add the logging entries was added will get their optionsfw settings file correctly updated with CU185 - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already exist in the optionsfw settings file. - This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two separate checks and then runs the firewall update command Tested-by: Adolf Belka <[email protected]> Signed-off-by: Adolf Belka <[email protected]> Signed-off-by: Michael Tremer <[email protected]>

IPFire Website

Website

www.ipfire.org - Welcome to IPFire

IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 81.3.27.38
  • Hostname fw01.ipfire.org
  • Location Datteln, Nordrhein-Westfalen, Germany, EU
  • ISP Visit www.ipfire.org
  • ASN AS24679

Associated Countries

  • US
  • GB
  • DE

Safety Score

Website marked as safe

100%

Blacklist Check

www.ipfire.org was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: IPFire

API

You can access IPFire's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/networking/firewalls/ipfire

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.
