From patchwork Sun Oct 10 17:43:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4780 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HS8RK6h7Yz3wbT for ; Sun, 10 Oct 2021 17:43:25 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HS8RG5y8rz35q; Sun, 10 Oct 2021 17:43:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HS8RG4nRrz2xy1; Sun, 10 Oct 2021 17:43:22 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HS8RF6JZyz2xJj for ; Sun, 10 Oct 2021 17:43:21 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HS8RD1S86z14p for ; Sun, 10 Oct 2021 17:43:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1633887800; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=A/vXf9DmHS39gmzp6IOcGFq6hf1m/R5xLFwLfnDORuY=; b=TMRsjlpbps9QRnqWyhPnP0fqkT+cXK1ISPE4STQvu5+J5T0UULBT6Cmx602uhfop+qgPha 9mmmvRr6XRy+olDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1633887800; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=A/vXf9DmHS39gmzp6IOcGFq6hf1m/R5xLFwLfnDORuY=; b=S6QwOkAgJc81LWVrMci4nD9ieq+YgZ4EoPM13WMZcAgKumjPu4XMId1LTRWnVL6kGN4Vpr mhtmb4Lv8fITv4338O9GM8ZZGU75OAP+9QK3rTA3TGKbg9gjKoSOSLxq9YrrADI10Mfvhz Q1kLKXthO05LwrPb/9zRHQOV/hXAXUg1KJvmYdVVznh5y7fFEz9goyRNfZVgLKki+hKl43 +cDKmwt42GW3pGQJUdFKVgDVQWTikHBJwNpGkyW6KRfE0va86neJwyikEzk29OdSuabE4U xME+/Z4OYmQqWmDV62pTe5rpNNyq79suQcn89nVloaMZ2Mm8j5meVVLvqOC4aw== To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH v2 1/3] squid-asnbl: New package Message-ID: Date: Sun, 10 Oct 2021 19:43:18 +0200 MIME-Version: 1.0 Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This package adds an ASNBL helper for detecting Fast Flux setups and selectively announced networks (i. e. FQDNs resolving to IP addresses not being announced by an Autonomous System) to the distribution. Afterwards, the helper script is located at /usr/bin/asnbl-helper.py . The second version of this patch updates squid-asnbl to upstream version 0.2.2, improving logging in case of detected Fast Flux setups. Signed-off-by: Peter Müller --- config/rootfiles/common/squid-asnbl | 1 + lfs/squid-asnbl | 83 +++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 85 insertions(+) create mode 100644 config/rootfiles/common/squid-asnbl create mode 100644 lfs/squid-asnbl diff --git a/config/rootfiles/common/squid-asnbl b/config/rootfiles/common/squid-asnbl new file mode 100644 index 000000000..f129f441e --- /dev/null +++ b/config/rootfiles/common/squid-asnbl @@ -0,0 +1 @@ +usr/bin/asnbl-helper.py diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl new file mode 100644 index 000000000..3fc001768 --- /dev/null +++ b/lfs/squid-asnbl @@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2021 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.2.2 + +THISAPP = squid-asnbl-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) + +DIR_APP = $(DIR_SRC)/$(THISAPP) + +TARGET = $(DIR_INFO)/$(THISAPP) + +DEPS = libloc squid python3 + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zvxf $(DIR_DL)/$(DL_FILE) + + # Install ASNBL helper script + cd $(DIR_APP) && install -o root -g root -m 0755 asnbl-helper.py /usr/bin/asnbl-helper.py + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index dabed5aa5..215e5c633 100755 --- a/make.sh +++ b/make.sh @@ -1613,6 +1613,7 @@ buildipfire() { lfsmake2 socat lfsmake2 libcdada lfsmake2 pmacct + lfsmake2 squid-asnbl } buildinstaller() { From patchwork Sun Oct 10 17:43:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4781 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HS8Rj3CFPz3wbT for ; Sun, 10 Oct 2021 17:43:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HS8Rh6lwtz4RR; Sun, 10 Oct 2021 17:43:44 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HS8Rh5z1rz2xYj; Sun, 10 Oct 2021 17:43:44 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HS8Rg5jH9z2xJj for ; Sun, 10 Oct 2021 17:43:43 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HS8Rf3KNpz35q for ; Sun, 10 Oct 2021 17:43:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1633887822; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=GBfMo5CSLtsZwrv9qKTWnAXEggAPL/ze/HMa4szuKC4=; b=lSUmeIra3X0YwzAPk6gmFJqS7LqqPOYhNMziQRzNTthsDY14f5+SQpXTtlKbNpZ9Hl+zEA +X8lcez4nGuHXoBA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1633887822; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=GBfMo5CSLtsZwrv9qKTWnAXEggAPL/ze/HMa4szuKC4=; b=Opf7ueI8ZEFxBHBwLnrZjOd8bjoTepZfPEjJatwD3Ucf542fRJzND4XVtShqSG68FRK16K 0Z62dBUknZjIFmpJ/Sy2YvYoUta90mcXdhWi8OtZ3ypt3n0oaDzjppev5lY/98SaKY3Bjg 6+69nWuFVzj4jhD83A/PiORKdVh0FauGOtYLLcnchPNJk1995z8uLlAEnTMJUr2YGCTERt 9ZaERRNRyFQD3fHG02DlXTpBdfE4NI/SzEXch1lOTMgWDKpqJK0IwZAF1NInXHmMpStwkI bK0s4WKIfK112H7dwJsaSaOtmI5zZjW5s0/eiBxh7n9zh4Rk2w2fm1neQxjI7w== Subject: [PATCH v2 2/3] proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations To: development@lists.ipfire.org References: From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <4b9c5dc3-2bd7-2616-82da-971465a6aa9d@ipfire.org> Date: Sun, 10 Oct 2021 19:43:41 +0200 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This patch adds two new features to IPFire's web proxy: (a) Proactive Fast Flux detection FQDNs are resolved to their IP addresses, which are then resolved to corresponding Autonomous System Numbers using IPFire's location database. Most destinations will scatter across a very low number of ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast Flux setups have a significantly higher ASN diversity (5 is usually a good threshold), so they can be proactively detected. (b) Detection for selectively announced destinations Especially in targeted operations, miscreants host FQDNs for exfiltrating data or malware distributions on ASNs not announced globally, but only to the intended victim or it's upstream ISPs. That way, security researchers located in other parts of the internet have no insights into these attacks, hence not being able to publish listings or send take down notices for the domains used. While RPKI made this attack harder, it can still be observed every now and then. This feature also protects against accessing FQDNs resolving to IP addresses not being globally routeable, hence providing a trivial mitigation for so-called "rebound attacks" - which we cannot filter at DNS level currently. The second version of this patch consumes the user-defined whitelist for the URL filter (if present and populated) for the ASNBL helper as well, to make exceptions for funny destinations such as fedoraproject.org possible. In addition, the ASNBL helper's sanity tests no longer include publicly routable IP addresses, so failures on location01 cannot brick IPFire installations in the field. Thanks to Michael Tremer and Adolf Belka for these suggestions. Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- html/cgi-bin/proxy.cgi | 98 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 966593e4d..202a8f3bc 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -21,6 +21,7 @@ use strict; use Apache::Htpasswd; +use Scalar::Util qw(looks_like_number); # enable only the following on debugging purpose #use warnings; @@ -229,6 +230,9 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; +$proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off'; +$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5'; +$proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off'; $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; @@ -418,6 +422,21 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; } + if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) + { + if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) { + $errormessage = $Lang::tr{'advproxy fastflux no threshold given'}; + goto ERROR; + } + if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) { + $errormessage = $Lang::tr{'advproxy fastflux threshold invalid'}; + goto ERROR; + } + if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) { + $errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'}; + goto ERROR; + } + } if (!($proxysettings{'AUTH_METHOD'} eq 'none')) { unless (($proxysettings{'AUTH_METHOD'} eq 'ident') && @@ -801,6 +820,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "s $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'"; $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'"; +$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'"; + +$checked{'ASNBL_SELECANN_DETECTION'}{'off'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{'on'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'"; + $checked{'ENABLE_MIME_FILTER'}{'off'} = ''; $checked{'ENABLE_MIME_FILTER'}{'on'} = ''; $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'"; @@ -1633,6 +1660,24 @@ END print < +
+ + + + + + + + + + + + + + + +
$Lang::tr{'advproxy asbased anomaly detection'}
$Lang::tr{'advproxy fastflux detection'}:$Lang::tr{'advproxy fastflux detection threshold'}:
$Lang::tr{'advproxy selectively announcements detection'}:
+
END ; @@ -3525,6 +3570,59 @@ if (@ssl_ports) { print FILE "http_access deny CONNECT !SSL_ports\n"; } + if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) { + print FILE "external_acl_type asnblhelper children-max=10 children-startup=2 ttl=86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/asnbl-helper.conf\n"; + print FILE "acl asnbl external asnblhelper\n"; + + # Use the user-defined URL filter whitelist (if present and populated) for the ASNBL helper as well + # Necessary for destinations such as fedoraproject.org, but we do not want to maintain a dedicated + # or hardcoded list for such FQDNs. + if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains") && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) { + print FILE "acl asnbl_whitelisted_destinations dstdomain \"${General::swroot}/urlfilter/blacklists/custom/allowed/domains\"\n"; + print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n"; + } else { + print FILE "http_access deny asnbl\n\n"; + } + + # Write ASNBL helper configuration file... + open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf"); + flock(ASNBLFILE, 2); + + print ASNBLFILE< X-Patchwork-Id: 4782 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HS8S92DNvz3wbT for ; Sun, 10 Oct 2021 17:44:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HS8S90W0Sz4RP; Sun, 10 Oct 2021 17:44:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HS8S86rJdz2yWh; Sun, 10 Oct 2021 17:44:08 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HS8S81g1Rz2xYj for ; Sun, 10 Oct 2021 17:44:08 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HS8S73Kj5z35q for ; Sun, 10 Oct 2021 17:44:07 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1633887847; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bme1E4GJHs+H5NW+5sRcZPRFea/XjdaCJrWTGWT/upk=; b=bAyxqS282VIgyZw+tlKzPU55Wt1SA7g9dxCB60F91WRoBZaWXgSzkCidkkWRmUgtuXzMCG svlZxuArSyzyNMAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1633887847; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bme1E4GJHs+H5NW+5sRcZPRFea/XjdaCJrWTGWT/upk=; b=MUh2pCZ31pHiCBhQROXNNBZ7bVOOnXM/9L3tRtUwRXkzK1WTJG0mgvVc9yeWxlpREdLlFH QRWYJpclW9fmNwxaRiS7e3CVN6KvssDSB9tkZxpiFoeJeTk+PvX+TEGbZly9Nh283g+txK Bai6jMvfye59bgIeOrdQKfuNWb7q9UGQD7vzrZcDcoKM0Q0InfKyZIuw0vIxK0Km9IfQsy GTMtihMzkfrEAWR2Jj2DfchywlzzCUetD0eDPZhRBuu/jSCqsb/T1OVNUamL5m9w4aUGei 5xnXIBcnkhkEitNtK2KbCMlZ43g7HqCYwummTRzqJA1FbeM5jwzIuJVw0aQvOg== Subject: [PATCH v2 3/3] langs: Add English and German translations for newly added web proxy features To: development@lists.ipfire.org References: <4b9c5dc3-2bd7-2616-82da-971465a6aa9d@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: Date: Sun, 10 Oct 2021 19:44:06 +0200 MIME-Version: 1.0 In-Reply-To: <4b9c5dc3-2bd7-2616-82da-971465a6aa9d@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- langs/de/cgi-bin/de.pl | 7 +++++++ langs/en/cgi-bin/en.pl | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 70dcb10a6..d8254c698 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -255,6 +255,7 @@ 'advproxy advanced web proxy configuration' => 'Proxy-Konfiguration', 'advproxy allowed subnets' => 'Erlaubte Subnetze (eins pro Zeile)', 'advproxy allowed web browsers' => 'Zulässige Clients für Web-Zugriffe', +'advproxy asbased anomaly detection' => 'Anomalieerkennungen auf Basis Autonomer Systeme', 'advproxy back to main page' => 'Zurück zur Hauptseite', 'advproxy banned ip clients' => 'Gesperrte IP-Adressen (eine pro Zeile)', 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', @@ -326,6 +327,11 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz', 'advproxy error design' => 'Design der Fehlermeldungen', 'advproxy error language' => 'Sprache der Fehlermeldungen', +'advproxy fastflux detection' => 'Verbindungen zu auf Fast Flux-Setups gehosteten Zielen verweigern', +'advproxy fastflux no threshold given' => 'Kein Schwellwert für Fast Flux-Erkennung angegeben', +'advproxy fastflux detection threshold' => 'Schwellwert', +'advproxy fastflux threshold invalid' => 'Eingegebener Schwellwert für Fast Flux-Erkennung ist ungültig', +'advproxy fastflux threshold out of bounds' => 'Eingegebener Schwellwert für Fast Flux-Erkennung befindet sich außerhalb zulässiger Grenzwerte', 'advproxy friday' => 'Fr', 'advproxy from' => 'Von', 'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle', @@ -362,6 +368,7 @@ 'advproxy reset' => 'Zurücksetzen', 'advproxy saturday' => 'Sa', 'advproxy save and restart' => 'Speichern und Neustart', +'advproxy selectively announcements detection' => 'Verbindungen zu Zielen in selektiv propagierten Netzen verweigern', 'advproxy squid version' => 'Squid Versionsnummer', 'advproxy squidclamav' => 'SquidClamav', 'advproxy ssadvanced proxy' => 'advanced proxy', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 679588940..644d348ea 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -252,6 +252,7 @@ 'advproxy advanced web proxy configuration' => 'Advanced web proxy configuration', 'advproxy allowed subnets' => 'Allowed subnets (one per line)', 'advproxy allowed web browsers' => 'Allowed clients for web access', +'advproxy asbased anomaly detection' => 'Anomaly detections based on Autonomous Systems information', 'advproxy back to main page' => 'Back to main page', 'advproxy banned ip clients' => 'Banned IP addresses (one per line)', 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', @@ -323,6 +324,11 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet', 'advproxy error design' => 'Error messages design', 'advproxy error language' => 'Error messages language', +'advproxy fastflux detection' => 'Deny access to destinations hosted on fast flux setups', +'advproxy fastflux no threshold given' => 'No threshold was given for fast flux detection', +'advproxy fastflux detection threshold' => 'Threshold', +'advproxy fastflux threshold invalid' => 'Supplied fast flux detection threshold is invalid', +'advproxy fastflux threshold out of bounds' => 'Supplied fast flux detection threshold is out of bounds', 'advproxy friday' => 'Fri', 'advproxy from' => 'From', 'advproxy group access control' => 'Group based access control', @@ -359,6 +365,7 @@ 'advproxy reset' => 'Reset', 'advproxy saturday' => 'Sat', 'advproxy save and restart' => 'Save and Restart', +'advproxy selectively announcements detection' => 'Deny access to destinations hosted on selectively announced networks', 'advproxy squid version' => 'Squid cache version', 'advproxy squidclamav' => 'SquidClamav', 'advproxy ssadvanced proxy' => 'advanced proxy',