From patchwork Tue Sep 10 14:37:14 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8085
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 01/20] suricata: Move the IPS into the mangle table
Date: Tue, 10 Sep 2024 14:37:14 +0000
Message-Id: <20240910143748.3469271-2-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>
List-Id: IPFire development talk

This should make the IPS more efficient; we should have fewer rules and the IPS will now sit at the edge of the networking stack as it will see packets immediately when they come in and just before they leave.

Signed-off-by: Michael Tremer
--- src/initscripts/system/firewall | 23 +------ src/initscripts/system/suricata | 108 +++++++++++--------------------- 2 files changed, 39 insertions(+), 92 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 6727e4a20..39d9c0f23 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -39,11 +39,6 @@ fi NAT_MASK="0x0f000000" -IPS_REPEAT_MARK="0x80000000" -IPS_REPEAT_MASK="0x80000000" -IPS_BYPASS_MARK="0x40000000" -IPS_BYPASS_MASK="0x40000000" - IPSET_DB_DIR="/var/lib/location/ipset" SYNPROXY_OPTIONS=(
@@ -84,16 +79,6 @@ iptables_init() { modprobe nf_log_ipv4 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4 - # IPS Bypass Chain which stores the BYPASS bit in connection tracking - iptables -N IPSBYPASS - iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))" - - # Jump into bypass chain when the BYPASS bit is set - for chain in INPUT FORWARD OUTPUT; do - iptables -A "${chain}" -m mark \ - --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS - done - # Empty LOG_DROP and LOG_REJECT chains iptables -N LOG_DROP iptables -A LOG_DROP -m limit --limit 10/second -j LOG @@ -237,12 +222,10 @@ iptables_init() { iptables -A FORWARD -o tun+ -j OVPNBLOCK # IPS (Suricata) chains - iptables -N IPS_INPUT - iptables -N IPS_FORWARD - iptables -N IPS_OUTPUT + iptables -t mangle -N IPS - for chain in INPUT FORWARD OUTPUT; do - iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" + for chain in PREROUTING POSTROUTING; do + iptables -t mangle -A "${chain}" -j IPS done # OpenVPN transfer network translation diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 79f9478c3..253ece117 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -27,13 +27,20 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +IPS_REPEAT_MARK="0x80000000" +IPS_REPEAT_MASK="0x80000000" +IPS_BYPASS_MARK="0x40000000" +IPS_BYPASS_MASK="0x40000000" + # Name of the firewall chains. IPS_INPUT_CHAIN="IPS_INPUT" IPS_FORWARD_CHAIN="IPS_FORWARD" IPS_OUTPUT_CHAIN="IPS_OUTPUT" # Optional options for the Netfilter queue. -NFQ_OPTS="--queue-bypass " +NFQ_OPTS=( + "--queue-bypass" +) # Array containing the 4 possible network zones. network_zones=( red green blue orange ovpn ) 
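Review bot: hooking the IPS chain into both mangle PREROUTING and POSTROUTING (the `for chain in PREROUTING POSTROUTING` loop) means a forwarded packet enters the chain twice, once per hook, and the second pass is skipped only because Suricata has already set IPS_REPEAT_MARK on the packet. That only holds when Suricata runs its nfq mode in `repeat` with a repeat-mark/repeat-mask matching the 0x80000000 constants this patch moves into the suricata initscript; nothing in the patch shows or mentions that suricata.yaml setting, so state the dependency in the commit message or carry the matching configuration hunk in this series, otherwise the two halves can drift apart. Also worth a comment: with `--queue-bypass`, a packet that Suricata never sees (queue not bound) carries no mark and is offered to the queue again at the second hook, which is harmless but surprising to the next reader.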
@@ -64,91 +71,48 @@ function get_cpu_count { # Function to flush the firewall chains. function flush_fw_chain { - # Call iptables and flush the chains - iptables -w -F "$IPS_INPUT_CHAIN" - iptables -w -F "$IPS_FORWARD_CHAIN" - iptables -w -F "$IPS_OUTPUT_CHAIN" + iptables -w -t mangle -F IPS } # Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { - cpu_count=$(get_cpu_count) - - # Loop through the array of network zones. - for zone in "${network_zones[@]}"; do - # Convert zone into upper case. - zone_upper=${zone^^} - - # Generate variable name for checking if the IDS is - # enabled on the zone. - enable_ids_zone="ENABLE_IDS_$zone_upper" - - # Check if the IDS is enabled for this network zone. - if [ "${!enable_ids_zone}" == "on" ]; then - # Check if the current processed zone is "red" and the configured type is PPPoE dialin. - if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ] && [ "$RED_DRIVER" != "qmi_wwan" ]; then - # Set device name to ppp0. - network_device="ppp0" - elif [ "$zone" == "ovpn" ]; then - # Get all virtual net devices because the RW server and each - # N2N connection creates it's own tun device. - for virt_dev in /sys/devices/virtual/net/*; do - # Cut-off the directory. - dev="${virt_dev##*/}" - - # Only process tun devices. - if [[ $dev =~ "tun" ]]; then - # Add the network device to the array of enabled zones. - enabled_ips_zones+=( "$dev" ) - fi - done - - # Process next zone. - continue - else - # Generate variable name which contains the device name. - zone_name="$zone_upper" - zone_name+="_DEV" - - # Grab device name. - network_device=${!zone_name} - fi - - # Add the network device to the array of enabled zones. - enabled_ips_zones+=( "$network_device" ) - fi - done - # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS + local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" ) + + local cpu_count="$(get_cpu_count)" # Check if there are multiple cpu cores available. 
if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" + # Balance beetween all queues + NFQ_OPTIONS+=( + "--queue-balance" "0:$(($cpu_count-1))" + "--queue-cpu-fanout" + ) else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" + # Send all packets to queue 0 + NFQ_OPTIONS+=( + "--queue-num" "0" + ) fi # Flush the firewall chains. flush_fw_chain - # Check if the array of enabled_ips_zones contains any elements. - if [[ ${enabled_ips_zones[@]} ]]; then - # Loop through the array and create firewall rules. - for enabled_ips_zone in "${enabled_ips_zones[@]}"; do - # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS - iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS - - # Create rules which are required to handle forwarded traffic. - for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS - done - done - fi + # Don't process packets where the IPS has requested to bypass the stream + iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN + + # Don't process packets that have already been seen by the IPS + iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN + + # Send packets to suricata + iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}" + + # If suricata decided to bypass a stream, we will store the mark in the connection tracking table + iptables -w -t mangle -A IPS \ + -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \ + -j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))" + + return 0 } case "$1" in
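Review bot: the final `-j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))"` rule is unreachable for the packet it is meant to catch. In the nfq repeat mode that the IPS_REPEAT_MARK constants imply, Suricata sets the repeat bit together with the bypass bit and reinjects the packet with NF_REPEAT, so the packet re-enters the IPS chain from its first rule, where `-m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN` matches and leaves the chain before the save-mark rule; on a plain ACCEPT verdict the packet continues with the next hook after NFQUEUE and does not evaluate the remaining rules of this chain either. Move the CONNMARK rule in front of the two RETURN rules, or use separate bits for "bypass requested" and "bypass stored", otherwise the decision is never written to conntrack and every packet of the flow keeps being queued. Separately, the removed loop was the only place that honoured ENABLE_IDS_<zone> and the per-interface `-i`/`-o` matches; the new rules queue traffic from every interface, and the commit message does not say whether per-zone selection is dropped on purpose or moves elsewhere in the series.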
From patchwork Tue Sep 10 14:37:15 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8084
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 02/20] initscripts: Fix bash function definitions in suricata
Date: Tue, 10 Sep 2024 14:37:15 +0000
Message-Id: <20240910143748.3469271-3-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>

Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 253ece117..0c60c5119 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -52,7 +52,7 @@ enabled_ips_zones=() PID_FILE="/var/run/suricata.pid" # Function to get the amount of CPU cores of the system. -function get_cpu_count { +get_cpu_count() { CPUCOUNT=0 # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
@@ -70,12 +70,12 @@ function get_cpu_count { } # Function to flush the firewall chains. -function flush_fw_chain { +flush_fw_chain() { iptables -w -t mangle -F IPS } # Function to create the firewall rules to pass the traffic to suricata. -function generate_fw_rules { +generate_fw_rules() { # Assign NFQ_OPTS local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
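Review bot: the subject says "Fix", but `function flush_fw_chain {` and `flush_fw_chain() {` are both valid bash and behave identically, and the script still depends on bash-only features (arrays such as `NFQ_OPTS=( "--queue-bypass" )` and `local NFQ_OPTIONS=( ... )`), so nothing becomes more portable. Describe it in the commit message as a style cleanup toward the POSIX function syntax, and use the same subject prefix as the rest of the series ("suricata:" rather than "initscripts:").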
From patchwork Tue Sep 10 14:37:16 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8083
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 03/20] suricata: Use getconf to determine the number of processors
Date: Tue, 10 Sep 2024 14:37:16 +0000
Message-Id: <20240910143748.3469271-4-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>

Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 0c60c5119..06ad21afa 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata
@@ -51,24 +51,6 @@ enabled_ips_zones=() # PID file of suricata. PID_FILE="/var/run/suricata.pid" -# Function to get the amount of CPU cores of the system. -get_cpu_count() { - CPUCOUNT=0 - - # Loop through "/proc/cpuinfo" and count the amount of CPU cores. - while read line; do - [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++)) - done
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8086
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 04/20] suricata: Remove some unused constants
Date: Tue, 10 Sep 2024 14:37:17 +0000
Message-Id: <20240910143748.3469271-5-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>

Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 06ad21afa..c307e358c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata
@@ -32,22 +32,11 @@ IPS_REPEAT_MASK="0x80000000" IPS_BYPASS_MARK="0x40000000" IPS_BYPASS_MASK="0x40000000" -# Name of the firewall chains. -IPS_INPUT_CHAIN="IPS_INPUT" -IPS_FORWARD_CHAIN="IPS_FORWARD" -IPS_OUTPUT_CHAIN="IPS_OUTPUT" - # Optional options for the Netfilter queue. NFQ_OPTS=( "--queue-bypass" ) -# Array containing the 4 possible network zones. -network_zones=( red green blue orange ovpn ) - -# Array to store the network zones weather the IPS is enabled for. -enabled_ips_zones=() - # PID file of suricata. PID_FILE="/var/run/suricata.pid"
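Review bot: with `network_zones` and `enabled_ips_zones` gone, the `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` near the top of the script (visible in the first suricata hunk of patch 01) is dead as well: RED_TYPE, RED_DRIVER and the *_DEV variables were only consumed by the zone loop that patch 01 removed. Drop that eval in the same commit rather than leaving a settings file sourced for nothing.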
From patchwork Tue Sep 10 14:37:18 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8087
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 05/20] suricata: Add whitelist to iptables
Date: Tue, 10 Sep 2024 14:37:18 +0000
Message-Id: <20240910143748.3469271-6-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>

This allows us to better work around any problems in Suricata, because we never send any whitelisted packets to the IPS in the first place.

Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index c307e358c..14b48b5bd 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -75,6 +75,21 @@ generate_fw_rules() { # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN + # Never send any whitelisted packets to the IPS + if [ -r "/var/ipfire/suricata/ignored" ]; then + local id network remark enabled rest + + while IFS=',' read -r id network remark enabled rest; do + echo "$network" + echo "$remark" + # Skip disabled entries + [ "${enabled}" = "enabled" ] || continue + + iptables -w -t mangle -A IPS -s "${network}" -j RETURN + iptables -w -t mangle -A IPS -d "${network}" -j RETURN + done < "/var/ipfire/suricata/ignored" + fi + # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
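Review bot: the `echo "$network"` and `echo "$remark"` inside the `while IFS=',' read -r ...` loop look like leftover debugging; they print every line of /var/ipfire/suricata/ignored to the initscript's stdout, including disabled entries, since they run before the `[ "${enabled}" = "enabled" ] || continue` check. Remove them. Two smaller points: `network` goes to `-s`/`-d` unvalidated, so an empty or malformed field makes that iptables call fail and the loop moves on silently (no `set -e`, no return-code check), so at least guard with `[ -n "${network}" ]` and log the failure; and the comment says "whitelisted" while the file is called `ignored` and the subject says "whitelist", so settle on one term.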
From patchwork Tue Sep 10 14:37:19 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8088
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 06/20] suricata: Replace removed CPU count function
Date: Tue, 10 Sep 2024 14:37:19 +0000
Message-Id: <20240910143748.3469271-7-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>

Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 14b48b5bd..30a81333f 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -103,8 +103,8 @@ generate_fw_rules() { case "$1" in start) - # Get amount of CPU cores. - cpu_count=$(get_cpu_count) + # Get amount of CPU cores + cpu_count="$(getconf _NPROCESSORS_ONLN)" # Numer of NFQUES. NFQUEUES="-q 0"
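Review bot: this hunk belongs in the same commit as patch 03. Between patch 03, which deletes `get_cpu_count()`, and this patch the `start)` branch still runs `cpu_count=$(get_cpu_count)`, so that intermediate tree fails with "command not found" and an empty `cpu_count`, which breaks bisecting; squash the two or fold this change into patch 03. Also, `getconf _NPROCESSORS_ONLN` counts online CPUs rather than the `processor` lines of /proc/cpuinfo the old function parsed; that is the better input for a `--queue-balance` range, but the commit message should say the semantics changed.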
From patchwork Tue Sep 10 14:37:20 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8097
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 07/20] suricata: Be more efficient with marks
Date: Tue, 10 Sep 2024 14:37:20 +0000
Message-Id: <20240910143748.3469271-8-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>

This patch introduces a new mark which allows us to identify any newly bypassed connections and permanently store the bypass flag. We also only restore marks from the connection tracking when a packet has no marks yet.

Tested-by: Adolf Belka
Signed-off-by: Michael Tremer
--- src/initscripts/system/firewall | 2 +- src/initscripts/system/suricata | 20 +++++++++++++------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 39d9c0f23..5d37cffd7 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall
@@ -160,7 +160,7 @@ iptables_init() { iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks - iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark + iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark # Fix for braindead ISPs iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 30a81333f..20afab130 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,14 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) IPS_REPEAT_MARK="0x80000000" IPS_REPEAT_MASK="0x80000000" -IPS_BYPASS_MARK="0x40000000" -IPS_BYPASS_MASK="0x40000000" + +# The IPS requested that this connection is being bypassed +IPS_BYPASS_REQUESTED_MARK="0x40000000" +IPS_BYPASS_REQUESTED_MASK="0x40000000" + +# Marks a connection to be bypassed +IPS_BYPASS_MARK="0x20000000" +IPS_BYPASS_MASK="0x20000000" # Optional options for the Netfilter queue. NFQ_OPTS=( @@ -72,6 +78,11 @@ generate_fw_rules() { # Don't process packets where the IPS has requested to bypass the stream iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN + # If suricata decided to bypass a stream, we will store the mark in the connection tracking table + iptables -w -t mangle -A IPS \ + -m mark --mark "$(( IPS_BYPASS_REQUESTED_MARK ))/$(( IPS_BYPASS_REQUESTED_MASK ))" \ + -j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" + # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN 
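Review bot: the comment `# Restore any connection marks` above the changed PREROUTING rule is now misleading, because with `-m mark --mark 0` the connmark is restored only for packets that still carry a zero mark; a packet that already got a non-zero mark from an earlier mangle rule will never pick up the stored IPS bypass bit and keeps being queued. Suggest changing the comment to "Restore connection marks for packets that are not marked yet" and, if other rules legitimately mark packets before this point, narrowing the restore to the IPS bits with `--ctmask`/`--nfmask` on `--restore-mark` instead of requiring the whole mark to be zero.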
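Review bot: the new `CONNMARK --set-mark` rule in the suricata hunk writes the bypass bit to the conntrack entry only; the packet that carries `IPS_BYPASS_REQUESTED_MARK` itself is not returned from the chain and, unless it also carries `IPS_REPEAT_MARK`, still reaches the NFQUEUE rule further down. If that is not intended, either append a `-j RETURN` for the requested mark or set the packet mark as well with `-j MARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"`. A one-line comment that 0x40000000 is the bit suricata sets on its verdict while 0x20000000 is the bit kept in conntrack would also help, since the two names are easy to confuse.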
@@ -93,11 +104,6 @@ generate_fw_rules() { # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}" - # If suricata decided to bypass a stream, we will store the mark in the connection tracking table - iptables -w -t mangle -A IPS \ - -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \ - -j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))" - return 0 } From patchwork Tue Sep 10 14:37:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8098 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sm1Wgjz3wdh for ; Tue, 10 Sep 2024 14:38:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sg6rP4z6Bt; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sg5Fkdz34Gg; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0764z34GY for ; Tue, 10 Sep 2024 14:37:56 +0000 (UTC) Received: from 
michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH4N3Xz5Zb; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH12HtzTkg5; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 08/20] suricata: Add a watcher to restart on unexpected termination Date: Tue, 10 Sep 2024 14:37:21 +0000 Message-Id: <20240910143748.3469271-9-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: A2BLSJUCJQATFWSNX4YFZSPIACBF42XO X-Message-ID-Hash: A2BLSJUCJQATFWSNX4YFZSPIACBF42XO X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This patch adds a watcher process that will restart suricata when it is being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV. Signed-off-by: Michael Tremer --- config/rootfiles/common/suricata | 1 + config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++ lfs/suricata | 3 ++ src/initscripts/system/suricata | 16 ++-------- 4 files changed, 61 insertions(+), 14 deletions(-) create mode 100644 config/suricata/suricata-watcher 
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 53224d006..8fe53f7e6 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,6 +1,7 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +usr/bin/suricata-watcher usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher new file mode 100644 index 000000000..a1a13d40c --- /dev/null +++ b/config/suricata/suricata-watcher @@ -0,0 +1,55 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A Linux-based Firewall # +# Copyright (C) 2024 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +PIDFILE="/var/run/suricata.pid" + +main() { + local ret + + while :; do + # Launch suricata + /usr/bin/suricata "$@" &>/dev/null + + # Wait until suricata is done + ret=$? + + case "${ret}" in + # If suricata has been killed by SIGKILL (e.g. by + # the OOM killer, or if it ran into a SEGV, we will + # restart the process. + 137|139) + # Remove the PID file + unlink "${PIDFILE}" 2>/dev/null + + sleep 1 + continue + ;; + + *) + break + ;; + esac + done + + return ${ret} +} + +main "$@" || return $? 
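Review bot: `main "$@" || return $?` on the last line of the new watcher is outside any function, so bash rejects it with "return: can only `return' from a function or sourced script" and the script's exit status no longer reflects suricata's; use `exit $?` (or just `main "$@"` and let the script end). In the loop itself there is no backoff or retry limit, so a suricata that segfaults right after start is restarted every second forever, and `&>/dev/null` discards the stderr that would explain why; consider logging `ret` with `logger` before each restart and giving up after a bounded number of consecutive failures. The comment above `137|139)` also has an unbalanced opening parenthesis.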
diff --git a/lfs/suricata b/lfs/suricata index 88f3c4575..dcee61ea1 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install converter script needed for Core Update 167 install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files + # Install the watcher + install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 20afab130..40bd69c87 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -123,12 +123,9 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null + /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES evaluate_retval - # Allow reading the pidfile. - chmod 644 $PID_FILE - # Flush the firewall chain flush_fw_chain 
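Review bot: the new start line drops `-D`, and the watcher runs `/usr/bin/suricata` in the foreground, so `/usr/bin/suricata-watcher -c ... $NFQUEUES` blocks the initscript until suricata exits and `evaluate_retval` then reports that exit status rather than a successful start. Patch 09 of this series replaces it with `loadproc -b`; the two should be squashed so that no intermediate commit leaves boot hanging at "Starting Intrusion Detection System...".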
@@ -139,20 +136,11 @@ case "$1" in stop) boot_mesg "Stopping Intrusion Detection System..." - killproc -p $PID_FILE /var/run + killproc /usr/bin/suricata # Flush firewall chain. flush_fw_chain - # Sometimes suricata not correct shutdown. So killall. - killall -KILL /usr/bin/suricata 2>/dev/null - - # Remove suricata control socket. - rm /var/run/suricata/* >/dev/null 2>/dev/null - - # Trash remain pid file if still exists. - rm -f $PID_FILE >/dev/null 2>/dev/null - # Don't report returncode of rm if suricata was not started exit 0 ;; From patchwork Tue Sep 10 14:37:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8089 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sZ1jvrz3wyW for ; Tue, 10 Sep 2024 14:38:10 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sV59vdz60R; Tue, 10 Sep 2024 14:38:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sV4dmvz34Gb; Tue, 10 Sep 2024 14:38:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified 
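Review bot: `killproc /usr/bin/suricata` stops suricata but not the watcher, and if killproc has to fall back to SIGKILL after its timeout, suricata exits with 137, which is exactly the code that makes the watcher start it again. Stop the watcher first, or let it handle SIGTERM and forward it to its child, before killing suricata. The remaining context line `# Don't report returncode of rm if suricata was not started` now describes the `rm` calls removed in this hunk and should be dropped as well.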
OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH65dxz34GH for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH4bwMz5qT; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH17cqzTtkp; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 09/20] suricata: Start the new watcher in the background Date: Tue, 10 Sep 2024 14:37:22 +0000 Message-Id: <20240910143748.3469271-10-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: QTU3MK6ELZFHDB662AZWNBALUNBWNNM5 X-Message-ID-Hash: QTU3MK6ELZFHDB662AZWNBALUNBWNNM5 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- src/initscripts/system/suricata | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 40bd69c87..455715d1b 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -43,9 +43,6 @@ NFQ_OPTS=( "--queue-bypass" ) -# PID file of suricata. -PID_FILE="/var/run/suricata.pid" - # Function to flush the firewall chains. flush_fw_chain() { iptables -w -t mangle -F IPS 
@@ -123,8 +120,7 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES - evaluate_retval + loadproc -b /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES # Flush the firewall chain flush_fw_chain From patchwork Tue Sep 10 14:37:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8090 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sc05c2z3wdh for ; Tue, 10 Sep 2024 14:38:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sW6wBcz5gj; Tue, 10 Sep 2024 14:38:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sW6R5Zz34GG; Tue, 10 Sep 2024 14:38:07 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH6M48z34GH for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) 
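Review bot: with `loadproc -b` the initscript returns as soon as the watcher has been forked, so a suricata that fails immediately (unusable suricata.yaml, NFQUEUE not available) is no longer reported at boot and, because the watcher sends its output to /dev/null, leaves no trace either; a short check after `loadproc -b` that the process is still alive, or logging in the watcher, would restore that feedback. Note also that `PID_FILE` is removed from this script while the watcher still unlinks `/var/run/suricata.pid` by a hardcoded path, so the two should agree on where the PID file lives.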
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH5C57z2fg; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1G4LzTtl4; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 10/20] suricata: Restore the interface selection Date: Tue, 10 Sep 2024 14:37:23 +0000 Message-Id: <20240910143748.3469271-11-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: H4V2SSDZKFJ62427W4HGN6TN3F7MT7XQ X-Message-ID-Hash: H4V2SSDZKFJ62427W4HGN6TN3F7MT7XQ X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- src/initscripts/networking/functions.network | 48 ++++++++++++++++++++ src/initscripts/system/suricata | 32 +++++++++++++ 2 files changed, 80 insertions(+) diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network index e134d0cce..c189c2fbc 100644 --- a/src/initscripts/networking/functions.network +++ b/src/initscripts/networking/functions.network 
@@ -54,6 +54,54 @@ bin2ip() { echo "${address[*]}" } +network_get_intf() { + local zone="${1}" + + case "${zone}" in + RED) + # For PPPoE, the RED interface is called ppp0 (unless we use QMI) + if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then + echo "ppp0" + return 0 + + # Otherwise we return RED_DEV + elif [ -n "${RED_DEV}" ]; then + echo "${RED_DEV}" + return 0 + fi + ;; + + GREEN) + if [ -n "${GREEN_DEV}" ]; then + echo "${GREEN_DEV}" + return 0 + fi + ;; + + ORANGE) + if [ -n "${ORANGE_DEV}" ]; then + echo "${ORANGE_DEV}" + return 0 + fi + ;; + + BLUE) + if [ -n "${BLUE_DEV}" ]; then + echo "${BLUE_DEV}" + return 0 + fi + ;; + + OPENVPN|OVPN) + # OpenVPN is using all tun devices + echo "tun+" + ;; + esac + + # Not found + return 1 +} + network_get_address() { local network="${1}" diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 455715d1b..8a1740528 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -21,6 +21,7 @@ . /etc/sysconfig/rc . ${rc_functions} +. /etc/init.d/networking/functions.network PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH @@ -38,6 +39,13 @@ IPS_BYPASS_REQUESTED_MASK="0x40000000" IPS_BYPASS_MARK="0x20000000" IPS_BYPASS_MASK="0x20000000" +# Set if we request to scan this packet +IPS_SCAN_MARK="0x10000000" +IPS_SCAN_MASK="0x10000000" + +# Supported network zones +NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" ) + # Optional options for the Netfilter queue. NFQ_OPTS=( "--queue-bypass" 
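Review bot: in the `OPENVPN|OVPN)` case of `network_get_intf()` the function echoes `tun+` but then falls through to `return 1`, so a caller that tests the exit status sees OpenVPN as unknown; add `return 0` there like the other zones (the suricata caller only looks at the output, which is why it works by accident). The function also reads `RED_TYPE`, `RED_DRIVER` and the `*_DEV` variables without sourcing the ethernet settings itself, so it only works when the caller has already done that; a comment at the top of the function stating this requirement would avoid surprises.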
@@ -83,6 +91,30 @@ generate_fw_rules() { # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN + local zone + local status + local intf + + # Mark packets for all zones that we want to scan + for zone in "${NETWORK_ZONES[@]}"; do + status="ENABLE_IDS_${zone}" + + if [ "${!status}" = "on" ]; then + intf="$(network_get_intf "${zone}")" + + # Skip if we could not determine an interface + if [ -z "${intf}" ]; then + continue + fi + + iptables -w -t mangle -A IPS -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + iptables -w -t mangle -A IPS -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" + fi + done + + # Don't keep processing packets we don't want to scan + iptables -w -t mangle -A IPS -m mark ! --mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" -j RETURN + # Never send any whitelisted packets to the IPS if [ -r "/var/ipfire/suricata/ignored" ]; then local id network remark enabled rest From patchwork Tue Sep 10 14:37:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8091 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sd0Ljfz3wdh for ; Tue, 10 Sep 2024 14:38:13 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) 
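Review bot: the `-i`/`-o` pair of MARK rules means a packet is marked, and therefore scanned, as soon as either its ingress or its egress interface belongs to an enabled zone: a packet from a zone that is not enabled towards one that is will not be marked by the `-i` rule but will be by the `-o` rule before it leaves. If that "one enabled end suffices" semantics is intended, say so in a comment, because it differs from "both zones must be enabled". The `continue` when `network_get_intf` prints nothing silently leaves a zone the admin switched on unscanned; a `boot_mesg` or `logger` line at that point would make the misconfiguration visible.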
with ESMTPS id 4X35sX1BtKz689; Tue, 10 Sep 2024 14:38:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sX0gzbz34G5; Tue, 10 Sep 2024 14:38:08 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH6PdRz34GK for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH5Lncz4PB; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1MftzTtmY; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) 
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 11/20] suricata: Remove superfluous bits from the initscript Date: Tue, 10 Sep 2024 14:37:24 +0000 Message-Id: <20240910143748.3469271-12-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: GF7U25TMMJZOTGTMFEUNZ5VHT2OONN7R X-Message-ID-Hash: GF7U25TMMJZOTGTMFEUNZ5VHT2OONN7R X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: I don't know why these hacks are here. Signed-off-by: Michael Tremer --- src/initscripts/system/suricata | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 8a1740528..73b4fb523 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -23,8 +23,6 @@ . ${rc_functions} . /etc/init.d/networking/functions.network -PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH - eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) 
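Review bot: this script invokes `iptables` by bare name (see the `iptables -w -t mangle` rules elsewhere in this series), so dropping the explicit `PATH` export only works if `/etc/sysconfig/rc` or `${rc_functions}` already exports a PATH that contains the iptables directory; it would be good to state in the commit message that this was checked, since an initscript started by init with a minimal environment would otherwise fail to build the IPS chain.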
@@ -198,5 +196,3 @@ case "$1" in exit 1 ;; esac - -chmod 644 /var/log/suricata/* 2>/dev/null From patchwork Tue Sep 10 14:37:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8092 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sd6Y8pz3wyW for ; Tue, 10 Sep 2024 14:38:13 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sY3BgVz2XG; Tue, 10 Sep 2024 14:38:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sY2fn5z34G3; Tue, 10 Sep 2024 14:38:09 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH6V5kz34GM for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) 
with ESMTPS id 4X35sH5PNjzjV; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1T0RzTtp5; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 12/20] suricata: Don't load /var/ipfire/ethernet/settings Date: Tue, 10 Sep 2024 14:37:25 +0000 Message-Id: <20240910143748.3469271-13-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: KG3DVZLSQWLEOO6NQJMCAECRXQ7OXRDU X-Message-ID-Hash: KG3DVZLSQWLEOO6NQJMCAECRXQ7OXRDU X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: We no longer need this directly as it is being pulled in from the network functions. Signed-off-by: Michael Tremer --- src/initscripts/system/suricata | 1 - 1 file changed, 1 deletion(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 73b4fb523..0447b7e8c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -24,7 +24,6 @@ . /etc/init.d/networking/functions.network eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) IPS_REPEAT_MARK="0x80000000" IPS_REPEAT_MASK="0x80000000" From patchwork Tue Sep 10 14:37:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8094 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sg4TVkz3wyW for ; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sb6Wqzz4RY; Tue, 10 Sep 2024 14:38:11 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sb63ZGz34GK; Tue, 10 Sep 2024 14:38:11 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH6qvvz34GR for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
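Review bot: the parts of `functions.network` shown earlier in this series (the new `network_get_intf()`) only consume `RED_DEV`, `RED_TYPE` and the other zone variables and do not show where they are sourced, so please confirm that the file really does the `readhash` of `/var/ipfire/ethernet/settings`; if it does not, `network_get_intf()` returns nothing for every zone after this hunk and the loop in `generate_fw_rules()` quietly marks no interfaces at all.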
RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH5kLLz5f7; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1b6HzTvRn; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 13/20] suricata: Add option to scan WireGuard Date: Tue, 10 Sep 2024 14:37:26 +0000 Message-Id: <20240910143748.3469271-14-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: AUHV7RRNYNYZBNNMHO2CQQUMNMZ5DZMM X-Message-ID-Hash: AUHV7RRNYNYZBNNMHO2CQQUMNMZ5DZMM X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- doc/language_missings | 8 ++++++++ html/cgi-bin/ids.cgi | 6 +++++- langs/en/cgi-bin/en.pl | 1 + src/initscripts/networking/functions.network | 6 ++++++ src/initscripts/system/suricata | 2 +- 5 files changed, 21 insertions(+), 2 deletions(-) diff --git a/doc/language_missings b/doc/language_missings index 98856b0e8..94adb28d8 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -103,6 +103,7 @@ < upload fcdsl.o < user management < vpn configuration main +< wg < winbind daemon < wireguard < wlanap 802.11w disabled 
@@ -156,6 +157,7 @@ < timeformat < transport mode does not support vti < warning +< wg < wireguard < wlanap < wlanap psk @@ -185,6 +187,7 @@ < timeformat < upload fcdsl.o < warning +< wg < wireguard < wlanap psk < wlanap wireless mode @@ -668,6 +671,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -1229,6 +1233,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -2205,6 +2210,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -3218,6 +3224,7 @@ < warning < week-graph < Weekly +< wg < whois results from < winbind daemon < wireguard @@ -3608,6 +3615,7 @@ < vulnerable < warning < Weekly +< wg < whois results from < winbind daemon < wireguard diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 502e2a125..00cc502f1 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -53,6 +53,9 @@ my %ignored=(); # the list of zones in an array. my @network_zones = &Network::get_available_network_zones(); +# Always show Wireguard +push(@network_zones, "wg"); + # Check if openvpn is started and add it to the array of network zones. if ( -e "/var/run/openvpn.pid") { push(@network_zones, "ovpn"); @@ -69,7 +72,8 @@ my %colourhash = ( 'green' => $Header::colourgreen, 'blue' => $Header::colourblue, 'orange' => $Header::colourorange, - 'ovpn' => $Header::colourovpn + 'ovpn' => $Header::colourovpn, + 'wg' => $Header::colourwg, ); &Header::showhttpheaders(); diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index dca9f1645..6a455ab6d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -3020,6 +3020,7 @@ 'week-graph' => 'Week', 'weekly firewallhits' => 'weekly firewallhits', 'weeks' => 'Weeks', +'wg' => 'WireGuard', 'whois results from' => 'WHOIS results from', 'wildcards' => 'Wildcards', 'winbind daemon' => 'Winbind Daemon', 
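Review bot: in the ids.cgi hunk `push(@network_zones, "wg")` is unconditional whereas `ovpn` is only added when `/var/run/openvpn.pid` exists, so the IDS page offers a WireGuard checkbox even on systems where WireGuard is not configured; either gate it the same way or explain in the comment why WireGuard is always listed. Please also confirm that `$Header::colourwg` is defined in header.pl, since an undefined colour renders silently as an empty value.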
diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network index c189c2fbc..02ac6b8fe 100644 --- a/src/initscripts/networking/functions.network +++ b/src/initscripts/networking/functions.network @@ -92,9 +92,15 @@ network_get_intf() { fi ;; + WIREGUARD|WG) + echo "wg+" + return 0 + ;; + OPENVPN|OVPN) # OpenVPN is using all tun devices echo "tun+" + return 0 ;; esac diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 0447b7e8c..6990b79ca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -41,7 +41,7 @@ IPS_SCAN_MARK="0x10000000" IPS_SCAN_MASK="0x10000000" # Supported network zones -NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" ) +NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" ) # Optional options for the Netfilter queue. NFQ_OPTS=( From patchwork Tue Sep 10 14:37:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8093 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sf5rLBz3wdh for ; Tue, 10 Sep 2024 14:38:14 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sY4Nj3z681; Tue, 10 Sep 2024 14:38:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sY3vy8z34GG; Tue, 10 Sep 2024 14:38:09 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH6njsz34GM for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange 
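Review bot: the new `push(@network_zones, "wg");` in the ids.cgi hunk at `@@ -53,6 +53,9 @@` adds the WireGuard zone unconditionally, while the OpenVPN zone a few lines below is only added when `/var/run/openvpn.pid` exists. If the asymmetry is intended (WireGuard should always be offered for scanning), the commit message should say so, since this patch carries no description beyond its subject; otherwise gate the push on WireGuard being enabled the same way. The comment also spells it `Wireguard` while the new en.pl string uses `WireGuard`.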
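Review bot: the `'wg' => $Header::colourwg,` entry in the `%colourhash` hunk depends on `$Header::colourwg` being defined in header.pl, which this patch does not touch; please confirm the variable exists, because a missing package variable is not a compile-time error under `use strict` but yields an undefined value (and an "uninitialized value" warning under `use warnings`), so the zone would render with an empty colour.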
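Review bot: in the functions.network hunk, the `return 0` added to the `OPENVPN|OVPN)` branch is a behaviour change unrelated to WireGuard and is not mentioned anywhere; either split it out or note it in the description. The new `WIREGUARD|WG)` branch echoes `wg+`, which matches every interface whose name starts with `wg`, so a non-WireGuard interface named that way would be scanned as well; a short comment on the branch, like the existing `# OpenVPN is using all tun devices`, would make that explicit.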
X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH5w1bz5sH; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1hjWzTvWh; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 14/20] suricata: Fix broken spacing in the settings section Date: Tue, 10 Sep 2024 14:37:27 +0000 Message-Id: <20240910143748.3469271-15-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: EY4T4PDCYVJGPH7HEUHRPCTIS4YSSVRU X-Message-ID-Hash: EY4T4PDCYVJGPH7HEUHRPCTIS4YSSVRU X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 45 +++++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 00cc502f1..deebb3ad3 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1017,30 +1017,29 @@ sub show_mainpage() { # Only show this area, if at least one ruleset provider is configured. if (%used_providers) { + my $num_zones = scalar @network_zones; print <

$Lang::tr{'settings'}

+
- - - - - - - - + + - + @@ -1068,21 +1067,29 @@ END $checked_input = "checked = 'checked'"; } - print "\n"; + print < + + +END } print < -
+  $Lang::tr{'ids enable'}








+   +
$Lang::tr{'ids monitored interfaces'}
+ $Lang::tr{'ids monitored interfaces'} +
\n"; - print "\n"; - print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; - print "
-

+ + +   + + - - +
+ +
From patchwork Tue Sep 10 14:37:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8096 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sk18Q8z3wdh for ; Tue, 10 Sep 2024 14:38:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sg3thxz5Zb; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sg1zCxz34GQ; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH72Syz34GV for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH67qjz2c3; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by 
michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1pybzTvZ3; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 15/20] ids.cgi: Use new style tables for rulesets Date: Tue, 10 Sep 2024 14:37:28 +0000 Message-Id: <20240910143748.3469271-16-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: QBLGCHV6OGOSNEUVRZYZLVIKDS3GFOYU X-Message-ID-Hash: QBLGCHV6OGOSNEUVRZYZLVIKDS3GFOYU X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- doc/language_issues.de | 1 + doc/language_issues.en | 3 ++- doc/language_issues.es | 3 +++ doc/language_issues.fr | 3 +++ doc/language_issues.it | 3 ++- doc/language_issues.nl | 3 ++- doc/language_issues.pl | 3 ++- doc/language_issues.ru | 3 ++- doc/language_issues.tr | 3 ++- doc/language_missings | 14 ++++++++++++++ html/cgi-bin/ids.cgi | 26 ++++++++------------------ langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ 13 files changed, 45 insertions(+), 24 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index b3d7082df..bd335de41 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de 
@@ -400,6 +400,7 @@ WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids oinkcode required WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ids unsupported provider WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype diff --git a/doc/language_issues.en b/doc/language_issues.en index 3aa4e9bd8..5063749c4 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1070,7 +1070,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1217,6 +1217,7 @@ WARNING: untranslated string: lan = LAN WARNING: untranslated string: languagepurpose = Select the language you wish IPFire to display in: WARNING: untranslated string: last = Last WARNING: untranslated string: last activity = Last Activity +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: lease expires = Lease expires WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: legend = Legend 
diff --git a/doc/language_issues.es b/doc/language_issues.es index fbbcd1e74..7e76d5dcf 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -444,6 +444,7 @@ WARNING: translation string unused: ids rules license1 WARNING: translation string unused: ids rules license2 WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -1028,8 +1029,10 @@ WARNING: untranslated string: hostile networks in = From Hostile Networks WARNING: untranslated string: hostile networks out = To Hostile Networks WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 25193da6a..ab6eb0478 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -428,6 +428,7 @@ WARNING: translation string unused: id WARNING: translation string unused: ids automatic rules update WARNING: translation string unused: ids oinkcode required WARNING: translation string unused: ids rules update +WARNING: translation string unused: ids ruleset settings WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -981,6 +982,8 @@ WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) +WARNING: untranslated string: ids rulesets = Rulesets +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.it b/doc/language_issues.it index f00d959d5..ab6c95d68 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1132,7 +1132,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1185,6 +1185,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 9607f98af..7f6c04e23 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -1138,7 +1138,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1193,6 +1193,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 92ad3b7be..d073e30b1 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1276,7 +1276,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1338,6 +1338,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: last = Last +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 35a590b6b..651f5266a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -1271,7 +1271,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1334,6 +1334,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: last = Last +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 3bf595efe..6c22f6d76 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1074,7 +1074,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc WARNING: untranslated string: ids reset provider = Reset provider WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date. -WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids rulesets = Rulesets WARNING: untranslated string: ids show = Show WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use. @@ -1122,6 +1122,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit +WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: load average = Load Average WARNING: untranslated string: local ip address = Local IP Address diff --git a/doc/language_missings b/doc/language_missings index 94adb28d8..7e3357df0 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -137,8 +137,10 @@ < hostile networks out < hostile networks total < ids provider eol +< ids rulesets < ids unsupported provider < invalid ip or hostname +< last updated < load average < log drop hostile in < log drop hostile out @@ -177,7 +179,9 @@ < g.lite < hostile networks total < ids provider eol +< ids rulesets < ids unsupported provider +< last updated < load average < oops something went wrong < ovpn roadwarrior server 
@@ -447,6 +451,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -507,6 +512,7 @@ < ipsec routing table entries < ipsec settings < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -988,6 +994,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -1050,6 +1057,7 @@ < ipsec routing table entries < ipsec settings < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average @@ -1834,6 +1842,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -1904,6 +1913,7 @@ < ipsec settings < itlb multihit < last +< last updated < least preferred < legacy architecture warning < lifetime @@ -2848,6 +2858,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -2919,6 +2930,7 @@ < ipsec settings < itlb multihit < last +< last updated < least preferred < legacy architecture warning < lifetime @@ -3454,6 +3466,7 @@ < ids reset provider < ids ruleset autoupdate in progress < ids ruleset is up to date +< ids rulesets < ids ruleset settings < ids show < ids subscription code required @@ -3509,6 +3522,7 @@ < ipsec routing table entries < ipsec settings < itlb multihit +< last updated < legacy architecture warning < link-layer encapsulation < load average diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index deebb3ad3..737826580 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -1103,16 +1103,15 @@ END # # Used Ruleset Providers section. # - &Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'}); + &Header::openbox('100%', 'center', $Lang::tr{'ids rulesets'}); print < + - - - - - + END my $line = 1; @@ -1133,13 +1132,6 @@ END my $status = $used_providers{$id}[3]; my $unsupported; - # Check if the item number is even or not. - if ($line % 2) { - $col="bgcolor='$color{'color22'}'"; - } else { - $col="bgcolor='$color{'color20'}'"; - } - # Handle providers which are not longer supported. unless ($IDS::Ruleset::Providers{$provider}{'dl_url'}) { $col = "bgcolor='$Header::colouryellow'"; @@ -1172,8 +1164,8 @@ END print < - - + +
$Lang::tr{'ids provider'}$Lang::tr{'date'}$Lang::tr{'ids autoupdates'}$Lang::tr{'action'}$Lang::tr{'ids provider'} + $Lang::tr{'last updated'} + $Lang::tr{'ids autoupdates'} + $Lang::tr{'action'}
$provider_name $unsupported$rulesetdate$provider_name $unsupported$rulesetdate
@@ -1225,8 +1217,6 @@ END # Section to add new elements or edit existing ones. print < -
-
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index a718228bc..b06ba6e91 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1413,6 +1413,7 @@ 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...', 'ids ruleset is up to date' => 'Regelset ist aktuell - Keine Aktualisierung notwendig.', 'ids ruleset settings' => 'Regelsatzeinstellungen', +'ids rulesets' => 'Regelsätze', 'ids show' => 'Anzeigen', 'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.', 'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.', @@ -1603,6 +1604,7 @@ 'languagepurpose' => 'Wählen Sie eine Sprache, in der IPFire angezeigt werden soll:', 'last' => 'Letzte', 'last activity' => 'Letzte Aktivität', +'last updated' => 'Zuletzt Aktualisiert', 'lateprompting' => 'Late prompting', 'lease expires' => 'Zuordnung verfällt', 'least preferred' => 'weniger präferiert', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 6a455ab6d..59da23c3a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1466,6 +1466,7 @@ 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...', 'ids ruleset is up to date' => 'No update required - The ruleset is up to date.', 'ids ruleset settings' => 'Ruleset Settings', +'ids rulesets' => 'Rulesets', 'ids show' => 'Show', 'ids subscription code required' => 'The selected ruleset requires a subscription code', 'ids the choosen provider is already in use' => 'The choosen provider is already in use.', 
@@ -1660,6 +1661,7 @@ 'languagepurpose' => 'Select the language you wish IPFire to display in:', 'last' => 'Last', 'last activity' => 'Last Activity', +'last updated' => 'Last Updated', 'lateprompting' => 'Lateprompting', 'lease expires' => 'Lease expires', 'least preferred' => 'least preferred', From patchwork Tue Sep 10 14:37:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8095 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sj0vYxz3wdh for ; Tue, 10 Sep 2024 14:38:17 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sg150kz5v4; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sg0bDTz34G5; Tue, 10 Sep 2024 14:38:15 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sH72Ygz34GX for ; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 
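Review bot: in the ids.cgi hunk at `@@ -1133,13 +1132,6 @@`, once the even/odd block is removed the only remaining assignment to `$col` inside the loop is `$col = "bgcolor='$Header::colouryellow'";` for unsupported providers, and nothing clears it afterwards; `$col` is assigned without `my`, so it is declared further up and keeps its value across iterations, meaning every provider listed after an unsupported one inherits the yellow background. Reset it at the top of each iteration (`$col = "";`) or declare it inside the loop. The `my $line = 1;` in the surrounding context appears to have served only the removed alternation and can probably go as well.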
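Review bot: `language_issues.de` (and the other language_issues files) now flag `ids ruleset settings` as unused, yet the string is kept in both `de.pl` and `en.pl` directly above the new `'ids rulesets'` entry; drop the old key in the same patch rather than leaving a dead translation behind. In `de.pl`, `'last updated' => 'Zuletzt Aktualisiert'` should read `'Zuletzt aktualisiert'`, since the participle is not capitalised in German.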
(256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH6DH7z5sK; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH1wSkzTvZ4; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 16/20] ids.cgi: Use new-style table for whitelist entries Date: Tue, 10 Sep 2024 14:37:29 +0000 Message-Id: <20240910143748.3469271-17-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: TSD5TRAJESLFFFUL5GHLBC2ERNES2PE4 X-Message-ID-Hash: TSD5TRAJESLFFFUL5GHLBC2ERNES2PE4 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 52 ++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 737826580..08db95595 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1241,11 +1241,11 @@ END &Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'}); print < + - - - + END # Check if some hosts have been added to be ignored. 
@@ -1262,10 +1262,6 @@ END # Check if the key (id) number is even or not. if ($cgiparams{'ID'} eq $key) { $col="bgcolor='${Header::colouryellow}'"; - } elsif ($key % 2) { - $col="bgcolor='$color{'color22'}'"; - } else { - $col="bgcolor='$color{'color20'}'"; } # Choose icon for the checkbox. @@ -1283,8 +1279,8 @@ END print < - - + +
$Lang::tr{'ip address'}$Lang::tr{'remark'}$Lang::tr{'ip address'} + $Lang::tr{'remark'} +
$address$remark$address$remark @@ -1323,12 +1319,10 @@ END # Section to add new elements or edit existing ones. print < -
-
+ + -
- +
END # Assign correct headline and button text. @@ -1339,30 +1333,36 @@ END # Check if an ID (key) has been given, in this case an existing entry should be edited. if ($cgiparams{'ID'} ne '') { $buttontext = $Lang::tr{'update'}; - print "\n"; + print "\n"; # Grab address and remark for the given key. $entry_address = $ignored{$cgiparams{'ID'}}[0]; $entry_remark = $ignored{$cgiparams{'ID'}}[1]; } else { $buttontext = $Lang::tr{'add'}; - print "\n"; + print "\n"; } print < - - - + + + + + + + + - - - + + -
$Lang::tr{'update'}
$Lang::tr{'update'}
$Lang::tr{'dnsforward add a new entry'}
$Lang::tr{'dnsforward add a new entry'}
$Lang::tr{'ip address'}: $Lang::tr{'ip address'} + +
$Lang::tr{'remark'} + +
$Lang::tr{'remark'}:
-
+ END &Header::closebox(); From patchwork Tue Sep 10 14:37:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8099 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sm369Kz3wyW for ; Tue, 10 Sep 2024 14:38:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sk05DGz4YK; Tue, 10 Sep 2024 14:38:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sj6lLHz34GQ; Tue, 10 Sep 2024 14:38:17 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0Wybz34Gb for ; Tue, 10 Sep 2024 14:37:56 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH6gK0z5sy; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) 
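Review bot: in the hunk at `@@ -1262,10 +1262,6 @@`, after the `elsif ($key % 2)` and `else` branches are removed, `$col` is only set when `$cgiparams{'ID'} eq $key` and is never cleared; it is assigned without `my`, so it keeps its value between iterations, and once the entry being edited has been rendered every following row is also drawn with `$Header::colouryellow`. Add an `else { $col = ""; }` or reset `$col` at the start of each iteration. The context comment `# Check if the key (id) number is even or not.` above the `if` is now stale and should describe the highlighting of the edited entry instead.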
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 17/20] ids.cgi: Sort whitelist entries Date: Tue, 10 Sep 2024 14:37:30 +0000 Message-Id: <20240910143748.3469271-18-michael.tremer@ipfire.org> In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 08db95595..b18f239e6 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi
@@ -1253,7 +1253,7 @@ END my $col = ""; # Loop through all entries of the hash. - while( (my $key) = each %ignored) { + foreach my $key (sort { $ignored{$a}[0] <=> $ignored{$b}[0] } keys %ignored) { # Assign data array positions to some nice variable names. my $address = $ignored{$key}[0]; my $remark = $ignored{$key}[1]; From patchwork Tue Sep 10 14:37:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8101 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sp4yKpz3wyW for ; Tue, 10 Sep 2024 14:38:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sl2t6GzJH; Tue, 10 Sep 2024 14:38:19 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sl2NZRz34GQ; Tue, 10 Sep 2024 14:38:19 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0ZRsz34Gd for ; Tue, 10 Sep 2024 14:37:56 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher 
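Review bot: the comparator in the replacement `foreach` uses `<=>` on `$ignored{$a}[0]`, the field the next context line assigns to `$address`; a numeric comparison of an address string such as 192.168.1.10 only considers the leading prefix Perl can numify ("192.168"), so the list is not sorted in address order and every comparison emits an "isn't numeric" warning under `use warnings`. Sort on the packed address instead, e.g. `sort { unpack('N', inet_aton($ignored{$a}[0])) <=> unpack('N', inet_aton($ignored{$b}[0])) }` with `use Socket qw(inet_aton)`, guarding for entries `inet_aton` cannot parse (networks in CIDR notation), or use `cmp` for a plain lexical sort if that is acceptable for the whitelist page.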
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH6ZNRzsY; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH272FzTvcF; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 18/20] ids.cgi: Remove box from the top section Date: Tue, 10 Sep 2024 14:37:31 +0000 Message-Id: <20240910143748.3469271-19-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: AO7PAGMLX757OMQCSWWUVETEZXHAU6A7 X-Message-ID-Hash: AO7PAGMLX757OMQCSWWUVETEZXHAU6A7 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index b18f239e6..db05df98a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1007,7 +1007,7 @@ sub show_mainpage() { $checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'"; # Draw current state of the IDS - &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); + &Header::opensection(); &Header::ServiceStatus({ $Lang::tr{'intrusion prevention system'} => { 
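Review bot: `&Header::opensection()` is called without arguments where `&Header::openbox()` received the width, the alignment and the translated title `$Lang::tr{'intrusion detection system'}`, so the heading that labelled this status block is dropped; confirm that the `$Lang::tr{'intrusion prevention system'}` label inside the following `ServiceStatus` call is enough to identify the block on the page, and if so note that the 'intrusion detection system' string no longer has a user at this call site.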
@@ -1098,7 +1098,7 @@ END } - &Header::closebox(); + &Header::closesection(); # # Used Ruleset Providers section. From patchwork Tue Sep 10 14:37:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8100 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sp09x2z3wdh for ; Tue, 10 Sep 2024 14:38:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sk3H4dz680; Tue, 10 Sep 2024 14:38:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sk0vFCz34GV; Tue, 10 Sep 2024 14:38:18 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0Wy0z34GY for ; Tue, 10 Sep 2024 14:37:56 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by 
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 19/20] ids.cgi: Fix detection for the Suricata process Date: Tue, 10 Sep 2024 14:37:32 +0000 Message-Id: <20240910143748.3469271-20-michael.tremer@ipfire.org> In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> We don't seem to have a PID file any more. Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index db05df98a..34e6bf233 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi
@@ -1011,7 +1011,7 @@ sub show_mainpage() { &Header::ServiceStatus({ $Lang::tr{'intrusion prevention system'} => { - "pidfile" => "/var/run/suricata.pid", + "process" => "Suricata-Main", }, }); From patchwork Tue Sep 10 14:37:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8102 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sq2XfCz3wdh for ; Tue, 10 Sep 2024 14:38:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sl4X1Fz6C8; Tue, 10 Sep 2024 14:38:19 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sl3zpjz34G3; Tue, 10 Sep 2024 14:38:19 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0g56z34Gg for ; Tue, 10 Sep 2024 14:37:56 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA 
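Review bot: replacing `"pidfile" => "/var/run/suricata.pid"` with `"process" => "Suricata-Main"` weakens what the status indicator proves: a PID file ties the green state to the process the initscript started, while a name match reports "running" for any process that carries that name, and `Suricata-Main` is the name Suricata gives its main thread rather than the executable name, so whether the match works at all depends on how `Header::ServiceStatus` resolves the `process` key (thread/command name versus command line). Since the commit message only says the PID file "doesn't seem" to exist any more, consider having the suricata initscript write one again (Suricata has a `--pidfile` command-line option; not shown on this page) and keeping the `pidfile` check, or state in the commit message why matching the thread name is the intended behaviour.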
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 20/20] firewall: Move the IPS after the NAT marking Date: Tue, 10 Sep 2024 14:37:33 +0000 Message-Id: <20240910143748.3469271-21-michael.tremer@ipfire.org> In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> This is because we might still land in the scenario where Suricata crashes and NFQUEUE will simply ACCEPT all packets which will terminate the processing of the mangle table. Therefore the NFQUEUE rule should be the last one so that we never skip any of the other processing. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 5d37cffd7..7dbbe38cb 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK - # IPS (Suricata) chains - iptables -t mangle -N IPS - - for chain in PREROUTING POSTROUTING; do - iptables -t mangle -A "${chain}" -j IPS - done - # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT @@ -382,6 +375,13 @@ iptables_init() { -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" fi + # IPS (Suricata) chains + iptables -t mangle -N IPS + + for chain in PREROUTING POSTROUTING; do + iptables -t mangle -A "${chain}" -j IPS + done + # RED chain, used for the red interface iptables -N REDINPUT iptables -A INPUT -j REDINPUT
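Review bot: the re-added block in the second hunk only guarantees that `-j IPS` is the last rule in mangle PREROUTING/POSTROUTING as long as nothing later in `iptables_init()` appends to those chains, and nothing in the diff enforces that; add a comment above `iptables -t mangle -N IPS` saying the jump must remain the last mangle rule because NFQUEUE accepts the packet and ends mangle-table traversal when Suricata is not listening, so a future rule is not appended after it and silently skipped after an IPS crash. Note also that the `-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT` context line the block is anchored to is a nat-table rule (SNAT only exists there), so the ordering that actually matters is relative to the mangle-table mark rules emitted earlier in the function, not to this SNAT rule. It is worth spelling out in the commit message that the behaviour relied on here means the IPS fails open on a Suricata crash, so the service status shown by the previous patch is the only signal that inspection has stopped.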