a new script based package called "banIP" to block
incoming & outgoing ip adresses/subnets via ipset.
Features:
* a shell script which uses ipset and iptables
to ban a large number of IP addresses
published in various IP blacklists (bogon, firehol etc.)
* support blocking by ASN numbers
* support blocking by iso country codes
* support local white & blacklist (IPv4, IPv6 & CIDR notation)
* auto-add unsuccessful ssh login attempts to local blacklist
* auto-add the uplink subnet to local whitelist
* per source configuration of SRC (incoming) and DST (outgoing)
* supports IPv4 & IPv6
Strong LuCI support:
* easy interface to track & change all aspects of your ipset
configuration on the fly
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* Log-Viewer & online configuration of white- & blacklist
LuCI-Screenshots will follow in the second post.
Forum discussion:
https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[correct configure flag from enable-ssl to enable-openssl]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Simple bump from 4.3 to 4.4
Changelog since 4.3:
netdb not saving to disk (#311)
Fix memory leak when parsing SNMP packet (#313)
Fix several windows build issues (#309)
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
Allow compilation with minimal OpenSSL (#281)
Fixed %USER_CA_CERT_xx and %USER_CERT_xx crashes (#301)
Improve const correctness for hash_link (#300)
Bug #4893: Malformed %>ru URIs for CONNECT requests (#299)
Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
tor-fw-helper is a helper to automatically configuring port forwarding
for tor, using UPnP or NAT-PMP NAT traversal.
This is a tor-fw-helper rewrite in Go that functions as a drop in
replacement for the original C code.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This is the nftables implementation for qos on OpenWrt,
Currently, it has below features:
* Static QoS : setting limit rate for devices or global network.
* Dynamic/Auto QoS : setting limit rate according to the network
bandwidth and adjust itself automatically (hotplug event).
* Traffic Priority : this feature is like traffic shaping under tc,
it uses ingress hook to handle to packets here.
Signed-off-by: Rosy Song <rosysong@rosinson.com>
All of these are either not needed or not valid.
Added a patch to remove the OPENSSL_WITH_DEPRECATED dependency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* proactively scan and switch to a higher prioritized uplink,
despite of an already existing connection,
this is configurable via 'trm_proactive' option
(default '1', enabled)
* fix some minor list trim issues
* optimize wlan scanning behavior
* refine debug messages
Signed-off-by: Dirk Brenken <dev@brenken.org>
A multi-year DNSSEC root key update is in progress, as described at
https://www.isc.org/downloads/bind/bind-keys/. This change refreshes the
bind.keys file, ensuring that the new key, in place as of 2018-10-11,
will be recognized and trusted.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
delv is a tool for sending DNS queries and validating the results, using the
same internal resolver and validator logic as named.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This includes the fix for CVE-2018-5738: When recursion is enabled but the
allow-recursion and allow-query-cache ACLs are not specified, they should be
limited to local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
- fix AXFR zones to delay a potentially large download with ntp-hotplug
- fix odhcpd link script to properly delete expired lease data from DNS
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
If we set the option "local_source" in the globals mwan3 section to "none",
traffic generated by the router it self will always use the default route from
the wan interface with the lowest metric. If this interface is down
the router traffic still uses the connection with the lowest metric but
this is disconnected. Load balancing and failover from the lan site is
still possible. Only router generated traffic is not load balanced and
could not use failover.
To solve this issue with router initiated traffic add the additional
option "online_metric" to the mwan3 interface section.
If the interface is connected then this lower "online metric" is set in the
default routing table.
With this change we have at least a failover with router initiated
traffic.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
During runntime of mwan3 we could add dynamicly networks to this ipset
which would then treated as connected networks by mwan3.
This is also usefull for ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
With the list param "rt_table_lookup" in the mwan3 section globals,
it is now possible to add a additional routing table numbers which would get
also parsed and will be added to the connected network.
So mwan3 will treat them as they are directly connected to this device.
This could be usefull if we use ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The generation for reporting the policies uses the same code add a
common function to reduce duplication.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Marko Ratkaj
Dan Lüdtke
Dirk Brenken
Yousong Zhou
Rosen Penev
Karl Palsson
Daniel Engberg
Florian Eckert
Jeffery To
Rosy Song
Peter Wagner
jonathanunderwood
Christian Lachner
W. van den Akker
Albert Lopez
Noah Meyerhans
Philip Prindeville
brv phoenix
Eric Luehrsen
Daniel Golle