Subversion Repositories ALCASAR

Compare Revisions

Rev 790 → Rev 791

/CHANGELOG
2,8 → 2,8
 
************ CHANGELOG ***********
---- svn ----
---- 2.5 ----
Bug
---------------------- 2.5 --------------------
Bugs
- watchdog (and script alcasar-logout.sh) doesn't logout the macallowed addresses
- reading of alcasar.conf file parameters more securely
- don't download RPMs twice
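Review bot: the 2.5 entry "reading of alcasar.conf file parameters more securely" does not say what changed; name the script and the kind of input that is now rejected, so the entry is useful when a later bug is triaged against this release. The hunk also leaves two heading styles side by side (`---- 2.5 ----` / `Bug` directly above `---------------------- 2.5 --------------------` / `Bugs`); drop the old pair so each release has a single heading.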
17,53 → 17,65
- import users via text file with or without password
Improve security
- The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side
- ANSSI code review (sql escape string)
- ANSSI code review (sql escape string in PHP)
- remove the apache unused modules
- the blacklist is no more update automaticly
Improve installation
- control eth0 config on startup (no dhcp)
- don't dowload the last BL version
- remove unused RPM before update the system
Improve Alcasar Control Center (ACC)
-
---- 2.4 ----
- Bug : some minor bugs (log rotate, intercept page, squid, ...)
- Bug : ACC - correction of the Internet connectivity test flag
- Bug : ACC - correction of the network filtering flag
- Bug : core : ip filtering exception changes doesn't active protocols exception filter
- Bug : core : remove dual log archive
- Bug : correction of "bypass" mode
- Bug : correction of squid cache
- Core : The blacklist is automaticly updated once a month
- Core : The distribution is automaticly updated every day
News
- allow/deny access to the LAN located between ALCASAR and the Internet gateway (box)
 
---- 2.3 ----
- Bug : group properties are now written on the voucher
- Bug : hold the state of network filter when update
- ACC : group member is added in user list
- Core : simplify official certificate import process
- Core : update with the last version of Coova (1.2.8)
- Core : End of implementation of ANSSI rules for netfilter
- Core : allow exception of IP addresses (or network addresses) in the authentication process
---------------------- 2.4 --------------------
Bugs
- some minor bugs (log rotate, intercept page, squid, ...)
- ACC : correction of the Internet connectivity test flag
- correction of the network filtering flag
- ip filtering exception changes doesn't active protocols exception filter
- remove dual log archive
- correction in "bypass" mode
- correction with squid cache
- The blacklist is automaticly updated once a month
- The distribution is automaticly updated every day
 
---- 2.2 ----
- blacklist category "ip" is added for url that contains only an ip address (no FQDN)
- IP parameters can be change in central conf file. Apply with the script "alcasar-conf.sh -apply"
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf)
- allow LDAP/AD connections both on WAN and LAN servers
- Add a LDAP connectivity test
- possibility to redirect users on a specific URL after login process
- A bug with "sudo" is bypassed
- close all accounting session when the system goes down or up
- if activate, sshd listen both on LAN and on WAN
- add a central conf file (/usr/local/etc/alcasar.conf)
- add the equipment name in the activity window when MAC authenticate
- improve the script which display and close users open sessions
- allow change of alcasar IP private address during install stage
- improve the script which managed the trusted sites and urls
- no more question, when upgrating
- some minor bugs
---------------------- 2.3 --------------------
Bugs
- group properties are now written on the voucher
- hold the state of network filter when update
Improve core
- simplify official certificate import process
- update with the last version of Coova (1.2.8)
Improve security
- end of implementation of ANSSI rules for netfilter
News
- allow exception of IP addresses (or network addresses) in the authentication process
- ACC : group member is added in user list
 
---- 2.1 ----
---------------------- 2.2 --------------------
Bugs
- A bug with "sudo" is bypassed
- improve the script which display and close users open sessions
- some minor bugs
Improve core
- add a central conf file (/usr/local/etc/alcasar.conf)
- IP parameters can be change in central conf file. Apply with the script "alcasar-conf.sh -apply"
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf)
- improve the script which managed the trusted sites and urls
Improve security
- close all accounting session when the system goes down or up
Improve install process
- allow change of alcasar IP private address during install stage
- no more question, when upgrating
News
- blacklist category "ip" is added for url that contains only an ip address (no FQDN)
- allow LDAP/AD connections both on WAN and LAN
- Add a LDAP connectivity test
- possibility to redirect users on a specific URL after login process
- if activate, sshd listen both on LAN and on WAN
- ACC : add the equipment name in the activity window when MAC authenticate
 
---------------------- 2.2 --------------------
- mise en conformité du parefeu avec les préco ANSSI (politiques à DROP + sysctrl)
- amélioration de la fonction bastion en limitant la charge sur l'interface externe (thanks to CPN)
- amélioration de la gestion des RPM 'wget' au lieu de 'curl' et changement de repository en 'live'
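Review bot: the feature this revision actually implements, `allow/deny access to the LAN located between ALCASAR and the Internet gateway (box)`, sits under a `News` heading inside the 2.4 block, but it belongs under 2.5 (the `Improve Alcasar Control Center (ACC)` section of 2.5 is left with an empty `-` bullet where the new net_filter.php toggle should be named). Two further points: `the blacklist is no more update automaticly` under "Improve security" for 2.5 reverses the 2.4 entry `The blacklist is automaticly updated once a month`, so state the reason and whether the monthly job was removed; and the file now contains two `---------------------- 2.2 --------------------` blocks, the second still in French. Spelling while here: automaticly, dowload, upgrating, "before update the system".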
/scripts/alcasar-iptables.sh
135,13 → 135,21
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 
# Filtrage de l'accès au LAN connecté sur EXTIF (eth0)
# EXTIF (eth0) connected LAN filtering
if [ $EXT_LAN_FILTERING = on ]; then
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $public_ip_mask -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
else
# Autorisation des connexions légitimes à DansGuardian
# Allow connections for DansGuardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
fi
 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
 
# autorisation des connexion légitime à DNSMASQ (avec blackhole)
# Allow connections for DNSMASQ (with blackhole)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
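Review bot: `if [ $EXT_LAN_FILTERING = on ]` fails with "unary operator expected" when the variable is empty (an upgraded alcasar.conf that lacks the `EXT_LAN_FILTERING` key), and since the failed test is false the `else` branch runs, i.e. the unfiltered ACCEPT; quote it (`if [ "$EXT_LAN_FILTERING" = "on" ]`) and consider failing closed. The new rule uses `$public_ip_mask` in lowercase while every other variable in this script is uppercase; confirm it is set from the eth0 address/mask earlier in the script, because an empty value turns the rule into `! -d -p tcp ...` and iptables refuses it. Finally, this rule only covers HTTP redirected to DansGuardian on 8080; nothing in the visible hunks adds a FORWARD rule for other ports towards the external LAN, so either the toggle should be documented as web-only or the FORWARD rule should be referenced in the comment.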
189,9 → 197,6
#############################
# FORWARD #
#############################
# Autorisation des retours de connexions légitimes
# Allow conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Rejet des requêtes DNS vers Internet
# Deny forward DNS
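Review bot: removing the `ESTABLISHED,RELATED` ACCEPT from the head of FORWARD means every packet of every existing flow is now matched against all the rules between here and the rule's new position, including the per-protocol REJECTs; the conventional place for the conntrack accept is first, both for throughput and so that a flow accepted once is not re-evaluated. If the move is deliberate (for instance to let a later rule cut existing flows), say so in the comment above the rule.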
256,10 → 261,11
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
# Autorisation des retours de connexions légitimes
# Allow conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
########################
# If QOS is activate #
########################
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
. /usr/local/etc/alcasar-iptables-qos.sh
fi
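Review bot: with the conntrack ACCEPT now placed after the `-i $TUNIF -p udp -j REJECT` and `-p icmp -j REJECT` rules inside the protocol-filter `if`, a client UDP flow accepted as NEW by an earlier explicit rule will have its follow-up packets (state ESTABLISHED, still arriving on `$TUNIF`) hit the REJECT before reaching the ACCEPT, unless the explicit allow rules match without `--state NEW`. Check the allowed-protocol rules above this hunk, or move the conntrack ACCEPT back ahead of the REJECT block.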
/scripts/sbin/alcasar-nf.sh
13,7 → 13,7
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions"
FIC_CONF="/usr/local/etc/alcasar.conf"
 
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off}"
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off} | {--lan_ext_filter_on | -lan_ext_filter_on} | {--lan_ext_filter_off | -lan_ext_filter_off}"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
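Review bot: the new options are named `lan_ext_filter` while the configuration key (`EXT_LAN_FILTERING` in the iptables and PHP hunks) and the changelog say "external LAN"; use one order (`ext_lan`) across script options, config key and PHP case labels to avoid mistyped arguments. The usage line is now long enough to be split over two lines.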
44,6 → 44,14
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=off?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
--lan_ext_filter_on|-lan_ext_filter_on) # allow external LAN access (LAN located between ALCASAR and the Internet gateway)
$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=on?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
--lan_ext_filter_off|-lan_ext_filter_off) # allow external LAN access (LAN located between ALCASAR and the Internet gateway)
$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=off?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
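Review bot: the comment on `--lan_ext_filter_off` is a copy of the one on `--lan_ext_filter_on`; both say "allow external LAN access", whereas per the iptables hunk `EXT_LAN_FILTERING=on` is the state that denies it. Reword each to the state it sets (`-on`: deny client access to the LAN between ALCASAR and the box; `-off`: allow it). The `$SED` substitution only rewrites an existing `EXT_LAN_FILTERING=` line; on an upgraded alcasar.conf without that key it silently changes nothing, the ACC reports the toggle as applied, and alcasar-iptables.sh keeps running with an empty variable. Append the key when absent (e.g. `grep -q '^EXT_LAN_FILTERING=' $FIC_CONF || echo 'EXT_LAN_FILTERING=off' >> $FIC_CONF`) or add it in the upgrade path.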
/web/acc/admin/net_filter.php
15,11 → 15,16
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'fr'){
$l_title_antivir = "Antivirus de flux WEB";
$l_title_proto = "Filtrage de protocoles réseau";
$l_antivir_on="L'antivirus de flux WEB est actuellement activé";
$l_antivir_off="L'antivirus de flux WEB est actuellement désactivé";
$l_switch_antivir_on="Activer l'antivirus";
$l_switch_antivir_off="Désactiver l'antivirus";
$l_title_lan_ext = "Filtrage de l'accès au LAN extérieur";
$l_lan_ext_on="L'accès au réseau situé entre ALCASAR et le routeur Internet (box) est actuellement autorisé";
$l_lan_ext_off="L'accès au réseau situé entre ALCASAR et le routeur Internet (box) est actuellement interdit";
$l_switch_lan_ext_on="Autoriser l'accès";
$l_switch_lan_ext_off="Interdire l'accès";
$l_title_proto = "Filtrage de protocoles réseau";
$l_netfilter_on="Le filtrage de protocoles réseau est actuellement activé";
$l_netfilter_off="Le filtrage de protocoles réseau est actuellement désactiv&eacute";
$l_switch_on="Activer le filtrage";
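Review bot: the string names are inverted relative to the state they describe: `$l_lan_ext_on` says access is autorisé (filter off), `$l_lan_ext_off` says it is interdit (filter on), and `$l_switch_lan_ext_on` labels the button that sends `Lan_Ext_Filter_Off`. Name them after the filter state (`$l_lan_ext_filter_on` = "interdit", and so on) so the branches in the display code read naturally. While here, the context line `désactiv&eacute` is missing the closing `;` of the entity.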
36,11 → 41,16
}
else {
$l_title_antivir = "WEB antivirus";
$l_title_proto = "Network protocols filter";
$l_antivir_on="Actually, the WEB antivirus is on";
$l_antivir_off="Actually, the WEB antivirus is off";
$l_switch_antivir_on="Switch the antivirus on";
$l_switch_antivir_off="Switch the antivirus off";
$l_title_lan_ext = "External LAN access filtering";
$l_lan_ext_on="The access to the LAN located between ALCASAR and the Internet Gateway (box) is allowed";
$l_lan_ext_off="The access to the LAN located between ALCASAR and the Internet Gateway (box) is forbidden";
$l_switch_lan_ext_on="Allow access";
$l_switch_lan_ext_off="Deny access";
$l_title_proto = "Network protocols filter";
$l_netfilter_on="Actually, the network protocols filter is enable";
$l_netfilter_off="Actually, the network protocols filter is disable";
$l_switch_on="Switch the Filter on";
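Review bot: same inverted `_on`/`_off` naming as in the French block. The new strings also copy the wording style of the surrounding lines, which use "Actually" for "Currently" and "is enable/disable" for "is enabled/disabled"; "The access to the LAN ..." reads better as "Access to the LAN ...". Fix the wording in the same commit.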
66,6 → 76,12
case 'AV_Off' :
exec ("sudo /usr/local/sbin/alcasar-havp.sh -off");
break;
case 'Lan_Ext_Filter_Off' :
exec ("sudo /usr/local/sbin/alcasar-nf.sh -lan_ext_filter_off");
break;
case 'Lan_Ext_Filter_On' :
exec ("sudo /usr/local/sbin/alcasar-nf.sh -lan_ext_filter_on");
break;
case 'NF_On' :
exec ("sudo /usr/local/sbin/alcasar-nf.sh -on");
break;
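Review bot: `choix` only selects among fixed case labels, so no request data reaches `exec()`, which is the right shape. Two things to check: the web user's sudoers entry must permit `alcasar-nf.sh` with the new `-lan_ext_filter_on`/`-lan_ext_filter_off` arguments (if that entry lists allowed arguments explicitly, as a least-privilege rule would, it needs updating in this change); and the return status of `exec()` is discarded, so a denied sudo or a failing script leaves the page showing the previous state with no error. Pass `$output, $return_var` to `exec()` and report a non-zero status.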
187,7 → 203,7
</td></tr>
</table>
<TABLE width="100%" border=0 cellspacing=0 cellpadding=0>
<tr><th><?echo "$l_title_proto";?></th></tr>
<tr><th><?echo "$l_title_lan_ext";?></th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</table>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=0>
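Review bot: this hunk replaces the `$l_title_proto` header row with `$l_title_lan_ext` rather than inserting a new row; confirm the protocol filter section further down still has its own title row, otherwise the "Network protocols filter" block loses its heading. The added line also keeps the short open tag `<?echo ...?>`, which depends on `short_open_tag`; use `<?php echo ...; ?>` in new code.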
195,17 → 211,17
<?php
if ($EXT_LAN_FILTERING == "on")
{
echo "<CENTER><H3>$l_antivir_on</H3></CENTER>";
echo "<CENTER><H3>$l_lan_ext_off</H3></CENTER>";
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>";
echo "<input type=hidden name='choix' value=\"AV_Off\">";
echo "<input type=submit value=\"$l_switch_antivir_off\">";
echo "<input type=hidden name='choix' value=\"Lan_Ext_Filter_Off\">";
echo "<input type=submit value=\"$l_switch_lan_ext_on\">";
}
else
{
echo "<CENTER><H3>$l_antivir_off</H3></CENTER>";
echo "<CENTER><H3>$l_lan_ext_on</H3></CENTER>";
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>";
echo "<input type=hidden name='choix' value=\"AV_On\">";
echo "<input type=submit value=\"$l_switch_antivir_on\">";
echo "<input type=hidden name='choix' value=\"Lan_Ext_Filter_On\">";
echo "<input type=submit value=\"$l_switch_lan_ext_off\">";
}
?>
</FORM>
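Review bot: the display logic and the hidden value agree (filter on → message "forbidden" → button "Allow access" → `Lan_Ext_Filter_Off`), but only because the `_on`/`_off` suffixes of the strings mean the opposite of the variable they are tested against; a reader who sees `$EXT_LAN_FILTERING == "on"` followed by `$l_lan_ext_off` will assume a bug. Either rename the strings after the filter state or comment the branch. `$EXT_LAN_FILTERING` must come from the alcasar.conf parsing earlier in this file, not from request parameters, since it decides which form is rendered; and `action='$_SERVER[PHP_SELF]'` in both branches should be escaped with `htmlspecialchars()` or replaced by a fixed path, as PHP_SELF reflects the request path.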