/CHANGELOG |
2,8 → 2,8 |
************ CHANGELOG *********** |
---- svn ---- |
---- 2.5 ---- |
Bug |
---------------------- 2.5 -------------------- |
Bugs |
- watchdog (and script alcasar-logout.sh) doesn't logout the macallowed addresses |
- reading of alcasar.conf file parameters more securely |
- don't download RPMs twice |
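Review bot: the entry "reading of alcasar.conf file parameters more securely" does not say what changed (which parameters, what check was added), so a reader cannot tell what behaviour to expect from this release; name the check. "macallowed" should read "MAC-allowed".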
17,53 → 17,65 |
- import users via text file with or without password |
Improve security |
- The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side |
- ANSSI code review (sql escape string) |
- ANSSI code review (sql escape string in PHP) |
- remove the apache unused modules |
- the blacklist is no more update automaticly |
Improve installation |
- control eth0 config on startup (no dhcp) |
- don't dowload the last BL version |
- remove unused RPM before update the system |
Improve Alcasar Control Center (ACC) |
- |
---- 2.4 ---- |
- Bug : some minor bugs (log rotate, intercept page, squid, ...) |
- Bug : ACC - correction of the Internet connectivity test flag |
- Bug : ACC - correction of the network filtering flag |
- Bug : core : ip filtering exception changes doesn't active protocols exception filter |
- Bug : core : remove dual log archive |
- Bug : correction of "bypass" mode |
- Bug : correction of squid cache |
- Core : The blacklist is automaticly updated once a month |
- Core : The distribution is automaticly updated every day |
News |
- allow/deny access to the LAN located between ALCASAR and the Internet gateway (box) |
---- 2.3 ---- |
- Bug : group properties are now written on the voucher |
- Bug : hold the state of network filter when update |
- ACC : group member is added in user list |
- Core : simplify official certificate import process |
- Core : update with the last version of Coova (1.2.8) |
- Core : End of implementation of ANSSI rules for netfilter |
- Core : allow exception of IP addresses (or network addresses) in the authentication process |
---------------------- 2.4 -------------------- |
Bugs |
- some minor bugs (log rotate, intercept page, squid, ...) |
- ACC : correction of the Internet connectivity test flag |
- correction of the network filtering flag |
- ip filtering exception changes doesn't active protocols exception filter |
- remove dual log archive |
- correction in "bypass" mode |
- correction with squid cache |
- The blacklist is automaticly updated once a month |
- The distribution is automaticly updated every day |
---- 2.2 ---- |
- blacklist category "ip" is added for url that contains only an ip address (no FQDN) |
- IP parameters can be change in central conf file. Apply with the script "alcasar-conf.sh -apply" |
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf) |
- allow LDAP/AD connections both on WAN and LAN servers |
- Add a LDAP connectivity test |
- possibility to redirect users on a specific URL after login process |
- A bug with "sudo" is bypassed |
- close all accounting session when the system goes down or up |
- if activate, sshd listen both on LAN and on WAN |
- add a central conf file (/usr/local/etc/alcasar.conf) |
- add the equipment name in the activity window when MAC authenticate |
- improve the script which display and close users open sessions |
- allow change of alcasar IP private address during install stage |
- improve the script which managed the trusted sites and urls |
- no more question, when upgrating |
- some minor bugs |
---------------------- 2.3 -------------------- |
Bugs |
- group properties are now written on the voucher |
- hold the state of network filter when update |
Improve core |
- simplify official certificate import process |
- update with the last version of Coova (1.2.8) |
Improve security |
- end of implementation of ANSSI rules for netfilter |
News |
- allow exception of IP addresses (or network addresses) in the authentication process |
- ACC : group member is added in user list |
---- 2.1 ---- |
---------------------- 2.2 -------------------- |
Bugs |
- A bug with "sudo" is bypassed |
- improve the script which display and close users open sessions |
- some minor bugs |
Improve core |
- add a central conf file (/usr/local/etc/alcasar.conf) |
- IP parameters can be change in central conf file. Apply with the script "alcasar-conf.sh -apply" |
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf) |
- improve the script which managed the trusted sites and urls |
Improve security |
- close all accounting session when the system goes down or up |
Improve install process |
- allow change of alcasar IP private address during install stage |
- no more question, when upgrating |
News |
- blacklist category "ip" is added for url that contains only an ip address (no FQDN) |
- allow LDAP/AD connections both on WAN and LAN |
- Add a LDAP connectivity test |
- possibility to redirect users on a specific URL after login process |
- if activate, sshd listen both on LAN and on WAN |
- ACC : add the equipment name in the activity window when MAC authenticate |
---------------------- 2.2 -------------------- |
- mise en conformité du parefeu avec les préco ANSSI (politiques à DROP + sysctrl) |
- amélioration de la fonction bastion en limitant la charge sur l'interface externe (thanks to CPN) |
- amélioration de la gestion des RPM 'wget' au lieu de 'curl' et changement de repository en 'live' |
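Review bot: the "Improve Alcasar Control Center (ACC)" section ends in an empty bullet ("-"); either fill it with the net_filter.php change carried by this commit (the external LAN access toggle) or drop the section. The security entry says the hidden UDP port is 53, while the alcasar-iptables.sh hunk in this same commit rejects and accepts `--dport 54`; confirm which port is meant so the changelog and the rules agree. Typos: "automaticly", "dowload", "upgrating", "remove unused RPM before update the system" (before updating).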
/scripts/alcasar-iptables.sh |
135,13 → 135,21 |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
# Filtrage de l'accès au LAN connecté sur EXTIF (eth0) |
# EXTIF (eth0) connected LAN filtering |
if [ $EXT_LAN_FILTERING = on ]; then |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $public_ip_mask -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
else |
# Autorisation des connexions légitimes à DansGuardian |
# Allow connections for DansGuardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
fi |
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable |
# autorisation des connexion légitime à DNSMASQ (avec blackhole) |
# Allow connections for DNSMASQ (with blackhole) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
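Review bot: in the EXT_LAN_FILTERING=on branch the rule keys on `! -d $public_ip_mask` in the INPUT chain, but the comment says these packets were marked in PREROUTING; if port-80 traffic is also redirected to DansGuardian's 8080 there, the destination INPUT sees is ALCASAR's own address, not the web server the client asked for, so confirm that `-d` still matches the original destination here (otherwise `-m conntrack --ctorigdst` is what carries it). `$public_ip_mask` is also the only lower-case variable in the hunk and is not defined in the visible lines; check it is set before this point. Finally, `[ $EXT_LAN_FILTERING = on ]` should be quoted (`[ "$EXT_LAN_FILTERING" = on ]`) so that an alcasar.conf without the new key (an upgraded install) takes the else branch cleanly instead of printing a test error.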
189,9 → 197,6 |
############################# |
# FORWARD # |
############################# |
# Autorisation des retours de connexions légitimes |
# Allow conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
# Rejet des requêtes DNS vers Internet |
# Deny forward DNS |
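Review bot: the `ESTABLISHED,RELATED -j ACCEPT` rule is removed from the head of the FORWARD chain here and re-added further down (after the `-i $TUNIF -p udp/icmp -j REJECT` rules in the next hunk), so every packet of an existing flow now traverses the intermediate rules and an established UDP flow from the LAN side can be rejected by them; confirm that is intended, and that the extra per-packet rule evaluation is acceptable on a gateway. If the move is deliberate (to make the new external-LAN deny apply to flows opened before the toggle), say so in the comment.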
256,10 → 261,11 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |
fi |
# Autorisation des retours de connexions légitimes |
# Allow conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
######################## |
# If QOS is activate # |
######################## |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then |
. /usr/local/etc/alcasar-iptables-qos.sh |
fi |
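Review bot: `[ $QOS = on ]` should quote the variable (`[ "$QOS" = on ]`) for the same reason as EXT_LAN_FILTERING: an alcasar.conf without a QOS key makes the test print an error. Sourcing the QoS file with `.` runs it inside this script's shell, so it shares and can overwrite `$IPTABLES`, `$TUNIF` and the other variables; a comment stating that contract would help the next reader.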
/scripts/sbin/alcasar-nf.sh |
13,7 → 13,7 |
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions" |
FIC_CONF="/usr/local/etc/alcasar.conf" |
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off}" |
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off} | {--lan_ext_filter_on | -lan_ext_filter_on} | {--lan_ext_filter_off | -lan_ext_filter_off}" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
44,6 → 44,14 |
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=off?g" $FIC_CONF |
/usr/local/bin/alcasar-iptables.sh |
;; |
--lan_ext_filter_on|-lan_ext_filter_on) # allow external LAN access (LAN located between ALCASAR and the Internet gateway) |
$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=on?g" $FIC_CONF |
/usr/local/bin/alcasar-iptables.sh |
;; |
--lan_ext_filter_off|-lan_ext_filter_off) # allow external LAN access (LAN located between ALCASAR and the Internet gateway) |
$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=off?g" $FIC_CONF |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
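Review bot: the comment on `--lan_ext_filter_off` is a copy of the one on `--lan_ext_filter_on` ("allow external LAN access"); one of them must say "deny". Reading net_filter.php in this commit, EXT_LAN_FILTERING=on is the state in which access to the external LAN is forbidden, so it is the `-on` option whose comment is wrong. Also, the sed substitution only rewrites an existing `EXT_LAN_FILTERING=` line; on an install whose alcasar.conf predates this key nothing is written and alcasar-iptables.sh then reads an empty value, so append the key when grep finds no match.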
/web/acc/admin/net_filter.php |
15,11 → 15,16 |
$Language = strtolower(substr(chop($Langue[0]),0,2)); } |
if($Language == 'fr'){ |
$l_title_antivir = "Antivirus de flux WEB"; |
$l_title_proto = "Filtrage de protocoles réseau"; |
$l_antivir_on="L'antivirus de flux WEB est actuellement activé"; |
$l_antivir_off="L'antivirus de flux WEB est actuellement désactivé"; |
$l_switch_antivir_on="Activer l'antivirus"; |
$l_switch_antivir_off="Désactiver l'antivirus"; |
$l_title_lan_ext = "Filtrage de l'accès au LAN extérieur"; |
$l_lan_ext_on="L'accès au réseau situé entre ALCASAR et le routeur Internet (box) est actuellement autorisé"; |
$l_lan_ext_off="L'accès au réseau situé entre ALCASAR et le routeur Internet (box) est actuellement interdit"; |
$l_switch_lan_ext_on="Autoriser l'accès"; |
$l_switch_lan_ext_off="Interdire l'accès"; |
$l_title_proto = "Filtrage de protocoles réseau"; |
$l_netfilter_on="Le filtrage de protocoles réseau est actuellement activé"; |
$l_netfilter_off="Le filtrage de protocoles réseau est actuellement désactivé"; |
$l_switch_on="Activer le filtrage"; |
36,11 → 41,16 |
} |
else { |
$l_title_antivir = "WEB antivirus"; |
$l_title_proto = "Network protocols filter"; |
$l_antivir_on="Actually, the WEB antivirus is on"; |
$l_antivir_off="Actually, the WEB antivirus is off"; |
$l_switch_antivir_on="Switch the antivirus on"; |
$l_switch_antivir_off="Switch the antivirus off"; |
$l_title_lan_ext = "External LAN access filtering"; |
$l_lan_ext_on="The access to the LAN located between ALCASAR and the Internet Gateway (box) is allowed"; |
$l_lan_ext_off="The access to the LAN located between ALCASAR and the Internet Gateway (box) is forbidden"; |
$l_switch_lan_ext_on="Allow access"; |
$l_switch_lan_ext_off="Deny access"; |
$l_title_proto = "Network protocols filter"; |
$l_netfilter_on="Actually, the network protocols filter is enable"; |
$l_netfilter_off="Actually, the network protocols filter is disable"; |
$l_switch_on="Switch the Filter on"; |
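Review bot: "Actually" is a false friend for the French "actuellement"; these strings mean "Currently". "is enable"/"is disable" should read "is enabled"/"is disabled". The new `$l_lan_ext_*` strings are fine as written.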
66,6 → 76,12 |
case 'AV_Off' : |
exec ("sudo /usr/local/sbin/alcasar-havp.sh -off"); |
break; |
case 'Lan_Ext_Filter_Off' : |
exec ("sudo /usr/local/sbin/alcasar-nf.sh -lan_ext_filter_off"); |
break; |
case 'Lan_Ext_Filter_On' : |
exec ("sudo /usr/local/sbin/alcasar-nf.sh -lan_ext_filter_on"); |
break; |
case 'NF_On' : |
exec ("sudo /usr/local/sbin/alcasar-nf.sh -on"); |
break; |
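Review bot: the `exec()` calls discard both output and exit status, so a failing alcasar-nf.sh (for example the missing-key case in alcasar.conf) goes unreported to the administrator; capture the return code (`exec($cmd, $out, $rc)`) and show an error when it is non-zero. Matching `choix` exactly in the switch before building the command is right: the user-supplied value never reaches the shell.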
187,7 → 203,7 |
</td></tr> |
</table> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=0> |
<tr><th><?echo "$l_title_proto";?></th></tr> |
<tr><th><?echo "$l_title_lan_ext";?></th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</table> |
<TABLE width="100%" border=1 cellspacing=0 cellpadding=0> |
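Review bot: this hunk replaces the `$l_title_proto` header with `$l_title_lan_ext` instead of adding a new table; since nothing in the visible lines shows where the protocol-filter section moved, confirm it is still rendered on the page.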
195,17 → 211,17 |
<?php |
if ($EXT_LAN_FILTERING == "on") |
{ |
echo "<CENTER><H3>$l_antivir_on</H3></CENTER>"; |
echo "<CENTER><H3>$l_lan_ext_off</H3></CENTER>"; |
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>"; |
echo "<input type=hidden name='choix' value=\"AV_Off\">"; |
echo "<input type=submit value=\"$l_switch_antivir_off\">"; |
echo "<input type=hidden name='choix' value=\"Lan_Ext_Filter_Off\">"; |
echo "<input type=submit value=\"$l_switch_lan_ext_on\">"; |
} |
else |
{ |
echo "<CENTER><H3>$l_antivir_off</H3></CENTER>"; |
echo "<CENTER><H3>$l_lan_ext_on</H3></CENTER>"; |
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>"; |
echo "<input type=hidden name='choix' value=\"AV_On\">"; |
echo "<input type=submit value=\"$l_switch_antivir_on\">"; |
echo "<input type=hidden name='choix' value=\"Lan_Ext_Filter_On\">"; |
echo "<input type=submit value=\"$l_switch_lan_ext_off\">"; |
} |
?> |
</FORM> |
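Review bot: the `if ($EXT_LAN_FILTERING == "on")` line shows as unchanged context while the strings and hidden `choix` values under it change from the antivirus toggle to the external-LAN toggle; check that `$EXT_LAN_FILTERING` is really read from alcasar.conf earlier in this file and that the antivirus form (AV_On/AV_Off, dropped here) is still rendered elsewhere. The state/button pairing itself is consistent (filtering on shows the "access forbidden" message and an "Allow access" button posting Lan_Ext_Filter_Off). The form posts only a hidden `choix` that drives a sudo script through `exec()`, with no anti-CSRF token in the visible markup; consider a per-session token checked before the switch so the firewall state cannot be flipped by a request forged against a logged-in administrator.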