Update script (fw_upgrade)


Hans
Administrator
This is a start post to keep track of changes to the FW_UPGRADE script. For any updates, please reply to this thread and I will update this first post.

VERSION 7.1

To update:
download the fw_upgrade script: fw_upgrade71.fw_upgrade71
copy fw_upgrade.txt to the /sbin folder and rename it to fw_upgrade
Job schedule: In LuCI System>Scheduled Job 31 03 * * 0 sh /sbin/fw_upgrade (default settings)
Run manually: In CLI sh /sbin/fw_upgrade

Changes below:
----
################################################################################################
# File name  fw_upgrade                                                                        #
# Created by ITUS                                                                              #
# Original version from firmware 1.51 sp1                                                      #
# VERSION NUMBER 1.51 - 7.1                                                                    #
# Last Modified date 15th March 2016                                                           #
# Changes - roadrunnere42 - forgot to uncomment webfilter and one snort rule my mistake due to #
#           testing                                                                            #
# Changes - roadrunnere42 - Checks for duplicate rules and removes, tidy code and bug fixes    #
#           removed drug rule because www.shallalist.de site is too up and down causing script #
#           to stall.                                                                          #
# Changes - roadrunnere42 - Only new snort rules are added to the list instead of rewriting    #
#           the whole list, complete new snort list download every 14 days. Malicious and      #
#           ads list, downloaded in memory and duplicate ip's are removed before writing.      #
#           Drug rules are now updated in memory from http://www.shallalist.de and added to    #
#           original from Itus, only updated if selected in gui.                               #
#                                                                                              #
# Changes - Hans run webfilter based on ads/malicious settings in UCI                          #
#           Perform DNSMASQ restart / SNORT restart only in case of updates                    #
# Changes - Hans correction in line 17 based on Wisywig error                                  #
# Changes - Hans added rules function calls into scripts                                       #
# Changes - roadrunnere42 added ramdisk and checks to see if files exist before removing       #
# Changes - user8446 added option switches to curl commands as follows: added -1 to force      #
# connections =/> TLS1.0 for IPS, -m to exit if connection drops or host is down to keep script#
# from hanging for all curl commands                                                           #
#                                                                                              #
# When changing the script please update WHAT YOU CHANGED OR ADDED, ADD 1 TO THE VERSION       #
# NUMBER AND DATE CHANGED.                                                                     #
# This will make it easier in time to come to identify what you have and who did what.         #
################################################################################################

Also, my cron job to update these rules is not daily anymore; I've set it to weekly for now.
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: Update script (fw_upgrade)

Wisiwyg
Thank you!!

Will check it out.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Update script (fw_upgrade)

Roadrunnere42
In reply to this post by Hans
Hi Hans
Have made a few changes to the fw_upgrade script, hope you don't mind. Have added more comments, but the main thing is that now there is a ramdisk created in memory just before downloading the rules, instead of downloading straight to disk; the rules are then sorted and put into the correct format (nothing changed there), then copied to the original place. This will save a little wear on the eMMC memory. The ramdisk is then unmounted to free the memory back up.

Not sure how to do it at present as I'm not a Linux guy, but I want to compare the file that's downloaded into the ramdisk with the rules on the disk and only add the new rules, also the rules that have been removed from the download rules.

roadrunnere42
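
The staging and comparison step described in the post above, as an added example that is not part of the fw_upgrade script or written by any poster in this thread. The function name, file layout and tmpfs size are assumptions; the rule lines used to exercise it would be constructed samples.

```sh
#!/bin/sh
# Added example, not the fw_upgrade script. Names are hypothetical.
# On the Shield, STAGE would be a tmpfs mount (the ramdisk), for instance
#   mount -t tmpfs -o size=16m tmpfs /tmp/stage   ...   umount /tmp/stage
# (size is an assumed value); any scratch directory works for this logic.

# merge_list DOWNLOADED CURRENT STAGE
# Returns 0 if CURRENT was rewritten (restart the service),
#         1 if nothing changed (flash untouched, no restart),
#         2 if the download was empty or unusable (CURRENT kept as is).
merge_list() {
    ml_new=$1; ml_cur=$2; ml_stage=$3
    [ -r "$ml_new" ] || return 2

    # Normalise the download: strip CRs, drop blanks and comments, dedupe.
    tr -d '\r' < "$ml_new" |
        grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' |
        sort -u > "$ml_stage/new.sorted"
    # A failed or truncated download must never wipe the rules on disk.
    [ -s "$ml_stage/new.sorted" ] || return 2

    sort -u "$ml_cur" > "$ml_stage/cur.sorted" 2>/dev/null || : > "$ml_stage/cur.sorted"

    # -F fixed strings, -x whole line, -v invert: lines present on one side only.
    grep -Fxv -f "$ml_stage/cur.sorted" "$ml_stage/new.sorted" > "$ml_stage/added" || :
    grep -Fxv -f "$ml_stage/new.sorted" "$ml_stage/cur.sorted" > "$ml_stage/removed" || :

    if [ ! -s "$ml_stage/added" ] && [ ! -s "$ml_stage/removed" ]; then
        return 1
    fi

    # Single write to flash, then rename so readers never see a partial file.
    cp "$ml_stage/new.sorted" "$ml_cur.tmp" && mv "$ml_cur.tmp" "$ml_cur"
}
```

The `added` and `removed` files left in the staging directory list exactly which rules changed, and the return code tells the caller whether a snort or dnsmasq restart is needed.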

Re: Update script (fw_upgrade)

Roadrunnere42
whoops forgot script
fw_upgrade.fw_upgrade

roadrunnere42

Re: Update script (fw_upgrade)

Hans
Administrator
In reply to this post by Roadrunnere42
Thanks Andy

I've updated the first post of this topic.

cheers,
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: Update script (fw_upgrade)

stangrunner
In reply to this post by Roadrunnere42
Thank you all for the improvements.  I am running my Shield in Router mode and your fw_upgrade script works great.  


Re: Update script (fw_upgrade)

StyxUT
Worked for me in router mode as well. Thank you!

Re: Update script (fw_upgrade)

ericsante
In reply to this post by Hans
Why don't we also create a GitHub account to track changes?

Re: Update script (fw_upgrade)

Wisiwyg
Running the latest script...

One minor issue - line 17, expecting then

The 'then' statement was at the end of the line with the 'if' statement. Moved to next line - all works

Thanks again for all the updates!
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Update script (fw_upgrade)

Roadrunnere42
Thanks Wisiwyg for finding the syntax error (just needed to add a space).

Updated script to version 1.1 to reflect change.

roadrunnere42
fw_upgrade.fw_upgrade

Re: Update script (fw_upgrade)

user8446
Administrator
Nice updates and changes to the script everyone! Just updated mine and worked perfect
Running in bridge mode, 1.51 SP1 fw

Re: Update script (fw_upgrade)

Hans
Administrator
Updated script to run based on UCI settings for the webfilter (Ads / Malicious only)
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: Update script (fw_upgrade)

user8446
Administrator
Hans - Nice little automation there!!

Also, if anyone is not running the web filter comment out the dnsmasq restart. It'll save more writes and sorting out the lists.
Running in bridge mode, 1.51 SP1 fw

Re: Update script (fw_upgrade)

Roadrunnere42
In reply to this post by Hans
Nice addition

The command you used (uci get e2guardian.e2guardian.content_ads): is uci a Linux command or specific to the Shield?

I have another question. Looking at the fw_upgrade code, the Shield gets all the ads and puts them into a single file, so where do all the lists in /etc/itus/lists come from and how do these get updated?

Re: Update script (fw_upgrade)

Hans
Administrator
Roadrunnere42 wrote
The command you used (uci get e2guardian.e2guardian.content_ads): is uci a Linux command or specific to the Shield?
This is OpenWRT specific - not sure if it is Linux specific

Roadrunnere42 wrote
I have another question. Looking at the fw_upgrade code, the Shield gets all the ads and puts them into a single file, so where do all the lists in /etc/itus/lists come from and how do these get updated?
Don't know about the others - good question

user8446 wrote
Nice little automation there!!

Also, if anyone is not running the web filter comment out the dnsmasq restart. It'll save more writes and sorting out the lists.
Good idea - added it already to the script (var do_dnsmasq_restart)
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: Update script (fw_upgrade)

Wisiwyg
Great stuff!! Gone for a day and Bam! good things happen!
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Update script (fw_upgrade)

user8446
Administrator
Nice job as usual!
Running in bridge mode, 1.51 SP1 fw

Re: Update script (fw_upgrade)

user8446
Administrator
Update 1.51 - 5

fw_upgrade.fw_upgrade

Changelog:
Security & stability update

1. Added -1 option switch to cURL for IPS updates to force encrypted connections =/> TLS1.0 and not fall back to SSL 3.0 or lower. Mitigation against SSL downgrade attacks (SSL poodle attack) and help against DNS hijacking.
I tried to remove the -k option switch (which allows no cert verification) in the script but cURL can't verify the certificate so it exits.

2. Added -m option switch to all curl commands to exit in 40 seconds if connection drops or the host is down to keep script from hanging
Running in bridge mode, 1.51 SP1 fw
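
The curl switches from the changelog above (-1 and -m 40) combined with certificate verification against an explicit CA bundle in place of -k, as an added example that is not part of fw_upgrade or written by any poster in this thread. The function name and the CA_BUNDLE path are assumptions; the bundle must contain the CA that signs the rule feed's certificate.

```sh
#!/bin/sh
# Added example, not part of fw_upgrade. Function names are hypothetical and
# CA_BUNDLE is an assumed path; point it at the CA file that signs the feed.
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# fetch_verified URL DEST
# Returns 0 on success, 1 on download failure (DEST left untouched),
#         2 if the CA bundle is missing, 3 if URL is not https.
fetch_verified() {
    fv_url=$1; fv_dest=$2
    case $fv_url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $fv_url" >&2; return 3 ;;
    esac
    # Fail closed: never fall back to -k when verification cannot be done.
    if [ ! -r "$CA_BUNDLE" ]; then
        echo "CA bundle not readable: $CA_BUNDLE" >&2
        return 2
    fi
    # --tlsv1 (-1): TLS 1.0 or later, no SSLv3.  --max-time (-m): give up after 40 s.
    # --cacert: verify the server against this bundle instead of using -k.
    # --fail: treat HTTP errors as failures rather than saving the error page.
    if curl --tlsv1 --max-time 40 --fail --silent --show-error \
            --cacert "$CA_BUNDLE" -o "$fv_dest.part" "$fv_url" &&
       [ -s "$fv_dest.part" ]; then
        mv "$fv_dest.part" "$fv_dest"
    else
        rm -f "$fv_dest.part"
        echo "download failed, keeping existing $fv_dest" >&2
        return 1
    fi
}
```

Any non-zero return leaves the existing rules file in place, so a failed verification or timeout keeps the previous rule set active.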

Re: Update script (fw_upgrade)

breda
In reply to this post by Hans
Hi, Hans where can I find

Job schedule: In LuCI System>Scheduled Job 31 03 * * 0 sh /sbin/fw_upgrade (default settings)
Run manually: In CLI sh /sbin/fw_upgrade



I have the file fw-upgrade name changed and copy in sbin