Update to 6.5.1, sslproxy 0.7.0, libevent 2.1.11, and e2guardian 5.3.3

Doxyfile

@@ -5,7 +5,7 @@
 #---------------------------------------------------------------------------
 DOXYFILE_ENCODING      = UTF-8
 PROJECT_NAME           = "UTM Firewall"
-PROJECT_NUMBER         = 6.5
+PROJECT_NUMBER         = 6.5.1
 PROJECT_BRIEF          =
 PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = ./src/View/docs

README.md

@@ -6,7 +6,7 @@ You can find a couple of screenshots on the [wiki](https://github.com/sonertari/
 
 The installation iso file for the amd64 arch is available for download at [utmfw65\_20190506\_amd64.iso](https://drive.google.com/file/d/1djOr_Mc3NEt-nmnMbm1jtmJhHlF3Jy9z/view?usp=sharing). Make sure the SHA256 checksum is correct: f6c9ac66b328a1efcbda34df123cfa01f9cbdfbe9a0aac04ccb20ee7a065fc68.
 
-UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, Firebase push notifications, and network user authentication. Also note that UTMFW 6.5 comes with OpenBSD 6.5-stable including all updates until May 6th, 2019.
+UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, Firebase push notifications, and network user authentication. Also note that UTMFW 6.5.1 comes with OpenBSD 6.5-stable including all updates until August 13th, 2019.
 
 UTMFW supports deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL/TLS encrypted traffic is decrypted by [SSLproxy](https://github.com/sonertari/SSLproxy) and fed into the UTM services: Web Filter, POP3 Proxy, SMTP Proxy, and Inline IPS (and indirectly into Virus Scanner and Spam Filter through those UTM software). These UTM software have been modified to support the mode of operation required by SSLproxy.
 
@@ -104,7 +104,7 @@ However, the source tree has links to OpenBSD install sets and packages, which s
 	+ Copy the required install sets to the appropriate locations to fix the broken links in the sources.
 - Packages:
 	+ Download the required packages available on the OpenBSD mirrors.
-	+ Create the packages which are not available on the OpenBSD mirrors and/or have been modified for UTMFW: sslproxy, e2guardian, p3scan, smtp-gated, snort, imspector, snortips, and libevent 2.1.8 (see `ports` and `ports/distfiles`).
+	+ Create the packages which are not available on the OpenBSD mirrors and/or have been modified for UTMFW: sslproxy, e2guardian, p3scan, smtp-gated, snort, imspector, snortips, and libevent 2.1.11 (see `ports` and `ports/distfiles`).
 	+ Copy them to the appropriate locations to fix the broken links in the sources.
 
 Note that you can strip down xbase and xfont install sets to reduce the size of the iso file. Copy or link them to the appropriate locations under `openbsd/utmfw`.

cd/amd64/packages/e2guardian-5.3.3.tgz

@@ -0,0 +1 @@
+../../../docs/e2guardian/packages/amd64/e2guardian-5.3.3.tgz

cd/amd64/packages/libevent-2.1.11.tgz

@@ -0,0 +1 @@
+../../../docs/libevent/packages/amd64/libevent-2.1.11.tgz

cd/amd64/packages/sslproxy-0.7.0.tgz

@@ -0,0 +1 @@
+../../../docs/sslproxy/packages/amd64/sslproxy-0.7.0.tgz

config/etc/e2guardian/e2guardian.conf

@@ -1,4 +1,4 @@
-# e2guardian config file for version 5.3.2
+# e2guardian config file for version 5.3.3
 
 #NOTE This file is only read at start-up
 #
@@ -142,6 +142,16 @@ logsyslog = on
 # it has a different port.
 filterip = 127.0.0.1
 
+# loop prevention
+#
+# For loop prevention purposes list all IPs e2g can be reached on
+# Include all e2g host server IPs and any VIP used when when in an array.
+# Specify each IP on an individual checkip line.
+#
+# Defaults: Not set - no loop prevention 
+#         
+#checkip = 127.0.0.1
+
 # the ports that e2guardian listens to.  Specify one line per filterip
 # line.  If both mapportstoips and mapauthtoports are set to 'on'
 # you can specify different authentication mechanisms per port but
@@ -176,7 +186,7 @@ filterports = 8080
  # This is a connection timeout
  # If proxy is remote you may need to increase this to 10 or more.
 # Min 5 - Max 100
-proxytimeout = 20
+proxytimeout = 5
 
 # Connect timeout 
 # Set tcp timeout between the e2guardian and upstream service (proxy or target host)
@@ -651,6 +661,18 @@ enablessl = off
 #genratedcertend =
 # generatedcertstart =
 
+#Use openssl configuration file
+# switch this on if you want e2g to read in openssl configuration
+# This is useful if you want to use a hardware acceleration engine.
+# default is off
+#useopensslconf = off
+
+#Alternate openssl configuration file
+# only used if useopensslconf = on
+# default is to use standard openssl configuration file
+# only use this if an alternate openssl configuration file is used for e2g
+# opensslconffile = '/home/e2/openssl.conf'
+
 # monitor helper path 
 # If defined this script/binary will be called with start or stop appended as follows:-
 # Note change in V4!!! - No longer detects cache failure

config/etc/e2guardian/e2guardianf1.conf

@@ -1,4 +1,4 @@
-# e2guardian filter group config file for version 5.3.2
+# e2guardian filter group config file for version 5.3.3
 
 # This file is re-read on gentle restart and any changes actioned
 
@@ -303,9 +303,9 @@ bypasskey = ''
 #cgikey = 'you must change this text in order to be secure'
 
 #  Users will not be able to bypass sites/urls in these lists
-sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass'
-#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsiteiplistwithbypass'
-#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/bannedurllistwithbypass'
+sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass'
+#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/ipnobypass'
+#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/urlnobypass'
 
 # Infection/Scan Error Bypass
 # Similar to the 'bypass' setting, but specifically for bypassing files scanned and found

config/etc/e2guardian/e2guardianf2.conf

@@ -1,4 +1,4 @@
-# e2guardian filter group config file for version 5.3.2
+# e2guardian filter group config file for version 5.3.3
 
 # This file is re-read on gentle restart and any changes actioned
 
@@ -49,7 +49,7 @@ sitelist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfilesitelist2
 urllist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfileurllist2'
 sitelist = 'name=exception,messageno=602,path=/etc/e2guardian/lists/exceptionsitelist2'
 urllist = 'name=exception,messageno=603,path=/etc/e2guardian/lists/exceptionurllist2'
-sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass2'
+sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass2'
 urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist2'
 sitelist = 'name=grey,path=/etc/e2guardian/lists/greysitelist2'
 urllist = 'name=grey,path=/etc/e2guardian/lists/greyurllist2'

config/etc/e2guardian/e2guardianf3.conf

@@ -1,4 +1,4 @@
-# e2guardian filter group config file for version 5.3.2
+# e2guardian filter group config file for version 5.3.3
 
 # This file is re-read on gentle restart and any changes actioned
 
@@ -50,7 +50,7 @@ sitelist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfilesitelist3
 urllist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfileurllist3'
 sitelist = 'name=exception,messageno=602,path=/etc/e2guardian/lists/exceptionsitelist3'
 urllist = 'name=exception,messageno=603,path=/etc/e2guardian/lists/exceptionurllist3'
-sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass3'
+sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass3'
 urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist3'
 sitelist = 'name=grey,path=/etc/e2guardian/lists/greysitelist3'
 urllist = 'name=grey,path=/etc/e2guardian/lists/greyurllist3'

config/etc/e2guardian/e2guardianf4.conf

@@ -1,4 +1,4 @@
-# e2guardian filter group config file for version 5.3.2
+# e2guardian filter group config file for version 5.3.3
 
 # This file is re-read on gentle restart and any changes actioned
 
@@ -303,9 +303,9 @@ bypasskey = ''
 #cgikey = 'you must change this text in order to be secure'
 
 #  Users will not be able to bypass sites/urls in these lists
-sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass'
-#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsiteiplistwithbypass'
-#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/bannedurllistwithbypass'
+sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass'
+#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/ipnobypass'
+#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/urlnobypass'
 
 # Infection/Scan Error Bypass
 # Similar to the 'bypass' setting, but specifically for bypassing files scanned and found

config/etc/motd

@@ -1,5 +1,5 @@
-UTMFW 6.5
+UTMFW 6.5.1
 
-Welcome to UTMFW 6.5: May 2019
-UTMFW 6.5'e hosgeldiniz: May 2019
+Welcome to UTMFW 6.5.1: Aug 2019
+UTMFW 6.5.1'e hosgeldiniz: Agu 2019
 

config/etc/sslproxy/sslproxy.conf

@@ -1,4 +1,4 @@
-# Sample configuration for sslproxy v0.6.0
+# Sample configuration for sslproxy v0.7.0
 #
 # Use the -f command line option to start sslproxy with a config file.
 # See sslproxy.conf(5) and sslproxy(1) for documentation.
@@ -79,13 +79,21 @@ CAKey /etc/sslproxy/ca.key
 # (default: none)
 #DisableSSLProto tls10
 
+# Min SSL/TLS protocol version.
+# (default: tls10)
+#MinSSLProto tls10
+
+# Max SSL/TLS protocol version.
+# (default: tls12)
+#MaxSSLProto tls12
+
 # Use the given OpenSSL cipher suite spec.
 # Equivalent to -s command line option.
 # (default: ALL:-aNULL)
 Ciphers ALL:!RC4
 
 # Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
-# (default: 1024)
+# (default: 2048)
 LeafKeyRSABits 2048
 
 # OpenSSL engine to activate, either ID or full path to shared library

config/utmfw.files

@@ -13,9 +13,9 @@ etc/e2guardian/lists/bannedregexpurllist3,644,root,wheel
 etc/e2guardian/lists/bannedsitelist,644,root,wheel
 etc/e2guardian/lists/bannedsitelist2,644,root,wheel
 etc/e2guardian/lists/bannedsitelist3,644,root,wheel
-etc/e2guardian/lists/bannedsitelistwithbypass,644,root,wheel
-etc/e2guardian/lists/bannedsitelistwithbypass2,644,root,wheel
-etc/e2guardian/lists/bannedsitelistwithbypass3,644,root,wheel
+etc/e2guardian/lists/domainsnobypass,644,root,wheel
+etc/e2guardian/lists/domainsnobypass2,644,root,wheel
+etc/e2guardian/lists/domainsnobypass3,644,root,wheel
 etc/e2guardian/lists/bannedurllist,644,root,wheel
 etc/e2guardian/lists/bannedurllist2,644,root,wheel
 etc/e2guardian/lists/bannedurllist3,644,root,wheel

config/utmfw.mtree

@@ -126,9 +126,9 @@ bannedregexpurllist3	type=file mode=0644 uname=root gname=wheel
 bannedsitelist	type=file mode=0644 uname=root gname=wheel
 bannedsitelist2	type=file mode=0644 uname=root gname=wheel
 bannedsitelist3	type=file mode=0644 uname=root gname=wheel
-bannedsitelistwithbypass	type=file mode=0644 uname=root gname=wheel
-bannedsitelistwithbypass2	type=file mode=0644 uname=root gname=wheel
-bannedsitelistwithbypass3	type=file mode=0644 uname=root gname=wheel
+domainsnobypass	type=file mode=0644 uname=root gname=wheel
+domainsnobypass2	type=file mode=0644 uname=root gname=wheel
+domainsnobypass3	type=file mode=0644 uname=root gname=wheel
 bannedurllist	type=file mode=0644 uname=root gname=wheel
 bannedurllist2	type=file mode=0644 uname=root gname=wheel
 bannedurllist3	type=file mode=0644 uname=root gname=wheel

meta/install.sub

@@ -1105,13 +1105,13 @@ CDDEVS=$(scan_dmesg "${MDCDDEVS:-/^cd[0-9][0-9]* /s/ .*//p}")
 
 # Selected sets will be installed in the order they are listed in $THESETS.
 THESETS="isc-bind-9.11.6v0.tgz \
-		sslproxy-0.6.0.tgz \
+		sslproxy-0.7.0.tgz \
 		clamav-0.101.2.tgz \
 		clamavdb.tar.gz \
 		p5-Mail-SpamAssassin-3.4.2p1.tgz \
 		p3scan-2.3.2.tgz \
 		smtp-gated-1.4.20.0.tgz \
-		e2guardian-5.3.2.tgz \
+		e2guardian-5.3.3.tgz \
 		blacklists.tar.gz \
 		snort-2.9.13.tgz \
 		snortrules.tar.gz \

meta/root.mail

@@ -1,14 +1,11 @@
-From [email protected] Mon May  6 06:50:00 EET 2019
+From [email protected] Tue Aug 13 06:50:10 EET 2019
 Return-Path: root
-Date: May  6 06:50:00 EET 2019
+Date: Aug 13 06:50:10 EET 2019
 From: [email protected] (Soner Tari)
 To: root
-Subject: Welcome to UTMFW 6.5!
+Subject: Welcome to UTMFW 6.5.1!
 
 Highlights of this release are:
-- User authentication by SSLproxy 0.6.0
-- User-based web filtering and user statistics for http/pop3/smtp
-- OpenBSD 6.5
-- PHP 7.3, E2Guardian 5.3.2 with support for SSLproxy users
-- Variety of other updates and improvements
+- SSLproxy 0.7.0 and Libevent 2.1.11
+- E2Guardian 5.3.3
 

ports/e2guardian/Makefile

@@ -1,5 +1,5 @@
 COMMENT =	content scanning web filter
-DISTNAME =	e2guardian-5.3.2
+DISTNAME =	e2guardian-5.3.3
 CATEGORIES =	www net
 
 HOMEPAGE =	http://www.e2guardian.org/
@@ -13,7 +13,7 @@ WANTLIB =               c m pcre pcreposix stdc++ z
 
 # You may need to download the source package yourself,
 # and copy it under /usr/ports/distfiles/
-MASTER_SITES=	https://github.com/e2guardian/e2guardian/releases/tag/v5.3.2/
+MASTER_SITES=	https://github.com/e2guardian/e2guardian/releases/tag/v5.3.3/
 
 LIB_DEPENDS =           devel/pcre
 

ports/e2guardian/distinfo

@@ -1,2 +1,2 @@
-SHA256 (e2guardian-5.3.2.tar.gz) = /xUJAVe46nt5EKiTuzv1grVljNK0qUF4Bb1cjMG6Xik=
-SIZE (e2guardian-5.3.2.tar.gz) = 2009156
+SHA256 (e2guardian-5.3.3.tar.gz) = nYj30sM54BWG0mfyWjAYaC0RW4qq3Bi+2uke+rUchbQ=
+SIZE (e2guardian-5.3.3.tar.gz) = 2009254

ports/e2guardian/patches/patch-src_ConnectionHandler_cpp

@@ -2,7 +2,7 @@ $OpenBSD$
 Index: src/ConnectionHandler.cpp
 --- src/ConnectionHandler.cpp.orig
 +++ src/ConnectionHandler.cpp
-@@ -473,8 +473,13 @@ ConnectionHandler::connectUpstream(Socket &sock, Naugh
+@@ -485,8 +485,14 @@ ConnectionHandler::connectUpstream(Socket &sock, Naugh
          cm.upfailure = false;
          if (cm.isdirect) {
              String des_ip;
@@ -15,10 +15,11 @@ Index: src/ConnectionHandler.cpp
 +                } else {
 +                    des_ip = cm.urldomain;
 +                }
-                 sock.setTimeout(o.connect_timeout);
- #ifdef DGDEBUG
-                 std::cerr << thread_id << "Connecting to IPHost " << des_ip << " port " << port << std::endl;
-@@ -692,8 +697,9 @@ int ConnectionHandler::handleConnection(Socket &peerco
++
+                 if (may_be_loop) {  // check check_ip list
+                     bool do_break = false;
+                     if (o.check_ip.size() > 0) {
+@@ -735,8 +741,9 @@ int ConnectionHandler::handleConnection(Socket &peerco
                      //int pport = peerconn.getPeerSourcePort();
                      std::string peerIP = peerconn.getPeerIP();
 
@@ -30,7 +31,7 @@ Index: src/ConnectionHandler.cpp
  #ifdef DGDEBUG
                      std::cerr << thread_id << " No header recd from client - errno: " << err << std::endl;
  #endif
-@@ -781,6 +787,23 @@ int ConnectionHandler::handleConnection(Socket &peerco
+@@ -824,6 +831,23 @@ int ConnectionHandler::handleConnection(Socket &peerco
 
              }
  //
@@ -54,7 +55,7 @@ Index: src/ConnectionHandler.cpp
              // do this normalisation etc just the once at the start.
              checkme.setURL(ismitm);
 
-@@ -2376,7 +2399,7 @@ bool ConnectionHandler::getdnstxt(std::string &clienti
+@@ -2421,7 +2445,7 @@ bool ConnectionHandler::getdnstxt(std::string &clienti
      // get info from DNS
      union {
          HEADER hdr;
@@ -63,7 +64,7 @@ Index: src/ConnectionHandler.cpp
      } response;
      int responseLen;
      ns_msg handle; /* handle for response message */
-@@ -2924,7 +2947,7 @@ bool ConnectionHandler::checkByPass(NaughtyFilter &che
+@@ -2972,7 +2996,7 @@ bool ConnectionHandler::checkByPass(NaughtyFilter &che
              }
          } else if (ldl->fg[filtergroup]->bypass_mode != 0) {
              if (header.isBypassCookie(checkme.urldomain, ldl->fg[filtergroup]->cookie_magic.c_str(),

ports/e2guardian/patches/patch-src_FOptionContainer_cpp

@@ -2,7 +2,7 @@ $OpenBSD$
 Index: src/FOptionContainer.cpp
 --- src/FOptionContainer.cpp.orig
 +++ src/FOptionContainer.cpp
-@@ -378,7 +378,7 @@ bool FOptionContainer::read(const char *filename) {
+@@ -376,7 +376,7 @@ bool FOptionContainer::read(const char *filename) {
 
          if (reporting_level == 0) {
              std::cerr << thread_id << "Reporting_level is : " << reporting_level << " file " << filename << std::endl;

ports/e2guardian/patches/patch-src_FatController_cpp

@@ -3,7 +3,7 @@ $OpenBSD$
 Index: src/FatController.cpp
 --- src/FatController.cpp.orig
 +++ src/FatController.cpp
-@@ -1036,7 +1036,7 @@ void log_listener(std::string log_location, bool logco
+@@ -1037,7 +1037,7 @@ void log_listener(std::string log_location, bool logco
                              postdata + "\"";
                  break;
              case 1:
@@ -12,7 +12,7 @@ Index: src/FatController.cpp
                              + how + " " + ssize + " " + sweight + " " + cat + " " + stringgroup + " "
                              + stringcode + " " + mimetype + " " + clienthost + " " + ldl->fg[filtergroup]->name + " "
                              + useragent + " " + params + " " + o.logid_1 + " " + o.logid_2 + " " + postdata;
-@@ -1077,7 +1077,7 @@ void log_listener(std::string log_location, bool logco
+@@ -1078,7 +1078,7 @@ void log_listener(std::string log_location, bool logco
          if (!logsyslog)
              *logfile << builtline << std::endl; // append the line
          else
@@ -21,7 +21,7 @@ Index: src/FatController.cpp
  #ifdef DGDEBUG
          std::cerr << itemcount << " " << builtline << std::endl;
  #endif
-@@ -1673,12 +1673,11 @@ int fc_controlit()   //
+@@ -1694,12 +1694,11 @@ int fc_controlit()   //
              gentlereload = false;
              continue;        //  OK to continue even if gentle failed - just continue to use previous lists
          }
@@ -38,7 +38,7 @@ Index: src/FatController.cpp
              }
          } else {
              if (rc == SIGUSR1)
-@@ -1691,7 +1690,7 @@ int fc_controlit()   //
+@@ -1712,7 +1711,7 @@ int fc_controlit()   //
              std::cerr << "signal:" << rc << std::endl;
  #endif
              if (o.logconerror) {

ports/e2guardian/patches/patch-src_Socket_hpp

@@ -17,6 +17,6 @@ Index: src/Socket.hpp
      int my_port;
 +    std::string actualPeerAddr;
 +    int actualPeerPort;
-     bool ieof;
+     bool ieof = false;
  };
 

ports/e2guardian/pkg/PLIST

@@ -235,7 +235,6 @@ share/examples/e2guardian/lists/bannedsiteiplist
 @sample ${SYSCONFDIR}/e2guardian/lists/bannedsiteiplist
 share/examples/e2guardian/lists/bannedsitelist
 @sample ${SYSCONFDIR}/e2guardian/lists/bannedsitelist
-share/examples/e2guardian/lists/bannedsitelistwithbypass
 share/examples/e2guardian/lists/bannedsslsiteiplist
 @sample ${SYSCONFDIR}/e2guardian/lists/bannedsslsiteiplist
 share/examples/e2guardian/lists/bannedsslsitelist