Author Topic: Firewall distributions, miscellaneous (Read 5621 times)


SiLæncer (offline)

  • Cheff-Cubie
  • *****
  • Posts: 189183
  • No input, no output
    • DVB-Cube
IPFire 2.19 Core 106
« Reply #30 on: 03 November 2016, 17:00 »
Release Notes

This is the official release announcement for IPFire 2.19 – Core Update 106 which comes with a number of exciting new features, many bug fixes and a few security improvements.
Change of the DNS Proxy

IPFire used dnsmasq as DNS proxy before, which is now replaced by unbound. The latter, in contrast to the former, is software that is specifically designed as a DNS forwarding proxy or DNS recursor and has implemented DNSSEC from early on.

Because of our decision to enable DNSSEC by default and various problems in dnsmasq we have been toying with the idea of replacing it for a very long time. Unfortunately development resources are tight and because of this being a substantial part of the system and hooked into many other things, this was a very time-consuming project.

Finally, this new solution should now bring various advantages:
Performance

unbound is multi-threaded and IPFire will start one thread per CPU core that is available. That will allow execution of multiple queries in parallel which should increase responsiveness and throughput.

The cache size is adjusted based on memory available on the system. Bigger systems will have a significantly bigger DNS cache which will speed up browsing especially in larger environments like universities with a large number of clients.
Better DNSSEC reliability

DNSSEC is enabled by default (as it was before). However, unbound does not rely on the upstream servers being validating resolvers, too. This will bring DNSSEC to many more users. DNS servers are now tested before being passed on for use and any malfunctioning DNS servers won’t be used. The status of this can be seen on the user web interface.

Please see this list of various DNS services on the Internet for more details.

If none of the DNS servers configured or received from the provider can be used, unbound will fall back to full recursor mode.

With the next key rollover of the DNS root zone, IPFire will automatically download and validate the new key according to RFC5011.
Enhanced Features

DHCP leases will be published into the local DNS zone as before. Static leases are imported as well, which is a new feature. Every IP address will resolve to its hostname by publishing PTR records.
Misc

    Passwords are now saved with a stronger hash (SHA512), which was MD5 before. Please change the root password using the setup tools to store your passwords with the improved hash.
    Firewall: An incorrect validation of destination IP addresses for rules that use Destination NAT caused some valid addresses not to be accepted. This is fixed now.
    PPP connections no longer require a password being set (some providers require these to be empty)
    The NTP client now waits correctly for WiFi connections to be established before continuing to boot
    The samba add-on enables SMBv2 by default
    IPFire now ships the firmware for MediaTek 7601 series devices
    Various old software components that are not used any more have been cleaned up from the system
    The iptables page on the web user interface has been improved to be more readable

Updated Packages

This update installs a large number of updated packages:

    openssl 1.0.2j which fixes some implementation errors and DoS introduced in the 1.0.2i update
    strongswan has been updated to version 5.5.0
    attr 2.4.47, dejagnu 1.6, diffutils 3.5, expat 2.2.0, file 5.28, flex 2.6.1, gettext 0.19.8.1, gnupg 1.4.21, iproute2 4.7.0, ipset 6.29, libassuan 2.4.3, libgcrypt 1.7.3, libidn 1.33, libgpg-error 1.24, libnetfilter_conntrack 1.0.6, libmnl 1.0, make 4.2.1, smartmontools 6.5, squid 3.5.21, usb_modeswitch 2.4.0, usb_modeswitch_data 20160803

Add-ons

    The new Guardian 2.0 add-on’s user interface received some cosmetic changes

Updated Packages

    asterisk 11.23.1
    krb 1.14.4
    Midnight Commander 4.8.18
    monit 5.19.0
    nano 2.6.3
    transmission 2.92


http://www.ipfire.org/download

Work and test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 (BDA driver 5.0.1.8) + Terratec Cinergy 1200 C (BDA driver 4.8.3.1.8)
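The Core Update 106 notes above say the root password is now stored with a SHA-512 crypt hash instead of MD5, but only once the password is changed. The following audit script is an added example (not IPFire's own code) that reads /etc/shadow-formatted lines and reports accounts whose hash still uses a weak crypt(3) scheme; the sample entries and their hash bodies are constructed placeholders, not real hashes.

```python
"""Audit shadow-style password entries for weak crypt(3) hash schemes.

Constructed example, not IPFire's own code. Core Update 106 stores the
root password with SHA-512 crypt ($6$) instead of MD5 crypt ($1$), but an
existing hash is only upgraded when the password is changed. This check
reads /etc/shadow-formatted lines (sample data below is made up) and
reports the accounts still relying on a weak scheme.
"""
from typing import Dict, List, Tuple

# crypt(3) "$id$" prefixes -> (scheme name, considered weak?)
HASH_SCHEMES: Dict[str, Tuple[str, bool]] = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}


def classify_hash(pwfield: str) -> Tuple[str, bool]:
    """Return (scheme, weak?) for the second field of a shadow entry."""
    if pwfield == "":
        return ("empty-password", True)          # login without any password
    if pwfield.startswith(("!", "*")):
        return ("locked-or-disabled", False)     # no usable hash at all
    for prefix, info in HASH_SCHEMES.items():
        if pwfield.startswith(prefix):
            return info
    # No recognised "$id$" prefix: traditional 13-character DES crypt or unknown
    return ("descrypt-or-unknown", True)


def audit_shadow(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account, scheme) for every entry that uses a weak scheme."""
    weak: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                              # malformed line, skip it
        scheme, is_weak = classify_hash(fields[1])
        if is_weak:
            weak.append((fields[0], scheme))
    return weak


# Constructed sample; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "root:$1$Xy3kLq9z$0123456789abcdefghijkl:17400:0:99999:7:::",
    "admin:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ:17400:0:99999:7:::",
    "nobody:*:17400:0:99999:7:::",
    "legacy:AbCdEfGhIjKlM:17400:0:99999:7:::",
    "# comment lines are ignored",
]

if __name__ == "__main__":
    for account, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{account}: still using {scheme}; change the password to re-hash with SHA-512")
```

Run against the real file as root (`audit_shadow(open("/etc/shadow").read().splitlines())`) after the update; every account it lists keeps its old MD5 or DES hash until the password is set again.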

SiLæncer
IPFire 2.19 Core 108
« Reply #31 on: 23 December 2016, 13:00 »
Changelog

Asynchronous Logging:

Asynchronous logging is now enabled by default and not configurable any more. This made some programs that wrote an extensive amount of log messages slow down and become possibly unresponsive over the network, which caused various problems. This was seen on systems with very slow flash media and in virtual environments.

Miscellaneous:

The check that tests DNS servers for any misconfiguration assumed some name servers to be validating although they were not and very likely not working at all. This has been fixed now and systems using these broken name servers should fall back to recursor mode.
A problem in the firewall GUI was fixed that prohibited adding an IPsec VPN connection and OpenVPN connection with the same name to a firewall group.

Updated Core Packages:

strongswan was updated to version 5.5.1 which fixes various bugs
ntp was updated to version 4.2.8p9 which fixes various security issues
ddns was updated to version 008

Updated Add-ons:

nano, the text editor, was updated to version 2.7.1
tor, the anonymity network, was updated to version 0.2.8.10


http://www.ipfire.org/download


SiLæncer
IPFire 2.19 Core 109
« Reply #32 on: 20 February 2017, 17:00 »
Changelog

DNS Fixes:

The DNS proxy which is working inside IPFire has been updated to unbound 1.6.0 which brings various bug fixes. Therefore, QNAME minimisation and hardening below NX domains have been re-activated.
At start time, IPFire now also checks if a router in front of IPFire drops DNS responses which are longer than a certain threshold (some Cisco devices do this to “harden” DNS). If this is detected, the EDNS buffer size is reduced, which makes unbound fall back to TCP for larger responses. This might slow down DNS slightly, but keeps it working after all in those misconfigured environments.

Misc:

openssl has been updated to 1.0.2k which fixes a number of security vulnerabilities with “moderate” severity
The kernel is now supporting some newer eMMC modules
The backup script is now working more reliably on all architectures
The network scripts that created MACVTAP bridges for virtualisation among other things now support standard 802.3 bridges, too
The firewall GUI denied creating subnets which were a subnet of any of the standard networks, which has been fixed
Matthias Fischer submitted package updates for: bind 9.11.0-P2 with some security fixes, libpcap 1.8.1, logrotate 3.9.1, perl-GeoIP module 1.25, snort 2.9.9.0, squid 3.5.24 which fixes various bugs, sysklogd 1.5.1, zlib 1.2.11
Furthermore, libpng has been updated to 1.2.57 which fixes some security vulnerabilities

Add-ons:

Jonatan Schlag packaged Python 3 for IPFire
He also updated libvirt to version 2.5 and qemu to version 2.8
Matthias Fischer submitted a number of updates for the following packages: nano 2.7.2, tcpdump 4.8.1, tmux 2.3
tor has been updated to 0.2.9.9 which fixes a number of denial-of-service vulnerabilities
sarg has been updated to 2.3.10


http://www.ipfire.org/download

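The Core 109 notes re-activate QNAME minimisation and "hardening below NX domains" in unbound. The following is an added illustration (not unbound's code) of what those two behaviours mean on the wire: the first function lists the queries a minimising resolver sends for a name, so you can see that the root and TLD servers never learn the full name; the second models the NXDOMAIN rule (RFC 8020) that lets a cached negative answer for a parent name answer every child name without a query. The zone and name lists are constructed inputs.

```python
"""Show which names a QNAME-minimising resolver reveals to each server.

Added illustration, not unbound's code. With QNAME minimisation (RFC 7816)
the resolver does not send the full name to every authoritative server; it
asks each level only for the next label below the closest zone cut it
already knows. The second function models the "harden below NXDOMAIN"
behaviour (RFC 8020): a cached NXDOMAIN for a name proves that every name
below it does not exist either, so no query is sent at all.
"""
from typing import List, Tuple


def _labels(name: str) -> List[str]:
    """'www.example.com.' -> ['www', 'example', 'com'] (root label dropped)."""
    return [label for label in name.rstrip(".").split(".") if label]


def minimised_queries(qname: str, qtype: str, known_zones: List[str]) -> List[Tuple[str, str]]:
    """Return the (name, type) pairs sent, starting below the closest known zone.

    known_zones lists zones whose NS records are already cached, e.g. ['.', 'com.'].
    Intermediate steps ask for NS only; the final step asks for the real qtype.
    """
    target = _labels(qname)
    best: List[str] = []
    for zone in known_zones:
        zl = _labels(zone)
        # the longest known zone that is a suffix of qname is the starting point
        if 0 < len(zl) <= len(target) and target[-len(zl):] == zl and len(zl) > len(best):
            best = zl
    queries: List[Tuple[str, str]] = []
    depth = len(best)
    while depth < len(target):
        depth += 1
        name = ".".join(target[-depth:]) + "."
        queries.append((name, qtype if depth == len(target) else "NS"))
    if not queries:
        # qname is itself a known zone apex (or the root): a single full query
        queries.append((".".join(target) + "." if target else ".", qtype))
    return queries


def covered_by_nxdomain(qname: str, nxdomain_cache: List[str]) -> bool:
    """True if a cached NXDOMAIN ancestor already answers qname (RFC 8020)."""
    target = _labels(qname)
    for nx in nxdomain_cache:
        nl = _labels(nx)
        if 0 < len(nl) <= len(target) and target[-len(nl):] == nl:
            return True
    return False


if __name__ == "__main__":
    # constructed inputs: only the root zone's NS set is cached
    for name, qtype in minimised_queries("www.example.com.", "A", ["."]):
        print(f"query {name:<20} {qtype}")
    print(covered_by_nxdomain("www.example.com.", ["example.com."]))
```

The privacy gain is the point: with only the root cached, the root server sees "com.", the com server sees "example.com.", and only the zone that actually hosts the record sees "www.example.com.".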

SiLæncer
IPFire 2.19 Core 110
« Reply #33 on: 03 May 2017, 20:00 »
Changelog

On-Demand IPsec VPNs:

IPFire used to keep IPsec VPNs up all the time. This wastes resources if a connection is not used very often, for example for a daily backup only.
Core Update 110 allows configuring IPsec VPNs in an On-Demand mode which will establish the connection as soon as it is needed and will close it after 15 minutes of inactivity to save resources.
This is especially handy for people who have a large number of IPsec net-to-net connections on either weak hardware or connections that are not required all the time like maintenance or backup connections, etc.

Performance Enhancements for DNS:

unbound, the DNS resolver working inside IPFire, has been tuned to allow more concurrent queries and assigned more memory to keep a larger DNS cache.
Especially in large networks or when a burst of DNS queries needs to be handled, there is a notable increase of performance.

Misc.:

Graphs in the web user interface are now larger to show more detail
Packets that are received from a bridge interface are not passed through the firewall engine any more
Apache allows more concurrent connections now, which speeds up distributing proxy.pac, updates from Update Accelerator and more
The GeoIP database is now regularly updated over HTTPS
Gabriel Rolland has updated the Italian translation
Jonatan Schlag reorganised all initscripts in the build system which makes packaging add-ons easier
setup now allows setting the subnet mask of the RED interface to 255.255.255.255. This is required with some web hosting companies which are trying to save IPv4 addresses and then need a host route for the default gateway.

Updated Packages:

apcupsd 3.14.14, bind 9.11.0-P3, cairo 1.14.8, conntrack-tools 1.4.4, fontconfig 2.12.1, freetype 2.7.1, lm_sensors 3.4.0, nettle 3.3, ntp 4.2.8p10, openssh 7.4p1 – for PCI compliance, pixman 0.34.0, squid 3.5.25, unbound 1.6.1, wget 1.19.1

Add-ons:

cups 2.2.2 & cups-filter, ffmpeg 3.2.4, ghostscript 9.20, mc 4.8.19, motion 4.0.1, tcpdump 4.9.0

New Packages:

gnutls, an SSL library
epson-inkjet-printer-escpr for EPSON printers
lcms2, an image library
qpdf and poppler PDF rendering libraries

Dropped Packages:

Avahi has been dropped because of lack of a maintainer


http://www.ipfire.org/download


SiLæncer
IPFire 2.19 Core 111
« Reply #34 on: 15 June 2017, 18:00 »
Changelog

WPA Enterprise Authentication in Client Mode:

The firewall can now authenticate itself with a wireless network that uses Extensible Authentication Protocol (EAP). These are commonly used in enterprises and require a username and password in order to connect to the network.
IPFire supports PEAP and TTLS which are the two most common ones. They can be configured on the “WiFi Client” page which only shows up when the RED interface is a wireless device. This page also shows the status and protocols used to establish the connection.
The index page also shows various information about the status, bandwidth and quality of the connection to a wireless network. That also works for wireless networks that use WPA/WPA2-PSK or WEP.

QoS Multi-Queueing:

The Quality of Service is now using all CPU cores to balance traffic. Before, only one processor core was used which caused a slower connection on systems with weaker processors like the Intel Atom series, etc. but fast Ethernet adapters. This has now been changed so that one processor is no longer a bottleneck.

New crypto defaults:

In many parts of IPFire cryptographic algorithms play a huge role. However, they age. Hence we changed the defaults on new systems and for new VPN connections to something that is newer and considered to be more robust.

IPsec:

The latest version of strongSwan supports Curve 25519 for the IKE and ESP proposals which is also available in IPFire now and enabled by default.
The default proposal for new connections now only allows the explicitly selected algorithms which maximises security but might have a compatibility impact on older peers: SHA1 is dropped, SHA2 256 or higher must be used; the group type must use a key with length of 2048 bit or larger.
Since some people use IPFire in association with ancient equipment, it is now allowed to select MODP-768 in the IKE and ESP proposals. This is considered broken and marked so.

OpenVPN:

OpenVPN used SHA1 for integrity by default which has now been changed to SHA512 for new installations. Unfortunately OpenVPN cannot negotiate this over the connection. So if you want to use SHA512 on an existing system, you will have to re-download all client connections as well.
Various markers have been added to highlight that certain algorithms (e.g. MD5 and SHA1) are considered broken or cryptographically weak.

Misc.:

IPsec VPNs will be shown as “Connecting” when they are not established, but the system is trying to
A shutdown bug has been fixed that delayed the system shutting down when the RED interface was configured as static
The DNSSEC status is now shown correctly on all systems
The following packages have been updated: acpid 2.0.28, bind 9.11.1, coreutils 8.27, cpio 2.12, dbus 1.11.12, file 5.30, gcc 4.9.4, gdbm 1.13, gmp 6.1.2, gzip 1.8, logrotate 3.12.1, logwatch 7.4.3, m4 1.4.18, mpfr 3.1.5, openssl 1.0.2l (only bug fixes), openvpn 2.3.16 which fixes CVE-2017-7479 and CVE-2017-7478, pcre 8.40, pkg-config 0.29.1, rrdtool 1.6.0, strongswan 5.5.2, unbound 1.6.2, unzip 60, vnstat 1.17
Matthias Fischer contributed some cosmetic changes for the firewall log section
Gabriel Rolland improved the Italian translation
Various parts of the build system have been cleaned up

Add-ons:

New Add-ons:

ltrace: A tool to trace library calls of a binary

Updated Add-ons:

The samba addon has been patched for a security vulnerability (CVE-2017-7494) which allowed remote code execution on writable shares.
ipset 6.32
libvirt 3.1.0 + python3-libvirt 3.6.1
git 2.12.1
nano 2.8.1
netsnmpd which now supports reading temperature sensors with help of lm_sensors
nmap 7.40
tor 0.3.0.7


http://www.ipfire.org/download

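The Core 111 post above states the new crypto defaults in prose: SHA1 dropped from IPsec proposals in favour of SHA2-256 or higher, DH groups of at least 2048 bit with MODP-768 marked broken, and OpenVPN moved from SHA1 to SHA512 with MD5/SHA1 flagged as weak. The checker below is an added example (not IPFire's or strongSwan's code) that applies exactly those rules to strongSwan-style proposal strings and to OpenVPN --cipher/--auth values, so existing connection definitions can be audited before an upgrade breaks them on the peer side. The curve-to-bit equivalences in DH_GROUP_BITS are my assumption, chosen so that ECP and X25519 groups pass the 2048-bit rule; the proposal strings in the main block are constructed.

```python
"""Flag weak IKE/ESP proposals and OpenVPN cipher/auth choices.

Constructed checker, not IPFire's or strongSwan's code. It applies the
rules the Core Update 111 notes describe: SHA1 and MD5 integrity are out
(SHA-256 or higher), DH groups need a modulus of at least 2048 bit and
MODP-768 is treated as broken, and OpenVPN should not run with SHA1 for
integrity or a legacy cipher. Proposal strings use the strongSwan keyword
style ("aes256-sha256-modp2048").
"""
from dataclasses import dataclass, field
from typing import Dict, List

DH_GROUP_BITS: Dict[str, int] = {
    "modp768": 768, "modp1024": 1024, "modp1536": 1536, "modp2048": 2048,
    "modp3072": 3072, "modp4096": 4096, "modp6144": 6144, "modp8192": 8192,
    # elliptic-curve groups: approximate finite-field equivalents (assumption)
    "ecp256": 3072, "ecp384": 7680, "ecp521": 15360, "x25519": 3072,
}
WEAK_INTEGRITY = ("md5", "sha1")        # matched as prefixes, so sha1_160 is caught too
WEAK_ENCRYPTION = {"des", "3des", "blowfish", "cast", "null"}
WEAK_OPENVPN_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                        "RC2-CBC", "RC2-40-CBC", "RC2-64-CBC", "CAST5-CBC", "NONE"}
WEAK_OPENVPN_AUTH = {"MD5", "SHA1", "NONE"}


@dataclass
class ProposalReport:
    proposal: str
    findings: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.findings


def check_ipsec_proposal(proposal: str) -> ProposalReport:
    """Parse one strongSwan-style proposal and list its weak components."""
    report = ProposalReport(proposal)
    parts = proposal.strip().lower().split("-")
    enc = parts[0]
    # "aes256" -> "aes", "cast128" -> "cast": the key size is irrelevant here
    if enc.rstrip("0123456789") in WEAK_ENCRYPTION:
        report.findings.append(f"encryption {enc} is legacy or broken")
    for part in parts[1:]:
        if part in DH_GROUP_BITS:
            if part == "modp768":
                report.findings.append("modp768 is considered broken")
            elif DH_GROUP_BITS[part] < 2048:
                report.findings.append(f"DH group {part} is below 2048 bit")
        elif part.startswith("prf"):
            continue                     # explicit PRF in AEAD proposals, not policed
        elif part.startswith(WEAK_INTEGRITY):
            report.findings.append(f"integrity {part} is weak; use sha256 or higher")
    return report


def check_openvpn(cipher: str, auth: str) -> List[str]:
    """Check the --cipher and --auth values of an OpenVPN profile."""
    findings: List[str] = []
    if cipher.upper() in WEAK_OPENVPN_CIPHERS:
        findings.append(f"cipher {cipher} is a legacy cipher")
    if auth.upper() in WEAK_OPENVPN_AUTH:
        findings.append(f"auth {auth} is weak; the new default is SHA512")
    return findings


if __name__ == "__main__":
    # constructed proposals: the new default, an AEAD/Curve25519 one, and a legacy one
    for prop in ("aes256-sha256-modp2048", "aes128gcm128-x25519", "3des-sha1-modp768"):
        r = check_ipsec_proposal(prop)
        print(prop, "OK" if r.acceptable else r.findings)
    print(check_openvpn("BF-CBC", "SHA1"))
```

As the notes say, a peer that only offers SHA1 or MODP-1024 will fail to negotiate against the new defaults, so anything this check reports for an existing connection is a candidate for an explicit legacy proposal or a peer-side upgrade.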

SiLæncer
IPFire 2.19 Core 112
« Reply #35 on: 13 August 2017, 21:00 »
Changelog

This Core Update mainly comes with updates under the hood. Core system libraries have been updated to new major versions and the build toolchain got major updates.

These are:

glibc 2.25
GNU Compiler Collection 6.3.0
binutils 2.29
Python 2.7.13
ccache 3.3.4, bc 1.07.1, cmake 3.8.1, flex 2.6.4, fuse 2.9.7, boost 1.64.0, gawk 4.1.4, gnutls 3.5.11, grep 2.27, libarchive 3.3.1, libgcrypt 1.7.7, libgpg-error 1.27, libxml2 2.9.4, mdadm 4.0, openssl 1.0.2l, pkg-config 2.29.2, reiserfsprogs 3.6.25, SDL 1.2.15, squid 3.5.26, strongswan 5.5.3, unbound 1.6.3, util-linux 2.28.2

Misc:

openvpn (2.3.17) has received some security updates that have been discovered recently.
A remote command execution vulnerability in ids.cgi has been closed which could be used by authenticated users to run shell commands with non-superuser rights.
It is now possible to create networks in the firewall that are a subnet of any of the internal zones.
The toolchain and build scripts have also been cleaned up and improved.
The IPFire netboot has been updated so that the best architecture for a system is always used (i.e. the 64 bit version is installed when the system supports it).

Add-ons:

Updated:

7zip 16.02
bird 1.6.3
cyrus-imapd 2.5.11
iperf 2.0.9
directfb 1.7.7
freeradius 3.0.14
monit 5.23.0
miniupnpd is now listening on GREEN by default
tmux 2.5
tor 3.0.8

Dropped:

imspector and tcpick are not maintained upstream any more


http://www.ipfire.org/download


SiLæncer
IPFire 2.19 Core 113
« Reply #36 on: 04 September 2017, 20:00 »
Changelog

Who Is Online?:

Who Is Online? (or WIO in short) has finally arrived on IPFire. It has been ported by the original author Stephan Feddersen and Alex Marx and is available as a usual add-on package called wio.
It is a built-in monitoring service for the local network showing what devices are connected, which ones are online and can also send alarms on various events. Give it a try!

Misc.:

The DNS root keys have been updated to make DNS work beyond October 2017 after the DNSSEC key rollover has been performed
Serial consoles now automatically detect the baudrate after the kernel has been booted
Package updates by Matthias Fischer: bind 9.11.2, gnutls 3.5.14, libgcrypt 1.8.0, logrotate 3.12.3, nano 2.8.6, pcre 8.41, squid 3.5.26, unbound 1.6.4

Add-Ons:

iftop has been updated to 1.0pre4 by Erik Kapfer
Matthias Fischer updated: hostapd 2.6, tor 0.3.0.10


http://www.ipfire.org/download


SiLæncer
pfSense 2.4.1
« Reply #37 on: 28 October 2017, 21:00 »
Changelog

Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK
Fixed a VT console race condition panic at boot on VMware platforms (especially ESXi 6.5.0U1)
Fixed a bsnmpd problem that causes it to use excess CPU and RAM with the hostres module in cases where drives support removable media but have no media inserted
Fixed an upgrade problem due to FreeBSD 11 removing legacy ada aliases, which caused some older installs to fail when mounting root post-upgrade
Changed the boot-time fsck process to ensure the disk is mounted read-only before running fsck in preen mode
Changed the VLAN interface names to use the ‘dotted’ format now utilized by FreeBSD, which is shorter and helps to keep the interface name smaller than the limit (16). This fixes the 4 digit VLAN issues when the NIC name is 6 bytes long. This change was made not only to fix the name length issue, but also to reduce the differences between how FreeBSD uses VLANs and how they are used by pfSense interface functions.
These VLAN changes prevent PPP sessions from working on VLAN parent interfaces.
Fixed setting VLAN Priority in VLAN interface configuration


http://www.pfsense.com/


SiLæncer
IPFire 2.19 Core 115
« Reply #38 on: 03 November 2017, 17:00 »
Changelog

Hello Community,

finally, we are releasing the long-awaited IPFire 2.19 – Core Update 115 which brings the shiny new Captive Portal and various security and performance improvements as well as fixing security vulnerabilities.

This is a large Core Update with a huge number of changes and to support our efforts to develop new features and maintain the existing system as well as constantly improving it, we would like to ask you to donate!

Captive Portal

The new IPFire Captive Portal comes pre-installed on every IPFire system and allows easy access control for wireless and even wired networks. It is simple and very easy to set up with only a few configuration options. That makes it versatile for many administrators and also very simple for all users.

It comes with two configuration modes: The default mode asks the user to accept terms and conditions. After doing so, access to the network is granted for a configurable time. After the time has expired, Internet access is blocked again immediately.

Optionally you can generate coupons that allow access for one device for a set time. Those coupons can also be exported as a PDF document and printed so that they can be handed out easily at a hotel reception for example.

Although Germany has just abolished the controversial law that made the subscriber of an Internet connection liable for everything anyone does over that connection (Störerhaftung), this is still a great feature for 2017 where WiFi networks in hotels, cafes and everywhere else are a must. It allows giving access only to the people who booked a room in your hotel, or bought a cup of coffee in your cafe. That will keep the WiFi from being overloaded and it will be fast for everyone.

The full documentation can be found on our wiki.

Thanks go to all the people of our community who have worked on this for a very long time.

Security Improvements

The web user interface has been hardened by a series of patches from Peter Müller:

    When establishing a new TLS connection, ECDSA is now preferred over RSA which makes the TLS handshake much faster and uses less resources on the client and server. It is also considered to be stronger against brute-force.
    An additional ECDSA key is now generated in addition to the existing RSA key which improves security of any TLS connections to the web user interface.
    Previously, some attacks were possible that made the web browser submit login credentials via HTTP without encryption. The apache configuration has been changed to never ask for login without establishing a TLS connection before.
    A smaller information leak has also been fixed where anyone could access the credits.cgi page which revealed the version information of the installed system.

These changes require a restart of the web server that runs the web user interface. This happens automatically during the installation of this Core Update but might render the web user interface unavailable for a short moment.

OpenVPN Configuration Updates

The OpenVPN project has deprecated some configuration options. This has been updated in IPFire as well, which will now generate new configuration files whenever a new certificate has been issued. The old configuration files and certificates will remain but won’t be compatible with OpenVPN 2.5 any more. There is no need for action right now, but old connections might not work with clients that run a newer version of OpenVPN in the future. New connections will work fine with any recent and future version of OpenVPN.

Thanks to Erik for sending in a patch for this.

Misc

    The WiFi access point add-on has already been patched against the KRACK attacks on the day those were announced. The wpa_supplicant package which implements the WiFi client feature of IPFire has been patched in this release against those attacks.
    IPsec VPNs that use Curve25519 would not want to come up after installing the previous Core Update. This has been fixed now.
    Updated packages: logrotate 3.13.0, openvpn 2.3.18, unbound 1.6.7
    Some files that have been unused for a very long time have been cleaned up.
    All downloads of the project’s ISO files are now done over HTTPS.

Updated Add-Ons

    tor 3.1.7


http://www.ipfire.org/download


SiLæncer
IPFire 2.19 Core 116
« Reply #39 on: 08 November 2017, 21:00 »
Changelog

openssl 1.0.2m:

The OpenSSL project released version 1.0.2m and issued two security advisories in the last week. The two vulnerabilities that were discovered were of moderate and low severity, but we have decided to ship you this update as soon as possible. Hence it is recommended to update as soon as possible, too.
The more severe vulnerability referenced as CVE-2017-3736 fixes a problem with modern Intel Broadwell and AMD Ryzen processors where OpenSSL uses some modern DMI1, DMI2 and ADX extensions and calculates the square root incorrectly. This could be exploited by an attacker who is able to put significant resources into recovering a private key more easily; however, this attack is still considered virtually unfeasible by the OpenSSL security team.
The less severe vulnerability was caused by overreading certificate data when a certificate has a malformed IPAddressFamily extension. This could lead to erroneous display of the certificate in text format. This vulnerability is tracked under CVE-2017-3735.

Misc:

wget also suffered from two security vulnerabilities that allowed an attacker to execute arbitrary code. They are referenced under CVE-2017-13089 and CVE-2017-13090.
apache was updated to version 2.4.29 which fixes a number of bugs.
snort has been updated to version 2.9.11.
xz has also been updated to version 5.2.3 which brings various improvements.


http://www.ipfire.org/download


SiLæncer
IPFire 2.19 Core 117
« Reply #40 on: 05 January 2018, 20:00 »
Changelog

OpenSSL 1.0.2n:

One moderate and one low security vulnerability have been patched in OpenSSL 1.0.2n. The official security advisory can be found here.

IPsec:

It is now possible to define the inactivity timeout after which an idle IPsec VPN tunnel is closed
Support for MODP groups with subgroups has been dropped
Compression is now disabled by default because it is not very effective at all
strongswan has been updated to 5.6.1

OpenVPN:

It is now easier to route OpenVPN Roadwarrior Clients to IPsec VPN networks by choosing routes in each client’s configuration. This makes hub-and-spoke designs easier to configure.

Build toolchain:

Some build scripts have been refactored to clean up the build process and the toolchain has been moved from /tools to /tools_<arch>.
nasm, the Net Assembler, has been updated to 2.13.2

Misc:

SSL compression and SSL session tickets have been disabled in Apache. This will improve the security of the web user interface.
At various places, GeoIP information is available where IP addresses are shown and that information is useful to know
Adding static routes over the web user interface has been fixed
Some aesthetic issues on the captive portal configuration pages have been fixed and the captive portal is now working together with the proxy in transparent mode
Syslogging to a remote server can now be configured to either use TCP or UDP

Add-ons:

Samba has been updated to fix several security issues
mc has been updated to 4.8.20
nano has been updated to 2.9.1
sslscan, vsftpd and Pound have been dropped because they are not maintained upstream any more and incompatible with OpenSSL 1.1.0


http://www.ipfire.org/download


SiLæncer
IPFire 2.19 Core 119
« Reply #41 on: 14 March 2018, 19:00 »
Release Notes

This is the release announcement for IPFire 2.19 – Core Update 119. It updates the toolchain of the distribution and fixes a number of smaller bugs and security issues. Therefore this update is another one of a series of general housekeeping updates to make IPFire better, faster and of course more secure!

Thanks to the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Toolchain Updates

The toolchain is a collection of programs that is used to build the distribution. One of the most important ones is the compiler GCC which has been updated to version 7.3.0 which mainly adds support for retpoline. This is needed to build protection against Spectre into newer kernels.

The main C library, glibc, has been updated to version 2.27 and brings various stability fixes, performance improvements and bug fixes.

Other toolchain packages that have been updated: binutils 2.30, ccache 3.4.1, diffutils 3.1.6, swig 3.0.12

Security-Relevant Changes

    On the OpenVPN configuration page, ciphers that are considered weak are now marked as such and we do not recommend using any of these.
    strongswan’s certificate parser had a vulnerability (CVE-2018-6459)
    Programs that use the C++ standard library are being recompiled to perform extra out-of-bounds checks that are cheap, but add some extra security.
    dma, the Dragonfly Mail Agent, was hardcoded to only use TLSv1.0 which has been patched to always use the best available protocol version of TLS that is available.
    The Apache server signature is now fully hidden

Misc

    Reverse lookup zones did not work and have been fixed
    IPsec subnets for tunnels that route multiple networks are now shown correctly on the start page
    Updated packages: hostname 3.20, iproute2 4.14.1, pam 1.30.0
    Support for ISDN was removed
    Userspace tools for I2C busses have been added

Add-Ons

The following packages have been updated: asterisk 13.18.5, bacula 9.0.6, bwm-ng 0.6.1-f54b3fa, flac 1.3.2, haproxy 1.8.0, nginx 1.13.7, nut 2.7.4, openvmtools 10.2.0, postfix 3.2.4, powertop 2.9, sarg 2.3.11, stunnel 5.44

These packages have been dropped and will be removed with this Core Update: lcr, mysql which was very outdated and is not needed by any add-ons.


http://www.ipfire.org/download

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

pfSense 2.4.3
« Reply #42 on: 31 March 2018, 15:00 »
Release Notes

This release includes several important security patches:

    Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
    IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
    Fixes for FreeBSD-SA-18:01.ipsec
    Fixed three potential XSS vectors, and two potential CSRF issues
    CSRF protection for all dashboard widgets
    Updated several base system packages to address CVEs

In addition to security fixes, pfSense software version 2.4.3 also includes important bug fixes.

Notable bug fixes in 2.4.3 include:

    Fixed hangs due to Limiters and pfsync in High Availability configurations
    Imported a netstat fix to improve performance and reduce CPU usage, especially on the Dashboard and ARM platforms
    Fixed a memory leak in the pfSense PHP module
    Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database
    Fixed issues on assign_interfaces.php with large numbers of interfaces
    Fixed multiple issues that could result in an invalid ruleset being generated
    Fixed multiple Captive Portal voucher synchronization issues with HA
    Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes
    … and many more!

There are several new features in 2.4.3, some of the more important ones are:

    Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family
    Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups
    Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time
    Added options to RFC 2136 Dynamic DNS for server key algorithm and to change the source address used to send updates
    Added VLAN priority tagging for DHCPv6 client requests
    Hardware support for the new XG-7100 including C3000 SoC support, C3000 NIC support, and Marvell 88E6190 switch support (Factory installations only)
    … and more!


http://www.pfsense.com/


Offline SiLæncer

IPFire 2.19 Core 120
« Reply #43 on: 02 May 2018, 20:00 »
Release Notes

RAM-only Proxy:

In some installations it might be desirable to only let the proxy cache objects in memory and not on disk. Especially when Internet connectivity is fast and storage is slow this is most useful.
The web UI now allows to set the disk cache size to zero which will disable the disk cache entirely. Thanks to Daniel for working on this.

OpenVPN 2.4:

IPFire has migrated to OpenVPN 2.4 which introduces new ciphers of the AES-GCM class which will increase throughput on systems that have hardware acceleration for it. The update also brings various other smaller improvements.
Erik has been working on integrating this, which has required some work under the hood but is compatible with any previous configurations for both roadwarrior connections and net-to-net connections.

Improved Cryptography:

Cryptography is one of the foundations of a secure system. We have updated the distribution to use the latest version of the OpenSSL cryptography library (version 1.1.0). This comes with a number of new ciphers and a major refactoring of the code base has been conducted.
With this change, we have decided to entirely deprecate SSLv3 and the web user interface will require TLSv1.2 which is also the default for many other services. We have configured a hardened list of ciphers which only uses recent algorithms and entirely removes broken or weak algorithms like RC4, MD5 and so on.
Please check before this update if you are relying on any of those, and upgrade your dependent systems.
Various packages in IPFire had to be patched to be able to use the new library. This major work was necessary to provide IPFire with the latest cryptography, migrate away from deprecated algorithms and take advantage of new technology. For example the ChaCha20-Poly1305 ciphersuite is available which performs faster on mobile devices.
The old version of the OpenSSL library (1.0.2) is still left in the system for compatibility reasons and will continue to be maintained by us for a short while. Eventually, this will be removed entirely, so please migrate any custom-built add-ons away from using OpenSSL 1.0.2.

Misc:

Pakfire has now learned which mirror servers support HTTPS and will automatically contact them over HTTPS. This improves privacy.
We have also started phase one of our planned Pakfire key rollover.
Path MTU Discovery has been disabled in the system. This has continuously created issues with the stability of IPsec tunnels that have chosen paths over networks that were incorrectly configured.
The QoS template could miscalculate the bandwidth; this has now been fixed so that the sum of the guaranteed bandwidth over all classes does not exceed 100%.

Updated packages:

bind 9.11.3, curl 7.59.0, dmidecode 3.1, gnupg 1.4.22, hdparm 9.55, logrotate 3.14.0, Net-SSLeay 1.82, ntp 4.2.8p11, openssh 7.6p1, python-m2crypto 0.27.0, unbound 1.7.0, vnstat 1.18

Add-ons:

These add-ons have been updated: clamav 0.99.4, htop 2.1.0, krb5 1.15.2, ncat 7.60, nano 2.9.4, rsync 3.1.3, tor 0.3.2.10, wio 1.3.2


http://www.ipfire.org/download

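The Core 120 notes above ask you to check, before updating, whether anything you run still depends on SSLv3, RC4 or MD5, since the web UI will require TLSv1.2 with a hardened cipher list. The following is an added example (not IPFire code) that builds a client context the way the notes describe the new web UI and audits which cipher suites remain; the cipher string, the weak-algorithm markers and the sample suite names are assumptions constructed for the illustration.

```python
"""Pre-update check for the TLS hardening described in IPFire Core 120.

Added example, not part of IPFire: builds an ssl.SSLContext with the
properties the release notes describe (TLSv1.2 minimum, no RC4/MD5 and
similar) and audits cipher-suite lists for the algorithms being removed.
"""
import ssl

# Algorithm names the notes call broken or weak (RC4, MD5) plus other
# SSLv3-era material a hardened list also drops. Constructed for this example.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH")

# Assumed hardened OpenSSL cipher string: forward-secret AEAD suites only,
# explicitly excluding the weak families above.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
)


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching what the notes say the web UI will require."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3/TLS1.0/1.1 refused
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_suite_names(names):
    """Return the suite names from a config or probe that use weak algorithms."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def weak_suites(ctx: ssl.SSLContext):
    """Enabled suites in ctx that would be rejected by the hardened web UI."""
    return audit_suite_names(c["name"] for c in ctx.get_ciphers())


def pre_tls12_suites(ctx: ssl.SSLContext):
    """Enabled suites whose minimum protocol is older than TLSv1.2."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] not in ("TLSv1.2", "TLSv1.3")]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("enabled suites:", [c["name"] for c in ctx.get_ciphers()])
    print("weak:", weak_suites(ctx), "pre-TLS1.2:", pre_tls12_suites(ctx))
    # Constructed list as it might come from a dependent system's config.
    print(audit_suite_names(["ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5", "DES-CBC3-SHA"]))
```

Run the audit against the cipher list of each client that talks to the firewall's web UI; any suite it reports must go before the update, not after.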

Offline SiLæncer

pfSense 2.4.3-p1
« Reply #44 on: 18 May 2018, 18:00 »
Release Notes

This release includes several important security patches, including the issues discussed last week:

    FreeBSD Security Advisory for CVE-2018-8897 FreeBSD-SA-18:06.debugreg
    FreeBSD Errata Notice for CVE-2018-6920 and CVE-2018-6921 FreeBSD-EN-18:05.mem
    Fixed a potential LFI in pkg_mgr_install.php #8485 pfSense-SA-18_04.webgui
    Fixed a potential XSS in pkg_mgr_install.php #8486 pfSense-SA-18_05.webgui

Additionally, 2.3.5-p2 includes corrections for items already addressed in the 2.4.x release branch:

    Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
    Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
    Changed sshd to use delayed compression #8245
    Added encoding for firewall schedule range descriptions #8259

Aside from security updates, the new versions include a handful of beneficial bug fixes for various minor issues.

For a complete list of changes, see the 2.4.3-p1 Release Notes and 2.3.5-p2 Release Notes.
Important Information

At this time, pfSense 2.3.x is a Security and Errata maintenance branch only. pfSense 2.4.x is the primary stable supported branch. If the firewall hardware is capable of running pfSense 2.4.x, consider upgrading to that release instead.

If you have not yet upgraded to pfSense version 2.4.0 or later, read the information in the 2.4.0 Release Announcement before updating for important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.

If either by choice or by hardware limitations a firewall cannot be upgraded to pfSense 2.4.x, see the pfSense 2.3.5-RELEASE announcement for information on obtaining the latest 2.3.x release.


http://www.pfsense.com/
