Autor Thema: Firewall-Distributionen diverses  (Gelesen 5620 mal)

0 Mitglieder und 1 Gast betrachten dieses Thema.

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
SmoothWall 3.1
« Antwort #45 am: 19 Juli, 2018, 21:00 »
SmoothWall is a secure operating system that converts a redundant PC, workstation, fileserver, or rackmount device into a firewall and VPN gateway, but goes way beyond that remit. It is Webmanaged so no keyboard, monitor, or mouse on the device is needed. It supports Internal ISDN, all popular NICS, all popular connection types: Modem, ISDN, Cable, ADSL, USB ADSL, and Ethernet. It also features a fully logging firewall, DHCP server, IPSEC VPN capabilities, and much more.

Freeware

http://www.smoothwall.org/

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 122
« Antwort #46 am: 30 Juli, 2018, 18:00 »
Release Notes

Highlight: Linux 4.14:

The distribution was rebased from our old long-term supported kernel to the new kernel 4.14.50.
Most importantly, this kernel improves the security of the system, increases performance and makes the core of IPFire more up to date and modern again. This update also enables mitigation against Meltdown and Spectre on some architectures. On Intel-based platforms, we update the microcode of the CPUs when the system boots up to avoid any performance penalties caused by the mitigation techniques.
Unfortunately, grsecurity is incompatible with any newer kernels and has been removed. This is connected to the decision of the grsecurity project to no longer open source their patches. Luckily the kernel developers have backported many features so that this kernel is still hardened and secure.
ARM systems won’t be able to install this update due to the kernel change which also requires changes on some bootloaders. For those users, we recommend to backup the system, reinstall and then restore the backup. The re-installed system will only come with a single ARM kernel instead of multiple for different platforms that we had before. It helps us to keep the distribution smaller and makes development efforts easier.

Misc:

Updated packages: apache 2.4, beep 1.3 with fixes for CVE-2018-0492, bwm-ng 0.6.1-f54b3fa, cmake 3.11.2, crda 3.18, ISC dhcp 4.4.1, dhcpcd 6.11.5, diffutils 3.1.6, gcc 7.3.0, grub 2.02, htop 2.2.0, iw 4.14, libidn 1.34, nano 2.9.7, nmap 7.70, openssh 7.7p1, pcre 8.42, powertop 2.9, rng-tools 6.2, sarg 2.3.11, tar 1.30, u-boot 2018.03, unbound 1.7.1, wget 1.19.5, xtables-addons 2.13, xz 5.2.4
The list of trusted Certificate Authorities has been updated and many have been removed
Also we updated firmware for various drivers and baseboards
The Web User Interface now shows any users logged in on the console

Smaller images due to more efficient compression:

We have tried to make the download of the distribution faster and make it use less space on our servers. As a first step, the flash images have been merged together and there is only one image that boots on systems with serial console and normal video output. Secondly, we now compress all images with the XZ algorithm so that they download faster and even decompress quicker, too.

New partition layout:

This release also changes the partition layout of the distribution. We have dropped the /var partition which was used for log files and data that the system collected. This data is now located on a single partition together with the OS. The size of the /boot partition has been increased to 128MB in the default partition layout.

Updated add-ons:

clamav 0.100.0
nagios-nrpe 3.2.1

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 123
« Antwort #47 am: 07 September, 2018, 20:00 »
Changelog

    OpenSSL has been updated to versions 1.1.0i and for legacy applications version 1.0.2p (CVE-2018-0732 and CVE-2018-0737)

    IPsec

    IPsec now supports ChaCha20/Poly1305 for encryption
    It also allows to configure a connection to passively wait until a peer initiates it. This is helpful in some environments where one peer is behind NAT.

    OpenVPN

    Creating Diffie-Hellman keys with length of 1024 bits is no longer possible because they are considered insecure and not being supported by OpenVPN any more
    There is better warnings about this and other cryptographic issues on the web user interface

    Intrusion Detection

    Links in the log files have been fixed to open the correct page with details about a certain attack
    Downloads of rulesets properly validate any TLS certificates
    The /proc filesystem has been hardened so that no kernel pointers are being exposed any more
    nss-myhostname is now being used to dynamically determine the hostname of the IPFire system. Before /etc/hosts was changed which is no longer required.
    collectd: The cpufreq plugin has been fixed
    Generating a backup ISO file has been fixed
    Updated packages: apache 2.4.34, conntrack-tools 1.4.5, coreutils 8.29, fireinfo, gnupg 1.4.23, iana-etc 2.30, iptables 1.6.2, libgcrypt 1.8.3, libnetfilter_conntrack 1.0.7, libstatgrab 0.91, multipath-tools 0.7.7, openvpn 2.4.6, postfix 3.2.6, rng-tools 6.3.1, smartmontools 6.6, squid 3.5.28, strongswan 5.6.3, tzdata 2018e, unbound 1.7.3

    Add-ons:

    Support for owncloud has been removed from guardian (version 2.0.2)
    Updates: clamav 0.100.1, fping 4.0, hplip 3.18.6, ipset 6.38, lynis 2.6.4, mtr 0.92, nginx 1.15.1, tmux 2.7, tor 0.3.3.9
    avahi has been brought back in version 0.7 as it is required as a dependency by cups which has been fixed to automatically find any printers on the local network automatically
    asterisk is now compiled with any optimisation for the build system which was accidentally enabled by the asterisk build system


[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 124
« Antwort #48 am: 15 Oktober, 2018, 21:30 »
Changelog

Kernel Hardening:

We have updated the Linux kernel to version 4.14.72 which comes with a large number of bug fixes, especially for network adapters. It has also been hardened against various attack vectors by enabling and testing built-in kernel security features that prohibit access to privileged memory by unprivileged users and similar mechanisms.

OpenSSH Hardening:

Peter has contributed a number of patches that improve security of the SSH daemon running inside IPFire. For those, who have SSH access enabled, it will now require latest ciphers and key exchange algorithms that make the key handshake and connection not only more secure, but also faster when transferring data.
For those admins who use the console: The SSH client has also been enabled to show a graphic representation of the SSH key presented by the server so that comparing those is easier and man-in-the-middle attacks can be spotted quickly and easily.

Unbound Hardening:

The settings of the IPFire DNS proxy unbound have been hardened to avoid and DNS cache poisoning and use aggressive NSEC by default. The latter will reduce the load on DNS servers on the internet through more aggressive caching and will make DNS resolution of DNSSEC-enabled domains faster.

EFI:

IPFire now supports booting in EFI mode on BIOSes that support it. Some newer hardware only supports EFI mode and booting IPFire on it was impossible before this update. EFI is only supported on x86_64.
Existing installations won’t be upgraded to use EFI. However, the flash image and systems installed with one of the installation images of this update are compatible to be booted in both, BIOS and EFI mode.
Although this change does not improve performance and potentially increases the attack vector on the whole firewall system because of software running underneath the IPFire operating system, we are bringing this change to you to support more hardware. It might be considered to disable EFI in the BIOS if your hardware allows for it.

Misc:

CVE-2018-16232: Remote shell command injection in backup.cgi: It has been brought to our attention that it was possible for an authenticated attacker to inject shell commands through the backup.cgi script of the web user interface. Those commands would have been executed as a non-priviledged user. Thanks to Reginald Dodd to spot this vulnerability and informing us through responsible disclosure.
The hostname of the system was set incorrectly in the kernel before and is now being set correctly
Firewall: Creating rules with the same network as source and destination is now possible and renaming a network/host group is now correctly updating all firewall rules
Cryptography: ChaCha20-Poly1305 is now working on ARM, too
IPsec: The status of connections in waiting state is now shown correctly at all times; before, they always showed up as enabled although they were disabled.
pakfire: Some old and unused code has been cleaned out and the mirror health check has been removed, because a download will fail-over to another available mirror anyways
Intrusion Detection: Emerging Threats rules are now being downloaded over HTTPS rather than HTTP
Updated packages: bind 9.11.4-P1, iproute2 4.18.0, ntp 4.2.8p12, openssh 7.8p1, parted 3.2, pciutils 3.5.6, rng-tools 6.4, syslinux 6.04-pre1, unbound 1.8.0

Add-Ons:

Updated packages: nano 3.1, postfix 3.3.1

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 125
« Antwort #49 am: 26 November, 2018, 21:00 »
Changelog

802.11ac WiFi:

The IPFire Access Point add-on now supports 802.11ac WiFi if the chipset supports it. This allows better coverage and higher network throughputs. Although IPFire might not be the first choice as a wireless access point in larger environments, it is perfect to run a single office or apartment.
Additionally, a new switch allows to disable the so called neighbourhood scan where the access point will search for other wireless networks in the area. If those are found, 40 MHz channel bandwidth is disabled leading to slower throughput.

Misc:

strongswan 5.7.1: This updated fixes various security vulnerabilities filed under CVE-2018-16151, CVE-2018-16152 and CVE-2018-17540. Several flaws in the implementation that parsed and verified RSA signatures in the gmp plugin may allow for Bleichenbacher-style low-exponent signature forgery in certificates and during IKE authentication.
The IO graphs now support NVMe disks
The SFTP subsystem is enabled again in the OpenSSH Server
Swap behaviour has been changed so that the kernel will make space for a large process when not enough physical memory is available. Before, sudden jumps in memory consumption where not possible and the process requesting that memory was terminated.
The backup scripts have been rewritten in Shell and now package all add-ons backups with the main backup. Now, it is no longer required to save any add-on configuration separately.
Updated packages: apache 2.4.35, bind 9.11.4-P2, coreutils 8.30, dhcpcd 7.0.8, e2fsprogs 1.44.4, eudev 3.2.6, glibc 2.28, gnutls 3.5.19, json-c 0.13.1, keyutils 1.5.11, kmod 25, LVM2 2.02.181, ntfs-3g 2017.3.23, reiserfsprogs 3.6.27, sqlite 3.25.2.0, squid 3.5.28, tzdata 2018g, xfsprogs 4.18.0

New Add-Ons:

dehydrated - A lightweight client to retrieve certificates from Let's Encrypt written in bash
frr, an IP routing protocol suite and BGP and OSPF are supported on IPFire. Find out more on their website.
observium-agent - An xinet.d-based agent for Observium, a network monitoring platform

Updated Add-Ons:

clamav has been updated to 0.100.2 and the virus database files have been moved to the /var partition. This makes more space available on the root partition.
nfs 2.3.3, haproxy 1.8.14, hostapd 2.6, libvirt 4.6.0, tor 0.3.4.9

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 126
« Antwort #50 am: 10 Januar, 2019, 21:00 »
Changelog

Linux 4.14.86:

The kernel has been updated to the latest version of the Linux 4.14.x branch which brings various improvements around stability, enhances performance and fixes some security vulnerabilities. This kernel also has major updates for the Spectre and Meltdown vulnerabilities that remove previously existent performance penalties in some use-cases.
The kernel's modules are now compressed with the XZ algorithm which will save some space on disk as the kernel is one of the largest components of IPFire.

Misc:

openssl has been updated to 1.1.0j and 1.0.2q which fixes some minor security issues and has various bug fixes
The bind package has now changed to ship shared libraries which it did not before. Those allow that commands like dig and host use those shared libraries and are no longer statically linked. This makes the files a lot smaller.
Stéphane Pautrel has substantially improved the French translation of IPFire. Thank you very much for that!

Add-ons:

Updated packages: bird 2.0.2, nano 3.2
New packages: shairport-sync

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 127
« Antwort #51 am: 06 Februar, 2019, 19:00 »
Changelog

Squid 4.5 - Making the web proxy faster and more secure:

We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.
We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.
One of the major changes is that we have removed a control that allowed to configure the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically configured to the number of processors. Due to that, we only use as many processes as the system has memory for but allow to use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy so that there is no wait any more for the first request being handled or when the proxy is under higher load.
We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time to become faster by being more efficient.
We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.
We have also removed authentication against Microsoft Windows NT 4.0 domains. Those authentication protocols used back then are unsafe for years and nobody should be using those any more. Please consider this when updating to this release.
We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software coming from the same system was allowed for one second to send requests to the web proxy being properly authenticated. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.
New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.
Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.

DNS Forwarding:

The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses to forward requests to multiple servers that are found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queries for one single domain. Before only one IP address was supported which rendered the domain unresolvable in case of that specific server becoming unreachable.
These changes allow to redirect requests to DNS blacklists for example directly to the right name servers and not worry about any changes of IP addresses at the provider. There is also load-balancing between multiple servers and the fastest server is being preferred so that DNS resolution for all domains is faster and more resilient, too.

Misc:

Kernel modules that initialised framebuffer are no longer being loaded again. This cause some crashes on various hardware with processors from VIA and was a regression introduced by compression kernel modules with the last Core Update.
Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
fireinfo now supports authentication against any upstream web proxies
Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
The description on which SSH port IPFire is listening has been fixed.
Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
GeoIP: Scripts have been updated to use a new format of the GeoIP database
Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1

Add-ons:

Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
The haproxy package now correctly handles its backup

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 129
« Antwort #52 am: 10 April, 2019, 18:00 »
Changelog

IPsec Reloaded:

IPsec has been massively extended. Although IPsec in IPFire is already quite versatile and delivered high performance, some features for experts were required and are now available through the web UI...
Routed VPNs with GRE & VTI [2]
Transport Mode for net-to-net tunnels
IPsec connections can now originate from any public IP address of the IPFire installation. This can be selected on a per-connection basis.
The code has also been cleaned up the UI has been made a little bit tidier to accommodate for the new settings.

Smaller changes include:

The "On-Demand" mode is finally the default setting. Tunnels will shut down when they are not used and they will be established again when they are required.

Misc:

DHCP: A crash has been fixed when filenames containing a slash have been entered for PXE boot.
DHCP: Editing static leases has been fixed
Domains in the "DNS Forwarding" section can now be disabled for DNSSEC validation. This is a dangerous change, but has been requested by many users.
Updated packages: bind 9.11.6, groff 1.22.4, ipset 7.1, iptables 1.8.2, less 530, libgcrypt 1.8.4, openssl 1.1.1b, openvpn 2.4.7, squid 4.6, tar 1.32, unbound 1.9.0, wpa_supplicant 2.7
New commands: kdig 2.8.0
The build system has been optimised to reduce build time of the whole distribution to around 4-5 hours on a fast machine.

Add-Ons:

Alexander Koch has contributed zabbix_agentd which is the agent that is installed on the monitored machine. With this [3], IPFire can now be integrated into an environment that is monitored by Zabbix.
On that note, the SNMP daemon has also been updated to version 5.8 for people who use the SNMP protocol for monitoring.
tor has been updated to 0.3.5.8 and some minor bugs have been fixed in the web user interface
The spectre-meltdown-checker script is available as an add-on which allows IPFire users to test their hardware for vulnerabilities
Other updates: amavisd 2.11.1, hostapd 2.7, postfix 3.4.3

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 130
« Antwort #53 am: 17 April, 2019, 20:00 »
Changelog

Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable for various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded to be of "low" severity.
wget 1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).
clamav 0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.

IPsec Regression:

The last update introduced a regression in the IPsec stack that caused that the firewall could no longer access any hosts on the remote side when the tunnel was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.

[close]

http://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 131
« Antwort #54 am: 16 Mai, 2019, 21:00 »
Release Notes



Finally, we are releasing another big release of IPFire. In IPFire 2.23 - Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.

Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate today!
A New Intrusion Prevention System

We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance, security and it simply put - more modern. We would like to thank the team at Suricata on which it is based for their hard work and for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need.
Migration from the older Intrusion Detection System

Your settings will automatically be converted if you are using the existing IDS and replicated with the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only. This is that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required any more for the IDS to work but still provides means against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.
OS Updates

This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.
Misc.

    SSH Agent Forwarding: This can now be enabled on the IPFire SSH service which allows administrators to connect to the firewall and use SSH Agent authentication when using the IPFire as a bastion host and connecting onwards to an internal server.
    When multiple hosts are created to overwrite the local DNS zone, a PTR record was automatically created too. Sometimes hosts might have multiple names which makes it desirable to not create a PTR record for an alias which can now be done with an additional checkbox.
    A bug in the firewall UI has been fixed which caused that the rule configuration page could not be rendered when the GeoIP database has not been downloaded, yet. This was an issue when a system was configured, but never connected to the internet before.
    On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk which lead unbound to crash under certain circumstances.
    Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default;
    We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.

Add-ons

    Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
    tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows to create rules for traffic that originates from the local tor relay. The service is also running as an own user now.
    Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.

New Packages

    flashrom - A tool to update firmware

[close]

https://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 132
« Antwort #55 am: 09 Juni, 2019, 00:00 »
Release Notes

    Intel Vulnerabilities: RIDL, Fallout & ZombieLoad:

    Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an update microcode (version 20190514). Both is shipped in this release.

    VLAN Configuration:

    Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.
    The GUI also allows to set up a zone in bridge mode which is helpful for advanced users who need some custom configuration.

    Misc:

    The new IPS now starts on systems with more than 16 CPU cores
    For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
    OpenVPN has received some changes to the UI and improvements of its security.
    Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
    Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
    The same type of stored cross-site scripting attack was resolved in the static routing UI
    Log entries for Suricata now properly show up in the system log section
    Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1

    Add-ons:

    Wireless AP:

    For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
    DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
    Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker to deauthenticate stations from the wireless LAN or other denial-of-service attacks.

    Updates:

    igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
    Qemu is now being hardened with libseccomp which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default


[close]

https://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 134
« Antwort #56 am: 05 Juli, 2019, 14:00 »
Release Notes

    SACK Panic (CVE-2019-11477 & CVE-2019-11478):

    The Linux kernel was vulnerable for two DoS attacks against its TCP stack. The first one made it possible for a remote attacker to panic the kernel and a second one could trick the system into transmitting very small packets so that a data transfer would have used the whole bandwidth but filled mainly with packet overhead.
    The IPFire kernel is now based on Linux 4.14.129, which fixes this vulnerability and fixes various other bugs.
    The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.

    Misc:

    Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
    The French translation has been updated by Stéphane Pautrel and translates various strings as well as improving some others
    We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection. CBC is now considered to be substantially weaker than GCM.
    Email addresses entered in the web UI can now contain underscores.
    The Captive Portal now comes up properly after IPFire is being rebooted.



[close]

https://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 135
« Antwort #57 am: 19 September, 2019, 21:00 »
Release Notes

    Kernel Update:

    The IPFire Linux kernel has been rebased on 4.14.138 and various improvements have been added. Most notably, this kernel - once again - fixes CPU vulnerabilities.

    Misc:

    On x86_64, the effectiveness of KASLR has been improved which prevents attackers from executing exploits or injecting code
    DNS: unbound has been improved so that it will take much less time to start up in case a DNS server is unavailable.
    Scripts that boot up IPFire have been improved, rewritten and cleaned up for a faster boot and they now handle some error cases better
    Updated packages: dhcpcd 7.2.3, nettle 3.5.1, squid 4.8, tzdata 2019b

    Add-ons:

    bird 2.0.4
    clamav 0.101.3
    iperf 2.0.13
    iperf3 3.7
    mc 4.8.23
    pcengines-firmware 4.9.0.7

[close]

https://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 136
« Antwort #58 am: 11 Oktober, 2019, 21:00 »
Release Notes

    OpenSSL 1.1.1d:

    This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release...
    CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
    CVE-2019-1549: Forked processes could have shared the same seed for their random number generator which is being fixed in this one by mixing in a high precision timer.
    CVE-2019-1563: Another padding oracle for large PKCS7 messages
    All of these are classified as "low severity". However, we recommend to install this update as soon as possible.

    Perl 5.30:

    Arne has been busy and been working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again as well as many add-ons. Hence this update is rather large.

    GeoIP:

    Since Maxmind is no longer publishing their GeoIP database in the original format, but unfortunately not providing any good bindings for the new release, we have only had an outdated version of the database that we made available in IPFire.
    There is now a script that converts the current data into the old format which allows us to provide a recent database again.
    This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.

    Misc:

    The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs and also to not starve on write operations. This limit was however very low for modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
    Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
    logwatch and logrotate could conflict when running at the same time. This has been changed so only one of them is running at the same time.
    Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
    The toolchain now ships a compiler for Go

    Add-ons

    Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
    dnsdist has had its limit of open connections increased to work better in bigger environments
    tor: A permission problem has been fixed so that the web UI can save settings again
    wio: The RRD files will now be included in the backup as well as various UI improvements have been done

[close]

https://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Beiträge: 189183
  • Ohne Input kein Output
    • DVB-Cube
IPFire 2.21 Core 137
« Antwort #59 am: 17 November, 2019, 10:00 »
Release Notes

    An improved and faster QoS:

    As explained in detail in a separate blog post from the engine room, we have been working hard on improving our Quality of Service (QoS).
    It allows to pass a lot more traffic on smaller systems as well as reduces packet latency on faster ones to create a more responsive and faster network.
    To take full advantage of these changes, we recommend to reboot the system after installing the update.

    Linux 4.14.150:

    The IPFire Kernel has been rebased on Linux 4.14.150 and equipped with our usual hardening and other patches.
    The kernel has been tuned to deliver more throughput for IP connections as well as reducing latency to a minimum to keep your network as responsive and fast as possible.
    An especially nasty bug that caused the system to drop DNS packets when the Intrusion Detection System was enabled has been tracked down by a large group of IPFire developers and additional help of the suricata team.

    Misc:

    Downloaded GeoIP databases were not always cleaned up from /tmp when a download was unsuccessful. This can cause that the script is filling up the root partition. You can reboot your system to free up space if this has happened to you, too. The script has now been cleaned up, and catches any errors to cleanup afterwards.
    IPsec now supports Curve 448 with 224 bit of security. It is a lightweight and slightly faster alternative to Curve25519 and enabled by default for new connections.
    Tim Fitzgeorge contributed a patch that restarts the syslog daemon after a backup is being restored to close old log files and write to the restored ones
    /var/log/mail is now being rotated
    Updated packages: bind 9.11.12, iptables 1.8.3, iproute2 5.3.0, knot 2.8.4, libhtp 0.5.30, libnetfilter_queue 1.0.4, libpcap 1.9.1, libssh 0.9.0, Net-SSLeay 1.88, pcre 8.43, strongswan 5.8.1, suricata 4.1.5, tzdata 2019c, unbound 1.9.4, wpa_supplicant 2.9

    Add-ons:

    New: speedtest-cli
    This is a handy tool to perform a regular speedtest on the console. It was packaged to test the QoS but is handy to test throughput of the firewall to and from the Internet on the console.

    Updated Packages:

    bird 2.0.6 now supports RPKI validation by connecting to a process that holds the key material either via TCP or using SSH
    sane has been updated to version 1.0.28 and now supports more hardware
    A French translation is now available for the Who is Online? add-on
    Others: clamav 0.102.0, hostapd 2.9, ipset 7.3, mtr 0.93, nano 4.5, ncat 7.80, nmap 7.80, shairport-sync 3.3.2, tcpdump 4.9.3, tor 0.4.1.6, tshark 3.0.5


[close]

https://www.ipfire.org/download

Arbeits.- Testrechner :

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD-Brenner Laufwerk
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA Treiber 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA Treiber 4.8.3.1.8 )