Author Topic: Firewall distributions, miscellaneous  (Read 5620 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 189183
  • No input, no output
    • DVB-Cube
IPFire 2.21 Core 138
« Reply #60 on: 19 November, 2019, 21:00 »
Release Notes

    Intel Vulnerabilities:

    Intel has blessed us again with a variety of hardware vulnerabilities which need to be mitigated in software. Unfortunately those will further decrease the performance of your IPFire systems due to changes in Intel's microcodes which are also shipped with this Core Update.

https://www.ipfire.org/download

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

IPFire 2.21 Core 139
« Reply #61 on: 09 January, 2020, 18:00 »
Release Notes

    Improved Booting & Reconnecting:

    Dialup scripts have been cleaned up to avoid any unnecessary delays after the system has been handed a DHCP lease from the Internet Service Provider. This allows the system to reconnect quicker after loss of the Internet connection and booting up and connecting to the Internet is quicker, too.

    Improvements to the Intrusion Prevention System:

    Various smaller bug fixes have been applied in this Core Update which makes our IPS a little bit better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers are being used by the system.

    TLS:

    IPFire is configured as securely as possible. At the same time we focus on performance, too. For connections to the web user interface, we do not allow using CBC any more. This cipher mode is beginning to crack and the more robust GCM is available.
    Whenever an SSL/TLS connection is being established to the firewall, we used to prefer ChaCha20/Poly1305 as a cipher. Since AESNI is becoming more and more popular even on smaller hardware, it makes sense to prefer AES. A vast majority of client systems support this as well which will allow them to communicate faster with IPFire systems and save battery power.

    Misc:

    The microcode for Intel processors has been updated again to mitigate vulnerabilities from the last Core Update
    PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version 4.10.0.3
    Captive Portal: Expired clients are now automatically removed
    Dynamic DNS: Support for NoIP.com has been fixed in ddns 12
    Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5

    Add-Ons:

    clamav has been updated to 0.102.1 which includes various security fixes
    libvirt has been updated to version 5.6.0 for various bug fixes or feature enhancements and support for LVM has been enabled.
    qemu has been updated to 4.1.0
    Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42

https://www.ipfire.org/download

IPFire 2.25 - Core Update 146
« Reply #66 on: 20 July, 2020, 14:00 »
Release Notes

Today, we have updated IPFire on AWS to IPFire 2.25 - Core Update 146 - the latest official release of IPFire.

Since IPFire is available on AWS, we are gaining more and more users who are securing their cloud infrastructure behind an easy to configure, yet fast and secure firewall.

This update brings a new kernel as well as many other exciting changes.

The most important change for the cloud is that on AWS, IPFire will now default to a MTU of 9001 bytes for all internal interfaces. The RED interface will remain on 1500 bytes, since the Internet defaults to that size and we prefer IPFire performing any fragmentation and reassembly of packets over Amazon’s network stack.

This allows more network throughput with less overhead.

https://www.ipfire.org/download

IPFire 2.25 - Core Update 147
« Reply #67 on: 28 July, 2020, 18:00 »
Release Notes

Another update is available for IPFire: IPFire 2.25 - Core Update 147. It contains a vast amount of package updates and brings some security updates.

Security Updates

The squid web proxy had a number of security vulnerabilities that have been patched in version 4.12. Those are:

    CVE-2020-15049 - (SQUID-2020:7) - Cache Poisoning Issue in HTTP Request processing

There was a third vulnerability in the TLS component of squid which is not activated in IPFire and therefore IPFire is not vulnerable (CVE-2020-14058).

Misc.

    The Linux firmware package was updated to version 20200519 and brings various improvements to hardware components and adds support for more hardware.
    A long-standing issue with forwarding GRE connections has been resolved. It was absolutely impossible to get such connections through the firewall, because IPFire's internal connection tracking refused to handle them.
    Amazon Web Services: The firewall will now configure all zones to use jumbo frames by default. Since Amazon's network allows packets with up to 9001 bytes, this will increase bandwidth in the cloud. The RED interface is exempt, because the Internet still defaults to only 1500 bytes per packet.
    Updated packages: bind 9.11.20, dhcpcd 9.1.2, GnuTLS 3.6.14, gmp 6.2.0, iproute2 5.7.0, libassuan 2.5.3, libgcrypt 1.8.5, libgpg-error 1.38, OpenSSH 8.3p1, squidguard 1.6.0

Add-ons

Updates

    Bacula, a backup solution, was updated to version 9.6.5 by Adolf Belka
    borgbackup 1.1.13
    haproxy 2.1.7
    Joe 4.6

https://www.ipfire.org/download

IPFire 2.25 - Core Update 148
« Reply #68 on: 02 August, 2020, 18:00 »
Release Notes

This is an update I have personally been waiting for a long time: We finally roll out replacing Maxmind's GeoIP database by our own improved implementation.

IPFire Location

As we have already pre-announced some time ago this side-project inside the IPFire Project is finally ready for prime time.

It comes with a new implementation to build, organise and access a highly optimised database packed with loads of helpful data for our firewall engines, as well as our analytics to analyse where attacks against the firewall are originating from.

With it, IPFire can block attackers from certain countries, or do the opposite - only permit access to certain servers from certain places. Combining rules with the rate-limiting feature allows limiting connections from certain locations which is very helpful for DoS attacks.

No new features have been added, but those that we had have been massively improved. The database is now being updated once a week which makes it more accurate and we no longer require complicated scripts to convert it into different formats to be used in different parts of the operating system.

Instead the database can be opened and read extremely quickly which allows access in realtime making pages on the web user interface load significantly faster.

We hope that many other projects choose to use our implementation as well, since we have chosen a truly open license for the data as well as the library that works behind it.

https://www.ipfire.org/download

IPFire 2.25 - Core Update 149
« Reply #69 on: 04 September, 2020, 19:00 »
Release Notes



We have been busy baking another large update for you which is full of oozy goodness. It includes an updated toolchain based on GCC 10 and glibc 2.32 and we have added a lot of tuning which makes IPFire 33% faster on some systems.

Toolchain Update

IPFire is based on glibc 2.32, the standard library for all C programs, and GCC 10.2, the GNU Compiler Collection. Both bring various bug fixes and improvements.

The most notable change is that we have decided to remove a mitigation for Spectre 2 which caused user space programs in IPFire to run about 50% slower due to using a microcode feature which is called "retpoline". Those "return trampolines" disable the branch prediction engine in out-of-order processors which was considered to help with mitigating leaking any information from any inaccessible kernel space.

This is however not as effective as thought and massively decreases performance in the user land which mainly affects features like our Intrusion Prevention System, Web Proxy and URL filter. We still use this mechanism to avoid leaking any kernel memory into the user space.

On top of that, we have updated various tools used for building IPFire as well as core libraries.

We have also enabled a new GCC feature called "stack clash protection" on x86_64 and aarch64 which adds additional checks to mitigate exploits and we have enabled "CF protection" which hardens all software against attackers gaining control over a program flow and circumventing security checks like password or signature validation.

BootHole, aka GRUB 2.04

As reported in the media, there were various security vulnerabilities in the GRUB boot loader which is used in IPFire on x86_64, i586 and aarch64. These have now been patched in IPFire and the new boot loader is installed automatically.

Intel Security Vulnerabilities & Virtual Machines

In May 2019, we have announced to disable SMT on all machines. This is now disabled for any virtual machines since the mitigation is required to be activated on the host system.

Emulated processors might run on multiple physical processors which IPFire in a virtual machine has no control over. However, we still recommend against running IPFire in a virtual environment.

Deprecating i586

This release also officially degrades the i586 architecture to a secondary architecture. On the download page, you will already find downloads for that architecture at the bottom of the page.

This is because various security mitigations are not available for i586 and development work on the Linux kernel and other software that IPFire relies on is mainly done for x86_64 or other modern 64 bit architectures. This is a development that we saw coming for a while now, and despite that we will try to keep IPFire available in this architecture.

We urge everyone whose hardware supports it to update their systems to x86_64. You will see a notification on the web user interface if you are affected.

Misc.

    OpenSSL: We have removed all ciphers that do not support Perfect Forward Secrecy from the default cipher list. That means that all programs in IPFire that initiate TLS connections will no longer accept any "weak" ciphers without PFS.
    OpenVPN
        In order to make IPFire compliant with PCI DSS, OpenVPN requires all clients to use TLS 1.2 or newer. This change is automatically enabled on all systems and very old clients might need to be updated. Please check if you are using any outdated clients before updating.
        The maximum number of simultaneous OpenVPN connections can now be set to up to 1024 and was limited to 255 before.
    New packages: zstd, a modern and fast compression algorithm is now part of IPFire
    Updated packages: apache 2.4.46, bind 9.11.21, bison 3.7.1, curl 7.71.1, GRUB 2.04, intel-microcode 20200616, hyperscan 5.3.0, iproute2 5.8.0, kbd 2.2.0, logrotate 3.17.0, lsof 4.91, mpfr 4.1.0, popt 1.18, unbound 1.11.0, xfsprogs 5.7.0

Add-ons

    Updated: clamav 0.102.4, dnsdist 1.5.0, haproxy 2.2.2, fping 5.0, libvirt 6.5.0, minicom 2.7.1, nfs 2.5.1, postfix 3.5.6, qemu 5.0.0, rsync 3.2.3, spandsp 0.0.6, tor 0.4.3.6, tshark 3.2.6, usbredir 0.8.0, watchdog 5.16, WIO
    Marcel Follert has contributed a new package: socat, a CLI tool which can be used to communicate with UNIX sockets.

We ask everyone who can to install this update and report any feedback back to us. That way, you can help to make IPFire better and contribute to the community. If you cannot test, you can donate!

https://www.ipfire.org/download
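
The cipher policy described in the Core Update 139 and 149 notes above (no CBC, forward secrecy only, AES-GCM preferred over ChaCha20-Poly1305) can be checked against a cipher list with a short script. This is an added example, not part of the original posts and not IPFire's code; it combines the three rules into one check, and the sample list and the names `classify`, `audit` and `harden` are constructed for illustration.

```python
"""Audit OpenSSL-style cipher suite names against the policy in the release notes:
no CBC, forward secrecy only, AES-GCM preferred over ChaCha20-Poly1305."""
from dataclasses import dataclass

# Key-exchange prefixes that give forward secrecy in OpenSSL's TLS <= 1.2 names.
# Anonymous ADH-/AECDH- suites are left out on purpose: ephemeral but unauthenticated.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


@dataclass(frozen=True)
class Suite:
    name: str
    forward_secret: bool
    mode: str  # "AES-GCM", "CHACHA20", "OTHER-AEAD" or "CBC/legacy"


def classify(name: str) -> Suite:
    upper = name.upper()
    # TLS 1.3 suites (TLS_*) always use ephemeral (EC)DHE and an AEAD cipher.
    forward_secret = upper.startswith("TLS_") or upper.startswith(PFS_PREFIXES)
    if "CHACHA20" in upper:
        mode = "CHACHA20"
    elif "AES" in upper and "GCM" in upper:
        mode = "AES-GCM"
    elif "GCM" in upper or "CCM" in upper:
        mode = "OTHER-AEAD"
    else:
        # OpenSSL omits "CBC" from most names: AES128-SHA is AES-128-CBC + HMAC-SHA1.
        mode = "CBC/legacy"
    return Suite(name, forward_secret, mode)


def audit(cipher_list):
    """Return findings for a cipher list given in server preference order."""
    suites = [classify(n) for n in cipher_list]
    findings = []
    for s in suites:
        if not s.forward_secret:
            findings.append(f"{s.name}: no forward secrecy")
        if s.mode == "CBC/legacy":
            findings.append(f"{s.name}: not an AEAD mode (CBC or older)")
    modes = [s.mode for s in suites]
    if ("CHACHA20" in modes and "AES-GCM" in modes
            and modes.index("CHACHA20") < modes.index("AES-GCM")):
        findings.append("order: ChaCha20-Poly1305 is preferred over AES-GCM")
    return findings


def harden(cipher_list):
    """Drop non-PFS and non-AEAD suites, then move AES-GCM ahead of the rest."""
    keep = [s for s in map(classify, cipher_list)
            if s.forward_secret and s.mode != "CBC/legacy"]
    # list.sort() is stable, so the relative order inside each group survives.
    keep.sort(key=lambda s: s.mode != "AES-GCM")
    return [s.name for s in keep]


# Constructed sample, written the way `openssl ciphers` prints suite names.
SAMPLE = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",      # ECDHE, but AES-CBC with HMAC-SHA256
    "AES256-GCM-SHA384",            # AEAD, but static RSA key exchange
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",                   # static RSA and CBC
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING", finding)
    # Printed one per line: OpenSSL configures TLS 1.3 suites separately from
    # the TLS <= 1.2 cipher list, so this is not a single cipher string.
    for name in harden(SAMPLE):
        print("KEEP", name)
```
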

IPFire 2.25 - Core Update 150
« Reply #70 on: 29 September, 2020, 21:00 »
Release Notes

The upcoming Core Update is available for testing: It brings an updated kernel, various package updates and bug fixes.

Linux 4.14.198

The IPFire kernel is now based on Linux 4.14.198 which brings various security and stability fixes in the network stack as well as improvements throughout the whole rest of the kernel.

In connection with this, the new Location database has received some bug fixes. Formerly, some networks could not be found in the extracted part of the database which was loaded into the kernel. This has been fixed and there will be no more false-positives for selected countries.

Connection Tracking Graph

We have extended the monitoring features of IPFire which introduce a new graph with the size of the connection tracking table. It shows how many connections are open at the same time and helps to debug any networking issues or overload.

In addition to that, the CPU graph has been fixed. An empty graph was rendered after the number of processor cores has changed.

Add-ons

    Updated packages: clamav 0.103.0, htop 3.0.2, nano 5.2, postfix 3.5.7

https://www.ipfire.org/download

IPFire 2.25 - Core Update 152
« Reply #71 on: 15 November, 2020, 09:00 »
Release Notes

It is time for another Core Update: IPFire 2.25 - Core Update 152. It comes with various smaller bug fixes and improvements and updates the Windows File Sharing Add-on.

IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate

Changes

    Intrusion Prevention System: The IPS has been updated to suricata 5.0.4 which fixes various bugs and security vulnerabilities
    Leo-Andres Hofman contributed for the first time and cleaned up code that shows the DHCP leases on the web user interface. They are now sorted and expired leases are shown at the bottom of the list for better usability.
    Steffen Klammer fixed a bug which rendered an invalid proxy.pac configuration file when subnets were added in the CIDR notation
    Values for average, minimum and maximum were swapped in the firewall hits graph which has been corrected in this release
    Updated packages: knot 3.0.1, libhtp 0.94, python 2.7.18, python3 3.8.2, unbound 1.12.0, yaml 0.2.5

Add-ons

    Updated packages: mtr 0.94, nano 5.3, tor 0.4.4.5
    Updated Python 3 packages: botocore 1.16.1, colorama 0.4.3, dateutil 2.8.1, docutils 0.16, jmespath 0.9.5, pyasn1 0.4.8, rsa 4.0, s3transfer 0.3.3, six 1.14.0

Windows File Sharing Services

Samba has been updated to 4.13.0. Because of various reasons and lack of development time, we were stuck on Samba 3 which is unmaintained for a while. With this new version of Samba, new protocol features like SMB3 and encryption are supported. We have also rewritten large parts of the web user interface, made them tidier and fixed some usability issues.

We also dropped some features which we believe are not being used any more. This mainly concerns compatibility to MS-DOS clients, WINS, and using IPFire as Primary Domain Controller for Windows NT domains.

The new streamlined web user interface provides fewer controls and we have changed some defaults to work in modern networks - or that were ineffective in the newer release of Samba.

New features are as follows:

    Printing with CUPS now works out of the box
    SMB file transfers are faster, because of some performance tuning
    IPFire will now always try to become the master browser for its workgroup
    The file sharing and printing services will be announced to the local network using mDNS with Avahi
    Extensions for Mac OS X are enabled by default

Because of the vast amount of changes, we need some extra help to find any regressions introduced here. Please also consider if running this package is following best-practice rules in your organization.

https://www.ipfire.org/download

IPFire 2.25 - Core Update 153
« Reply #72 on: 12 January, 2021, 22:00 »
Release Notes

This is the official release announcement for the last planned Core Update of this year: IPFire 2.25 - Core Update 153.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate

Location Database

The location database has received significant updates that improve its accuracy. This was possible by importing more data into it and correlating it with existing data from other sources.

We have also improved performance of loading data from the database into the kernel for firewall rules which removes a class of issues where IP addresses could have matched more than one country.

Many weeks have been invested into this to optimise the database import and export algorithms to provide this functionality even on hardware that is weak on processor power and/or memory.

WPA3 - Making WiFi Safe Again

WPA3 is the new upcoming standard to protect wireless connections and is now supported in IPFire. It can be enabled together with WPA2 so that you can support any devices that do not support WPA3, yet.

WiFi can also be made more secure by optionally enabling Management Frame Protection which hardens the network against any attackers that try to de-authenticate stations and therefore denial-of-service your network.

There is more on a detailed post about this new feature: IPFire Wireless Access Point: Introducing WPA3

Another Intel Security Vulnerability

We have of course spent a lot of our valuable development time on this month's security issues created by Intel. As you might have heard from the news, it is possible to profile instructions and extrapolate information through measuring the power consumption of the processor when that instruction is being executed.

We consider this not exploitable on IPFire, because we do not allow running any third-party code, but are of course shipping fixes in form of a patched Linux kernel based on 4.14.212 and updated microcode where available for all affected processors (version 20201118).

Misc.

    The most recent OpenSSL security vulnerability CVE-2020-1971 has been patched by updating the package to version 1.1.1i
    Safe Search now allows excluding YouTube
    The zone configuration page now highlights network devices that are assigned to a zone. This change improves usability and avoids any mistakes
    IPsec tunnels are now showing correctly when they are established or not. A programming error could show connected tunnels as "connecting..." before.
    The log summary no longer shows useless entries for clients that have renewed their DHCP lease and the iptables summary has been removed, since it does not produce any useful output
    The IP address information page is now showing the Autonomous System for each IP address
    Some cosmetic improvements for the web user interface have been implemented by Matthias Fischer.
    On systems with insufficient memory, some pages of the web user interface could not be loaded when they were using the new location library. Thanks to Bernhard Bitsch for reporting this problem.
    DDNS: Support for DuckDNS has been reinstated after a significant API change
    Updated packages: bash 5.0.18, curl 7.73.0, file 5.39, go 1.15.4, knot 3.0.2, libhtp 0.5.63, openvpn 2.5.0, pcengines-firmware 4.12.0.6, strongswan 5.9.1, suricata 5.0.5, tzdata 2020d, usb_modeswitch 2.6.1, usb_modeswitch_data 20191128

Add-ons

    Updated packages: amazon-ssm-agent 3.0.356.0, aws-cli 1.18.188, ghostscript 9.53.3, libseccomp 2.4.4, lynis 3.0.1, python-botocore 1.19.28, python-urllib3, spectre-meltdown-checker 0.44, transmission 3.00, vdr 2.4.4
    Tor has been updated to version 0.4.4.6 and is now using the new location database for showing the relay country. It is also now possible to define a list of exit nodes to use and to select certain countries to use for guard nodes.
    amavis and spamassassin have been dropped because they have been unused and unmaintained for a long time
    git has been fixed so that all features implemented in Perl can be used again.
    The apcupsd package now correctly backs up and restores its configuration

https://www.ipfire.org/download
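
The Core Update 153 notes above mention IP addresses that could match more than one country. The sketch below is an added example, not part of the original post and not the code of IPFire's location library: it assumes, for illustration, that the double match comes from a nested allocation (a smaller network assigned to a different country than the larger one around it) and shows a most-specific-wins flattening that removes it. The networks are documentation ranges and XA/XB are placeholder country codes.

```python
"""Why one address can match two countries, and a most-specific-wins flattening."""
import ipaddress
from collections import defaultdict

# Constructed sample: documentation ranges with placeholder country codes
# XA/XB (user-assigned ISO 3166 codes, not real countries).
ENTRIES = [
    ("203.0.113.0/24", "XA"),
    ("203.0.113.64/26", "XB"),   # nested inside the XA allocation (assumed case)
    ("198.51.100.0/24", "XB"),
]


def naive_sets(entries):
    """One network list per country, built independently (overlaps survive)."""
    sets = defaultdict(list)
    for cidr, country in entries:
        sets[country].append(ipaddress.ip_network(cidr))
    return dict(sets)


def flatten(entries):
    """Most specific network wins; less specific ones are split around it."""
    ordered = sorted(((ipaddress.ip_network(c), cc) for c, cc in entries),
                     key=lambda e: e[0].prefixlen, reverse=True)
    claimed = []                      # (network, country), mutually disjoint
    for net, country in ordered:
        pieces = [net]
        for taken, _ in claimed:
            if taken.version != net.version:
                continue              # IPv4 and IPv6 never overlap
            remaining = []
            for piece in pieces:
                if not piece.overlaps(taken):
                    remaining.append(piece)
                elif taken != piece and taken.subnet_of(piece):
                    # Cut the already-claimed subnet out of this piece.
                    remaining.extend(piece.address_exclude(taken))
                # else: piece lies entirely inside `taken`, so it is dropped
            pieces = remaining
        claimed.extend((p, country) for p in pieces)
    sets = defaultdict(list)
    for network, country in claimed:
        sets[country].append(network)
    return {cc: sorted(nets, key=lambda n: (n.version, n))
            for cc, nets in sets.items()}


def countries_for(address, sets):
    """All countries whose network list contains the address, sorted."""
    ip = ipaddress.ip_address(address)
    return sorted(cc for cc, nets in sets.items()
                  if any(ip in n for n in nets))


if __name__ == "__main__":
    probe = "203.0.113.70"
    print("naive    :", countries_for(probe, naive_sets(ENTRIES)))
    print("flattened:", countries_for(probe, flatten(ENTRIES)))
    for cc, nets in sorted(flatten(ENTRIES).items()):
        print(cc, [str(n) for n in nets])
```

With per-country sets built independently, a rule blocking XA would also catch the XB hosts in the nested /26; after flattening, every address belongs to at most one set.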

OPNsense 21.1
« Reply #73 on: 29 January, 2021, 21:00 »
OPNsense is an open-source, easy-to-use, and easy-to-build HardenedBSD based firewall and routing platform.

License: Open Source

Release Notes -> https://opnsense.org/opnsense-21-1-marvelous-meerkat-released/

https://opnsense.org/about/about-opnsense/

pfSense 2.5.0
« Reply #74 on: 17 February, 2021, 20:00 »
Release Notes

We are excited to announce the release of pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0, now available for new installations and upgrades!

This is the first release of pfSense Plus software, formerly known as Factory Edition. For more details about the distinctions between pfSense Plus and pfSense CE, read the pfSense Plus Announcement. Customers running the Factory Edition of pfSense software version 2.4.5-p1 and older can upgrade in-place automatically to pfSense Plus software version 21.02 as with any other previous upgrade.

These versions are the result of an immense development effort taking place over the last several years. Over 550 issues are resolved, including bug fixes, new features, and other significant changes.

pfSense Plus software version 21.02-RELEASE updates are available now. For installation images, contact Netgate TAC.

pfSense software Community Edition version 2.5.0-RELEASE updates and installation images are available for download now.

Highlights

The new versions include a long list of significant changes.

Notably, pfSense Plus adds:

    Support for Intel® QuickAssist Technology, also known as QAT.
        QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
        Supported hardware includes many C3000 and C2000 systems sold by Netgate and some other types of built-in QAT support and add-on cards.
    Improved SafeXcel cryptographic accelerator support for the Netgate SG-2100 and Netgate SG-1100 which can improve IPsec performance.

    Updated IPsec profile export
        Exports Apple profiles compatible with current iOS and OS X versions
        New export function for Windows clients to configure tunnels using PowerShell

Both pfSense Plus and pfSense CE include:

    Base OS upgraded to FreeBSD 12.2-STABLE
    OpenSSL upgraded to 1.1.1
    Performance improvements

    Kernel WireGuard implementation, as mentioned in a previous WireGuard blog post
        WireGuard is a new VPN Layer 3 protocol designed for speed and simplicity
        The pfSense documentation site includes information on how to configure WireGuard as well as example configuration recipes

    IPsec enhancements
        Configuration for the strongSwan IPsec backend was changed from the deprecated ipsec.conf/stroke format to the new swanctl/VICI format
        Various improvements to tunnel configuration, including better options for lifetime and rekey to avoid duplicate security associations

    OpenVPN upgraded to 2.5.0
        OpenVPN 2.5.0 now mandates data cipher negotiation, but also tries to be friendly to older clients
        ChaCha20-Poly1305 is now supported, which is the same cipher used by WireGuard and may offer speed improvements on some platforms
        OpenVPN now disables compression by default because it is insecure, but it can still decompress traffic received from clients while not transmitting compressed packets

    Certificate Manager updates
        The GUI now supports renewing certificate manager entries (certificate authorities and certificates)
        Notifications are generated for expiring certificate entries
        Certificate keys and PKCS #12 archives can now be exported with password protection
        Support was added for elliptic curve (ECDSA) certificates
        Internal and imported CA entries can be added to the system-wide trust store
    Significant changes in Captive Portal backend and HA behavior

For more details, see the Release Notes and Redmine.

http://www.pfsense.com/
