Author Topic: Firewall distributions, miscellaneous  (Read 5616 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 189144
  • No input, no output
    • DVB-Cube

Work and test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 (BDA driver 5.0.1.8) + Terratec Cinergy 1200 C (BDA driver 4.8.3.1.8)

IPFire 2.25 - Core Update 157
« Reply #77 on: 25 June 2021, 22:00 »
Release Notes

After a little break, IPFire 2.25 - Core Update 157 is out! This is the largest release in size we have ever had and updates various parts of the operating system and brings an updated kernel.

Since IPFire is built from source and not based on any distribution, we get to select the best versions of open source software to be a part of it. This release is the second part of our "spring clean" release which updates various software packages and we have also dropped software that we no longer need. The vast amount of this work has been done by Adolf Belka who has been spending many nights in front of a compiler trying to make it all work. If you want to support him and the entire development team, please help us with your donation.

Deprecating Python 2

We have made huge efforts to migrate away from Python 2 which has reached its end of life on January 1st of this year. That includes repackaging third-party modules for Python 3 and migrating our own software to Python 3.

The work will continue over the next couple of weeks and we are hopeful to remove all Python 2 code with the next release. We will keep Python 2 around for a little bit longer to give everyone with custom scripts a little bit of time to migrate them away, too.

Misc.

    The IPFire kernel has been rebased on Linux 4.14.232 which brings various security and stability fixes
    Updated packages: bash 5.1.4, boost 1.76.0, cmake 3.20.2, curl 7.76.1, dejavu-fonts-ttf 2.37, expat 2.3.0, file 5.40, fuse 3.10.3, gdb 10.2, glib 2.68.1, iproute2 5.12.0, less 581.2, libaio 0.3.112, libarchive 3.5.1, libcap-ng 0.8.2, libedit 20210419-3.1, libevent2 2.1.12, libexif 0.6.22, libgcrypt 1.9.3, libgpg-error 1.42, libtiff 4.3.0, libupnp 1.14.6, libxcrypt 4.4.20, libxml2 2.9.10, lm_sensors 3.6.0, lua 5.4.3, meson 0.58.0, OpenSSH 8.6p1, perl-Canary-Stability, perl-Convert-TNET 0.18, perl-Convert-UUlib 1.8, perl-Crypt-PasswdMD5 1.41, perl-Digest 1.19, pixman 0.40.0, poppler 21.05.0 (and poppler-data 0.4.10), pppd 2.4.9, readline 8.1, sqlite 3.35.5, squid 4.15, sudo 1.9.7, wireless-regdb 2020.11.20, xfsprogs 5.11.0
    Some packages that are no longer needed for the build process have been dropped
    Peter Müller has cleaned up the web server configuration for the web user interface and removed various quirks and hacks for old software like Microsoft Internet Explorer 8
    Leo-Andres Hofmann has contributed some cosmetic changes for the live graphs
    A security vulnerability has been reported by Mücahit Saratar (#12619) where it was possible to change a script as an unprivileged user due to a file permission error which could later be executed as root. Thank you for reporting this to us.

Add-ons

    Updated packages: cifs-utils 6.13, cups 2.3.3op2, cups-filters 1.28.8, dnsdist 1.6.0, elfutils 0.184, fetchmail 6.4.19, ffmpeg 4.4, libmicrohttpd 0.9.73, mpd 0.22.6, ncat 7.91, nmap 7.91, samba 4.14.4, Tor 0.4.5.8

https://www.ipfire.org/

IPFire 2.25 - Core Update 158
« Reply #78 on: 22 July 2021, 22:00 »
Release Notes

IPFire 2.25 - Core Update 158 is generally available. It comes with one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

IPsec with Apple iOS & Mac OS

It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.

Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).

Unfortunately time did not allow to provide any detailed documentation for this feature, but this will be added in the near future. If you want to help the team, you can do this with your donation.

Misc.

    IPsec
        Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
        There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
    The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
    We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
    Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
    Updated packages of the core system: apache 2.4.48, bind 9.11.32, cmake 3.20.4, curl 7.77.0, dmidecode 3.3, ethtool 5.12, expat 2.4.1, fuse 3.10.4, glib 2.68.3, gnutls 3.6.16, gzip 1.10, iputils 20210202, knot 3.0.7, libcap 2.50, libedit 20210522-3.1, libnl-3 3.5.0, libpcap 1.10.1, libusb 1.0.24, libxcrypt 4.4.22, linux-firmware 20210511 as preparation for a new kernel, nettle 3.7.3, pcre2 10.37, perl-CGI 4.53, perl-TimeDate 2.33, perl-XML-Parser 2.46, python3-setuptools, python3-pyparsing 2.4.7, qpdf 10.3.2, rng-tools 6.12, smartmontools 7.2, sudo 1.9.7p1, vnstat 2.7, xfsprogs 5.12.0, zd1211-firmware 1.5, zerofree 1.1.1, zstd 1.5.0
    Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
        INTEL-SA-00442 - 2021.1 IPU - Intel® VT-d Advisory
        INTEL-SA-00464 - 2021.1 IPU - Intel® Processor Advisory
        INTEL-SA-00465 - 2021.1 IPU - Intel Atom® Processor Advisory
    IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written, tested and replaced any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
    The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...

Add-ons

    dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
    Updated packages: cups-filter 1.28.9, elfutils 0.185, flac 1.3.3, libogg 1.3.5, nano 5.8, netsnmpd 5.9.1, Postfix 3.6.1, sarg 2.4.0, tcpdump 4.99.1, tmux 3.2a, Tor 0.4.6.5

Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend to install these applications on a different machine than the firewall itself: Asterisk, dpfhack, lcd4linux, miniupnpd, motion, SANE, sendEmail. They will automatically be uninstalled on all systems.

https://www.ipfire.org/

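The shell-expansion problem that the Core Update 158 notes describe for #12616 / CVE-2021-33393, shown as an added example that is not part of the quoted release notes and is not IPFire's own code. The sub names `lookup_unsafe`, `run_no_shell` and `is_valid_hostname` are hypothetical, the input values are constructed, and `echo` stands in for a real helper program.

```perl
#!/usr/bin/perl
# Added example, not IPFire code. Sub names are hypothetical and `echo`
# stands in for whatever helper program a CGI script would call.
use strict;
use warnings;

# Constructed sample values for a form field that ends up in a command.
my @samples = (
    'green.localdomain',
    'green.localdomain; echo SHELL-RAN-THIS',
    '$(echo expanded)',
);

# Pattern to avoid: the value is interpolated into one command string.
# qx// (like system() with a single string) passes the string to /bin/sh
# when it contains shell metacharacters, so ';' and '$(...)' are acted on.
sub lookup_unsafe {
    my ($host) = @_;
    my $out = qx(echo lookup $host);
    chomp $out;
    return $out;
}

# Replacement: list-form pipe open runs the program directly (no shell), so
# every list element reaches the program as exactly one argument.
sub run_no_shell {
    my @argv = @_;
    # With a single element Perl falls back to the shell-capable string form.
    die "run_no_shell needs a program and at least one argument\n" if @argv < 2;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh) or warn "$argv[0] exited with status $?\n";
    $out = '' unless defined $out;
    chomp $out;
    return $out;
}

# Defence in depth: accept only what a hostname can look like.
sub is_valid_hostname {
    my ($host) = @_;
    return 0 if length($host) > 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

for my $host (@samples) {
    (my $unsafe = lookup_unsafe($host)) =~ s/\n/ | /g;
    my $safe = run_no_shell('echo', 'lookup', $host);
    printf "input         : %s\n", $host;
    printf "  shell string: %s\n", $unsafe;
    printf "  arg list    : %s\n", $safe;
    printf "  allow-list  : %s\n\n", is_valid_hostname($host) ? 'accept' : 'reject';
}
```

The same distinction applies to `system()`: called with a program and separate arguments it bypasses the shell, called with one interpolated string it does not.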

OPNsense 21.7
« Reply #79 on: 02 August 2021, 18:30 »
OPNsense is an open-source, easy-to-use, and easy-to-build HardenedBSD based firewall and routing platform.

License: Open Source

Release Notes -> https://opnsense.org/opnsense-21-7-released/

https://opnsense.org/about/about-opnsense/

IPFire 2.27 - Core Update 160
« Reply #80 on: 06 October 2021, 18:00 »
Release Notes

This is the release announcement for IPFire 2.27 - Core Update 160. It comes with a large number of bug fixes and package updates and prepares for removing Python 2 which has reached its end of life.

Before we talk about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

Improving Network Throughput

In recent days and months, the development team has spent a lot of time on finding bottlenecks and removing those. Our goal is to increase throughput on hardware and bringing latency down, for a faster network.

This update brings a first change which will enable network interfaces that support it, to send packets that belong to the same stream to the same processor core. This allows taking advantage of better cache locality and the firewall engine as well as the Intrusion Prevention System benefit from this, especially with a large number of connections and especially on hardware with smaller CPU caches.

This feature is automatically enabled on all hardware that supports it.

Removing Python 2

Python 2 reached its end-of-life (EOL) on January 1st, 2021. In the past months and years, we have moved our own code to Python 3 which has been completed with this update.

However, Python 2 is still present in the distribution for all users who still have to port any custom scripts. With the next Core Update, we will remove Python 2 which means that you have to act now to port any custom scripts written in Python 2.

Misc.

    In the firewall engine, support for redirecting services has been added and long-standing bug #12265 has been fixed
    Some bugs have been fixed in the IPsec VPN scripts that prevented users from creating certificate-based connections
    The web proxy can now be used on systems that do not have a GREEN network
    The firewall log viewer now displays IP protocol names instead of numbers.
    All graphs are now rendered in SVG format which makes any scaling in the browser smoother
    Updated packages: cURL 7.78.0, ddns 014, e2fsprogs 1.46.3, ethtool 5.13, glibc was patched for CVE-2021-33574 and a follow-up issue, iproute2 5.13.0, less 590, libloc 0.9.7, libhtp 5.0.38, libidn 1.38, libssh 0.9.6, OpenSSH 8.7p1, openssl 1.1.1k which fixes CVE-2021-3712 and CVE-2021-3711, pcre 8.45, poppler 21.07.0, sqlite3 3.36, sudo 1.9.7p2, strongswan 5.9.3, suricata 5.0.7, sysstat 12.5.4, sysfsutils 2.1.1

Add-ons

    Updated packages: alsa 1.2.5.1, bird 2.0.8, clamav 0.104.0, faad2 2.10.0, freeradius 3.0.23, frr 8.0.1, Ghostscript 9.54.0, hplip 3.21.6, iperf3 3.10.1, lynis 3.0.6, mc 7.8.27, monit 5.28.1, minidlna 1.3.0, ncat 7.91, ncdu 1.16, taglib 1.12, Tor 0.4.6.7, traceroute 2.1.0, Postfix 3.6.2, spice 0.15.0

https://www.ipfire.org/

IPFire 2.27 - Core Update 161 Test
« Reply #81 on: 11 November 2021, 22:00 »
Release Notes

A new update is available for testing: IPFire 2.27 - Core Update 161. It comes with a huge performance improvement for the Intrusion Prevention System which allows it to deliver excellent throughput even on smaller hardware. On top of that come a brand new kernel and various security and bug fixes.

Please note, that this update will reconnect any PPP connections and we recommend performing a reboot after the update has been installed.

Boosting Intrusion Prevention System Performance

The most notable change in this update is a large increase of throughput of the IPS. It can now decide to no longer see traffic from a certain IP connection and tell the kernel to bypass it. That removes all overhead for these connections and therefore increases throughput.

On systems like the Lightning Wire Labs Mini Appliance which comes with four CPU cores each at 1 GHz clock speed, it boosts throughput from about 120 MBit/s on full CPU load to 1 GBit/s on about 20% load on one CPU core for this type of connection. This releases more CPU time for scanning other traffic and allowing this device being properly used on connections with more than 100 MBit/s throughput.

For this change, a lot of work around the QoS and VPNs were necessary because of touch points in the firewall engine. Here, we were also able to tidy up code and make the system more efficient.

Fast Flux Detection in Web Proxy

This update brings Fast Flux Detection as introduced by Peter.

Updated OS Kernel

The IPFire kernel is now based on Linux 5.10.76 and various configuration changes have been made:

    Hardening of stack variables: All of those will now be zero-initialised to avoid any information leak inside the kernel's memory space
    TPM hardware is now being used as a source for entropy if available
    The kernel will now wake up more often in order to keep packet forward latency down and make the system more responsive.
    Some debugging/overhead functions have been disabled for slight performance gains

Misc.

    Python 2 has been removed from IPFire with this release
    IPFire now supports ExFAT
    Logwatch now includes status of software RAID configurations
    Regressions in the disk utilization stats due to a change in iostat(8)'s output have been fixed
    After launching an update, the Pakfire page did not correctly show the locked state
    The web proxy will now always hide its version number to avoid any information leaks
    Support for FriendlyARM NanoPI R2S has been added
    Updated packages: apache 2.4.51 fixing CVE-2021-42013 introduced due to an incomplete fix for CVE-2021-41773, curl 7.79.1, dosfsutils 4.2, GD-Graph 1.54, gd 2.3.3, iproute2 5.14.0, perl-GD 2.73, strongSwan 5.9.4

Add-ons

    Tor will now use any hardware acceleration for cryptographic operations if available
    Updated packages: 7zip 17.04, cups-filters 1.28.10, Ghostscript 9.55.0, Git 2.33.1, htop 3.1.1, krb5 1.19.2, monit 5.29.0, nano 5.9, pcengines-apu-firmware 4.14.0.4, shairport-sync 3.3.8
    avahi's and minidlna's configuration is now correctly backed up and restored on updates

https://www.ipfire.org/

OPNsense 22.1
« Reply #82 on: 27 January 2022, 21:00 »
Changelog


o system: improved visibility and flexibility of tunables
o system: move multiple sysctl manipulations to tunables framework to allow overriding them
o system: prevent more than one default route by default
o system: sync recovery utility contents with FreeBSD 13
o system: prevent syslog-ng from crashing after update due to "syslog-ng-ctl reload" use
o system: add severity to syslog output and allow to filter for it
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: fix general settings PHP warnings that only appear when validation fails
o system: allow additional search domain (Pierre Fevre)
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: fix new PPP CARP hook function call (contributed by Markus Reiter)
o system: separate core and thread count in information widget
o system: MSDOS file system awareness in information widget for new /boot/efi partition
o system: no longer display duplicated mounted partitions on the dashboard
o system: remove spurious XML validation that cannot cope with attributes from backup restore
o system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
o reporting: fix display of total in/out traffic values
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: improve LAGG/VLAN assignments via console option
o interfaces: repair get_interface_list() for console use
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: improve validations and fix defaults for bridges
o interfaces: allow bridges to attach to VXLAN on boot
o interfaces: background all interface reconfiguration script hooks
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o interfaces: remove defunct link support for GRE
o interfaces: align GIF configuration with base system options
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: removed the $aliastable cache
o firewall: support "no scrub" option in normalisation rules
o firewall: correctly handle IPv6 NAT in states view
o firewall: plain log default logging severity selection is now "informational"
o firewall: improve maximum shaper value validation and add Gbit/s support
o captive portal: prevent session removal crashing when no IP address was registered
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dhcp: rework router advertisement "static" mode flags to separate advanced options
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o dnsmasq: no-hosts option (contributed by agh1467)
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: implement cross-ABI reinstall of all packages for future use
o firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
o firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
o firmware: return product info for status endpoint even when no firmware check was done
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: add EFI partition as a default mount point
o installer: increase EFI partition size to 260 MB
o installer: improve disk and ZFS pool scan and display
o intrusion detection: prevent config migration from crashing
o intrusion detection: update to ET-Open to version 6
o ipsec: update security of default settings when creating new phase 1 and 2
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: migrated tunnel settings page to MVC
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add iburst option and stop using it by default (contributed by Patrick M. Hausen)
o network time: detach "limited" from "kod" option (contributed by Zsolt Zsiros)
o network time: remove PID file use as it can be unreliable
o openvpn: kill by common name when kill by address does not work
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o backend: unify use of configctl utility
o images: removed deprecated os-dyndns plugin from default installation
o mvc: fix logging of configd errors
o mvc: Add BlankDesc to ModelRelationField (contributed by agh1467)
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: add hint support for text fields (contributed by agh1467)
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o src: revert upstream permission change for /root directory
o src: fix kernel build creating wrong linkers.hint file
o src: carp: fix send error demotion recovery
o src: ixgbe: prevent subsequent I2C bus read timeouts
o src: reworked shared forwarding
o plugins: os-acme-client 3.8[2]
o plugins: os-bind 1.20[3]
o plugins: os-ddclient 1.0 as an eventual replacement for os-dyndns
o plugins: os-dyndns adds local copy of get_dyndns_ip()
o plugins: os-freeradius 1.9.18[4]
o plugins: os-frr 1.26[5]
o plugins: os-haproxy 3.10[6]
o plugins: os-nginx 1.26[7]
o plugins: os-openconnect 1.4.2[8]
o plugins: os-postfix 1.21[9]
o plugins: os-rfc2136 adds local copy of get_dyndns_ip()
o plugins: os-telegraf 1.12.4[10]
o plugins: os-wireguard 1.10[11]
o plugins: os-wol adds cron support for wake action (contributed by digitalshow)
o plugins: os-zabbix-proxy 1.7[12]
o ports: expat 2.4.2[13]
o ports: filterlog 0.6[14]
o ports: flock 2.37.2
o ports: hostapd 2.10[15]
o ports: lighttpd 1.4.63[16]
o ports: nss 3.74[17]
o ports: openssl 1.1.1m[18]
o ports: openvpn 2.5.5[19]
o ports: pecl-psr 1.2.0[20]
o ports: phalcon 4.1.3[21]
o ports: php 7.4.27[22]
o ports: pkg fixes validation failures on HTTPS fetch in static binary[23]
o ports: sqlite 3.37.2[24]
o ports: syslog-ng 3.35.1[25]
o ports: unbound 1.14.0[26]
o ports: wpa_supplicant 2.10[27]

Known issues and limitations:

o This release contains a new major operating system version and should be carried out with the necessary care.  Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.  Except for ZFS boot environments rollbacks between major operating system versions are extremely fragile and a reinstall of an older version should be attempted in the worst case.  For more information please consult the FreeBSD 13.0 release notes[28].
o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream.  If you are using MD5, Blowfish, DES, 3DES, or CAST128 in your phase 2 please move to more secure settings prior to the upgrade.  Note that phase 1 settings are unaffected, but insecure settings should still be avoided.  For more information see the FreeBSD commit in question[29].
o The Realtek vendor driver is no longer bundled with the updated FreeBSD kernel.  If unsure whether FreeBSD 13 supports your Realtek NIC please install the os-realtek-re plugin prior to upgrading to retain operability of your NICs.
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface.  This can introduce unwanted configuration due to previous side effects in the code.  Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
o Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect.  This can introduce unwanted configuration due to previous side effects in the code.  If the parent interface was not previously assigned please assign it to reapply the required media settings.
o NTPD defaults changed to exclude the "iburst" option by default.  "limited" setting was detached from "kod" option.  In both cases configuration adjustments can achieve previous behaviour if required.
o Rebind checks through os-dyndns or os-rfc2136 will no longer work due to the deprecation of both plugins.  Please add your rebind hosts manually or disable rebind protection prior to the upgrade.
o GRE link1 support has been removed and needs a static route to function now.
o Circular logging support has been removed.  No user interaction is required.

https://opnsense.org/about/about-opnsense/

OPNsense 22.7
« Reply #83 on: 29 July 2022, 21:00 »
Changelog


o Europe: https://opnsense.c0urier.net/releases/22.7/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.7/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/22.7/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.7/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 22.1.10:

o system: changed certificate revocation to use the phpseclib library
o system: performance improvement for set_single_sysctl()
o system: restart syslog fully and only once after all services have been started
o system: new setting for deployment mode to control PHP error flow
o system: /tmp MFS now uses a maximum of 50% of RAM by default and can be adjusted
o system: /var MFS becomes /var/log MFS and uses a maximum of 50% of RAM by default and can be adjusted
o system: previous special /var MFS content is now permanently stored under /var to ensure full operability
o system: flush all core Python pyc files on updates
o system: protect syslog-ng against out of memory kills
o system: add filter to system log widget (contributed by kulikov-a)
o system: disable RRD and NetFlow shutdown backups by default
o system: render interfaces in convert_config()
o system: apply default firewall policy before interface configuration
o system: move remote backup script to proper file system location
o system: disable flag was not removing static route
o system: Net_IPv6::compress() should not compress "::" to ""
o system: fix RADIUS config validation for port requirement (contributed by Josh Soref)
o system: remove last bits of circular logging (CLOG) support
o system: removed legacy Diffie-Hellman parameter handling
o interfaces: refactored LAGG, wireless and static ARP handling
o interfaces: provide automatic startup of Loopback, IPsec, OpenVPN, VXLAN devices
o interfaces: removed the side effect reliance on /var/run/booting file
o interfaces: add dynamic reload of required devices
o interfaces: add WPA enterprise configuration for infrastructure mode (contributed by Manuel Faux)
o interfaces: fix "Allow service binding" for multiple aliases per interface (contributed by Adam Dawidowski)
o interfaces: auto-detect far gateway requirement for default route
o interfaces: switch to MVC/API variant for DNS lookup page
o interfaces: refactor DHCP and PPPoE scripts to use ifctl exclusively
o interfaces: prevent the removal of default routes in dhclient-script
o interfaces: fix inconsistencies in wireless handling
o interfaces: fix unable to bring up multiple loopback (contributed by Johnny S. Lee)
o interfaces: fix unable to bring up multiple VXLAN
o interfaces: check if int before passing to convert_seconds_to_hms()
o interfaces: disable IPv6 inside 4in6 and 4in4 GIF tunnels (contributed by Maurice Walker)
o interfaces: ping diagnostics tool must explicitly set IP version (contributed by Maurice Walker)
o interfaces: remove other inconsistencies regarding ping utility changes in FreeBSD 13
o interfaces: correct regex validation for dhcp6c expire statement (contributed by Josh Soref)
o interfaces: add missing scope to link-local GIF host route
o interfaces: add iwlwifi(4) to wireless devices
o firewall: improved port alias performance
o firewall: obsoleted notices inside the synchronization code
o firewall: support logging in NPT rules
o firewall: append missing link-local to inet6 :network selector
o firewall: move inspect action into its own async API action to prevent long page loads
o firewall: internal aliases cannot be disabled
o firewall: performance improvement for reading live log
o firewall: ignore age/expire when not provided or empty in sessions page
o firewall: add general firewall log for alias and filter system log messages
o dhcp: no longer automatically add a link-local address to bridges if IPv6 service is running on it
o dhcp: allow running relay service on bridges
o dhcp: clean up IPv6 prefixes script
o dhcp: include ddns-hostname and other cleanups (contributed by Sascha Buxhofer)
o dhcp: remove duplicated ddnsupdate static mapping switch
o dhcp: remove print_content_box() use
o dhcp: switch to shell-based DHCPv6 lease watcher
o dhcp: rewrite prefix merge for dynamic IPv6 tracking to support bitwise selection
o dnsmasq: switch to a Python-based DHCP lease watcher
o firmware: console script can now show changelog using "less" before update
o firmware: disable crash reporter in development deployment mode
o firmware: limit changelog-based update check on dashboard to release version
o firmware: provide an upgrade log audit
o intrusion detection: remove dead link to McAfee rule references
o ipsec: add "IPv4+6" protocol for mobile phase 1 entries (contributed by vnxme)
o ipsec: mobile property boolean duplication in phase 2
o ipsec: remember phase 1 setting for next action
o ipsec: switch to MVC/API variants of SPD, SAD and connection pages
o ipsec: small UX tweaks in status page
o openvpn: pinned Diffie-Hellman parameter to RFC 7919 4096 bit key
o unbound: prevent crash of DHCP lease watcher due to unhandled CalledProcessError exception
o lang: bring back Italian and update all languages to latest available translations
o mvc: bugfix search and sort issues for searchRecordsetBase()
o mvc: add support for non-persistent (memory) models
o mvc: throw when no mount found in model (contributed by agh1467)
o mvc: fix rowCount when all is selected in searchRecordsetBase()
o mvc: fix two regressions in BaseField for Phalcon 5
o mvc: store configuration changes only when actual changes exist
o ui: removed Internet Explorer support
o ui: bootstrap-select ignored header height
o ui: merge option objects instead of replacing them in bootgrid (contributed by agh1467)
o ui: correct required API for command-info in bootgrid (contributed by agh1467)
o ui: add catch undefined TypeError in SimpleActionButton (contributed by agh1467)
o ui: fix assorted typos in the code base (contributed by Josh Soref)
o ui: handle HTTP 500 error gracefully in MVC pages
o plugins: os-apcupsd 1.0[2] (contributed by David Berry, Dan Lundqvist and Nicola Pellegrini)
o plugins: os-boot-delay is no longer available[3]
o plugins: os-crowdsec 1.0[4]
o plugins: os-nginx fix for missing DH parameter file
o plugins: os-postfix fix for missing DH parameter file
o plugins: os-tayga 1.2[5]
o plugins: os-tor no longer available on LibreSSL due to incompatibilities with newer Tor versions
o plugins: os-web-proxy-useracl is no longer available, no updates since 2017
o src: FreeBSD 13.1-RELEASE[6]
o src: axgbe: also validate configuration register in GPIO expander
o src: pf: ensure that pfiio_name is always nul terminated
o src: pf: make sure that pfi_update_status() always zeros counters
o src: igc: change default duplex setting
o src: e1000: try auto-negotiation for fixed 100 or 10 configuration
o ports: php 8.0.20[7]
o ports: sqlite 3.39.0[8]
o ports: suricata 6.0.6[9]
o ports: unbound 1.16.1[10]

A hotfix release was issued as 22.7_4:

o system: IXR_Library using incorrect constructor format for PHP 8
o interfaces: fix issues with PPP uptime display in PHP 8
o firewall: do not emit link-local address on IPv6 network outbound NAT
o mvc: remove stray error_reporting(E_ALL) calls

Known issues and limitations:

o The DH parameter is no longer available in OpenVPN server configuration and now fixed to the RFC 7919 4096 bit key.  The only downside may be lower performance on older machines.
o The infamous /var MFS feature was reduced to the /var/log scope in order to avoid future issues with plugins requiring persistent storage under /var.  In practice people who used /var MFS had no benefit over it with software that required persistent storage under /var to operate in the first place.  Periodic configuration file writes to /var are negligible on SSD-based systems.
o The os-dyndns plugin is still available due to the fact that ddclient did not release a non-development release so far since we started os-ddclient.  Availability thereof might change later in 22.7.x.
o The console firmware update will now display text-based changelogs for the update to be installed if available.  Use the arrow keys to scroll the changelog and type "q" to resume the update process.
o The manual DHCPv6 tracking mode now requires a proper prefix range given like its counterpart with a static address.  If a previous prefix ID type input is detecte


https://opnsense.org/about/about-opnsense/


Offline SiLæncer

IPFire 2.27 - Core Update 170
« Reply #84 on: 19 September 2022, 19:00 »
Release Notes

The next Core Update is released: IPFire 2.27 - Core Update 170. It features new IP blocklists for the firewall engine, significant improvements to Pakfire, modernizes the default cryptographic algorithm selection for IPsec connections, as well as a new kernel, and a plethora of bug fixes and security improvements under the hood.

IP-Reputation Blocking to keep known threats out

Based on prior development by Tim FitzGeorge, Stefan brought a new feature to the firewall engine, which allows the easy activation of various public IP-based blocklists, just by a single click.

All enabled blocklists are updated automatically at an appropriate interval (a technique we already deployed for updating IPS rulesets), and protect against various threats, such as IP addresses or networks having a poor reputation, being involved with cyber crime hosting, or simply not allocated, hence no traffic should be routed to and from them.

You probably wonder why IPFire now comes with yet another way for IP-based blocking. There are several motivations behind this:

    IP blocklists are already available for the Intrusion Prevention System. However, it is a rather expensive way for dealing with network traffic that can already be safely dropped based on the reputation of involved IPs. There is no need to waste more CPU resources on it than absolutely necessary - why not let the firewall engine itself handle such traffic, and bother the IPS with more relevant stuff?
    The "drop all traffic from and to hostile networks" feature is meant as a basic level of network protection suitable for IPFire's entire user base, hence enabled by default. It protects against "the baddest of the bad" on the internet, and does not require any attention or maintenance whatsoever.
    IP blocklists, as introduced with this Core Update, provide a more fine-grained level, and your mileage may vary: For example, blocking Tor traffic might be appropriate for some IPFire users, but certainly not for all of them. Some may find certain blocklists to be too aggressive for their use-case.

One size doesn't always fit all. The IP blocklist feature is IPFire's way of taking this into account, and making further protection against network threats easy and resource-efficient.

IPsec: MODP-2048 is ejected for new connections in favour of ECP-384/-521

Following recommendations not to use Diffie-Hellman groups shorter than 3,000 bits after 2022, MODP-2048 has been dropped from the default cryptographic algorithm selection for new IPsec connections. To provide a more performant alternative to MODP-3072 and MODP-4096 and to be more compatible to other vendors in the default configuration, the NIST-standardized elliptic curves ECP-384 and ECP-521 have been added to the defaults for new IPsec connections.

Existing IPsec connections remain unchanged. However, IPFire users operating IPsec connections are advised to revise the cryptographic settings for these, and drop using weak algorithms, if possible.

Linux Kernel 5.15.59

Among bug fixes throughout the kernel including security fixes and hardware support improvements, the updated kernel also adds mitigations against Retbleed, another CPU vulnerability affecting various Intel and AMD processors. IPFire's web interface has been updated to display the mitigation state of Retbleed accordingly.

The following kernel-related changes have been made in addition:

    On x86_64, Intel DMA Remapping Devices (better known as IOMMU) are enabled by default during boot, if available.
    To reduce attack surface, legacy DRM drivers are no longer available. Since the respective kernel modules have already been blocklisted for a long time, thus unusable, this should not have an impact in production.
    64-bit ARM users experience improved KASLR thanks to the kernel's memory address now being randomized before unpacking it (#12363).
    Merging slab caches is no longer permitted, to prevent kernel heap overflows, and adversaries interfering with cache structures used by several programs.
    Support for PCI pass-through has been enabled to allow mapping PCI devices into VMs running on IPFire (#12754).

Miscellaneous

    Robin Roevens contributed a series of improvements to Pakfire, such as better error handling on downloads, and refactored a lot of code under the hood.
    He also updated and improved the Zabbix agent add-on, which now features version 6.0.6 (LTS).
    Support for assigning aliases to multiple RED interfaces has been added.
    Non-unique hardware UUIDs as well as empty serial numbers are now ignored for computing Fireinfo profile IDs (#12896).
    The blocklist of the University of Toulouse is now downloaded via HTTPS (#12891).
    Logwatch summaries are now properly included in backups (#12827).
    ncurses terminfo files for tmux are now properly shipped, resolving #12905.
    All logged IPS events are now correctly displayed in the web interface (#12899).
    Mount options of /boot have been hardened on both existing installations and new x86_64 IPFire instances.
    On new installations, the partition's size has also been increased to 256 MiB, since components such as the kernel keep getting bigger and bigger.
    amazon-ssm-agent is now available on 64-bit ARM as well.
    pyfuse3 is now packaged for BorgBackup (#12611).
    Two stored XSS vulnerabilities have been fixed, thanks to JPCERT for reaching out (#12925).
    Updated packages: Bash 5.1.16, bind 9.16.31, GnuTLS 3.7.7, harfbuzz 4.4.1, hdparm 9.64, intel-microcode 20220809, kmod 30, krb5 1.20, logwatch 7.7, lsof 4.95.0, nano 6.4, ninja 1.11.0, OpenSSL 1.1.1q, rpcsvc-proto 1.4.3, screen 4.9.0, sqlite 33900000, suricata 5.0.10, unbound 1.16.2, usbutils 014, vim 9.0, xfsprogs 5.18.0, zlib to incorporate a fix for CVE-2022-37434.
    Updated add-ons: ClamAV 0.105.1, fmt 9.0.0, git 2.37.1, gptfdisk 1.0.9, gutenprint 5.3.4, haproxy 2.6.0, htop 3.2.1, i2c-tools 4.3, iperf 2.1.7, mpd 0.23.8, NRPE 4.1.0, openvmtools 12.0.5, pcengines-apu-firmware 4.17.0.1, python3-cryptography 36.0.2, qemu 7.0.0, qemu-ga 7.0.0, rsync to patch CVE-2022-29154, Samba 4.16.4, shairport-sync 3cc1ec6

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, and consider becoming engaged in development to distribute the load over more shoulders.


https://www.ipfire.org/
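
The Core Update 170 notes above advise revising existing IPsec connections and dropping Diffie-Hellman groups shorter than 3,000 bits. The following is an added example, not part of the release notes or of IPFire's code: it audits `ike=`/`esp=` proposal lines in strongSwan `ipsec.conf` syntax against that threshold. The sample configuration, the connection names and the verdict labels are constructed for illustration, and groups the notes do not mention are reported as unassessed rather than judged.

```python
import re

# Threshold from the release notes: no DH groups shorter than 3,000 bits.
MIN_MODP_BITS = 3000
# Elliptic-curve groups the notes add to the defaults for new connections.
PAGE_ECP_DEFAULTS = {"ecp384", "ecp521"}

# strongSwan proposal keywords: modpNNNN (optionally with a subgroup suffix).
MODP_RE = re.compile(r"modp(\d+)(s\d+)?")
# Other key-exchange keywords; the release notes make no statement about them.
OTHER_GROUP_RE = re.compile(r"(ecp\d+(bp)?|curve\d+|x\d+)")

# Constructed sample, not taken from a real system.
SAMPLE_CONF = """\
# constructed sample configuration
conn legacy-site
    ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp4096!
    esp=aes256-sha2_256-modp2048!

conn new-default
    ike=aes256gcm16-prfsha384-ecp384,aes256gcm16-prfsha512-ecp521
    esp=aes256gcm16-ecp384

conn roadwarrior
    ike=chacha20poly1305-prfsha512-curve25519
    esp=aes256gcm16
"""


def classify_group(token):
    """Return 'weak', 'ok', 'unassessed', or None if token is not a DH group."""
    token = token.lower()
    match = MODP_RE.fullmatch(token)
    if match:
        return "weak" if int(match.group(1)) < MIN_MODP_BITS else "ok"
    if token in PAGE_ECP_DEFAULTS:
        return "ok"
    if OTHER_GROUP_RE.fullmatch(token):
        return "unassessed"
    return None  # cipher, integrity or PRF keyword


def audit_proposals(value):
    """Return [(proposal, group_or_None, verdict)] for one ike=/esp= value."""
    results = []
    # A trailing '!' only marks the list as strict; it is not part of a keyword.
    for proposal in value.rstrip("!").split(","):
        proposal = proposal.strip()
        if not proposal:
            continue
        groups = [(t.lower(), classify_group(t)) for t in proposal.split("-")]
        groups = [(t, v) for t, v in groups if v is not None]
        if not groups:
            # No key-exchange group listed in this proposal at all.
            results.append((proposal, None, "no-group"))
        results.extend((proposal, t, v) for t, v in groups)
    return results


def audit_config(text):
    """Return [(conn, keyword, proposal, group, verdict)] for every proposal."""
    findings = []
    conn = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and conn and key in ("ike", "esp"):
            for proposal, group, verdict in audit_proposals(value.strip()):
                findings.append((conn, key, proposal, group, verdict))
    return findings


def needs_review(findings):
    """Connections with at least one proposal that is not clearly acceptable."""
    return sorted({f[0] for f in findings if f[4] != "ok"})


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONF):
        print("%-12s %-3s %-32s %-10s %s" % finding)
    print("review:", ", ".join(needs_review(audit_config(SAMPLE_CONF))))
```

A connection is listed for review even when only one of several proposals is weak, because a peer may still select that proposal during negotiation.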


Offline SiLæncer

IPFire 2.27 - Core Update 171
« Reply #85 on: 20 October 2022, 21:00 »
Release Notes

Today, we release IPFire 2.27 - Core Update 171. It updates major parts of the distribution, such as the kernel and the IPS engine, and features bug fixes as well as stability and security improvements - most notably, upstream fixes against a strain of vulnerabilities in the kernel's WiFi components. Particularly IPFire users running WiFi networking hardware are advised to install this update as soon as possible, and reboot their systems afterwards.

Also, this Core Update initiates the deprecation of IPFire support for 32-bit ARM hardware, ultimately taking effect on February 28, 2023.

Modernizing system components

Several core parts of IPFire have been updated and modernized:

    Suricata has been updated to the 6.x versioning branch, after a show-stopping issue (#12548) has been resolved upstream. IPFire users will benefit from more stable, secure, and versatile IPS functionality.
    The Linux kernel has been updated to 5.15.71, providing IPFire users with hardware support improvements and security fixes.
        Most notably, it resolves issues affecting ASIX USB3-to-LAN adapters using the ax88179-178a driver.
        Upstream patches for fixing CVE-2022-41674 and CVE-2022-42719 to CVE-2022-42722 have been incorporated, plugging several security vulnerabilities in the kernel's WiFi components that could have led to RCE and DoS attacks, simply by emitting crafted WiFi beacons.
        To cut attack surface, some debugging functionalities have been removed, for which there is no legitimate use-case on an IPFire machine.
        ARM installations will experience a security benefit thanks to seccomp support enabled. Doing so previously caused issues on some boards, hence it was enabled on x86 only.
        Mathew McBride submitted patches to add support for the 64-bit ARM Traverse Ten64 board family.

Sunsetting 32-bit ARM support

Back in the glory days, the IPFire development team was optimistic about ARM becoming an affordable yet powerful alternative to the x86 architecture. Support was added in IPFire 2.11, 13 years ago. Soon, we finally would see some diversification among the hardware landscape, forcing competition and ultimately better products - or so we hoped.

Disappointment kicked in just two years later, when we realized hardware vendors were just dumping new SoCs on the market without caring about proper operating system support at all. Existing boards disappeared quicker than the kernel developers could reverse engineer them and implement drivers. Very few of these boards actually met IPFire's demands, such as having at least two properly connected NICs.

Things did not improve afterwards, as we had to assess that there was no innovation on the market, and given the hardware specifications of the vast majority of 32-bit ARM boards, the architecture quickly became very much a legacy burden to us. Maintaining our own ARM kernel patchset started to eat into the spare time of IPFire's developers, while the amount of IPFire installations actually running on ARM never exceeded 10%. At some point, we decided not to support any additional SoCs without proper mainline kernel drivers, to prevent the situation from escalating to a DDoS against the people behind IPFire.

Today, despite significant efforts on our part, we are left with a patchy list of ARM boards supported, scanty upstream support (much like 32-bit x86), and a general disinterest in this architecture. Unsurprisingly, at the time of writing, only 0.86% of all IPFire installations out there run on 32-bit ARM.

Due to all these reasons, we decided to discontinue IPFire support for 32-bit ARM on February 28, 2023. Users are recommended to replace their hardware; after that date, IPFire won't provide updates for this architecture anymore.

64-bit ARM board support will continue, and while it is not a mainstream architecture to us (backing only 1.25% of all IPFire installations), supporting it is much less of a hassle, thanks to better upstream development and big server vendors and cloud providers rapidly shifting to 64-bit ARM. As to be expected, the boards available are much more powerful and suitable for firewalling purposes as well. We hope our decision will gain us resources to focus on more important work, such as the development of IPFire 3.

Miscellaneous

    Perl, all its modules and related packages were updated to 5.36.0, resolving functional and security issues.
    The toolchain, comprising glibc, binutils and more, was modernized as well.
    linux-firmware, the conglomerate of proprietary 3rd-party firmware files, has been updated as well. By removing some firmware files related to unsupported hardware, especially Bluetooth devices, we save a couple of megabytes.
    Creating full-ISO backups is now possible again, resolving #12932.
    libsodium is now shipped with the core system, required as a dependency to some add-ons (#12929).
    Faulty links to IP blocklist source websites have been fixed (#12938).
    Orphaned RRD graphs are now cleaned automatically on a weekly basis, saving disk space.
    NUT logs can now be viewed in the web interface (#12921).
    Connections to literal IPv6 addresses no longer crash IPFire's proxy (#12826).
    IPFire's default domain is now used for DHCP leases where no domain can be determined, rather than defaulting to localdomain.
    Updated packages: bind 9.16.33, binutils 2.39, curl 7.84.0, dhcp 4.4.3-P1, efibootmgr 18, efivar 38, expat 2.4.9, glibc 2.36, iproute2 5.19.0, kbd 2.5.1, libarchive 3.6.1, libhtp 0.5.41, linux-firmware 20220913, nettle 3.8.1, OpenVPN 2.5.7, Perl 5.36.0, sqlite 3390200, Squid 5.7, strongSwan 5.9.7, Suricata 6.0.8, udev 3.2.11, Unbound 1.16.3, util-linux 2.38.1, wireless-regdb 2022-08-12
    Updated add-ons: elfutils 0.187, fetchmail 6.4.32, hplip 3.22.6, lcdproc 0e2ce9b, ncat 7.92, rsync 2.3.6, Tor 0.4.7.10

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, and consider becoming engaged in development to distribute the load over more shoulders.


https://www.ipfire.org/


Offline SiLæncer

IPFire 2.27 - Core Update 172
« Reply #86 on: 29 December 2022, 21:00 »
Release Notes

Shortly after Christmas, we release IPFire 2.27 - Core Update 172. It comes with cryptography improvements for IPsec and OpenVPN, as well as security improvements under the hood, a plethora of package updates and various bugs fixed across the place.

Future-proofing VPN cryptography

This Core Update updates the key lengths of host certificates for both IPsec and OpenVPN clients/peers to 4,096 bit RSA, since the previous default of 2,048 bit is no longer recommended for long-term security purposes.

Both IPsec and OpenVPN root CA length has always been 4,096 bit, as has the key pair generated for IPFire's web interface - no action is required on that front. Unfortunately, existing IPsec/OpenVPN client/peer configurations cannot be migrated automatically, and have to be phased-out manually. Thanks to the respective CA certificates not requiring an update, complete disruptions of VPN infrastructure can, however, be avoided.

OpenVPN is automatically reconfigured to use a secure Diffie-Hellman parameter, both of sufficient length of 4,096 bit and standardized (see RFC 7919, section A.3, bug #12632). All OpenVPN clients and peers will automatically benefit from this cryptography improvement; no manual action is required. This also obsoletes the necessity of generating or uploading Diffie-Hellman parameters while configuring OpenVPN, saving a lot of time, as the generation of such parameters could have taken hours on slower hardware.

For early 2023, we anticipate post-quantum cryptography (PQC) to land in IPFire for IPsec, for which there is a strong (and growing) need, thanks to so-called "capture now, decrypt later" attacks endangering the confidentiality of information with long-term secrecy demand, such as biometric and health data.

Miscellaneous

    IPFire's trust store has been updated to incorporate Mozilla's decision to distrust the root certificates of TrustCor Systems S. DE R.L. (further media coverage).
    Displaying the status and actions of add-ons whose service names differed from their package names is fixed (#12935). The same page has also seen some translation improvements.
    Certificate Revocation Lists (CRLs) of OpenVPN are now properly backed up and reloaded before OpenVPN is (re-)started.
    Adolf Belka submitted a massive patchset for updating Python.
    Roberto Peña updated and improved the Spanish translation of IPFire's web interface.
    Some unnecessary files from linux-firmware are no longer shipped and automatically removed from existing installations to keep the system as lean as possible.
    Various file permissions have been tightened as a defense in-depth measure.
    The obsolete gnu-netcat add-on has been dropped.
    Updated packages: arm-trusted-firmware 2.7, bash 5.2, bind 9.16.35, conntrack-tools 1.4.7, curl 7.86.0, elinks 0.15.1, ethtool 6.0, expat 2.5.0, iana-etc 20221107, intel-microcode 20221108, iproute2 6.0.0, libedit 20221030-3.1, libhtp 0.5.42, libloc 0.9.15, libnetfilter_conntrack 1.0.9, libpng 1.6.39, libtasn1 4.19.0, libtiff 4.4.0, libuv 1.44.2, libxcrypt 4.4.33, libxml2 2.10.3, linux-firmware 20221109, memtest86+ 6.00, nano 7.0, OpenSSH 9.1p1, OpenSSL 1.1.1s, OpenVPN 2.5.8, poppler 22.11.0, python3 3.10.8, readline 8.2, sed 4.9, sqlite 3400000, strongswan 5.9.8, sudo 1.9.12p1, suricata 6.0.9, sysstat 12.7.1, tzdata 2022e, u-boot 2022.10, unbound 1.17.0, usbutils 015, vnstat 2.10, xz 5.2.8, zlib 1.2.13
    Updated add-ons: cups-filters 1.28.16, ddrescue 1.26, dehydrated 0.7.1, fetchmail 6.4.34, ffmpeg 5.1.2, flac 1.4.2, fmt 9.1.0, git 2.38.1, libassuan 2.5.5, libvirt 8.9.0, mpd 0.23.10, nginx 1.22.1, pcengines-apu-firmware 4.17.0.2, qemu 7.1.0, qemu-ga 7.1.0, rsync 3.2.7, samba 4.17.3, sdl2 2.26.0, Tor 0.4.7.12

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, and consider becoming engaged in development to distribute the load over more shoulders.


https://www.ipfire.org/


Offline SiLæncer

OPNsense 23.1
« Reply #87 on: 27 January 2023, 19:00 »
Changelog


o system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
o system: introduced a service boot log
o system: the LibreSSL flavour has been discontinued
o system: simplify gateway monitoring setup code
o system: add option to skip gateway monitor host route
o system: populate /etc/hosts file with IPv6 addresses too
o system: simplify and guard host route creation
o system: merge system_staticroutes_configure() into system_routing_configure()
o system: do not yield process after calling shutdown command
o system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
o system: show size of ZFS ARC (adaptive replacement cache) in system widget
o system: introduce support tier annotations for core and plugins[2]
o system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
o system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
o reporting: add Unbound DNS statistics frontend including client drill-down
o interfaces: heavy cleanup of the wireless device integration
o interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
o interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
o interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
o interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
o interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
o interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
o interfaces: simplified get_real_interface() function
o interfaces: removed obsolete "defaultgw" files
o interfaces: simplified rc.linkup script
o interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
o interfaces: converted virtual IPs to MVC/API
o interfaces: add MAC filtering to packet capture
o interfaces: convert ARP/NDP pages to server-side searchable variant
o interfaces: create null route for DHCPv6 delegated prefix
o interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
o firewall: remove deprecated "Dynamic state reset" mechanic
o firewall: invalidate port forward rule entry when no target is specified
o firewall: hide deprecated source OS rule setting under advanced
o firewall: add group option to prevent grouping in interfaces menu
o firewall: safeguard against missing name from the alias API call
o intrusion detection: keep grid to prevent widgets being removed
o intrusion detection: reload grid after log drop (contributed by kulikov-a)
o intrusion detection: add verbose logging mode selector
o ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
o ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
o ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
o ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
o ipsec: rewrote lease status page in MVC/API
o ipsec: add configurable "unique" setting to phase 1
o ipsec: missing correct phase 1 to collect "Network List" option
o monit: support start timeout setting (contributed by spoutin)
o openvpn: add unique daemon name to each instance
o unbound: add statistics database backend
o unbound: add exact domain blocking
o mvc: call plugins_interfaces() optionally on service reconfigure
o mvc: match UUID for multiple values (contributed by kulikov-a)
o mvc: convert setBase() to an upsert operation
o mvc: change default sorting to case-insensitive
o mvc: add TextField tests (contributed by agh1467)
o mvc: implement required getRealInterface() variant
o ui: assorted improvements in bootgrid and form controls
o ui: switch to pure JSON data in bootgrids
o plugins: os-bind 1.25[3]
o plugins: os-ddclient 1.11[4]
o plugins: os-dyndns end of life note moves to 23.7
o plugins: os-freeradius 1.9.22[5]
o plugins: os-frr 1.32[6]
o plugins: os-haproxy 4.0[7]
o plugins: os-puppet-agent 1.1[8]
o plugins: os-sslh 1.0[9] (contributed by agh1467)
o plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
o plugins: os-upnp 1.5[10]
o plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
o src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
o ports: php 8.1.14[11]
o ports: sudo 1.9.12p2[12]

Migration notes, known issues and limitations:

o LibreSSL flavour has been discontinued.  Switch to OpenSSL flavour to proceed with the upgrade.
o StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases.  Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
o The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf.  Legacy tunnel settings cannot be managed from the API and are not migrated.

Stay safe,
Your OPNsense team


https://opnsense.org/about/about-opnsense/


Offline SiLæncer

IPFire 2.27 - Core Update 173
« Reply #88 on: 27 February 2023, 19:00 »
Release Notes

The first Core Update in 2023 has been released: IPFire 2.27 - Core Update 173. It introduces support for 4G and 5G modems that use the QMI interface, features a kernel fresh from the latest 6.1 stable series, as well as the usual plethora of package updates, security improvements and bug fixes.

IPFire users running 32-bit ARM devices should note that support for this architecture will sunset at the end of this month, and are advised to migrate their installations to a hardware architecture supported by IPFire now. Consequently, this will be the last update released for this architecture.

Introducing QMI support

The Qualcomm MSM Interface is a proprietary interface increasingly used by 4G and 5G cellular modems. Commencing with this Core Update, IPFire supports interacting with such modems, thus significantly expanding its hardware compatibility to QMI-only cellular modems, and providing a faster and more modern interface.

Thanks to Michael for implementing this feature. On that occasion, he also refactored related networking code.

Linux Kernel 6.1.11

Arne has updated the Linux kernel to the most recent stable series, 6.1.11, which has become the new long-term series. Aside from the usual improvements such major kernel updates bring like bug fixes, improved hardware support and security improvements, we took the occasion to bring several new hardening changes to IPFire users:

    System calls permitting processes to read or write other processes' memory are no longer provided by the kernel.
    On EFI systems supporting it, the firmware is now instructed to wipe all memory when rebooting, to hamper cold boot attacks.
    Landlock support has been enabled.
    GCC's "latent entropy" plugin has been disabled, since it does not generate cryptographically secure entropy.
    To cut attack surface, support for both the ACPI configuration file system and obsolete PCMCIA/CardBus subsystem has been removed.
    On 64-bit ARM installations, direct memory access via malicious PCI devices is no longer possible.

Miscellaneous

    The OpenVPN 2FA authenticator will no longer enter an infinite loop if the socket connection to OpenVPN is lost (#12963).
    A user group necessary for interaction between D-Bus and Avahi is now properly created while installing the latter add-on (#13017).
    The OpenVPN GUI has seen minor improvements and cleanups (#13030).
    A bug in the firewall engine permitting the creation of rules with invalid sources has been resolved.
    Input like *.example.com is now properly treated as a wildcard domain by the web interface (#12937).
    libtirpc is now part of the core system, since it is needed as a dependency by lsof (#13015).
    The obsolete spandsp add-on has been dropped.
    Updated packages: Apache 2.4.55, bind 9.16.37, curl 7.87.0, ethtool 6.1, file 5.44, fontconfig 2.14.1, fuse 3.13.0, grep 3.8, harfbuzz 6.0.0, iana-etc 20221226, iproute2 6.1.0, ipset 7.17, iptables 1.8.9, iputils 20221126, iw 5.19, jquery 3.6.3, json-c 0.16, keyutils 1.6.3, knot 3.2.4, krb5 1.20.1, lcms2 2.14, less 608, libarchive 3.6.2, libcap 2.66, libconfig 1.7.3, libffi 3.4.4, libgpg-error 1.46, libidn 1.41, libinih r56, libjpeg 2.1.4, libloc 0.9.16, libmpc 1.3.1, libpcap 1.10.3, libssh 0.10.4, libstatgrab 0.92.1, libtiff 4.5.0, libtool 2.4.7, libusb 1.0.26, libxslt 1.1.37, libyang 2.1.4, linux-firmware 20221214, logrotate 3.21.0, lz4 1.9.4, memtest86+ 6.01, mpfr 4.2.0, nano 7.2, ncurses 6.4, OpenSSH 9.2p1, OpenSSL 1.1.1t, pcre2 10.42, perl-HTML-Parser 3.78, pixman 0.42.2, poppler 23.01.0, psmisc 23.6, rust 1.65, sdl2 2.26.2, shadow 4.13, sqlite 3400100, squid-asnbl 0.2.4 (resolving #13023), strongswan 5.9.9, sudo 1.9.12p2, suricata 6.0.10, xfsprogs 6.1.1, xz 5.4.1
    Updated add-ons: alsa 1.2.8, bird 2.0.11, borgbackup 1.2.3 (resolving #13032), ClamAV 1.0.1, dbus 1.14.4, dnsdist 1.7.3, ghostscript 10.0.0, haproxy 2.7.1, igmpproxy 0.4, iotop 1.22, iperf 2.1.8, iperf3 3.12, libcdada 0.4.0, libexif 0.6.24, libpciaccess 0.17, libshout 2.4.6, libtalloc 2.3.4, libusbredir 0.13.0, libvirt 8.10.0, mc 4.8.29, nfs 2.6.2, nqptp ad384f9, pcengines-apu-firmware 4.17.0.3, python3-packaging 23.0, samba 4.17.4, shairport-sync 4.1.1, strace 6.1, tcpdump 4.99.3, Tor 0.4.7.13

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, and consider becoming engaged in development to distribute the load over more shoulders.


https://www.ipfire.org/
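
The kernel hardening items listed in the Core Update 173 notes above can be checked against a kernel build configuration. The following is an added example, not part of the original post or of IPFire's own tooling; the CONFIG_* symbol chosen for each item is this example's assumption, the 64-bit ARM DMA item is left out, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the hardening items listed above.
# The CONFIG_* names are this example's mapping (an assumption); the
# release notes do not name them.

# opt_state FILE SYMBOL: print y, m, or n (n = absent or "is not set").
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# audit_kconfig FILE: print PASS/FAIL per item; return the number of FAILs.
audit_kconfig() {
    fails=0
    while IFS=: read -r sym want desc; do
        got=$(opt_state "$1" "$sym")
        if [ "$got" = "$want" ]; then
            echo "PASS $sym=$got ($desc)"
        else
            echo "FAIL $sym=$got, want $want ($desc)"
            fails=$((fails + 1))
        fi
    done <<'EOF'
CONFIG_CROSS_MEMORY_ATTACH:n:cross-process memory read/write syscalls
CONFIG_RESET_ATTACK_MITIGATION:y:EFI memory wipe request on reboot
CONFIG_SECURITY_LANDLOCK:y:Landlock
CONFIG_GCC_PLUGIN_LATENT_ENTROPY:n:GCC latent entropy plugin
CONFIG_ACPI_CONFIGFS:n:ACPI configuration file system
CONFIG_PCCARD:n:PCMCIA/CardBus subsystem
EOF
    return "$fails"
}

# Constructed sample config (not from an IPFire build): one item regressed.
sample_config() {
    cat <<'EOF'
# CONFIG_CROSS_MEMORY_ATTACH is not set
CONFIG_RESET_ATTACK_MITIGATION=y
CONFIG_SECURITY_LANDLOCK=y
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
CONFIG_ACPI_CONFIGFS=m
# CONFIG_PCCARD is not set
EOF
}

# Usage: sh audit.sh /path/to/kernel/config  (no argument: audit the sample)
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); sample_config > "$cfg"; fi
audit_kconfig "$cfg" || echo "$? hardening item(s) differ"
```

Modules count as enabled here, so an option built as `m` fails a check that expects it to be absent.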


Offline SiLæncer

IPFire 2.27 - Core Update 174
« Reply #89 on: 18 April 2023, 20:00 »
Release Notes

The next Core Update has been released: IPFire 2.27 - Core Update 174. It is a traditional spring clean release which updates major parts of the core system and comes with a large number of bug fixes throughout.

This update also comes with a number of security patches in Apache, cURL and more, but none of them have been assessed as being exploitable on IPFire. Nevertheless, we intend to bring those updates to all of our users as soon as possible, and encourage speedy installation of Core Update 174.

Updated Toolchain

The "toolchain" includes the most basic parts to build software and consists of GCC as the compiler, Binutils as the assembler and linker, and glibc as the C standard library. They have been updated to their latest versions improving performance for all generated code and fixing bugs.

Although they are not as exciting for our users, they are the building blocks IPFire is founded on and make it the modern, fast and secure distribution that it is.

Bug Fixes

    The OpenVPN CGI will now display the expiry date of certificates.
    Duplicate address issuance by the DHCP server in case of overlapping fixed leases has been corrected (#10629).
    Customizing the Snort/VRT GPLv2 Community IPS ruleset has been fixed (#12948).
    The logs of apcupsd are now accessible through the system log viewer (#12950), as are the logs of the HAProxy add-on (#12922).
    Several CGIs have received CSS cleanups, resulting in better appearance (#13024, #13039).
    The Content-Type header of e-mails generated by the core system itself and various add-ons has been changed from multipart/mixed to multipart/alternative to avoid useless attachment icon display in some MUAs (#13040).
    Faulty CGI behaviour after toggling logging of dropped packages by the IP blocklists firewall component has been fixed (#12979).
    An overly permissive regular expression for parsing unbound log data has been corrected.
    The external traffic status page will now always use the correct interface to display traffic data from.
    efivar is now properly instructed to adjust instructions to the target architecture rather than that of the build host.
    The CPU graph has been redesigned for systems with large numbers of processor cores (#12890).
    Reloading IP blocklists after an update has been fixed (#13072).

Miscellaneous

    rng-tools has been moved from the core system to an add-on (#12900).
    Conversely, perl-TimeDate is now part of the core system, since it became a dependency of the OpenVPN CGI.
    Arne has worked a lot on bringing the RISC-V build up to speed.
    IPFire's trust store has been synced against Mozilla's current trusted CA certificate bundle.
    Useless Qualcomm Bluetooth firmware files are no longer shipped (IPFire dropped Bluetooth support a long time ago due to security reasons), saving a couple of megabytes on new and existing IPFire installations alike.
    Updated packages: apache 2.4.56, apr 1.7.2, bind 9.16.38, binutils 2.40, boost 1.81.0, curl 7.88.1, elinks 0.16.0, ethtool 6.2, freetype 2.13.0, gcc 12.2.0, glibc 2.37, gnutls 3.8.0, grep 3.9, harfbuzz 7.0.1, intel-microcode 20230214, iproute2 6.2.0, libtirpc 1.3.3, liburcu 0.14.0, linux-firmware 20230210, lmdb 0.9.30, logwatch 7.8, lsof 4.98.0, pango 1.50.13, poppler 23.03.0, poppler-data 0.4.12, qpdf 11.3.0, rust 1.67.0, squid 5.8, strongswan 5.9.10 (fixes CVE-2023-26463, which is not exploitable on IPFire unless heavily customized IPsec connections have been configured using the CLI rather than the IPsec web interface), sudo 1.9.13p3, tzdata 2022g, wireless-regdb 2023-02-12, zstd 1.5.4
    Updated add-ons: cups 2.4.2, dbus 1.14.6, epson-inkjet-printer-escpr 1.7.23, fetchmail 6.4.36, HAProxy 2.7.4, htop 3.2.2, make 4.4.1, monit 5.33.0, pcengines-apu-firmware 4.19.0.1, python3-setuptools 67.5.1, samba 4.17.5


https://www.ipfire.org/
