Software Update: IPFire 2.23 – Core Update 132/131

IPFire is an open source firewall for i586, x86_64, and ARM systems. It includes an intrusion detection/prevention system, divides the network into zones, does stateful packet inspection and offers VPN capabilities. For more information, please refer to this page. The developers released Core Update 132 of version 2.23 for testing and a few days before that, Core Update 131 was released for production systems. The corresponding announcements look like this:

IPFire 2.23 – Core Update 132 is available for testing

Hi,
less than a week after the release of the new Intrusion Prevention System was released, and here we are with a packed new update: It contains security fixes for the latest vulnerabilities in Intel processors and …

Intel Vulnerabilities: RIDL, Fallout & ZombieLoad
Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an update microcode (version 20190514). Both were shipped in this release.

Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors which has significant performance impacts.

Please note, that Intel unfortunately is not releasing microcode for all processors any more and so you might still be vulnerable.

To apply the fixes, please reboot your system.

VLAN Configuration
Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.

The GUI also allows to set up a zone in bridge mode which is helpful for advanced users who need some custom configuration.

misc.
This update also contains a number of various bug fixes:

• The new IPS now starts on systems with more than 16 CPU cores
• For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
• OpenVPN has received some changes to the UI and improvements of its security.
• Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
• Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
• The same type of stored cross-site scripting attack was resolved in the static routing UI
• Log entries for Suricata now properly show up in the system log section
• Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1

Add-ons

Wireless AP – The wireless AP add-on has received some new features:

• For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
• DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
• Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker to deauthenticate stations from the wireless LAN or other denial-of-service attacks.

Updates

• igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
• Qemu is now being hardened with libseccomp which is a “syscall firewall”. It limits what actions a virtual machine can perform and is enabled by default

IPFire 2.23 – Core Update 131 released

Finally, we are releasing another big release of IPFire. In IPFire 2.23 – Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.

Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate today!

A New Intrusion Prevention System
We are finally shipping our recently announced IPS – making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance, security and it simply put – more modern. We would like to thank the team at Suricata on which it is based for their hard work and for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need.

Migration from the older Intrusion Detection System
Your settings will automatically be converted if you are using the existing IDS and replicated with the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only. This is that we won’t break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won’t be converted.

The guardian add-on is no longer required any more for the IDS to work but still provides means against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates
This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.

misc.

• SSH Agent Forwarding: This can now be enabled on the IPFire SSH service which allows administrators to connect to the firewall and use SSH Agent authentication when using the IPFire as a bastion host and connecting onwards to an internal server.
• When multiple hosts are created to overwrite the local DNS zone, a PTR record was automatically created too. Sometimes hosts might have multiple names which makes it desirable to not create a PTR record for an alias which can now be done with an additional checkbox.
• A bug in the firewall UI has been fixed which caused that the rule configuration page could not be rendered when the GeoIP database has not been downloaded, yet. This was an issue when a system was configured, but never connected to the internet before.
• On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimized to make sure that they are imported faster and that at no time a half-written file is available on disk which lead unbound to crash under certain circumstances.
• Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default;
• We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.

Add-ons

• Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
• tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows to create rules for traffic that originates from the local tor relay. The service is also running as an own user now.
• Wireless Access Point: It is now possible to enable client isolation so that wireless clients won’t be able to communicate with each other through the access point.

New Packages

• flashrom – A tool to update firmware