This is an important announcement about an upcoming change in the next Core Update of IPFire.

Because of the recent vulnerabilities in Intel processors, the IPFire team has decided that, to keep systems as secure as possible, Simultaneous Multi-Threading (SMT) will automatically be disabled if the processor is vulnerable to one of these attacks.

SMT is also called Intel(R) Hyper-Threading Technology and presents more virtual cores to the system than it physically has. This allows faster processing when applications can benefit from it, and unfortunately networking workloads benefit from it a great deal. Therefore the effect of disabling SMT will be a very significant performance impact of around 30% or more. Applications affected in IPFire are the firewall throughput itself as well as other CPU- and memory-bound tasks like the web proxy and the Intrusion Prevention System. On systems that are not vulnerable to this attack, SMT is left enabled. If you still want to disable it, please do so in the BIOS of your firewall.

We think that this step is inevitable to keep all IPFire systems secure. The mitigations provided by the Linux kernel developers and the microcode updates provided by Intel are not enough to close this vulnerability. Indeed, the underlying hardware is broken and cannot be fixed.

Disabling SMT does not fully protect systems against this vulnerability either. According to the people who discovered it, it "reduces the impact of MDS-based attacks without the cost of more complex mitigations". In short, keeping SMT switched on would require performing so many additional checks that code would run slower than with SMT disabled altogether. A good technical insight into how the attack works can be found here.

This is a very unfortunate development and we do not look forward to rolling out this code to all users. In recent months, there have been no steps to fix the underlying issues in the affected processors. Hardware that is currently available for purchase still has these issues and is not fit for purpose in a firewall. Therefore we have to use all options available to us to mitigate these issues in software, which will always come with such performance costs. If at any point in the future a better mitigation becomes available, we will of course revert this precautionary step.

Ultimately, security is more important than throughput and we pledge that we will keep doing uncomfortable things like this in the future. Some other vendors recommend disabling SMT on affected processors, but we are making this the default since the firewall is especially exposed on the network and of course a good target for any intruder. The ZombieLoad vulnerability (CVE-2018-12130) could expose cryptographic keys and other sensitive material, which would put anyone who obtains them in a position to cause large damage to any network.
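The announcement above describes the rule the update will apply: SMT is switched off only where the kernel reports the CPU as affected by MDS. The following script is an added example, not IPFire's own update code, showing how that decision can be checked and, if wanted, applied by hand using the sysfs files the Linux kernel exposes. It assumes a kernel new enough to provide /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control; the base directory is a parameter so the logic can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not IPFire project code: report whether the running kernel
# considers this CPU vulnerable to MDS and whether SMT is currently active,
# using the sysfs files the Linux kernel exposes for that purpose.
# Assumption: the kernel provides
#   <base>/vulnerabilities/mds   (mitigation status text)
#   <base>/smt/control           (on|off|forceoff|notsupported|notimplemented)
# The base directory defaults to the real sysfs path but can be pointed at a
# constructed tree, so the functions can be exercised without root.

# Print one of: not-affected, mitigated, smt-off, smt-on-vulnerable.
# Exit status is 0 unless SMT is on and the kernel says that is vulnerable.
smt_mds_state() {
    base="${1:-/sys/devices/system/cpu}"
    mds="$(cat "$base/vulnerabilities/mds" 2>/dev/null || echo unknown)"
    smt="$(cat "$base/smt/control" 2>/dev/null || echo unknown)"

    if [ "$mds" = "Not affected" ]; then
        echo not-affected
        return 0
    fi
    # The kernel appends "; SMT mitigated" on parts where SMT is safe and
    # "; SMT disabled" once the sibling threads are offline.
    case "$mds" in
        *"SMT mitigated"*|*"SMT disabled"*)
            echo mitigated
            return 0 ;;
    esac
    case "$smt" in
        off|forceoff|notsupported|notimplemented)
            echo smt-off
            return 0 ;;
    esac
    # "Vulnerable", "Mitigation: Clear CPU buffers; SMT vulnerable" or unknown,
    # with SMT on: the configuration the announcement is about.
    echo smt-on-vulnerable
    return 1
}

# Disable SMT at runtime by asking the kernel to offline the sibling threads.
# On the real sysfs this needs root and does not persist across reboots.
smt_disable() {
    base="${1:-/sys/devices/system/cpu}"
    echo off > "$base/smt/control"
}

# When run as a script on a Linux host: print the state and, with --disable,
# turn SMT off only if the CPU is actually affected.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    state="$(smt_mds_state)" || :
    echo "MDS/SMT state: $state"
    if [ "$state" = smt-on-vulnerable ] && [ "${1:-}" = "--disable" ]; then
        smt_disable
        echo "SMT now: $(cat /sys/devices/system/cpu/smt/control)"
    fi
fi
```

Running the script without arguments is read-only and safe on any host; the "mitigated" state covers the case the quoted researchers describe, where the kernel's own checks are considered sufficient and SMT is deliberately left on.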


Finally, we are releasing another big release of IPFire. In IPFire 2.23 - Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.

Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate today!

A New Intrusion Prevention System

We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance and security, and it is, simply put, more modern. We would like to thank the team at Suricata, on which it is based, for their hard work and for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need.

Migration from the older Intrusion Detection System

If you are using the existing IDS, your settings will automatically be converted and replicated in the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only, so that we won't break any existing configurations. Please disable monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required for the IDS to work, but it still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates

This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.

Misc.

  • SSH Agent Forwarding: This can now be enabled on the IPFire SSH service, which allows administrators to connect to the firewall and use SSH agent authentication when using IPFire as a bastion host and connecting onwards to an internal server.
  • When multiple hosts are created to override the local DNS zone, a PTR record was automatically created too. Sometimes hosts have multiple names, which makes it desirable not to create a PTR record for an alias; this can now be done with an additional checkbox.
  • A bug in the firewall UI has been fixed which caused the rule configuration page to fail to render when the GeoIP database had not been downloaded yet. This was an issue when a system was configured but had never connected to the internet before.
  • On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk, which led unbound to crash under certain circumstances.
  • Some minor UI issues on the IPsec VPN pages have been fixed: when editing existing connections, the MTU field is now filled with the default.
  • We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.
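The DHCP lease import item above describes two things a practitioner would want to get right in such a script: converting lease records into DNS data, and replacing the output file so that unbound can never read a half-written version. The script below is an added example and not IPFire's own import script. It assumes the input follows the ISC dhcpd.leases format, and the "lan" domain, the destination path and the lease records themselves are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IPFire's own import script: convert ISC dhcpd lease
# records into unbound "local-data" lines and install the result atomically,
# so a reader of the file (unbound) never sees a half-written version.
# Assumptions (not from the page): dhcpd.leases input format, the "lan"
# domain and the destination path are placeholders.

# Turn dhcpd.leases text on stdin into sorted unbound local-data lines.
# Later records for the same IP override earlier ones, as in dhcpd.leases;
# only active leases that carry a client-hostname are exported.
leases_to_unbound() {
    domain="${1:-lan}"
    awk -v domain="$domain" '
        /^lease / { ip = $2; host = ""; state = "" }
        /binding state/ { state = $3; sub(/;$/, "", state) }
        /client-hostname/ { host = $2; gsub(/[";]/, "", host) }
        /^}/ {
            if (state == "active" && host != "") rec[ip] = host
            else delete rec[ip]
        }
        END {
            for (ip in rec)
                printf "local-data: \"%s.%s. IN A %s\"\n", rec[ip], domain, ip
        }' | sort
}

# Replace $1 with stdin atomically: write a temporary file in the same
# directory (same filesystem, so rename is atomic) and mv it into place.
# The old file stays intact until the new one is complete.
atomic_write() {
    dest="$1"
    dir="$(dirname "$dest")"
    tmp="$(mktemp "$dir/.$(basename "$dest").XXXXXX")" || return 1
    if cat > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Constructed sample lease file (not real data): an address that is later
# released, one without a hostname, and two that should be exported.
sample_leases() {
    cat <<'EOF'
lease 192.168.1.50 {
  starts 2 2019/05/14 08:00:00;
  ends 2 2019/05/14 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "printer";
}
lease 192.168.1.60 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "phone";
}
lease 192.168.1.70 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
}
lease 192.168.1.51 {
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
EOF
}

# Demo: on a firewall the destination would be the file unbound includes;
# here it is a temporary directory so the example runs anywhere.
demo_dir="$(mktemp -d)"
sample_leases | leases_to_unbound lan | atomic_write "$demo_dir/dhcp-leases.conf"
cat "$demo_dir/dhcp-leases.conf"
```

The temporary file is created in the destination directory rather than in /tmp on purpose: rename(2) is only atomic within one filesystem, and a cross-filesystem mv degrades to copy-and-delete, which reintroduces exactly the partial-file window the fix is meant to remove.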

Add-ons

  • Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
  • tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows creating rules for traffic that originates from the local tor relay. The service is also running as its own user now.
  • Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.

New Packages

  • flashrom - A tool to update firmware

Hello fellow testers,

I would like to let you know that we have updated the latest Core Update in the testing branch. Some bugs have been found and fixed thanks to your help, but now you need to make sure that they are also fixed on your systems.

If you have installed the update before, please run these commands:

echo 130 > /opt/pakfire/db/core/mine
pakfire update --force
pakfire upgrade

This will re-install the update on your machine and get you the latest fixes.