The next Core Update is available for testing. It features new IP blocklists for the firewall engine, significant improvements to Pakfire, modernizes the default cryptographic algorithm selection for IPsec connections, as well as a new kernel, and a plethora of bug fixes and security improvements under the hood.
IP-Reputation Blocking to keep known threats out
Based on prior development by Tim FitzGeorge, Stefan brought a new feature to the firewall engine, which allows the easy activation of various public IP-based blocklists, just by a single click.
All enabled blocklists are updated automatically at an appropriate interval (a technique we already deployed for updating IPS rulesets), and protect against various threats, such as IP addresses or networks having a poor reputation, being involved with cyber crime hosting, or simply not allocated, hence no traffic should be routed to and from them.
You probably wonder why IPFire now comes with yet another way for IP-based blocking. There are several motivations behind this:
- IP blocklists are already available for the Intrusion Prevention System. However, it is a rather expensive way for dealing with network traffic that can already be safely dropped based on the reputation of involved IPs. There is no need to waste more CPU resources on it than absolutely necessary - why not let the firewall engine itself handle such traffic, and bother the IPS with more relevant stuff?
- The "drop all traffic from and to hostile networks" feature is meant as a basic level of network protection suitable for IPFire's entire user base, hence enabled by default. It protects against "the baddest of the bad" on the internet, and does not require any attention or maintenance whatsoever.
- IP blocklists, as introduced with this Core Update, provide a more fine-grained level, and your mileage may vary: For example, blocking Tor traffic might be appropriate for some IPFire users, but certainly not for all of them. Some may find certain blocklists to be too aggressive for their use-case.
One size doesn't always fit all. The IP blocklist feature is IPFire's way of take this into account, and make further protection against network threats easy and resource-efficient.
IPsec: MODP-2048 is ejected for new connections in favour of ECP-384/-521
Following recommendations not to use Diffie-Hellman groups shorter than 3,000 bits after 2022, MODP-2048 has been dropped from the default cryptographic algorithm selection for new IPsec connections. To provide a more performant alternative to MODP-3072 and MODP-4096 and to be more compatible to other vendors in the default configuration, the NIST-standardized elliptic curves ECP-384 and ECP-521 have been added to the defaults for new IPsec connections.
Existing IPsec connections remain unchanged. However, IPFire users operating IPsec connections are advised to revise the cryptographic settings for these, and drop using weak algorithms, if possible.
Linux Kernel 5.15.59
Among bug fixes throughout the kernel including security fixes and hardware support improvements, the updated kernel also adds mitigations against Retbleed, another CPU vulnerability affecting various Intel and AMD processors. IPFire's web interface has been updated to display the mitigation state of Retbleed accordingly.
The following kernel-related changes have been made in addition:
x86_64, Intel DMA Remapping Devices (better known as IOMMU) are enabled by default during boot, if available.
- To reduce attack surface, legacy DRM drivers are no longer available. Since the respective kernel modules have already been blocklisted for a long time, thus unusable, this should not have an impact in production.
- 64-bit ARM users experience improved KASLR thanks to the kernel's memory address now being randomized before unpacking it (#12363).
- Merging slab caches is no longer permitted, to prevent kernel heap overflows, and adversaries interfering with cache structures used by several programs.
- Support for PCI pass-through has been enabled to allow mapping PCI devices into VMs running on IPFire (#12754).
- Robin Roevens contributed a series of improvements to Pakfire, such as better error handling on downloads, and refactored a lot of code under the hood.
- He also updated and improved the Zabbix agent add-on, which now features version 6.0.6 (LTS).
- Support for assigning aliases to multiple RED interfaces has been added.
- Non-unique hardware UUIDs as well as empty serial numbers are now ignored for computing Fireinfo profile IDs (#12896).
- The blocklist of the University of Toulouse is now downloaded via HTTPS (#12891).
- Logwatch summaries are now properly included in backups (#12827).
ncursesterminfo files for
tmuxare now properly shipped, resolving #12905.
- All logged IPS events are now correctly displayed in the web interface (#12899).
- Mount options of
/boothave been hardened on both existing installations and new
- On new installations, the partition's size has also been increased to 256 MiB, since components such as the kernel keep getting bigger and bigger.
amazon-ssm-agentis now available on 64-bit ARM as well.
pyfuse3is now packaged for BorgBackup (#12611).
- Two stored XSS vulnerabilities have been fixed, thanks to JPCERT for reaching out (#12925).
- Updated packages: Bash 5.1.16,
bind9.16.31, GnuTLS 3.7.7,
ninja1.11.0, OpenSSL 1.1.1q,
zlibto incorporate a fix for CVE-2022-37434.
- Updated add-ons: ClamAV 0.105.1,
mpd0.23.8, NRPE 4.1.0,
rsyncto patch CVE-2022-29154, Samba 4.16.4,
As always, we thank all people contributing to this release in whatever shape and form. Please test this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback.
IPFire is backed by volunteers - should you like what we are doing, please donate to keep the lights on.