
IPFire 2.27 - Core Update 170 has been released for testing. IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 170 is available for testing

The next Core Update is available for testing. It features new IP blocklists for the firewall engine, significant improvements to Pakfire, a modernized default cryptographic algorithm selection for IPsec connections, a new kernel, and a plethora of bug fixes and security improvements under the hood.

IP-Reputation Blocking to keep known threats out

Based on prior development by Tim FitzGeorge, Stefan brought a new feature to the firewall engine which allows various public IP-based blocklists to be enabled with a single click.

All enabled blocklists are updated automatically at an appropriate interval (the technique already used for updating IPS rulesets). They protect against various threats: addresses or networks with a poor reputation, those involved in hosting cyber crime, and address space that is simply not allocated and therefore should not be exchanging traffic in either direction.

You may wonder why IPFire now comes with yet another way of IP-based blocking. There are several motivations behind this:

  • IP blocklists are already available for the Intrusion Prevention System. However, sending traffic through the IPS is a rather expensive way of dealing with packets that can already be safely dropped based on the reputation of the involved addresses. There is no need to spend more CPU time on them than absolutely necessary: let the firewall engine handle such traffic, and keep the IPS for more relevant things.
  • The "drop all traffic from and to hostile networks" feature is meant as a basic level of network protection suitable for IPFire's entire user base, and is therefore enabled by default. It protects against "the baddest of the bad" on the internet, and does not require any attention or maintenance whatsoever.
  • IP blocklists, as introduced with this Core Update, provide more fine-grained control, and your mileage may vary: blocking Tor traffic might be appropriate for some IPFire users, but certainly not for all of them. Some may find certain blocklists too aggressive for their use case.

One size doesn't always fit all. The IP blocklist feature is IPFire's way of taking this into account, and of making further protection against network threats easy and resource-efficient.
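As an added illustration of the mechanism (this is example code, not IPFire's own implementation), the following shell script does what a blocklist updater has to do: it parses a reputation feed, validates and de-duplicates the entries, and prints the ipset and iptables commands that would drop matching packets in the raw table, that is before connection tracking and before any NFQUEUE rule hands traffic to an IPS. The feed is a constructed sample, and the set name and chain placement are assumptions for illustration, not IPFire's actual rule layout.

```shell
#!/bin/sh
# Added example, not IPFire's own code: turn a reputation blocklist feed into
# firewall rules that drop matching packets before they ever reach the IPS.
# Runs offline: the feed is a constructed sample and the rules are printed, not applied.

# Constructed sample feed in the usual "one entry per line, # or ; comments" format.
SAMPLE_BLOCKLIST='# constructed sample feed, not a real blocklist
; second comment style seen in some feeds
203.0.113.0/24
198.51.100.7
198.51.100.7            # duplicate, must be collapsed
192.0.2.0/33            # prefix length out of range, must be rejected
not-an-address
'

# Return 0 if $1 is a dotted-quad IPv4 address, optionally followed by /0..32.
valid_cidr() {
  local ip prefix rest octet n
  ip=${1%%/*}
  prefix=${1#*/}
  if [ "$prefix" = "$1" ]; then prefix=32; fi    # no slash: a single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # walk the address one octet at a time; exactly four numeric octets of 0..255
  rest=$ip.
  n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    rest=${rest#*.}
    n=$((n + 1))
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ] || return 1
  return 0
}

# Read a feed on stdin and print its valid, unique entries in CIDR form.
# Rejected lines are reported on stderr so a broken feed is noticed, not silently shortened.
parse_blocklist() {
  local line entry
  while IFS= read -r line; do
    set -f                        # the feed is untrusted: never glob-expand a line
    entry=${line%%[#;]*}          # strip trailing comments
    set -- $entry                 # keep the first whitespace-separated word, if any
    entry=${1-}
    [ -n "$entry" ] || continue
    if valid_cidr "$entry"; then
      case "$entry" in */*) ;; *) entry=$entry/32 ;; esac
      printf '%s\n' "$entry"
    else
      printf 'rejected: %s\n' "$entry" >&2
    fi
  done | sort -u
}

# Print the commands that would load the set and hook it into the firewall.
# The chain placement is a generic illustration, not IPFire's actual rule layout:
# the raw table is traversed before connection tracking and before any filter rule
# that hands packets to an IPS via NFQUEUE, so blocked sources cost almost nothing.
emit_rules() {
  local setname="$1" entry
  echo "ipset create $setname hash:net family inet -exist"
  echo "ipset flush $setname"
  while IFS= read -r entry; do
    echo "ipset add $setname $entry -exist"
  done
  echo "iptables -t raw -I PREROUTING -m set --match-set $setname src -j DROP"
  echo "iptables -I OUTPUT -m set --match-set $setname dst -j DROP"
}

# Usage: parse the sample feed and show the rules it would produce.
printf '%s' "$SAMPLE_BLOCKLIST" | parse_blocklist | emit_rules SAMPLE_FEED
```

Running it prints the two surviving entries as `ipset add` lines and reports the malformed ones on stderr; feeding the output to a shell with root privileges would apply the rules, which is deliberately left to the reader.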

IPsec: MODP-2048 is ejected for new connections in favour of ECP-384/-521

Following recommendations not to use Diffie-Hellman groups shorter than 3,000 bits after 2022, MODP-2048 has been dropped from the default cryptographic algorithm selection for new IPsec connections. To provide a more performant alternative to MODP-3072 and MODP-4096, and to be more compatible with other vendors' default configurations, the NIST-standardized elliptic curves ECP-384 and ECP-521 have been added to the defaults for new IPsec connections.

Existing IPsec connections remain unchanged. However, IPFire users operating IPsec connections are advised to review their cryptographic settings and to stop using weak algorithms where possible.
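To make that review concrete, here is an added example (not IPFire's own code) that audits strongSwan-style IKE/ESP proposal strings, assumed here to be the syntax behind IPFire's IPsec configuration, for finite-field Diffie-Hellman groups below the 3,000-bit recommendation cited above, and rewrites offending proposals to use ECP-384 instead. The function names, the threshold constant and the sample proposals are this example's own.

```shell
#!/bin/sh
# Added example, not IPFire's own code: audit strongSwan-style proposal strings
# (assumed syntax for IPFire's IPsec backend) for MODP groups below the 3,000-bit
# recommendation, and rewrite them. Helper names and samples are this example's own.

MIN_DH_BITS=3000           # recommendation cited above: no shorter DH groups after 2022
REPLACEMENT_GROUP=ecp384   # NIST P-384, one of the two curves now in the defaults

# Print the modulus size of a MODP group keyword; fail for anything else
# (ECP groups, curve25519, ciphers and hashes are not finite-field groups).
dh_group_bits() {
  case "$1" in
    modp768)  echo 768 ;;
    modp1024|modp1024s160) echo 1024 ;;
    modp1536) echo 1536 ;;
    modp2048|modp2048s224|modp2048s256) echo 2048 ;;
    modp3072) echo 3072 ;;
    modp4096) echo 4096 ;;
    modp6144) echo 6144 ;;
    modp8192) echo 8192 ;;
    *) return 1 ;;
  esac
}

# Report every proposal in a comma-separated list that uses a too-short MODP group.
# Returns 1 if any was found, so the function doubles as a check in scripts.
audit_proposal() {
  local proposal token bits weak=0
  for proposal in $(printf '%s' "$1" | tr ',' ' '); do
    for token in $(printf '%s' "$proposal" | tr '-' ' '); do
      if bits=$(dh_group_bits "$token") && [ "$bits" -lt "$MIN_DH_BITS" ]; then
        printf '%s: %s is only %s bits\n' "$proposal" "$token" "$bits"
        weak=1
      fi
    done
  done
  return $weak
}

# Rewrite a proposal list, swapping every too-short MODP group for REPLACEMENT_GROUP
# and leaving ciphers, integrity algorithms and already-strong groups untouched.
harden_proposal() {
  local proposal token bits rebuilt result=
  for proposal in $(printf '%s' "$1" | tr ',' ' '); do
    rebuilt=
    for token in $(printf '%s' "$proposal" | tr '-' ' '); do
      if bits=$(dh_group_bits "$token") && [ "$bits" -lt "$MIN_DH_BITS" ]; then
        token=$REPLACEMENT_GROUP
      fi
      rebuilt=${rebuilt:+$rebuilt-}$token
    done
    result=${result:+$result,}$rebuilt
  done
  printf '%s\n' "$result"
}

# Usage on constructed sample proposals: the first list still carries MODP-2048
# and MODP-1024, the second already uses ECP-521 and passes unchanged.
OLD='aes256gcm16-sha512-modp2048,aes256-sha256-modp1024'
audit_proposal "$OLD" || echo "weak groups found, hardened: $(harden_proposal "$OLD")"
audit_proposal 'aes256gcm16-sha512-ecp521' && echo 'ecp521 proposal passes the check'
```

The rewrite only touches the DH group, so cipher and integrity choices survive; a peer that does not offer ECP-384 will need MODP-3072 or larger added as a second proposal rather than MODP-2048 restored.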

Linux Kernel 5.15.59

Among bug fixes throughout the kernel, including security fixes and hardware support improvements, the updated kernel also adds mitigations against Retbleed, a speculative execution vulnerability affecting various Intel and AMD processors. IPFire's web interface has been updated to display the mitigation state of Retbleed accordingly.

The following kernel-related changes have been made in addition:

  • On x86_64, Intel DMA Remapping Devices (better known as the IOMMU) are enabled by default during boot, if available, so that peripherals can only reach the memory that has been mapped for them.
  • To reduce attack surface, legacy DRM drivers are no longer available. Since the respective kernel modules have already been blocklisted for a long time, and were thus unusable, this should have no impact in production.
  • 64-bit ARM users benefit from improved KASLR, as the kernel's load address is now randomized before the kernel image is unpacked (#12363).
  • Merging slab caches is no longer permitted. This makes kernel heap overflows harder to exploit, because objects of different types no longer share a cache, and it keeps adversaries from interfering with cache structures used by several programs.
  • Support for PCI pass-through has been enabled to allow mapping PCI devices into VMs running on IPFire (#12754).

Miscellaneous

  • Robin Roevens contributed a series of improvements to Pakfire, such as better error handling on downloads, and refactored a lot of code under the hood.
  • He also updated and improved the  Zabbix agent add-on, which now features version 6.0.6 (LTS).
  • Support for assigning aliases to multiple RED interfaces has been added.
  • Non-unique hardware UUIDs as well as empty serial numbers are now ignored for computing Fireinfo profile IDs (#12896).
  • The blocklist of the University of Toulouse is now downloaded via HTTPS (#12891).
  • Logwatch summaries are now properly included in backups (#12827).
  • ncurses terminfo files for tmux are now properly shipped, resolving #12905.
  • All logged IPS events are now correctly displayed in the web interface (#12899).
  • Mount options of /boot have been hardened on both existing installations and new x86_64 IPFire instances.
  • On new installations, the partition's size has also been increased to 256 MiB, since components such as the kernel keep getting bigger and bigger.
  • amazon-ssm-agent is now available on 64-bit ARM as well.
  • pyfuse3 is now packaged for BorgBackup (#12611).
  • Updated packages: Bash 5.1.16, bind 9.16.31, GnuTLS 3.7.7, harfbuzz 4.4.1, hdparm 9.64, intel-microcode 20220809, kmod 30, krb5 1.20, logwatch 7.7, lsof 4.95.0, nano 6.4, ninja 1.11.0, OpenSSL 1.1.1q, rpcsvc-proto 1.4.3, screen 4.9.0, sqlite 33900000, suricata 5.0.10, unbound 1.16.2, usbutils 014, vim 9.0, xfsprogs 5.18.0, zlib to incorporate a fix for CVE-2022-37434.
  • Updated add-ons: ClamAV 0.105.1, CUPS 2.4.2, fmt 9.0.0, git 2.37.1, gptfdisk 1.0.9, gutenprint 5.3.4, haproxy 2.6.0, htop 3.2.1, i2c-tools 4.3, iperf 2.1.7, mpd 0.23.8, netatalk 3.1.13, NRPE 4.1.0, openvmtools 12.0.5, pcengines-apu-firmware 4.17.0.1, python3-cryptography 36.0.2, qemu 7.0.0, qemu-ga 7.0.0, rsync to patch CVE-2022-29154, Samba 4.16.4, shairport-sync 3cc1ec6

As always, we thank all people contributing to this release in whatever shape and form. Please test this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback.


