Re: IPFire 2.27 - Core Update 164 is available for testing

Re: IPFire 2.27 - Core Update 164 is available for testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 1359 bytes --]

Hi All,

Just tested out CU164 on my vm testbed system.

The update went without any problems. You see the pakfire log status again on the wui page during the update.

OpenVPN RW setup ran without any issues. Connection successfully made.

IPS has the multiple providers option successfully in place. I eventually found the Force Update of rules button, which was very useful for my vm testbed as it is not running all the time and so the rules were a bit out of date.

As far as I can tell everything is working fine on it. No issues detected.

I will let it run over the next few days during the daytime and see how things go.

Regards,

Adolf.


On 20/02/2022 18:35, IPFire Project wrote:
> IPFire Logo
> 
> there is a new post from Michael Tremer on the IPFire Blog:
> 
> *IPFire 2.27 - Core Update 164 is available for testing*
> 
>     It is time to test another release for IPFire: IPFire 2.27 - Core Update 164. It comes with a vastly improved firewall engine, a new kernel and various security and bug fixes. Please help us testing this release and if you would like to support us, please donate.
> 
> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing>
> 
> The IPFire Project
> Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>.
> 

Re: IPFire 2.27 - Core Update 164 is available for testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 1725 bytes --]

Hi All,

One thing I have noticed is that the help button on the Intrusion Prevention System page take you to the IPS Logs wiki page and not to the IPS setup wiki page. I will submit a patch to fix that but it's not an issue to do specifically with CU164.


Regards,

Adolf.

On 21/02/2022 16:01, Adolf Belka wrote:
> Hi All,
>
> Just tested out CU164 on my vm testbed system.
>
> The update went without any problems. You see the pakfire log status again on the wui page during the update.
>
> OpenVPN RW setup ran without any issues. Connection successfully made.
>
> IPS has the multiple providers option successfully in place. I eventually found the Force Update of rules button, which was very useful for my vm testbed as it is not running all the time and so the rules were a bit out of date.
>
> As far as I can tell everything is working fine on it. No issues detected.
>
> I will let it run over the next few days during the daytime and see how things go.
>
> Regards,
>
> Adolf.
>
>
> On 20/02/2022 18:35, IPFire Project wrote:
>> IPFire Logo
>>
>> there is a new post from Michael Tremer on the IPFire Blog:
>>
>> *IPFire 2.27 - Core Update 164 is available for testing*
>>
>>     It is time to test another release for IPFire: IPFire 2.27 - Core Update 164. It comes with a vastly improved firewall engine, a new kernel and various security and bug fixes. Please help us testing this release and if you would like to support us, please donate.
>>
>> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing>
>>
>> The IPFire Project
>> Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>.
>>

Re: IPFire 2.27 - Core Update 164 is available for testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 2090 bytes --]

Hi All,

On 21/02/2022 16:08, Adolf Belka wrote:
> Hi All,
>
> One thing I have noticed is that the help button on the Intrusion Prevention System page take you to the IPS Logs wiki page and not to the IPS setup wiki page. I will submit a patch to fix that but it's not an issue to do 
> specifically with CU164.
>
The problem is related to the fact that ids is listed twice in the manualpages file, once for ids.cgi and the second time for ids.dat for the log page but the manualpages script doesn't differentiate between .cgi or .dat

I will probably raise this as a bug.

> Regards,
>
> Adolf.
>
> On 21/02/2022 16:01, Adolf Belka wrote:
>> Hi All,
>>
>> Just tested out CU164 on my vm testbed system.
>>
>> The update went without any problems. You see the pakfire log status again on the wui page during the update.
>>
>> OpenVPN RW setup ran without any issues. Connection successfully made.
>>
>> IPS has the multiple providers option successfully in place. I eventually found the Force Update of rules button, which was very useful for my vm testbed as it is not running all the time and so the rules were a bit out of date.
>>
>> As far as I can tell everything is working fine on it. No issues detected.
>>
>> I will let it run over the next few days during the daytime and see how things go.
>>
>> Regards,
>>
>> Adolf.
>>
>>
>> On 20/02/2022 18:35, IPFire Project wrote:
>>> IPFire Logo
>>>
>>> there is a new post from Michael Tremer on the IPFire Blog:
>>>
>>> *IPFire 2.27 - Core Update 164 is available for testing*
>>>
>>>     It is time to test another release for IPFire: IPFire 2.27 - Core Update 164. It comes with a vastly improved firewall engine, a new kernel and various security and bug fixes. Please help us testing this release and if you would like to support us, please donate.
>>>
>>> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing>
>>>
>>> The IPFire Project
>>> Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>.
>>>

Re: IPFire 2.27 - Core Update 164 is available for testing

[Jon Murphy]

[-- Attachment #1: Type: text/plain, Size: 2437 bytes --]

Wow!  Nice find!

There is the same issue with "urlfilter" also.

#	Network menu
urlfilter=configuration/network/proxy/url-filter

#	Logs menu
urlfilter=configuration/logs/url-filter

> On Feb 21, 2022, at 9:28 AM, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi All,
> 
> On 21/02/2022 16:08, Adolf Belka wrote:
>> Hi All,
>> 
>> One thing I have noticed is that the help button on the Intrusion Prevention System page take you to the IPS Logs wiki page and not to the IPS setup wiki page. I will submit a patch to fix that but it's not an issue to do specifically with CU164.
>> 
> The problem is related to the fact that ids is listed twice in the manualpages file, once for ids.cgi and the second time for ids.dat for the log page but the manualpages script doesn't differentiate between .cgi or .dat
> 
> I will probably raise this as a bug.
> 
>> Regards,
>> 
>> Adolf.
>> 
>> On 21/02/2022 16:01, Adolf Belka wrote:
>>> Hi All,
>>> 
>>> Just tested out CU164 on my vm testbed system.
>>> 
>>> The update went without any problems. You see the pakfire log status again on the wui page during the update.
>>> 
>>> OpenVPN RW setup ran without any issues. Connection successfully made.
>>> 
>>> IPS has the multiple providers option successfully in place. I eventually found the Force Update of rules button, which was very useful for my vm testbed as it is not running all the time and so the rules were a bit out of date.
>>> 
>>> As far as I can tell everything is working fine on it. No issues detected.
>>> 
>>> I will let it run over the next few days during the daytime and see how things go.
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
>>> 
>>> On 20/02/2022 18:35, IPFire Project wrote:
>>>> IPFire Logo
>>>> 
>>>> there is a new post from Michael Tremer on the IPFire Blog:
>>>> 
>>>> *IPFire 2.27 - Core Update 164 is available for testing*
>>>> 
>>>>     It is time to test another release for IPFire: IPFire 2.27 - Core Update 164. It comes with a vastly improved firewall engine, a new kernel and various security and bug fixes. Please help us testing this release and if you would like to support us, please donate.
>>>> 
>>>> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing>
>>>> 
>>>> The IPFire Project
>>>> Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>.
>>>> 

Re: IPFire 2.27 - Core Update 164 is available for testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 2806 bytes --]



On 21/02/2022 18:44, Jon Murphy wrote:
> Wow!  Nice find!
I found it because I clicked on the help link to see if the wiki page had been updated or not for the multiple providers new option and found that I had been directed to the IPS Logs section.
> 
> There is the same issue with "urlfilter" also.
> 
> #	Network menu
> urlfilter=configuration/network/proxy/url-filter
> 
> #	Logs menu
> urlfilter=configuration/logs/url-filter
Well spotted. I'll include that info also in the bug report.

Regards,
Adolf.
> 
>> On Feb 21, 2022, at 9:28 AM, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> Hi All,
>>
>> On 21/02/2022 16:08, Adolf Belka wrote:
>>> Hi All,
>>>
>>> One thing I have noticed is that the help button on the Intrusion Prevention System page take you to the IPS Logs wiki page and not to the IPS setup wiki page. I will submit a patch to fix that but it's not an issue to do specifically with CU164.
>>>
>> The problem is related to the fact that ids is listed twice in the manualpages file, once for ids.cgi and the second time for ids.dat for the log page but the manualpages script doesn't differentiate between .cgi or .dat
>>
>> I will probably raise this as a bug.
>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>> On 21/02/2022 16:01, Adolf Belka wrote:
>>>> Hi All,
>>>>
>>>> Just tested out CU164 on my vm testbed system.
>>>>
>>>> The update went without any problems. You see the pakfire log status again on the wui page during the update.
>>>>
>>>> OpenVPN RW setup ran without any issues. Connection successfully made.
>>>>
>>>> IPS has the multiple providers option successfully in place. I eventually found the Force Update of rules button, which was very useful for my vm testbed as it is not running all the time and so the rules were a bit out of date.
>>>>
>>>> As far as I can tell everything is working fine on it. No issues detected.
>>>>
>>>> I will let it run over the next few days during the daytime and see how things go.
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>>
>>>> On 20/02/2022 18:35, IPFire Project wrote:
>>>>> IPFire Logo
>>>>>
>>>>> there is a new post from Michael Tremer on the IPFire Blog:
>>>>>
>>>>> *IPFire 2.27 - Core Update 164 is available for testing*
>>>>>
>>>>>      It is time to test another release for IPFire: IPFire 2.27 - Core Update 164. It comes with a vastly improved firewall engine, a new kernel and various security and bug fixes. Please help us testing this release and if you would like to support us, please donate.
>>>>>
>>>>> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing>
>>>>>
>>>>> The IPFire Project
>>>>> Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>.
>>>>>
> 

Core Update 164 (testing) report

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1690 bytes --]

Hello development folks,

Core Update 164 (testing; see: https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing)
is running here for about three days by now without any major issues known so far.

While the updated kernel should fix XHCI issues affecting a relatively small fraction
of our userbase pretty badly (see #12750), I was unable to confirm it does, as I do
not have physical access to the only board affected in my environment. Also, I am not
aware of any community feedback on this, too. Let's hope we'll hear about this soon...

Although not mentioned in the testing announcement due to ${reasons}, this update
contains the "multiple IPS ruleset providers" by Stefan, also working fine. Thanks for
that, too!

While the DROP_HOSTILE stuff works well and I have not yet read any complaint about it,
there is a decent amount of apparently legitimate packets being logged (and subsequently)
dropped as conntrack INVALIDs. Other users notice this as well.

I do not really see this as an issue: We now _know_ conntrack is dropping substantially
more packets than we expected it to do, and can investigate on why it does this. Yay.

Tested IPFire functionalities in detail:
- PPPoE dial-up via a DSL connection
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats community ruleset enabled)
- Guardian
- Quality of Service
- DNS (using DNS over TLS and strict QNAME minimisation)
- Dynamic DNS
- Tor (relay mode)

I am looking forward to the release of Core Update 164.

Thanks, and best regards,
Peter Müller

Core Update 186 (testing) report

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1121 bytes --]

Hello development folks,

Core Update 186 (testing; see: https://www.ipfire.org/blog/ipfire-2-29-core-update-186-is-available-for-testing)
is running here for a couple of days by now without any major issues known so far.

During the update, I merely noticed dracut complaining:

> dracut: Skipping program /bin/loginctl using in udev rule 71-seat.rules as it cannot be found

However, this does not appear to have any noticeable impact whatsoever.

The updated Lynis version now outputs significantly fewer warnings about deprecated
grep parameters, which previously made output hard to read sometimes.

Tested IPFire functionalities in detail:
- PPPoE dial-up via a DSL connection
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats community ruleset enabled)
- Guardian
- Quality of Service
- DNS (using DNS over TLS and strict QNAME minimisation)
- Dynamic DNS
- Tor (relay mode)

I am looking forward to the release of Core Update 186.

Thanks, and best regards,
Peter Müller