From: Peter Müller
To: development@lists.ipfire.org
Subject: Core Update 165 (testing) report
Date: Sun, 20 Mar 2022 10:35:37 +0000

Hello development folks,

Core Update 165 (testing, see: https://blog.ipfire.org/post/ipfire-2-27-core-update-165-is-available-for-testing) is running here for roughly a day, with some minor and one major issue(s) spotted so far.

While installing the update went smoothly (the improved Pakfire GUI is really nice - thanks again to Leo!), I bumped into some IPS-related trouble afterwards: Network connections timed out frequently, no matter whether they were directed to IPFire itself or not, and the GUI (especially the graphs) took ages to load, if at all.

Stopping the IPS and starting it again via the GUI solved the problem - I believe we should do this in the update.sh script, but am not sure if there are cross-dependencies to something else. There is no bug raised for this yet.

Also, I noticed Squid was not restarted during the update, which caused trouble until I ran "/etc/init.d/squid restart" manually. Bug #12810 has been filed for this, and I just submitted a patch fixing this a few minutes ago.

Since my IPFire machine is rebooting every night via a scheduled job, I usually do not conduct a manual reboot immediately after installing an update. This time, I felt it was a good thing to do.

Afterwards, Tor would not start again unless I disabled the "sandbox" feature manually. I believe this is not a general problem, but due to the fact that we did not ship libseccomp. Bug #12807 has been filed for this.

Today (i.e. another reboot later), I noticed charon emitting some iptables warnings while establishing an IPsec connection (filed as bug #12808), and, more importantly, some location-based firewall rules not being properly loaded, which rendered DDNS - and subsequently IPsec and OpenVPN - useless for me, since I am getting IP addresses assigned dynamically.

Bug #12809 has been filed for the latter, and I believe this is a show-stopper. Oddly enough, it did not appear after the first reboot, and _some_ location-based firewall rules were loaded correctly after the second one. Manually reloading the rules via the GUI "solved" the problem for now, but this is definitely something we need to have a look at before releasing C165.

Apart from these, things look good to me. Tested IPFire functionalities in detail:

- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats community ruleset enabled)
- Guardian
- Quality of Service
- DNS (using DNS over TLS)
- Dynamic DNS
- Tor (relay mode)

Thanks, and best regards,
Peter Müller