From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Core Update 161 (testing) report Date: Tue, 02 Nov 2021 09:01:18 +0100 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3654880352397860403==" List-Id: --===============3654880352397860403== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello *, Core Update 161 (testing; no release announcement or changelog has been publi= shed, yet) is running here for about 12 hours by now without any major issues known so f= ar. During the upgrade, I noticed the Pakfire CGI still does not display log mess= ages as it used to do, but at least there is now a spinning loading icon displaying the = message that an operation is currently in progress. From a UX perspective, this is okay I = guess. The reconnection necessary for upgrading pppd went smooth, albeit Pakfire cou= ld not download add-on upgrades afterwards since the VPN did not came back in time, so I had = to do this manually. To my surprise, some IPsec N2N connections did not reconnect automatically, e= ven after rebooting the testing machine. After manually clicking on one of the "restart= " buttons on the IPsec CGI, they came back instantly, and have been stable ever since. This affected N2N connections not being in the "on-demand" mode only. While i= t is not really a show-stopper if someone is sitting in front of his/her/its IPFire ma= chine, remote upgrades might be tricky. Apart from that, this update looks quite good to me. The IPS changes are real= ly noticeable, and bring a throughput I think I never experienced with IPFire and the IPS tu= rned on. :-) This is certainly worth mentioning, as it finally makes the IPS suitable for = everyone, hence massively increasing security without worrying too much of performance = impacts. (For the sake of completeness: Unfortunately I did not yet have time do condu= ct a penetration test against this. Personally, I can imagine the IPS changes permitting some = attacks after Suricata decided it cannot analyse a connection further. Switching prot= ocols might be an issue, starting with TLS, while using something completely different af= terwards. While I do not really consider this to be a critical attack surface, I wanted= to look deeper into this as soon as I have some spare time to do so.) Tested IPFire functionalities in detail: - PPPoE dial-up via a DSL connection - IPsec (N2N connections only) - Squid (authentication enabled, using an upstream proxy) - OpenVPN (RW connections only) - IPS/Suricata (with Emerging Threats community ruleset enabled) - Guardian - Quality of Service - DNS (using DNS over TLS and strict QNAME minimisation) - Dynamic DNS - Tor (relay mode) I am looking forward to the release of Core Update 161. Thanks, and best regards, Peter M=C3=BCller --===============3654880352397860403==--