Hello,
On 20 Mar 2022, at 10:35, Peter Müller peter.mueller@ipfire.org wrote:
Hello development folks,
Core Update 165 (testing, see: https://blog.ipfire.org/post/ipfire-2-27-core-update-165-is-available-for-te...) is running here for roughly a day, with some minor and one major issue(s) spotted so far.
While installing the update went smooth (the improved Pakfire GUI is really nice - thanks again to Leo!), I bumped into some IPS-related trouble afterwards: Network connections timed out frequently, no matter whether they were directed to IPFire itself or not, and the GUI (especially the graphs) took ages to load, if at all.
This is a worry to me and should not happen.
Stopping the IPS and starting it again via the GUI solved the problem - I believe we should do this in the update.sh script, but am not sure if there are cross-dependencies to something else. There is no bug raised for this yet.
This is even a bigger worry, because the IPS should not do this kind of stuff.
Also, I noticed Squid was not restarted during the update, which caused trouble until I ran "/etc/init.d/squid restart" manually. Bug #12810 has been filed for this, and I just submitted a patch fixing this a few minutes ago.
Since my IPFire machine is rebooting every night via a scheduled job, I usually do not conduct a manual reboot immediately after installing an update. This time, I felt it was a good thing to do.
Do people still do scheduled reboots?
Afterwards, Tor would not start again unless I disabled the "sandbox" feature manually. I believe this is not a general problem, but due to the fact that we did not ship libseccomp. Bug #12807 has been filed for this.
Thank you. Merged.
Today (i. e. another reboot later), I noticed charon emitting some iptables warnings while establishing an IPsec connection (filed as bug #12808), and, more important, some location- based firewall rules not being properly loaded, which rendered DDNS - and subsequently IPsec and OpenVPN - useless for me, since I am getting IP addresses assigned dynamically.
Do you have more details on this? Do you believe the two problems are related?
Bug #12809 has been filed for the latter, and I believe this is a show-stopper. Oddly enough, it did not appear after the first reboot, and _some_ location-based firewall rules were loaded correctly after the second one. Manually reloading the rules via the GUI "solved" the problem for now, but this is definitely something we need to have a look at before releasing C165.
Apart from these, things look good to me. Tested IPFire functionalities in detail:
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats community ruleset enabled)
- Guardian
- Quality of Service
- DNS (using DNS over TLS)
- Dynamic DNS
- Tor (relay mode)
Thanks, and best regards, Peter Müller
-Michael