Hello Michael, hello *,
I can confirm the testing update looks good so far.
These parts are working as expected:
- DDNS
- IPsec (N2N connections only)
- Squid proxy (including upstream proxy)
- OpenVPN (RW connections only)
- Suricata (see below)
However, I observed OpenVPN RW connection throughput decreased to ~ 350 kB/sec - 1.1 MB/sec if Suricata is enabled and filtering traffic on RED interface. Otherwise, throughput is usually ~ 2.0 MB/sec (= 16 MBit/sec), which is not that fast on my testing machine using a 100 MBit/sec internet downlink, but the remote system or some general OpenVPN performance issues seem to be the bottleneck here.
This issue probably appeared before upgrading to Core 135, and I am still debugging why this is (Suricata configuration is identical to a productive firewall instance with better OpenVPN throughput).
Further, DNS resolution sometimes fails, but that issue has been around here for quite a while. If there is enough time left, I will send in patches for always allowing DNS traffic to root servers and enabling hyperlocal (see RFC 7706).
Running kernel is as follows:
[root@maverick ~]# uname -a
Linux maverick 4.14.138-ipfire #1 SMP Sat Aug 10 00:53:30 GMT 2019 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
Speaking about CPU vulnerabilities, I notice changes in kernel status output for Spectre v1 (CVE-2017-5753):
[root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
As far as I can recall, "usercopy/swapgs barriers" was not present before. No comments on hardware security landscape in general.
Things look good so far, thanks to everyone who worked on this. :-)
Thanks, and best regards,
Peter Müller
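The mail spots the changed spectre_v1 mitigation string by eye. As an added example (not from the mail or the IPFire project), the script below snapshots the sysfs vulnerability files and diffs them against a baseline saved before the update; the sample directory and baseline values it builds are constructed stand-ins for the real /sys tree.

```shell
# Added example, not from the original mail: snapshot the kernel's CPU
# vulnerability status (the sysfs files quoted above) and diff it against a
# baseline saved before a kernel update, so a changed mitigation is caught.
# Emit "name=status" per sysfs entry, sorted so snapshots are comparable.
vuln_snapshot() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "$(basename "$f")" "$(cat "$f")"
    done | sort
}

# Compare current status in dir $2 with baseline file $1 (vuln_snapshot
# output). Prints NEW/CHANGED/MISSING lines; returns 1 if any entry is
# "Vulnerable", 0 otherwise.
vuln_check() {
    baseline="$1"; dir="$2"; rc=0; current=$(mktemp)
    vuln_snapshot "$dir" > "$current"
    while IFS='=' read -r name status; do
        old=$(sed -n "s/^$name=//p" "$baseline")
        if [ -z "$old" ]; then
            echo "NEW      $name: $status"
        elif [ "$old" != "$status" ]; then
            echo "CHANGED  $name: '$old' -> '$status'"
        fi
        case "$status" in
            Vulnerable*) echo "VULNERABLE $name"; rc=1 ;;
        esac
    done < "$current"
    while IFS='=' read -r name status; do
        grep -q "^$name=" "$current" || echo "MISSING  $name (was: $status)"
    done < "$baseline"
    rm -f "$current"
    return "$rc"
}

# Constructed stand-in for sysfs: current values are those quoted in the mail,
# the baseline is a made-up older kernel with a shorter spectre_v1 string.
make_demo() {
    d=$(mktemp -d); mkdir "$d/vulnerabilities"
    echo 'Mitigation: PTI' > "$d/vulnerabilities/meltdown"
    echo 'Mitigation: Clear CPU buffers; SMT disabled' > "$d/vulnerabilities/mds"
    echo 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$d/vulnerabilities/spectre_v1"
    printf '%s\n' 'mds=Mitigation: Clear CPU buffers; SMT disabled' \
        'meltdown=Mitigation: PTI' 'spectre_v1=Mitigation: __user pointer sanitization' > "$d/baseline"
    echo "$d"
}

demo=$(make_demo)
vuln_check "$demo/baseline" "$demo/vulnerabilities"
```

On a real box, run `vuln_snapshot > baseline` before the update and `vuln_check baseline` afterwards; a non-zero exit means some entry reports Vulnerable.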