Hello all,
after testing too little in the past months, I am hereby trying to catch up for announced Core Update 132.
Most services are running as expected: - IPsec - OpenVPN (tested with RW connections only) - DDNS - Squid (non-transparent, including upstream proxy) - Suricata (IPS mode, activated on all interfaces)
Tor suffers from missing libseccomp dependency and a permission bug (see #12088), but starts correctly after installing the library and fixing /var/lib/tor permissions manually.
I can confirm IDS rulesets download works in combination with an upstream proxy now (tested with Emerging Threats).
Suricata seems to drop some packets (as internal connections sometimes take ages to establish), but does not log anything. This requires some further investigation, and it is kind of an evident-missing blame at the moment.
Talking about the <sarcasm>all-new-and-improved Intel CPU vulnerabilities</sarcasm>, disabling SMT automatically seems to work:
[root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
(CPU is an Intel Celeron N3150 4x 1.60 GHz .)
However, the new WebUI CGI is partly missing German translations, and claims "Simultaneous Multi-Threading (SMT) is not supported". The latter is confusing, as the system states the opposite.
Talking about aesthetics, the CGI is a bit messy, but that is not a functionality problem and might be fixed in an upcoming update.
Thanks, and best regards, Peter Müller
Hi,
On 27 May 2019, at 21:26, Peter Müller peter.mueller@ipfire.org wrote:
Hello all,
after testing too little in the past months, I am hereby trying to catch up for announced Core Update 132.
Cool!
Most services are running as expected:
- IPsec
- OpenVPN (tested with RW connections only)
- DDNS
- Squid (non-transparent, including upstream proxy)
- Suricata (IPS mode, activated on all interfaces)
Tor suffers from missing libseccomp dependency and a permission bug (see #12088), but starts correctly after installing the library and fixing /var/lib/tor permissions manually.
I can confirm IDS rulesets download works in combination with an upstream proxy now (tested with Emerging Threats).
Suricata seems to drop some packets (as internal connections sometimes take ages to establish), but does not log anything. This requires some further investigation, and it is kind of an evident-missing blame at the moment.
Yes. I am aware of this and we have a ticket for it:
https://bugzilla.ipfire.org/show_bug.cgi?id=12078
Talking about the <sarcasm>all-new-and-improved Intel CPU vulnerabilities</sarcasm>, disabling SMT automatically seems to work:
[root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
You got a royal flush there. Almost hit them all.
(CPU is an Intel Celeron N3150 4x 1.60 GHz .)
However, the new WebUI CGI is partly missing German translations, and claims "Simultaneous Multi-Threading (SMT) is not supported". The latter is confusing, as the system states the opposite.
This is what we get from the kernel.
Talking about aesthetics, the CGI is a bit messy, but that is not a functionality problem and might be fixed in an upcoming update.
Yes I know. I mentioned I did this as quickly as possible to make the release. Please send in patches :)
-Michael
Thanks, and best regards, Peter Müller -- The road to Hades is easy to travel. -- Bion of Borysthenes
-
Michael Tremer -
Peter Müller