IPFire 2.17 - Core Update 90

IPFire 2.17 - Core Update 90

[The IPFire Project]

[-- Attachment #1: Type: text/plain, Size: 6738 bytes --]

[EN] http://www.ipfire.org/news/ipfire-2-17-core-update-90-released
[DE] http://www.ipfire.org/news/ipfire-2-17-core-update-90-freigegeben

This is the official release announcement of IPFire 2.17 – Core Update
90. This one comes with some new features, many updates of software
packages and various minor bug fixes.


GeoIP

Attackers originate from all sorts of places in the world. Often huge
networks of bots scan the entire Internet for services that are publicly
accessible and possible to exploit. With GeoIP-based blocking it is
possible to mitigate many of those scans to take off the load of the
firewall engine and to secure those publicly accessible services. With
GeoIP-based firewall rules it is possible to filter incoming and
outgoing traffic related on their source or desired destination
countries. Here are some examples what can be done with such a
GeoIP-filter:

* Prevent malware on your local systems to communicate with their
command and control (C&C) servers, which often are located in a certain
countries.
* Only allow remote administration from your own country.
* Create firewall rules for limit new connection attempts for countries
you usually don’t communicate that much with. This could help to prevent
from getting your mail servers flooded with spam from those countries.

The GeoIP feature successfully has been funded on the IPFire wishlist.

A pretty easy way to block any incoming traffic of several countries, a
new configuration page has been added to the IPFire web user interface.
On there, you can block incoming traffic from countries. You may also
define firewall rules where you can filter the originating country or
destination country.


Cryptography updates

SSLv3 and SSLv2 are now disabled by default

We have been disabling all possibly broken algorithms in the services
that IPFire itself is running and providing to the network. Now we are
making the even bigger step to disable support for SSLv2 and SSLv3 for
all SSL connections that are initiated by IPFire. Those two revisions of
the SSL protocol are very old and practically not used any more. They
are also considered as broken and should not be used any more.

Compatibility is still possible if the software you are using explicitly
requests for those protocols.

Performance improvements

We focussed very much on increasing the performance of ciphers in this
release. First of all we dropped support for cryptodev and replaced it
with optimising the user-space libraries so that these can use CPU
instructions when ever they are available for increasing throughput. The
AES algorithm was in spotlight of those efforts as it is the most
commonly used cipher. Others will benefit as well.

We updated the openssl package to version 1.0.2a and are shipping two
versions of libcrypto.so.10, which is the library that holds the
implementation of ciphers, hashes and those alike. The first shipped
version is compiled as usual and is used on all systems by default. If
there is SSE2 support available which is on more than 86% of all systems
known to fireinfo, an other version of libcrypto.so.10 will be loaded
which is compiled with various optimisations that require SSE and SSE2
instructions.

Hardware crypto processors like VIA Padlock and AES-NI are of course
used automatically when available.

Removing legacy code

We used to ship an extra copy of openssl version 0.9.8 for compatibility
reasons which is now removed with this update. The 0.9.8 branch of
openssl will not be discontinued by the openssl developers soon and the
libraries are not used any more. If you have a custom built program that
is linked against these, you will have to recompile it.


IPsec/strongSwan

strongSwan has been updated to version 5.3.0. It provides much better
stability of IPsec VPN connections.

Wolfgang Apolinarski sent in a patch that improves compatibility with
the internal Windows IPsec client and another one that increases key
sizes of the internal CA to 4096 bits for the root key and 2048 bits for
each client certificate. The SHA-512 and SHA-256 hash algorithm is used
respectively. Old certificates can not be converted for obvious reasons,
but new certificates will be created and signed with the new properties.

IKE fragmentation is now enabled by default which helps peers that
implement it to fragment IKE packets before they are sent over a path
with potentially broken routers that do not forward fragments.

Ciphers Selection

We have improved the selection of ciphers on the IPFire web user
interface where we added AES-GCM with various key and ICV sizes and we
ordered the ciphers by their strength so that it is easier to select the
strongest one possible.


Kernel Update

The kernel has been updated to version 3.14.43. It comes with various
security fixes and bug fixes throughout the entire tree.

The synthetic Hyper-V drivers have been patched to work with legacy
version of Microsoft Hyper-V (at least 2008). The igb driver module that
is maintained by Intel has been replaced by the default kernel module.
Bug fixes and other changes

* glibc: Fix CVE-2013-7423 and CVE-2015-1781
* apache will not show its version and loaded modules any more in the
  server signature
* Connections in the list of connections that are using Destination NAT
  are now coloured in the colour of the new destination host.
* dnsmasq has been fixed so that it will correctly fall back to TCP for
  DNS replies larger than the DNS packet size.
* udev: Network interface names are now assigned from the configuration
  in /var/ipfire/ethernet/settings instead of the setup tool generating
  a native udev configuration file.
* ovpnmain.cgi: Some certificate authority (CA) related elements have
  been displayed outside the site layout.

Updated packages

acpid 2.0.23, apache2 2.2.29, curl 7.40.0, cyrus-sasl 2.1.26, dhcp
4.3.1, dhcpcd 6.7.1, expat 2.1.0, glibc 2.12 (fixes for CVE-2013-7423
and CVE-2015-1781), groff 1.22.3, iputils s20121221, libjpeg 1.3.1,
logrotate 3.8.1, logwatch 7.4.1, nasm 2.11.06, openssh 6.8p1, squid
3.4.13 without SSL support, tzdata 2015d, wpa_supplicant 2.4, xz 5.2.1

Add-ons

* asterisk 11.17.1
* hostapd 2.4
  * The EAPOL timeout has been increased which gives some mobile devices
    more time to finish the wireless handshake
* libsrtp 1.5.2
* monit 5.12.1
* qemu 2.3.0
* squid-accounting – has been updated and fixes some issues with
  compressing the database and generating reports.
* tor 0.2.5.12

You can support this project by getting involved [2] into development,
writing documentation, support fellow IPFire users or with your donation
[3].

[1] http://fireinfo.ipfire.org/statistics/processors/x86
[2] http://www.ipfire.org/getinvolved
[3] http://www.ipfire.org/donate