From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.23 - Core Update 131 released
Date: Thu, 16 May 2019 13:13:29 +0100

https://blog.ipfire.org/post/ipfire-2-23-core-update-131-released

Finally, we are releasing another big release of IPFire. In IPFire 2.23 - Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.

Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate [1] today!

A New Intrusion Prevention System

We are finally shipping our recently announced IPS [2] - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance and security, and it is, simply put, more modern. We would like to thank the team at Suricata [3], on which it is based, for their hard work and for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS [4], what rulesets are supported [5] and what hardware resources [6] you will need.

Migration from the older Intrusion Detection System

Your settings will automatically be converted if you are using the existing IDS and replicated with the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only.
This is so that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required for the IDS to work, but it still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates

This release rebases the IPFire kernel on 4.14.113, which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need, which will give all IPFire systems a small performance boost.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.

Misc.

• SSH Agent Forwarding: This can now be enabled on the IPFire SSH service, which allows administrators to connect to the firewall and use SSH Agent authentication when using the IPFire as a bastion host and connecting onwards to an internal server.
• When multiple hosts are created to overwrite the local DNS zone, a PTR record was automatically created, too. Sometimes hosts have multiple names, which makes it desirable not to create a PTR record for an alias; this can now be done with an additional checkbox.
• A bug in the firewall UI has been fixed which prevented the rule configuration page from being rendered when the GeoIP database had not been downloaded yet. This was an issue when a system was configured, but never connected to the internet before.
• On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk, which led unbound to crash under certain circumstances.
• Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default;
• We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.

Add-ons

• Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
• tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows rules to be created for traffic that originates from the local tor relay. The service is also running as its own user now.
• Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.

New Packages

• flashrom - A tool to update firmware

[1] https://www.ipfire.org/donate
[2] https://blog.ipfire.org/post/introducing-ipfire-s-new-intrusion-prevention-system
[3] https://www.suricata-ids.org/
[4] https://wiki.ipfire.org/configuration/firewall/ips/start
[5] https://wiki.ipfire.org/configuration/firewall/ips/rulesets
[6] https://wiki.ipfire.org/configuration/firewall/ips/performance-considerations