January 3rd, 2022 - Happy New Year!

• Link to Conference Room

Agenda

• New IPS features from Stefan
• Core Update 163 and beyond
  • Kernel issues with USB networking devices
• Testing feedback?
  • CAKE
  • Firewall changes
• Changes to our donation process
• Date and place for this year's IPFire developer summit
• Deprecation of 32-bit ARM
• Analysis of Amit Klein: Subverting Stateful Firewalls with Protocol States

Attendees

• Adolf
• Arne
• Jonatan
• Michael
• Peter

Log

Core Update 163 and beyond

• Arne has access to a probably affected board, tries to reproduce USB networking device issues
• Depending on his findings, we are releasing a new kernel in a "emergency" Core Update
• linux-firmware needs to be updated, Peter takes care of this one
• Core Update 163 has some spare size left for linux-firmware

New IPS features by Stefan

• Troublesome development process, but is ready now
• Ready to go, will make it in C164 or beyond, depending on the kernel issue
• Looks good, needs some German translation updates
• URLhaus will be included, really makes sense for the masses
• Ready for testing: https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-008.tar.gz
• Peter tests this, fixes typos, merges it into his temporary branch, and Arne can pick it up from there

Testing feedback?

• CAKE
  • Arne runs it, works fine but does not really introduces noticeable improvements
  • Ready to go, will be included with the next kernel
• Firewall changes
  • Exporting XD networks missing, Michael sends an mail
  • Blog post needed

Suricata DNS bug

• Appears on an IPFire behind an IPFire, running Suricata on the first one, behind a slow internet connection
• Unbound traffic blocked for some reason, nothing logged
• Issue with DNSSEC key material
• Stefan somehow enabled logging for this case
• Could be related to RFC 5011, only appears after a while (within the range of minutes or hours?)
• Peter raises a bug for this (EDIT: Done, see bug #12765)

Deprecation of 32-bit ARM

• Arne: No cheap hardware to replace it
• A tiny firewall being incapable of running IPS is better than no firewall at all, especially for poorer areas of the world
• Kernel situation is better than it was for 32-bit Intel
• Userspace support is diminishing slowly, 32-bit ARM has a limited lifetime
• Consent:
  • Michael will update hardware page on the wiki to discourage against buying new 32-bit ARM SoCs
  • Same for list of ARM devices supported

IPFire developer summit 2022

• Berlin is set as a location, Hamburg's out
• Michael asks Mozilla if COVID policies fit, checks other locations
• Michael prepares mail, creates date survey (late April, early May, ...)

Changes to our donation process

Analysis of Amit Klein: Subverting Stateful Firewalls with Protocol States