Security
IPFire 2.5: Firewalls and more
IPFire is a special-purpose Linux distribution that makes it easy to set up a firewall, in particular for users who want a secure gateway between the internet and their home or small business. IPFire has an administrative web interface that aims to be clear to beginners but at the same time doesn't ignore experienced users.
The project started in 2005 as an IPCop derivative, but the 2.x version moved to Linux From Scratch as its base. There's no company behind IPFire, and the project is developed by a small but active core of developers (five core developers and about a dozen 'community developers' who develop new add-ons), under the supervision of project lead Michael Tremer. The latest release is IPFire 2.5 - Core 37, based on Linux kernel 2.6.27.42.
Straightforward installation
Your author downloaded IPFire 2.5 - Core 37. The download page offers the image in various formats: an installable CD image (via HTTP or a torrent, it's only 77 MB big), images for a USB stick, flash images for embedded x86 devices, and an image to run as a Xen guest.
IPFire has rather modest system requirements, but it's too heavy for real embedded use. A Pentium-class processor is the minimum, with a recommended clock frequency of at least 333 MHz. The distribution requires 128 MB RAM but recommends 512 MB. The hard drive needs 1 GB, but 2 GB is recommended because of the need for log files. Of course, if the firewall also acts as a file server, the hard drive should be much bigger, but combining these two purposes in one machine is not the most secure setup. And last but not least, the system needs at least two network cards: one for the WAN connection and one for the LAN. Add a wireless card for a wireless network.
The installation instructions guide the user through the installation process, which is rather straightforward and takes just a couple of minutes. It lets the user choose a target drive and a filesystem (the default ReiserFS, Reiser4, or ext3), partitions and formats the hard drive, and installs all files.
Colorful configuration
The configuration phase starts with the normal options, such as the keyboard layout, timezone, hostname and domain, and the root and admin passwords. After this comes the network configuration, but this introduces some new terminology; for "network type" there are the following possibilities: "GREEN + RED", "GREEN + RED + ORANGE", "GREEN + RED + BLUE", and "GREEN + RED + ORANGE + BLUE".
By default, IPFire configures a network of type "GREEN + RED", which means that it knows two networks: a green network for the LAN, and a red network for the WAN. Users that want a separate network for wireless clients should add a blue network, and users that want a separate server network (a "demilitarized zone"), should add the orange network.
Next, each of the chosen networks is assigned a network interface, IP address, and subnet mask. For the red interface, this obviously depends on the way the connection with the internet provider works. Users can choose from a static IP address, DHCP, or PPP dialup. In the following step, the DNS and gateway settings are made, but if the red interface uses DHCP, the correct values are already filled in. In the last step, it's possible to enable the DHCP server and enter the IP range for the LAN. Users can redo the whole configuration procedure later using the command-line program setup.
Add-ons and security
IPFire can be extended with add-ons, which are installed through the package manager Pakfire. Available add-ons include security and network tools like Tripwire, Guardian, Snort, or Squidclamav, but also file servers like Samba or NFS and Voice-over-IP packages such as Asterisk or Teamspeak, and some miscellaneous tools such as iftop, htop, or rsync. Right now, there are 97 add-ons available. Pakfire can be used from the web interface or from the console.
For a distribution that claims a focus on security, it's a bit strange to see that users have to do a full core update to get security fixes, but according to Michael, users don't have to wait that long for fixes:
Web interface
Most of the features of IPFire can be configured using the web interface, available over the green network interface. The administrator has to log in using the admin username and password entered during the configuration. The web interface is subdivided into various "tabs": System, Status, Network, Services, Firewall, IPFire, and Logs. Each of them is again subdivided into different pages. The System tab contains IPFire's main settings: users can change the look and feel of the web interface, activate ssh access (which runs on port 222 by default to reduce brute force attacks) and save the configuration of their IPFire installation to a file to restore it later. The latter page even has an option that creates an ISO image with the current settings, which can be burned to a CD in order to reinstall the complete system with the same settings. It's also possible to back up the settings of the add-ons.
The Status tab gives access to graphs and tables about virtually anything users want to know about their firewall. There are graphs of the CPU usage and load, of the memory and swap usage, of the network traffic on each interface, of port scans and ping answer times, and so on. There's even a page with temporal data of hard disk and case temperature, and another one with SMART information and disk usage of the hard disk. Last but not least, the Services page gives a nice overview of the running services and diagrams of the memory usage of the processes. This page also allows the user to enable or disable the installed add-ons, which are mostly extra services.
The Network tab offers a lot of configuration options, from DHCP and DNS servers to Wake-on-LAN and a web proxy server (using Squid). The web proxy page is really extensive and allows some advanced settings, including a transparent mode which generates iptables rules with the nice effect that clients don't have to be configured for proxy use, and a URL filter that blocks access to specified web sites or web sites containing offensive words.
In the Services tab, users can configure the default services of IPFire. To create a virtual private network, IPSec or OpenVPN can be used. Dynamic DNS can be used to allocate a domain name to the dynamic IP address IPFire gets from the ISP, and IPFire is able to synchronize its time to an external server via NTP and serve its time to machines in the local network. On the Quality of Service page users can specify different classes of services and grant them a specific bandwidth usage, and the Intrusion Detection System page enables Snort to help detect malicious behaviour on the network.
The Firewall tab has settings for port forwarding, external access to the IPFire machine, and firewall rules for outgoing traffic. Add-ons can be installed in the IPFire tab. And last but not least, the Logs tab has pages with graphs and log files of a lot of services, and the behavior of syslog can be configured here.
All in all, the web interface gives access to a lot of functionality, but the pages are not laid out in the most consistent way. For example, the IP addresses and other connection information of the network interfaces are shown on the Home page under the System tab, while they would be more appropriate under the Status tab. And information about the services is split between the Status - Services page and the pages under the Services tab. Moreover, services installed as add-ons can be started and stopped in the Status - Services menu, while the main services only show their status on that page and have to be enabled or disabled on their own pages. In addition, the pages in the Logs tab repeat a lot of information that is already shown in the Status tab, and show some other information that would be more logically placed on other pages, such as the firewall logs and the logs of the intrusion detection system.
Development
In the meantime, the IPFire developers are working on the 3.x branch. It will probably be based on the stable Linux 2.6.32 kernel, patched by the IPFire developers with the grsecurity and PaX patches as well as the Open Cryptographic Framework for accelerated cryptographic primitives. The developers are also enabling the stack smashing protection of GCC to prevent buffer overflows.
For this new release, the developers will focus on the networking part of the distribution. According to Michael, there will definitely be support for IPv6, VLANs, more than the current four independent network zones, port trunking to increase bandwidth, and many more VPN features (e.g. using StrongSwan). The web interface will also be entirely rewritten with a focus on usability and configurability, and it will be based on Python instead of Perl. Pakfire will also be rewritten in Python. The first alpha release is already available.
The network zones model with the four colors will change slightly in the next release. According to Michael, it will be possible to create multiple zones of the same type, which could be interesting in a couple of cases:
As a consequence, the blue zone will be dropped in IPFire 3.0, and an additional network type will be added for the management of IPFire. The internet zone will be red, any local network would be green, the management network will be grey, and a DMZ zone would be orange.
Conclusion
IPFire is a nice solution for a secure network gateway for people that need a web interface, but that is the part of the distribution that still needs a lot of work. The web interface has too many options and doesn't show them in a consistent way, which will turn off many beginners. Fortunately, the web interface for the 3.x version will be entirely rewritten with a focus on usability.
New vulnerabilities
cacti: SQL injection
| Package(s): | cacti | CVE #(s): | |
| Created: | April 26, 2010 | Updated: | April 28, 2010 |
| Description: | From the Debian advisory: It was discovered that Cacti, a frontend to rrdtool for monitoring systems and services, missed input sanitizing, making an SQL injection attack possible. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2010-1188 |
| Created: | April 27, 2010 | Updated: | November 12, 2010 |
| Description: | From the Red Hat advisory: A use-after-free flaw was found in the tcp_rcv_state_process() function in the Linux kernel TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic (denial of service). |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel kernel-pae | CVE #(s): | CVE-2010-1084 CVE-2010-1087 CVE-2010-1146 |
| Created: | April 27, 2010 | Updated: | September 23, 2010 |
| Description: | From the Pardus advisory: Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allows remote attackers to cause a denial of service (memory corruption) via a large number of Bluetooth sockets, related to the size of sysfs files in (1) net/bluetooth/l2cap.c, (2) net/bluetooth/rfcomm/core.c, (3) net/bluetooth/rfcomm/sock.c, and (4) net/bluetooth/sco.c. (CVE-2010-1084) The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible. (CVE-2010-1087) The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/. (CVE-2010-1146) |
| Alerts: | |
krb5: arbitrary code execution
| Package(s): | krb5 | CVE #(s): | CVE-2010-1320 |
| Created: | April 22, 2010 | Updated: | July 21, 2010 |
| Description: | From the Red Hat bugzilla entry: A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later. This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult). |
| Alerts: | |
nano: multiple vulnerabilities
| Package(s): | nano | CVE #(s): | CVE-2010-1160 CVE-2010-1161 |
| Created: | April 27, 2010 | Updated: | September 9, 2010 |
| Description: | From the Pardus advisory: GNU nano before 2.2.4 does not verify whether a file has been changed before it is overwritten in a file-save operation, which allows local user-assisted attackers to overwrite arbitrary files via a symlink attack on an attacker-owned file that is being edited by the victim. (CVE-2010-1160) Race condition in GNU nano before 2.2.4, when run by root to edit a file that is not owned by root, allows local user-assisted attackers to change the ownership of arbitrary files via vectors related to the creation of backup files. (CVE-2010-1161) |
| Alerts: | |
seamonkey: information disclosure
| Package(s): | seamonkey | CVE #(s): | CVE-2009-3385 |
| Created: | April 22, 2010 | Updated: | June 14, 2010 |
| Description: | From the NVD entry: The mail component in Mozilla SeaMonkey before 1.1.19 does not properly restrict execution of scriptable plugin content, which allows user-assisted remote attackers to obtain sensitive information via crafted content in an IFRAME element in an HTML e-mail message, as demonstrated by a Flash object that sends arbitrary local files during a reply or forward operation. |
| Alerts: | |
X.org Server: privilege escalation
| Package(s): | xorg-x11-server | CVE #(s): | CVE-2010-1166 |
| Created: | April 28, 2010 | Updated: | September 7, 2010 |
| Description: | The X.org render extension can be forced to crash by an authorized client, leading to denial of service and potential privilege escalation vulnerabilities. |
| Alerts: | |
Page editor: Jake Edge