ipcop-user Mailing List for IPCop Firewall

Sorry, forgot to repply to the List...

Hi Darren

I essence we can take any text and images, and wrap it in xml markup to
create the documents, which is semi-automated,provided you have a suitable
build system. I tended to drop in chunjks of text and continually rebuild
the docs to catch errors as I went.

Then you need admin rights to add the changes to the SVN repo, and upload
the new html chunks to the IPCop website.

It's a while since I worked on the documentation, and I think the box that
I did it on my have been retired, so you may be in the hands of another
keen volunteer. It is all documented in SVN, but it can take a while to get
back up to speed :o)

Eric


On 27 March 2016 at 21:31, Darren Conway <dar...@xt...> wrote:

> Hello
>
> How do I contribute to IPCop documentation.
> I wrote a detailed set of instructions to PXEboot to a CF card on an
> Alix sbc.
> I posted these on a website that has now disappeared.
>
> I am currently programming a new CF and updating the list of tools. I am
> writing instructions as I go that I can follow myself next time.  Others
> may find them useful as well.
>
> Regards
>
> Darren Conway
>
>
>
> ---
> This email has been checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus
>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785351&iu=/4140
> _______________________________________________
> IPCop-user mailing list
> IPC...@li...
> Manage your subscription or unsubscribe
> https://lists.sourceforge.net/lists/listinfo/ipcop-user
>

Hello

How do I contribute to IPCop documentation.
I wrote a detailed set of instructions to PXEboot to a CF card on an 
Alix sbc.
I posted these on a website that has now disappeared.

I am currently programming a new CF and updating the list of tools. I am 
writing instructions as I go that I can follow myself next time.  Others 
may find them useful as well.

Regards

Darren Conway



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Sunday 27 Mar 2016 13:04:24 Andrew McGlashan wrote:
> On 27/03/2016 1:44 PM, Jeffrey S. Russell wrote:
> > Version 3 will use systemd.  No idea currently of the release plan on
> > version 3.
> 
> No, stay away from that devil [systemd].
> 
> Time to use OPNSENSE I think.
> 
> https://opnsense.org/
> 
> Cheers
> AndrewM
> 
Do any of these firewall systems accept IPv6? BT claim that all their UK 
subscribers should have IPv6 by December 2016.
Chris Bell

On 27/03/2016 1:44 PM, Jeffrey S. Russell wrote:
> Version 3 will use systemd.  No idea currently of the release plan on
> version 3.

No, stay away from that devil [systemd].

Time to use OPNSENSE I think.

https://opnsense.org/

Cheers
AndrewM

Version 3 will use systemd.  No idea currently of the release plan on
version 3.

-----Original Message-----
From: Brad Morgan [mailto:b-m...@co...] 
Sent: Saturday, March 26, 2016 6:24 PM
To: 'Renaud (Ron) OLGIATI' <re...@ol...>;
ipc...@li...
Subject: Re: [IPCop-user] GNU C Library: Multiple vulnerabilities

> Does IPFire use systemd or sysvinit ?

IPFire uses sysvinit


 


----------------------------------------------------------------------------
--
Transform Data into Opportunity.
Accelerate data analysis in your applications with Intel Data Analytics
Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785351&iu=/4140
_______________________________________________
IPCop-user mailing list
IPC...@li...
Manage your subscription or unsubscribe
https://lists.sourceforge.net/lists/listinfo/ipcop-user

On Sat, 26 Mar 2016 16:23:39 -0600
"Brad Morgan" <b-m...@co...> wrote:

> > Does IPFire use systemd or sysvinit ?
> 
> IPFire uses sysvinit

Thank $DEITY !
 
And thanks for the info.

Cheers,
 
Ron.
-- 
                       We are upping our standards ...
                                          so up yours.
                          -- Pat Paulsen for President
                                    
                   -- http://www.olgiati-in-paraguay.org --
 

> Does IPFire use systemd or sysvinit ?

IPFire uses sysvinit


 

On Sat, 26 Mar 2016 12:24:50 -0600
"Brad Morgan" <b-m...@co...> wrote:

> I was a loyal IPCop user but I've switched to IPFire 

Does IPFire use systemd or sysvinit ?
 
Cheers,
 
Ron.
-- 
              Eschew sesquipedalian circumlocutory obfuscation.
                                    
                   -- http://www.olgiati-in-paraguay.org --
 

--------------------------------------------
On Sat, 26/3/16, Jeffrey S. Russell <jef...@ru...> wrote:

 Subject: Re: [IPCop-user] GNU C Library: Multiple vulnerabilities
 To: "'Ranbir'" <m3...@th...>, ipc...@li...
 Date: Saturday, 26 March, 2016, 19:59
 
 I've been using
 IPFire for two years now and am quite happy with it.  It
 has VRRP and IDS/IPS as well, which were good bonuses for my
 usage.  The core team is really good at getting updates
 out, especially for security fixes.
 
 -----Original Message-----
 From: Ranbir [mailto:m3...@th...]
 
 Sent: Saturday, March 26, 2016 12:22 PM
 To: ipc...@li...
 Subject: Re: [IPCop-user] GNU C Library:
 Multiple vulnerabilities
 
 On
 Sat, 2016-03-26 at 11:50 +0200, Tapani Tarvainen wrote:
 > While I understand developers are busy
 volunteers, patching security 
 > bugs
 fast is something I think a firewall distro should
 prioritize 
 > rather high.
 
 I love IPCop and it's been
 the only firewall distro I've ever used (over 10 years
 now). But, development is slow and it shouldn't be.
 Thus, I've been considering switching to
 something else that's much more active. The only problem
 is I don't know what to switch to. :/
 
 
 --
 Ranbir

-------------------------------------------------------------------------------
 


Don't like IpFire one bit .
I currently have only three sites using IpCop v1.4.x since I had
 a lot of issues with blocking traffic and DMZ on v2.1.x so I was
forced to downgrade back to v1.4.x.


For the rest of the sites I was _saved_ by Mikrotik.
It lacks some functionality that is paramount and easy to use
on IpCop but it saved me on remote locations where there
exist Voltagage outages and fluctuations.
Not the same with ipcop. Not because of ipcop per se. More
of the fact that it runs on PC hardware that is prone to faults
and very sensitive to such issues.


s.

> I love IPCop and it's been the only firewall distro I've ever used (over 10 years now). But, development is slow and it shouldn't be.
> Thus, I've been considering switching to something else that's much more active. The only problem is I don't know what to switch to. :/

I was a loyal IPCop user but I've switched to IPFire (http://www.ipfire.org/), originally cloned from IPCop but which is significantly more active. Latest release is 2.17 - Core Update 99 released March 5, 2016.

I've been using IPFire for two years now and am quite happy with it.  It has VRRP and IDS/IPS as well, which were good bonuses for my usage.  The core team is really good at getting updates out, especially for security fixes.

-----Original Message-----
From: Ranbir [mailto:m3...@th...] 
Sent: Saturday, March 26, 2016 12:22 PM
To: ipc...@li...
Subject: Re: [IPCop-user] GNU C Library: Multiple vulnerabilities

On Sat, 2016-03-26 at 11:50 +0200, Tapani Tarvainen wrote:
> While I understand developers are busy volunteers, patching security 
> bugs fast is something I think a firewall distro should prioritize 
> rather high.

I love IPCop and it's been the only firewall distro I've ever used (over 10 years now). But, development is slow and it shouldn't be.
Thus, I've been considering switching to something else that's much more active. The only problem is I don't know what to switch to. :/


--
Ranbir

On Sat, 2016-03-26 at 11:50 +0200, Tapani Tarvainen wrote:
> While I understand developers are busy volunteers, patching security
> bugs fast is something I think a firewall distro should prioritize
> rather high.

I love IPCop and it's been the only firewall distro I've ever used
(over 10 years now). But, development is slow and it shouldn't be.
Thus, I've been considering switching to something else that's much
more active. The only problem is I don't know what to switch to. :/


-- 
Ranbir

There's still been no glibc patch for IpCop, and I just noticed
there wasn't even a ticket open about this (I opened one now).

This is getting a bit long in the tooth. I can't help wondering
if there's something in IpCop development process that makes
it difficult to do small patches quickly, or is there something
in this case that makes updating just glibc complicated.

While I understand developers are busy volunteers, patching security
bugs fast is something I think a firewall distro should prioritize
rather high.

--
Tapani Tarvainen

On Fri, Feb 19, 2016 at 07:44:46PM +0200, Tapani Tarvainen (ip...@ta...) wrote:

> Yes it is, at least CVE-2015-7547. And it should be patched ASAP.
> 
> As an interim band-aid, something like this in rc.firewall.local might help:
> 
> iptables -A CUSTOMINPUT -p udp -m udp --dport 53 -m length --length 513:65535 -j DROP
> iptables -A CUSTOMINPUT -p tcp -m tcp --dport 53 -m length --length 1025:65535 -j DROP
> 
> -- 
> Tapani Tarvainen
> 
> On Thu, Feb 18, 2016 at 07:21:47PM +0100, Dan Johansson (ip...@dm...) wrote:
> 
> > Hi All,
> > 
> > Does anyone here know if IPCop (2.1.9) is affected by these glibc
> > vulnerabilities:
> > 
> > * The Google Security Team and Red Hat discovered a stack-based buffer
> >   overflow in the send_dg() and send_vc() functions due to a buffer
> >   mismanagement when getaddrinfo() is called with AF_UNSPEC
> >   (CVE-2015-7547).
> > * The strftime() function access invalid memory when passed
> >   out-of-range data, resulting in a crash (CVE-2015-8776).
> > * An integer overflow was found in the __hcreate_r() function
> >   (CVE-2015-8778).
> > * Multiple unbounded stack allocations were found in the catopen()
> >   function (CVE-2015-8779).
> > 
> > Regards,
> > -- 
> > Dan Johansson
> > ***************************************************
> > This message is printed on 100% recycled electrons!
> > ***************************************************

On Sat, 27 Feb 2016 16:33:38 -0300, Renaud (Ron) OLGIATI wrote:

> In reply to a query about configuring Debian as a firewall, I suggested
> using IPCop instead.
> 
> This provoked the heated reply I am forwarding below.
> 
> Would any IPCop guru care to comment ?
> 
> Cheers,
>  
> Ron.
> 
> 
> Begin forwarded message:
> 
>  Reco <rec...@gm...> wrote:
> 
>> > I know that is possible to build a firewall using Debian.
>  
>> It is possible, but why go to the bother when you have dedicated
>> distributions like IPCop that come ready to go, and are by design more
>> secure than a specially-configured Debian will be.
> 
> Please. "Out-of-the-box" IPCop (version 2.1.8 I just grabbed from the
> Sourceforge) does have:
> 
> 1) No meaningful DNSSEC capability.
> 
> 2) Presence of libfontconfig.so *and* fonts for no good reason.
> 
> 3) Bunch of questionable quality root-owner SUID binaries in
> /usr/local/bin, intended to be called from Web-interface.
> 
> 4) Lack of any pre-installed IDS.
> 
> 5) Outdated kernel 3.4, configured *without* SELinux, Apparmor or tomoyo
> support.
> 
> 
> Oh, did I mention that *primary* download mirror for this distribution
> is the Sourceforge?
> 
> IPCop can be an interesting solution for a host on an internal network,
> which nobody intends to poke, but suggesting putting *this* to serve as
> a firewall from an Internet is a joke.
> 
> Reco
> 
> 


He lost me at SELinux and similar programs. Those are aimed at multiple 
users logged into a machine and controlling access as to which user can 
execute, read, or what to which process. SELinux, APParmour and the like 
have always seemed like solutions looking for a problem in the decade plus 
they have been here. While I swear by Debian as a server OS, as a MythTV 
appliance base (uses third party repos) and even as a decent laptop OS, 
Workstation OS etc, I prefer a dedicated, hardened, specific, non bloated 
tiny OS for firewall/routing that was developed to only run as a dedicated 
firewall appliance. He may be doing Debian a disservice with his noisy 
negativist rant. 

IDS, well, I have yet to see a decent one in Linux. When IPCop had it it 
was the most misunderstood and misused feature it had plus it would eat up 
over 100MB of ram per monitored interface, give mostly false positives 
caused by bogus rules and then some of those bogus rules would be removed 
on the next rules update, new rules added and then some of those new rules 
would end up being bogus and throwing false positives. This cycle runs 
from from here to eternity.

To those considering PFsense, I recommend looking at Opnsense which forked 
from PFsense when Netgate bought PFsense and closed down much of the 
access to the code. Pfsense was a fork of Monowall. The author of Monowall 
endorsed Opnsense as the worthy successor and discontinued Monowall as 
having served it's purpose. 

Dave Studeman
http://www.raqcop.com