Channel

  • Jitsi
  • The dial code is 820405

Agenda

  • News from IPFire 3.x ecosystem (Pakfire, installer)
  • Status quo of Core Update 158 and beyond
  • Assorted firewall.cgi bugs, especially #12265
  • Users reporting ports reachable on RED
    • May 2020 incident: Caused by user configuration error in firewall.local
    • December 2020 incident: Unknown, an over-permissive SNAT rule in firewall.local is suspected, but the user did not report back
    • June 26th incident: Unknown, seems to be gone after a reboot (?!), user is still investigating
    • June 28th incident: Port in question was apparently opened on a router in front of IPFire's RED interface, user refused to provide logs/command outputs

Attendees

  • Arne
  • Jonatan
  • Michael
  • Peter

Log

Core Update 158

  • IPsec with Apple iOS & Mac OS still needs documentation
  • sshctrl call still needs to be fixed
  • Updates are quite big, and require a lot of disk space and RAM (while decrypting and verifying them)
  • Not clear if the UDP fragmentation problem is solved or not
  • No other major quirks known at the moment
  • Some bugs introduced in Core Update 157, still awaiting fixes
  • Root cause of broken Grub configs unknown, we need more feedback
  • Rest is still awaiting patches, will be handed in eventually

Core Update 159

  • We have a new Linux kernel - yay!!!
  • armv5tel will be dropped: There are no compatible boards around anymore according to Fireinfo, we will require armv6l in future
  • No other changes planned, the update is big enough already

firewall.cgi bugs

  • Alex disappeared and/or does not respond anymore, we need to take care of this ourselves :-/
  • Stefan volunteered to fix them bit by bit (many thanks)
  • Will take time and require feedback
  • By the way: The port redirect add-on seems to be overkill, Stefan replaced it with a ~20-line patch...

Users reporting ports reachable on RED

  • All incidents but one have been cleared
  • Known penetration tests of IPFire never revealed similar behaviour
  • We do not believe there is a bug related to this...

"Das ist alles nur gecloud (eh-oh, eh-oh), / das ist alles nicht mehr deine..."

  • Swiss government decided to toss their stuff to Alibaba m(
  • Google Cloud suffers from an - um - interesting security vulnerability
  • You cannot buy VMs at Hetzner and Exoscale without a public interface m(
  • You cannot trust any cloud provider, hence we will never move our critical infrastructure to infrastructure beyond our control
  • Nevertheless, we currently offer IPFire images on AWS, Hetzner, Exoscale, et al., and it makes sense to extend this range to Alibaba and Tencent for APAC users

Pakfire & IPFire 3.x

  • Mitigating ccache poisoning
    • Expensive, but necessary
    • Throwaway cloud VMs might be a solution for non-release builds
    • We need to use them efficiently to save money
  • IPFire 3.x
    • Michael made major progress
      • Pakfire has been re-implemented in C, almost feature complete
      • Signatures are still missing and TBD
      • Python module is merely a wrapper now
      • CLI needs to be cleaned up and some comfort features added
      • Debian Bullseye required (Linux kernel >= 5.4, libsolv > 4.7)
    • Next step: Move PBS to Python 3.x and integrate the new Pakfire, Michael's project for July
    • New installer: Bricklayer
      • Written in pure Python
      • We will support Btrfs only, primarily because of snapshot support (which still requires physical access or a KVM console)
      • Relatively feature-complete
      • Side use: Installing IPFire from within other running operating systems, onto loopback devices, etc.
      • Concrete implementation of network configuration still to be defined
    • Having PBS running will be a major milestone
    • Test Driven Development is tricky in build environments without networking
    • Michael is working on Pakfire and the IPFire 3.x ecosphere almost full-time in his spare time

Miscellaneous

  • GitHub Copilot
    • Ignores Open Source licenses, including ours (we are quite pissed about this)
    • Smells like supply chain attacks incoming