IPFire

ipfire.org
A hardened, versatile, state-of-the-art open source firewall based on Linux. Its ease of use, high performance and extensibility make it usable for everyone.

Open Source

IPFire Source Code

  • Author ipfire
  • Description IPFire 2.x development tree
  • Homepage
  • License
  • Created 15 Jan 13
  • Last Updated 03 Sept 24
  • Latest version v2.29-core188
  • Primary Language Perl
  • Size 92,477 KB
  • Stars 157
  • Forks 73
  • Watchers 157

Recent Commits

  • Michael Tremer (03 Sept 24)

    core188: Ship OpenSSL Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (03 Sept 24)

    openssl: Update to 3.3.2

    Possible denial of service in X.509 name checks (CVE-2024-6119)
    ===============================================================

    Severity: Moderate

    Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

    Impact summary: Abnormal termination of an application can cause a denial of service.

    Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

    Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

    TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a "reference identifier" (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.

    OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

    Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (29 Aug 24)

    .gitignore: Keep ignoring the deleted doc files Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (28 Aug 24)

    make.sh: Don't try to create a time NS on older kernels This is not supported on kernels < 5.6. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (28 Aug 24)

    make.sh: Bind-mount /proc as a workaround for unshare unshare seems to want to change the mount propagation for /proc before it has been mounted. In order to work around that problem, we bind-mount /proc to itself before. Signed-off-by: Michael Tremer <[email protected]>

  • Adolf Belka (26 Aug 24)

    openssl: Update to version 3.3.1

    - Update from 3.3.0 to 3.3.1
    - Update of rootfile not required
    - This version has 2 CVE fixes both of which are classified as Low Severity so looks like they can wait for CU189
    - Changelog 3.3.1

      * Fixed potential use after free after SSL_free_buffers() is called. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. ([CVE-2024-4741])

      * Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2024-4603])

      * Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.

    Signed-off-by: Adolf Belka <[email protected]>
    Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (27 Aug 24)

    core-updates: Honour the excluded file list This was not implemented when refactoring the code to compress the updater's tarball. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (23 Aug 24)

    make.sh: Integrate the rootfile consistency check Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (23 Aug 24)

    make.sh: Refactor the broken rootfile check Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (23 Aug 24)

    core-update: Append the release number to the meta file Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (23 Aug 24)

    Merge branch 'next'

  • Michael Tremer (23 Aug 24)

    Run "./make.sh lang" Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (23 Aug 24)

    make.sh: Fix printing the total build time Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    Revert "make.sh: Swap mount propagation" This reverts commit f3c360cd6e8daf0431f684bfad9c55f64bad6c7f. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    make.sh: Remove the brackets from build options Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    core188: Ship suricata and arping because of SO bump in libnet Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    core188: Ship lang.pl Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    guardian.cgi: Use the new service widget Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    header.pl: Fix language loading We have been importing the language files many times when they are actually rather slow. This just tidies this up. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    header.pl: Remove an unused variable Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    lang.pl: Fix all sorts of whitespace issues No functional changes. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    index.cgi: Improve the warning box Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    samba.cgi: Fix styling of the configuration form Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    samba.cgi: Use the new service status widget Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    firewall.cgi: Fix messy table striping Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    CSS: Make the black less aggressive Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    services.cgi: Search for suricata by its PID suricata renames itself and therefore we cannot find the process by its name. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    vpnmain.cgi: Fix colouring of the connection status when disconnected Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (21 Aug 24)

    unbound-dhcp-leases-bridge: Watch unbound This patch adds a watcher thread which monitors if Unbound is still alive. If not, it will wait until Unbound comes back, rewrite the leases file and reload Unbound to get it back into sync. Afterwards Unbound will receive updates as usual. Signed-off-by: Michael Tremer <[email protected]>

  • Michael Tremer (20 Aug 24)

    make.sh: Remove all traces of KCFG This variable is no longer being used and has been abused way too much in the past. May it rest in pieces. Signed-off-by: Michael Tremer <[email protected]>

IPFire Website

Website

www.ipfire.org - Welcome to IPFire

IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 81.3.27.38
  • Hostname fw01.ipfire.org
  • Location Datteln, Nordrhein-Westfalen, Germany, EU
  • ISP Visit www.ipfire.org
  • ASN AS24679

Associated Countries

  • US
  • GB
  • DE

Safety Score

Website marked as safe

100%

Blacklist Check

www.ipfire.org was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: IPFire

API

You can access IPFire's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/networking/self-hosted-network-security/ipfire

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included on this page comes from, and how it is computed, see the About the Data section of our About page.
