Routers & Proxies

IPCOP

Documentation (via www.ipcop.org)

IPCop Quick Start Guide (v1.x)

Installation Manual (v1.x)

Administration Manual (v1.x)

Network diagrams

Add-ons

URL-Filter (via urlfilter.net)

Advanced Proxy (via advproxy.net)

Net-Traffic (via blockouttraffic.de)

Installing add-ons

  • After downloading the add-on, it must be copied to the IPCop
  • Copy the file "Addon_VERSION.tar.gz" to "/tmp/" on your IPCop (using SCP, WinSCP or FileZilla)
  • Unpack the archive with "tar zxvf Addon_VERSION.tar.gz"
  • Change into the folder: "cd Addon_VERSION"
  • Install with "./install" or "./setup" (read the Readme)
  • After a successful installation, the folder can be deleted again

IPCop configuration in the internetLOUNGE

Hardware

  • Fujitsu Siemens
  • Pentium III
  • 933 MHz

Software

  • IPCop version: 1.4.21
  • Advanced Proxy
  • URL Filter
  • Net-Traffic

Other

IPCop Hardware Compatibility List (via rkaehler.de)

IPFIRE

Restoring DNS Privacy

Stefan and I have been taking last week to add DNS over TLS into IPFire - another step to make DNS more private. Here is what we have done.

Cleaning up some mess

IPFire has multiple places where DNS servers could be configured. If you were using PPP for your Internet connection, you would have set this up with your dialup settings. If you were using a static IP address, then you would have set up the DNS servers with it in the setup. If you were using DHCP, you had a page on the web user interface to go to. This is not only confusing for the user, but also there were the places in the code where those settings were applied.

Now, we have created an entire new page which combines all of it together! You will have a list where you can set all DNS servers and set new settings.

With that, there are a couple more features coming:

For those of you who are running IPFire in a school or at home with children, you can now enable Safe Search for multiple search engines and YouTube. If Safe Search is enabled, all adult and violent content will be filtered in the search results.

This used to be a feature of the web proxy, but since everyone is now using HTTPS everywhere, we can no longer edit the search query being sent to the search engine. Safe Search is now realised by sending the client to a different server which only returns the filtered results and can therefore not be disabled on the client any more.

QNAME Minimisation

To protect your privacy, the DNS proxy inside IPFire strips away any part of the domain name that is not required to resolve the query. That way, the resolver has less of a chance to know what website you are looking for. This will always be enabled, and was in IPFire for a long time, but a new option has been introduced: An even stricter mode which works according to RFC 7816, but might make some records unresolvable if the upstream name server does not respond according to the standard.
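The effect described above, as an added example that is not IPFire or unbound code: a simplified, offline model of which name each server in a constructed delegation chain sees, and why the strict mode can fail behind a server that answers an empty non-terminal with NXDOMAIN. The zone data, the `resolve` helper and the relaxed-mode retry with the full name are assumptions of this model.

```python
# Added example: simplified model of QNAME minimisation, no network I/O.
# Constructed delegation chain. The value says whether that zone's server
# answers an empty non-terminal correctly (True) or with NXDOMAIN (False).
ZONES = {".": True, "org.": True, "example.org.": False}
# Constructed zone data: "intranet.example.org." has no records of its own,
# only a child, so it is an empty non-terminal.
RECORDS = {"www.intranet.example.org."}


def ancestors(qname):
    """'a.b.org.' -> ['org.', 'b.org.', 'a.b.org.'], one more label per step."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(qname, minimise=True, strict=False):
    """Return (rcode, log); log lists (zone whose server was asked, name it saw)."""
    log, zone = [], "."
    for name in ancestors(qname):
        sent = name if minimise else qname
        log.append((zone, sent))
        if name in ZONES:           # referral to the child zone's servers
            zone = name
            continue
        if sent in RECORDS:
            return "NOERROR", log
        is_ent = any(r.endswith("." + sent) for r in RECORDS)
        if is_ent and ZONES[zone]:  # standards-conforming answer: keep walking
            continue
        if is_ent and not strict:   # assumed relaxed behaviour: retry with full name
            log.append((zone, qname))
            return ("NOERROR" if qname in RECORDS else "NXDOMAIN"), log
        return "NXDOMAIN", log      # strict mode, or the name does not exist
    return ("NOERROR" if qname in ZONES else "NXDOMAIN"), log


if __name__ == "__main__":
    q = "www.intranet.example.org."
    for label, kw in [("full QNAME", {"minimise": False}),
                      ("minimised", {}),
                      ("minimised, strict", {"strict": True})]:
        rcode, log = resolve(q, **kw)
        print(f"{label}: {rcode}")
        for zone, seen in log:
            print(f"  server for {zone:<13} saw {seen}")
```

Without minimisation every server in the chain sees the full name; with it, the root and `org.` servers only see the label they need, and only the strict run fails on the non-conforming server.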

DNS over TLS

Last but not least, we have added that you can choose the protocol used to talk to your DNS servers. UDP is the standard protocol and most compatible with all DNS servers, but some users are in an environment where it cannot be used. Some ISPs have been filtering DNS and TCP simply would work around this.

Even better is TLS. All queries to the DNS servers will be encrypted which makes it impossible for your ISP to eavesdrop on them. DNSSEC already makes sure that nobody can change them. All DNS servers need to have their "TLS hostname" configured to be used with TLS.

Currently DNS over TLS has a slight performance impact, because unbound, the DNS resolver used in IPFire, cannot reuse existing TLS connections, but opens a new one for each query which has a large overhead. This will be solved by the unbound team hopefully soon, so that in some time, this impact will go entirely.

IPFire already supports TLS 1.3 and TCP Fast Open - some further technology to make this secure and fast.

Get ready

This will be released with Core Update 140. Amongst the many new features, we have removed a lot of code that has caused us a lot of trouble in the past and rewritten many things entirely from scratch.

Help us test and please do not forget to donate, so that we can keep things like these coming and make IPFire the best firewall in the world.


On retiring the Maxmind GeoIP database

Maxmind, a US-based company who is quite well-known for providing their GeoIP database which fires a lot of services that need GeoIP data, has changed their usage policy on this database with effect of the beginning of this year. Unfortunately this makes it unusable for IPFire and we have decided to replace it. Here is how we are going to do it.

IPFire is using geo information for two things: We are showing flags next to DNS servers, firewall hits, etc. and we are using it to block connections from or to certain countries in the firewall.

We, the IPFire developers, have started a side-project to replace the Maxmind GeoIP databases in IPFire over two years ago. We felt that this was necessary because of the quality of the database getting worse and worse. Strict licences as well as changes like this December are very incompatible with the freedom that we want to provide for all IPFire users.

Introducing libloc

The code name is libloc and it is a library written in C which reads from our own location database.

The code is written in a portable way and runs on multiple operating systems so that it can be used by other projects, too. The library is tiny and the code can quickly be audited. Our focus was on easy usability and performance. Because of smart packing of the data into the database and intelligent search algorithms, we are approximately 10 times faster than Maxmind's code. Pages will load faster and libloc can be used in software where location information needs to be present as quickly as possible - for example in the Intrusion Prevention System or in a DNS server that performs load-balancing based on the geographical location of the user. With provided bindings for Python and Perl, it is easy to use in scripting languages, too.

To make sure that you are only using genuine data, the database is cryptographically signed and being automatically updated whenever needed.

It is a really awesome project and many hours of engineering work have been put into it. It is software design at its finest and I had a lot of fun working on the project.

The Changes For Now

Sadly, this project is not yet ready for production and so this is a slightly hurried announcement. Of course you can support us with your donation. Keep watching this blog for any further updates. But so far, here are the most important things:

If you install a new IPFire system with a release version before 2.23 - Core Update 140, you won't be able to use geo blocking. The reason is that Maxmind's database is not being shipped with IPFire because it was unclear if we could do that legally or not. A script regularly updated the database, but this service has now been deactivated by Maxmind.

With Core Update 140 we ship the last version of the database that is available under the old Creative Commons licence. Now, Maxmind requires us to sign a new licence, which we cannot do for various reasons, and therefore we are looking to retire using this database altogether and use libloc.

Those changes will come with one of the following updates. The code is already done and in a very good beta stage. What is not yet fully finished is the actual database. We are writing and optimising scripts that gather the information we need and compile it. This is what we are working on right now and hopefully it won't be long.


FLI4L

Release of stable fli4l version 3.10.18

After a good five months of development, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.17

After a good three months of development, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.16

After a good three months of development, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.15

After a good three months of development, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.14

After a good three months of development, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.13

After a good three months of development, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.12

After a little more than three months of development, the fli4l team presents the next stable...

Update of the weekly tarball available

Now that the new development servers are installed and configured, many thanks once again to...

Release of stable fli4l version 3.10.11

After a development phase of just under three months, the fli4l team presents the next stable release of the...

Release of stable fli4l version 3.10.10

After a development phase of just under three months, the fli4l team presents the next stable release of the...

LEG LOS! Contact point for youth media work, Berlin-Lichtenberg 2006-2019