Changes in KaarPux version 2.1.0

KaarPux version 2.1.0 released on 2012-08-30

Security, Firefox 15, iptables, and more...

Security Updates

iptables improvements

Add ulogd for logging iptables packets in userspace

  • ADD: ulogd *: logging iptables packets in userspace (Commit 30042631)
  • FIX: build: move libpcap before ulogd (Commit 500f0e35)
  • FIX: iptables: mkdir ‘/etc/systemd/system/network.target.wants/’ (Commit aa0c5b0e)

Add ulogd and prerequisites:

  • libnfnetlink
  • libmnl
  • libnetfilter_acct
  • libnetfilter_conntrack
  • libnetfilter_log

Configure iptables to forward DROPped packets to ulogd.

Configure ulogd to start at boot and dump the dropped packets into /var/log/iptables_drop.pcap in pcap format.

Now we can analyze dropped packets using tcpdump, wireshark, or similar.
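The logging pipeline described above, written out as an added example (this is not KaarPux's own configuration; the ulogd2 plugin directory `/usr/lib/ulogd`, NFLOG group 1 and the `LOG_DROP` chain name are assumptions). The shell functions emit a ulogd2 configuration that decodes packets arriving from an iptables `NFLOG` target and writes them to `/var/log/iptables_drop.pcap`, plus the matching iptables chain in `iptables-restore` format:

```sh
#!/bin/sh
# Added example, not the KaarPux configuration. Assumptions: ulogd 2.x with
# plugins under /usr/lib/ulogd, NFLOG group 1, a chain named LOG_DROP.

PCAP_FILE="/var/log/iptables_drop.pcap"
NFLOG_GROUP=1

# Print a ulogd2 configuration: NFLOG input -> BASE decoder -> PCAP output.
ulogd_drop_conf() {
    cat <<EOF
[global]
logfile="/var/log/ulogd.log"
loglevel=3
# Plugin paths assume /usr/lib/ulogd; adjust for the target distribution.
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"

# One stack: everything from NFLOG group ${NFLOG_GROUP} ends up in a pcap file.
stack=log1:NFLOG,base1:BASE,pcap1:PCAP

[log1]
group=${NFLOG_GROUP}

[pcap1]
file="${PCAP_FILE}"
sync=1
EOF
}

# Write the configuration to the given path (default /etc/ulogd.conf).
install_ulogd_conf() {
    ulogd_drop_conf > "${1:-/etc/ulogd.conf}"
}

# The iptables side: a chain that logs to ulogd (rate-limited, so a flood
# cannot fill the disk) and then drops. Jump to it instead of plain DROP.
log_drop_chain() {
    cat <<EOF
*filter
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j NFLOG --nflog-group ${NFLOG_GROUP} --nflog-prefix "DROP"
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Inspect what was dropped; any extra arguments are passed as a tcpdump filter.
read_drops() {
    tcpdump -nr "${PCAP_FILE}" "$@"
}
```

Load the chain with `log_drop_chain | iptables-restore -n` (the `-n` keeps the rest of the ruleset), enable ulogd at boot, and `read_drops 'tcp port 22'` shows the dropped SSH attempts; Wireshark opens the same file.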

Add iptables connection tracking

  • IMPROVE: iptables: improved iptables configuration (Commit 313a6249)
  • IMPROVE: linux: config for netfilter connection tracking (Commit b6fddddf)
  • IMPROVE: iptables: default to remove all chains in all tables (Commit c7641e05)
  • MINOR: iptables: remove ftp RELATED, now that we have EXPECTED (Commit 2bf528c0)
  • IMPROVE: iptables: handle NetBIOS NameService (Commit 1870536b)

iptables is deprecating automatic assignment of connection tracking helpers. Instead, we now manually configure connection tracking by using the conntrack module. See Secure use of Connection Tracking Helpers for more information.

Configure the kernel for use of conntrack.

Disable automatic assignment of connection tracking helpers and use -m conntrack instead of -m state.

Manually assign helper for outgoing FTP and NetBIOS NameService.

Also correct DHCP rules to cover all interfaces, silently drop FTP and NetBIOS (unless originated from us), rate-limit incoming SSH connections, rate-limit logging of dropped packets.

Other Changes

  • UPD: wireshark: v 1.8.2 (Commit 651ed78c)
  • UPD: NetworkManager: v 0.9.6.0 (Commit ea302ec0)
  • IMPROVE: NetworkManager: --libexecdir=/usr/lib/NetworkManager (Commit 29f91935)
  • FIX: bluez: install conf files and systemd service (Commit a3ddb364)
  • IMPROVE: certdata: documentation and version check (Commit 37172e53)
  • IMPROVE: linux: make /run tmpfs 30% of available memory (Commit 28ea1fed)
  • MINOR: make_package_scripts: add possibility to disable automatic tests (Commit 58f75781)
  • FIX: make_package_scripts: do not disable automatic tests by default (Commit 6bcf148f)
  • MINOR: group: add kaarpux to ‘adm’ group (Commit eaa8adca)
  • IMPROVE: systemd: do not try to start services we do not want (Commit 735fb591)
  • Several minor documentation updates.

Upgrade instructions

The security fixes can be applied to a KaarPux version 2.0.0 system by re-installing the packages in this recommended sequence:

  • linux
  • nss
  • certdata
  • xulrunner
  • firefox
  • thunderbird

The remaining fixes can be applied to a KaarPux version 2.0.0 system by (re-)installing the packages in this recommended sequence:

  • libnfnetlink
  • libmnl
  • libnetfilter_acct
  • libnetfilter_conntrack
  • libnetfilter_log
  • ulogd
  • iptables
  • systemd
  • bluez
  • NetworkManager
  • wireshark