Firewalla key Linux applications not being updated??

Comments

8 comments

  • Stuart

    There's no need to upgrade just for the sake of upgrading. In other words, unless there's a specific reason to upgrade something - like an exploitable vulnerability or a serious bug - sticking with the current, tested version is the best bet.

    There's also no need to fix things that don't apply to Firewalla. I've seen examples of published vulnerabilities that just don't matter for Firewalla. For example, https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent

    That doesn't apply to Firewalla since I don't think anyone is using their Firewalla as a desktop computer, nor does Firewalla by default use forwarded ssh-agent. Yes, it's "an OpenSSH vuln.," but that's not really meaningful for Firewalla in this case.

    I've seen that Firewalla _does_ push upgrades for packages when needed. I don't think they're just skipping all updates. They're just not upgrading when it's not necessary.

    Don't forget that Firewalla is not a general-purpose laptop or desktop computer, nor is it a server. It's a limited-purpose firewall network appliance. Those get maintained differently from the regular computers you're used to.

    Yes, I'm sure Firewalla could put in place a dev team, QA team, early access and beta test programs, etc. and upgrade all the things whenever there's a new package update from Ubuntu or upstream. That would require extra resources to do on a regular basis though. I don't think we as users would gain much from it, and I'd rather they devote the resources to other things that matter more.

    It's best to look at Firewalla as an appliance. It offers you a set of features and services. Firewalla the company is responsible for keeping it safe and secure, adding new features as they can, and supporting it for you.

    In the enterprise, a lot of these types of appliances don't even give you a login to the OS, and they certainly don't give you root access. Firewalla is nice to us and does give us these things, but I view it as more of a way to look at system load, drive space, etc. I don't spend a lot of time logged-in to my Firewalla. If I need to work on a Linux system, I have plenty of those that I keep safe behind my Firewalla.

    I also feel that it's best to not make changes to what Firewalla has provided. It's the security center of my network, it guards my network from the WAN (internet) (this type of system is sometimes called a bastion host), and I'd rather leave it alone to do what it does best.

    I'm not a fan of running third-party software in containers or otherwise on my Firewalla - software that hasn't been vetted and provided by Firewalla and isn't managed by them. If I need extra software or services running that Firewalla doesn't include, I'll run it on a separate system where it can be isolated and where it doesn't possibly add attack surfaces to my network's critical router and firewall.

    My advice is to treat your Firewalla more or less as a black box. Before buying it, do some research and make sure it has the features you want. After that, just let it do its thing.

    If after purchase Firewalla adds some new features that you find to be valuable, that's great. I don't expect that though, and I buy devices like this based upon what they can do at the moment that I buy them. That's what drives my decision to spend the money - or not.

    My Firewalla Gold does what I expected it to, is very stable and reliable, is proven to help keep my family safe and protected, and just performs really well. The fact that since I bought it they've added some features I find to be useful is a bonus!

    You mention confidence. I have confidence in Firewalla. I can see that they're doing the right thing and that they offer great products.

    1
  • Firewalla

    A good example is something shared on reddit https://www.reddit.com/r/firewalla/comments/1alrw4e/linux_shim_vulnerability/

    Here the vulnerability is Linux booting using HTTP ... This may be a big deal for boxes that boot from HTTP, but for Firewalla, which always boots from disk, it is not a concern.

    1
  • bob

    Thank you for your response. I am fully aware of the strategy Firewalla has taken with regard to maintaining the base Ubuntu LTS 24.04.1: only relevant patches and fixes, based on impact and on the services actually used by the firewall.

    My question is focused not on the OS but on the underlying open source applications Firewalla uses to provide its functionality:

    • Dnscrypt (DNS over HTTPS, DoH)
    • Unbound (recursive DNS)
    • DNSMasq (DNS/DHCP)
    • Suricata (IDS/IPS)
    • Zeek (NSM)

    These are the fundamental services, based on what I see running on my Gold Plus box. All listed apps are updated and maintained by their developers, yet Firewalla has not updated any of these.

    The issue is not Ubuntu, it's things like Dnscrypt, Zeek, DNSmasq, etc.

    I don't want updates for the sake of updating to a newer version. But ignoring years of developer effort to fix underlying issues, bugs, memory leaks and security in their applications seems strange for a commercial product.

    Simple example:

    Suricata was updated to a full release in July 2023 (7.0.0); what I see running on my Firewalla Gold Plus is 7.0.0-dev from 2022. The latest supported version is 7.0.3.

    Why is the box not even running a proper production release? 

    Zeek's new LTS family is 6.x.x; the last 5.x.x was a security release, 5.1.13; the firewall is running 5.01.

    https://zeek.org/2023/03/06/introducing-zeek-5-2/

    https://docs.zeek.org/en/lts/ (latest LTS release) 

    DNSCrypt from 2019! The current version is from 2023; Firewalla's DoH service uses this, from what I gather.

    https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/ChangeLog

    Thanks

    -1
  • Stuart

    My comments above apply to the applications running on my Firewalla as well as to Ubuntu itself. I wasn't singling out Ubuntu and I'm not sure why you would have formed that impression.

    Picking another example from your list, what's wrong with DNSCrypt on Firewalla? Is it definitely a 2019 release without any patches? Even if it is a 2019 release, if it performs its task and doesn't have any problems there's no need to upgrade it.

    Or what's the bugbear with "not even running a proper production release" of Suricata? Do you think that there's some magic dust that gets sprinkled on the production release that makes it superior? If it's doing what it's supposed to, it's doing what it's supposed to.

    Maybe Firewalla isn't the product for you? I'd suggest OPNsense for you since they release updates often. (Too often IMO.) Or, since you know what software Firewalla uses, create your own firewall using whatever versions of all that software please you the most.

    There are plenty of other, more important things to worry about, dude. I think you're kind of clutching at straws here.

    0
  • bob

    @stuart: thanks for your insight and comments.

    As a customer I am simply asking the Firewalla team a question. I look forward to their response.

    -1
  • Stuart

    These are community forums. There's no guarantee of a response from Firewalla here, nor any expectation that the community will not respond.

    Have a nice day! :-)

    0
  • bob

    @firewalla

    Any chance you can update the root.hints file? The installed one is from 2022; the B root server has changed, so unbound is no longer running with a complete and correct set of root servers.

    I raised a ticket a few weeks back and have not heard anything back. Also, any target on when you are updating the unbound/dnsmasq binaries, following the recent CVEs?

    Thanks

    0
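The root.hints question above is easy to verify yourself: the file is a small zone fragment (owner, TTL, type, RDATA; `;` starts a comment) in the same named.root format that unbound's `root-hints:` option reads, so you can diff the installed copy against a freshly published one record by record. The script below is an added example, not Firewalla's or unbound's code. The two embedded hints files are constructed samples using documentation addresses (192.0.2.0/24 and 2001:db8::/32) rather than real root-server addresses; the path of the installed file depends on the unbound build in use and is left as a command-line argument.

```python
"""Check an installed root.hints against a published reference copy.

Added example (not Firewalla's or NLnet Labs' code). Input is the named.root
zone-fragment format that unbound's root-hints: option reads; the two samples
below are constructed with documentation addresses (192.0.2.0/24, 2001:db8::/32)
rather than real root-server addresses.
"""
import sys
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, RDATA), lowercased

# Constructed stand-in for a freshly downloaded named.root.
REFERENCE_HINTS = """\
; constructed reference root hints (documentation addresses, not real ones)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.22
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::22
"""

# Constructed stand-in for an older installed copy: B has moved since it was written.
INSTALLED_HINTS = """\
; constructed installed root hints, predating the B-root address change
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::2
"""


def parse_root_hints(text: str) -> Set[Record]:
    """Return the NS/A/AAAA records found in a named.root-style hints file."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[2].upper() == "IN":  # optional class field
            del fields[2]
        if len(fields) < 4:
            continue  # not an owner/TTL/type/rdata line; ignore it
        owner, rrtype, rdata = fields[0], fields[2].upper(), fields[3]
        if rrtype in ("NS", "A", "AAAA"):
            records.add((owner.lower(), rrtype, rdata.lower()))
    return records


def diff_hints(installed: str, reference: str) -> Dict[str, Set[Record]]:
    """'stale' = records only in the installed file; 'missing' = only in the reference."""
    have, want = parse_root_hints(installed), parse_root_hints(reference)
    return {"stale": have - want, "missing": want - have}


def summarize(diff: Dict[str, Set[Record]]) -> List[str]:
    """One human-readable line per differing record, sorted for stable output."""
    lines = [f"stale   {o} {t} {r}" for o, t, r in sorted(diff["stale"])]
    lines += [f"missing {o} {t} {r}" for o, t, r in sorted(diff["missing"])]
    return lines or ["root hints match the reference"]


if __name__ == "__main__":
    # Usage: python check_root_hints.py <installed root.hints> <downloaded named.root>
    # With no arguments the constructed samples above are compared instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_inst, open(sys.argv[2]) as f_ref:
            result = diff_hints(f_inst.read(), f_ref.read())
    else:
        result = diff_hints(INSTALLED_HINTS, REFERENCE_HINTS)
    print("\n".join(summarize(result)))
    sys.exit(1 if result["stale"] or result["missing"] else 0)
```

The published reference copy is the named.root file that InterNIC serves at https://www.internic.net/domain/named.root. One caveat when reading the output: a recursive resolver primes its live root NS set from whichever hint address answers first, so a single stale entry among the thirteen costs redundancy rather than breaking resolution, but the installed file should still match the published list, and a non-zero exit from the script is a reasonable thing to alert on.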
  • Firewalla

    @bob

    May I know which file you are looking at? We do have a private copy of unbound; I want to make sure you are not looking at the wrong files.

    Second note: if you are talking about the DNSSEC CVE, that one only impacts unbound; we are likely to update it in the next release.

    0