Firewalla key Linux applications not being updated??

Comments

11 comments

  • Stuart

    There's no need to upgrade just for the sake of upgrading. In other words, unless there's a specific reason to upgrade something - like an exploitable vulnerability or a serious bug - sticking with the current, tested version is the best bet.

    There's also no need to fix things that don't apply to Firewalla. I've seen examples of published vulnerabilities that just don't matter for Firewalla. For example, https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent

    That doesn't apply to Firewalla since I don't think anyone is using their Firewalla as a desktop computer, nor does Firewalla by default use forwarded ssh-agent. Yes, it's "an OpenSSH vuln.," but that's not really meaningful for Firewalla in this case.

    I've seen that Firewalla _does_ push upgrades for packages when needed. I don't think they're just skipping all updates. They're just not upgrading when it's not necessary.

    Don't forget that Firewalla is not a general-purpose laptop or desktop computer, nor is it a server. It's a limited-purpose Firewall network appliance. Those get maintained in a different fashion than a regular computer that you're used to is.

    Yes, I'm sure Firewalla could put in place a dev team, QA team, early access and beta test programs, etc. and upgrade all the things whenever there's a new package update from Ubuntu or upstream. That would require extra resources to do on a regular basis though. I don't think we as users would gain much from it, and I'd rather they devote the resources to other things that matter more.

    It's best to look at Firewalla as an appliance. It offers you a set of features and services. Firewalla the company is responsible for keeping it safe and secure, adding new features as they can, and supporting it for you.

    In the enterprise, a lot of these types of appliances don't even give you a login to the OS, and they certainly don't give you root access. Firewalla is nice to us and does give us these things, but I view it as more of a way to look at system load, drive space, etc. I don't spend a lot of time logged-in to my Firewalla. If I need to work on a Linux system, I have plenty of those that I keep safe behind my Firewalla.

    I also feel that it's best to not make changes to what Firewalla has provided. It's the security center of my network, it guards my network from the WAN (internet) (this type of system is sometimes called a bastion host), and I'd rather leave it alone to do what it does best.

    I'm not a fan of running third-party software in containers or otherwise on my Firewalla - software that hasn't been vetted and provided by Firewalla and isn't managed by them. If I need extra software or services running that Firewalla doesn't include, I'll run it on a separate system where it can be isolated and where it doesn't possibly add attack surfaces to my network's critical router and firewall.

    My advice is to treat your Firewalla more or less as a black box. Before buying it, do some research and make sure it has the features you want. After that, just let it do its thing.

    If after purchase Firewalla adds some new features that you find to be valuable, that's great. I don't expect that though, and I buy devices like this based upon what they can do at the moment that I buy them. That's what drives my decision to spend the money - or not.

    My Firewalla Gold does what I expected it to, is very stable and reliable, is proven to help keep my family safe and protected, and just performs really well. The fact that since I bought it they've added some features I find to be useful is a bonus!

    You mention confidence. I have confidence in Firewalla. I can see that they're doing the right thing and that they offer great products.

    0
  • Firewalla

    A good example is something shared on reddit https://www.reddit.com/r/firewalla/comments/1alrw4e/linux_shim_vulnerability/

    Here the vulnerability is Linux booting using HTTP ... This may be a big deal for boxes that boot from HTTP, but for Firewalla, which always boots from disk, it is not a concern.


    0
  • bob

    Thank you for your response. I am fully aware of the strategy Firewalla has taken with regard to maintaining the base Ubuntu LTS 24.04.1: only relevant patches and fixes, based on impact and on the services actually used by the firewall.

    My question is focused not on the OS but on the underlying open source applications Firewalla uses to provide its functionality:

    • Dnscrypt (DNS over HTTPS, DoH)
    • Unbound (recursive DNS)
    • DNSMasq (DNS/DHCP)
    • Suricata (IDS/IPS)
    • Zeek (NSM)

    These are the fundamental services, based on what I see running on my Gold Plus box. All listed apps are updated and maintained by their developers, yet Firewalla has not updated any of these.

    The issue is not Ubuntu; it's things like Dnscrypt, Zeek, DNSmasq, etc.

    I don't want updates for the sake of updating to a newer version. But ignoring years of developer effort to fix underlying issues, bugs, memory leaks and security in their applications seems strange for a commercial product.

    Simple example:

    Suricata was updated to a full release, 7.0.0, in July 2023. What I see running on my Firewalla Gold Plus is 7.0.0-dev from 2022; the latest supported version is 7.0.3.

    Why is the box not even running a proper production release? 

    Zeek's new LTS family is 6.x.x; the last 5.x.x was a security release, 5.1.13. The firewall is running 5.01.

    https://zeek.org/2023/03/06/introducing-zeek-5-2/

    https://docs.zeek.org/en/lts/ (latest LTS release) 

    DNSCrypt from 2019! The current version is from 2023. Firewalla's DoH service uses this, from what I gather.

    https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/ChangeLog


    Thanks

    0
  • Stuart

    My comments above apply to the applications running on my Firewalla as well as to Ubuntu itself. I wasn't singling out Ubuntu and I'm not sure why you would have formed that impression.

    Picking another example from your list, what's wrong with DNSCrypt on Firewalla? Is it definitely a 2019 release without any patches? Even if it is a 2019 release, if it performs its task and doesn't have any problems there's no need to upgrade it.

    Or what's the bugbear with "not even running a proper production release" of Suricata? Do you think that there's some magic dust that gets sprinkled on the production release that makes it superior? If it's doing what it's supposed to, it's doing what it's supposed to.

    Maybe Firewalla isn't the product for you? I'd suggest OPNSense for you since they release updates often. (Too often IMO.) Or, since you know what software Firewalla uses, create your own firewall using whatever versions of all that software please you the most.

    There are plenty of other, more important things to worry about, dude. I think you're kind of clutching at straws here.


    0
  • bob

    @stuart: thanks for your insight and comments.

    As a customer I am simply asking the Firewalla team a question. I look forward to their response.


    0
  • Stuart

    These are community forums. There's no guarantee of a response from Firewalla here, nor any expectation that the community will not respond.

    Have a nice day! :-)

    0
  • bob

    @firewalla

    Any chance you can update the root.hints file? The installed one is from 2022; the B root server has changed, so unbound is no longer running with a complete and correct set of root servers.

    I raised a ticket a few weeks back - not heard anything back. Also, any target on when you are updating the unbound/dnsmasq binaries, following the recent CVEs?
    Thanks


    2
  • Firewalla
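A check for the root.hints staleness bob describes, as an added example that is not part of this thread or of Firewalla's code: it parses an installed root.hints and a reference copy (on a real box, the installed file and a freshly downloaded copy) and reports root servers that are missing, obsolete or renumbered. Both inputs here are constructed samples using documentation addresses, not real root-server data.

```python
# Constructed samples (RFC 5737/3849 documentation addresses, not real root-server
# data): an older installed hints file and a newer reference copy.
OLD_HINTS = """\
; constructed sample, not a real root.hints
.                    3600000  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  A     192.0.2.1
A.ROOT-SERVERS.NET.  3600000  AAAA  2001:db8::1
.                    3600000  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000  A     192.0.2.2
B.ROOT-SERVERS.NET.  3600000  AAAA  2001:db8::2
"""
NEW_HINTS = """\
; constructed sample: B has renumbered and C has been added
.                    3600000  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  A     192.0.2.1
A.ROOT-SERVERS.NET.  3600000  AAAA  2001:db8::1
.                    3600000  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000  IN A  192.0.2.22
B.ROOT-SERVERS.NET.  3600000  AAAA  2001:db8::22
.                    3600000  NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000  A     192.0.2.3
"""

def parse_hints(text):
    """Map each server name (lower-cased) to its A/AAAA addresses; lines are 'owner TTL [IN] TYPE RDATA'."""
    servers = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop ';' comments, tokenize
        if len(fields) == 5 and fields[2].upper() == "IN":
            del fields[2]                       # optional class field
        if len(fields) != 4:
            continue                            # blank or unexpected line
        owner, _ttl, rtype, rdata = fields
        if rtype.upper() == "NS":
            servers.setdefault(rdata.lower(), set())
        elif rtype.upper() in ("A", "AAAA"):
            servers.setdefault(owner.lower(), set()).add(rdata.lower())
    return servers

def compare_hints(installed, reference):
    """Report servers missing from, obsolete in, or renumbered in the installed file."""
    have, want = parse_hints(installed), parse_hints(reference)
    return {
        "missing": sorted(set(want) - set(have)),
        "obsolete": sorted(set(have) - set(want)),
        "changed": sorted(n for n in have.keys() & want.keys() if have[n] != want[n]),
    }

print(compare_hints(OLD_HINTS, NEW_HINTS))
```

Any non-empty list in the result means unbound is priming from an incomplete or wrong root server set and the hints file should be refreshed.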

    @bob

    May I know which file you are looking at? We do have a private copy of unbound; I want to make sure you are not looking at the wrong files.

    Second note: if you are talking about the DNSSEC CVE, that one only impacts unbound; we are likely to update it in the next release.

    -1
  • b0red0m

    Where is the full source code for Firewalla? I'm pretty sure it has to be supplied upon request in order to comply with the open source licensing. I'd like to fork the code so that I can better update my Firewalla to keep in line with my own personal threat model. Thank you.

    0
  • Firewalla

    https://github.com/firewalla/firewalla

    1
  • Braedach

    I understand the above concerns and the counter arguments to those concerns, but I basically agree with the original post. We are told time and time again to patch our software and to remove software that is not being used to mitigate vulnerabilities in our systems.

    Firewalla is a firewall. It is our first line of defense. The assumption that it will only be attacked from outside the network is false and requires a serious change of logic. After all, most attacks originate from inside via phishing attacks via email (subsequent clicks on installation of malware and so forth on an endpoint).

    Firewalla IMHO should not be altering the open-source software it is utilizing to such an extent that it requires vigorous testing on an update of said software to ensure its integrity.

    However, saying this, I appreciate the product and the team behind it. I am also interested in why Zeek has been so neglected in these forums considering its abilities, including clustering (interested in this via the MSP offering via Firewalla: meshing) along with RITA and Suricata, and the ability later of direct AI integration (not yet possible, as I keep searching for a Zeek AI that can create the appropriate scripts on the fly).

    pi@Firewalla:/bspool/manager (Perth) $ systemctl status suricata
    ○ suricata.service - Suricata IDS
         Loaded: loaded (/etc/systemd/system/suricata.service; static)
         Active: inactive (dead)
    pi@Firewalla:/bspool/manager (Perth) $

    This box has the ability to be an application level firewall, vet file downloads and feed hashes to VT via a common API key across all Firewalla owners to share the costs, and various other functions that are yet to be implemented. Whilst many of us are watching the new white Gold box, if you unalias apt or apt-get you will be surprised at what you see. Docker needs some serious work as well. You can start by using the non-legacy implementation of GPG keys in Ubuntu (it's been a while, so this may have been rectified).

    Having said my two bob's worth, I have never read of a Firewalla product being breached, unlike Barracuda or Cisco devices, and whilst Firewalla products continue to use open-source software that is interrogated by various security researchers I still have enough confidence in the product to commit my dollars to it.

    However, open source is no longer secure, as the latest XZ Utils breach demonstrated, along with the Linux kernel and various others, and the millions of Docker containers that have been compromised.

    “If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you.”
    ― Stephane Nappo

    Regards


    0