It’s been a while since I’ve been active (it was the old forum), I’ve been kept busy on many accounts. So I thought I’d say hello again and start with my latest adventure.
Since I broke my system during an upgrade, I had to reinstall, which gave me a good reason to do the write-up again. And now we’re going at it properly and thoroughly: flash > initial setup > system hardening
I have been using a Banana Pi R1 (BPI or Lamobo) for IPFire since… ages. At some point (on the old forum), I did a write-up on the speed challenges I was facing, after which I upgraded to an APU2D4. You might be able to find it somewhere: IPFire Community
The BPI is currently used for testing purposes; unfortunately the theme functionality was discontinued, because I wanted to spend some more time on the dashboard I made. But first, let’s get to business: how do I get this thing running again, as upgrading broke the installation?
Some of the steps can be found on the wiki, just thought I’d take the liberty to make it a little bit more verbose. See original here: wiki.ipfire.org - Lamobo R1
Prepare the SD-card

- Format the SD-card.
- Unmount the SD-card, otherwise you won’t be able to write to it. Unmount every partition your desktop may have auto-mounted (the whole-disk device /dev/sdb itself is never mounted, so unmount its partitions):
  sudo umount /dev/sdb?*
- xzcat the image to the SD-card (note: this might take a while). The card is /dev/sdb here; check with lsblk which device your card actually is before running this:
  xzcat ipfire-image.img | sudo dd bs=1M of=/dev/sdb status=progress
  I wanted to see that the SD-card was actually being written, so I added status=progress to the command.
- Mount partition 3 (root filesystem):
  sudo mount /dev/sdb3 /mnt/USB
  Replace /mnt/USB with any directory you want to mount to, then browse to usr/share/u-boot/banana_pi inside the mounted root filesystem (i.e. /mnt/USB/usr/share/u-boot/banana_pi).
- Flash (dd) the sunxi boot loader to the start of the card (to the raw disk, not to a partition; bs=1K seek=8 places it at the 8 KiB offset the Allwinner boot ROM reads from):
  sudo dd if=u-boot-sunxi-with-spl.bin of=/dev/sdb bs=1K seek=8
- Unmount the root filesystem and mount partition 1 (boot):
  sudo umount /dev/sdb3 && sudo mount /dev/sdb1 /mnt/USB
- Replace the DTBSUNXI reference (sun8i-h3-nanopi-r1.dtb > sun7i-a20-lamobo-r1.dtb):
  sudo sed -i 's/^DTBSUNXI=.*/DTBSUNXI=sun7i-a20-lamobo-r1.dtb/' /mnt/USB/uEnv.txt
  Or manually change the line to DTBSUNXI=sun7i-a20-lamobo-r1.dtb. Unmount the boot partition before you pull the card.

Done! We can boot again.
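The whole procedure above as one script, with the guard rails I would want before pointing dd at a disk (refuse anything that is not a removable block device, unmount first, verify the uEnv.txt change). This is an added example, not from the original post or the IPFire wiki; it assumes GNU coreutils and util-linux, the placeholder image name used above, and that it runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): flash an IPFire image to an
# SD card for the Lamobo/Banana Pi R1 with the steps described above.
# Assumes GNU coreutils, util-linux (blockdev) and root privileges.
set -eu

IMAGE="${IMAGE:-ipfire-image.img}"   # xz-compressed image, placeholder name as on the page
MNT="${MNT:-/mnt/USB}"
DTB="sun7i-a20-lamobo-r1.dtb"

# Refuse to write unless the target is a whole, removable block device.
check_target() {
    name=$(basename "$1")
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = 1 ] \
        || { echo "$1 is not a removable disk, refusing" >&2; return 1; }
}

# Point DTBSUNXI in a uEnv.txt at the given device tree (the sed step above).
set_dtb() { sed -i "s/^DTBSUNXI=.*/DTBSUNXI=$2/" "$1"; }

# Read the configured DTB back so the change can be verified.
get_dtb() { sed -n 's/^DTBSUNXI=//p' "$1"; }

flash_card() {
    dev="$1"
    check_target "$dev"
    # Unmount any partition the desktop auto-mounted from this card.
    for p in "$dev"?*; do umount "$p" 2>/dev/null || true; done
    xzcat "$IMAGE" | dd bs=1M of="$dev" status=progress conv=fsync
    blockdev --rereadpt "$dev"           # pick up the new partition table
    mount "${dev}3" "$MNT"               # partition 3 = root filesystem
    # SPL + U-Boot go to the raw disk at 8 KiB (bs=1K seek=8), where the
    # Allwinner boot ROM looks for them, not into any partition.
    dd if="$MNT/usr/share/u-boot/banana_pi/u-boot-sunxi-with-spl.bin" \
        of="$dev" bs=1K seek=8 conv=fsync
    umount "$MNT"
    mount "${dev}1" "$MNT"               # partition 1 = boot
    set_dtb "$MNT/uEnv.txt" "$DTB"
    echo "uEnv.txt now boots with DTBSUNXI=$(get_dtb "$MNT/uEnv.txt")"
    umount "$MNT"
}

# Usage (as root): sh flash-bpi.sh /dev/sdb
if [ $# -gt 0 ]; then flash_card "$1"; fi
```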
Initial & network setup
Eth0 is the switch; it is divided into four different sub-interfaces (VLANs). Note: you should not use the root device eth0 itself. The fifth, stand-alone port is used as a trunk (all VLANs tagged).
You can connect to the JTAG connector (baud rate 115200) for easy configuration. Once you’re connected to the serial port, you can run setup from the command line; the wizard starts automagically.
Obviously you picked very secure passwords for both root and admin!
Network setup; I use three networks: GREEN + RED + BLUE
- RED = uplink
- GREEN = LAN
- BLUE = Wireless
Drivers and card assignments
- RED = eth0.11
- GREEN = eth0.12
- BLUE = RTL8192CU (Realtek)
Address settings
- RED = DHCP (lease from modem)
- GREEN = 10.0.100.1/255.255.255.0
- BLUE = 10.0.200.1/255.255.255.0
Finally, enable DHCP for GREEN, after which the BPI will reboot (generating the RSA server key for HTTPS may take a while, so you can grab a coffee).
Connecting to the management interface; i.e. the WUI
WUI stands for Web User Interface; we’ll just keep using WUI. OK, so just connect your laptop/PC to the port which you used for GREEN (in my case port 2; note the port numbers from the wiki page). Then connect to https://{gateway-ip}:444 (in my case https://10.0.100.1:444). Don’t worry, it’s just lab info I’m sharing.
So now that I’m in, I need to install some of the basics. Let’s start with updating the package lists (IPFire/Pakfire > Refresh list) and install some packages:
- iperf3
- hostapd
- nano (I cannot work with vim)
Hardening the network
Also, let’s get some of the basics out of the way. By default SSH is turned off, and if you need it, just turn it on for 15 minutes (the WUI gives you that option). Also, you shouldn’t expose the management interface to the public internet; a management network with trusted hosts is preferred, but at least keep it LAN-only.
Disclaimer: I’ll try to create separate posts (not threads) describing the below in more detail.
- Logging, let’s start with that. It’s preferable to use an external logging server; it provides you with redundancy and processing capacity.
- Logging again, you should be checking the log files regularly, but I understand you don’t want to be looking at logs all day. So your best bet is to use some kind of centralized logging facility (I use the ELK stack) and build meaningful dashboards and alerts.
- Configure the basics:
a. URL Filtering → filter everything you DON’T want (better would be to whitelist what you DO want, and block the rest, this is more of a Zero Trust play)
b. Apply geo-blocking (if you’re not hosting anything of course); block all countries that have no business in/at your network
c. Use a transparent proxy (SquidClamAV) to scan incoming files for viruses. Yes, signature-based detection typically lags behind and ClamAV isn’t the best, but that doesn’t mean you shouldn’t use it at all.
Install the necessary add-ons:
+ clamav
+ squidclamav
Because it uses the proxy functionality, files are scanned inline, which impacts UX (user experience); then again, I’m more than happy to sacrifice some UX for better security.
d. Segment your network, yes, divide it into zones and apply inter-zone policy-rules. E.g. block guest-network clients from accessing the corporate network, or block BLUE (wireless) from accessing the WUI.
e. Leverage the built-in IPS. As the hardening guide mentions, it takes some effort to set up and maintain, but it’s worth it. Too many administrators think IPS is just fire-and-forget… well, it’s not. Signatures change, your network changes and the threat landscape is in constant motion.
Want to know how Suricata scores against Snort2? See this paper: https://arxiv.org/ftp/arxiv/papers/1710/1710.04843.pdf
f. Employ DNS security. This has actually become much harder nowadays, as we’re facing DoT, DoH and various other forms. On the one hand you want to enforce integrity (DNSSEC) and on the other hand you want privacy and malware protection (e.g. use OpenDNS or CloudFlare as upstream servers).
g. Decrypt everything that is not exempt, traffic today is more encrypted than it is not. Which means, to effectively prevent malware, you need to decrypt for detection. This does not go without cost, every re-encryption will cost you dearly on your CPU cycles. It’s the classic trade-off between security and performance… choose wisely.
The official IPFire guide also mentions installing HIDS software, but I have not read into this yet. It’s good advice though, so you should definitely look into this. Myself, I just installed the Zabbix agent and play around with that.
An NGFW (the de facto standard for enterprises, according to research) comprises the following:
- stateful inspection (basically what Firewall-1 started out with)
- VPN (both site-to-site and remote users)
- integrated intrusion prevention
- application control & awareness
- antivirus
- anti-spam
- URL filtering
- forward and reverse proxy with full decryption (and possible decryption brokerage for other elements in the security chain)
- DNS security
- leverage threat intelligence
- centralized management
A few of the newer capabilities include:
- sandboxing
- inline machine learning
- automation options
- integration into CASB, SWG and other solutions
IPFire can fulfil quite a few of these capabilities without costing you an arm and a leg. It just takes some effort and maintenance (COTS products will also come with a learning curve and maintenance). I’m not saying either is better or worse; this depends on YOUR (business) goals.
Performance testing
One of the reasons I’m doing this write-up is to provide clarity into the performance of the BPI, and possibly my APU2D4 (if/when I find the time). I’d like to standardize the tests as much as possible, so it’ll be easy to reproduce and give insights into what you need for your use-case (either your home or a small business).
What stats are meaningful in order to determine throughput? I’d say plain old throughput speed (hence iperf) and encryption speed.
- iperf3: there are three scenarios to test
  - FW-to-internet
  - client-to-FW
  - client-to-internet
  iperf3 -c {iperf-server}
- Encryption speed testing: this is basically using the openssl library and measuring speed. There are two scenarios for this test:
  - without AES-NI
  - with AES-NI
AES-NI is basically hardware acceleration, which should improve speeds when the library can use it. Just add -evp to use the EVP interface, which leverages the hardware acceleration.
Test without EVP:
openssl speed aes-256-gcm
Test with EVP:
openssl speed -evp aes-256-gcm
Why GCM? Because it’s considered more secure than CBC; put simply, it adds authentication on top of the encryption, which CBC alone lacks. This also makes it more CPU-hungry, so pick your ciphers carefully; it’s again a matter of security vs performance (and security should win). If performance drops below acceptable, you should definitely upgrade your hardware instead of using weak(er) ciphers.
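To make the openssl comparison above reproducible across boxes (BPI, APU2D4, …), here is an added script, not from the original post, that runs both variants for a list of ciphers, parses the last column of the openssl speed report (16384-byte blocks, in 1000s of bytes per second) and prints Mbit/s plus the EVP speed-up. It assumes a POSIX awk and an openssl binary on PATH; the cipher names passed in are the ones from this section.

```shell
#!/bin/sh
# Added example (not from the original post): compare "openssl speed" with
# and without -evp and report the hardware-acceleration gain per cipher.
# Assumes POSIX awk and openssl on PATH.

# Throughput (kB/s, last column = 16384-byte blocks) for CIPHER from a
# saved "openssl speed" report. Names are compared case-insensitively
# because OpenSSL 3 prints them upper-case under -evp.
speed_k() {
    awk -v c="$2" 'tolower($1) == tolower(c) && $NF ~ /k$/ {
        sub(/k$/, "", $NF); print $NF; exit }' "$1"
}

# Ratio of two kB/s figures, two decimals (2.83 = first is 2.83x faster).
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", a / b }'
}

# kB/s (1000s of bytes, as openssl reports) to Mbit/s.
k_to_mbps() {
    awk -v k="$1" 'BEGIN { printf "%.0f\n", k * 8 / 1000 }'
}

# Run both variants for every cipher given and print a comparison table.
run_bench() {
    tmp=$(mktemp -d)
    printf '%-14s %12s %12s %8s\n' cipher plain_mbps evp_mbps speedup
    for c in "$@"; do
        openssl speed "$c" > "$tmp/plain" 2>/dev/null || true
        openssl speed -evp "$c" > "$tmp/evp" 2>/dev/null || true
        p=$(speed_k "$tmp/plain" "$c"); e=$(speed_k "$tmp/evp" "$c")
        if [ -n "$p" ] && [ -n "$e" ]; then
            printf '%-14s %12s %12s %8s\n' "$c" "$(k_to_mbps "$p")" \
                "$(k_to_mbps "$e")" "$(speedup "$e" "$p")"
        else
            # This openssl build does not support the cipher in one variant.
            printf '%-14s %12s %12s %8s\n' "$c" n/a n/a n/a
        fi
    done
    rm -rf "$tmp"
}

# Usage: sh bench.sh aes-256-gcm aes-128-gcm aes-256-cbc
if [ $# -gt 0 ]; then run_bench "$@"; fi
```

Save the two raw reports as well if you want to compare the smaller block sizes; the interesting number for VPN traffic is usually the 1024-byte column rather than the 16384-byte one the table uses.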