Finally, the next major version of IPFire is ready for testing. We consider our new Intrusion Prevention System such an important change that we are calling it "IPFire 2.23" from now on. This update also contains a number of other bug fixes and enhancements.

A New Intrusion Prevention System

We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance and security, and it is, simply put, more modern. We would like to thank the Suricata team, on whose work it is based, for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, which rulesets are supported and what hardware resources you will need. Please feel free to extend it wherever you can help out.

Migration from Snort

If you are using the existing IDS, your settings will automatically be converted and replicated in the new IPS. However, you will need to select the ruleset and the rules that you want to use again, since those cannot be migrated.

Please note that the automatic migration will enable the new IPS, but in monitoring mode only. This is so that we do not break any existing configurations. Disable monitoring mode if you want the IPS to drop packets, too.
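To see whether the IPS is actually dropping anything after the migration, the following script (an added example, not part of IPFire or Suricata) counts alert records in Suricata's EVE JSON log by their action field. Suricata reports "allowed" when it only raised an alert and "blocked" when the packet was dropped, so a log that contains alerts but no blocked events means the IPS is still in monitoring mode, or none of the matching rules use the drop action. The sample records are constructed, and the log path used by check_file is an assumption for illustration, not a documented IPFire location.

```python
import json

# Constructed eve.json records (not captured from a real system). Suricata
# writes one JSON object per line; for alerts, alert.action is "allowed"
# when the engine only alerted and "blocked" when the packet was dropped.
MONITOR_MODE_LINES = [
    '{"timestamp":"2019-04-20T10:00:00.000000+0200","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed test rule","severity":1}}',
    '{"timestamp":"2019-04-20T10:00:01.000000+0200","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.9","proto":"TCP"}',
    '{"timestamp":"2019-04-20T10:00:02.000000+0200","event_type":"alert","src_ip":"203.0.113.8","dest_ip":"192.168.1.21","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL constructed scan rule","severity":2}}',
    'this line is deliberately not JSON, to exercise the error path',
]

# Same constructed traffic after monitoring mode was switched off: the scan
# rule is now a drop rule and its hit is reported as blocked.
FILTER_MODE_LINES = MONITOR_MODE_LINES[:1] + [
    '{"timestamp":"2019-04-20T10:00:03.000000+0200","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.22","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL constructed scan rule","severity":2}}',
]


def summarise_alerts(lines):
    """Count alert records by action.

    Returns (counts, never_blocked): counts has "allowed", "blocked" and
    "unparsable" keys; never_blocked lists (signature_id, signature) pairs
    that were alerted on but never blocked anywhere in the log.
    """
    counts = {"allowed": 0, "blocked": 0, "unparsable": 0}
    allowed_only = {}
    blocked_sids = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            counts["unparsable"] += 1
            continue
        if event.get("event_type") != "alert":
            continue  # flows, DNS, stats and so on are not interesting here
        alert = event.get("alert", {})
        sid = alert.get("signature_id")
        # Older Suricata versions omit the field entirely; treat that as allowed.
        if alert.get("action", "allowed") == "blocked":
            counts["blocked"] += 1
            blocked_sids.add(sid)
        else:
            counts["allowed"] += 1
            allowed_only.setdefault(sid, alert.get("signature"))
    for sid in blocked_sids:
        allowed_only.pop(sid, None)
    return counts, sorted(allowed_only.items())


def monitor_mode_suspected(lines):
    """True when alerts fired but nothing was ever blocked."""
    counts, _ = summarise_alerts(lines)
    return counts["allowed"] > 0 and counts["blocked"] == 0


def check_file(path="/var/log/suricata/eve.json"):
    """Summarise a real log. The default path is an assumption, not a
    documented IPFire location; adjust it to where your eve.json lives."""
    with open(path) as handle:
        return summarise_alerts(handle)


if __name__ == "__main__":
    for label, lines in (("monitoring", MONITOR_MODE_LINES), ("filtering", FILTER_MODE_LINES)):
        counts, never_blocked = summarise_alerts(lines)
        print(label, counts, "monitor mode suspected:", monitor_mode_suspected(lines))
        for sid, signature in never_blocked:
            print("  alerted but never blocked:", sid, signature)
```

The never_blocked list is the useful part once monitoring mode is off: rules that keep showing up there are either alert-only rules in the ruleset you selected, or rules you still want to switch to drop.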

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required for the IDS to work, but it still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates

This release rebases the IPFire kernel on 4.14.113, which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need, which gives all IPFire systems a small performance boost.

The wireless regulatory database has also been updated.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1

Misc.

  • SSH Agent Forwarding: This can now be enabled on the IPFire SSH service, which allows administrators to connect to the firewall and use SSH agent authentication when using IPFire as a bastion host and connecting onwards to an internal server. Only enable this if you trust the firewall with your agent: while you are connected, anyone with root on the bastion can use the forwarded agent socket to authenticate as you.
  • When multiple hosts are created to override the local DNS zone, a PTR record was automatically created for each of them. A host often has several names, which makes it desirable not to create a PTR record for an alias; this can now be done with an additional checkbox.
  • A bug in the firewall UI has been fixed which caused the rule configuration page not to render when the GeoIP database had not been downloaded yet. This affected systems that had been configured but never connected to the internet.
  • On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised so that they are imported faster and so that a half-written file is never visible on disk, which could crash unbound under certain circumstances.
  • Some minor UI issues on the IPsec VPN pages have been fixed: when editing existing connections, the MTU field is now filled with the default;
  • We no longer search for temperature sensors on AWS, since that caused a large number of error messages in the system log.
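
The two DNS items above, the per-host PTR checkbox and the atomic lease import, come down to the same small piece of engineering, shown here as an added example in Python that is not IPFire's own script: generate unbound local-data records for static hosts and DHCP leases, give a PTR record only to the hosts flagged for it, and publish the result by writing a temporary file in the target directory and renaming it into place, so that unbound never reads a half-written file. The host and lease entries are constructed sample data, and the policy for leases (both directions for every lease that carries a hostname) is an assumption made for the example, not a description of IPFire's actual behaviour.

```python
import os
import tempfile
from ipaddress import ip_address

# Constructed sample data (not taken from a real IPFire system).
# "ptr" mirrors the new checkbox: only one name per address gets a PTR record,
# so the alias media.lan resolves forwards but does not claim the reverse entry.
HOSTS = [
    {"name": "nas.lan", "address": "192.168.1.10", "ptr": True},
    {"name": "media.lan", "address": "192.168.1.10", "ptr": False},
    {"name": "printer.lan", "address": "192.168.1.20", "ptr": True},
]

# Constructed DHCP leases as (hostname, address). A lease without a
# hostname has nothing to publish and is skipped.
LEASES = [
    ("laptop", "192.168.1.101"),
    ("phone", "192.168.1.102"),
    ("", "192.168.1.103"),
]


def forward_record(name, addr):
    """unbound local-data line for an A or AAAA record."""
    rr = "AAAA" if addr.version == 6 else "A"
    return f'local-data: "{name}. IN {rr} {addr}"'


def reverse_record(name, addr):
    """unbound local-data-ptr line; unbound builds the arpa name itself."""
    return f'local-data-ptr: "{addr} {name}."'


def host_records(hosts):
    """Records for the static overrides, honouring the per-host PTR flag."""
    lines = []
    for host in hosts:
        addr = ip_address(host["address"])
        lines.append(forward_record(host["name"], addr))
        if host["ptr"]:
            lines.append(reverse_record(host["name"], addr))
    return lines


def lease_records(leases, domain="lan"):
    """Records for DHCP leases (assumed policy: both directions per named lease)."""
    lines = []
    for hostname, address in leases:
        if not hostname:
            continue
        addr = ip_address(address)
        name = f"{hostname}.{domain}"
        lines.append(forward_record(name, addr))
        lines.append(reverse_record(name, addr))
    return lines


def write_atomically(path, lines):
    """Publish the file so that readers never see a partially written version.

    The content goes to a temporary file in the same directory (so the final
    rename stays on one filesystem), is flushed and fsynced, and only then
    renamed over the target. rename() swaps the directory entry in a single
    step, so unbound sees either the old file or the complete new one.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".", suffix=".tmp", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("\n".join(lines) + "\n")
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)  # do not leave a stray temp file behind on failure
        except OSError:
            pass
        raise


def publish(path, hosts=HOSTS, leases=LEASES):
    """Build the complete local zone fragment, write it, return the lines."""
    lines = host_records(hosts) + lease_records(leases)
    write_atomically(path, lines)
    return lines


def demo():
    """Run against a scratch directory; returns (lines, file_matches, leftovers)."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "local-hosts.conf")
        lines = publish(path)
        with open(path) as handle:
            matches = handle.read() == "\n".join(lines) + "\n"
        leftovers = [f for f in os.listdir(scratch) if f != "local-hosts.conf"]
    return lines, matches, len(leftovers)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The same write-then-rename pattern applies to any file a long-running daemon re-reads on a signal or timer; truncating and rewriting the file in place is exactly what produces the half-written intermediate state the release note describes.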

Add-ons

  • Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 3.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
  • tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows creating rules for traffic that originates from the local tor relay. The service now also runs as its own user.
  • Wireless Access Point: It is now possible to enable client isolation so that wireless clients cannot communicate with each other through the access point.

New Packages

  • flashrom - A tool to update firmware

Just a couple of days after the release of IPFire 2.21 - Core Update 129, the next release is available. This is an emergency update with various bug fixes and a large number of security fixes.

Security

IPFire 2.21 - Core Update 130 contains security updates for the following packages:

  • Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable to a privilege escalation (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), a DoS attack (CVE-2019-0197), a memory-safety bug in mod_http2 (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). The privilege escalation and the two access control bypasses are rated "important" by the Apache project; the remaining three are rated "low".
  • wget 1.20.3: wget had a buffer overflow that allowed an attacker to execute arbitrary code (CVE-2019-5953).
  • clamav 0.101.2: ClamAV, the virus scanner, had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.

Although some of these vulnerabilities are only of low severity, we recommend installing this update as soon as possible!

IPsec Regression

The last update introduced a regression in the IPsec stack which prevented the firewall itself from reaching any hosts on the remote side when the tunnel was run in tunnel mode without VTI/GRE interfaces. This update fixes that.

Today, we have updated IPFire on AWS to IPFire 2.21 - Core Update 129 - the latest official release of IPFire.

This update of course brings you all the features that come with this new version, and it saves you from having to update a freshly installed system.

AWS

This update makes the latest features in IPFire available on AWS:

Routed IPsec VPNs

This feature is going to be very interesting for anyone who needs high availability. Redundant instances of IPFire can now terminate IPsec tunnels in multiple Availability Zones and route traffic dynamically with BGP or other dynamic routing protocols.

This way, you will always have a connection from your office or your other data centre to your Amazon Cloud that will never let you down.

How to update?

For all customers who are already running the latest image, there is nothing to do here except to make sure that all updates are installed on your instance. New systems should of course be installed with

Go to IPFire on AWS