Can You Get Better Value For Money From AWS?

by Michael Tremer, August 30, Updated August 31

Today, we are launching IPFire on AWS ARM-based instances, making IPFire cheaper, more versatile and more secure for all your cloud-based projects.

Having been around for a little while, Lightning Wire Labs ported IPFire to the new ARM-based processors from AWS with IPFire 2.25 - Core Update 159.

The cloud is here to stay. Lightning Wire Labs proudly has a large customer base with large cloud environments secured by IPFire.

One question we are often asked is how to reduce cost. Although running your setup in the cloud gives you a lot of flexibility, this does not come for free. As companies grow, more resources are required, driving up costs, and with more financial pressure on most businesses due to the pandemic, reducing cloud spend is more important than ever.

With IPFire already being free of any license cost, the biggest opportunity to save money on the firewall is to use a smaller instance size. However, although IPFire does not use a lot of resources, a certain amount of oomph is required to keep your hosted services fast for your customers and to shift Gigabits of data.

AWS's new ARM instances, based on their new Graviton 2 processors, come with more performance for a smaller price. Who wouldn’t want to take advantage of that?

AWS Graviton 2

For use as a firewall, the T4g, M6g and C6g instances have many advantages:

  • Faster processing power which decreases latency on the network
  • Cryptographic acceleration for more throughput over VPNs, easily saturating a multi-gigabit link
  • Lightweight virtualisation, IOMMU and DMA allow for less virtualisation overhead, which decreases processor usage when handling network packets and gives the system time to care about other things
  • ARM processors are less likely to be vulnerable to speculation attacks such as Spectre and Meltdown, giving you a little bit of extra security in the cloud
  • An overall 40% better price performance compared to x86-based instances

IPFire in the cloud brings to AWS, without extra charge, all the features that otherwise cost a lot of extra money. You can set up VPNs to connect to your on-premise firewall in the office, or securely connect your staff to the servers they are working on. You can host services for your clients and protect your web applications against attackers using the Intrusion Protection System. There are many opportunities and they have now become more affordable for everyone.

Read more about IPFire in the cloud on our product page.


This is the official release announcement for the next major release of IPFire: IPFire 2.27 - Core Update 159. It comes with a brand new kernel based on Linux 5.10 and an updated toolchain as well as general bug fixes and a large number of improvements.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

The New Kernel - Better Security and Performance

This is a major update for IPFire, as it rebases the IPFire kernel on Linux 5.10, the latest long-term supported release of the Linux kernel. Arne has been working through a long spring getting IPFire ported to this release and it is now finally ready for prime-time. It features:

  • Support for many new drivers, and improved support and performance for existing drivers, making IPFire more compatible with new hardware and more powerful on existing hardware. Most notable are many network drivers as well as virtualised communication with the hypervisor in the cloud.
  • Networking throughput has been increased through zero-copy TCP receive and UDP, and through Bottleneck Bandwidth and RTT (BBR) congestion control. Those changes will also decrease the latency of the firewall in the network when forwarding packets.
  • Wireless will have improved throughput and better latency with Airtime Queue Limits, which practically enables use of all the "Bufferbloat" algorithms on wireless.
  • Support for 64-bit ARM hardware has been massively improved and we were able to drop a large number of custom patches which have been upstreamed into the Linux kernel.
  • Furthermore, we have improved the security of the system through improved protection against CPU hardware bugs and additional hardening against attacks from user space.

This update is a huge step for everything that is going on under the hood of IPFire. We are hopeful that we can build many new features on this and make IPFire a much more modern system that is better to use. If you want to support this effort, please help us with your donation.

Another important part of every distribution is the toolchain. This is what developers call the collection of compilers, linkers, the C standard library and basic tools that are required to build the distribution. These tools have been updated to GCC 11.1, glibc 2.33 and binutils 2.36.1.

The 32-bit ARM architecture has been changed from armv5tel to armv6l. We originally selected the ARMv5 instruction set as a common denominator for all ARM systems. There were only a few systems on the market which have now all long been discontinued. To be able to remain compatible with existing setups and code, we remained with this architecture, which is however not very well supported any more. This release changes to the slightly more modern ARMv6 instruction set, which allows us to make a seamless transition; but eventually we will drop support for 32-bit ARM altogether. If you are using hardware on either ARM or x86 that is capable of running a 64-bit system but are still running a 32-bit version of IPFire, we recommend upgrading as soon as possible.

Misc.

  • The system image on the ISO installation image is now compressed using Zstandard for faster decompression during installation and faster compression during the build process
  • Installer: The unattended mode is now started correctly even on EFI systems

Add-ons

  • Updated packages: clamav 0.103.3, samba 4.14.6, tftpd 5.2, tshark 3.4.7

And another update is available for testing, with a brand new kernel and an updated toolchain.
