The next release is available for testing - presumably the last release in the 2.21 series before we bring some bigger changes. This update brings a large number of significant changes to IPsec, as well as many updates to the core system and various smaller bug fixes.

IPsec Reloaded

IPsec has been massively extended. Although IPsec in IPFire is already quite versatile and delivered high performance, some features for experts were required and are now available through the web UI:

  • Routed VPNs with GRE & VTI
  • Transport Mode for net-to-net tunnels
  • IPsec connections can now originate from any public IP address of the IPFire installation. This can be selected on a per-connection basis.

The code has also been cleaned up and the UI has been made a little bit tidier to accommodate the new settings.

Smaller changes include:

  • The "On-Demand" mode is finally the default setting. Tunnels will shut down when they are not used and they will be established again when they are required.

Misc.

  • DHCP: A crash has been fixed when filenames containing a slash have been entered for PXE boot.
  • DHCP: Editing static leases has been fixed
  • Domains in the "DNS Forwarding" section can now be disabled for DNSSEC validation. This is a dangerous change, but has been requested by many users.
  • Updated packages: bind 9.11.6, groff 1.22.4, ipset 7.1, iptables 1.8.2, less 530, libgcrypt 1.8.4, openssl 1.1.1b, openvpn 2.4.7, squid 4.6, tar 1.32, unbound 1.9.0, wpa_supplicant 2.7
  • New commands: kdig 2.8.0
  • The build system has been optimised to reduce build time of the whole distribution to around 4-5 hours on a fast machine.

Add-Ons

  • Alexander Koch has contributed zabbix_agentd which is the agent that is installed on the monitored machine. With this, IPFire can now be integrated into an environment that is monitored by Zabbix.
  • On that note, the SNMP daemon has also been updated to version 5.8 for people who use the SNMP protocol for monitoring.
  • tor has been updated to 0.3.5.8 and some minor bugs have been fixed in the web user interface
  • The spectre-meltdown-checker script is available as an add-on which allows IPFire users to test their hardware for vulnerabilities
  • Other updates: amavisd 2.11.1, hostapd 2.7, postfix 3.4.3

To help testing, you can download the installation images from here.


The forthcoming Core Update will have some brilliant changes to our IPsec stack.

These changes were required for a project that Lightning Wire Labs has been doing and are potentially a little bit niche. We have backported these as well from IPFire 3 where this feature is even more advanced and - to me - a lot more exciting, too.

Routed VPNs

We are introducing support for routed IPsec VPNs. As mentioned, many users probably are perfectly happy with the IPsec tunnels that they have. They are fast, secure and route all the traffic between two IPFire instances. But sometimes you need a little bit more. In this case, we needed some dynamic routing and therefore needed this extra flexibility.

The corporate vendors like Cisco and Juniper usually wrap an extra layer around the IPsec tunnels. In the past that used to be GRE (Generic Routing Encapsulation) and nowadays it is VTI (Virtual Tunnel Interface). Both do the same thing: they encapsulate an IP packet so that it can be sent over any layer 3 network - in this case, over a kind of peer-to-peer VPN connection. All this adds a little bit of extra overhead, which is why IPsec Transport Mode, which has smaller headers, is now supported, too.

What is it for?

This way, we can route all sorts of traffic between two peers that have such a connection set up and trust each other. But why all this extra effort when a standard tunnelled IPsec connection can do the same trick?

We use IPFire as redundant gateways. That means that we have multiple IPsec connections to the other side. So there is a backup in case the primary connection becomes unavailable. Then, with a classic VPN tunnel, that traffic would not go anywhere any more. We need something that detects the outage and re-routes traffic: BGP

We use bird as our BGP routing daemon of choice (others are available) which talks to the other side and changes the routing tables to the connection that is active and preferred.
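To make the two ideas above concrete (a GRE link protected by a transport-mode IPsec SA, with a routing daemon peering across the link's inside addresses), here is an added illustration of the plain-Linux building blocks involved. It is not IPFire's code and not how IPFire's web UI configures the feature; all addresses, the interface name and the strongSwan conn name are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not IPFire's own code: the plain-Linux building blocks
# behind a routed VPN, i.e. a GRE tunnel whose packets are protected by an
# IPsec transport-mode SA, with the tunnel's inside addresses used for BGP
# peering. Public and inside addresses, interface and conn name are
# constructed placeholders. With DRY_RUN=1 the ip(8) commands are printed
# rather than executed, so the script can be reviewed without root or real
# interfaces.

LOCAL_WAN="${LOCAL_WAN:-198.51.100.10}"   # this firewall's public address (placeholder)
REMOTE_WAN="${REMOTE_WAN:-203.0.113.20}"  # the peer's public address (placeholder)
GRE_DEV="${GRE_DEV:-gre1}"
GRE_LOCAL="${GRE_LOCAL:-10.255.0.1/30}"   # inside address; the BGP session runs here
GRE_PEER="${GRE_PEER:-10.255.0.2}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# A GRE tunnel is a point-to-point link between the two public addresses.
# On its own it provides no confidentiality: without the IPsec policy below,
# GRE (IP protocol 47) would cross the Internet in cleartext.
gre_up() {
    run ip tunnel add "$GRE_DEV" mode gre local "$LOCAL_WAN" remote "$REMOTE_WAN" ttl 64
    run ip addr add "$GRE_LOCAL" dev "$GRE_DEV"
    run ip link set "$GRE_DEV" up
}

gre_down() {
    run ip link set "$GRE_DEV" down
    run ip tunnel del "$GRE_DEV"
}

# strongSwan ipsec.conf fragment: transport mode, restricted to GRE between the
# two endpoints. Transport mode adds no second outer IP header, hence the
# smaller overhead compared to a tunnel-mode SA carrying the same traffic.
# auto=route installs a trap policy right away, so GRE packets trigger IKE
# instead of leaving unencrypted while the SA is not yet up; this is also the
# behaviour an on-demand tunnel needs.
ipsec_conn() {
    cat <<EOF
conn gre-transport
    type=transport
    keyexchange=ikev2
    left=$LOCAL_WAN
    leftprotoport=gre
    right=$REMOTE_WAN
    rightprotoport=gre
    auto=route
EOF
}

# A static route via the tunnel, useful before a routing daemon takes over.
# With BGP (e.g. bird) peering with $GRE_PEER, routes learned over this link
# replace the static one and are withdrawn when the session drops, which is
# what makes failover between two such links work.
route_via_gre() {
    run ip route add "$1" via "$GRE_PEER" dev "$GRE_DEV"
}

case "${1:-}" in
    up)   gre_up ;;
    down) gre_down ;;
    conn) ipsec_conn ;;
esac
```

Run `DRY_RUN=1 sh routed-vpn.sh up` to review the commands, `sh routed-vpn.sh conn` to print the strongSwan fragment, and repeat the same steps with a second interface and peer for the redundant link the post describes; the BGP daemon then prefers whichever session is up.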

So, I guess we will leave it at this for this short post. There is some documentation on the wiki if you need to set up a redundant setup of IPsec tunnels. Or just contact our professional support.


This is the official release announcement for IPFire 2.21 - Core Update 128; another maintenance update with a brand new kernel, introducing TLS 1.3 throughout the whole system and of course a whole package of bug fixes and other improvements.

Thanks to everyone who has contributed to this Core Update with either sending in patches, testing, reporting bugs and many many other things. I am quite happy to see the team grow! Thank you very much as well to all of you who have supported our Donations Challenge so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!

Kernel Update

The Linux kernel, the core of the IPFire operating system, has been updated to the latest release of the 4.14 branch. We have added some extra patches to improve hardware support and fix some security vulnerabilities. LEDs of PCengines' APU boards are now supported on newer versions of the mainboard and on those boards, the serial console is always enabled. On x86-based systems, we now support up to 64 processors.

OpenSSL 1.1.1 & TLS 1.3

We have also updated the main TLS/SSL library to OpenSSL in version 1.1.1. This adds support for TLS 1.3 and of course brings various other improvements with it. On browsers that support it, the IPFire web user interface is now available over TLS 1.3 and any outgoing SSL connection from the firewall supports it, too. We ensure that those connections only use secure and performant ciphers to make connections as fast as they can be.

We have also updated the list of trusted Certificate Authorities (CAs).

We have removed any previous versions of OpenSSL from the system, which will soon be end-of-life. If you have anything custom that you have compiled yourself on your system, please be aware of that and note that you might need to rebuild your custom software.

Add-ons provided by the IPFire Project now support TLS 1.3 as well. If you are running a custom configuration for postfix or haproxy make sure that TLS 1.3 is not excluded from the supported TLS protocols.
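A quick way to verify the last point on a system with a hand-edited postfix or haproxy configuration is to scan for the settings that switch TLS 1.3 off. The script below is an added example, not part of these release notes or of either project; the configuration files it writes are constructed samples, one weak and one acceptable for each daemon.

```shell
#!/bin/sh
# Added example, not part of the release notes or of Postfix/HAProxy: flag
# Postfix and HAProxy settings that switch TLS 1.3 off. The sample
# configuration files are constructed here for the demonstration.

# Postfix (3.3-era syntax, as shipped here) uses exclusion lists for the
# *_tls_protocols / *_tls_mandatory_protocols parameters, e.g. "!SSLv2, !SSLv3".
# A "!TLSv1.3" entry excludes TLS 1.3. Prints the offending lines and returns 0
# when TLS 1.3 is excluded, 1 otherwise (comment lines never match because the
# parameter name must start the line).
postfix_excludes_tls13() {
    grep -E '^[[:space:]]*(smtp|smtpd|lmtp|tlsproxy)_tls(_mandatory)?_protocols[[:space:]]*=' "$1" |
        grep -F '!TLSv1.3'
}

# HAProxy disables TLS 1.3 either with "no-tlsv13" (on ssl-default-*-options,
# bind or server lines) or by capping the version with "ssl-max-ver TLSv1.2"
# or lower. Comment lines are dropped first.
haproxy_excludes_tls13() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E 'no-tlsv13|ssl-max-ver[[:space:]]+(TLSv1\.[0-2]|SSLv3)'
}

# Writes four constructed configs into a temporary directory and prints its path.
write_samples() {
    dir=$(mktemp -d)
    cat >"$dir/main.cf.weak" <<'EOF'
# constructed Postfix main.cf: TLS 1.3 excluded on the server side
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
EOF
    cat >"$dir/main.cf.good" <<'EOF'
# constructed Postfix main.cf: old protocols excluded, TLS 1.2 and 1.3 allowed
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
EOF
    cat >"$dir/haproxy.cfg.weak" <<'EOF'
# constructed haproxy.cfg: no-tlsv13 keeps the listener on TLS 1.2
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv13
EOF
    cat >"$dir/haproxy.cfg.good" <<'EOF'
# constructed haproxy.cfg: minimum version only, so TLS 1.3 stays enabled
global
    ssl-default-bind-options ssl-min-ver TLSv1.2
EOF
    echo "$dir"
}

# Runs both checks over a directory; returns 0 when nothing excludes TLS 1.3.
check_dir() {
    rc=0
    for f in "$1"/main.cf*; do
        [ -f "$f" ] || continue
        if postfix_excludes_tls13 "$f"; then echo "TLS 1.3 excluded in $f"; rc=1; fi
    done
    for f in "$1"/haproxy.cfg*; do
        [ -f "$f" ] || continue
        if haproxy_excludes_tls13 "$f"; then echo "TLS 1.3 excluded in $f"; rc=1; fi
    done
    return $rc
}
```

On a live system, point `postfix_excludes_tls13` at `/etc/postfix/main.cf` and `haproxy_excludes_tls13` at the haproxy configuration file; a non-zero exit from `check_dir` means at least one setting still pins the daemon below TLS 1.3. Prefer minimum-version settings (`ssl-min-ver` in haproxy, excluding only old protocols in postfix) over exclusion of the newest version, so future protocol versions are not silently disabled either.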

Performance Tuning

The system is now configured to be able to route more packets. During some benchmarks and testing we have discovered that IPFire does not always use the full performance of the hardware underneath it. While most systems probably won't benefit much from these improvements, some systems with very fast processor cores will see a 5-10% increase in bandwidth from and to the firewall as well as routed through it. That comes at the cost of a very slight increase in power consumption, but we figured that this is a price worth paying to provide you not only with a secure firewall, but also a fast one.

Misc.

  • A change of the firewall policy might potentially be backwards-incompatible, but we saw no other way to improve the security of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. This was carried over from the very beginning of IPFire when the firewall user interface was way more basic and rules to change this behaviour could not be configured at all. Now it makes a lot more sense to drop this default, which was also not well-known, and let users create rules to either allow or deny traffic like this.
  • The kdig utility is now available on command line which supports DNS lookups via TLS
  • Updated packages: apache 2.4.38, apr 1.6.5, curl 7.64.0, dhcpcd 7.1.1, ghostscript 9.26, logrotate 3.15, openssh 7.9p1, postfix 3.3.2, strongswan 5.7.2, tzdata 2018i

Add-ons

  • powertop has been updated to version 2.10
  • tor has been updated to version 0.3.5.7
  • sendEmail has been fixed by Rob. The script had a wrong file ownership.