IPFire 2.25 - Core Update 158 is generally available. It comes with one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

IPsec with Apple iOS & Mac OS

It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.

Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).

Unfortunately time did not allow to provide any detailed documentation for this feature, but this will be added in the near future. If you want to help the team, you can do this with your donation.

Misc.

  • IPsec
    • Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
    • There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
  • The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
  • We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
  • Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
  • Updated packages of the core system: apache 2.4.48, bind 9.11.32, cmake 3.20.4, curl 7.77.0, dmidecode 3.3, ethtool 5.12, expat 2.4.1, fuse 3.10.4, glib 2.68.3, gnutls 3.6.16, gzip 1.10, iputils 20210202, knot 3.0.7, libcap 2.50, libedit 20210522-3.1, libnl-3 3.5.0, libpcap 1.10.1, libusb 1.0.24, libxcrypt 4.4.22, linux-firmware 20210511 as preparation for a new kernel, nettle 3.7.3, pcre2 10.37, perl-CGI 4.53, perl-TimeDate 2.33, perl-XML-Parser 2.46, python3-setuptools, python3-pyparsing 2.4.7, qpdf 10.3.2, rng-tools 6.12, smartmontools 7.2, sudo 1.9.7p1, vnstat 2.7, xfsprogs 5.12.0, zd1211-firmware 1.5, zerofree 1.1.1, zstd 1.5.0
  • Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
  • IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written, tested and replaced any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
  • The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...

Add-ons

  • dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
  • Updated packages: cups-filter 1.28.9, elfutils 0.185, flac 1.3.3, libogg 1.3.5, nano 5.8, netsnmpd 5.9.1, Postfix 3.6.1, sarg 2.4.0, tcpdump 4.99.1, tmux 3.2a, Tor 0.4.6.5

Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend to install these applications on a different machine than the firewall itself: Asterisk, dpfhack, lcd4linux, miniupnpd, motion, SANE, sendEmail. They will automatically be uninstalled on all systems.


Another update is available for testing and it is packed a one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.

IPsec with Apple iOS & Mac OS

It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.

Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).

Detailed documentation for this feature is not available yet, but will be added before the release.

Misc.

  • IPsec
    • Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
    • There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
  • The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
  • We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
  • Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
  • Updated packages of the core system: apache 2.4.48, bind 9.11.32, cmake 3.20.4, curl 7.77.0, dmidecode 3.3, ethtool 5.12, expat 2.4.1, fuse 3.10.4, glib 2.68.3, gnutls 3.6.16, gzip 1.10, iputils 20210202, knot 3.0.7, libcap 2.50, libedit 20210522-3.1, libnl-3 3.5.0, libpcap 1.10.1, libusb 1.0.24, libxcrypt 4.4.22, linux-firmware 20210511 as preparation for a new kernel, nettle 3.7.3, pcre2 10.37, perl-CGI 4.53, perl-TimeDate 2.33, perl-XML-Parser 2.46, python3-setuptools, python3-pyparsing 2.4.7, qpdf 10.3.2, rng-tools 6.12, smartmontools 7.2, sudo 1.9.7p1, vnstat 2.7, xfsprogs 5.12.0, zd1211-firmware 1.5, zerofree 1.1.1, zstd 1.5.0
  • Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
  • IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written, tested and replaced any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
  • The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...

Add-ons

  • dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
  • Updated packages: cups-filter 1.28.9, elfutils 0.185, flac 1.3.3, libogg 1.3.5, nano 5.8, netsnmpd 5.9.1, Postfix 3.6.1, sarg 2.4.0, tcpdump 4.99.1, tmux 3.2a, Tor 0.4.6.5

Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend to install these applications on a different machine than the firewall itself: Asterisk, dpfhack, lcd4linux, miniupnpd, motion, SANE, sendEmail. They will automatically be uninstalled on all systems.


This is another very large update (in both, size and number of changes) and we would like you to help us testing it. If you find any problems, please report them to our bugtracker or search help on our Community Portal.


After a little break, IPFire 2.25 - Core Update 157 is out! This is the largest release in size we have ever had and updates various parts of the operating system and brings an updated kernel.

Since IPFire is built from source and not based on any distribution, we get to select the best versions of open source software to be a part of it. This release is the second part of our "spring clean" release which updates various software packages and we have also dropped software that we no longer need. The vast amount of this work has been done by Adolf Belka who has been spending many nights in front of a compiler trying to make it all work. If you want to support him and the entire development team, please help us with your donation.

Deprecating Python 2

We have made huge efforts to migrate away from Python 2 which has reached its end of life on January 1st of this year. That includes repackaging third-party modules for Python 3 and migrating our own software to Python 3.

The work will continue over the next couple of weeks and we are hopeful to remove all Python 2 code with the next release. We will keep Python 2 around for a little bit longer to give everyone with custom scripts a little bit of time to migrate them away, too.

Misc.

  • The IPFire kernel has been rebased on Linux 4.14.232 which brings various security and stability fixes
  • Updated packages: bash 5.1.4, boost 1.76.0, cmake 3.20.2, curl 7.76.1, dejavu-fonts-ttf 2.37, expat 2.3.0, file 5.40, fuse 3.10.3, gdb 10.2, glib 2.68.1, iproute2 5.12.0, less 581.2, libaio 0.3.112, libarchive 3.5.1, libcap-ng 0.8.2, libedit 20210419-3.1, libevent2 2.1.12, libexif 0.6.22, libgcrypt 1.9.3, libgpg-error 1.42, libtiff 4.3.0, libupnp 1.14.6, libxcrypt 4.4.20, libxml2 2.9.10, lm_sensors 3.6.0, lua 5.4.3, meson 0.58.0, OpenSSH 8.6p1, perl-Canary-Stability, perl-Convert-TNET 0.18, perl-Convert-UUlib 1.8, perl-Crypt-PasswdMD5 1.41, perl-Digest 1.19, pixman 0.40.0, poppler 21.05.0 (and poppler-data 0.4.10), pppd 2.4.9, readline 8.1, sqlite 3.35.5, squid 4.15, sudo 1.9.7, wireless-regdb 2020.11.20, xfsprogs 5.11.0
  • Some packages that are no longer needed for the build process have been dropped
  • Peter Müller has cleaned up the web server configuration for the web user interface and removed various quirks and hacks for old software like Microsoft Internet Explorer 8
  • Leo-Andres Hofmann has contributed some cosmetic changes for the live graphs
  • A security vulnerability has been reported by Mücahit Saratar (#12619) where it was possible to change a script as an unprivileged user due to a file permission error which could later be executed as root. Thank you for reporting this to us.

Add-ons

  • Updated packages: cifs-utils 6.13, cups 2.3.3op2, cups-filters 1.28.8, dnsdist 1.6.0, elfutils 0.184, fetchmail 6.4.19, ffmpeg 4.4, libmicrohttpd 0.9.73, mpd 0.22.6, ncat 7.91, nmap 7.91, samba 4.14.4, Tor 0.4.5.8