The next Core Update is ready for testing: IPFire 2.27 - Core Update 174. It is a traditional spring clean release which updates major parts of the core system and comes with a large number of bug fixes throughout.

This update also comes with a number of security patches in Apache, cURL and more, but none of them have been assessed as being exploitable on IPFire. Nevertheless, we intend to bring those updates to all of our users as soon as possible, and encourage speedy installation of Core Update 174 after its testing phase has been completed successfully.

Updated Toolchain

The "toolchain" includes the most basic parts to build software and consists of GCC as the compiler, Binutils as the assembler and linker, and glibc as the C standard library. They have been updated to their latest versions improving performance for all generated code and fixing bugs.

Although they are not as exciting for our users, they are the building blocks IPFire is founded on and make it the modern, fast and secure distribution that it is.

Bug Fixes

• The OpenVPN CGI will now display the expiry date of certificates.
• Duplicate address issuance by the DHCP server in case of overlapping fixed leases has been corrected (#10629).
• Customizing the Snort/VRT GPLv2 Community IPS ruleset has been fixed (#12948).
• The logs of apcupsd are now accessible through the system log viewer (#12950), as are the logs of the HAProxy add-on (#12922).
• Several CGIs have received CSS cleanups, resulting in better appearance (#13024, #13039).
• The Content-Type header of e-mails generated by the core system itself and various add-ons has been changed from multipart/mixed to multipart/alternative to avoid useless attachment icon display in some MUAs (#13040).
• Faulty CGI behaviour after toggling logging of dropped packages by the IP blocklists firewall component has been fixed (#12979).
• An overly permissive regular expression for parsing unbound log data has been corrected.
• The external traffic status page will now always use the correct interface to display traffic data from.
• efivar is now properly instructed to adjust instructions to the target architecture rather than that of the build host.
• The CPU graph has been redesigned for systems with large numbers of processor cores (#12890)

Miscellaneous

• rng-tools has been moved from the core system to an add-on (#12900).
• Conversely, perl-TimeDate is now part of the core system, since it became a dependency of the OpenVPN CGI.
• Arne has worked a lot on bringing the RISC-V build up to speed.
• IPFire's trust store has been synced against Mozilla's current trusted CA certificate bundle.
• Useless Qualcomm Bluetooth firmware files are no longer shipped (IPFire dropped Bluetooth support a long time ago due to security reasons), saving a couple of megabytes on new and existing IPFire installations alike.
• Updated packages: apache 2.4.56, apr 1.7.2, bind 9.16.38, binutils 2.40, boost 1.81.0, curl 7.88.1, e2fsprogs 1.47.0, elinks 0.16.0, ethtool 6.2, freetype 2.13.0, gcc 12.2.0, glibc 2.37, gnutls 3.8.0, grep 3.9, harfbuzz 7.0.1, intel-microcode 20230214, iproute2 6.2.0, libtirpc 1.3.3, liburcu 0.14.0, linux-firmware 20230210, lmdb 0.9.30, logwatch 7.8, lsof 4.98.0, pango 1.50.13, poppler 23.03.0, poppler-data 0.4.12, qpdf 11.3.0, rust 1.67.0, squid 5.8, strongswan 5.9.10 (fixes CVE-2023-26463, which is not exploitable on IPFire unless heavily customized IPsec connections have been configured using the CLI rather than the IPsec web interface), sudo 1.9.13p3, tzdata 2022g, wireless-regdb 2023-02-12, zstd 1.5.4
• Updated add-ons: cups 2.4.2, dbus 1.14.6, epson-inkjet-printer-escpr 1.7.23, fetchmail 6.4.36, HAProxy 2.7.4, htop 3.2.2, make 4.4.1, monit 5.33.0, pcengines-apu-firmware 4.19.0.1, python3-setuptools 67.5.1, samba 4.17.5

As always, we thank all people contributing to this release in whatever shape and form. Please help testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.

Are you using IPFire through a wireless connection? Do you need more bandwidth and lower latency no matter where you are? Then, we have you covered with support for 5G interfaces which also helps making 4G connections faster!

IPFire is now offering support for a new kind of wireless modem using the Qualcomm Management Interface - or QMI for short. It is a new way that is commonly used by 5G modems to talk to the operating system, but it is also used by newer 4G modems. It enables to communicate faster than before when every mobile 4G or 3G modem was emulating a serial interface like it has been used in dial-up modems of the 56k kind, or even slower.

Emulating this interface had a couple of downsides which have now been removed and more control is being given to the baseband which makes setting up 4G and 5G in IPFire even easier. Instead of typing rather complicated phone commands, now, you will only need to type your APN and - if your provider requires it - your username and password.

The Legacy Modem Interface

To IPFire, any 2G/3G/4G simply used to be a modem. Just like the 56k serial modems that we all used to have, it is controlled through exactly the same interface. Instead of using an actual serial connection, it is being emulated over USB. But since there is some emulation, and because the interface was designed for a different century, it is not the fastest any more.

Is 5G here?

5G has not been rolled out just yet. Hardware is not readily available everywhere yet, and cell towers have not been upgraded unless you are in a big city. But it is happening fast...

IPFire users require more and more bandwidth as more and more applications are being rolled out. With fewer services on premise and video calls, data usage is only going up. And we like to work from wherever we are. Bringing IPFire with you, whether you are living in a remote location in the woods, you have a mobile home in a caravan, or whatever other application you have for a firewall that is on the move, we have you covered now.

This is just another step to make IPFire ready for the future and widen its application. Please send us feedback on how well this is working for you, and if you would like to support our work, please help funding our developers with your donation!

The first Core Update in 2023 has been released: IPFire 2.27 - Core Update 173. It introduces support for 4G and 5G modems that use the QMI interface, features a kernel fresh from the latest 6.1 stable series, as well as the usual plethora of package updates, security improvements and bug fixes.

IPFire users running 32-bit ARM devices should note that support for this architecture will sunset at the end of this month, and are advised to migrate their installations to a hardware architecture supported by IPFire now. Consequently, this will be the last update released for this architecture.

Introducing QMI support

The Qualcomm MSM Interface is a proprietary interface increasingly used by 4G and 5G cellular modems. Commencing with this Core Update, IPFire supports interacting with such modems, thus significantly expanding its hardware compatibility to QMI-only cellular modems, and providing a faster and more modern interface.

Thanks to Michael for implementing this feature. On that occasion, he also refactored related networking code.

Linux Kernel 6.1.11

Arne has updated the Linux kernel to the most recent stable series, 6.1.11, which has become the new long-term series. Aside from the usual improvements such major kernel updates bring like bug fixes, improved hardware support and security improvements, we took the occasion to bring several new hardening changes to IPFire users:

• System calls permitting processes to read or write other processes' memory are no longer provided by the kernel.
• On EFI systems supporting it, the firmware is now instructed to wipe all memory when rebooting, to hamper cold boot attacks.
• Landlock support has been enabled.
• GCC's "latent entropy" plugin has been disabled, since it does not generate cryptographically secure entropy.
• To cut attack surface, support for both the ACPI configuration file system and obsolete PCMCIA/CardBus subsystem has been removed.
• On 64-bit ARM installations, direct memory access via malicious PCI devices is no longer possible.

Miscellaneous

• The OpenVPN 2FA authenticator will no longer enter an infinite loop if the socket connection to OpenVPN is lost (#12963).
• A user group necessary for interaction between D-Bus and Avahi is now properly created while installing the latter add-on (#13017).
• The OpenVPN GUI has seen minor improvements and cleanups (#13030).
• A bug in the firewall engine permitting the creation of rules with invalid sources has been resolved.
• Input like *.example.com is now properly treated as a wildcard domain by the web interface (#12937).
• libtirpc is now part of the core system, since it is needed as a dependency by lsof (#13015).
• The obsolete spandsp add-on has been dropped.
• Updated packages: Apache 2.4.55, bind 9.16.37, curl 7.87.0, ethtool 6.1, file 5.44, fontconfig 2.14.1, fuse 3.13.0, grep 3.8, harfbuzz 6.0.0, iana-etc 20221226, iproute2 6.1.0, ipset 7.17, iptables 1.8.9, iputils 20221126, iw 5.19, jquery 3.6.3, json-c 0.16, keyutils 1.6.3, knot 3.2.4, krb5 1.20.1, lcms2 2.14, less 608, libarchive 3.6.2, libcap 2.66, libconfig 1.7.3, libffi 3.4.4, libgpg-error 1.46, libidn 1.41, libinih r56, libjpeg 2.1.4, libloc 0.9.16, libmpc 1.3.1, libpcap 1.10.3, libssh 0.10.4, libstatgrab 0.92.1, libtiff 4.5.0, libtool 2.4.7, libusb 1.0.26, libxslt 1.1.37, libyang 2.1.4, linux-firmware 20221214, logrotate 3.21.0, lz4 1.9.4, memtest86+ 6.01, mpfr 4.2.0, nano 7.2, ncurses 6.4, OpenSSH 9.2p1, OpenSSL 1.1.1t, pcre2 10.42, perl-HTML-Parser 3.78, pixman 0.42.2, poppler 23.01.0, psmisc 23.6, rust 1.65, sdl2 2.26.2, shadow 4.13, sqlite 3400100, squid-asnbl 0.2.4 (resolving #13023), strongswan 5.9.9, sudo 1.9.12p2, suricata 6.0.10, xfsprogs 6.1.1, xz 5.4.1
• Updated add-ons: alsa 1.2.8, bird 2.0.11, borgbackup 1.2.3 (resolving #13032), ClamAV 1.0.1, dbus 1.14.4, dnsdist 1.7.3, ghostscript 10.0.0, haproxy 2.7.1, igmpproxy 0.4, iotop 1.22, iperf 2.1.8, iperf3 3.12, libcdada 0.4.0, libexif 0.6.24, libpciaccess 0.17, libshout 2.4.6, libtalloc 2.3.4, libusbredir 0.13.0, libvirt 8.10.0, mc 4.8.29, nfs 2.6.2, nqptp ad384f9, pcengines-apu-firmware 4.17.0.3, python3-packaging 23.0, samba 4.17.4, shairport-sync 4.1.1, strace 6.1, tcpdump 4.99.3, Tor 0.4.7.13

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, an consider becoming engaged in development to distribute the load over more shoulders.