Another Core Update is available for testing. It comes with significant improvements to the Intrusion Prevention System (IPS), various security improvements, an updated version of the Linux firmware bundle, as well as a heap of updated packages and bug fixes.

Intrusion Prevention System improvements

Stefan contributed a patch series that notably improves the IPS, particularly the handling of ruleset providers. While many of the changes are done under the hood, the following are visible in the web interface:

  • Monitoring mode can now be enabled for each ruleset provider individually. This makes baselining and testing much less of a hassle, since newly introduced IPS ruleset providers can now first be used for logging only, without risking disruptions or unintended side-effects.
  • Parsing and restructuring changed or updated rulesets has been improved and is now faster by orders of magnitude.
  • The downloader will now automatically check whether a ruleset has been updated on its provider's server by checking the ETag HTTP header. This allows us to drop the update interval selection; every IPS ruleset will now be updated automatically at the appropriate interval.
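The ETag-based check described above, as an added illustration that is not IPFire's own downloader code: a conditional GET sends the ETag remembered from the last download in an If-None-Match header, and the provider answers 304 Not Modified when nothing changed, so no ruleset bytes are transferred. The provider is a constructed in-process HTTP server serving a made-up rule, so the example runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample: a fake ruleset provider serving one file with a fixed ETag.
RULESET_BODY = b'alert tcp any any -> any any (msg:"constructed test rule"; sid:1000001; rev:1;)\n'
RULESET_ETAG = '"v1-constructed"'


class ProviderHandler(http.server.BaseHTTPRequestHandler):
    """Answers 304 when the client's stored ETag still matches, else sends the file."""

    def do_GET(self):
        if self.headers.get("If-None-Match") == RULESET_ETAG:
            self.send_response(304)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("ETag", RULESET_ETAG)
        self.send_header("Content-Length", str(len(RULESET_BODY)))
        self.end_headers()
        self.wfile.write(RULESET_BODY)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_provider():
    srv = http.server.HTTPServer(("127.0.0.1", 0), ProviderHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_ruleset(url, stored_etag):
    """Conditional download. Returns (changed, etag, body); body is None on 304."""
    req = urllib.request.Request(url)
    if stored_etag:
        req.add_header("If-None-Match", stored_etag)
    try:
        with urllib.request.urlopen(req) as resp:
            return True, resp.headers.get("ETag"), resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 304:          # provider says: unchanged since the stored ETag
            return False, stored_etag, None
        raise


def demo():
    srv = start_provider()
    url = "http://127.0.0.1:%d/ruleset.tar.gz" % srv.server_address[1]
    first = fetch_ruleset(url, None)        # no ETag stored yet: full download
    second = fetch_ruleset(url, first[1])   # ETag still valid: 304, nothing downloaded
    srv.shutdown()
    return first[0], second[0], first[1], first[2]
```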

3rd party firmware updates

linux-firmware, the conglomerate of 3rd party firmware required for all sorts of hardware, has been updated. Similar to a kernel update, this brings support for new devices requiring proprietary firmware, fixes bugs and plugs some security holes.

Firmware for APU boards has been updated as well, finally enabling their hardware-based random number generator to work properly. On APU-based IPFire installations, this will speed up cryptographic operations (such as VPN traffic handling) a lot.

Security improvements

  • IPFire now drops any packet that arrives on an interface other than the one through which a reply to its source address would be routed. This thwarts entire classes of network spoofing attacks, particularly those originating from or targeting internal networks.
  • OpenSSH has been updated to 9.0p1, introducing (among other changes) quantum-resistant cryptography. IPFire's custom OpenSSH configuration has been updated to make use of it. Also, spoofable TCP-based keep-alive messages are no longer sent, preventing MITM attackers from forcibly keeping an established SSH connection open.
  • As a defense-in-depth measure, various file permissions have been tightened to prevent any unprivileged attacker from reading potentially sensitive configuration on an IPFire installation.
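The reverse-path check described in the first security bullet, as an added simulation that is not IPFire's firewall code: a reply to the packet's source address is routed through a constructed routing table with longest-prefix matching, and the packet is accepted only when that egress interface equals the interface it arrived on. The interface names and prefixes are made-up sample data; the check is the same idea as strict reverse path filtering in the Linux kernel.

```python
import ipaddress

# Constructed routing table (interface, prefix); not taken from any real installation.
ROUTES = [
    ("green0",  ipaddress.ip_network("192.168.1.0/24")),
    ("blue0",   ipaddress.ip_network("192.168.2.0/24")),
    ("orange0", ipaddress.ip_network("192.168.3.0/24")),
    ("red0",    ipaddress.ip_network("0.0.0.0/0")),   # default route towards the internet
]


def egress_interface(addr):
    """Longest-prefix match: the interface a reply to `addr` would leave through."""
    ip = ipaddress.ip_address(addr)
    best = None
    for iface, net in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def reverse_path_ok(src, ingress):
    """Strict reverse-path check: the reply to `src` must go back out via `ingress`."""
    return egress_interface(src) == ingress


def filter_packets(packets):
    """Split (src, ingress) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, ingress in packets:
        (accepted if reverse_path_ok(src, ingress) else dropped).append((src, ingress))
    return accepted, dropped


# Constructed sample traffic: legitimate packets plus spoofed or misrouted ones.
SAMPLE = [
    ("192.168.1.10", "green0"),  # LAN host on its own interface: accepted
    ("203.0.113.5", "red0"),     # internet host arriving on the WAN side: accepted
    ("192.168.1.10", "red0"),    # WAN packet claiming a LAN source: dropped
    ("203.0.113.5", "green0"),   # LAN packet with an external source: dropped
    ("192.168.2.7", "green0"),   # blue address arriving on green: dropped
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("accepted:", ok)
    print("dropped: ", bad)
```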

Miscellaneous

  • CUPS configuration is now properly processed while creating backups and restoring them.
  • Various CGIs received fixes for HTML syntax validity and for bugs, most notably the Pakfire CGI.
  • Unnecessary vnstat calls have been removed from initscripts.
  • Updated packages: bind 9.16.28, curl 7.83.0, efibootmgr 17, expat 2.4.8, freetype 2.12.1, fribidi 1.0.12, harfbuzz 4.2.0, iana-etc 20220414, intel-microcode 20220510, ipset 7.15, knot 3.1.7, libaio 0.3.113, libcap 2.64, libcap-ng 0.8.3, libgcrypt 1.10.1, libhtp 0.5.40, libinih r55, libmnl 1.0.5, libnfnetlink 1.0.2, linux-firmware 20220411, logwatch 7.6, man 2.10.2, man-pages 5.13, meson 0.62.1, mpfr 4.1.0 (plus additional upstream patches), multipath-tools 0.8.9, nano 6.3, nasm 2.15.05, openjpeg 2.4.0, openldap 2.6.1, OpenSSH 9.0p1, OpenSSL 1.1.1o, OpenVPN 2.5.6, pango 1.50.6, pciutils 3.0.8, pcre2 10.40, perl-libwww 6.62, poppler 22.04.0, procps 4.0.0, strongswan 5.9.6, sqlite 3380300, Squid 5.5, Suricata 5.0.9, vnstat 2.9, whois 5.5.13
  • Updated add-ons: bird 2.0.9, borgbackup 1.2.0, dbus 1.14.0, git 2.36.0, haproxy 2.5.5, hplip 3.22.4, ipvsadm 1.31, keepalived 2.2.7, lcdproc 0.5.9, libseccomp 2.5.4, lynis 3.0.7, mc 4.8.28, mcelog 181, mpc 0.34, mpd 0.23.6, mtr 0.95, ncdu 1.17, nfs 2.6.1, nginx 1.20.2, nut 2.8.0, oci-cli 3.7.3, oci-python-sdk 2.64.0, openvmtools 12.0.0, parted 3.5, pcengines-apu-firmware 4.16.0.3, Postfix 3.7.1, powertop 2.14, python3-botocore 1.24.37, python3-charset-normalizer 2.0.12, python3-click 8.1.2, python3-flit 3.7.1, python3-jmespath 1.0.0, python3-pyparsing 3.0.7, python3-pytz 2022.1, python3-s3transfer 0.5.2, python3-semantic-version 2.9.0, python3-setuptools-rust 1.2.0, python3-setuptools-scm 6.4.2, python3-tomli 2.0.1, python3-typing-extensions 4.1.1, python3-urllib3 1.26.9, rsync 3.2.4, samba 4.16.0, sdl2 2.0.22, spectre-meltdown-checker 0.45, strace 5.17, stress 1.0.5, stunnel 5.63, Tor 0.4.7.7, tshark 3.6.3

As always, we thank all people contributing to this release in whatever shape and form. Please test this update, especially if you are using exotic hardware or uncommon network setups, and provide feedback. IPFire is backed by volunteers - should you like what we are doing, please donate to keep the lights on.


Another update of IPFire is ready: IPFire 2.27 - Core Update 167. It brings an updated kernel in which we continue our efforts to harden IPFire even further; various package updates including bug and security fixes as well as smaller improvements throughout the distribution.

Linux Kernel 5.15.35

As usual, the updated kernel comes with a heap of bug fixes, security fixes, and hardware support improvements from upstream. In addition to that, Michael contributed a patch which not only fixes bug #12760, but is also believed to cure some long-standing quirks that every now and then caused VoIP calls in particular not to be established properly. Should the patch pass testing successfully, we will of course upstream it to the Linux kernel in order to let the whole open-source community benefit from it. Also, we took the opportunity to continue to harden the kernel even further.

Miscellaneous

  • dracut has been updated to version 056 and improved to compress initial ramdisks better and faster. This also fixes boot issues on Xen hypervisors (#12773).
  • Support for ReiserFS has been dropped from the installer, as this filesystem is now marked as deprecated in the Linux kernel: it is not safe against the Y2k38 problem and will not be made so. Existing installations will continue to be supported for the time being.
  • ARM: OrangePi Zero Plus and NanoPi R1S H5 are now supported
  • Stefan contributed various fixes and improvements to the Intrusion Prevention System, resolving a couple of bugs
  • In addition, he and Michael squashed some bugs in the firewall engine that were unfortunately not spotted during the testing phase for Core Update 165
  • unbound-dhcp-leases-bridge has received improvements to reliably propagate DHCP hosts to the DNS. Thanks go to Anthony Heading for his work on that front.
  • Text editor nano is now part of the core system, to provide users with an alternative to vim without needing to install an add-on
  • A GPG key rollover for Pakfire, IPFire's package management, was performed
  • Irrelevant parts of linux-firmware, such as firmware blobs for switches, are no longer shipped and installed, saving a couple of megabytes
  • A spring clean is performed on existing installations, removing orphaned system files accidentally left over from previous updates
  • Bernhard contributed patches for fixing the "hostile networks" in the firewall hits graph
  • The checksum algorithm for compilation routines and development has switched from MD5 to BLAKE2, requiring a couple of changes under the hood
  • Several improvements were made to the web interface by Matthias
  • After Core Update 165, Tor crashed due to its sandbox not permitting some syscalls required by updated glibc. This has now been fixed.
  • Updated packages: apache 2.4.53, bind 9.16.27, curl 7.82.0, gzip 1.12 to fix CVE-2022-1271 (xz was patched in this occasion as well), harfbuzz 3.4.0, iproute2 5.17.0, libdnet 1.14, libloc 0.9.13, nano 6.2, ntfs-3g 2021.8.22, OpenSSH 8.9p1, OpenSSL 1.1.1n, pango 1.50.4, perl-CGI 4.54, psmisc 23.4, rrdtool 1.8.0, smartmontools 7.3, sqlite 3380000, strongSwan 5.9.5, sudo 1.9.10, util-linux 2.38, wget 1.21.3, wireless-regdb 2022.02.18, zlib 1.2.12 to fix another vulnerability not covered in Core Update 166
  • Updated add-ons: cifs-utils 6.14, cups-filters 1.28.14, ghostscript 9.56.1, haproxy 2.4.15, hplip 3.22.2, monit 5.32.0, nmap 7.92, Postfix 3.7.0

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, and consider becoming engaged in development to distribute the load over more shoulders.


After the single-issue Core Update 166, the next regular update is available for testing. It brings an updated kernel in which we continue our efforts to harden IPFire even further; various package updates including bug and security fixes as well as smaller improvements throughout the distribution.

Linux Kernel 5.15.35

As usual, the updated kernel comes with a heap of bug fixes, security fixes, and hardware support improvements from upstream. In addition to that, Michael contributed a patch which not only fixes bug #12760, but is also believed to cure some long-standing quirks that every now and then caused VoIP calls in particular not to be established properly. Should the patch pass testing successfully, we will of course upstream it to the Linux kernel in order to let the whole open-source community benefit from it.

We took the opportunity to harden the kernel even further. Most notably, it now comes with the kernel lockdown Linux Security Module (LSM) [1], which prevents IPFire's kernel from being tampered with, even if an attacker managed to get root access to an IPFire installation.

Miscellaneous

  • dracut has been updated to version 056 and improved to compress initial ramdisks better and faster. This also fixes boot issues on Xen hypervisors (#12773).
  • Support for ReiserFS has been dropped from the installer, as this filesystem is now marked as deprecated in the Linux kernel: it is not safe against the Y2k38 problem and will not be made so. Existing installations will continue to be supported for the time being.
  • ARM: OrangePi Zero Plus and NanoPi R1S H5 are now supported
  • Stefan contributed various fixes and improvements to the Intrusion Prevention System, resolving a couple of bugs
  • In addition, he and Michael squashed some bugs in the firewall engine that were unfortunately not spotted during the testing phase for Core Update 165
  • unbound-dhcp-leases-bridge has received improvements to reliably propagate DHCP hosts to the DNS. Thanks go to Anthony Heading for his work on that front.
  • Text editor nano is now part of the core system, to provide users with an alternative to vim without needing to install an add-on
  • A GPG key rollover for Pakfire, IPFire's package management, was performed
  • Irrelevant parts of linux-firmware, such as firmware blobs for switches, are no longer shipped and installed, saving a couple of megabytes
  • A spring clean is performed on existing installations, removing orphaned system files accidentally left over from previous updates
  • Bernhard contributed patches for fixing the "hostile networks" in the firewall hits graph
  • The checksum algorithm for compilation routines and development has switched from MD5 to BLAKE2, requiring a couple of changes under the hood
  • Several improvements were made to the web interface by Matthias
  • After Core Update 165, Tor crashed due to its sandbox not permitting some syscalls required by updated glibc. This has now been fixed.
  • Updated packages: apache 2.4.53, bind 9.16.27, curl 7.82.0, gzip 1.12 to fix CVE-2022-1271 (xz was patched in this occasion as well), harfbuzz 3.4.0, iproute2 5.17.0, libdnet 1.14, libloc 0.9.13, nano 6.2, ntfs-3g 2021.8.22, OpenSSH 8.9p1, OpenSSL 1.1.1n, pango 1.50.4, perl-CGI 4.54, psmisc 23.4, rrdtool 1.8.0, smartmontools 7.3, sqlite 3380000, strongSwan 5.9.5, sudo 1.9.10, util-linux 2.38, wget 1.21.3, wireless-regdb 2022.02.18, zlib 1.2.12 to fix another vulnerability not covered in Core Update 166
  • Updated add-ons: cifs-utils 6.14, cups-filters 1.28.14, ghostscript 9.56.1, haproxy 2.4.15, hplip 3.22.2, monit 5.32.0, nmap 7.92, Postfix 3.7.0

For the sake of completeness, compressing the linux-firmware contents was heavily discussed and worked on prior to this update. We ultimately had to step back from doing so, since we could not ship the compressed linux-firmware due to size limitations, and compressing the files on existing installations would have taken ages, especially on systems with a slower CPU.

As always, we thank all people contributing to this release in whatever shape and form. Please test this update, especially if you are using exotic hardware or uncommon network setups, and provide feedback. IPFire is backed by volunteers - should you like what we are doing, please donate to keep the lights on.


  1. Given the fact that LSM has been under development since 2012, the term "lockdown" was coined way before the pandemic. :-)