This is an invitation to take part in testing IPFire 2.15 – Core Update 80. It comes with lots of new features, some bugfixes and some minor security fixes.
There has been a crowdfunding on the IPFire wishlist which raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service that is running inside of IPFire has been forked and some features that were dropped in the upstream version have been backported.
IPFire now validates every DNS response of zones that are signed. If the DNSSEC signatures do not validate a DNS error is raised and therefore spoofing attacks are not longer possible. However, it is not sufficient for the internal DNS proxy to have DNSSEC enabled. Client systems should validate DNSSEC records, too, but we think that these changes block most spoofing attacks from the Internet and only DNS spoofing attacks from the local network are possible. The cache pool size has been increased so that dnsmasq is able to cache many DNS keys and signatures and that the verification does not harm the user experience.
It is required that the DNS servers from the Internet service providers validate DNSSEC as well. If not, you may change to one of those public DNS servers in this list. There is more information about DNS and IPFire on our wiki.
New dynamic DNS updater
A new tool to update dynamic DNS records has been written. It replaces the old, faulty and hard to maintain perl script
setddns.pl. The new client is written in Python and portable to other distributions as well. It is easily extensible and avoids duplicating code. The sources can be found on our own git server or on GitHub and we are happy to receive improvements and patches that add support for new providers.
The user interface has been simplified and obsolete and deprecated features like wildcard support have been dropped.
There is support for all DNS providers that have been formerly supported. Providers that don’t exist any more have been removed and some new ones have been added: all-inkl.com, dhs.org, dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com, easydns.com, enom.com, freedns.afraid.org, namecheap.com, no-ip.com, nsupdate.info, ovh.com, regfish.com, selfhost.de, spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de, zoneedit.com
- The lzo libary has been updated to version 2.08 because of a potential, but very unlikely security issue filed under CVE-2014-4607.
- wpa_supplicant has been updated to version 2.2.
- strongswan has been updated to version 5.2.0
- Ersan Yildirim submitted updates for the Turkish translation.
dhcrelaybinary and an initscript are shipped.
- The bind tools have been updated to version 9.9.5 to support DNSSEC, too.
- rng-tools have been updated to version 5 to support Intel processors that come with the RDRAND instruction, but without AES-NI.
- squid web proxy: The minimum and maximum object size of objects that are put into the cache is no longer ignored.
- Firewall hits by country: Fix chart for dial-up connections.
- Firewall GUI: Building the rule table has been speed up when no DNS servers are reachable.
- Static routes cannot be added twice into the configuration and must not be a part of any of the local networks.
- ownCloud – The private cloud – Documentation
- clamav 0.98.4
- hostapd 2.2
- sane 1.0.24
- tor 0.2.4.22
- transmission 2.84