IPFire 2.21 - Core Update 127 released

by Michael Tremer, February 6, 2019

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

The first update of the year and it is packed with loads of new features, many many performance improvements as well as some security fixes. This is quite a long change log, but please read through it. It is worth it!

To support our project and keep us bringing these updates for you, please donate!

Squid 4.5 - Making the web proxy faster and more secure

We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.

We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.

One of the major changes is that we have removed a control that allowed to configure the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically configured to the number of processors. Due to that, we only use as many processes as the system has memory for but allow to use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy so that there is no wait any more for the first request being handled or when the proxy is under higher load.

We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time to become faster by being more efficient.

We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.

We have also removed authentication against Microsoft Windows NT 4.0 domains. Those authentication protocols used back then are unsafe for years and nobody should be using those any more. Please consider this when updating to this release.

We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software coming from the same system was allowed for one second to send requests to the web proxy being properly authenticated. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.

New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.

Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.

DNS Forwarding

The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses to forward requests to multiple servers that are found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queries for one single domain. Before only one IP address was supported which rendered the domain unresolvable in case of that specific server becoming unreachable.

These changes allow to redirect requests to DNS blacklists for example directly to the right name servers and not worry about any changes of IP addresses at the provider. There is also load-balancing between multiple servers and the fastest server is being preferred so that DNS resolution for all domains is faster and more resilient, too.

Misc.

  • Kernel modules that initialised framebuffer are no longer being loaded again. This cause some crashes on various hardware with processors from VIA and was a regression introduced by compression kernel modules with the last Core Update.
  • Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
  • We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
  • fireinfo now supports authentication against any upstream web proxies
  • Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
  • Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
  • The description on which SSH port IPFire is listening has been fixed.
  • Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
  • GeoIP: Scripts have been updated to use a new format of the GeoIP database
  • Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1

Add-ons

  • Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
  • The haproxy package now correctly handles its backup