IPFire 2.25 - Core Update 141 released

by Michael Tremer, February 24, Updated February 24

The first exciting big update of the year is ready: IPFire 2.25 - Core Update 141! It comes with a totally reworked DNS system which adds many new features like DNS-over-TLS.

On top of that, this update fixes many bugs.

DNS Updates

The biggest set of changes in this release is around DNS. We have cleaned up many scripts and the UI which allowed us to add new functionality:

  • A unified page with all DNS settings
  • More than two DNS servers can be added for better load-balancing and resiliency. The fastest servers will be used automatically.
  • Enhanced privacy with DNS-over-TLS and strict QNAME minimisation
  • Safe Search, to filter adult content from the entire network without using the web proxy
  • Better workarounds for users with ISPs that filter DNS responses/break DNSSEC. TLS and TCP can be used as transport instead.
  • Faster boot because of fewer checks being executed at boot time

In order to combat MTU issues, we are following guidelines and have set the EDNS buffer size to 1232 bytes. This avoids large DNS replies being fragmented even on Internet lines with smaller MTUs.
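To make the 1232-byte figure concrete, here is an added example (not IPFire's code) that builds a DNS query carrying an EDNS0 OPT record, reads the advertised UDP payload size back from the wire format, and checks whether a reply of that size fits in one packet at a given MTU. The function names and the query name `example.org` are assumptions made for illustration; the 1280-byte MTU is the IPv6 minimum.

```python
import struct

IPV6_HDR, IPV4_HDR, UDP_HDR = 40, 20, 8  # header sizes in bytes (IPv4 without options)

def build_query(name, edns_size=1232, qtype=1):
    """Build a DNS query for `name` carrying an EDNS0 OPT record (RFC 6891)."""
    # ID 0x1234, RD flag set, 1 question, 1 additional record (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL 0, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def advertised_edns_size(msg):
    """Return the UDP payload size from the OPT record, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def fits_unfragmented(payload, mtu, ipv6=True):
    """True if a UDP datagram with `payload` bytes fits in one packet at `mtu`."""
    return payload + UDP_HDR + (IPV6_HDR if ipv6 else IPV4_HDR) <= mtu

if __name__ == "__main__":
    query = build_query("example.org")  # constructed sample query
    size = advertised_edns_size(query)
    for mtu in (1280, 1492, 1500):
        print(mtu, size, fits_unfragmented(size, mtu), fits_unfragmented(4096, mtu))
```

A 1232-byte payload plus the UDP and IPv6 headers is exactly 1280 bytes, so it passes at every MTU in the loop, while a 4096-byte payload fails at all of them.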

All DNS settings will be converted automatically. The conversion also works when older backups are restored.

Updates Under The Hood

IPFire is a modern distribution as we change and update many essential system components regularly. That allows us to keep you safe, support new features and of course be fast by taking advantage of modern hardware.

In this update, we have rebased the system on GCC 9 and added support for Go and Rust. We have added Python 3 to the base system and deprecated Python 2, which is out of support by now. Not everything has been converted to use Python 3 yet, but we will hopefully soon be able to drop support for Python 2 altogether.

Unfortunately, the system is growing larger and larger with every update. Software in general is quite bloated, although we are trying our best to keep IPFire as small as possible. On systems that have a 2GB root partition and many add-ons installed, disk space might be running out. This update clears a lot of files that are no longer needed. We have also improved the stripping of debugging symbols from our binary files, which are not needed on a production system, in order to keep those files smaller.

  • elinks, the text-based browser, is no longer an add-on but is shipped with the core system.
  • LVM devices are now supported in IPFire.
  • Updated packages: efivar 35, gcc 9.2.0, file 5.38, knot 2.9.2, libhtp 0.5.32, mdadm 4.1, mpc 1.1.0, mpfr 4.0.2, rust 1.39, suricata 4.1.6, unbound 1.9.6
  • New packages: rfkill

Misc.

  • The Intrusion Prevention System now filters packets from and to OpenVPN clients, too
  • Pakfire initially used HTTP for downloading the first mirror list. The server would have redirected it to HTTPS, but this has now been changed so that the first connection attempt uses HTTPS.
  • As announced in a separate blog post, we are shipping the latest version of Maxmind's GeoIP database
  • IPsec: To enhance compatibility with many clients, newly generated root certificates will include a valid Subject Alternative Name which can also be freely configured

Add-ons

  • Updated: dehydrated 0.6.5, libseccomp 2.4.2, nano 4.7, openvmtools 11.0.0, tor 0.4.2.5, tshark 3.0.7
  • New: amazon-ssm-agent for better integration into the Amazon cloud