This is the official release announcement of IPFire 2.15 (Core Update 77). It is the release with the most changes since the beginning of the IPFire 2 series. Those changes include major work on the base of the system, many security improvements, and many changes to the user interface that introduce new functionality and make managing the firewall easier.
If you want to support the IPFire project, you can do this by donating. Your contributions will help to extend our activities and improve the IPFire distribution and are of course very much needed and appreciated.
This changelog is very long, but we recommend that you read through it, because there are so many exciting changes that make IPFire so much better, but of course we cannot headline them all.
New firewall GUI
The firewall GUI has been in development for over a year now and has been massively extended so that almost everything is possible now. There are groups which make creating rules for multiple hosts or services very easy and help you keep your nerve, even with complex rule sets.
All your rules will be automatically converted, but we recommend double-checking that everything works as intended.
On decent sized hardware, IPFire never had any performance issues, but in this release, we still spent some time to make it even better. The connection tracking has been improved so that malformed packets (e.g. invalid TCP flags) are dropped earlier and fewer rules have to be evaluated for every packet that transits the firewall.
Therefore, performance especially on slow hardware has been improved in terms of throughput and latency.
The base system
The Linux kernel – now grsecurity-enabled
IPFire 2.15 is based on Linux 3.10 and patched with grsecurity. grsecurity hardens the kernel and the system so that even if there are bugs in an application, these cannot be exploited by an attacker. It therefore provides pro-active security at the cost of a small performance decrease.
The new kernel also provides lots of new device drivers and supports more recent hardware:
- Support for the synthetic drivers of Microsoft’s Hyper-V has been enabled.
- For the igb drivers for Intel network hardware, the kernel driver has been replaced by the official one by Intel that just supports more recent cards.
- Support for the Geos router has been added.
- Thank you for lending us the hardware for testing.
- Support for the PC Engines APU has been added.
- Thank you as well for sending us the hardware for testing.
glibc and other essential libraries
Essential system libraries like glibc have been updated or patched for performance and to fix security issues.
A more important one is the openssl library that has been updated to version 1.0.1g. In addition to the ciphers and other algorithms that have been supported in openssl 0.9.8, there is now support for more ciphers that are used to secure communication with the IPFire web user interface and VPN services. The library has been modified to never propose weak algorithms.
All packages are now compiled with stack smashing protection and -fPIC whenever possible.
Updated software packages
apache 2.2.26, beep 1.3, fireinfo 2.1.9, iptables 1.4.21, iw 3.10, kmod 13 (replaces module-init-tools), libnl 1.1.4, libxml 2.6.32, lm_sensors 3.3.4, linux-firmware 52d77db, lzo 2.06, memtest 5.01, Net::SSLeay 1.55, ntp 4.2.6p5, openssh 6.6p1, perl-DBI 1.631, strongswan 5.1.2, udev 208, usb-modeswitch 2.01 and database version 20131113, usbutils 007, util-linux 2.24, vim 7.4, wget 1.14, xz 5.0.5
Raising the perimeter: Increasing security of Virtual Private Networks (VPNs)
Besides the new firewall and the hardening of the base system, we focused on improving cryptography, in both security and performance. All sorts of algorithms that are supported by the kernel and openssl have been enabled and added to the GUI so that they can be used.
strongswan, the software that provides the IPsec functionality in IPFire, has been updated to version 5.1.2 and the farp plugin has been enabled.
The Camellia cipher has been added with supported key lengths of 256, 192 and 128 bits. Camellia is a competitor to AES with no affiliation to the government of the United States of America. For IKE group types, MODP-2048 with subgroups has been added as well as the Brainpool Elliptic Curves. These are an alternative to the curves specified by NIST (National Institute of Standards and Technology of the USA).
The “advanced settings” page has been redesigned so that the many algorithms that are now supported fit on the page. Options for the “Dead Peer Detection” have been added so that these are changeable by the user, too.
As well as IPsec VPNs, OpenVPN supports the Camellia cipher, too. For new installations, the default cipher for the Roadwarrior server is AES-256-CBC instead of Blowfish.
Utilising Hardware Random Number Generators (HWRNGs)
IPFire 2.15 now feeds entropy from hardware random number generators directly into the kernel, so that there will always be sufficient randomness for cryptographic applications like VPNs or generating certificates. This will make these operations stronger against some attacks and also faster.
Unfortunately, only a few systems come with HWRNGs. There is a list on the wiki with supported hardware. Please don’t forget to add your hardware if it is supported as well.
There is a new entropy graph that shows how much entropy is available in the kernel’s entropy pool, whose size has also been increased.
Enhanced Wireless Capabilities
The wireless access point that can be created with a simple wireless card and the hostapd addon now supports working on channels in the 5 GHz band that require DFS (radar detection). Therefore more of the frequency space can be used to create wireless networks with better throughput because of less interference.
The GUI shows some more information now about the status of the wireless hardware and connected clients.
Utilising hardware cryptography chips
On systems which provide a chip that is able to encrypt/decrypt data and on those systems which have a CPU that comes with special instructions, cryptographic operations are substantially faster.
IPFire is able to use the AES-NI instructions of newer CPUs and other crypto hardware like VIA Padlock, etc. Check our wiki for a full list of supported hardware.
OpenSSH has been updated to 6.6p1 and uses ed25519 if both client and server support it. ed25519 is an elliptic curve specified by a team led by Daniel J. Bernstein.
The ARM version of IPFire now ships an experimental multi-platform kernel. This means that this kernel is able to run on not just one board as it has been before, but on many boards of the same kind.
- u-boot has been updated to 2013.10
- Wandboard (Only quad-core version tested)
- A10 SoCs (untested)
- Armada XP (untested)
Unfortunately, the Raspberry Pi computer is not able to boot the multi-platform kernel, but there is an extra image for the Raspberry Pi. The kernel has been patched with the Raspberry Pi patchset of version 943b563.
There is also an extra kernel for Marvell Kirkwood-based systems.
New Web User Interface style
The web user interface has got a new default theme. It makes the configuration pages easier to navigate and gives them a clean appearance. The generated HTML output of many CGI scripts has been improved and validates as HTML5.
Some pages got a bigger redesign to put the most important information in focus. Others have received some smaller changes which might not be notable right away. Overall, the pages should be cleaner and faster to render for the browser.
If you want to stick with the old one, it will still be there called “ipfire-legacy”. A rounded version of the new default theme is available as well as a theme called “darkdos” by Logan Schmidt.
Stronger Ciphers for the Web User Interface
The web user interface now requires a certain set of ciphers that must be supported by the client as well. Broken or weak ciphers like RC4 are not used any more and AES-128 and AES-256 in Galois/Counter Mode are preferred in that order. If GCM is not supported, apache will try to use CBC. Using SSLv2 is forbidden and TLSv1.2 is preferred, if available.
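The policy above can be checked against a server's cipher preference list. The following is an added example, not IPFire's own code or configuration: the function names and the sample lists are constructed, and it assumes that "in that order" means every AES-128-GCM suite precedes every AES-256-GCM suite, which precede all other (CBC) suites.

```python
# Added example: audits a cipher preference list against the policy described
# in the text. Suite names use OpenSSL naming; all sample data is constructed.

# RC4 is named in the text; the other markers are assumed extra weak classes.
WEAK_MARKERS = ("RC4", "NULL", "EXP", "MD5")


def rank(suite):
    """0 = AES-128-GCM, 1 = AES-256-GCM, 2 = any other suite (CBC fallback)."""
    if "AES128-GCM" in suite:
        return 0
    if "AES256-GCM" in suite:
        return 1
    return 2


def audit(suites, protocols):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    if "SSLv2" in protocols:
        findings.append("SSLv2 is enabled")
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 is not offered")
    worst_seen = 0
    for pos, suite in enumerate(suites):
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"weak cipher offered: {suite}")
            continue
        if rank(suite) < worst_seen:
            findings.append(f"{suite} (position {pos}) follows a less preferred suite")
        worst_seen = max(worst_seen, rank(suite))
    return findings


# Constructed server preference lists, most preferred first.
GOOD = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA"]
BAD = ["RC4-SHA", "ECDHE-RSA-AES128-SHA",
       "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(audit(GOOD, ["TLSv1", "TLSv1.1", "TLSv1.2"]))
    for finding in audit(BAD, ["SSLv2", "TLSv1"]):
        print(finding)
```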
- udmedia.de is supported as a Dynamic DNS provider.
- The setddns.pl script now recognises the DS-Lite address range correctly.
There are no more USB installation images, as the ISO now can be booted from a USB key.
- For installations on big harddisks, the installer will partition the disk with GPT.
- It is possible to use the identification function of NICs, so that finding the right one when installing for the first time gets easier. The LEDs of the network adapter will simply flash for a couple of seconds so you know where to put in the right cable.
Quality of Service
- The Quality of Service now accepts rules for subnets and not only single IP addresses.
- beep has been updated to version 1.3 and supports more beepers.
- fireinfo did not properly read harddisk serial numbers if those were shorter than 10 characters. This may cause some systems to change their fireinfo ID.
- The boot process has been improved so that the system should boot up slightly faster.
- OpenVPN net-to-net connections sometimes got stuck in WAIT state. The user interface now shows reliably if a connection is established or not.
- Insertion of thousands of hosts on the wireless access page has been improved.
- Command line parsing of the setuid binaries has been improved as it was possible to let those commands crash because of a stack buffer overflow.
- Statistics of the Solus PCI DSL modems are shown in the web user interface.
- The update accelerator supports Archlinux packages now and does not stumble upon files with a colon (:) in the URL.
tor has been updated to version 0.2.4.20, which uses a new hand-shake algorithm that requires far fewer resources and also uses stronger ciphers for data packets. The limit of max. concurrent connections has been raised.
Guardian now reacts to brute-force attacks against the local SSH server in the pre-auth stage. That means that testing user/password combinations is almost instantly blocked.
- New packages:
- mysql has been updated to version 5.0.96.
- cups has been updated to version 1.7.0 and uses libusb to communicate with USB printers.
- gutenprint has been updated to version 5.2.9 and comes with support for many new printers.
- foomatic has been updated to version 4.09/4.0.17 (20131023) and provides even more drivers for printers.
- miniupnpd has been updated to version 1.8.
- fetchmail has been updated to version 6.3.26.
- git has been updated to version 188.8.131.52.
- nginx has been updated to version 1.4.4.
- clamav has been updated to version 0.98.1.
- rsync has been updated to version 3.1.0.
- samba has been updated to version 3.6.19.
- vdr has been updated to version 2.0.5.
- w_scan has been updated to version 20130331.
Number of changes and Contributors
The number of changes in this release is bigger than it ever was. We received some great contributions, but we still wish that there will be more in the future. One thing that needs some care is translations other than English and German, as there are no people in the team who speak any of the other languages that are “supported”.
The commit-wise biggest contribution is the firewall GUI that has been written by Alexander Marx (over 400 commits). Other contributions have been submitted by Alf Høgemark, Erik Kapfer, Ben Schweikert, Ersan Yildirim, Kim Wölfel, Logan Schmidt, Hans Horsten and Bernhard Bitsch.
We would like to thank all people who have directly or indirectly contributed to this release and we are looking forward to accepting your contributions as well. There are many things to do, like translations, bug fixes, or new features. All of them are important to make IPFire what it is.