IPFire 2.27 - Core Update 179 released

by Michael Tremer, September 26

It is time to upgrade your systems to IPFire 2.27 - Core Update 179. It will bring you Indirect Brand Tracking in user space in order to better mitigate any injected code, a completely rewritten ExtraHD and a large number of package updates & the usual bunch of bug fixes.

But before we start talking about the changes in detail, we would like to take a moment and ask for your donation. We put a lot of effort into building and testing this update and could not do any of this without your donation. Please, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

Indirect Branch Tracking for User Space

This technology uses a CPU extension which (if available) will check if a program returns from a function or jump correctly. If not, for example in case of injected code, an exception is being raised and the program is being terminated.

This is a follow-up after hardening our kernel against the same attack vector in Core Update 177 and had to be split off to keep updates an easier to handle smaller size.

ExtraHD

This feature that allows mounting any extra storage into IPFire has been entirely rewritten. The code was hard to extend and some smaller issues became hard to fix which resulted in us making the decision for a rewrite. It should now be a lot more robust and easy to use.

Misc.

An issue where connected OpenVPN clients were shown disconnected (#13190)
A non-critical validation error of location group names as been fixed.
Package updates: cURL 8.2.1, eudev 3.2.12, fmt 10.0.0, freefont 20100919, fuse 3.15.0, glib 2.77.0, GNU Gettext 0.22, GMP 6.3.0, groff 1.23.0, harfbuzz 8.1.1, libarchive 3.7.0, libxcrypt 4.4.36, libxml2 2.11.4, LVM2 2.03.22, meson 1.2.0, mpfr 4.2.0p12, ninja 1.11.1, ntfs-3g 2022.10.3, rpcsvc-proto 1.4.4, oauth-toolkit 2.6.9, OpenLDAP 2.6.5, openjpeg 2.5.0, OpenSSL 3.1.2, popt 1.19, poppler 23.08.0, PPP 2.5.0, qpdf 11.5.0, SDL2 2.28.1, smartmontools 7.4, suricata 6.0.14, GNU tar 1.35, xfsprogs 6.4.0, XZ 5.4.4
Samba has UNIX filesystem extensions disabled by default now (#13193)
Updated add-ons: ebtables 2.0.11, FreeRADIUS 3.2.3, FRR 8.5.2, Git 2.41.0, HAProxy 2.8.1, hplip 3.23.5, MPD 0.23.13, ncat 7.94, nmap 7.94, Observium Agent 23.1, oci-cli 3.29.4, oci-python-sdk 2.107.0, QEMU + Guest Agent 8.0.3, Zabbix Agent 6.0.19 (LTS)
The sox package has been dropped as it is only useful in combination with Asterisk which has been dropped some while ago

As always, we thank all people contributing to this release.

IPFire 2.27 - Core Update 178 released

by Michael Tremer, August 17

This is the release announcement for IPFire 2.27 - Core Update 178 which is a release that addresses the latest vulnerabilities in Intel and AMD processors called Downfall, Inception and Phantom as well as a bug in Hyper-V which caused IPFire to freeze at boot.

Before we start talking about the changes in detail, we would like to ask for your support. We put a lot of effort into building and testing this update and could not do any of this without you. Please, if you can, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

Intel

Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

AMD

Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software- and hardware mitigations. As in the movie of the same name, Inception plants an “idea” in the CPU while it is in a sense “dreaming”, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs.

Phantom (CVE-2022-23825) enables an attacker to create a transient window at arbitrary instructions. Suddenly, a seemingly harmless XOR instruction can behave like a call instruction, and allow the attacker to create a transient window.

Hyper-V

Due to a bug in Hyper-V, the IPFire Kernel in Core Update 177 was unable to boot. This has been fixed in a workaround.

How is IPFire affected?

IPFire is not directly affected by any of these attacks as the firewall never executes untrusted code. All programs on IPFire come from our package management system which signs all updates. However, it might be possible for an attacker to inject any code remotely by some undiscovered vulnerability and using these CPU vulnerabilities might allow the attacker to create more damage. Therefore, we recommend to install this update as soon as possible and to reboot your firewall.

We recommend to install this update as soon as possible and reboot your IPFire system.

IPFire 2.27 - Core Update 177 released

by Michael Tremer, August 5

It is time for another release of IPFire: IPFire 2.27 - Core Update 177. A brand-new update which brings enhanced hardening for the IPFire OS on modern processors, a large number of package updates and fixes various security vulnerabilities in the Linux kernel, AMD processors, OpenSSH and more.

Indirect Branch Tracking by Default

This update comes with extended hardening for the kernel by using Indirect Branch Tracking wherever possible. This will prevent hackers to hijack functions calls and jump into injected code. This feature is currently only supported on Intel processors.

In the near future, we will extend this feature to the user-space and more processor types.

Security Updates

This update features a large number of package updates that patch security vulnerabilities:

Kernel Update: The IPFire kernel has been rebased to Linux 6.1.42 which amongst the usual improvements fixes the StackRot vulnerability (CVE-2023-3269).
OpenSSH (CVE-2023-38408) contains a vulnerability in the SSH agent component.
Zenbleed - An issue where vector registers leak their content.
Ghostscript contained a code execution vulnerability filed under CVE-2023-36664.

Misc.

Legacy OpenSSL version removed: OpenSSL 1.1.1 library files have been removed as previously announced
Package updates: Ghostscript 10.01.2, iproute2 6.4.0, Linux Firmware 20230625, memtest 6.20, ntp 4.2.8p17, OpenSSH 9.3p2, samba 4.18.5, Squid 6.1, sudo 1.9.14p2, util-linux 2.39.1
The Unbound/DHCP Leases bridge loads any leases into Unbound more efficiently than before due to Unbound recently adding the ability to reload its configuration.
dehydrated will try harder to update any remaining certificates if the update of one fails.
Fireinfo used to crash if the hypervisor IPFire is running on could not be detected (#13155)
Proxy ASN Blacklist: A crash that caused the proxy to restart has been fixed (#13023)
pmacct: #13159 has been fixed which fixes some invalid directives in the default configuration.
The SquidClamAV add-on has been removed: This used to be able to scan any plaintext content that passed through the web proxy. With Internet traffic being predominantly HTTPS and therefore not scannable, this feature does not serve any useful purpose and has therefore been removed.

Please reboot your system after installing this update.

IPFire 2.27 - Core Update 176 released

by Michael Tremer, July 11, Updated July 26

We are pleased to announce the release of IPFire 2.27 - Core Update 176. It features a large amount of package updates which include a security fixed and updated microcode for Intel processors as well as a couple of bug fixes.

Before we start talking about the changes in detail, we would like to ask for your donation. We have put a lot of effort into building and testing this update and could not do any of this without you. Please, if you can, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

Bug Fixes

An edge case related to bug #13138, which caused IPsec root/host certificate generation to fail on the first attempt only, has been fixed.
While editing OpenVPN static IP address pools, spaces are now handled correctly again (#13136).
udev rules for LVM volumes have been fixed, allowing for configured LVM volumes to start properly on boot again (#13151).
Remove entries for additional mass storage via the web interface of the ExtraHD add-on have been fixed, partially resolving #12863.

Miscellaneous

Filesystem journal features are now always enabled for cloud images, and as soon as a disk with SMART support is detected.
misc-progs, the safety net between IPFire's web interface and the core system, have been improved under the hood to allow for better return code enumeration.
Stéphane Pautrel has contributed improvements to the French translation of IPFire's web interface.
Updated packages: curl 8.1.0, dhcpcd 10.0.1, diffutils 3.9, ed 1.19, ethtool 6.3, freetype 2.13.1, gawk 5.2.2, gcc 13.1.0, gdb 13.2, go 1.20.4, grep 3.11, harfbuzz 7.3.0, intel-microcode 20230613, less 633, libcap 2.69, libhtp 0.5.44, man 2.11.2, nettle 3.9, pam 1.5.3, pciutils 3.10.0, procps 4.0.3, sqlite 3420000, strongswan 5.9.11, suricata 6.0.13, texinfo 7.0.3, whois 5.5.17
Updated add-ons: CUPS 2.4.6, fping 5.1, minidlna 1.3.2, nginx 1.24.0, Postfix 3.8.1, strace 6.3, stress 1.0.7, stunnel 5.69, transmission 4.0.3, wavemon 0.9.4

Please reboot your system after installing this update if you are running on an Intel processor.

IPFire 2.27 - Core Update 175 released

by Michael Tremer, June 12, Updated July 26

Finally, the next update, IPFire 2.27 - Core Update 175, has been released! It updates OpenSSL to the 3.1 branch, features a kernel update as well as a large number of package updates and a variety of bug fixes.

Before we start talking about the changes in detail, we would like to ask for your support. This update has taken a lot of effort to put together and we can't do it without you. So please, if you can, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

OpenSSL 3.1.1

IPFire heavily relies on cryptography which is being implemented by OpenSSL - a library that brings lots of cryptographic primitives and so on. Keeping it up to date is essential for the development team.

Since this release is bringing a major update to OpenSSL 3.1.1 with lots of API changes, a lot of work was necessary under the hood. I would like to highlight that Adolf from our team has been working a lot of overtime to finally get lots of problems especially with OpenVPN resolved (#13137, #13138).

To avoid breaking any custom software IPFire users may run on their installations, OpenSSL 1.1.1's files remain untouched on existing installations until the release of Core Update 176. However, please note that OpenSSL 1.1.1 is scheduled for end of life on September 11, 2023, and ensure any custom changes are made compatible to OpenSSL 3.1.x as soon as possible.

Linux 6.1.30

This Core Update features an update of the Linux kernel. Aside from the usual heap of hardware support improvements, bug fixes, and other improvements, this fixes CVE-2023-32233, a flaw in Linux' Netfilter subsystem permitting local privilege escalation; IPFire installations properly kept up-to-date are thus not considered to be affected. Nevertheless, IPFire users are advised to install Core Update 175 as soon as possible once released, and reboot their systems afterwards.

The kernel now also supports the Armada 38X RTC (#12856) and Intel's XHCI USB Role Switch feature. In addition, IPFire now supports both the OrangePi R1 Plus LTS and NanoPi R2C (plus) SoC.

Miscellaneous

The hostapd add-on now enables QCA vendor extensions to nl80211, improving performance and stability of WiFi networks provided by an IPFire system with Qualcomm and Atheros cards considerably.
Legacy firewall rules for PPPoE/PPTP have been dropped, since they are no longer needed, and pose a security risk to IPFire installations with QMI enabled.
In addition, any bogon filtering has been adjusted to no longer interfere with 224.0.0.0/4, used for multicasting services, such as IPTV.
rsnapshot has been contributed by Gerd Hoerst and Jon Murphy as a new add-on.
Downloading large backup files will no longer trigger the OOM killer (#13096).
The size of the boot partition has been extended to 512 MBytes, which is XFS' minimum requirement.
Firmware files for APU1 boards are now provided again, to ensure firmware-update can update even very outdated APU boards properly.
The powertop add-on has been removed, since it requires kernel functionalities which have been disabled due to security concerns in Core Update 171.
CUPS' HTTPS websites are now properly accessible again (#12924).
The dbus add-on is now properly terminated after uninstallation (#13094).
Robin Roevens contributed a patch for displaying the logs crated by Zabbix Agent in IPFire's web interface.
Installation and removal procedure of the alsa add-on have seen notable improvements (#13087).
FUSE mounts in BorgBackup are now working properly again (#13076).
Updated packages: acpid 2.0.34, apache 2.4.57, apr 1.7.4, aprutil 1.6.3, arping 2.23, automake 1.16.5, bash 5.2 (with patches 1 to 15), bind 9.16.39, grep 3.10, harfbuzz 7.2.0, iproute2 6.3.0, libcap 2.67, libgcrypt 1.10.2, libgpg-error 1.47, libhtp 0.5.43, libpcap 1.10.4, libxml2 2.11.1, linux-firmware 20230404, lvm2 2.03.21, memtest86+ 6.10, newt 0.52.23, OpenSSH 9.3p1, parted 3.6, pciutils 3.9.0, slang 2.3.3, sqlite 3410200, Squid 5.9, Suricata 6.0.12, tzdata 2023b, unbound 1.17.1, xfsprogs 6.2.0, zstd 1.5.5
Updated add-ons: 7zip 17.05, alsa 1.2.9, amazon-ssm-agent 3.2.582.0, aws-cli 1.27.100, bird 2.0.12, ClamAV 1.1.0, dnsdist 1.8.0, elfutils 0.189, ffmpeg 6.0, freeradius 3.0.26, ghostscript 10.01.1, nfs 2.6.3, opus 1.4, pmacct 1.7.8, Postfix 3.8.0, rng-tools 2.16, samba 4.18.1, sdl2 2.26.5, tcpdump 4.99.4, zabbix_agentd 6.0.16 (LTS)

As always, we thank all people contributing to this release. IPFire is backed by you, our community and so we would like to once again ask for your donation.

Enabling IPFire for 5G

by Michael Tremer, March 3

Are you using IPFire through a wireless connection? Do you need more bandwidth and lower latency no matter where you are? Then, we have you covered with support for 5G interfaces which also helps making 4G connections faster!

IPFire is now offering support for a new kind of wireless modem using the Qualcomm Management Interface - or QMI for short. It is a new way that is commonly used by 5G modems to talk to the operating system, but it is also used by newer 4G modems. It enables to communicate faster than before when every mobile 4G or 3G modem was emulating a serial interface like it has been used in dial-up modems of the 56k kind, or even slower.

Emulating this interface had a couple of downsides which have now been removed and more control is being given to the baseband which makes setting up 4G and 5G in IPFire even easier. Instead of typing rather complicated phone commands, now, you will only need to type your APN and - if your provider requires it - your username and password.

The Legacy Modem Interface

To IPFire, any 2G/3G/4G simply used to be a modem. Just like the 56k serial modems that we all used to have, it is controlled through exactly the same interface. Instead of using an actual serial connection, it is being emulated over USB. But since there is some emulation, and because the interface was designed for a different century, it is not the fastest any more.

Cell Tower

Is 5G here?

5G has not been rolled out just yet. Hardware is not readily available everywhere yet, and cell towers have not been upgraded unless you are in a big city. But it is happening fast...

IPFire users require more and more bandwidth as more and more applications are being rolled out. With fewer services on premise and video calls, data usage is only going up. And we like to work from wherever we are. Bringing IPFire with you, whether you are living in a remote location in the woods, you have a mobile home in a caravan, or whatever other application you have for a firewall that is on the move, we have you covered now.

This is just another step to make IPFire ready for the future and widen its application. Please send us feedback on how well this is working for you, and if you would like to support our work, please help funding our developers with your donation!

IPFire 2.27 - Core Update 173 released

by Peter Müller, February 27

The first Core Update in 2023 has been released: IPFire 2.27 - Core Update 173. It introduces support for 4G and 5G modems that use the QMI interface, features a kernel fresh from the latest 6.1 stable series, as well as the usual plethora of package updates, security improvements and bug fixes.

IPFire users running 32-bit ARM devices should note that support for this architecture will sunset at the end of this month, and are advised to migrate their installations to a hardware architecture supported by IPFire now. Consequently, this will be the last update released for this architecture.

Introducing QMI support

The Qualcomm MSM Interface is a proprietary interface increasingly used by 4G and 5G cellular modems. Commencing with this Core Update, IPFire supports interacting with such modems, thus significantly expanding its hardware compatibility to QMI-only cellular modems, and providing a faster and more modern interface.

Thanks to Michael for implementing this feature. On that occasion, he also refactored related networking code.

Linux Kernel 6.1.11

Arne has updated the Linux kernel to the most recent stable series, 6.1.11, which has become the new long-term series. Aside from the usual improvements such major kernel updates bring like bug fixes, improved hardware support and security improvements, we took the occasion to bring several new hardening changes to IPFire users:

System calls permitting processes to read or write other processes' memory are no longer provided by the kernel.
On EFI systems supporting it, the firmware is now instructed to wipe all memory when rebooting, to hamper cold boot attacks.
Landlock support has been enabled.
GCC's "latent entropy" plugin has been disabled, since it does not generate cryptographically secure entropy.
To cut attack surface, support for both the ACPI configuration file system and obsolete PCMCIA/CardBus subsystem has been removed.
On 64-bit ARM installations, direct memory access via malicious PCI devices is no longer possible.

Miscellaneous

The OpenVPN 2FA authenticator will no longer enter an infinite loop if the socket connection to OpenVPN is lost (#12963).
A user group necessary for interaction between D-Bus and Avahi is now properly created while installing the latter add-on (#13017).
The OpenVPN GUI has seen minor improvements and cleanups (#13030).
A bug in the firewall engine permitting the creation of rules with invalid sources has been resolved.
Input like *.example.com is now properly treated as a wildcard domain by the web interface (#12937).
libtirpc is now part of the core system, since it is needed as a dependency by lsof (#13015).
The obsolete spandsp add-on has been dropped.
Updated packages: Apache 2.4.55, bind 9.16.37, curl 7.87.0, ethtool 6.1, file 5.44, fontconfig 2.14.1, fuse 3.13.0, grep 3.8, harfbuzz 6.0.0, iana-etc 20221226, iproute2 6.1.0, ipset 7.17, iptables 1.8.9, iputils 20221126, iw 5.19, jquery 3.6.3, json-c 0.16, keyutils 1.6.3, knot 3.2.4, krb5 1.20.1, lcms2 2.14, less 608, libarchive 3.6.2, libcap 2.66, libconfig 1.7.3, libffi 3.4.4, libgpg-error 1.46, libidn 1.41, libinih r56, libjpeg 2.1.4, libloc 0.9.16, libmpc 1.3.1, libpcap 1.10.3, libssh 0.10.4, libstatgrab 0.92.1, libtiff 4.5.0, libtool 2.4.7, libusb 1.0.26, libxslt 1.1.37, libyang 2.1.4, linux-firmware 20221214, logrotate 3.21.0, lz4 1.9.4, memtest86+ 6.01, mpfr 4.2.0, nano 7.2, ncurses 6.4, OpenSSH 9.2p1, OpenSSL 1.1.1t, pcre2 10.42, perl-HTML-Parser 3.78, pixman 0.42.2, poppler 23.01.0, psmisc 23.6, rust 1.65, sdl2 2.26.2, shadow 4.13, sqlite 3400100, squid-asnbl 0.2.4 (resolving #13023), strongswan 5.9.9, sudo 1.9.12p2, suricata 6.0.10, xfsprogs 6.1.1, xz 5.4.1
Updated add-ons: alsa 1.2.8, bird 2.0.11, borgbackup 1.2.3 (resolving #13032), ClamAV 1.0.1, dbus 1.14.4, dnsdist 1.7.3, ghostscript 10.0.0, haproxy 2.7.1, igmpproxy 0.4, iotop 1.22, iperf 2.1.8, iperf3 3.12, libcdada 0.4.0, libexif 0.6.24, libpciaccess 0.17, libshout 2.4.6, libtalloc 2.3.4, libusbredir 0.13.0, libvirt 8.10.0, mc 4.8.29, nfs 2.6.2, nqptp ad384f9, pcengines-apu-firmware 4.17.0.3, python3-packaging 23.0, samba 4.17.4, shairport-sync 4.1.1, strace 6.1, tcpdump 4.99.3, Tor 0.4.7.13

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, an consider becoming engaged in development to distribute the load over more shoulders.

Our fight for Open Source Licenses

by Michael Tremer, October 24, 2022

The IPFire Project has been fighting a legal battle against someone who plagiarised our work and sold it as their own. This post is a summary about a fight in front of courts of law over the last couple of years and the lessons learned from it.

Free Software Licenses

IPFire is free software. That means that we, the people who contribute to it, grant people the right to use, study, share, and modify our software free of charge. What we, however, do not give you, is to do whatever you want - that includes giving you copyright to our work.

Copyright law governs who possesses the rights to a piece of music, film, or software. It is there to protect the interests of those people who create works that are easy to copy like all kinds of digital data. Licenses like the GNU General Public License grants exceptions like those outlined above.

In this particular case, someone has violated our software licenses as well as the law of the country by taking IPFire, rebranding it and selling it as their own product of which they hold all rights.

Collectively we spent a lot of time to decide whether and what we are going to do against it and we have come to the conclusion that there would be no need for software licenses unless we enforce them. Not to mention, there was of course a lot of anger that something we are working on so passionately every single day, has been taken away from us for the financial benefit of someone else.

What has happened? An IT company has set up a website with their own brand-new firewall that was written "from scratch" - I am not going to say who, because it does not matter for this story. Someone who purchased the plagiarised version from IPFire has contacted us because he recognised that "under the hood" IPFire was running. He asked us for support, because why get support from someone else when you can have the people who know it best?

You can imagine how surprised I was to find out all these details and how similar the feature set that was that was promoted on the website. Coincidence? No, not really. Writing a firewall like IPFire is not a small job. It will take a lot of experience and a lot of time from many people which clearly were not available in that organisation. The market is also very small and IPFire has quite a unique feature set and uses certain words for them - products of competitors might have the same feature, but call it something slightly different. These things usually give it away.

But to not bore you with a long story that you will have figured out already. The police confiscated the firewall that was purchased by this customer and a brief "forensic analysis" resulted in that it was indeed IPFire with a slightly changed design for the web user interface. Mainly the IPFire logo was replaced with the company logo, but they didn't even bother to change any colours. Therefore it was not a derivative product, but just a copy which still used our servers to download packages and updates.

The owner of this company was charged with copyright infringement (among other things) and a long legal process started that was unfortunately prolonged a lot by the pandemic. In a police statement, they have said that they do not believe at all that they have been doing anything wrong at all, and that IPFire was free to download on the internet. So what would stop them from doing what they were doing?

The answer is very simple:

Us, the Open Source Community

We know from conversations with other software projects, that this sadly is common practise. Many free software developers can tell stories about their software licenses infringed at some point. There are various license models ranging from "take my code, I do not care" to more restrictive licenses like the GPL, which requires that you will have to pass your software on under the same terms. To make that obvious for any end-users, you will have to give them a copy of the license and upon request the entire source code. This was of course denied to the customer, because that would have proven what they actually bought and paid a lot of money for.

I will again spare you the details of defamation and angry emails that we have been receiving from the person on trial. As things like this go, there was a lot of coercion, pressure and ugly words. There were lots of exceptional circumstances around this particular case which is why it ended up in front of a criminal court.

In the end, the owner of the company was sentenced and now has a criminal record. They also have to pay a fine as well as the procedural costs. Since this was a criminal case, neither the IPFire Project, nor anybody else involved has received any compensation for their time and their effort that they have spent.

What did we gain now? We have spent weeks of our own time putting together information that prosecution required. We have been internally debating this, got expertise from outsiders and have built a strategy. I am deeply disappointed that we had to spend so much time on this, when we could have invested that into development instead because of one player who is not following the rules. Instead of not only not supporting our project, they have actively damaged it. We know for a fact, that this is not the only case where someone is selling IPFire as their own software - without giving a penny back to the project. This is so damaging and incredibly disappointing.

The reason why I am telling you this whole story is, that we had the chance to bring this to court which we know has not been as easy for other software projects. Various organisations (e.g. The GPL Violations Project) have been trying to get free software licenses tested in a court of law and we had a unique opportunity and are happy that we could seize it.

I would like to use this post as a warning to everybody else who is taking advantage of IPFire or any other software project like ours. You are actively destroying the Open Source Community that you are at the same time abusing to run your business. You, your business and your customers rely on the software that you are stealing, and you rely on the maintainers to keep maintaining it. You make the whole free software ecosystem less sustainable. So many projects are underfunded and struggling due to this inacceptable behaviour.

But this does not mean that you cannot use IPFire commercially at all - the opposite is true. In fact, we want to work together with businesses who can help others to secure their business with a firewall. We want you to install IPFire at your customers' offices, data centers and everywhere else it fits. We build this software to be used, but...

We Need You To Give Back

If you have customers that can afford it, please donate. If you have customers that really do not care about money, have them donate even more. Get in touch if your organisation cannot donate for whatever reason. We have a massive backlog of things that we need to tackle, and this is the only way.

Report bugs back to us. We need to have feedback on how we are doing. Sometimes things break, but we wouldn't know. Help us test new releases, test new features and help us to make IPFire the best firewall that is out there. Your customers will all benefit from it and appreciate it, too.

Explain how you are using open source technology in your company. It is a miracle to me how their customers believe that a one-man IT company is building all these things that they have stolen on their own - it is absolute bollocks. Instead you will create more trust with your customers when you say: "We are using IPFire, which is a well-known product out there and we are well trained on it and experts who are ready to set it up in your business". And if there is a problem that you cannot solve on your own, it is good to work closely together with the developers.

If we are all going this way together, we will make the open source community stronger.

We make IPFire better and we make it possible for everyone to use it. We enable everyone in the world to secure their networks and contribute to make the Internet a nicer place to be. For that to become reality, we all need to contribute as much as we can. For some this is more, for some this is less. But that doesn't matter. If everyone supports their favourite free software projects as much as they can, we should easily achieve the required funding to take them all to the next level. And if you decide to not play on our side, rest assured that playing by the rules is way more affordable than a court trial.

Once again, if you can, please donate to the IPFire Project. If you are a business and you cannot donate, purchase an IPFire Open Source License from Lightning Wire Labs which will benefit the project just as well. It is very much appreciated by all of us here.

IPFire 2.27 - Core Update 171 released [SECURITY ADVISORY]

by Peter Müller, October 20, 2022

Today, we release IPFire 2.27 - Core Update 171. It updates major parts of the distribution, such as the kernel and the IPS engine, and features bug fixes as well as stability and security improvements - most notably, upstream fixes against a strain of vulnerabilities in the kernel's WiFi components. Particularly IPFire users running WiFi networking hardware are advised to install this update as soon as possible, and reboot their systems afterwards.

Also, this Core Update initiates the deprecation of IPFire support for 32-bit ARM hardware, ultimately taking effect on February 28, 2023.

Modernizing system components

Several core parts of IPFire have been updated and modernized:

Suricata has been updated to the 6.x versioning branch, after a show-stopping issue (#12548) has been resolved upstream. IPFire users will benefit from more stable, secure, and versatile IPS functionality.
The Linux kernel has been updated to 5.15.71, providing IPFire users with hardware support improvements and security fixes.
- Most notably, it resolves issues affecting ASIX USB3-to-LAN adapters using the ax88179-178a driver.
- Upstream patches for fixing CVE-2022-41674 and CVE-2022-42719 to CVE-2022-42722 have been incorporated, plugging several security vulnerabilities in the kernel's WiFi components that could have lead to RCE and DoS attacks, simply by emitting crafted WiFi beacons.
- To cut attack surface, some debugging functionalities have been removed, for which there is no legitimate use-case on an IPFire machine.
- ARM installations will experience a security benefit thanks to seccomp support enabled. Doing so previously caused issues on some boards, hence it was enabled on x86 only.
- Mathew McBride submitted patches to add support for the 64-bit ARM Traverse Ten64 board family.

Sunsetting 32-bit ARM support

Back in the glory days, the IPFire development team was optimistic about ARM becoming an affordable yet powerful alternative to the x86 architecture. Support was added in IPFire 2.11, 13 years ago. Soon, we finally would see some diversification among the hardware landscape, forcing competition and ultimately better products - or so we hoped.

Disappointment kicked in just two years later, when we realized hardware vendors were just dumping new SoCs on the marked without caring about proper operating system support at all. Existing boards disappeared quicker than the kernel developers could reverse engineer them and implement drivers. Very few of these boards actually met IPFire's demands, such as having at least two properly connected NICs.

Things did not improve afterwards, as we had to assess that there was no innovation on the market, and given the hardware specifications of the vast majority of 32-bit ARM boards, the architecture quickly became very much a legacy burden to us. Maintaining our own ARM kernel patchset started to eat into the spare time of IPFire's developers, while the amount of IPFire installations actually running on ARM never exceeded 10%. At some point, we decided not to support any additional SoCs without proper mainline kernel drivers, to prevent the situation from escalating to a DDoS against the people behind IPFire.

Today, despite significant efforts on our part, we are left with a patchy list of ARM boards supported, scanty upstream support (much like 32-bit x86), and a general disinterest in this architecture. Unsurprisingly, at the time of writing, only 0.86% of all IPFire installations out there run on 32-bit ARM.

Due to all these reasons, we decided to discontinue IPFire support for 32-bit ARM on February 28, 2023. Users are recommended to replace their hardware; after that date, IPFire won't provide updates for this architecture anymore.

64-bit ARM board support will continue, and while it is not a mainstream architecture to us (backing only 1.25% of all IPFire installations), supporting it is much less of a hassle, thanks to better upstream development and big server vendors and cloud providers rapidly shifting to 64-bit ARM. As to be expected, the boards available are much more powerful and suitable for firewalling purposes as well. We hope our decision will gain us resources to focus on more important work, such as the development of IPFire 3.

Miscellaneous

Perl, all its modules and related packages were updated to 5.36.0, resolving functional and security issues.
The toolchain, comprising of glibc, binutils and more, was modernized as well.
linux-firmware, the conglomerate of proprietary 3rd-party firmware files, has been updated as well. By removing some firmware files related to unsupported hardware, especially Bluetooth devices, we save a couple of megabytes.
Creating full-ISO backups is now possible again, resolving #12932.
libsodium is now shipped with the core system, required as a dependency to some add-ons (#12929).
Faulty links to IP blocklist source websites have been fixed (#12938).
Orphaned RRD graphs are now cleaned automatically on a weekly basis, saving disk space.
NUT logs can now be viewed in the web interface (#12921).
Connections to literal IPv6 addresses no longer crash IPFires' proxy (#12826).
IPFire's default domain is now used for DHCP leases where no domain can be determined, rather than defaulting to localdomain.
Updated packages: bind 9.16.33, binutils 2.39, curl 7.84.0, dhcp 4.4.3-P1, efibootmgr 18, efivar 38, expat 2.4.9, glibc 2.36, iproute2 5.19.0, kbd 2.5.1, libarchive 3.6.1, libhtp 0.5.41, linux-firmware 20220913, nettle 3.8.1, OpenVPN 2.5.7, Perl 5.36.0, sqlite 3390200, Squid 5.7, strongSwan 5.9.7, Suricata 6.0.8, udev 3.2.11, Unbound 1.16.3, util-linux 2.38.1, wireless-regdb 2022-08-12
Updated add-ons: elfutils 0.187, fetchmail 6.4.32, hplip 3.22.6, lcdproc 0e2ce9b, ncat 7.92, rsync 2.3.6, Tor 0.4.7.10

Celebrating 10 Years of Lightning Wire Labs (10% Off All Appliances)

by Michael Tremer, August 1, 2022

We are celebrating 10 years of Lightning Wire Labs!

A whole decade where we have been working to make the Internet a safer place. Time that has been moving fast, has been full of challenges, as well as a time that has been a great success for ourselves, and our customers and partners we work with.

To say Thank You to our loyal customers, we are offering a 10% discount on all our appliances on store.lightningwirelabs.com for all of August¹.

Happy 10 Years

In those 10 Years, we are proud:

That we have been working together with our great community, creating IPFire which is trusted by millions of users every day.
That we support customers ranging from Businesses of all shapes and sizes, Schools & Universities, Governments & Non-Governmental Organisations all over the world and help them to overcome their challenges.
We build tools to help people restoring their privacy from overreaching surveillance and data-collecting corporations.
We develop market-leading software so that anyone can make their business, organisation or home a secure place.

Thank you to everyone who has been on this journey together with us.

Cheers to the next 10 Years!

While stocks last. Offer ends on August 31st, 2022. Our terms & conditions apply. ↩

IPFire 2.27 - Core Update 168 released

by Peter Müller, June 13, 2022, Updated June 14, 2022

Another update of IPFire is ready: IPFire 2.27 - Core Update 168. It comes with significant improvements to the Intrusion Prevention System (IPS), various security improvements, an updated version of Linux' firmware bundle, as well as a heap of updated packages and bug fixes.

Heads up! IPFire running on software RAIDs will need to rebuild their RAIDs. It is possible, that the RAID was damaged since the last update due to failure to initialise it correctly at boot time (#12862). Systems affected by this problem, would have run just fine, but without the RAID. During the installation of this update, the RAID will be fixed. For that, a reboot is required after installing the update, and it might be necessary to be able to boot from the secondary RAID device.

Intrusion Prevention System improvements

Stefan contributed a patch series for notably improving the IPS, particularly when it comes to handling of ruleset providers. While many of the changes are done under the hood, the following are visible to the web interface:

Monitoring mode can now be enabled for each ruleset provider individually. This makes baselining and testing much less of a hassle, since newly introduced IPS ruleset providers can now first be used for logging only, without risking disruptions or unintended side-effects.
Parsing and restructuring changed or updated rulesets has been improved and is now faster by orders of magnitude.
The downloader will now automatically check whether a ruleset has been updated on its providers' server by checking the ETag HTTP header. This allows us to drop the update interval selection; every IPS ruleset will now updated automatically on the appropriate interval.

3rd party firmware updates

linux-firmware, the conglomerate of 3rd party firmware required for all sorts of hardware has been updated. Similar to a kernel update, this brings support for new devices requiring proprietary firmware, fixes bugs and plugs some security holes.

Firmware for APU borards has been updated as well, finally enabling their hardware-based random number generator to work properly. On APU-based IPFire installations, this will speed up cryptography operations (such as VPN traffic handling) a lot.

Security improvements

IPFire now drops any packet that is received on a different interface than it would have been routed back to. This thwarts entire classes of network spoofing attacks, particularly originating from or targeting internal networks.
OpenSSH has been updated to 9.0p1, introducing (among other changes) quantum-resistant cryptography. IPFire's custom OpenSSH configuration has been updated to make use of it. Also, spoofable TCP-based keep-alive messages are no longer sent, preventing MITM attackers to force-keep an established SSH connection opened.
As a defense-in-depth measure, various file permissions have been tightened to prevent any unprivileged attacker from reading potentially sensitive configuration on an IPFire installation.

Miscellaneous

CUPS configuration is now properly processed while creating backups and restoring them.
Various CGIs received fixes for HTML syntax validity and solving bugs, most notably the Pakfire CGI.
Unnecessary vnstat calls have been removed from initscripts.
All firewall rules required for IPsec N2N connections are now properly set up again after a tunnel comes up, resolving #12866.
Updated packages: bind 9.16.28, curl 7.83.0, efibootmgr 17, expat 2.4.8, freetype 2.12.1, fribidi 1.0.12, harfbuzz 4.2.0, iana-etc 20220414, intel-microcode 20220510, ipset 7.15, knot 3.1.7, libaio 0.3.113, libcap 2.64, libcap-ng 0.8.3, libgcrypt 1.10.1, libhtp 0.5.40, libinih r55, libmnl 1.0.5, libnfnetlink 1.0.2, linux-firmware 20220411, logwatch 7.6, man 2.10.2, man-pages 5.13, meson 0.62.1, mpfr 4.1.0 (plus additional upstream patches), multipath-tools 0.8.9, nano 6.3, nasm 2.15.05, openjpeg 2.4.0, openldap 2.6.1, OpenSSH 9.0p1, OpenSSL 1.1.1o, OpenVPN 2.5.6, pango 1.50.6, pciutils 3.0.8, pcre2 10.40, perl-libwww 6.62, poppler 22.04.0, procps 4.0.0, strongswan 5.9.6, sqlite 3380300, Squid 5.5, Suricata 5.0.9, vnstat 2.9, whois 5.5.13
Updated add-ons: bird 2.0.9, borgbackup 1.2.0, dbus 1.14.0, git 2.36.0, haproxy 2.5.5, hplip 3.22.4, ipvsadm 1.31, keepalived 2.2.7, lcdproc 0.5.9, libseccomp 2.5.4, lynis 3.0.7, mc 4.8.28, mcelog 181, mpc 0.34, mpd 0.23.6, mtr 0.95, ncdu 1.17, nfs 2.6.1, nginx 1.20.2, nut 2.8.0, oci-cli 3.7.3, oci-python-sdk 2.64.0, openvmtools 12.0.0, parted 3.5, pcengines-apu-firmware 4.16.0.3, Postfix 3.7.1, powertop 2.14, python3-botocore 1.24.37,python3-charset-vomailzer 2.0.12, python3-click 8.1.2, python3-flit 3.7.1, python3-jmespath 1.0.0, python3-pyparsing 3.0.7, python3-pytz 2022.1, python3-s3transfer 0.5.2, python3-semantic-version 2.9.0, python3-setuptools-rust 1.2.0, python3-setuptools-scm 6.4.2, python3-tomli 2.0.1, python3-typing-extensions 4.1.1, python3-urllib3 1.26.9, rsync 3.2.4, samba 4.16.0, sdl2 2.0.22, spectre-meltdown-checker 0.45, strace 5.17, stress 1.0.5, stunnel 5.63, Tor 0.4.7.7, tshark 3.6.3
Any changes to the system cron table will be lost during this update, but any custom scripts in /etc/fcron.* will remain in place.

IPFire 2.27 - Core Update 167 released

by Peter Müller, April 27, 2022, Updated April 30, 2022

Another update of IPFire is ready: IPFire 2.27 - Core Update 167. It brings an updated kernel in which we continue our efforts to harden IPFire even further; various package updates including bug and security fixes as well as smaller improvements throughout the distribution.

Linux Kernel 5.15.35

As usual, the updated kernel comes with a heap of bug fixes, security fixes, and hardware support improvements from upstream. In addition to that, Michael contributed a patch, which is not only fixing bug #12760, but also believed to cure some long-standing quirks, causing especially VoIP calls not to be established properly every now and then. Should the patch pass testing successfully, we will of course upstream it to the Linux kernel in order to let the whole open-source community benefit from it. Also, we took the opportunity to continue to harden the kernel even further.

Miscellaneous

dracut has been updated to version 056 and improved to compress initial ramdisks better and faster. This also fixes boot issues on Xen hypervisors (#12773).
Support for ReiserFS has been dropped from the installer, as this filesystem is now marked as deprecated in the Linux kernel since it is not compatible and won't be made compatible for the Y2k38 problem. Existing installations will continue to be supported for the time being.
ARM: OrangePi Zero Plus and NanoPi R1S H5 are now supported
Stefan contributed various fixes and improvements to the Intrusion Prevention System, resolving a couple of bugs
In addition, he and Michael squashed some bugs in the firewall engine that were unfortunately not spotted during the testing phase for Core Update 165
unbound-dhcp-leases-bridge has received improvements to reliably propagate DHCP hosts to the DNS. Thanks go to Anthony Heading for his work on that front.
Text editor nano is now part of the core system, to provide users with an alternative to vim without needing to install an add-on
A GPG key rollover for Pakfire, IPFire's package management, was performed
Irrelevant parts of linux-firmware, such as firmware blobs for switches, are no longer shipped and installed, saving a couple of megabytes
A spring clean is performed on existing installation, removing orphaned system files accidentally left over from previous updates
Bernhard contributed patches for fixing the "hostile networks" in the firewall hits graph
The checksum algorithm for compilation routines and development has switched from MD5 to BLAKE2, requiring a couple of changes under the hood
Several improvements were made to the web interface by Matthias
After Core Update 165, Tor crashed due to its sandbox not permitting some syscalls required by updated glibc. This has now been fixed.
Updated packages: apache 2.4.53, bind 9.16.27, curl 7.82.0, gzip 1.12 to fix CVE-2022-1271 (xz was patched in this occasion as well), harfbuzz 3.4.0, iproute2 5.17.0, libdnet 1.14, libloc 0.9.13, nano 6.2, ntfs-3g 2021.8.22, OpenSSH 8.9p1, OpenSSL 1.1.1n, pango 1.50.4, perl-CGI 4.54, psmisc 23.4, rrdtool 1.8.0, smartmontools 7.3, sqlite 3380000, strongSwan 5.9.5, sudo 1.9.10, util-linux 2.38, wget 1.21.3, wireless-regdb 2022.02.18, zlib 1.2.12 to fix another vulnerability not covered in Core Update 166
Updated add-ons: cifs-utils 6.14, cups-filters 1.28.14, ghostscript 9.56.1, haproxy 2.4.15, hplip 3.22.2, monit 5.32.0, nmap 7.92, Postfix 3.7.0

IPFire 2.27 - Core Update 166 released

by Michael Tremer, March 31, 2022

This is the release announcement for IPFire 2.27 - Core Update 166. It fixes the recently introduced backup issue and patches a security vulnerability in zlib.

zlib memory corruption on DEFLATE

CVE-2018-25032 has been assigned to an issue that allowed an attacker with some chosen content to crash the compressor. We do not believe that this is exploitable in IPFire.

We urge everyone to install this update as soon as possible and if you enjoy using IPFire, please donate.

IPFire 2.27 - Core Update 165 released

by Michael Tremer, March 29, 2022, Updated March 31, 2022

Shortly after the last one, the next release of IPFire is ready: IPFire 2.27 - Core Update 165. It comes with various updates for the firewall engine that improve its performance and increase its flexibility, as well as with an updated toolchain, Python 3.10 and various more bug and security fixes.

Before we talk in detail about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

Firewall Updates

The firewall engine has received various improvements for better performance, faster ruleset reloads, and easier code for developers:

The backend for the Location Filter, dropping traffic from hostile network, and more is now using ipset which is built into the Linux kernel instead the formerly used external kernel module called xt_geoip. This is important work which will allow us integrating new firewall features easier.
The Location Filter has been tuned so that it will load its rulesets faster and will consume less memory; this will improve any lookups and use less CPU resources and cause less level 2 cache congestion.
The P2P filter has been removed because it is outdated technology. Most of the P2P networks that were supported don't exist for a long time and those which do can easily work around this type of filtering. We recommend using the IPS for filtering this if you still need to.

Updated Toolchain

The toolchain - all programs that are required to build IPFire and the most basic system libraries - has been updated and is based on glibc 2.35, binutils 2.37 and GCC 11.1.0.

On x86, we now support Intel Control-flow Enforcement Technology (CET) which protects the C standard library with indirect branch tracking (IBT) and shadow stack (SHSTK). On aarch64, memory tagging has been enabled on processors that support it (ARMv8.5 and higher).

IPFire has been rebased to Python 3.10.1. All packages that provide or use any Python modules are being updated and shipped again.

It is now possible to completely cross-compile IPFire on any architecture for any other architecture. This is done by compiling a native toolchain with a different target architecture which will then be emulated using QEMU in userland. This is slow, but helpful to build IPFire for new architectures; currently we are conducting experiments with RISC-V without having any hardware.

Misc.

A long-standing bug with broken cable modems has been fixed: Some providers have cable modems which return an unusually small MTU of only 576 bytes which will cause that IPFire will fragment every packet larger than this before it can be sent out on the RED interface. This can now properly changed in the setup tool and IPFire will accept any custom value. This used to break video conferences over UDP which could not re-assemble the fragmented video stream and which did not automatically fall back to TCP (#12563).
Because of the growth of the operating system, the root partition of the flash image has been increased to 1800 MiB. This is the minimum to install the system and will be grown to the full size of the storage device on first boot.
IPsec: Due to a typo, Curve 25519 wasn't selected as default
OpenVPN: Due to an error in timezone handling, the usage charts could be incorrect which has been fixed now.
Wireless Client: Support for WEP has been removed which didn't work for a longer time.
OpenSSL has been updated to version 1.1.1n which fixes a denial-of-service attack filed under CVE-2022-0778.
More updated packages: bash 5.1.16, bind 9.16.26, cURL 7.81.0, ethtool 5.16, expat 2.4.6, findutils 4.9.0, gdbm 1.23, glib 2.71.1, harfbuzz 3.3.2, iproute2 5.16.0, lcms2 2.13.1, libarchive 3.6.0, libcap 2.63, libgpg-error 1.44, libloc 0.9.10, libusb 1.0.25, libwww-perl 6.61, libxcrypt 4.428, lua 5.4.4, mdadm 4.2, OpenSSL 1.1.1n, p11-kit 0.24.1, pango 1.50.3, poppler 22.02.0, SDL2 2.0.20, SQLite 3.37.2, sudo 1.9.9, wpa_supplicant 2.10, Zstandard 1.5.2

Add-ons

New packages:
- gptfdisk - A CLI tool to partition harddrives with GPT
- oci-cli - Command line tools for Oracle Cloud
Updated packages: borgbackup 1.1.17, CUPS 2.4.1, Git 2.35.1, hostapd 2.10, monit 5.31.0, nano 6.1, samba 4.15.5, stunnel 5.62, Tor 0.4.6.10
Proxy Accounting
- This package has been renamed to proxy-accounting from squid-accounting
- Alphanumerical post codes are now accepted as being used in the UK, Australia, Canada, etc.

IPFire 2.27 - Core Update 164 released

by Michael Tremer, March 10, 2022

A little but later than scheduled, it is finally here: IPFire 2.27 - Core Update 164 - coming with a vastly improved firewall engine, a new kernel under the hood, and of course with various security and bug fixes.

A New Kernel For IPFire

This update brings a new kernel for IPFire which is based on Linux 5.15. It comes with a large number of bug fixes, security fixes, and hardware support improvements. It brings improved performance for cryptographic operations on aarch64 and enables virtualisation support on this architecture, too.

Together with this new kernel, we are shipping the latest version of Intel's microcodes for various x86 processors fixing INTEL-SA-00528 and INTEL-SA-00532.

This release also patches the "Dirty Pipe" vulnerability (CVE-2022-0847), which has been discovered by Max Kellermann and allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.

Improved Firewall Capabilities

This update brings a couple of improvements for IPFire's firewall engine.

Dropping any hostile traffic: Our IPFire Location Database contains a list of networks that are considered "hostile" - a network nobody under any circumstance wants to communicate with at all like bullet-proof internet service providers or stolen/hijacked address space. This is enabled by default on new installations, but left disabled in this update. We strongly recommend for everyone to enable this on the Firewall Options page. Read more in a special post.
A better source routing validation is being performed: The firewall will now reject any packets from systems that it cannot reach according to its own routing table.
Packets that are not recognised by the connection tracking (because they might belong to an invalid connection) are now being logged to help with any debugging.
Extra logging has also been added for any spoofing attempts on the RED interface. If IPFire receives a packet with its own source IP address, this will be logged as a spoofing attempt.
Users will be able to monitor any firewall hits from spoofing in the graphs as well
In order to run a Tor relay whilst using the IPFire Location filter, any connections belonging to Tor will from now on not be checking the Location filter

Misc.

IPFire now hashes any passwords for system accounts using the YESCRYPT which is substantially stronger than the formerly used SHA512 (#12762)
URL Filter: The Shalla Secure Services and MESD blacklists have been removed, since they both have ceased service
Support for virtualisation on aarch64 with libvirt and KVM has been added
Pakfire is showing its status better on the web interface while installing updates or packages
Updated packages: expat 2.4.2, freetype 2.11.1, gdbm 1.20, hdparm 9.63, kmod 29, libxml2 2.9.12, libxslt 1.1.34, libusb 1.0.25, LVM2 2.02.188, pciutils 3.7.0, PCRE 2 10.39, perl-libwww 6.60, poppler-data 0.4.11, python3-setuptools 58.0.4, shadow 4.11.1, squid 5.4.1, tcl 8.6.12, zstd 1.5.1

Add-ons

A new package qemu-ga with QEMU's Guest Agent has been added. We recommend installing this on any system that runs in a virtualised KVM environment in order to integrate the system better with the hypervisor
Updated packages: ClamAV 0.104.2, dnsdist 1.7.0, libvirt 7.10.0, monit 5.30.0

IPFire 2.27 - Core Update 163 released

by Michael Tremer, February 8, 2022, Updated February 23, 2022

It is time to release another Core Update for IPFire. It comes with an improved Quality of Service based on CAKE and various bug fixes and a lot of package updates.

Before we talk about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

Everything is better with CAKE

CAKE is short for Common Applications Kept Enhanced and is the successor of CoDeL. It is an advanced queue management algorithm which aims to keep your internet connection snappy and fast.

CAKE comes with a couple of benefits over its predecessor of which requiring less CPU resources, more accurate bandwidth shaping due to working with bytes instead of packets the most important ones. In our experiments in the lab we have found no notable differences for fast lines, but there is a notable improvement of VoIP call quality on slower or saturated lines.

The Quality of Service in IPFire which used to be based on CoDel is now being based on CAKE. Any configuration will be automatically migrated. There are new options in the advanced settings which can be used to select any encapsulation of your internet connection which will help CAKE to more precisely estimate any overhead.

Misc.

Support for the i586 architecture has been removed
~~Passwords for system accounts will now be hashed using YESCRYPT for improved security against brute-force attacks with rainbow tables~~
IPsec: Corrupted certificates after download have been fixed
Booting IPFire on Xen has been fixed
Updated packages: Apache 2.4.52, bash 5.1.12, cURL 7.80.0, e2fsprogs 1.46.5, ethtool 5.15, exfatprogs 1.1.3, freetype 2.11.0, glib 2.70.1, grep 3.7, gzip 1.11, igmpproxy 0.3, iproute2 5.15.0, libarchive 3.5.2, libcap 2.61, libedit 20210910-3.1, libgcrypt 1.9.4, libgpg-error 1.43, libloc 0.9.9, libtasn1 4.18.0, linux-firmware 20211216, m4 1.4.19, meson 0.60.1, ncurses 6.3, PAM 1.5.2, pango 1.50.0, perl-Date-Manip 6.86, perl-Unix-Syslog 1.1, perl-URI 5.09, poppler 21.11.0,qpdf 10.4.0,rng-tools 6.14, sdparm 1.12, shadow 4.9, SQLite 3.37.0, squid 4.16, sudo 1.9.8p2, sysvinit 3.00, unbound 1.14.0 wget 1.21.2, xfsprogs 5.14.2

Add-Ons

Updated packages: elfutils 0.186, gdb 11.1, Git 2.34.1, htop 3.1.2, libsolv 0.7.19, lynis 3.0.6, nano 6.0, pcengines-apu-firmware 4.15.0.1, QEMU 6.1.0, sdl2 2.0.18, socat 1.7.4.2, Tor 0.4.6.9

Happy New Year

by Michael Tremer, December 31, 2021

As 2021 is nearing its end, I would like to take the opportunity to thank everyone who has helped us making it another successful year. Whether that is by being a loyal user, contributing to the project in any shape or form, or by helping us to promote the project and telling all your colleagues and friends about your most favourite firewall.

It has been a chaotic year - there is probably no way to hide that it has been a rollercoaster because of the pandemic still not being over. It has impacted us through a large loss of funding and motivating ourselves has been challenging throughout the year. But objectively, we have been strong and released a whopping eight releases. This is a little bit lower than last year, but the releases were bigger and packed a large number of improvements and new features:

We have massively boosted network throughput in IPFire, where especially smaller hardware is benefitting, but larger systems are able to transfer another couple of tens of gigabits. The Intrusion Detection System can offload any streams it can no longer analyse which bumps up throughput for those because there is no more overhead any more
One-Click IPsec VPNs with Mac OS X & iOS
We tackled some security problems that affected virtually any firewall in the world and got named NAT Slipstreaming
Live Graphs
Fast Flux Detection
WPA3 Client Support
Long-standing bugs around DNS have been resolved and we fixed hundreds of problems throughout the whole distribution making IPFire a lot smoother to use - even in difficult environments
We removed Python 2 and upgraded a large number of packets to keep IPFire a very modern and hardened operating system. Most important is that we migrated from Linux 4.14 to 5.15 (pun not intended).
IPFire runs on my hardware than ever since we have added loads of device drivers for modern networking hardware, support for many ARM single-board computers and we have added support for ARM on AWS

With just under 2000 commits to our master branch, it has been a record year with an increase of over 20% compare to 2020. And all that by only 17 contributors of which five have been first-time contributors. But of course development is only one part of the project. There have been plenty of people who have contributed to the documentation on our wiki spending endless days and night explaining how to use IPFire; plenty of people have been helping each other our debugging problems and giving advice on our IPFire Community Portal. All of this, and many more tasks are essential to keep the project going and I would like to thank each and everyone of you to be a part of our community.

Retiring i586 and Hardware Woes

As announced earlier this year, we are going to retire support for the i586 architecture, which will free up lots of time spent on testing. We urge everyone who didn't already to upgrade to the 64 bit version as soon as possible to get more performance and much better hardening for your system.

Just like the last couple of years, hardware security issues have kept us busy as well as security problems in some third-party software. The ecosystem is not in its best state which is causing us a lot of work where we, although there is a fix available, have to investigate whether IPFire is affected, what can be done and in the end test the fix for any regressions. Often that is difficult when we do not have access to hardware that is affected or where we simply have to act fast. Unfortunately this has limiting us a lot this year, and in the end there are often very small changesets committed to our source code repository and there is only one line in the change log - although it has been work for days and weeks.

We Are Ready For 2022!

Let's hope that things will change for the better in 2022. I am certainly looking forward to it and see it becoming the best year we have had, yet!

We have a lot planned and we hope that we can continue to grow and achieve our goals. Having started a lot of smaller projects within IPFire and having another update that is ready for testing, we have a very busy schedule and we are absolutely happy with that.

Please help us out, if you didn't already do so, and donate to the project. We really any support that we can get to bring IPFire forward and to keep doing what we are doing: Making the Internet a safer place for everyone.

If you already contributed, I would like to say Thank You an behalf of all of us here. We could not do it without the support from our community and it is great to have such a great one behind us.

Happy New Year!

IPFire 2.27 - Core Update 160 released

by Michael Tremer, October 5, 2021, Updated October 5, 2021

This is the release announcement for IPFire 2.27 - Core Update 160. It comes with a large number of bug fixes and package updates and prepares for removing Python 2 which has reached its end of life.

Improving Network Throughput

In recent days and months, the development team has spent a lot of time on finding bottlenecks and removing those. Our goal is to increase throughput on hardware and bringing latency down, for a faster network.

This update brings a first change which will enable network interfaces that support it, to send packets that belong to the same stream to the same processor core. This allows taking advantage of better cache locality and the firewall engine as well as the Intrusion Prevention System benefit from this, especially with a large number of connections and especially on hardware with smaller CPU caches.

Organised Lanes

This feature is automatically enabled on all hardware that supports it.

Removing Python 2

Python 2 has reached its end-of-life (EOL) at January 1st, 2021. In the past months and years, we have moved our own code to Python 3 which has been completed with this update.

However, Python 2 is still present in the distribution for all users who still have to port any custom scripts. With the next Core Update, we will remove Python 2 which means that you have to act now to port any custom scripts written in Python 2.

Misc.

In the firewall engine, support for redirecting services as been added and long-standing bug #12265 has been fixed
Some bugs have been fixed in the IPsec VPN scripts that prevented users to create certificate-based connections
The web proxy can now be used on systems that do not have a GREEN network
The firewall log viewer now displays IP protocol names instead of numbers.
All graphs are now rendered in SVG format which makes any scaling in the browser smoother
Updated packages: cURL 7.78.0, ddns 014, e2fsprogs 1.46.3, ethtool 5.13, glibc was patched for CVE-2021-33574 and a follow-up issue, iproute2 5.13.0, less 590, libloc 0.9.7, libhtp 5.0.38, libidn 1.38, libssh 0.9.6, OpenSSH 8.7p1, openssl 1.1.1k which fixes CVE-2021-3712 and CVE-2021-3711, pcre 8.45, poppler 21.07.0, sqlite3 3.36, sudo 1.9.7p2, strongswan 5.9.3, suricata 5.0.7, sysstat 12.5.4, sysfsutils 2.1.1

Add-ons

Updated packages: alsa 1.2.5.1, bird 2.0.8, clamav 0.104.0, faad2 2.10.0, freeradius 3.0.23, frr 8.0.1, Ghostscript 9.54.0, hplip 3.21.6, iperf3 3.10.1, lynis 3.0.6, mc 7.8.27, monit 5.28.1, minidlna 1.3.0, ncat 7.91, ncdu 1.16, taglib 1.12, Tor 0.4.6.7, traceroute 2.1.0, Postfix 3.6.2, spice 0.15.0

Can You Get Better Value For Money From AWS?

by Michael Tremer, August 30, 2021, Updated August 31, 2021

Today, we are launching IPFire on AWS ARM-based instances, making IPFire cheaper, more versatile and more secure for all your cloud-based projects.

Having been around for a little while, Lightning Wire Labs ported IPFire to the new ARM-based processors from AWS with IPFire 2.25 - Core Update 159.

The cloud is here to stay. Lightning Wire Labs proudly has a large customer base with large cloud envirtonments secured by IPFire.

One common question, we are getting often is How to reduce cost? Although running your setup in the cloud gives you a lot of flexibility, this does not come for free. As companies grow, more resources are required driving up costs, and with more financial pressure on most businesses due to the pandemic, reducing cloud spend is more important than ever.

With IPFire already being free of any license cost, the biggest opportunity to save money on the firewall is to use a smaller instance size. However, since IPFire does not use a lot of resources, a certain amount of oomph is required to keep your hosted services fast for your customers and to shift Gigabits of data.

AWS new ARM instances based on their new Graviton 2 processors come with more performance for a smaller price. Who wouldn’t want to take advantage of that?

AWS Graviton 2

For application as a firewall, the T4g, M6g and C6g instances have many advantages:

Faster processing power which decreases latency on the network
Cryptographic acceleration for more throughput over VPNs, easily saturating a multi-gigabit link
Using lightweight virtualisation, IOMMU and DMA allows for less virtualisation overhead which decreases processor usage when handling network packets and giving the system time to care about other things
ARM processors are less likely to be vulnerable for any speculation attacks such as Spectre and Meltdown, giving you a little bit of extra security in the cloud
Giving an overall 40% better price performance compared to x86-based instances

IPFire in the cloud brings all the features that cost a lot of extra money to AWS without extra charge. Setting up VPNs to connect to your on-premise firewall in the office, or securely connecting your staff to the servers they are working on. Hosting services for your clients and protecting your web applications against attackers using the Intrusion Protection System. There are many opportunities and they have now become more affordable for everyone.

Read more about IPFire in the cloud on our product page.

IPFire 2.25 - Core Update 157 released

by Michael Tremer, June 21, 2021

After a little break, IPFire 2.25 - Core Update 157 is out! This is the largest release in size we have ever had and updates various parts of the operating system and brings an updated kernel.

Since IPFire is built from source and not based on any distribution, we get to select the best versions of open source software to be a part of it. This release is the second part of our "spring clean" release which updates various software packages and we have also dropped software that we no longer need. The vast amount of this work has been done by Adolf Belka who has been spending many nights in front of a compiler trying to make it all work. If you want to support him and the entire development team, please help us with your donation.

Deprecating Python 2

We have made huge efforts to migrate away from Python 2 which has reached its end of life on January 1st of this year. That includes repackaging third-party modules for Python 3 and migrating our own software to Python 3.

The work will continue over the next couple of weeks and we are hopeful to remove all Python 2 code with the next release. We will keep Python 2 around for a little bit longer to give everyone with custom scripts a little bit of time to migrate them away, too.

Misc.

The IPFire kernel has been rebased on Linux 4.14.232 which brings various security and stability fixes
Updated packages: bash 5.1.4, boost 1.76.0, cmake 3.20.2, curl 7.76.1, dejavu-fonts-ttf 2.37, expat 2.3.0, file 5.40, fuse 3.10.3, gdb 10.2, glib 2.68.1, iproute2 5.12.0, less 581.2, libaio 0.3.112, libarchive 3.5.1, libcap-ng 0.8.2, libedit 20210419-3.1, libevent2 2.1.12, libexif 0.6.22, libgcrypt 1.9.3, libgpg-error 1.42, libtiff 4.3.0, libupnp 1.14.6, libxcrypt 4.4.20, libxml2 2.9.10, lm_sensors 3.6.0, lua 5.4.3, meson 0.58.0, OpenSSH 8.6p1, perl-Canary-Stability, perl-Convert-TNET 0.18, perl-Convert-UUlib 1.8, perl-Crypt-PasswdMD5 1.41, perl-Digest 1.19, pixman 0.40.0, poppler 21.05.0 (and poppler-data 0.4.10), pppd 2.4.9, readline 8.1, sqlite 3.35.5, squid 4.15, sudo 1.9.7, wireless-regdb 2020.11.20, xfsprogs 5.11.0
Some packages that are no longer needed for the build process have been dropped
Peter Müller has cleaned up the web server configuration for the web user interface and removed various quirks and hacks for old software like Microsoft Internet Explorer 8
Leo-Andres Hofmann has contributed some cosmetic changes for the live graphs
A security vulnerability has been reported by Mücahit Saratar (#12619) where it was possible to change a script as an unprivileged user due to a file permission error which could later be executed as root. Thank you for reporting this to us.

Add-ons

Updated packages: cifs-utils 6.13, cups 2.3.3op2, cups-filters 1.28.8, dnsdist 1.6.0, elfutils 0.184, fetchmail 6.4.19, ffmpeg 4.4, libmicrohttpd 0.9.73, mpd 0.22.6, ncat 7.91, nmap 7.91, samba 4.14.4, Tor 0.4.5.8

IPFire 2.25 - Core Update 155 released [SECURITY ADVISORY]

by Michael Tremer, March 27, 2021, Updated July 20, 2021

Today, we are releasing IPFire 2.25- Core Update 155 which comes with various security fixes to mitigate NAT Slipstreaming attacks and important fixes in the OpenSSL library which allowed that attackers could have crashed services that use TLS on the firewall.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

We recommend installing this update as soon as possible and reboot the system.

Mitigating NAT Slipstreaming

Peter has recently announced our measures against NAT Slipstreaming. Through feedback from the community, we have seen that most people are not affected by these changes.

We are going to disable and remove support for all Application Layer Gateways. This includes SIP, FTP, H.323, IRC, PPTP and TFTP. They will be automatically disabled on systems that install this update and will no longer be available.

This change might require some attention if you are using any software that relies on the ALG. This is most likely the case for VoIP solutions that use SIP. From feedback during the testing period of this update, we can confirm that only a very small fraction of users is affected.

Spanning Tree Protocol support in Zone Configuration

The zone configuration allows configuring Spanning Tree Protocol (STP) for bridges. Since it is possible add multiple interfaces to the same bridge, it becomes a danger that loops are being created on the network. STP avoids those by disabling bridge ports when a loop is being detected.

Zone Configuration with STP

OpenSSL Security Vulnerabilities

The OpenSSL team released version 1.1.1k which fixes two rather severe security issues:

CVE-2021-3449: TLS servers could have been crashed with a maliciously crafted renegotiation message. In IPFire this could be used to deny service of the web user interface or some add-ons like haproxy
CVE-2021-3450: Enabling strict certificate checking caused the opposite effect that some certificates were evaluated as valid when they were actually not

We are also shipping fixes from an earlier OpenSSL release (1.1.1j) which were of lower severity: CVE-2021-23841, CVE-2021-23839 & CVE-2021-23840

Miscellaneous

The wireless client configuration is now processing priorities correctly. Before, wireless networks were prioritised in the opposite order
The QoS graphs will now have consistent colours in the downstream and upstream direction
The Update Accelerator "Passive Mode" option has been clarified
New packages: PCRE2, which is an improved version of PCRE, implementing Perl-compatible Regular Expressions
Updated packages: attr 2.4.48, autoconf 2.71, bind 9.11.28, freetype 2.10.4, iproute2 5.11.0, ipset 7.11, lcms2 2.12, libgcrypt 1.9.2, libhtp 0.5.37, libffi 3.3, libxcrypt 4.4.17 which replaces libcrypt which came bundled with glibc, lz4 1.9.3, lzo 2.10, mpage 2.5.7, net-tools 2.10, nettle 3.7.1, openssh 8.5p1, Python 3.8.7, qpdf 10.3.0, rust 1.50, sqlite3 3.34.1, squid 4.14, suricata 5.0.6, sysvinit 2.98, tar 1.34, tcl 8.6.11, unbound 1.13.1, wget 1.21.1
IPFire can experimentally be compiled for RISC-V for 64bit
Various older versions of operating system libraries have been removed. They were needed to keep older programs compatible without need of recompiling them. Those were: Berkeley DB, GMP, libjpeg, PCRE, readline
On i586, SSE2-optimised versions of performance-critical libraries have been dropped. This affects GMP and OpenSSL, which might result in lower VPN throughput with OpenVPN on affected systems. Support for this will be removed with the next release of glibc.
The unattended installer started in regular mode on serial consoles
Roberto Peña has contributed Spanish translation for the Captive Portal

Add-ons

Updated packages: elfutils 0.183, hplip 3.21.2, fireperf 0.2.0, krb5 1.19.1, mc 4.8.26, monit 5.27.2, nano 5.6, nagios_nrpe 4.0.3, nagios-plugins 2.3.3, stunnel 5.58, tor 0.4.5.6, tshark 3.4.3

IPFire 2.25 - Core Update 154 released

by Michael Tremer, March 2, 2021, Updated July 20, 2021

The first update of the year will be an enormous one. We have been working hard in the lab to update the underlying operating system to harden and improve IPFire and we have added WPA3 client support and made DNS faster and more resilient against broken Internet connections.

This is probably the release with the largest number of package updates. This is necessary for us to keep the system modern and adopt any fixes from upstream projects. Thank you to everyone who has contributed by sending in patches.

DNS Resolution Improvements

The DNS proxy working inside IPFire will now reuse any TLS and TCP connections for DNS resolution making it substantially faster. Before, a TCP or TLS connection had to be opened and closed after a response was received causing a lot of overhead.

Please consider if your setup can run DNS-over-TLS to protect your privcacy.

If you had a brief outage of your Internet connection, or if any or all of the upstream name servers did not respond, it could become possible that the DNS proxy no longer retried accessing them. This was due to some DoS protection being overly ambitious which has been changed to constantly try to reach any servers that are down.

WPA3 Client Support

The previous Core Update added WPA3 support for access points. This is now being complimented by adding it for the client side, too.

If you are running your RED interface as a client to another wireless, it can now use WPA3 to authenticate to the network and to encrypt packets. WPA2 has also been improved by optionally using SHA256 over SHA1 if the access point supports it.

Misc.

There is a number of various changes in this release:

Various command injections and privilege escalations where reported by Albert Schwarzkopf in the security layer between the web user-interface and the operating system. With those, an authenticated unprivileged user could gain root access to the operating system.
DDNS: The UI has been improved for providers that support "token authentication"
SSH sometimes failed to end itself when the system was shut down which caused an unnecessary delay
IPsec: XFRM policy lookup has been disabled for VTI interfaces
Keyboard support on virtualised systems on Microsoft Hyper-V was sometimes not working and has now been fixed.
Various cosmetic fixes for the web user interface and various code cleanup has been conducted by Matthias and Leo.
Updated packages: acl 2.2.53, acpid 2.0.32, automake 1.16.3, arping 2.21, bind 9.11.26, ccache 3.7.12, curl 7.75, dbus 1.12.20, dhcpcd 9.3.4, dma 0.13, fcron 3.2.1, findutils 4.8.0, fuse 3.10.1, hyperscan 5.4.0, iproute2 5.10.0, ipset 7.10, iptables 1.8.7, iw 5.9, less 563, libassuan 2.5.4, libgcrypt 1.9.1, libgpg-error 1.41, libhtp 0.5.36, libloc 0.9.5, libseccomp 2.5.1, logrotate 3.18.0, logwatch 7.5.5, lzip 1.22, kmod 28, knot 3.0.5, newt 0.52.21, OpenSSL 1.1.1j, PAM 1.5.1, pptp 1.10.0, sed 4.8, sqlite 3.34.0, texinfo 6.7, tzdata 2021a, procps 3.3.16, sudo 1.9.5p1, unbound 1.13.0, wget 1.21

Add-Ons

Updated packages: bacula 9.6.7, bird 2.0.7, c-ares 1.17.1, cifs-utils 6.12, clamav 0.103.1, cups-filters 1.28.7, ddrescue 1.25, dehydrated 0.7.0, elfutils 0.182, fireperf 0.1.0, firmware-update 20210107, flashrom 1.2, hostapd 2021-01-18, hplip 3.20.11, htop 3.0.5, iperf 2.0.14a, iperf3 3.9, kerberos 1.18.3, lvm2 2.02.187, lynis 3.0.3, minicom 2.8, monit 5.27.1, nano 5.5, p7zip 17.03, postfix 3.5.8, samba 4.13.4, screen 4.8.0, shairport-sync 3.3.7, sshfs 3.7.1, strace 5.10, stunnel 5.57, tor 0.4.4.7, tshark 3.4.2, QEMU 5.2.0, wpa_supplicant 2021-01-18

Launching IPFire on Exoscale

by Michael Tremer, November 9, 2020

Today, we are launching IPFire on Exoscale, the GDPR-compatible European Cloud Provider based in Switzerland.

For the two years that IPFire is available on Amazon EC2, we have often received feedback from various customers about their data privacy concerns. GDPR and the generally higher data protection regulation in Europe is making it difficult for many people to find the right cloud provider that complies with those laws.

We are proud to offer an option for those customers.

With data centers in Germany, Switzerland, Austria, and Bulgaria, Exoscale is promising that your data won’t “travel halfway around the world”. Privacy has been built into the cloud from the first moment.

With competitive pricing and a user interface that is very easy to use, they are a brilliant alternative to the big, well-known cloud providers.

IPFire in the Cloud, just like you are used to it

IPFire in the cloud enables your business to grow above and beyond. It is the same firewall appliance that you know from your on-premise data center, just in the cloud - and therefore more versatile and flexible.

You can host your infrastructure of web servers, mail servers, and have it protected by a powerful firewall while accessing them easily through a secure VPN connection.

Your cloud infrastructure will grow with you to whatever size you need it to. Whether your website is becoming more popular, or your company is opening more branch offices that need to be securely connected to your central servers. Just upgrade your cloud instance and you have added more CPU power and memory to handle whatever challenges you face.

From a small prototype environment to a 10 Gigabit router. IPFire grows with you.

See some more examples on the detailed product page.

Try out IPFire on Exoscale for free today.

IPFire on AWS: Update to IPFire 2.25 - Core Update 146

by Michael Tremer, July 15, 2020

Today, we have updated IPFire on AWS to IPFire 2.25 - Core Update 146 - the latest official release of IPFire.

Since IPFire is available on AWS, we are gaining more and more users who are securing their cloud infrastructure behind an easy to configure, yet fast and secure firewall.

This update brings a new kernel as well as many other exciting changes.

The most important change for the cloud is that on AWS, IPFire will now default to a MTU of 9001 bytes for all internal interfaces. The RED interface will remain on 1500 bytes, since this is the Internet defaults to that size and we prefer IPFire performing any fragmentation and reassembly of packets over Amazon’s network stack.

This allows more network throughput with less overhead.

Try it out today for free!

There is a detailed installation guide available which helps you setting up your cloud correctly for IPFire.

How to update?

For all customers that are already running on the latest image, there is nothing to do here but to make sure that you have all updates installed on your instance.

Click here to go to IPFire on AWS

IPFire 2.25 - Core Update 142 released

by Michael Tremer, March 18, 2020, Updated March 19, 2020

This is the official release announcement for IPFire 2.25 - Core Update 142. This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the systems that are no longer needed to shrink the size of the operating system on disk.

We have a huge backlog of changes that are ready for testing in a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us testing, or if you prefer, send us a donation so that we can keep working on these things.

Kernel Hardening

This update brings a new kernel which is based on Linux 4.14.173.

For the first time, we have enabled kernel module signing which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will have no chance to activate it on the system any more.

This is a huge improvement to the system when attackers have gained control of it through any other security vulnerabilities.

Support for Marvel's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in Fireinfo using this any more.

Suricata 5 - Our Intrusion Prevention System

suricata, the Intrusion Prevention System working inside of IPFire has been updated to version 5.0.2.

This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.

This release also introduces using Rust, which has recently been added to IPFire. Protocol parsers written in Rust can - by design of the language - not have any stack buffer overflows or other memory corruption problems like some C programs do. Therefore, this release makes it easier for the maintainers to extend the IPS at the same time as making it more robust and secure.

Making Testing Easier

This release introduces a new configuration option for Pakfire. Users can now choose between the stable, and two testing branches to easier install unreleased builds.

We hope that this helping you to help us testing IPFire better and therefore be able to give us more valuable feedback on releases.

Misc.

pppd, the Point-to-Point protocol daemon which is used for DSL and LTE connections has a severe vulnerability which allowed Remote Code execution on the client and server side. It has also been updated to version 2.4.8 which fixes some more bugs.
Password for proxy users were limited to eight characters due to an old hash algorithm being used. This has now been upgraded and passwords of unlimited length can be used.
The squid web proxy has been updated to version 4.10 which closes a number of security vulnerabilities
ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3 since support for Python 2 is deprecated now.
Wireless Access Point devices are now properly added to a network bridge at boot time
Some smaller aesthetic fixes for the new DNS Configuration page

Add-Ons

Updates

clamav has been updated 0.102.2 which closes a number of security vulnerabilities
dehydrated has been fixed to properly conduct a backup and restore when it is being updated
guardian has received fixes for its HTTP log parser
haproxy has been updated to 2.1.3 and support for Lua has been enabled
libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
The qemu package has been stripped from any firmware blobs for architectures that cannot be used on IPFire in order to save disk space on the root partition.
Further package updates: dnsdist 1.4.0, mc 4.8.24, tmux 3.0a, tor 0.4.2.6, vdr 2.4.1, vdradmin 3.6.10, w_scan 20170107

Cleaned-up Packages

We have removed a number of packages that have been abandoned by the people who maintain them. We believe that it is better to not offer them instead of exposing your systems to any security risks:

arm a CLI monitoring tool for tor
batctl, to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
cyrus-imapd - An IMAP/POP daemon
multicat & bitstream: Two tools to capture and decode multimedia streams over a network. Has been submitted to IPFire but was sadly never updated by the maintainer.
check_mk_agent - A monitoring tool
DirectFB - Graphics drivers
ez-ipupdate - A tool for dynamic DNS updates, which is unused, because we have ddns
icecast, icecastgenerator & streamripper - A media relay for radio streams
setserial - A tool to manage serial connections on console
rtpproxy - A relay for RTP streams

We currently have very limited development resources and would prefer investing those on things where more people benefit from. Please donate to support us!

IPFire on AWS: Update to IPFire 2.25 - Core Update 141

by Michael Tremer, February 27, 2020

Today, we have updated IPFire on AWS to IPFire 2.25 - Core Update 141 - the latest official release of IPFire.

Since IPFire is available on AWS, we are gaining more and more users who are securing their cloud infrastructure behind an easy to configure, yet fast and secure firewall.

This update adds the rewritten DNS stack and brings many bug fixes to the cloud.

Managing DNS servers in IPFire has been re-imagined in this release of IPFire. Before, there were many places where DNS was configured which varied for each system depending on how it connected to the Internet.

For the cloud, we have added some changes that might be relevant for you:

For new installations, we won’t use Amazon’s DNS servers any more since they do not support DNSSEC. By default, the system runs in recursor mode which means that IPFire will contact authoritative DNS servers directly.

For that, Security Groups need to allow IPFire connecting UDP/53 and TCP/53 for any IP address on the Internet.

Systems that are upgraded will automatically carry the previous configuration over. We recommend reviewing those settings and ask you to consider to configure DNS-over-TLS.

Try it out today for free!

There is a detailed installation guide available which helps you setting up your cloud correctly for IPFire.

How to update?

For all customers that are already running on the latest image, there is nothing to do here but to make sure that you have all updates installed on your instance.

Click here to go to IPFire on AWS

Enhancements to our DNS Resolver

by Michael Tremer, February 12, 2020

Today, we have taken some important changes on our DNS Resolver into production. Having released support for DNS-over-TLS in 2018, we have now added TCP Fast Open and TLSv1.3.

Lightning Wire Labs is managing a DNS Resolver to provide an alternative to the large corporation who are trying to get the global DNS system under their control and use it for marketing purposes.

To not fall behind the technical development, we have now enabled some new features on our resolver to make it ready for the new DNS changes that are going to land with IPFire 2.25 - Core Update 141 very soon.

DNS-over-TLS

We are supporting DNS-over-TLS, for almost two years now, but with only few users. This is not surprising since IPFire did not DNS-over-TLS in the past, but this will now change.

We support TLSv1.3 and require at least TLSv1.2. ChaCha20-Poly1305, AES-GCM, Curve25519, and smaller ECSDA certificates are of course not missing either.

TCP Fast Open

For users who have an ISP that is filtering UDP queries or breaks DNSSEC in one way or the other, we are supporting TCP of course.

Since TCP requires a full 3-way handshake before any data can be sent, there is a small performance impact. To combat that, we now support TCP Fast Open which allows to send the DNS query with the first packet, even before the TCP connection is fully open.

This way, queries over TCP are just as fast as those over UDP.

How to use it?

The server is available at 2001:678:b28::54 and 81.3.27.54.

If you are using TLS, enter recursor01.dns.lightningwirelabs.com or recursor01.dns.ipfire.org as TLS hostname.

IPFire 2.23 - Core Update 139 released

by Michael Tremer, January 9, 2020

It is time for the first release of the year, IPFire 2.23 - Core Update 139. It is packed with improvements, software updates, and many many bug fixes.

Improved Booting & Reconnecting

Dialup scripts have been cleaned up to avoid any unnecessary delays after the system has been handed a DHCP lease from the Internet Service Provider. This allows the system to reconnect quicker after loss of the Internet connection and booting up and connecting to the Internet is quicker, too.

Improvements to the Intrusion Prevention System

Various smaller bug fixes have been applied in this Core Update which makes our IPS a little bit better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers are being used by the system.

TLS

IPFire is configured as securely as possible. At the same time we focus on performance, too. For connections to the web user interface, we do not allow using CBC any more. This cipher mode is begin to crack and the more robust GCM is available.

Whenever an SSL/TLS connection is being established to the firewall, we used to prefer ChaCha20/Poly1305 as a cipher. Since AESNI is becoming and more and more popular even on smaller hardware, it makes sense to prefer AES. A vast majority of client systems support this as well which will allow to communicate faster with IPFire systems and save battery power.

Misc.

The microcode for Intel processors has been updated again to mitigate vulnerabilities from the last Core Update
PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version 4.10.0.3
Captive Portal: Expired clients are now automatically removed
Dynamic DNS: Support for NoIP.com has been fixed in ddns 12
Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5

Add-Ons

clamav has been updated to 0.102.1 which include various security fixes
libvirt has been updated to version 5.6.0 for various bug fixes or feature enhancements and support for LVM has been enabled.
qemu has been updated to 4.1.0
Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42

IPFire on AWS: Update to IPFire 2.23 - Core Update 138

by Michael Tremer, December 2, 2019

Today, we have updated IPFire on AWS to IPFire 2.23 - Core Update 138 - the latest official release of IPFire.

This update includes security fixes for vulnerabilities in Intel processors as well as the new and improved Quality of Service.

We are very happy that from week to week, we are gaining more customers for IPFire in the cloud - where you now can manage your network just as you do it in your own data centre.

In contrast to Amazon’s own features, IPFire is easier to manage, performs just as well, but brings you even more features like standard IPsec VPNs, OpenVPN for on-the-road connectivity to the cloud, Intrusion Prevention for your cloud servers, detailed logging and reporting and many more features.

Try it out today for free!

There is a detailed installation guide available which helps you setting up your cloud correctly for IPFire.

How to update?

For all customers that are already running on the latest image, there is nothing to do here but to make sure that you have all updates installed on your instance.

Click here to go to IPFire on AWS

IPFire on AWS: Update to IPFire 2.23 - Core Update 136

by Michael Tremer, October 14, 2019

Today, we have updated IPFire on AWS to IPFire 2.23 - Core Update 136 - the latest official release of IPFire.

This update includes security fixes for OpenSSL and the Linux kernel, an updated Perl, and of course many other fixes throughout the whole system.

We are very happy that from week to week, we are gaining more customers for IPFire in the cloud - where you now can manage your network just as you do it in your own data center.

Try it out today for free!

There is a detailed installation guide available which helps you setting up your cloud correctly for IPFire.

How to update?

For all customers that are already running on the latest image, there is nothing to do here but to make sure that you have all updates installed on your instance.

Click here to go to IPFire on AWS

Job Opportunity for a Junior Developer (m/f/x)

by Michael Tremer, September 23, 2019, Updated September 28, 2019

We, Lightning Wire Labs, are offering an opportunity ideal for a student to become a Junior Developer.

As the leading organisation in the IPFire Project, we are growing our team to allow us to move it forward quicker as well as advancing other internal projects.

Are you a frequent contributor to Open Source projects, but want to develop your skills further?

Join our growing team to help us to achieve our ambitious goals and learn at the same time.

Required skills:

Fluent in Python, Shell Scripts, Git, HTML, CSS, JS
Good Linux and Networking Skills
Good communication skills with other staff and the community. English is mandatory, German is optional.

The focus will be working on the IPFire Project. Development of new features as well as fixing bugs and supporting the community will be essential parts. You will develop our internal applications and software stack as well.

This job offers great flexibility in terms of work hours and will be remote with occasional visits to our main office.

Please send your application including your CV to jobs@lightningwirelabs.com.

IPFire 2.23 - Core Update 134 released

by Michael Tremer, July 2, 2019

This is the official release announcement for IPFire 2.23 - Core Update 134. This update ships security fixes in the Linux kernel for the "SACK Panic" attack as well as some other smaller fixes.

SACK Panic (CVE-2019-11477 & CVE-2019-11478)

The Linux kernel was vulnerable for two DoS attacks against its TCP stack. The first one made it possible for a remote attacker to panic the kernel and a second one could trick the system into transmitting very small packets so that a data transfer would have used the whole bandwidth but filled mainly with packet overhead.

The IPFire kernel is now based on Linux 4.14.129, which fixes this vulnerability and fixes various other bugs.

The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.

Misc.

Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
The French translation has been updated by Stéphane Pautrel and translates various strings as well as improving some others
We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection. CBC is now considered to be substantially weaker than GCM.
Email addresses entered in the web UI can now contain underscores.
The Captive Portal now comes up properly after IPFire is being rebooted.

IPFire 2.23 - Core Update 132 released

by Michael Tremer, June 7, 2019, Updated May 21, 2021

The next version of IPFire is ready: IPFire 2.23 - Core Update 132. This update contains various security fixes and improvements to secure systems that are vulnerable to recently-published problems in Intel processors.

Intel Vulnerabilities: RIDL, Fallout & ZombieLoad

Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an update microcode (version 20190514). Both is shipped in this release.

Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors which has significant performance impacts.

Please note, that Intel unfortunately is not releasing microcode for all processors any more and so you might still be vulnerable.

To apply the fixes, please reboot your system.

There is a new GUI which will show you for which attacks your hardware is vulnerable and if mitigations are in place:

VLAN Configuration

Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.

The GUI also allows to set up a zone in bridge mode which is helpful for advanced users who need some custom configuration.

Misc.

This update also contains a number of various bug fixes:

The new IPS now starts on systems with more than 16 CPU cores
For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
OpenVPN has received some changes to the UI and improvements of its security.
Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted (CVE-2020-19202, #12071)
The same type of stored cross-site scripting attack was resolved in the static routing UI
Log entries for Suricata now properly show up in the system log section
Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1

Add-ons

Wireless AP

The wireless AP add-on has received some new features:

For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker to deauthenticate stations from the wireless LAN or other denial-of-service attacks.

Updates

igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
Qemu is now being hardened with libseccomp which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default

IPFire 2.23 - Core Update 131 released

by Michael Tremer, May 16, 2019

Finally, we are releasing another big release of IPFire. In IPFire 2.23 - Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.

Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate today!

A New Intrusion Prevention System

We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance, security and it simply put - more modern. We would like to thank the team at Suricata on which it is based for their hard work and for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need.

Migration from the older Intrusion Detection System

Your settings will automatically be converted if you are using the existing IDS and replicated with the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only. This is that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required any more for the IDS to work but still provides means against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates

This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.

Misc.

SSH Agent Forwarding: This can now be enabled on the IPFire SSH service which allows administrators to connect to the firewall and use SSH Agent authentication when using the IPFire as a bastion host and connecting onwards to an internal server.
When multiple hosts are created to overwrite the local DNS zone, a PTR record was automatically created too. Sometimes hosts might have multiple names which makes it desirable to not create a PTR record for an alias which can now be done with an additional checkbox.
A bug in the firewall UI has been fixed which caused that the rule configuration page could not be rendered when the GeoIP database has not been downloaded, yet. This was an issue when a system was configured, but never connected to the internet before.
On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk which lead unbound to crash under certain circumstances.
Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default;
We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.

Add-ons

Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows to create rules for traffic that originates from the local tor relay. The service is also running as an own user now.
Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.

New Packages

flashrom - A tool to update firmware

IPFire 2.21 - Core Update 130 released

by Michael Tremer, April 16, 2019

Just a couple of days after the release of IPFire 2.21 - Core Update 130, the next release is available. This is an emergency update with various bug fixes and a large number of security fixes.

Security

IPFire 2.21 - Core Update 130 contains security updates for the following packages:

Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable for various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded to be of "low" severity.
wget 1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).
clamav 0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.

Although some of these vulnerabilities are only of low severity, we recommend to install this update as soon as possible!

IPsec Regression

The last update introduced a regression in the IPsec stack that caused that the firewall could no longer access any hosts on the remote side when the tunnel was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.

IPFire 2.21 - Core Update 129 released

by Michael Tremer, April 8, 2019, Updated April 8, 2019

This is the official release announcement for IPFire 2.21 - Core Update 129 - an update that introduces routed IPsec VPNs and comes with various other changes that update the core system and fix several bugs.

IPsec Reloaded

IPsec has been massively extended. Although IPsec in IPFire is already quite versatile and delivered high performance, some features for experts were required and are now available through the web UI:

Routed VPNs with GRE & VTI
Transport Mode for net-to-net tunnels
IPsec connections can now originate from any public IP address of the IPFire installation. This can be selected on a per-connection basis.

The code has also been cleaned up the UI has been made a little bit tidier to accommodate for the new settings.

Smaller changes include:

The "On-Demand" mode is finally the default setting. Tunnels will shut down when they are not used and they will be established again when they are required.

Misc.

DHCP: A crash has been fixed when filenames containing a slash have been entered for PXE boot.
DHCP: Editing static leases has been fixed
Domains in the "DNS Forwarding" section can now be disabled for DNSSEC validation. This is a dangerous change, but has been requested by many users.
Updated packages: bind 9.11.6, groff 1.22.4, ipset 7.1, iptables 1.8.2, less 530, libgcrypt 1.8.4, openssl 1.1.1b, openvpn 2.4.7, squid 4.6, tar 1.32, unbound 1.9.0, wpa_supplicant 2.7
New commands: kdig 2.8.0
The build system has been optimised to reduce build time of the whole distribution to around 4-5 hours on a fast machine.

Add-Ons

Alexander Koch has contributed zabbix_agentd which is the agent that is installed on the monitored machine. With this, IPFire can now be integrated into an environment that is monitored by Zabbix.
On that note, the SNMP daemon has also been updated to version 5.8 for people who use the SNMP protocol for monitoring.
tor has been updated to 0.3.5.8 and some minor bugs have been fixed in the web user interface
The spectre-meltdown-checker script is available as an add-on which allows IPFire users to test their hardware for vulnerabilities
Other updates: amavisd 2.11.1, hostapd 2.7, postfix 3.4.3

Thank you very much to everyone who contributed to this Core Update. Please support our project and donate today so that we can keep up our work!

IPFire 2.21 - Core Update 128 released

by Michael Tremer, March 13, 2019

This is the official release announcement for IPFire 2.21 - Core Update 128; another maintenance update with a brand new kernel, introducing TLS 1.3 throughout the whole system and of course a whole package of bug fixes and other improvements.

Thanks to everyone who has contributed to this Core Update with either sending in patches, testing, reporting bugs and many many other things. I am quite happy to see the team grow! Thank you very much as well to all of you who have supported our Donations Challenge so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!

Kernel Update

The Linux kernel, the core of the IPFire operating system, has been updated to the latest release of the 4.14 branch. We have added some extra patches to improve hardware support and fix some security vulnerabilities. LEDs of PCengines' APU boards are now supported on newer versions of the mainboard and on those boards, the serial console is always enabled. On x86-based systems, we now support up to 64 processors.

OpenSSL 1.1.1 & TLS 1.3

We have also updated the main TLS/SSL library to OpenSSL in version 1.1.1. This adds support for TLS 1.3 and of course brings various other improvements with it. On browsers that support it, the IPFire web user interface is now available over TLS 1.3 and any outgoing SSL connection from the firewall supports it, too. We ensure that those connections only use secure and performant ciphers to make connections as fast as they can be.

We have also updated the list of trusted Certificate Authorities (CAs).

We have removed any previous versions of OpenSSL from the system which will soon be end-of-life. If you have anything custom that you have compiled yourself on your system, please be aware of that and note that you might potentially rebuild your custom software.

Add-ons provided by the IPFire Project now support TLS 1.3 as well. If you are running a custom configuration for postfix or haproxy make sure that TLS 1.3 is not excluded from the supported TLS protocols.

Performance Tuning

The system is now configured to be able to route more packets. During some benchmarks and testing we have discovered that IPFire does not always use the full performance of the hardware underneath it. While most system probably won't benefit much from these improvements, some systems with very fast processor cores will see a 5-10% increase in bandwidth from and to the firewall as well as routed through it. That comes at the cost of very slight increase of power consumption, but we figured that that is a price worth paying not only provide you a secure firewall, but also a fast one.

Misc.

A change of the firewall policy might potentially be backwards-incompatible, but we saw no other way to improve the security of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. This was carried over from the very beginning of IPFire when the firewall user interface was way more basic and rules to change this behaviour could not be configured at all. Now, it makes a lot more sense to not have this default which was also not well-known and allow users to create rules to either allow or deny traffic like this.
The kdig utility is now available on command line which supports DNS lookups via TLS
Updated packages: apache 2.4.38, apr 1.6.5, curl 7.64.0, dhcpcd 7.1.1, ghostscript 9.26, logrotate 3.15, openssl 7.9p1, postfix 3.3.2, strongswan 5.7.2, tzdata 2018i

Add-ons

powertop has been updated to version 2.10
tor has been updated to version 0.3.5.7
sendEmail has been fixed by Rob. The script had a wrong file ownership.

IPFire 2.21 - Core Update 127 released

by Michael Tremer, February 6, 2019

The first update of the year and it is packed with loads of new features, many many performance improvements as well as some security fixes. This is quite a long change log, but please read through it. It is worth it!

To support our project and keep us bringing these updates for you, please donate!

Squid 4.5 - Making the web proxy faster and more secure

We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.

We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.

One of the major changes is that we have removed a control that allowed to configure the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically configured to the number of processors. Due to that, we only use as many processes as the system has memory for but allow to use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy so that there is no wait any more for the first request being handled or when the proxy is under higher load.

We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time to become faster by being more efficient.

We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.

We have also removed authentication against Microsoft Windows NT 4.0 domains. Those authentication protocols used back then are unsafe for years and nobody should be using those any more. Please consider this when updating to this release.

We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software coming from the same system was allowed for one second to send requests to the web proxy being properly authenticated. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.

New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.

Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.

DNS Forwarding

The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses to forward requests to multiple servers that are found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queries for one single domain. Before only one IP address was supported which rendered the domain unresolvable in case of that specific server becoming unreachable.

These changes allow to redirect requests to DNS blacklists for example directly to the right name servers and not worry about any changes of IP addresses at the provider. There is also load-balancing between multiple servers and the fastest server is being preferred so that DNS resolution for all domains is faster and more resilient, too.

Misc.

Kernel modules that initialised framebuffer are no longer being loaded again. This cause some crashes on various hardware with processors from VIA and was a regression introduced by compression kernel modules with the last Core Update.
Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
fireinfo now supports authentication against any upstream web proxies
Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
The description on which SSH port IPFire is listening has been fixed.
Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
GeoIP: Scripts have been updated to use a new format of the GeoIP database
Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1

Add-ons

Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
The haproxy package now correctly handles its backup

IPFire 2.21 - Core Update 126 released

by Michael Tremer, December 28, 2018, Updated December 28, 2018

Finally, the next release of IPFire is available: IPFire 2.21 - Core Update 126 This update comes with a new kernel and security enhancements. This change log is rather short, but the changes are very important.

Thank you very much to all of you who have supported our Donations Challenge so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!

Linux 4.14.86

The kernel has been updated to the latest version of the Linux 4.14.x branch which brings various improvements around stability, enhances performance and fixes some security vulnerabilities. This kernel also has major updates for the Spectre and Meltdown vulnerabilities that remove previously existent performance penalties in some use-cases.

The kernel's modules are now compressed with the XZ algorithm which will save some space on disk as the kernel is one of the largest components of IPFire.

Misc.

openssl has been updated to 1.1.0j and 1.0.2q which fixes some minor security issues and has various bug fixes
The bind package has now changed to ship shared libraries which it did not before. Those allow that commands like dig and host use those shared libraries and are no longer statically linked. This makes the files a lot smaller.
Stéphane Pautrel has substantially improved the French translation of IPFire. Thank you very much for that!

Add-ons

Updated packages: bird 2.0.2, nano 3.2
New packages: shairport-sync

Thanks for the people who contributed to this Core Update. Please support us and donate!

The end of another year

by Michael Tremer, December 24, 2018, Updated December 25, 2018

It is the end of another year and I would like to take this opportunity to simply say thank you. It has been an eventful year and we have come a long way.

The Stats

We have brought you eight Core Updates with probably the largest changes that we have had in a while. A new kernel 4.14 that is running better than ever before; we have had a spring clean and remove loads of old add-ons and other packages to make space for new ones as well as getting rid of some older cryptography; we fought Meltdown and Spectre; we have launched IPFire on AWS and added support for EFI and 802.11ac WiFi; we have added loads of new features that make IPFire simply better.

We are all proud of our achievements and I would like to thank everyone who has contributed. Whether that is by submitting patches, reporting bugs, writing documentation and all the other things. You guys know who I am talking about.

Take a couple of days off and enjoy the holidays. Merry Christmas if you are celebrating. Hope to see you all again next year!

Twenty-Nineteen

Of course we already have loads of plans for the next year. We have a bug tracker full of feature requests, error reports and ideas how to improve things. We also hope that we can finally move IPFire 3 over the line so that the project gains more traction - and a new Core Update is ready to be released, too!

We hope that our community keeps growing, more and more people keep installing IPFire and finally throw away their old gear. We have achieved a lot, but there is definitely loads to do, still.

Please Donate Today

Help us to achieve our goals! We are still running our donation challenge which unfortunately has not hit its goal, yet. Please consider to support our project and donate today. If you have already done so and set up a monthly donation, we thank you very very much for that.

IPFire 2.21 - Core Update 125 released

by Michael Tremer, November 26, 2018

Finally, the next release of IPFire is available: IPFire 2.21 - Core Update 125 This update comes with various security and bug fixes as well as cleanups and some new features.

802.11ac WiFi

The IPFire Access Point add-on now supports 802.11ac WiFi if the chipset supports it. This allows better coverage and higher network throughputs. Although IPFire might not be the first choice as a wireless access point in larger environments, it is perfect to run a single office or apartment.

Additionally, a new switch allows to disable the so called neighbourhood scan where the access point will search for other wireless networks in the area. If those are found, 40 MHz channel bandwidth is disabled leading to slower throughput.

Misc.

strongswan 5.7.1: This updated fixes various security vulnerabilities filed under CVE-2018-16151, CVE-2018-16152 and CVE-2018-17540. Several flaws in the implementation that parsed and verified RSA signatures in the gmp plugin may allow for Bleichenbacher-style low-exponent signature forgery in certificates and during IKE authentication.
The IO graphs now support NVMe disks
The SFTP subsystem is enabled again in the OpenSSH Server
Swap behaviour has been changed so that the kernel will make space for a large process when not enough physical memory is available. Before, sudden jumps in memory consumption where not possible and the process requesting that memory was terminated.
The backup scripts have been rewritten in Shell and now package all add-ons backups with the main backup. Now, it is no longer required to save any add-on configuration separately.
Updated packages: apache 2.4.35, bind 9.11.4-P2, coreutils 8.30, dhcpcd 7.0.8, e2fsprogs 1.44.4, eudev 3.2.6, glibc 2.28, gnutls 3.5.19, json-c 0.13.1, keyutils 1.5.11, kmod 25, LVM2 2.02.181, ntfs-3g 2017.3.23, reiserfsprogs 3.6.27, sqlite 3.25.2.0, squid 3.5.28, tzdata 2018g, xfsprogs 4.18.0

New Add-Ons

dehydrated - A lightweight client to retrieve certificates from Let's Encrypt written in bash
frr, an IP routing protocol suite and BGP and OSPF are supported on IPFire. Find out more on their website.
observium-agent - An xinet.d-based agent for Observium, a network monitoring platform

Updated Add-Ons

clamav has been updated to 0.100.2 and the virus database files have been moved to the /var partition. This makes more space available on the root partition.
nfs 2.3.3, haproxy 1.8.14, hostapd 2.6, libvirt 4.6.0, tor 0.3.4.9

Thanks for the people who contributed to this Core Update.

Please help us to support everyone’s work with your donation!

Donations Challenge

by Michael Tremer, November 18, 2018, Updated March 13, 2019

The IPFire Project is entirely independent and funded by donations which is quite a tough thing to do these days. It is hard to get donations when you don't have a budget for advertising and encourage people to do more. Unfortunately, donations are at a record low.

That is why we are starting a new challenge: 150 new long-standing donations by the end of the year. That will set up the project for a great year 2019 - and the future is all we are about!

Update from Wednesday, Mar 13 2019: So far, we have 19 monthly recurring donations :( We had hoped for more to be able to do more. Please donate today!

Update from Wednesday, Dec 12 2018: So far we have 17 monthly donations! Thank you for everyone who donated. We got an amazing number of smaller one-time donations which is amazing, too, but please consider setting up a monthly donation if you can!

Every donation matters

We appreciate everyone who contributed to the project in the past and we made very good use of every single penny ever donated to the project. That does not only go for financial contributions, but also all other contributions in form of code and time. But a long-term donation is better because it is not only a single event. It is an investment into the project and a commitment to support it and continuous improvement!

It does not matter if you give little or a lot, but it would be appreciated if everyone gives something. Help us to reach out to others and ask them to donate, too. The more people, the better and the more this becomes a community effort!

Instead of asking for a certain sum, we are just asking for a number of new people supporting us regularly. To help us out more, of course donating more helps more, so please try to give as much as you can.

We have a long way ahead of us and need your help

Through our new website and collaboration with Lightning Wire Labs, we are accepting monthly donations and we recommend to everyone to set up one instead of a one-time donation.

We have also improved on payment methods: We support credit card, SEPA Direct Debit and SEPA Bank Transfer to make it fast and easy for use as well as protect your privacy. Also, they do not collect any high fees which ensures that a maximum of the money is going to the project instead of the payment provider. We no longer support PayPal.

Become a donor today

Head over to our new donation page and help us creating change now! Select "Monthly", choose how much you would like to give and complete the form. Thank you!

IPFire 2.21 - Core Update 124 released

by Michael Tremer, October 15, 2018

Dear IPFire Community,

this is the official release announcement for IPFire 2.21 – Core Update 124. It brings new features and immensely improves security and performance of the whole system.

Thanks for the people who contributed to this Core Update. Please help us to support everyone’s work with your donation!

IPFire on Amazon Cloud

IPFire is now available on AWS EC2. This is sponsored by Lightning Wire Labs and provides a virtual cloud appliance that is set up within minutes and provides the full set of features of IPFire.

IPFire is ideal to securely connect your infrastructure to the cloud by using IPsec VPNs and provides throughput of multiple tens of gigabits per second! But IPFire can also be used as a small instance that protects your web, mail and other servers in the cloud with the IPFire Intrusion Detection and Prevention Systen, load balance web traffic and many things more.

Try it now!

Kernel Hardening

We have updated the Linux kernel to version 4.14.72 which comes with a large number of bug fixes, especially for network adapters. It has also been hardened against various attack vectors by enabling and testing built-in kernel security features that prohibit access to privileged memory by unprivileged users and similar mechanisms.

Due to this, the update requires a reboot after it has been installed.

OpenSSH Hardening

Peter has contributed a number of patches that improve security of the SSH daemon running inside IPFire. For those, who have SSH access enabled, it will now require latest ciphers and key exchange algorithms that make the key handshake and connection not only more secure, but also faster when transferring data.

For those admins who use the console: The SSH client has also been enabled to show a graphic representation of the SSH key presented by the server so that comparing those is easier and man-in-the-middle attacks can be spotted quickly and easily.

Unbound Hardening

The settings of the IPFire DNS proxy unbound have been hardened to avoid and DNS cache poisoning and use aggressive NSEC by default. The latter will reduce the load on DNS servers on the internet through more aggressive caching and will make DNS resolution of DNSSEC-enabled domains faster.

EFI

IPFire now supports booting in EFI mode on BIOSes that support it. Some newer hardware only supports EFI mode and booting IPFire on it was impossible before this update. EFI is only supported on x86_64.

Existing installations won’t be upgraded to use EFI. However, the flash image and systems installed with one of the installation images of this update are compatible to be booted in both, BIOS and EFI mode.

Although this change does not improve performance and potentially increases the attack vector on the whole firewall system because of software running underneath the IPFire operating system, we are bringing this change to you to support more hardware. It might be considered to disable EFI in the BIOS if your hardware allows for it.

Misc.

CVE-2018-16232: Remote shell command injection in backup.cgi: It has been brought to our attention that it was possible for an authenticated attacker to inject shell commands through the backup.cgi script of the web user interface. Those commands would have been executed as a non-priviledged user. Thanks to Reginald Dodd to spot this vulnerability and informing us through responsible disclosure.
The hostname of the system was set incorrectly in the kernel before and is now being set correctly
Firewall: Creating rules with the same network as source and destination is now possible and renaming a network/host group is now correctly updating all firewall rules
Cryptography: ChaCha20-Poly1305 is now working on ARM, too
IPsec: The status of connections in waiting state is now shown correctly at all times; before, they always showed up as enabled although they were disabled.
pakfire: Some old and unused code has been cleaned out and the mirror health check has been removed, because a download will fail-over to another available mirror anyways
Intrusion Detection: Emerging Threats rules are now being downloaded over HTTPS rather than HTTP
Updated packages: bind 9.11.4-P1, iproute2 4.18.0, ntp 4.2.8p12, openssh 7.8p1, parted 3.2, pciutils 3.5.6, rng-tools 6.4, syslinux 6.04-pre1, unbound 1.8.0

Add-Ons

Updated packages: nano 3.1, postfix 3.3.1

Launching IPFire on AWS

by Michael Tremer, October 6, 2018, Updated November 1, 2018

Today, we are launching IPFire on the Amazon Cloud, our first IPFire Appliance in the Cloud.

For everyone, who is already using IPFire in their own data centers, their offices or branches, figuring out AWS is now over. You can now run IPFire as you know it in the Cloud. Using all features as you are used to them and configure them easily through the IPFire web user interface.

Hosting infrastructure in the cloud is becoming more and more important for almost all businesses. It gives you flexibility to grow without a large financial commitment in the beginning and loads of technical features that are expensive to implement in your own data center.

AWS

Amazon is the market leader in the cloud business for years, offering a system that has by far the most advanced features. Anything is possible - given a generous budget. But with that large feature set, it is hard to configure this complex system and very often a simpler solution would have done the job.

IPFire is a lot easier to configure and offers powerful features for the cloud without requiring to be an expert on AWS:

In the Cloud, IPFire grows with you

IPFire runs on smallest hardware as well as on large rack-mounted appliances. It works the same in the cloud!

Starting with a small instance that costs only a few dollars a month to run, you can grow to a large instance that handles gigabits of traffic if you need to. On AWS, 10G and 25G interfaces are supported.

Use IPFire’s powerful set of features

IPFire comes with IPsec and OpenVPN on board making it perfect to securely connect your office, employees or IoT equipment to the cloud giving it access to all internal services you are hosting.

Firewall rules are quickly and easily configured and with the IPFire Intrusion Prevention System, you will find and block any malicious attackers.

See some more examples on the detailed product page.

IPFire is versatile

While setting up IPFire in the cloud, you can grow your business and infrastructre. When ever you decide to leave AWS, you can just backup your configuration and take it with you to the new place.

Whether that would be an on-premise appliance or another AWS region is entirely up to you. Migration is easy and done within minutes.

Try it out today

We have compiled comprehensive documenation on how to set up IPFire on AWS that doesn’t require you to be an expert at all. We also give you a free trial.

What are you waiting for? Try out IPFire on AWS today!

IPFire 2.21 - Core Update 123 released

by Michael Tremer, September 10, 2018

This is the release announcement for IPFire 2.21 – Core Update 123 – a house-keeping release with a large number of fixes and some fixes for security vulnerabilities.

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

This release ships a large number of microcode updates for various processors (linux-firmware 30.7.2018, intel-microcode 20180807). Most notable, vulnerabilities in Intel processors might have been fixed or mitigations applied. Microcodes are now also being loaded into the processor earlier to avoid any attacks on the system at boot time.

This update also comes with a large number of smaller changes that improve security and fix bugs:

OpenSSL has been updated to versions 1.1.0i and for legacy applications version 1.0.2p (CVE-2018-0732 and CVE-2018-0737)
IPsec
- IPsec now supports ChaCha20/Poly1305 for encryption
- It also allows to configure a connection to passively wait until a peer initiates it. This is helpful in some environments where one peer is behind NAT.
OpenVPN
- Creating Diffie-Hellman keys with length of 1024 bits is no longer possible because they are considered insecure and not being supported by OpenVPN any more
- There is better warnings about this and other cryptographic issues on the web user interface
Intrusion Detection
- Links in the log files have been fixed to open the correct page with details about a certain attack
- Downloads of rulesets properly validate any TLS certificates
The /proc filesystem has been hardened so that no kernel pointers are being exposed any more
nss-myhostname is now being used to dynamically determine the hostname of the IPFire system. Before /etc/hosts was changed which is no longer required.
collectd: The cpufreq plugin has been fixed
Generating a backup ISO file has been fixed
Updated packages: apache 2.4.34, conntrack-tools 1.4.5, coreutils 8.29, fireinfo, gnupg 1.4.23, iana-etc 2.30, iptables 1.6.2, libgcrypt 1.8.3, libnetfilter_conntrack 1.0.7, libstatgrab 0.91, multipath-tools 0.7.7, openvpn 2.4.6, postfix 3.2.6, rng-tools 6.3.1, smartmontools 6.6, squid 3.5.28, strongswan 5.6.3, tzdata 2018e, unbound 1.7.3

Add-ons

Support for owncloud has been removed from guardian (version 2.0.2)
Updates: clamav 0.100.1, fping 4.0, hplip 3.18.6, ipset 6.38, lynis 2.6.4, mtr 0.92, nginx 1.15.1, tmux 2.7, tor 0.3.3.9
avahi has been brought back in version 0.7 as it is required as a dependency by cups which has been fixed to automatically find any printers on the local network automatically
asterisk is now compiled with any optimisation for the build system which was accidentally enabled by the asterisk build system

Announcing IPFire Nano Box - Our First ARM-based Appliance

by Michael Tremer, May 30, 2018, Updated November 1, 2018

We are proud to announce our first ARM-based appliance: The IPFire Nano Box

This small and versatile system will be our latest addition to our professional IPFire Appliance line and will make IPFire ready to deployed on the Internet of Things as well as in smallest locations like a remote working office or in industrial plants.

Together with our hardware parter TX-Team, and with input from many customers, we have designed this new appliance. For the first time, we layouted and are manufacturing the whole baseboard from scratch for an optimal firewall product and also to be able to act as cost-efficient as possible.

The proud result is up to our highest standards in performance, easy handling, versatile deployment where ever our customers need it, maximum extensibility for many different tasks and of course security.

In the weeks to come, I would like to tell you the stories behind our new product and how it came to be. It has been a long journey and we have invested so much effort and thought into creating this for you and - to us - many of those are worth sharing.

Although this is the smallest of all products, in some ways, it is the greatest.

The IPFire Nano Box

The IPFire Nano Box provides connectivity wherever needed and wherever possible. It has two Fast Ethernet ports and an optional WiFi and LTE/3G module.

A quad-core ARM Cortex-A7 processor has enough power to run multiple secure IPsec or OpenVPN connections to your company’s headquarter or data center where connected IoT applications can send their data to. It can also be used in places where our IPFire Duo Box is too large and where only limited performance is needed. For example to provide connectivity via DSL or 4G and WiFi for a remote worker at home.

Wherever the IPFire Nano Box is deployed, it provides the full range of functionality that the IPFire Distribution has which is much more than what most 4G or DSL routers provide. And of course using one software everywhere makes many things a lot easier, too!

In the basic configuration, the power consumption is only 2 watts which will allow the IPFire Nano Box to be battery-powered over a long time as well.

It is wrapped in an industrial aluminium case in a small form-factor, passively cooled of course and IP50 proof. Surrounding temperatures between zero and 60°C are not a problem and its wide-band voltage input of 12-24V allow deploying the system even under difficult circumstances.

As soon as we have released the product, we will also release our designs, plans and mockups as Open Hardware for everyone to audit and review. With this, we will provide you with a 100% transparent system on which you can build other applications if you want to.

Register Your Interest

We have just completed the prototyping stage of this new hardware and mass-production is starting soon. Since we have already received huge interest about our product in the conversations with our customers over the phone, we are excited to keep you updated about the status.

If you would like to know more about the IPFire Nano Box, or register your interest, please get in touch with our sales team at sales@lightningwirelabs.com.

Meltdown/Spectre - The chaotic story

by Michael Tremer, January 12, 2018, Updated November 6, 2018

I am sure that it has been unmissable: Every modern processor has unfixable security flaws. The story has now been boiling for weeks and has finally made the main news one week ago.

To make this article shorter, I won’t go into details of the technical issue. That has been discussed in many places so far and everyone of you can search around a bit to find an explanation to your desired detail. The most important piece of information that you should know is that the CPUs are allowing applications to access parts of the memory that they should not and that allows an attacker to get important information from the victim’s computer.

Although it took decades to find out about this fundamental design issue, it is very easy to exploit and even a little piece of Javascript executed in a web browser has been reported to be sufficient to execute the attack.

The most important question for us is: Is IPFire affected? And the unfortunate answer is yes, most likely. This is a hardware bug and if IPFire is running on hardware that is vulnerable, it is affected. The even worse news is that there is probably not many systems that are not affected. The IPFire kernel has been patched and hardened against multiple attack vectors and there is a possibility that we are able to mitigate at least some exploitation of this attack through grsecurity. However, this is not 100% confirmed, yet.

Another argument that probably weighs a bit more is that IPFire is never supposed to run untrusted code. The example with the javascript code in a browser might work on a desktop system, but the firewall does not do this. All code is reviewed and compiled by us, signed and verified before it is installed on every single IPFire system. As long as you haven’t installed any third-party software from any other source you should be safe. But any unknown and therefore unpatched remote code execution vulnerability in any of the many packages that IPFire is using would allow an attacker to execute an Meltdown/Spectre exploit. That means we cannot just lean back.

Talking about what we can do from a distribution point of view brings me to point that I have to raise first: I have never read so many speculations, false assumptions and comments that were just wrong about any vulnerability before. For me, new about this vulnerability are just breaking and so are the patches that are out there to mitigate the problem. Many things are just in the unknown until today. The biggest problem there seems to be the embargo that hasn’t been followed properly and one specific vendor who is following their own rules.

It is still officially unconfirmed if 32 bit architectures are affected as well. Logic tells us they are, but the Linux kernel maintainers who pride themselves in having delivered a good set of patches have only working on the 64 bit x86 version of it and not 32 bit. So all 32 bit systems remain unpatched.

The latest versions of the kernel (4.14 and 4.15-rc*) have received a patchset called KAISER which is supposed to mitigate the hardware bug. However, only an old version and parts of that patchset have been backported to older kernels. IPFire is always based on an older kernel that is on long-term support and well maintained just like many other distributions. Some have patched parts of the vulnerability but I think I can be certain that nobody fixes all of it. By that I certainly do not want to say that the kernel maintainers are doing a bad job. They are doing a great job, but of course their time is also limited and this is not a simple fix that requires a few lines like Heartbleed did. It requires major rework of some essential parts of the kernel and I am very grateful for them doing that work. My point is just that they are not done, yet and deploying half a fix is probably not a good idea. People have reported bugs in the other kernels that will probably never be fixed.

So what will IPFire do? Having said that we think that we might already mitigate some portion of that problem and that the distribution is not too easy to exploit, we are continuing to work on rebasing the distribution on 4.14 which is the latest long-term supported kernel. That will take some more time though since supporting ARM is a huge maintenance problem for us right now. It is holding up a release that is basically ready for beta. If a good patchset that is also compatible with grsecurity becomes available we will ship that with the current kernel, but I am not expecting that to happen in the near future.

That leaves me with saying that everyone who can should probably upgrade from 32 bit to 64 bit.

I cannot finish this article with having a rant about Intel and how they dealt with this issue. There are also some other groups who deserve some criticism and but clearly Intel did not handle this well and is still trying to play down the huge size of this problem. First of all it is the most severe hardware issue that has been around in probably all time. It is not only in a product that some people use, but probably every person who reads this article owns at least one Intel processor that has been produced in the last decade. Their power in the market is that huge that they have a monopoly.

Bugs happen. I do not want to point a finger at a certain person or group who did something wrong. Clearly they should have known better, but this has happened now, so we have to deal with it. But you should own your bugs. Take responsibility. Instead their PR department seems to have chosen a route to blame other vendors as well for a bug that only they had. Yes, ARM and yes, AMD is also affected by some problems that are also very severe, but there is one that only affects Intel processors. That is also the most severe one. They continue to put out benchmarks that only show a little performance impact but deliberately neglect older processors where the performance impact is a lot higher.

That is not a very good way to gain my trust. And not that I had the biggest trust in that company before, this did not help. So I am stuck in a world where I do not have many alternatives to what I can buy from the shelfs. Your products are inside every modern computer. Make yourself aware of that responsibility. That includes your CEO who apparently did not want to own that financial risk.

And the only reason why I care about this so much is, that secure software requires secure hardware. It does not matter how secure IPFire is, because when the hardware is compromised, the software is compromised, too.

Moving towards TLS-only

by Michael Tremer, November 1, 2017

Finally, we have made the move to host all of our services over TLS only. That means that any website or file that is being downloaded, any email that is being sent or received is being encrypted. Everything is secure now! Well… not really. This is a brief article about TLS considerations and some real-world issues with it.

Up until about two weeks ago, none of the IPFire web services had a certificate – with a few exceptions. If you went onto our main website, you would have just connected over HTTP and that is it. There was no TLS involved whatsoever. It didn’t need it really. At no time any personal data was being transferred. It was just our website which is publicly available for everyone.

For some web services like Bugzilla and some more we used our own CA. That allowed us to issue our own certificates with what ever settings we wanted and we could deploy them very easily. One main incentive was to avoid paying for a number of certificates at a public CA which wasn’t possible for such a number of certificates and being as underfunded as we are it was a wrong place to invest the money. I toyed around with DANE for a little bit, but since no web browser implements this, this is nothing better than a trial.

Let’s Encrypt everything!

But those days are gone now. Over the last weeks I abandoned the IPFire CA and replaced any existing certificates by certificates from Let’s Encrypt. It has been suggested many times by many users but I refused to do it because I do not really see the point of just encrypting everything for the sake of encryption. Encryption is from my point of view very useless in the case of our main website and mirror servers.

What convinced me now to do it is a completely different argument: Integrity. I do not want somebody else injecting some malicious Javascript code into our website. That is the only reason Let’s Encrypt makes sense. Encryption would technically work without a publicly signed certificate and of course in the case of the IPFire forums it is a necessity.

In addition to the sites that already had a certificate, I set up Let’s Encrypt for literally everything else, too. And since this only makes sense if everyone is using TLS, we now redirect every HTTP request to HTTPS first before having our web server replying to it. That means any website, any download is now going over HTTPS.

To enforce that, we use HTTP Strict Transport Security (or HSTS) which lets every browser remember, that “www.ipfire.org” is only available over HTTPS. The next time, you enter that domain into your address bar, the browser will remember to connect over HTTPS only.

Improving TLS performance

Additionally, we use OCSP Stapling, which will help to improve the speed of setting up the first TLS connection. The browser would contact the CA which is Let’s Encrypt in our case and check if the certificate that has been received from the web server is still valid or has been revoked. That takes some time since it is an extra TCP connection and the CA has to respond to a large number of these OCSP requests.

Instead, our web server does this for you and staples the OCSP response to the TLS handshake. It is signed and therefore the browser can trust it without having to contact the CA to verify.

On top of that, we cache TLS sessions to resume them faster.

Securing Encryption

We only allow the browsers to use TLS 1.2. Anything else is not possible since they are considered broken or cryptographically weak.

And finally, we reviewed the list of allowed ciphers and removed anything else but AES256 and AES128 in GCM mode or in CBC mode with SHA384 or SHA256. We introduced using ChaCha20 with Poly1305.

The key handshare is only possible using either the Elliptic Curve Diffie Hellman algorithm or ECDSA. None of which rely on a discrete logarithm.

Downsides of all of this

This is now all new and shiny with icing on top. Latest cryptography. Strongest ciphers. What could go wrong?

We will inevitably kick out a number of users here to enforce these new things. That is at least: Firefox 26 and older, Chrome 29 and older, IE 10 and older, Opera 16 and older, Safari 8 and older and Android 4 and older. Those devices and browser won’t be able to contact our web servers securely and more and since we insist using TLS only, they won’t be able to connect with us at all.

The idea is to try this out now. If you have issues connecting and it should work, please let us know. This will need to be a trade-off of what is good security and what people actually use. But I do have the intention to force you XP users out there to finally upgrade. It’s 2017.

Late spring cleaning in progress

All these things happened during our yearly security review and updating where we check if every part of our infrastructure is using the best possible security that is available to us.

Of course we also added Let’s Encrypt certificates to our other services like Mail and XMPP. But we are not fully done and will need to improve more when ever there is time to do so.

Under The Hood

Security Updates

Misc.

Toolchain Update

ReiserFS Deprecation

Misc.

Indirect Branch Tracking for User Space

ExtraHD

Misc.

Intel

AMD

Hyper-V

How is IPFire affected?

Indirect Branch Tracking by Default

Security Updates

Misc.

Bug Fixes

Miscellaneous

OpenSSL 3.1.1

Linux 6.1.30

Miscellaneous

The Legacy Modem Interface

Is 5G here?

Introducing QMI support

Linux Kernel 6.1.11

Miscellaneous

Free Software Licenses

Us, the Open Source Community

We Need You To Give Back

Modernizing system components

Sunsetting 32-bit ARM support

Miscellaneous

Intrusion Prevention System improvements

3rd party firmware updates

Security improvements

Miscellaneous

Linux Kernel 5.15.35

Miscellaneous

zlib memory corruption on DEFLATE

Firewall Updates

Updated Toolchain

Misc.

Add-ons

A New Kernel For IPFire

Improved Firewall Capabilities

Misc.

Add-ons

Everything is better with CAKE

Misc.

Add-Ons

Retiring i586 and Hardware Woes

We Are Ready For 2022!

Improving Network Throughput

Removing Python 2

Misc.

Add-ons

Deprecating Python 2

Misc.

Add-ons

Mitigating NAT Slipstreaming

Spanning Tree Protocol support in Zone Configuration

OpenSSL Security Vulnerabilities

Miscellaneous

Add-ons

DNS Resolution Improvements

WPA3 Client Support

Misc.

Add-Ons

How to update?

Kernel Hardening

Suricata 5 - Our Intrusion Prevention System

Making Testing Easier

Misc.

Add-Ons

Updates

Cleaned-up Packages

How to update?

DNS-over-TLS

TCP Fast Open

How to use it?