Today, we are releasing IPFire 2.25 - Core Update 155, which comes with various security fixes to mitigate NAT Slipstreaming attacks and important fixes in the OpenSSL library, which could have allowed attackers to crash services that use TLS on the firewall.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

We recommend installing this update as soon as possible and rebooting the system.

Mitigating NAT Slipstreaming

Peter has recently announced our measures against NAT Slipstreaming. Through feedback from the community, we have seen that most people are not affected by these changes.

We are going to disable and remove support for all Application Layer Gateways. This includes SIP, FTP, H.323, IRC, PPTP and TFTP. They will be automatically disabled on systems that install this update and will no longer be available.

This change might require some attention if you are using any software that relies on the ALG. This is most likely the case for VoIP solutions that use SIP. From feedback during the testing period of this update, we can confirm that only a very small fraction of users is affected.

Spanning Tree Protocol support in Zone Configuration

The zone configuration now allows configuring Spanning Tree Protocol (STP) for bridges. Since it is possible to add multiple interfaces to the same bridge, there is a danger that loops are created on the network. STP avoids those by disabling bridge ports when a loop is detected.

Zone Configuration with STP

OpenSSL Security Vulnerabilities

The OpenSSL team released version 1.1.1k which fixes two rather severe security issues:

  • CVE-2021-3449: TLS servers could have been crashed with a maliciously crafted renegotiation message. In IPFire this could have been used to deny service to the web user interface or some add-ons like haproxy
  • CVE-2021-3450: Enabling strict certificate checking had the opposite effect: some certificates were evaluated as valid when they were actually not

We are also shipping fixes from an earlier OpenSSL release (1.1.1j) which were of lower severity: CVE-2021-23841, CVE-2021-23839 & CVE-2021-23840

Miscellaneous

  • The wireless client configuration is now processing priorities correctly. Before, wireless networks were prioritised in the opposite order
  • The QoS graphs will now have consistent colours in the downstream and upstream direction
  • The Update Accelerator "Passive Mode" option has been clarified
  • New packages: PCRE2, which is an improved version of PCRE, implementing Perl-compatible Regular Expressions
  • Updated packages: attr 2.4.48, autoconf 2.71, bind 9.11.28, freetype 2.10.4, iproute2 5.11.0, ipset 7.11, lcms2 2.12, libgcrypt 1.9.2, libhtp 0.5.37, libffi 3.3, libxcrypt 4.4.17 which replaces libcrypt which came bundled with glibc, lz4 1.9.3, lzo 2.10, mpage 2.5.7, net-tools 2.10, nettle 3.7.1, openssh 8.5p1, Python 3.8.7, qpdf 10.3.0, rust 1.50, sqlite3 3.34.1, squid 4.14, suricata 5.0.6, sysvinit 2.98, tar 1.34, tcl 8.6.11, unbound 1.13.1, wget 1.21.1
  • IPFire can experimentally be compiled for 64-bit RISC-V
  • Various older versions of operating system libraries have been removed. They were needed to keep older programs compatible without needing to recompile them. Those were: Berkeley DB, GMP, libjpeg, PCRE, readline
  • On i586, SSE2-optimised versions of performance-critical libraries have been dropped. This affects GMP and OpenSSL, which might result in lower VPN throughput with OpenVPN on affected systems. Support for this will be removed with the next release of glibc.
  • The unattended installer started in regular mode on serial consoles
  • Roberto Peña has contributed a Spanish translation for the Captive Portal

Add-ons

  • Updated packages: elfutils 0.183, hplip 3.21.2, fireperf 0.2.0, krb5 1.19.1, mc 4.8.26, monit 5.27.2, nano 5.6, nagios_nrpe 4.0.3, nagios-plugins 2.3.3, stunnel 5.58, tor 0.4.5.6, tshark 3.4.3

The upcoming release IPFire 2.25 - Core Update 155 is available for testing. It comes with important security fixes for the NAT Slipstreaming attack which might require attention if you are currently using the Application Layer Gateways for SIP or FTP.

Miscellaneous

  • OpenSSL has been updated to 1.1.1j which fixes three security vulnerabilities: CVE-2021-23841, CVE-2021-23839 & CVE-2021-23840

The first update of the year will be an enormous one. We have been working hard in the lab to update the underlying operating system to harden and improve IPFire and we have added WPA3 client support and made DNS faster and more resilient against broken Internet connections.

This is probably the release with the largest number of package updates. This is necessary for us to keep the system modern and adopt any fixes from upstream projects. Thank you to everyone who has contributed by sending in patches.


DNS Resolution Improvements

The DNS proxy working inside IPFire will now reuse any TLS and TCP connections for DNS resolution making it substantially faster. Before, a TCP or TLS connection had to be opened and closed after a response was received causing a lot of overhead.

Please consider whether your setup can run DNS-over-TLS to protect your privacy.

If you had a brief outage of your Internet connection, or if any or all of the upstream name servers did not respond, the DNS proxy could stop retrying them. This was due to an overly aggressive DoS protection, which has been changed so that the proxy keeps trying to reach any servers that are down.

WPA3 Client Support

The previous Core Update added WPA3 support for access points. This is now being complemented by adding it for the client side, too.

If you are running your RED interface as a client to another wireless network, it can now use WPA3 to authenticate to the network and to encrypt packets. WPA2 has also been improved by optionally using SHA256 instead of SHA1 if the access point supports it.

Misc.

There are a number of changes in this release:

  • Various command injections and privilege escalations were reported by Albert Schwarzkopf in the security layer between the web user interface and the operating system. With those, an authenticated unprivileged user could gain root access to the operating system.
  • DDNS: The UI has been improved for providers that support "token authentication"
  • SSH sometimes failed to terminate when the system was shut down, which caused an unnecessary delay
  • IPsec: XFRM policy lookup has been disabled for VTI interfaces
  • Keyboard support on virtualised systems on Microsoft Hyper-V was sometimes not working and has now been fixed.
  • Various cosmetic fixes for the web user interface and various code cleanups have been conducted by Matthias and Leo.
  • Updated packages: acl 2.2.53, acpid 2.0.32, automake 1.16.3, arping 2.21, bind 9.11.26, ccache 3.7.12, curl 7.75, dbus 1.12.20, dhcpcd 9.3.4, dma 0.13, fcron 3.2.1, findutils 4.8.0, fuse 3.10.1, hyperscan 5.4.0, iproute2 5.10.0, ipset 7.10, iptables 1.8.7, iw 5.9, less 563, libassuan 2.5.4, libgcrypt 1.9.1, libgpg-error 1.41, libhtp 0.5.36, libloc 0.9.5, libseccomp 2.5.1, logrotate 3.18.0, logwatch 7.5.5, lzip 1.22, kmod 28, knot 3.0.5, newt 0.52.21, OpenSSL 1.1.1j, PAM 1.5.1, pptp 1.10.0, sed 4.8, sqlite 3.34.0, texinfo 6.7, tzdata 2021a, procps 3.3.16, sudo 1.9.5p1, unbound 1.13.0, wget 1.21

Add-Ons

  • Updated packages: bacula 9.6.7, bird 2.0.7, c-ares 1.17.1, cifs-utils 6.12, clamav 0.103.1, cups-filters 1.28.7, ddrescue 1.25, dehydrated 0.7.0, elfutils 0.182, fireperf 0.1.0, firmware-update 20210107, flashrom 1.2, hostapd 2021-01-18, hplip 3.20.11, htop 3.0.5, iperf 2.0.14a, iperf3 3.9, kerberos 1.18.3, lvm2 2.02.187, lynis 3.0.3, minicom 2.8, monit 5.27.1, nano 5.5, p7zip 17.03, postfix 3.5.8, samba 4.13.4, screen 4.8.0, shairport-sync 3.3.7, sshfs 3.7.1, strace 5.10, stunnel 5.57, tor 0.4.4.7, tshark 3.4.2, QEMU 5.2.0, wpa_supplicant 2021-01-18

IPFire 2.25 - Core Update 153 released

by Michael Tremer, December 22, Updated December 22

This is the official release announcement for the last planned Core Update of this year: IPFire 2.25 - Core Update 153.


Location Database

The location database has received significant updates that improve its accuracy. This was possible by importing more data into it and correlating it with existing data from other sources.

We have also improved performance of loading data from the database into the kernel for firewall rules which removes a class of issues where IP addresses could have matched more than one country.

Many weeks have been invested into this to optimise the database import and export algorithms to provide this functionality even on hardware that is weak on processor power and/or memory.

WPA3 - Making WiFi Safe Again

WPA3 is the new upcoming standard to protect wireless connections and is now supported in IPFire. It can be enabled together with WPA2 so that you can still support any devices that do not support WPA3 yet.

WiFi can also be made more secure by optionally enabling Management Frame Protection, which hardens the network against attackers that try to de-authenticate stations and thereby cause a denial of service on your network.

There is more in a detailed post about this new feature: IPFire Wireless Access Point: Introducing WPA3

Another Intel Security Vulnerability

We have of course spent a lot of our valuable development time on this month's security issues created by Intel. As you might have heard from the news, it is possible to profile instructions and extrapolate information through measuring the power consumption of the processor when that instruction is being executed.

We consider this not exploitable on IPFire, because we do not allow running any third-party code, but we are of course shipping fixes in the form of a patched Linux kernel based on 4.14.212 and updated microcode, where available, for all affected processors (version 20201118).

Misc.

  • The most recent OpenSSL security vulnerability CVE-2020-1971 has been patched by updating the package to version 1.1.1i
  • Safe Search now allows excluding YouTube
  • The zone configuration page now highlights network devices that are assigned to a zone. This change improves usability and avoids any mistakes
  • IPsec tunnels are now showing correctly when they are established or not. A programming error could show connected tunnels as "connecting..." before.
  • The log summary no longer shows useless entries for clients that have renewed their DHCP lease and the iptables summary has been removed, since it does not produce any useful output
  • The IP address information page is now showing the Autonomous System for each IP address
  • Some cosmetic improvements for the web user interface have been implemented by Matthias Fischer.
  • On systems with insufficient memory, some pages of the web user interface could not be loaded when they were using the new location library. Thanks to Bernhard Bitsch for reporting this problem.
  • DDNS: Support for DuckDNS has been reinstated after a significant API change
  • Updated packages: bash 5.0.18, curl 7.73.0, file 5.39, go 1.15.4, knot 3.0.2, libhtp 0.5.63, openvpn 2.5.0, pcengines-firmware 4.12.0.6, strongswan 5.9.1, suricata 5.0.5, tzdata 2020d, usb_modeswitch 2.6.1, usb_modeswitch_data 20191128

Add-ons

  • Updated packages: amazon-ssm-agent 3.0.356.0, aws-cli 1.18.188, ghostscript 9.53.3, libseccomp 2.4.4, lynis 3.0.1, python-botocore 1.19.28, python-urllib3, spectre-meltdown-checker 0.44, transmission 3.00, vdr 2.4.4
  • Tor has been updated to version 0.4.4.6 and is now using the new location database for showing the relay country. It is also now possible to define a list of exit nodes to use and to select certain countries to use for guard nodes.
  • amavis and spamassassin have been dropped because they have been unused and unmaintained for a long time
  • git has been fixed so that all features implemented in Perl can be used again.
  • The apcupsd package now correctly backs up and restores its configuration

It is time for another Core Update: IPFire 2.25 - Core Update 152. It comes with various smaller bug fixes and improvements and updates the Windows File Sharing Add-on.

IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate

Changes

  • Intrusion Prevention System: The IPS has been updated to suricata 5.0.4 which fixes various bugs and security vulnerabilities
  • Leo-Andres Hofman contributed for the first time and cleaned up code that shows the DHCP leases on the web user interface. They are now sorted and expired leases are shown at the bottom of the list for better usability.
  • Steffen Klammer fixed a bug which rendered an invalid proxy.pac configuration file when subnets were added in CIDR notation
  • Values for average, minimum and maximum were swapped in the firewall hits graph which has been corrected in this release
  • Updated packages: knot 3.0.1, libhtp 0.94, python 2.7.18, python3 3.8.2, unbound 1.12.0, yaml 0.2.5

Add-ons

  • Updated packages: mtr 0.94, nano 5.3, tor 0.4.4.5
  • Updated Python 3 packages: botocore 1.16.1, colorama 0.4.3, dateutil 2.8.1, docutils 0.16, jmespath 0.9.5, pyasn1 0.4.8, rsa 4.0, s3transfer 0.3.3, six 1.14.0,

Windows File Sharing Services

Samba has been updated to 4.13.0. For various reasons and a lack of development time, we were stuck on Samba 3, which has been unmaintained for a while. With this new version of Samba, new protocol features like SMB3 and encryption are supported. We have also rewritten large parts of the web user interface, made them tidier and fixed some usability issues.

We also dropped some features which we believe are not being used any more. This mainly concerns compatibility with MS-DOS clients, WINS, and using IPFire as Primary Domain Controller for Windows NT domains.

The new streamlined web user interface provides fewer controls, and we have changed some defaults so that they work in modern networks, as well as some that were ineffective in the newer release of Samba.

New features are as follows:

  • Printing with CUPS now works out of the box
  • SMB file transfers are faster, because of some performance tuning
  • IPFire will now always try to become the master browser for its workgroup
  • The file sharing and printing services will be announced to the local network using mDNS with Avahi
  • Extensions for Mac OS X are enabled by default

Because of the vast amount of changes, we need some extra help to find any regressions introduced here. Please also consider whether running this package follows the best-practice rules in your organization.


IPFire 2.25 - Core Update 151 has been released. It comes with various package updates and a number of bug fixes in IPFire Location and security improvements in the SSH service.

Please support our project with your donation.

Improvements to IPFire Location

Since the rollout of our new location database, we have made various improvements on the software implementation to increase accuracy and speed. These are now all included in this Core Update.

In addition to that, we now show whether an IP address is marked as an "anonymous proxy", "satellite provider" or "anycast" which helps debugging network issues and investigating attacks.

Misc.

  • OpenSSH has been updated and no longer supports using SHA1 in the key exchange. Some outdated clients might not be able to connect to the IPFire SSH console any more. Please update your SSH client if you are encountering any problems.
  • A bug has been fixed where IPsec connections were not properly shut down when deleted on the web user interface. The connection was often re-established before it had been removed from the IPsec configuration, which could keep it active until the next reboot.
  • Marcel Follert has contributed two new packages: ncdu, a graphical disk usage monitor, and lshw, a tool that lists the hardware installed in the system
  • Updated packages: binutils 2.35.1, boost 1.71.0, cmake 3.18.3, dhcpcd 9.1.4, fontconfig 2.13.1, freetype 2.10.2, iptables 1.8.5, knot 3.0.0, lcms2 2.9, libgcrypt 1.8.6, libidn 1.36, libloc 0.9.4, libnetfilter_conntrack 1.0.8, libnetfilter_queue 1.0.5, lmdb 0.9.24, logwatch 7.5.4, openjpeg 2.3.1, openssl 1.1.1h, poppler 0.89.0, qpdf 10.0.1, strongswan 5.9.0
  • Various Perl modules have been updated by Matthias Fischer: Digest::SHA1 2.13, Digest::HMAC 1.03, Net::DNS 1.25, Net::SSLeay 1.88

Add-ons

  • Updated packages: avahi 0.8, bacula 9.6.6, cups 2.3.3, cups-filters 1.27.4, dnsdist 1.5.1, freeradius 3.0.21, Git 2.28.0, guardian, haproxy 2.2.4, iptraf-ng 1.2.1, keepalived 2.1.5, libmicrohttpd 0.9.71, libsolv 0.7.14, lynis 3.0.0, nginx 1.19.2, stunnel 5.56

Thanks to everyone who contributed to this update with either submitting patches or helping us testing it.


This is the official release announcement for IPFire 2.25 - Core Update 150: a brand new update with a new kernel, various package updates, bug fixes and a new Connection Tracking Graph.

Please donate to help fund our development work, so that we can further improve IPFire and bring you new features.

Linux 4.14.198

The IPFire kernel is now based on Linux 4.14.198 which brings various security and stability fixes in the network stack as well as improvements throughout the whole rest of the kernel.

In connection with this, the new Location database has received some bug fixes. Formerly, some networks could not be found in the extracted part of the database that is loaded into the kernel. This has been fixed and there will be no more false positives for selected countries.

Connection Tracking Graph

We have extended the monitoring features of IPFire with a new graph showing the size of the connection tracking table. It shows how many connections are open at the same time and helps to debug any networking issues or overload.

Connection Tracking Graph

In addition to that, the CPU graph has been fixed. An empty graph was rendered after the number of processor cores had changed.

Add-ons

  • Updated packages: clamav 0.103.0, htop 3.0.2, nano 5.2, postfix 3.5.7

We have been busy baking another large update for you which is full of oozy goodness. It includes an updated toolchain based on GCC 10 and glibc 2.32 and we have added a lot of tuning which makes IPFire 33% faster on some systems.

Toolchain Update

IPFire is based on glibc 2.32, the standard library for all C programs, and GCC 10.2, the GNU Compiler Collection. Both bring various bug fixes and improvements.

The most notable change is that we have decided to remove a Spectre 2 mitigation which caused user space programs in IPFire to run about 50% slower due to using a microcode feature called "retpoline". Those "return trampolines" disable the branch prediction engine in out-of-order processors, which was considered to help with mitigating leaking any information from inaccessible kernel space.

This is however not as effective as thought and massively decreases performance in user space, which mainly affects features like our Intrusion Prevention System, Web Proxy and URL filter. We still use this mechanism to avoid leaking any kernel memory into user space.

On top of that, we have updated various tools used for building IPFire as well as core libraries.

We have also enabled a new GCC feature called "stack clash protection" on x86_64 and aarch64, which adds additional checks to mitigate exploits, and we have enabled "CF protection" (control-flow protection), which hardens all software against attackers gaining control over a program's flow and circumventing security checks like password or signature validation.

BootHole, aka GRUB 2.04

As reported in the media, there were various security vulnerabilities in the GRUB boot loader, which is used in IPFire on x86_64, i586 and aarch64. These have now been patched in IPFire and the new boot loader is installed automatically.

Intel Security Vulnerabilities & Virtual Machines

In May 2019, we announced that SMT would be disabled on all machines. This is now skipped for virtual machines, since the mitigation has to be activated on the host system.

Emulated processors might run on multiple physical processors which IPFire in a virtual machine has no control over. However, we still recommend against running IPFire in a virtual environment.

Deprecating i586

This release also officially downgrades the i586 architecture to a secondary architecture. On the download page, you will already find downloads for that architecture at the bottom of the page.

This is because various security mitigations are not available for i586, and development work on the Linux kernel and other software that IPFire relies on is mainly done for x86_64 or other modern 64 bit architectures. We have seen this development coming for a while now, and despite that we will try to keep IPFire available on this architecture.

We urge everyone whose hardware supports it to update their systems to x86_64. You will see a notification on the web user interface if you are affected.

Misc.

  • OpenSSL: We have removed all ciphers that do not support Perfect Forward Secrecy from the default cipher list. That means that all programs in IPFire that initiate TLS connections will no longer accept any "weak" ciphers without PFS.
  • OpenVPN
    • In order to make IPFire compliant with PCI DSS, OpenVPN requires all clients to use TLS 1.2 or newer. This change is automatically enabled on all systems and very old clients might need to be updated. Please check if you are using any outdated clients before updating.
    • The maximum number of simultaneous OpenVPN connections can now be set to up to 1024 and was limited to 255 before.
  • New packages: zstd, a modern and fast compression algorithm, is now part of IPFire
  • Updated packages: apache 2.4.46, bind 9.11.21, bison 3.7.1, curl 7.71.1, GRUB 2.04, intel-microcode 20200616, hyperscan 5.3.0, iproute2 5.8.0, kbd 2.2.0, logrotate 3.17.0, lsof 4.91, mpfr 4.1.0, popt 1.18, unbound 1.11.0, xfsprogs 5.7.0
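The OpenSSL item above drops every cipher without Perfect Forward Secrecy from the default list. The following Python script is an added example (not IPFire's own code): it parses the `openssl ciphers -v` listing format, separates ephemeral (EC)DH suites from static-RSA key transport, and builds a PFS-only cipher string. The sample listing is constructed for this example, and `audit_local_openssl` is an assumed helper name that runs the real `openssl ciphers -v` command on the local system.

```python
"""Check which OpenSSL cipher suites provide Perfect Forward Secrecy.

Parses the `openssl ciphers -v` listing format and separates suites with an
ephemeral (EC)DH key exchange from those using static RSA key transport,
which is the class of suites a PFS-only default cipher list removes.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Kx= values printed by `openssl ciphers -v` whose key exchange is ephemeral
# and therefore forward secret. TLS 1.3 suites print Kx=any because TLS 1.3
# always negotiates an ephemeral (EC)DHE share, so they are handled by proto.
PFS_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK"}

# Constructed sample in the `openssl ciphers -v` output format. The suite
# names are real OpenSSL 1.1.1 names; the selection is made up for this example.
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES128-SHA                    SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)    Mac=SHA1
PSK-AES128-CBC-SHA            SSLv3   Kx=PSK      Au=PSK   Enc=AES(128)    Mac=SHA1
"""

_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class CipherSuite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers(text: str) -> list[CipherSuite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            suites.append(CipherSuite(**m.groupdict()))
    return suites


def has_pfs(suite: CipherSuite) -> bool:
    """True if the suite's key exchange is ephemeral (forward secret)."""
    return suite.proto == "TLSv1.3" or suite.kx in PFS_KX


def non_pfs_suites(suites: list[CipherSuite]) -> list[str]:
    """Names of suites a PFS-only policy would drop from the default list."""
    return [s.name for s in suites if not has_pfs(s)]


def pfs_cipher_string(suites: list[CipherSuite]) -> str:
    """Build an OpenSSL cipher string (TLS 1.2 and below) of forward-secret
    suites only, in the listed preference order. TLS 1.3 suites are excluded
    because OpenSSL configures them separately via -ciphersuites."""
    return ":".join(
        s.name for s in suites if has_pfs(s) and s.proto != "TLSv1.3"
    )


def audit_local_openssl(cipher_string: str = "DEFAULT") -> list[str]:
    """Assumed helper: run the locally installed `openssl ciphers -v` on the
    given cipher string and return the non-PFS suites it would still offer."""
    out = subprocess.run(
        ["openssl", "ciphers", "-v", cipher_string],
        check=True, capture_output=True, text=True,
    ).stdout
    return non_pfs_suites(parse_ciphers(out))


if __name__ == "__main__":
    suites = parse_ciphers(SAMPLE_CIPHERS_V)
    print("would be dropped:", non_pfs_suites(suites))
    print("PFS-only cipher string:", pfs_cipher_string(suites))
```

Running `audit_local_openssl()` against a real installation returns an empty list only when the default cipher list already contains no static-RSA or plain-PSK suites.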

Add-ons

  • Updated: clamav 0.102.4, dnsdist 1.5.0, haproxy 2.2.2, fping 5.0, libvirt 6.5.0, minicom 2.7.1, nfs 2.5.1, postfix 3.5.6, qemu 5.0.0, rsync 3.2.3, spandsp 0.0.6, tor 0.4.3.6, tshark 3.2.6, usbredir 0.8.0, watchdog 5.16, WIO
  • Marcel Follert has contributed a new package: socat, a CLI tool which can be used to communicate with UNIX sockets.

Another update is available for IPFire: IPFire 2.25 - Core Update 147. It contains a vast amount of package updates and brings some security updates.

Security Updates

The squid web proxy had a number of security vulnerabilities that have been patched in version 4.12. Those are:

A third vulnerability (CVE-2020-14058) affects the TLS component of squid, which is not activated in IPFire, so IPFire is not vulnerable to it.

Misc.

  • The Linux firmware package was updated to version 20200519 and brings various improvements to hardware components and adds support for more hardware.
  • A long-standing issue with forwarding GRE connections has been resolved. It was absolutely impossible to get such connections through the firewall, because IPFire's internal connection tracking refused to handle them.
  • Amazon Web Services: The firewall will now configure all zones to use jumbo frames by default. Since Amazon's network allows packets with up to 9001 bytes, this will increase bandwidth in the cloud. The RED interface is exempt, because the Internet still defaults to only 1500 bytes per packet.
  • Updated packages: bind 9.11.20, dhcpcd 9.1.2, GnuTLS 3.6.14, gmp 6.2.0, iproute2 5.7.0, libassuan 2.5.3, libgcrypt 1.8.5, libgpg-error 1.38, OpenSSH 8.3p1, squidguard 1.6.0

Add-ons

Updates

  • Bacula, a backup solution, was updated to version 9.6.5 by Adolf Belka
  • borgbackup 1.1.13
  • haproxy 2.1.7
  • Joe 4.6

It is time for another important and exciting update for IPFire. IPFire 2.25 - Core Update 146 is available for testing and updates the IPFire kernel and enhances its hardening against attacks as well as improving its performance.

Linux 4.14.184

Arne has rebased the IPFire kernel on version 4.14.184 from the Linux kernel developers and integrated our custom patches into this release. It brings various stability and security fixes.

This kernel brings mitigations for processor vulnerabilities in Intel's processors and includes updates of Intel's microcode.

Discontinuing support for 32 bit systems with PAE

Since it is becoming more and more difficult to support 32 bit architectures, we have taken the decision to slowly phase it out. This will free development time which currently benefits only very few users and will help us focus on features that are used by larger groups of the community.

On 32 bit Intel (i.e. i586), we have removed the optional PAE kernel. This kernel allowed addressing more than 4GB of memory even on 32 bit systems and brought some hardening that is not possible on processors that do not support PAE and the NX bit.

Those systems are very few now and we recommend upgrading to 64 bit, since this hardware very often supports 64 bit, too. For those who are still running a pure 32 bit installation, we recommend upgrading your hardware soon.

For now, we will continue to support 32 bit, but it definitely has become a second-class architecture for the Linux kernel developers as well as for plenty of other software. Many major distributions retired their ix86 ports years ago, so maintaining it falls to fewer and fewer developers who do the work for fewer and fewer users. Fixes for the recent vulnerabilities, predominantly in Intel's processors, have not fully been backported to 32 bit either.

Additionally, we have retired the Xen installer tool for 32 bit paravirtualised systems. This was used on systems that do not support hardware virtualisation and not used by many people any more.

Please support our work

Please support us by helping us test this release, so that we can release it as soon as possible and with as few regressions as possible.

You can also donate to the project to fund the developer's work and make IPFire better!


This is the official release announcement for IPFire 2.25 - Core Update 144. It contains a number of security fixes in OpenSSL, the squid web proxy, the DHCP client and more. We recommend installing it as soon as possible and rebooting.

OpenSSL 1.1.1g

The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.

Applications on the client or server side that call SSL_check_chain() during a TLSv1.3 handshake may crash due to incorrect handling of the "signature_algorithms_cert" TLS extension.

CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.

The DHCP Client (#12354)

Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.

After the daemon crashed, the firewall would lose Internet connectivity until it was manually restarted.

Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.

The Squid Web Proxy

The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.

These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.

Misc.

  • Updated packages: apache 2.4.43, bind 9.11.18, dhcpcd 9.0.2, squid 4.11
  • The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs

Hey all you cool cats and kittens,

this is the official release announcement for IPFire 2.25 - Core Update 143 - another update that brings you loads of improvements for IPFire and its build system. We have updated the toolchain and many other essential system libraries as well as including many bug and security fixes.

Toolchain

The toolchain - all tools needed to build the distribution, such as compilers, linkers and essential system libraries - has been updated and is now based on glibc 2.31, GCC 9.3.0 and binutils 2.34.

The build system has also been optimised to take advantage of machines with a lot of memory, and it uses fewer I/O resources by no longer writing large temporary files to disk where this can be avoided.

Intrusion Prevention System

The Intrusion Prevention System has received many smaller fixes to make it run faster, generate fewer false positives and, of course, be more secure.

  • The DNS flood trigger has been disabled, since it was causing loads of false positives. This leads to more reliable DNS resolution on busy systems where the IPS is enabled with rules matching DNS flooding events.
  • All HTTP traffic from and to the web proxy is now processed by the HTTP preprocessor as well.
  • Additional firewall rules have been added to work around a Linux kernel bug: packets destined for an IPsec VPN tunnel could leave the RED interface unencrypted after the IPS had crashed unexpectedly.
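The IPsec leak bug above is the kind of thing worth verifying on a running firewall rather than trusting. The following is an added example, not IPFire's own firewall code: it audits an iptables-save dump for rules that drop packets leaving the RED interface without an IPsec policy attached (iptables' `-m policy --dir out --pol none`) and reports any configured VPN subnet that such a rule does not cover. The dump, the chain name IPSEC_LEAKGUARD and the subnet list are constructed for illustration; on a real system you would feed it `iptables-save` output and the remote subnets from your IPsec configuration.

```python
"""Audit an iptables-save dump for IPsec leak protection on the RED interface.

Added example, not IPFire's own firewall code. Assumed approach: every remote
IPsec subnet must be matched by a rule that drops packets leaving RED without
an IPsec policy attached (iptables' "-m policy --dir out --pol none"), so a
crashed IPS or a torn-down tunnel can not push VPN traffic out in plaintext.
The dump, chain name and subnet list below are constructed for illustration.
"""
import ipaddress
import re
import shlex

# Constructed iptables-save excerpt (not captured from a real system).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IPSEC_LEAKGUARD - [0:0]
-A FORWARD -j IPSEC_LEAKGUARD
-A OUTPUT -j IPSEC_LEAKGUARD
-A IPSEC_LEAKGUARD -o red0 -d 10.20.0.0/24 -m policy --dir out --pol none -j DROP
-A IPSEC_LEAKGUARD -o red0 -d 10.30.0.0/16 -m policy --dir out --pol none -j DROP
-A IPSEC_LEAKGUARD -o red0 -d 10.40.0.0/24 -j ACCEPT
COMMIT
"""

# Constructed list of remote subnets from the IPsec configuration.
SAMPLE_VPN_SUBNETS = ["10.20.0.0/24", "10.30.5.0/24", "10.40.0.0/24"]

_RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_rules(dump):
    """Yield (chain, argv) for every '-A' line of an iptables-save dump."""
    for line in dump.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            yield m.group(1), shlex.split(m.group(2))


def _opt(argv, flag):
    """Return the value following `flag` in argv, or None if absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def leak_block_rules(dump, red_iface="red0"):
    """Return destination networks covered by a 'no IPsec policy -> DROP' rule on RED."""
    protected = []
    for _chain, argv in parse_rules(dump):
        if _opt(argv, "-o") != red_iface or _opt(argv, "-j") not in ("DROP", "REJECT"):
            continue
        # The policy match is what distinguishes plaintext from tunnelled packets.
        if "policy" not in argv or _opt(argv, "--dir") != "out" or _opt(argv, "--pol") != "none":
            continue
        dst = _opt(argv, "-d")
        if dst:
            protected.append(ipaddress.ip_network(dst, strict=False))
    return protected


def unprotected_subnets(dump, vpn_subnets, red_iface="red0"):
    """Return VPN subnets that could leave RED in plaintext when the tunnel is down."""
    protected = leak_block_rules(dump, red_iface)
    missing = []
    for subnet in vpn_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if not any(net.subnet_of(p) for p in protected):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    for subnet in unprotected_subnets(SAMPLE_DUMP, SAMPLE_VPN_SUBNETS):
        print(f"WARNING: no IPsec leak protection for {subnet}")
```

In the constructed dump, 10.40.0.0/24 is only matched by an ACCEPT rule, so the audit flags it: if the tunnel to that network is down, traffic for it would be routed out of RED in the clear. A subnet covered by a larger protected prefix (10.30.5.0/24 inside 10.30.0.0/16) is correctly treated as protected.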

Misc.

  • IPsec: The IKE lifetime can now be set to up to 24 hours again
  • OpenVPN: Net-to-Net connections are now properly stopped when they are deleted, and all their RRD files are deleted, too
  • DNS: Some hostnames configured on the "Edit Hosts" page were not published in unbound. This has been fixed, and unbound now searches local entries before querying global DNS.
  • The kernel has been hardened against unauthorised access to files via symlinks or hardlinks.
  • The boot process could lock up for several minutes on some systems when searching for sensors. This scan is now being done in the background so it will no longer affect the boot process.
  • The IPFire-internal mail agent has now support for implicit TLS.
  • The Net Traffic page did not show any recent data on some systems. This has now been fixed.
  • Many strings in the German translation have been improved and unified for better clarity.
  • Updated packages: bind 9.11.17, cairo 1.16.0, coreutils 8.31, dhcp 4.4.2, dma 0.12, libtool 2.4.6, logwatch 7.5.3, ncurses 6.2, ntp 4.2.8p14, openssh 8.2p1, openssl 1.1.1f, smartmontools 7.1, strongswan 5.8.4, unbound 1.10.0, xz 5.2.5

Add-ons

Bluetooth

The Bluetooth add-on has been dropped because there is no application for it in IPFire. Wireless modems could be used through it before, but since this is not widely used, we have decided to drop the add-on.

Updates

  • amazon-ssm-agent 2.3.930.0, keepalived 2.0.20, libssh 0.9.3, nano 4.9, nginx 1.17.8, postfix 3.5.0, pcengines-apu-firmware 4.11.0.5, spectre-meltdown-checker 0.43, tor 0.4.2.7, tshark 3.2.2

IPFire 2.25 - Core Update 142 released

by Michael Tremer, March 18, 2020, Updated March 19, 2020

This is the official release announcement for IPFire 2.25 - Core Update 142. This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the system that are no longer needed, shrinking the operating system's footprint on disk.

We have a huge backlog of changes that are ready for testing by a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us by testing, or if you prefer, send us a donation so that we can keep working on these things.

Kernel Hardening

This update brings a new kernel which is based on Linux 4.14.173.

For the first time, we have enabled kernel module signing, which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker trying to install a rootkit as a kernel module will no longer be able to load it, because the kernel refuses any module that does not carry a valid signature from the build.

This is a huge improvement for the case where attackers have already gained control of the system through some other security vulnerability.
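A practitioner will want to confirm that enforcement is actually on, not just that modules are signed. The following is an added example, not part of IPFire: it reads the two kernel knobs that govern module loading and scans kernel log lines for the message the kernel prints when it accepts an unsigned module (which only happens when enforcement is off, so its presence means the protection is not active). The root directory is a parameter so the check can be exercised against the constructed tree that build_fake_root() creates; the log lines are constructed as well.

```python
"""Report whether the kernel enforces module signatures and spot unsigned loads.

Added example, not part of IPFire. It reads the two kernel knobs that govern
module loading and scans kernel log lines for the message the kernel emits
when it accepts an unsigned module (which only happens when enforcement is
off). The root directory is a parameter so the check can run against the
constructed tree built by build_fake_root(); the log lines are constructed.
"""
import os
import tempfile

SIG_ENFORCE = "sys/module/module/parameters/sig_enforce"
MODULES_DISABLED = "proc/sys/kernel/modules_disabled"
# Logged when an unsigned module is loaded on a kernel that does not enforce.
UNSIGNED_MSG = "module verification failed: signature and/or required key missing"

# Constructed log excerpt in syslog format.
SAMPLE_LOG = [
    "Mar 18 10:00:01 ipfire kernel: e1000e: Intel(R) PRO/1000 Network Driver",
    "Mar 18 10:05:42 ipfire kernel: evilmod: " + UNSIGNED_MSG + " - tainting kernel",
    "Mar 18 10:05:42 ipfire kernel: evilmod: loading out-of-tree module taints kernel.",
]


def _read(root, rel):
    try:
        with open(os.path.join(root, rel)) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None


def module_signing_status(root="/"):
    """Describe module loading restrictions for the kernel rooted at `root`."""
    enforce = _read(root, SIG_ENFORCE)
    disabled = _read(root, MODULES_DISABLED)
    return {
        # 'Y': unsigned or badly signed modules are refused outright.
        "sig_enforce": enforce == "Y",
        # '1': no further module loads at all until reboot.
        "modules_disabled": disabled == "1",
        # False when the kernel was built without module signing support.
        "available": enforce is not None,
    }


def unsigned_module_loads(log_lines):
    """Return the names of modules that were loaded without a valid signature."""
    names = []
    for line in log_lines:
        if UNSIGNED_MSG in line:
            prefix = line.split(UNSIGNED_MSG, 1)[0]   # "... kernel: evilmod: "
            names.append(prefix.rstrip().rstrip(":").split()[-1])
    return names


def build_fake_root(sig_enforce, modules_disabled):
    """Create a constructed sysfs/procfs tree for testing; None omits the file."""
    root = tempfile.mkdtemp(prefix="modsig-")
    for rel, value in ((SIG_ENFORCE, sig_enforce), (MODULES_DISABLED, modules_disabled)):
        if value is None:
            continue
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")
    return root


if __name__ == "__main__":
    print(module_signing_status())
    print(unsigned_module_loads(SAMPLE_LOG))
```

Run against the real root, `sig_enforce` should be True on an updated system; if it is False the kernel merely taints itself when an unsigned module is loaded, and the log scan will show which modules got in that way.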

Support for Marvell's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in Fireinfo using it any more.

Suricata 5 - Our Intrusion Prevention System

Suricata, the Intrusion Prevention System inside IPFire, has been updated to version 5.0.2.

This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.

This release also introduces Rust, which has recently been added to IPFire. Protocol parsers written in safe Rust cannot, by design of the language, suffer from stack buffer overflows or the other memory corruption bugs that plague C code (only code that explicitly opts out of the safety checks can). This makes it easier for the maintainers to extend the IPS while at the same time making it more robust and secure.

Making Testing Easier

This release introduces a new configuration option for Pakfire. Users can now choose between the stable branch and two testing branches to install unreleased builds more easily.

We hope this helps you help us test IPFire better, and thereby give us more valuable feedback on releases.

Misc.

  • pppd, the Point-to-Point Protocol daemon used for DSL and LTE connections, had a severe vulnerability that allowed remote code execution on both the client and server side. It has been updated to version 2.4.8, which also fixes some more bugs.
  • Passwords for proxy users were limited to eight characters because an old hash algorithm was used. The hashing has been upgraded, and passwords of unlimited length can now be used. Since a stored hash can only be replaced when the password is entered again, existing users keep the old limit until they set a new password.
  • The squid web proxy has been updated to version 4.10, which closes a number of security vulnerabilities
  • ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3, since Python 2 is deprecated now.
  • Wireless Access Point devices are now properly added to a network bridge at boot time
  • Some smaller aesthetic fixes for the new DNS Configuration page
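The proxy password change above is easy to check for: the eight-character limit is the hallmark of traditional DES crypt(3), which silently ignores everything after the eighth character, and such hashes have a recognisable shape. The following is an added example, not IPFire code. It assumes the proxy user database is an htpasswd-style "user:hash" file (the path is not taken from IPFire) and lists which users still carry a legacy hash and should set a new password. The file contents are constructed and contain no real credentials.

```python
"""Find proxy users whose stored password hash is still the legacy crypt(3) format.

Added example, not IPFire code. Assumption: the proxy user database is an
htpasswd-style "user:hash" file, and the eight-character limit came from
traditional DES crypt(), which silently ignores everything after the eighth
character. Such hashes persist until each password is set again, so the
audit lists who still has one. The file contents below are constructed.
"""
import re

# Constructed sample; no real credentials.
SAMPLE_PASSWD = """\
# proxy users
alice:$apr1$Zq9Xk2Lm$Y3uE1bYQn4c9wS0x0w7T1/
bob:ab8pA7uJYpYkM
carol:$2y$05$abcdefghijklmnopqrstuuQ0xF2K7l1zmrR0J7ZlFJ1D2P3kF0R3a
dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
erin:$6$saltsalt$QmQ9oVb1xcF1u3wQpQzR0yXbWb9T1yvVgH0W4dJ0ql0yXZq2P0F7wWq9zY5nqk4H8xQm8y5D2qvQq4xq1Uz2q0
"""

# Traditional DES crypt(): two salt characters + eleven hash characters, no '$'.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Formats that do not truncate the password; roughly strongest first.
_PREFIXES = (
    ("$2y$", "bcrypt"), ("$2b$", "bcrypt"), ("$2a$", "bcrypt"),
    ("$6$", "sha512-crypt"), ("$5$", "sha256-crypt"),
    ("$apr1$", "apr1-md5"), ("{SHA}", "unsalted-sha1"),
)


def classify_hash(h):
    """Return a label for an htpasswd hash string."""
    for prefix, label in _PREFIXES:
        if h.startswith(prefix):
            return label
    if _DES_CRYPT_RE.match(h):
        return "des-crypt"
    return "unknown"


def parse_passwd(text):
    """Return {user: hash} from htpasswd-style text, skipping comments and junk."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        users[user] = h
    return users


def legacy_users(text):
    """Users whose hash truncates the password to eight characters."""
    return [u for u, h in parse_passwd(text).items() if classify_hash(h) == "des-crypt"]


def hash_report(text):
    """Map every user to the hash format in use, for a quick overview."""
    return {u: classify_hash(h) for u, h in parse_passwd(text).items()}


if __name__ == "__main__":
    for user, label in hash_report(SAMPLE_PASSWD).items():
        flag = "  <- reset password" if label == "des-crypt" else ""
        print(f"{user:10s} {label}{flag}")
```

Only bob in the constructed file is flagged; the unsalted SHA-1 entry for dave is weak for other reasons (no salt, fast to brute-force) but does not truncate, which is why the report labels every format rather than returning a bare yes/no.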

Add-Ons

Updates

  • clamav has been updated to 0.102.2, which closes a number of security vulnerabilities
  • dehydrated has been fixed to properly conduct a backup and restore when it is being updated
  • guardian has received fixes for its HTTP log parser
  • haproxy has been updated to 2.1.3 and support for Lua has been enabled
  • libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
  • The qemu package has been stripped from any firmware blobs for architectures that cannot be used on IPFire in order to save disk space on the root partition.
  • Further package updates: dnsdist 1.4.0, mc 4.8.24, tmux 3.0a, tor 0.4.2.6, vdr 2.4.1, vdradmin 3.6.10, w_scan 20170107

Cleaned-up Packages

We have removed a number of packages that have been abandoned by their maintainers. We believe it is better not to offer them than to expose your systems to security risks:

  • arm, a CLI monitoring tool for tor
  • batctl, to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
  • cyrus-imapd - An IMAP/POP daemon
  • multicat & bitstream: Two tools to capture and decode multimedia streams over a network. They were submitted to IPFire but sadly never updated by the maintainer.
  • check_mk_agent - A monitoring tool
  • DirectFB - Graphics drivers
  • ez-ipupdate - A tool for dynamic DNS updates, which is unused because we have ddns
  • icecast, icecastgenerator & streamripper - A media relay for radio streams
  • setserial - A tool to manage serial connections on the console
  • rtpproxy - A relay for RTP streams

We currently have very limited development resources and prefer to invest them where more people benefit. Please donate to support us!


IPFire 2.25 - Core Update 141 released

by Michael Tremer, February 24, 2020, Updated February 24, 2020

The first exciting big update of the year is ready: IPFire 2.25 - Core Update 141! It comes with a totally reworked DNS system which adds many new features like DNS-over-TLS.

On top of that, this update fixes many bugs.

DNS Updates

The biggest set of changes in this release is around DNS. We have cleaned up many scripts and the UI, which allowed us to add new functionality:

  • A unified page with all DNS settings
  • More than two DNS servers can be added for better load balancing and resilience. The fastest servers are used automatically.
  • Enhanced privacy with DNS-over-TLS and strict QNAME minimisation
  • Safe Search, to filter adult content for the entire network without using the web proxy
  • Better workarounds for users whose ISPs filter DNS responses or break DNSSEC: TLS or TCP can be used as transport instead.
  • Faster boot because fewer checks are executed at boot time

To combat MTU issues, we follow current guidelines and have set the EDNS buffer size to 1232 bytes. This avoids large DNS replies being fragmented, even on Internet lines with smaller MTUs: 1232 is the minimum IPv6 MTU of 1280 bytes minus the 40-byte IPv6 header and the 8-byte UDP header, so a reply of that size fits on any IPv6 path without fragmentation.
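What the "EDNS buffer size" actually is on the wire is a single 16-bit field in the OPT pseudo-record (RFC 6891), carried in the CLASS position of the record. The following is an added example, not code from IPFire or unbound: it builds a DNS query that advertises a buffer size and parses the advertised size back out of a packet, which is also the check you would run on a capture to confirm what a resolver is announcing. All packets are constructed in memory; nothing is sent.

```python
"""Build and parse a DNS query that carries an EDNS(0) OPT pseudo-record.

Added example, not code from IPFire or unbound. It shows what the EDNS buffer
size is on the wire: the CLASS field of the OPT record (RFC 6891) advertises
the largest UDP payload the sender can receive. 1232 is the IPv6 minimum MTU
(1280) minus the IPv6 header (40) and UDP header (8), so a reply of that size
never needs fragmentation. Everything here stays in memory; nothing is sent.
"""
import struct

EDNS_BUFSIZE = 1232
OPT_TYPE = 41
DO_BIT = 0x8000  # DNSSEC OK flag, the top bit of the OPT record's TTL field


def _encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, bufsize=EDNS_BUFSIZE, dnssec_ok=True):
    """Return a DNS query for `name`; bufsize=None builds a pre-EDNS query."""
    arcount = 0 if bufsize is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    if bufsize is None:
        return header + question
    ttl = DO_BIT if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def _skip_name(pkt, off):
    """Return the offset just past the name starting at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes total
            return off + 2
        off += 1 + length


def edns_info(pkt):
    """Return (advertised_bufsize, dnssec_ok) from the OPT record, or None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
    return None


if __name__ == "__main__":
    q = build_query("ipfire.org")
    print(len(q), "bytes, EDNS:", edns_info(q))
```

The parser walks answer, authority and additional sections alike because a responder echoes its own OPT record in the additional section, so the same function tells you what size the upstream server offers back.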

All DNS settings will automatically be converted. This is also compatible when older backups are being restored.

Updates Under The Hood

IPFire is a modern distribution, as we change and update many essential system components regularly. That allows us to keep you safe, support new features and, of course, be fast by taking advantage of modern hardware.

In this update, we have rebased the system on GCC 9 and added support for Go and Rust. We have included Python 3 in the base system and deprecated Python 2, which is now end of life. Not everything has been converted to Python 3 yet, but we hope to be able to drop Python 2 altogether soon.

Unfortunately the system grows larger with every update. Software in general is quite bloated, although we try our best to keep IPFire as small as possible. On systems with a 2GB root partition and many add-ons installed, disk space might be running out. This update clears out a lot of files that are no longer needed. We have also improved the stripping of debugging symbols, which are not needed on a production system, from our binaries to keep those files smaller.

  • elinks, the text-based browser, is no longer an add-on but shipped with the core system.
  • LVM devices are now supported in IPFire.
  • Updated packages: efivar 35, gcc 9.2.0, file 5.38, knot 2.9.2, libhtp 0.5.32, mdadm 4.1, mpc 1.1.0, mpfr 4.0.2, rust 1.39, suricata 4.1.6, unbound 1.9.6
  • New packages: rfkill

Misc.

  • The Intrusion Prevention System now filters packets from and to OpenVPN clients, too
  • Pakfire initially used plain HTTP to download the first mirror list. Although the server would redirect it to HTTPS, that first plaintext request was avoidable; this has now been changed so that the first connection attempt already uses HTTPS.
  • As announced in a separate blog post, we are shipping the latest version of Maxmind's GeoIP database
  • IPsec: To enhance compatibility with many clients, newly generated root certificates will include a valid Subject Alternative Name which can also be freely configured

Add-ons

  • Updated: dehydrated 0.6.5, libseccomp 2.4.2, nano 4.7, openvmtools 11.0.0, tor 0.4.2.5, tshark 3.0.7
  • New: amazon-ssm-agent for better integration into the Amazon cloud

It is time for the first release of the year: IPFire 2.23 - Core Update 139. It is packed with improvements, software updates, and many, many bug fixes.

Improved Booting & Reconnecting

Dialup scripts have been cleaned up to avoid unnecessary delays after the system has been handed a DHCP lease by the Internet Service Provider. This allows the system to reconnect more quickly after losing the Internet connection, and booting up and connecting to the Internet is quicker, too.

Improvements to the Intrusion Prevention System

Various smaller bug fixes have been applied in this Core Update, making our IPS a little better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers the system uses.

TLS

IPFire is configured as securely as possible, while we also keep an eye on performance. For connections to the web user interface, we no longer allow cipher suites in CBC mode. This mode has been the target of a series of padding-oracle attacks, and the more robust GCM mode is available everywhere it matters.

Whenever an SSL/TLS connection is established to the firewall, we used to prefer ChaCha20-Poly1305 as the cipher. Since AES-NI is becoming more and more common, even on smaller hardware, it makes sense to prefer AES-GCM instead. The vast majority of client systems support it as well, which allows faster communication with IPFire systems and saves battery power.
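Both changes above are expressed as an OpenSSL cipher string, the same notation an httpd SSLCipherSuite directive takes. The following is an added example, not IPFire's Apache configuration: it puts a permissive string (ChaCha20 first, every HIGH suite allowed, CBC included) next to a hardened one (AEAD suites only, AES-GCM ahead of ChaCha20) and uses Python's ssl module only to expand each string the way OpenSSL would, so you can see what a server configured with it would actually offer. No connection is made; exactly which suites appear depends on the OpenSSL build Python is linked against.

```python
"""Show the difference between a cipher list that still allows CBC and one that does not.

Added example, not IPFire's Apache configuration. The two strings are OpenSSL
cipher strings of the kind an httpd SSLCipherSuite directive takes; Python's
ssl module is used only to expand them the way OpenSSL would. No connection
is made. Which suites exist depends on the OpenSSL build Python is linked to.
"""
import ssl

# Permissive: ChaCha20 first, then everything OpenSSL rates HIGH, CBC suites included.
PERMISSIVE = "ECDHE+CHACHA20:ECDHE+HIGH:!aNULL:!MD5"
# Hardened: AEAD suites only, AES-GCM ahead of ChaCha20 for hosts with AES-NI.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def expand(cipher_string):
    """Return the TLS 1.2 suites `cipher_string` enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are fixed AEADs and are not governed by the cipher string,
    # so only the TLS 1.2 list reflects what the string allows.
    return [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def non_aead_suites(cipher_string):
    """Names of enabled TLS 1.2 suites that are not AEAD, i.e. the CBC ones."""
    return [c["name"] for c in expand(cipher_string) if not c["aead"]]


def first_suite(cipher_string):
    """The suite a server using this string would prefer for TLS 1.2."""
    suites = expand(cipher_string)
    return suites[0]["name"] if suites else None


if __name__ == "__main__":
    for label, s in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{label}: first={first_suite(s)} cbc={non_aead_suites(s)}")
```

With the hardened string the non-AEAD list is empty and the first suite is an ECDHE AES-GCM suite; with the permissive one, suites such as ECDHE-RSA-AES256-SHA384 show up in the CBC list even though their names never say "CBC", which is why the check keys on the AEAD property rather than the name.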

Misc.

  • The microcode for Intel processors has been updated again to mitigate the vulnerabilities addressed in the last Core Update
  • PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version 4.10.0.3
  • Captive Portal: Expired clients are now automatically removed
  • Dynamic DNS: Support for NoIP.com has been fixed in ddns 12
  • Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5

Add-Ons

  • clamav has been updated to 0.102.1, which includes various security fixes
  • libvirt has been updated to version 5.6.0 for various bug fixes or feature enhancements and support for LVM has been enabled.
  • qemu has been updated to 4.1.0
  • Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42

IPFire 2.23 - Core Update 138 released

by Michael Tremer, November 18, 2019, Updated November 18, 2019

Just days after the last one, we are releasing IPFire 2.23 - Core Update 138. It addresses and mitigates recently announced vulnerabilities in Intel processors.

Intel Vulnerabilities

Intel has blessed us again with a variety of hardware vulnerabilities that need to be mitigated in software. Unfortunately these will further decrease the performance of your IPFire systems due to changes in Intel's microcode, which is also shipped with this Core Update.

If you would like to learn more about these vulnerabilities, please look here, here, here, and here.

We recommend installing this update as quickly as possible to protect your system from being exploited through these vulnerabilities. A reboot is required to activate the changes.


We are happy to announce the release of IPFire 2.23 - Core Update 137. It comes with an updated kernel, a reworked Quality of Service and various bug and security fixes.

Development around the Quality of Service and tackling some of the bugs required an exceptional amount of team effort in a very short time, and I am very happy that we are now able to deliver the result to you to improve your networks. Please help us to keep these things coming with your donation!

An improved and faster QoS

As explained in detail in a separate blog post from the engine room, we have been working hard on improving our Quality of Service (QoS).

It allows smaller systems to pass a lot more traffic and reduces packet latency on faster ones, creating a more responsive and faster network.

To take full advantage of these changes, we recommend rebooting the system after installing the update.

Linux 4.14.150

The IPFire Kernel has been rebased on Linux 4.14.150 and equipped with our usual hardening and other patches.

The kernel has been tuned to deliver more throughput for IP connections as well as reducing latency to a minimum to keep your network as responsive and fast as possible.

An especially nasty bug that caused the system to drop DNS packets when the Intrusion Detection System was enabled has been tracked down by a large group of IPFire developers with additional help from the suricata team.

Misc.

  • Downloaded GeoIP databases were not always cleaned up from /tmp when a download failed, which could fill up the root partition. If this has happened to you, reboot your system to free the space. The script has been cleaned up and now catches errors so that it cleans up afterwards.
  • IPsec now supports Curve448, which offers 224 bits of security compared to the 128 bits of Curve25519. It is a more conservative choice at the cost of some speed and is enabled by default for new connections.
  • Tim Fitzgeorge contributed a patch that restarts the syslog daemon after a backup has been restored, so that old log files are closed and logging continues in the restored ones
  • /var/log/mail is now being rotated
  • Updated packages: bind 9.11.12, iptables 1.8.3, iproute2 5.3.0, knot 2.8.4, libhtp 0.5.30, libnetfilter_queue 1.0.4, libpcap 1.9.1, libssh 0.9.0, Net-SSLeay 1.88, pcre 8.43, strongswan 5.8.1, suricata 4.1.5, tzdata 2019c, unbound 1.9.4, wpa_supplicant 2.9

Add-ons

New: speedtest-cli

This is a handy tool to perform a regular speed test on the console. It was packaged to test the QoS, but is also handy for testing the throughput of the firewall to and from the Internet on the console.

Updated Packages

  • bird 2.0.6 now supports RPKI validation by connecting to an RPKI-to-Router (RTR) cache server, which serves the validated route origin data, either via plain TCP or over SSH
  • sane has been updated to version 1.0.28 and now supports more hardware
  • A French translation is now available for the Who is Online? add-on
  • Others: clamav 0.102.0, hostapd 2.9, ipset 7.3, mtr 0.93, nano 4.5, ncat 7.80, nmap 7.80, shairport-sync 3.3.2, tcpdump 4.9.3, tor 0.4.1.6, tshark 3.0.5

IPFire 2.23 - Core Update 136 released

by Michael Tremer, October 10, 2019, Updated October 13, 2019

This is the official release announcement for IPFire 2.23 - Core Update 136. A new update packed with loads of security fixes, bug fixes and a couple of important new features.

Please donate to help our developers and keep bringing you new features. Thank you, it means a lot.

OpenSSL 1.1.1d

This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release:

  • CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we do not use any custom curves.
  • CVE-2019-1549: Forked processes could have shared the same state of their random number generator; this is fixed by mixing in a high-precision timer.
  • CVE-2019-1563: Another padding oracle, this time in PKCS7/CMS decryption, exploitable by an attacker who can submit a very large number of messages and learn whether each decryption succeeded

All of these are classified as "low severity". However, we recommend to install this update as soon as possible.

Perl 5.30

Arne has been busy replacing Perl with the latest stable version. This requires that the many applications that use Perl - like our own web user interface - be shipped again, as well as many add-ons. Hence this update is rather large.

GeoIP

Since Maxmind no longer publishes its GeoIP database in the original format, and unfortunately does not provide good bindings for the new release, we had only been able to ship an outdated version of the database in IPFire.

There is now a script that converts the current data into the old format which allows us to provide a recent database again.

This database is, however, only used for showing country flags in the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data, so it only blocks the right things.

Misc.

  • The firewall limits the rate of log messages so that flooding it with packets cannot cause a denial of service by filling the hard drive with gigabytes of logs or starving other write operations. This limit was, however, very low by modern standards and has been raised to 10 logged packets per second, which makes it much less likely that a dropped packet goes unlogged.
  • Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.15.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
  • logwatch and logrotate could conflict when running at the same time. This has been changed so that only one of them runs at a time.
  • Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
  • The toolchain now ships a compiler for Go

Add-ons

  • Updated packages: freeradius 3.0.19, haproxy 2.0.5, monit 3.25.3, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
  • dnsdist has had its limit of open connections increased to work better in bigger environments
  • tor: A permission problem has been fixed so that the web UI can save settings again
  • wio: The RRD files will now be included in the backup as well as various UI improvements have been done

Please reboot!

This update needs a reboot of your IPFire system.


IPFire 2.23 - Core Update 136 is available for testing

by Arne Fitzenreiter, September 15, 2019, Updated September 15, 2019

Dear community,

the summer has been a quiet time for us, with a little relaxation but also a shift of focus to our infrastructure and other things. Now we are back with a large update packed with important new features and fixes.


Please join in to help us test this and make it another successful and bug-free release of IPFire. Please report any bugs to Bugzilla, and if you cannot spare any of your time, you can of course help us out with your donation.


This is the official release announcement for IPFire 2.23 - Core Update 135, which comes with a new kernel and various bug fixes. We recommend installing it as soon as possible.

Kernel Update

The IPFire Linux kernel has been rebased on 4.14.138 with various improvements. Most notably, this kernel - once again - fixes CPU vulnerabilities.

Misc.

  • On x86_64, the effectiveness of KASLR has been improved, which makes it harder for attackers to locate kernel code and data when executing exploits or injecting code
  • DNS: unbound has been improved so that it takes much less time to start up when a DNS server is unavailable.
  • The scripts that boot up IPFire have been improved, rewritten and cleaned up for a faster boot, and they now handle some error cases better
  • Updated packages: dhcpcd 7.2.3, nettle 3.5.1, squid 4.8, tzdata 2019b

Add-ons

Updated Packages

  • bird 2.0.4
  • clamav 0.101.3
  • iperf 2.0.13
  • iperf3 3.7
  • mc 4.8.23
  • pcengines-firmware 4.9.0.7

Hello,

after a little break with many things to fight, we are back with a brand new Core Update packed with various bug fixes and a lot of code cleanup.


This is the official release announcement for IPFire 2.23 - Core Update 134. This update ships security fixes in the Linux kernel for the "SACK Panic" attack as well as some other smaller fixes.

SACK Panic (CVE-2019-11477 & CVE-2019-11478)

The Linux kernel was vulnerable to two DoS attacks against its TCP stack. The first (CVE-2019-11477) allowed a remote attacker to panic the kernel with a crafted sequence of SACK segments. The second (CVE-2019-11478) lets an attacker fragment the TCP retransmission queue with crafted SACKs so that the kernel wastes CPU time walking it, slowing the system down.

The IPFire kernel is now based on Linux 4.14.129, which fixes these vulnerabilities along with various other bugs.

The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.

Misc.

  • Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
  • The French translation has been updated by Stéphane Pautrel and translates various strings as well as improving some others
  • We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection, since CBC is now considered substantially weaker than GCM.
  • Email addresses entered in the web UI can now contain underscores.
  • The Captive Portal now comes up properly after IPFire is being rebooted.

It is time for the next Core Update, number 133! Another bug-fix release with many changes under the hood. As always, we recommend installing this update as soon as possible to benefit from the fixes. To help us keep those coming and to support our developers, please donate now!

Toolchain Updates

This update brings many updates on the core libraries of the system. Various changes to our build system are also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29 which bring various bugfixes, performance improvements and some new features.

Although these might not be the most exciting changes, we recommend upgrading as soon as possible, since this is essential hardening of backbone components of the user space.

Disabling SMT - Intel's Security Issues

Disabling SMT has also been fine-tuned. It is now also disabled on systems that are vulnerable to "Foreshadow" (L1TF). Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow too, so this won't affect many systems, but it is more correct to do so.
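The kernel reports both its view of each vulnerability and the SMT state through sysfs, which is what you would check after this update to confirm that SMT really is off where it should be. The following is an added example, not IPFire's boot logic: it reads the per-vulnerability status files and the SMT control knob under a given root directory and flags a system where MDS or L1TF is reported as present without SMT being disabled. The root is a parameter so the check can run against the constructed tree that build_fake_root() creates; the status lines used there are constructed in the kernel's format.

```python
"""Decide whether SMT should be off on this CPU and check what the kernel reports.

Added example, not IPFire's boot logic. It reads the kernel's per-vulnerability
status files and the SMT control knob from a sysfs tree; the tree used in the
test is constructed. Policy assumed here: if the CPU is affected by MDS or
L1TF (Foreshadow) and the kernel does not report SMT as disabled, flag it.
"""
import os
import tempfile

VULN_DIR = "sys/devices/system/cpu/vulnerabilities"
SMT_CONTROL = "sys/devices/system/cpu/smt/control"
SMT_RELEVANT = ("mds", "l1tf")  # Foreshadow is reported by the kernel as 'l1tf'
SMT_OFF_STATES = ("off", "forceoff", "notsupported", "notimplemented")


def _read(root, rel):
    try:
        with open(os.path.join(root, rel)) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None


def vulnerability_status(root="/"):
    """Return {name: status_line} for every file in the vulnerabilities directory."""
    d = os.path.join(root, VULN_DIR)
    if not os.path.isdir(d):
        return {}
    return {n: _read(root, os.path.join(VULN_DIR, n)) for n in sorted(os.listdir(d))}


def smt_should_be_disabled(status):
    """True when an SMT-relevant issue is present and not already covered by SMT off."""
    for name in SMT_RELEVANT:
        line = status.get(name) or ""
        # 'Vulnerable...' means no mitigation; 'Mitigation: ...; SMT vulnerable'
        # means the software mitigation is active but siblings still leak.
        if line.startswith("Vulnerable") or "SMT vulnerable" in line:
            return True
    return False


def audit_smt(root="/"):
    status = vulnerability_status(root)
    control = _read(root, SMT_CONTROL)
    needed = smt_should_be_disabled(status)
    return {
        "smt_control": control,
        "needs_smt_off": needed,
        "ok": (not needed) or control in SMT_OFF_STATES,
    }


def build_fake_root(vulns, smt_control):
    """Create a constructed sysfs tree for testing and return its path."""
    root = tempfile.mkdtemp(prefix="smt-")
    os.makedirs(os.path.join(root, VULN_DIR), exist_ok=True)
    for name, line in vulns.items():
        with open(os.path.join(root, VULN_DIR, name), "w") as f:
            f.write(line + "\n")
    os.makedirs(os.path.dirname(os.path.join(root, SMT_CONTROL)), exist_ok=True)
    with open(os.path.join(root, SMT_CONTROL), "w") as f:
        f.write(smt_control + "\n")
    return root


if __name__ == "__main__":
    print(audit_smt())
```

A line such as "Mitigation: Clear CPU buffers; SMT vulnerable" is the case this update targets: the microcode mitigation is in place, but the kernel itself is saying that a sibling hyperthread can still leak, so the audit only passes once the SMT control file reads off or forceoff.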

Increasing throughput of the new Intrusion Prevention System

As announced before, we have been working on increasing the throughput of the IPS. This now ships with this update and integrates a library from Intel called hyperscan, which is optimised to perform pattern matching very fast on huge data sets.

This library is shipped in multiple versions at the same time, each compiled with support for a different set of CPU instruction extensions that are used when the hardware supports them, for example AVX2, AVX and of course the whole SSE series.

By using these optimised instructions, the processor can handle more data with a single instruction, which is a lot faster. We will release benchmarks soon, but first tests have shown that larger systems benefit hugely from this, and even some smaller embedded processors gain slightly.

This feature is configured automatically and is always enabled when supported.

Another change to the IPS comes from Tim Fitzgeorge, who found that the IPS occasionally dropped packets it was not meant to drop, without logging them. The rule generation has been patched accordingly so that this won't happen any more, and rules will be updated automatically when installing this Core Update.

Misc.

  • A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, and it is still possible to edit the entry afterwards.
  • An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This update fixes that and updates all connections with the correct settings.
  • ddns: Some new providers have been added
  • Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl 1.1.1c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8

Add-ons

New Packages

  • tshark, a CLI version of Wireshark, which is like tcpdump but has better support for decoding captured packets.

Updated Packages

  • hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs
  • tor: some bugs that didn't allow the service to start after the last update have been fixed
  • wio: A problem which caused the IPFire system to unexpectedly shut down has been solved
  • miau, an IRC bouncer unmaintained since 2010, has been dropped

Hello,

it is time for the next Core Update. Number 133!

To help us keep those coming and to support our developers, please donate now!

Toolchain Updates

This update brings many updates on the core libraries of the system. Various changes to our build system are also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29 which bring various bugfixes, performance improvements and some new features.

Although these might not be the most exciting changes, we recommend upgrading as soon as possible since this is essential hardening for backbone components of the user-space.

Disabling SMT - Intel's Security Issues

Disabling SMT has also been fine-tuned. It is now also being disabled on systems that are vulnerable to "Foreshadow". Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow, too, so this won't affect many systems, but it is more correct to do so.

Increasing throughput of the new Intrusion Prevention System

As announced before, we were working on increasing the throughput of the IPS. This is being shipped now with this update and integrates a library from Intel which is optimised to perform pattern matching very fast on huge data sets. Its name is hyperscan.

This library is shipped in several builds at the same time, each compiled with support for a different set of CPU instructions (for example AVX2, AVX and of course the whole SSE series), and the build matching what the hardware supports is the one that gets used.

By using those optimised SIMD instructions, the processor handles more data per executed instruction, which is a lot faster. We are soon going to release benchmarks, but first tests have shown that larger systems benefit hugely from this and even some smaller embedded processors gain slightly.

This feature is automatically configured and will always be enabled when supported.

Another change to the IPS comes from Tim Fitzgeorge, who found that the IPS was occasionally dropping some packets, without logging, which it was not meant to drop. The rule generation was patched accordingly so that this won't happen any more, and rules will automatically be updated when installing this Core Update.

Misc.

  • A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, but it is possible to edit the entry.
  • An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This update fixes that and updates all connections with the correct settings.
  • ddns: Some new providers have been added
  • Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl 1.1.1c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8

Add-ons

New Packages

  • tshark: A CLI version of Wireshark which is like tcpdump, but has better support for decoding captured packets.

Updated Packages

  • hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs
  • tor: some bugs that didn't allow the service to start after the last update have been fixed
  • wio: A problem which caused the IPFire system to unexpectedly shut down has been solved
  • miau, an IRC bouncer, which was unmaintained since 2010 has been dropped

The next version of IPFire is ready: IPFire 2.23 - Core Update 132. This update contains various security fixes and improvements to secure systems that are vulnerable to recently-published problems in Intel processors.

Intel Vulnerabilities: RIDL, Fallout & ZombieLoad

Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an updated microcode (version 20190514). Both are shipped in this release.

Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors which has significant performance impacts.

Please note that Intel unfortunately is no longer releasing microcode for all processors, so you might still be vulnerable.

To apply the fixes, please reboot your system.

There is a new GUI which shows you which attacks your hardware is vulnerable to and whether mitigations are in place.
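The same status the new GUI presents can be read straight from the kernel after the reboot. This is an added example, not IPFire's own code: it summarises the per-vulnerability files under sysfs and the SMT control knob, and takes an optional sysfs root so it can be exercised against a constructed fake tree.

```shell
#!/bin/sh
# Added example, not IPFire's own code: summarise the kernel's CPU
# vulnerability status files (the data the new GUI displays) and the SMT
# control knob, so an admin can confirm after the reboot that the new
# kernel and microcode actually took effect.
# $1 is the sysfs root (default /sys); tests may point it at a fake tree.

cpu_vuln_report() {
    root="${1:-/sys}"
    vdir="$root/devices/system/cpu/vulnerabilities"
    smtfile="$root/devices/system/cpu/smt/control"
    problems=0

    if [ ! -d "$vdir" ]; then
        echo "no $vdir: this kernel does not report vulnerability status" >&2
        return 2
    fi

    for f in "$vdir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*)    verdict=ok ;;
            # mitigated, but a sibling hyperthread could still leak: this is
            # the case the update handles by switching SMT off
            *"SMT vulnerable"*) verdict=SMT_VULNERABLE; problems=$((problems + 1)) ;;
            Mitigation*)        verdict=ok ;;
            # "Vulnerable: ... no microcode" is what CPUs without a
            # microcode update from Intel report
            *)                  verdict=ACTION_NEEDED; problems=$((problems + 1)) ;;
        esac
        printf '%-22s %-16s %s\n' "$name" "$verdict" "$status"
    done

    if [ -f "$smtfile" ]; then
        smt=$(cat "$smtfile")
        case "$smt" in
            off|forceoff|notsupported|notimplemented) verdict=ok ;;
            *) verdict=SMT_ON ;;   # informational; the mds line above decides
        esac
        printf '%-22s %-16s %s\n' "smt/control" "$verdict" "$smt"
    fi

    # exit status 0 only when nothing needs attention
    [ "$problems" -eq 0 ]
}

cpu_vuln_report "$@" || echo "some CPU vulnerabilities need attention" >&2
```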

VLAN Configuration

Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.

The GUI also allows setting up a zone in bridge mode, which is helpful for advanced users who need some custom configuration.

Misc.

This update also contains a number of various bug fixes:

  • The new IPS now starts on systems with more than 16 CPU cores
  • For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
  • OpenVPN has received some changes to the UI and improvements of its security.
  • Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
  • Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
  • The same type of stored cross-site scripting attack was resolved in the static routing UI
  • Log entries for Suricata now properly show up in the system log section
  • Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1

Add-ons

Wireless AP

The wireless AP add-on has received some new features:

  • For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
  • DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
  • Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker from deauthenticating stations from the wireless LAN or mounting other denial-of-service attacks.

Updates

  • igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
  • Qemu is now being hardened with libseccomp which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default

Finally, we are releasing another big release of IPFire. In IPFire 2.23 - Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.

Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate today!

A New Intrusion Prevention System

We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance and security, and it is, simply put, more modern. We would like to thank the Suricata team, on whose work it is based, for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need.

Migration from the older Intrusion Detection System

Your settings will automatically be converted if you are using the existing IDS and replicated with the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only, so that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required for the IDS to work, but it still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates

This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.

Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.

Misc.

  • SSH Agent Forwarding: This can now be enabled on the IPFire SSH service which allows administrators to connect to the firewall and use SSH Agent authentication when using the IPFire as a bastion host and connecting onwards to an internal server.
  • When multiple hosts are created to overwrite the local DNS zone, a PTR record was automatically created too. Sometimes hosts might have multiple names which makes it desirable to not create a PTR record for an alias which can now be done with an additional checkbox.
  • A bug in the firewall UI has been fixed which caused the rule configuration page not to render when the GeoIP database had not been downloaded yet. This was an issue when a system was configured but had never connected to the internet before.
  • On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk, which led unbound to crash under certain circumstances.
  • Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default;
  • We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.

Add-ons

  • Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
  • tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows creating rules for traffic that originates from the local tor relay. The service is also running as its own user now.
  • Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.

New Packages

  • flashrom - A tool to update firmware

Just a couple of days after the release of IPFire 2.21 - Core Update 130, the next release is available. This is an emergency update with various bug fixes and a large number of security fixes.

Security

IPFire 2.21 - Core Update 130 contains security updates for the following packages:

  • Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable for various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded to be of "low" severity.
  • wget 1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).
  • clamav 0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.

Although some of these vulnerabilities are only of low severity, we recommend installing this update as soon as possible!

IPsec Regression

The last update introduced a regression in the IPsec stack that caused the firewall to no longer be able to access any hosts on the remote side when the tunnel was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.


IPFire 2.21 - Core Update 129 released

by Michael Tremer, April 8, 2019, Updated April 8, 2019

This is the official release announcement for IPFire 2.21 - Core Update 129 - an update that introduces routed IPsec VPNs and comes with various other changes that update the core system and fix several bugs.

IPsec Reloaded

IPsec has been massively extended. Although IPsec in IPFire is already quite versatile and delivers high performance, some features for experts were required and are now available through the web UI:

  • Routed VPNs with GRE & VTI
  • Transport Mode for net-to-net tunnels
  • IPsec connections can now originate from any public IP address of the IPFire installation. This can be selected on a per-connection basis.

The code has also been cleaned up and the UI has been made a little tidier to accommodate the new settings.

Smaller changes include:

  • The "On-Demand" mode is finally the default setting. Tunnels will shut down when they are not used and they will be established again when they are required.

Misc.

  • DHCP: A crash has been fixed when filenames containing a slash have been entered for PXE boot.
  • DHCP: Editing static leases has been fixed
  • Domains in the "DNS Forwarding" section can now be disabled for DNSSEC validation. This is a dangerous change, but has been requested by many users.
  • Updated packages: bind 9.11.6, groff 1.22.4, ipset 7.1, iptables 1.8.2, less 530, libgcrypt 1.8.4, openssl 1.1.1b, openvpn 2.4.7, squid 4.6, tar 1.32, unbound 1.9.0, wpa_supplicant 2.7
  • New commands: kdig 2.8.0
  • The build system has been optimised to reduce build time of the whole distribution to around 4-5 hours on a fast machine.

Add-Ons

  • Alexander Koch has contributed zabbix_agentd which is the agent that is installed on the monitored machine. With this, IPFire can now be integrated into an environment that is monitored by Zabbix.
  • On that note, the SNMP daemon has also been updated to version 5.8 for people who use the SNMP protocol for monitoring.
  • tor has been updated to 0.3.5.8 and some minor bugs have been fixed in the web user interface
  • The spectre-meltdown-checker script is available as an add-on which allows IPFire users to test their hardware for vulnerabilities
  • Other updates: amavisd 2.11.1, hostapd 2.7, postfix 3.4.3

Thank you very much to everyone who contributed to this Core Update. Please support our project and donate today so that we can keep up our work!


The first update of the year and it is packed with loads of new features, many many performance improvements as well as some security fixes. This is quite a long change log, but please read through it. It is worth it!

To support our project and keep us bringing these updates for you, please donate!

Squid 4.5 - Making the web proxy faster and more secure

We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.

We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.

One of the major changes is that we have removed a control that allowed configuring the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically set to the number of processors. That way, we only use as many processes as the system has memory for, while still being able to use the maximum CPU power by saturating all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They are now also launched at the start of the web proxy, so that there is no longer a wait for the first request to be handled or when the proxy is under higher load.

We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time faster by being more efficient.

We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.

We have also removed authentication against Microsoft Windows NT 4.0 domains. The authentication protocols used back then have been unsafe for years and nobody should be using them any more. Please consider this when updating to this release.

We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software on the same system was allowed for one second to send requests to the web proxy as if it were properly authenticated. This could have been exploited by malware, or by other software running inside a virtual machine or similar, to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.
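The one-second IP cache described above, as an added toy model (not squid's code or IPFire's configuration; the user name, password, client address and the `ttl` default are constructed): the weak authoriser keys its memory on the client IP, the fixed one checks the credentials carried by every request.

```python
"""Added example, not squid's or IPFire's code: a toy model of the proxy
authorisation bug above.  IpTtlAuthorizer remembers "this IP authenticated"
for `ttl` seconds, so any other process on the same host rides on the
browser's credentials for up to that long; PerRequestAuthorizer requires
valid credentials on every request, which is what the fix enforces."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed credential store; in squid this is the AD authentication helper.
VALID_USERS = {"alice": "correct horse"}


@dataclass
class Request:
    client_ip: str
    user: str | None = None
    password: str | None = None


def check_credentials(req: Request) -> bool:
    """Look the presented credentials up in the constructed store."""
    return req.user is not None and VALID_USERS.get(req.user) == req.password


@dataclass
class IpTtlAuthorizer:
    """Weak: caches a successful authentication per client IP for `ttl` seconds."""
    ttl: float = 1.0
    _seen: dict[str, float] = field(default_factory=dict)

    def authorize(self, req: Request, now: float) -> bool:
        last = self._seen.get(req.client_ip)
        if last is not None and now - last < self.ttl:
            return True  # cache hit: the request's credentials are never examined
        if check_credentials(req):
            self._seen[req.client_ip] = now
            return True
        return False


class PerRequestAuthorizer:
    """Fixed: every request must carry valid credentials, regardless of source IP."""

    def authorize(self, req: Request, now: float) -> bool:
        return check_credentials(req)


def piggyback_succeeds(auth, gap: float) -> bool:
    """A browser authenticates at t=0; an unauthenticated process on the same
    host sends a request `gap` seconds later.  Returns whether it gets through."""
    browser = Request("10.0.0.5", "alice", "correct horse")
    other = Request("10.0.0.5")  # same host, no credentials at all
    assert auth.authorize(browser, now=0.0)
    return auth.authorize(other, now=gap)
```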

New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.

Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.

DNS Forwarding

The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses, and forwards requests to all servers found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that several servers can be queried for one single domain. Before, only one IP address was supported, which rendered the domain unresolvable in case that specific server became unreachable.

These changes allow redirecting requests, for example to DNS blacklists, directly to the right name servers without worrying about any changes of IP addresses at the provider. There is also load-balancing between multiple servers, and the fastest server is preferred, so that DNS resolution for all domains is faster and more resilient, too.

Misc.

  • Kernel modules that initialise the framebuffer are no longer being loaded. Loading them caused some crashes on various hardware with processors from VIA and was a regression introduced by compressing kernel modules in the last Core Update.
  • Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
  • We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
  • fireinfo now supports authentication against any upstream web proxies
  • Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
  • Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
  • The description on which SSH port IPFire is listening has been fixed.
  • Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
  • GeoIP: Scripts have been updated to use a new format of the GeoIP database
  • Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1

Add-ons

  • Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
  • The haproxy package now correctly handles its backup

IPFire 2.21 - Core Update 126 released

by Michael Tremer, December 28, 2018, Updated December 28, 2018

Finally, the next release of IPFire is available: IPFire 2.21 - Core Update 126. This update comes with a new kernel and security enhancements. This change log is rather short, but the changes are very important.

Thank you very much to all of you who have supported our Donations Challenge so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!

Linux 4.14.86

The kernel has been updated to the latest version of the Linux 4.14.x branch which brings various improvements around stability, enhances performance and fixes some security vulnerabilities. This kernel also has major updates for the Spectre and Meltdown vulnerabilities that remove previously existent performance penalties in some use-cases.

The kernel's modules are now compressed with the XZ algorithm which will save some space on disk as the kernel is one of the largest components of IPFire.

Misc.

  • openssl has been updated to 1.1.0j and 1.0.2q which fixes some minor security issues and has various bug fixes
  • The bind package now ships shared libraries, which it did not before. Commands like dig and host use those shared libraries and are no longer statically linked. This makes the files a lot smaller.
  • Stéphane Pautrel has substantially improved the French translation of IPFire. Thank you very much for that!

Add-ons

  • Updated packages: bird 2.0.2, nano 3.2
  • New packages: shairport-sync

Thanks to the people who contributed to this Core Update. Please support us and donate!


Finally, the next release of IPFire is available: IPFire 2.21 - Core Update 125. This update comes with various security and bug fixes as well as cleanups and some new features.

Thank you very much to all of you who have supported our Donations Challenge so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!

802.11ac WiFi

The IPFire Access Point add-on now supports 802.11ac WiFi if the chipset supports it. This allows better coverage and higher network throughputs. Although IPFire might not be the first choice as a wireless access point in larger environments, it is perfect to run a single office or apartment.

Additionally, a new switch allows disabling the so-called neighbourhood scan, where the access point searches for other wireless networks in the area. If those are found, 40 MHz channel bandwidth is disabled, leading to slower throughput.

Misc.

  • strongswan 5.7.1: This update fixes various security vulnerabilities filed under CVE-2018-16151, CVE-2018-16152 and CVE-2018-17540. Several flaws in the implementation that parsed and verified RSA signatures in the gmp plugin may allow for Bleichenbacher-style low-exponent signature forgery in certificates and during IKE authentication.
  • The IO graphs now support NVMe disks
  • The SFTP subsystem is enabled again in the OpenSSH Server
  • Swap behaviour has been changed so that the kernel will make space for a large process when not enough physical memory is available. Before, sudden jumps in memory consumption were not possible and the process requesting that memory was terminated.
  • The backup scripts have been rewritten in Shell and now package all add-ons backups with the main backup. Now, it is no longer required to save any add-on configuration separately.
  • Updated packages: apache 2.4.35, bind 9.11.4-P2, coreutils 8.30, dhcpcd 7.0.8, e2fsprogs 1.44.4, eudev 3.2.6, glibc 2.28, gnutls 3.5.19, json-c 0.13.1, keyutils 1.5.11, kmod 25, LVM2 2.02.181, ntfs-3g 2017.3.23, reiserfsprogs 3.6.27, sqlite 3.25.2.0, squid 3.5.28, tzdata 2018g, xfsprogs 4.18.0

New Add-Ons

  • dehydrated - A lightweight client to retrieve certificates from Let's Encrypt written in bash
  • frr, an IP routing protocol suite; BGP and OSPF are supported on IPFire. Find out more on their website.
  • observium-agent - An xinet.d-based agent for Observium, a network monitoring platform

Updated Add-Ons

  • clamav has been updated to 0.100.2 and the virus database files have been moved to the /var partition. This makes more space available on the root partition.
  • nfs 2.3.3, haproxy 1.8.14, hostapd 2.6, libvirt 4.6.0, tor 0.3.4.9

Thanks to the people who contributed to this Core Update.

Please help us to support everyone’s work with your donation!