Hello Press,
today, I would like to announce that we are ready to launch IPFire Location - a database to determine people’s location on the Internet.
This database has been under development for a long time and will be the core of IPFire's location blocking feature, which was formerly called “GeoIP filter”.
Please see the full announcement here:
https://blog.ipfire.org/post/a-new-location-database-for-the-internet
It is going to replace Maxmind’s database not only in IPFire, but in many other software projects too, since we all have been sharing frustration and legal problems using Maxmind’s database after a license change earlier this year. You can find more details on this here:
https://blog.ipfire.org/post/on-retiring-the-maxmind-geoip-database
Our database is free, easy to integrate into other software projects and adds some new features like determining the Autonomous System as well. This will make it a great building block for any piece of software that needs location information like threat-detection, online shops, load-balancers, etc.
The project’s home is https://location.ipfire.org/ where you can find a live demo, too.
It would be great if you could help us make people aware of this new project inside the IPFire Project so that we gain more users and can all - as a community - make this database even better.
Best,
-Michael
https://blog.ipfire.org/post/ipfire-2-25-core-update-144-released
This is the official release announcement for IPFire 2.25 - Core Update 144. This contains a number of security fixes in OpenSSL, the squid web proxy, the DHCP client and more. We recommend installing it as soon as possible and rebooting.
OpenSSL 1.1.1g
The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.
Applications on the client or server side that call SSL_check_chain() during a TLSv1.3 handshake may crash due to incorrect handling of the "signature_algorithms_cert" TLS extension.
CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.
The DHCP Client (#12354)
Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.
After the daemon crashed, the firewall would lose Internet connectivity until it is manually restarted.
Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.
The Squid Web Proxy
The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.
These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.
Misc.
* Updated packages: apache 2.4.43, bind 9.11.18, dhcpcd 9.0.2, squid 4.11
* The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs
https://blog.ipfire.org/post/ipfire-2-25-core-update-141-release
ATTENTION! You are receiving this email because you are subscribed to our announcement mailing list. This list is going to be shut down soon. To keep receiving important announcements like this one, please sign up at https://people.ipfire.org/register, if you did not already do so.
The first exciting big update of the year is ready: IPFire 2.25 - Core Update 141! It comes with a totally reworked DNS system which adds many new features like DNS-over-TLS.
On top of that, this update fixes many bugs.
DNS Updates
The biggest set of changes in this release is around DNS. We have cleaned up many scripts and the UI which allowed us to add new functionality:
• A unified page with all DNS settings
• More than two DNS servers can be added for better load-balancing and resiliency. The fastest servers will be used automatically.
• Enhanced privacy with DNS-over-TLS and strict QNAME minimisation
• Safe Search, to filter adult content from the entire network without using the web proxy
• Better workarounds for users with ISPs that filter DNS responses/break DNSSEC. TLS and TCP can be used as transport instead.
• Faster boot because of fewer checks being executed at boot time
In order to combat MTU issues, we are following guidelines and have set the EDNS buffer size to 1232 bytes. This avoids large DNS replies being fragmented even on Internet lines with smaller MTUs.
All DNS settings will automatically be converted. This is also compatible when older backups are being restored.
Updates Under The Hood
IPFire is a modern distribution as we change and update many essential system components regularly. That allows us to keep you safe, support new features and of course be fast by taking advantage of modern hardware.
In this update, we have rebased the system on GCC 9 and added support for Go and Rust. We have included Python 3 in the base system and deprecated Python 2, which is out of support by now. Not everything has been converted to use Python 3 yet, but we will hopefully soon be able to drop support for Python 2 altogether.
Unfortunately the system is growing larger and larger with every update. Software in general is quite bloated, although we are trying our best to keep IPFire as small as possible. On systems that have a 2GB root partition and many add-ons installed, disk space might be running out. This update clears a lot of files that are no longer needed. We have also improved stripping debugging symbols from our binary files, which are not needed on a production system, in order to keep those files smaller.
• elinks, the text-based browser, is no longer an add-on but is shipped with the core system.
• LVM devices are now supported in IPFire.
• Updated packages: efivar 35, gcc 9.2.0, file 5.38, knot 2.9.2, libhtp 0.5.32, mdadm 4.1, mpc 1.1.0, mpfr 4.0.2, rust 1.39, suricata 4.1.6, unbound 1.9.6
• New packages: rfkill
Misc.
• The Intrusion Prevention System now filters packets from and to OpenVPN clients, too
• Pakfire initially used HTTP for downloading the first mirror list. It would have been redirected to HTTPS by the server, but this has now been changed so that the first connection attempt uses HTTPS.
• As announced in a separate blog post, we are shipping the latest version of Maxmind's GeoIP database
• IPsec: To enhance compatibility with many clients, newly generated root certificates will include a valid Subject Alternative Name which can also be freely configured
Add-ons
• Updated: dehydrated 0.6.5, libseccomp 2.4.2, nano 4.7, openvmtools 11.0.0, tor 0.4.2.5, tshark 3.0.7
• New: amazon-ssm-agent for better integration into the Amazon cloud
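The EDNS buffer size mentioned above is a wire-level setting. As an added example (not IPFire's or unbound's code), this Python script builds a query advertising a 1232-byte UDP buffer, reads the advertised size back out of a message, and checks the TC bit that tells a resolver to retry over TCP instead of depending on fragmented UDP replies. The query name and the sample truncated reply are constructed.

```python
"""Constructed example: EDNS0 OPT record with a 1232-byte UDP buffer size and
the TC-bit check a resolver uses to fall back to TCP."""
import struct
from typing import Optional

EDNS_BUFFER_SIZE = 1232   # value from the Core Update 141 announcement
OPT_TYPE = 41             # RR type of the EDNS0 OPT pseudo-record (RFC 6891)
FLAG_TC = 0x0200          # TrunCation bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels; each label must be 1..63 bytes."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int,
                udp_size: int = EDNS_BUFFER_SIZE) -> bytes:
    """Standard query with RD set, one question and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN class
    # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO bit set), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0x00008000, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> Optional[int]:
    """Walk every RR after the question; return the OPT RR's CLASS field
    (its UDP payload size) or None when the message carries no OPT RR."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def is_truncated(msg: bytes) -> bool:
    """True when the server set TC, i.e. the answer did not fit the UDP
    buffer and the client should repeat the query over TCP."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & FLAG_TC)
```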
Hello editors,
this is a pre-announcement email to all editors out there who write about IPFire. We would like to let you know that we are planning to release the next IPFire release, IPFire 2.25 Core Update 141, next Monday, February 24th, between 10:00 and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news article about this new release of IPFire to help us make IPFire better-known and of course to make our existing users aware of this exciting new update being ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-25-core-update-141-is-available-for-t…
In this release we redesigned DNS. We removed loads of older code and setup options and they are now all combined on one new page. We then added features to improve privacy like DNS-over-TLS and QNAME minimisation:
https://blog.ipfire.org/post/restoring-dns-privacy
Safe Search can now be enabled to filter any adult content from search results on YouTube and many search engines:
https://blog.ipfire.org/post/how-does-safe-search-work
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael
https://blog.ipfire.org/post/ipfire-2-23-core-update-139-released
ATTENTION! You are receiving this email because you are subscribed to our announcement mailing list. This list is going to be shut down soon. To keep receiving important announcements like this one, please sign up at https://people.ipfire.org/register, if you did not already do so.
It is time for the first release of the year, IPFire 2.23 - Core Update 139. It is packed with improvements, software updates, and many many bug fixes.
Improved Booting & Reconnecting
Dialup scripts have been cleaned up to avoid any unnecessary delays after the system has been handed a DHCP lease from the Internet Service Provider. This allows the system to reconnect quicker after loss of the Internet connection and booting up and connecting to the Internet is quicker, too.
Improvements to the Intrusion Prevention System
Various smaller bug fixes have been applied in this Core Update which makes our IPS a little bit better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers are being used by the system.
TLS
IPFire is configured as securely as possible. At the same time we focus on performance, too. For connections to the web user interface, we do not allow using CBC any more. This cipher mode is beginning to crack and the more robust GCM is available.
Whenever an SSL/TLS connection is being established to the firewall, we used to prefer ChaCha20/Poly1305 as a cipher. Since AESNI is becoming more and more popular even on smaller hardware, it makes sense to prefer AES. A vast majority of client systems support this as well, which will allow them to communicate faster with IPFire systems and save battery power.
Misc.
• The microcode for Intel processors has been updated again to mitigate vulnerabilities from the last Core Update [1]
• PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version 4.10.0.3
• Captive Portal: Expired clients are now automatically removed
• Dynamic DNS: Support for NoIP.com has been fixed in ddns 12
• Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5
Add-Ons
• clamav has been updated to 0.102.1, which includes various security fixes
• libvirt has been updated to version 5.6.0 for various bug fixes or feature enhancements and support for LVM has been enabled.
• qemu has been updated to 4.1.0
• Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42
[1] https://blog.ipfire.org/post/ipfire-2-23-core-update-138-released
https://blog.ipfire.org/post/ipfire-2-23-core-update-137-released
We are happy to announce the release of IPFire 2.23 - Core Update 137. It comes with an updated kernel, a reworked Quality of Service and various bug and security fixes.
Development around the Quality of Service and tackling some of the bugs required an exceptional amount of team effort in a very short time, and I am very happy that we are now able to deliver the result to you to improve your networks. Please help us to keep these things coming to you with your donation [1]!
An improved and faster QoS
As explained in detail in a separate blog post from the engine room [2], we have been working hard on improving our Quality of Service (QoS).
It allows smaller systems to pass a lot more traffic and reduces packet latency on faster ones, creating a more responsive and faster network.
To take full advantage of these changes, we recommend rebooting the system after installing the update.
Linux 4.14.150
The IPFire Kernel has been rebased on Linux 4.14.150 and equipped with our usual hardening and other patches.
The kernel has been tuned to deliver more throughput for IP connections as well as reducing latency to a minimum to keep your network as responsive and fast as possible.
An especially nasty bug that caused the system to drop DNS packets when the Intrusion Detection System was enabled has been tracked down by a large group of IPFire developers and additional help of the suricata team.
Misc.
• Downloaded GeoIP databases were not always cleaned up from /tmp when a download was unsuccessful. This could cause the script to fill up the root partition. You can reboot your system to free up space if this has happened to you, too. The script has now been cleaned up and catches any errors to clean up afterwards.
• IPsec now supports Curve 448 with 224 bit of security. It is a lightweight and slightly faster alternative to Curve25519 and enabled by default for new connections.
• Tim Fitzgeorge contributed a patch that restarts the syslog daemon after a backup is restored, to close old log files and write to the restored ones
• /var/log/mail is now being rotated
• Updated packages: bind 9.11.12, iptables 1.8.3, iproute2 5.3.0, knot 2.8.4, libhtp 0.5.30, libnetfilter_queue 1.0.4, libpcap 1.9.1, libssh 0.9.0, Net-SSLeay 1.88, pcre 8.43, strongswan 5.8.1, suricata 4.1.5, tzdata 2019c, unbound 1.9.4, wpa_supplicant 2.9
Add-ons
New: speedtest-cli
This is a handy tool to perform a regular speedtest on the console. It was packaged to test the QoS but is handy to test throughput of the firewall to and from the Internet on the console.
Updated Packages
• bird 2.0.6 now supports RPKI validation by connecting to a process that holds the key material either via TCP or using SSH
• sane has been updated to version 1.0.28 and now supports more hardware
• A French translation is now available for the Who is Online? add-on
• Others: clamav 0.102.0, hostapd 2.9, ipset 7.3, mtr 0.93, nano 4.5, ncat 7.80, nmap 7.80, shairport-sync 3.3.2, tcpdump 4.9.3, tor 0.4.1.6, tshark 3.0.5
[1] https://www.ipfire.org/donate
[2] https://blog.ipfire.org/post/on-quadrupling-throughput-of-our-quality-of-se…
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know that we are planning to release the next
IPFire release, IPFire 2.23 Core Update 137, this Friday, November 15th, between
10:00 and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-23-core-update-137-is-available-for-t…
This release comes with a redesigned QoS which boosts performance on smaller
hardware:
https://blog.ipfire.org/post/on-quadrupling-throughput-of-our-quality-of-se…
This release also ships many updates under the hood. Most importantly, a new
release of the IPFire kernel based on Linux 4.14.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael