https://blog.ipfire.org/post/ipfire-2-21-core-update-129-released
This is the official release announcement for IPFire 2.21 - Core Update 129 - an update that introduces routed IPsec VPNs and comes with various other changes that update the core system and fix several bugs.
IPsec Reloaded
IPsec has been massively extended. Although IPsec in IPFire is already quite versatile and delivered high performance [1], some features for experts were required and are now available through the web UI:
• Routed VPNs with GRE & VTI [2]
• Transport Mode for net-to-net tunnels
• IPsec connections can now originate from any public IP address of the IPFire installation. This can be selected on a per-connection basis.
The code has also been cleaned up and the UI has been made a little bit tidier to accommodate the new settings.
Smaller changes include:
• The "On-Demand" mode is finally the default setting. Tunnels will shut down when they are not used and they will be established again when they are required.
Misc.
• DHCP: A crash has been fixed when filenames containing a slash have been entered for PXE boot.
• DHCP: Editing static leases has been fixed
• Domains in the "DNS Forwarding" section can now be disabled for DNSSEC validation. This is a dangerous change, but has been requested by many users.
• Updated packages: bind 9.11.6, groff 1.22.4, ipset 7.1, iptables 1.8.2, less 530, libgcrypt 1.8.4, openssl 1.1.1b, openvpn 2.4.7, squid 4.6, tar 1.32, unbound 1.9.0, wpa_supplicant 2.7
• New commands: kdig 2.8.0
• The build system has been optimised to reduce build time of the whole distribution to around 4-5 hours on a fast machine.
Add-Ons
• Alexander Koch has contributed zabbix_agentd which is the agent that is installed on the monitored machine. With this [3], IPFire can now be integrated into an environment that is monitored by Zabbix.
• On that note, the SNMP daemon has also been updated to version 5.8 for people who use the SNMP protocol for monitoring.
• tor has been updated to 0.3.5.8 and some minor bugs have been fixed in the web user interface
• The spectre-meltdown-checker script is available as an add-on which allows IPFire users to test their hardware for vulnerabilities
• Other updates: amavisd 2.11.1, hostapd 2.7, postfix 3.4.3
Thank you very much to everyone who contributed to this Core Update. Please support our project and donate today [4] so that we can keep up our work!
[1] https://blog.ipfire.org/post/feature-spotlight-galois-counter-mode-ipsec-wi…
[2] https://blog.ipfire.org/post/routed-ipsec-vpns-are-landing-in-ipfire-2-21-c…
[3] https://wiki.ipfire.org/addons/zabbix_agentd
[4] https://www.ipfire.org/donate
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know, that we are planning to release the next
IPFire release, IPFire 2.21 Core Update 129 next Monday, April 8th between 10:00
and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-21-core-update-129-is-ready-for-testi…
This release brings many extensions to the IPsec stack including support for
GRE/VTI tunnels and transport mode as well as many more smaller changes.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael
https://blog.ipfire.org/post/introducing-ipfire-s-new-intrusion-prevention-…
With the next IPFire release, we are going to release huge changes to our Intrusion Detection System. Those bring packet analysis that IPFire does to a new level and we are very excited to tell you more about it in this announcement!
A lesson in history
Snort [1] has been the de-facto Intrusion Detection System (IDS) for years. It started out a long time ago as a Host Intrusion Detection System and over time, features for analysing passing traffic have been added, too. Within its means, it was working perfectly inside of IPFire. During its lifetime, radical redesign never happened. It is only able to run on one processor core at a time and has some other limitations which make it slow and difficult to use.
Suricata [2] is the new kid on the block. Having been around for years now, too, and being started to overcome the shortcomings of Snort, it has a much more modern design and great new features. All in all, it is much better than Snort and therefore the IPFire developers have decided to migrate to it.
Actions instead of listening
One of the biggest changes we are now introducing is that the IDS will no longer just listen to traffic by default. Snort used to analyse a copy of every packet on the network. While it has been scanning it, it was passed on into the network. Any alarms that were raised had to be processed from a log file and potentially created iptables rules that blocked the host where the malicious packet came from. That leaves a tiny chance to an attacker to talk to a host on the network he wants to attack.
Suricata takes the packet, analyses it first, and when it has passed all checks, it is being sent onward. Therefore, it is very easy for Suricata to be an Intrusion Prevention System, too. If the packet has failed the tests, it is just being dropped and an alert is logged - leaving no chance to even send a single packet to the internal network.
Because of that, we have renamed it on the IPFire Web UI and call it "Intrusion Prevention System". After all, that is what we all want: Preventing attacks, not just finding out about them and doing nothing. When we have found an attacker, we want to do something against it.
Alternatively, Suricata can operate in a "monitoring only" mode which is helpful for testing rulesets and which is what will automatically be enabled when you have been a user of Snort before.
Performance & Automatic Rule Updates
Since suricata is holding on to every packet until it is declared safe, this adds some delay to forwarding the packet. In reality this is not noticeable as long as the hardware is powerful enough.
In the last Core Update we have already shipped a couple of performance tuning changes that allow suricata to process more data. To make maximum use of your hardware, it uses all processor cores at the same time and analyses packets concurrently - unlike Snort which could only use one processor core at the same time.
Rules will also now automatically be updated daily or weekly. Having the latest ruleset allows to detect latest attack vectors and malicious traffic efficiently.
The work has been spearheaded by Stefan Schantl, but many days of work of the whole team has gone into this project over the last six months. Although on the surface this looks like small changes, this makes IPFire a much more powerful firewall.
Instead of filtering packets by IP address and port - which is highly important though - the new IPS can now look deep into the packets and detect malicious traffic easily. Spyware, malware, viruses as well as SQL injection attacks on web servers and so on are now stopped. With our performance improvements and on top of the IPFire OS, this runs well in large networks where highest security is required.
To support us doing this, please donate [3].
This is still not ready for prime-time, yet. We have run many tests, but of course any extra feedback that we can get on throughput, ease of use, or finding any bugs that we might have overlooked is helpful.
Help us testing
Suricata is available in the latest nightly builds [4].
To get in touch with the developers, sign up to our development mailing list [5] and report any bugs that you find to our bugtracker [6].
[1] https://www.snort.org/
[2] https://www.suricata-ids.org/
[3] https://www.ipfire.org/donate
[4] https://wiki.ipfire.org/devel/nightly-builds
[5] https://lists.ipfire.org/mailman/listinfo/development
[6] https://bugzilla.ipfire.org/
https://blog.ipfire.org/post/ipfire-2-21-core-update-128-released
This is the official release announcement for IPFire 2.21 - Core Update 128; another maintenance update with a brand new kernel, introducing TLS 1.3 throughout the whole system and of course a whole package of bug fixes and other improvements.
Thanks to everyone who has contributed to this Core Update with either sending in patches, testing, reporting bugs and many many other things. I am quite happy to see the team grow! Thank you very much as well to all of you who have supported our Donations Challenge [1] so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!
Kernel Update
The Linux kernel, the core of the IPFire operating system, has been updated to the latest release of the 4.14 branch. We have added some extra patches to improve hardware support and fix some security vulnerabilities. LEDs of PCengines' APU boards are now supported on newer versions of the mainboard and on those boards, the serial console is always enabled. On x86-based systems, we now support up to 64 processors.
OpenSSL 1.1.1 & TLS 1.3
We have also updated the main TLS/SSL library to OpenSSL in version 1.1.1. This adds support for TLS 1.3 and of course brings various other improvements with it. On browsers that support it, the IPFire web user interface is now available over TLS 1.3 and any outgoing SSL connection from the firewall supports it, too. We ensure that those connections only use secure and performant ciphers to make connections as fast as they can be.
We have also updated the list of trusted Certificate Authorities (CAs).
We have removed any previous versions of OpenSSL from the system which will soon be end-of-life. If you have anything custom that you have compiled yourself on your system, please be aware of that and note that you might need to rebuild your custom software.
Add-ons provided by the IPFire Project now support TLS 1.3 as well. If you are running a custom configuration for postfix or haproxy make sure that TLS 1.3 is not excluded from the supported TLS protocols.
Performance Tuning
The system is now configured to be able to route more packets. During some benchmarks and testing we have discovered that IPFire does not always use the full performance of the hardware underneath it. While most systems probably won't benefit much from these improvements, some systems with very fast processor cores will see a 5-10% increase in bandwidth from and to the firewall as well as routed through it. That comes at the cost of a very slight increase of power consumption, but we figured that that is a price worth paying to not only provide you a secure firewall, but also a fast one.
Misc.
• A change of the firewall policy might potentially be backwards-incompatible, but we saw no other way to improve the security of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. This was carried over from the very beginning of IPFire when the firewall user interface was way more basic and rules to change this behaviour could not be configured at all. Now, it makes a lot more sense to not have this default which was also not well-known and allow users to create rules to either allow or deny traffic like this.
• The kdig utility is now available on command line which supports DNS lookups via TLS
• Updated packages: apache 2.4.38, apr 1.6.5, curl 7.64.0, dhcpcd 7.1.1, ghostscript 9.26, logrotate 3.15, openssh 7.9p1, postfix 3.3.2, strongswan 5.7.2, tzdata 2018i
Add-ons
• powertop has been updated to version 2.10
• tor has been updated to version 0.3.5.7
• sendEmail has been fixed by Rob. The script had a wrong file ownership.
[1] https://blog.ipfire.org/post/donations-challenge
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know, that we are planning to release the next
IPFire release, IPFire 2.21 Core Update 128 next Wednesday, March 14 between 10:00
and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-21-core-update-128-is-ready-for-testi…
In this release, we updated our Linux kernel and have upgraded to OpenSSL 1.1.1
in order to introduce support for TLS 1.3 throughout the whole system. Furthermore
we have tuned the throughput of the system on powerful hardware.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael
I tried to download the new version (Core Update 127) for x86, both the
ISO and the IMG file. Both result in http error message 404 indicating
the file is not found. Looks like the new media hasn't synchronized
across the mirrors yet, or there is a problem with the download URL.
- Jesse
On 2/6/19 8:25 AM, The IPFire Project wrote:
> https://blog.ipfire.org/post/ipfire-2-21-core-update-127-released
>
> The first update of the year and it is packed with loads of new features, many many performance improvements as well as some security fixes. This is quite a long change log, but please read through it. It is worth it!
>
> To support our project and keep us bringing these updates for you, please donate [1]!
>
>
> Squid 4.5 - Making the web proxy faster and more secure
>
> We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.
>
> We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.
>
> One of the major changes is that we have removed a control that allowed to configure the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically configured to the number of processors. Due to that, we only use as many processes as the system has memory for but allow to use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy so that there is no wait any more for the first request being handled or when the proxy is under higher load.
>
> We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time to become faster by being more efficient.
>
> We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.
>
> We have also removed authentication against Microsoft Windows NT 4.0 domains. Those authentication protocols used back then are unsafe for years and nobody should be using those any more. Please consider this when updating to this release.
>
> We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software coming from the same system was allowed for one second to send requests to the web proxy being properly authenticated. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.
>
> New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.
>
> Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.
>
>
> DNS Forwarding
>
> The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses to forward requests to multiple servers that are found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queried for one single domain. Before only one IP address was supported which rendered the domain unresolvable in case of that specific server becoming unreachable.
>
> These changes allow to redirect requests to DNS blacklists for example directly to the right name servers and not worry about any changes of IP addresses at the provider. There is also load-balancing between multiple servers and the fastest server is being preferred so that DNS resolution for all domains is faster and more resilient, too.
>
>
> Misc.
>
> • Kernel modules that initialised framebuffer are no longer being loaded again. This caused some crashes on various hardware with processors from VIA and was a regression introduced by compressing kernel modules with the last Core Update.
> • Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
> • We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
> • fireinfo now supports authentication against any upstream web proxies
> • Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
> • Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
> • The description on which SSH port IPFire is listening has been fixed.
> • Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
> • GeoIP: Scripts have been updated to use a new format of the GeoIP database
> • Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1
>
>
> Add-ons
>
> • Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
> • The haproxy package now correctly handles its backup
>
> [1] https://www.ipfire.org/donate
>
https://blog.ipfire.org/post/ipfire-2-21-core-update-127-released
The first update of the year and it is packed with loads of new features, many many performance improvements as well as some security fixes. This is quite a long change log, but please read through it. It is worth it!
To support our project and keep us bringing these updates for you, please donate [1]!
Squid 4.5 - Making the web proxy faster and more secure
We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.
We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.
One of the major changes is that we have removed a control that allowed to configure the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically configured to the number of processors. Due to that, we only use as many processes as the system has memory for but allow to use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy so that there is no wait any more for the first request being handled or when the proxy is under higher load.
We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time to become faster by being more efficient.
We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.
We have also removed authentication against Microsoft Windows NT 4.0 domains. Those authentication protocols used back then are unsafe for years and nobody should be using those any more. Please consider this when updating to this release.
We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software coming from the same system was allowed for one second to send requests to the web proxy being properly authenticated. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.
New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.
Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.
DNS Forwarding
The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses to forward requests to multiple servers that are found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queried for one single domain. Before only one IP address was supported which rendered the domain unresolvable in case of that specific server becoming unreachable.
These changes allow to redirect requests to DNS blacklists for example directly to the right name servers and not worry about any changes of IP addresses at the provider. There is also load-balancing between multiple servers and the fastest server is being preferred so that DNS resolution for all domains is faster and more resilient, too.
Misc.
• Kernel modules that initialised framebuffer are no longer being loaded again. This caused some crashes on various hardware with processors from VIA and was a regression introduced by compressing kernel modules with the last Core Update.
• Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
• We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
• fireinfo now supports authentication against any upstream web proxies
• Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
• Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
• The description on which SSH port IPFire is listening has been fixed.
• Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
• GeoIP: Scripts have been updated to use a new format of the GeoIP database
• Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1
Add-ons
• Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
• The haproxy package now correctly handles its backup
[1] https://www.ipfire.org/donate
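The proxy authentication issue described in the "Squid 4.5" section above (an authenticated user remembered by source IP for up to one second, so any other process on the same host could ride along) can be modelled in a few lines. The following is an added example written for this page, not squid's or IPFire's code: the cache class, the credential store and the addresses are constructed assumptions, and the simulation only shows why a per-IP grace window is unsafe on shared hosts and why a window of zero closes it.

```python
"""Model of a proxy authentication cache keyed by client IP with a TTL.

Constructed illustration (not squid's code): a successful authentication is
remembered per source IP for ttl_seconds, and a later request from the same
IP without any credentials is allowed while the entry is still fresh.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential store for the example: username -> password.
VALID_CREDENTIALS = {"alice": "correct-horse"}


@dataclass
class ProxyAuthCache:
    """Remembers the last successful authentication per client IP for ttl_seconds."""
    ttl_seconds: float
    # ip -> (username, time of successful authentication)
    _seen: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def request(self, client_ip: str, now: float,
                credentials: Optional[Tuple[str, str]] = None) -> bool:
        """Return True if the request is authorised, False if it must be rejected.

        credentials is an optional (username, password) pair sent by the client.
        """
        if credentials is not None:
            user, password = credentials
            if VALID_CREDENTIALS.get(user) == password:
                # Remember the IP so later requests inside the TTL skip re-auth.
                self._seen[client_ip] = (user, now)
                return True
            return False
        # No credentials at all: only a fresh per-IP entry can let this through.
        entry = self._seen.get(client_ip)
        if entry is None:
            return False
        _, authed_at = entry
        # With ttl_seconds == 0 this is never true, i.e. re-authorisation always.
        return (now - authed_at) < self.ttl_seconds


def ride_along_possible(ttl_seconds: float) -> bool:
    """Simulate one shared host: the browser authenticates at t=0.0, and half a
    second later a different process on the same host sends a request carrying
    no credentials. Returns True if that second request is (wrongly) allowed."""
    cache = ProxyAuthCache(ttl_seconds=ttl_seconds)
    if not cache.request("192.0.2.10", now=0.0, credentials=("alice", "correct-horse")):
        raise RuntimeError("browser login should succeed in this scenario")
    return cache.request("192.0.2.10", now=0.5, credentials=None)


if __name__ == "__main__":
    print("ttl=1s, unauthenticated process allowed:", ride_along_possible(1.0))
    print("ttl=0s, unauthenticated process allowed:", ride_along_possible(0.0))
```

The per-IP cache is a performance shortcut that is only sound when one IP maps to one user; a virtual machine, a container or any second program behind the same address breaks that assumption, which is why requiring (re-)authorisation on every request is the safer default.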
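The "DNS Forwarding" section above describes accepting hostnames as well as IP addresses, comma-separated, and expanding a hostname to every server it resolves to so that one unreachable server no longer makes a domain unresolvable. The following is an added example, not IPFire's own implementation: it assumes the forwarding entries end up as unbound forward-zone stanzas (the announcement does not say how they are applied), and it uses a constructed lookup table in place of a real resolver so that it runs offline.

```python
"""Expand an IPFire-style DNS forwarding entry into a forward-zone stanza.

Added example, not IPFire code. The unbound forward-zone output format is an
assumption about how such entries could be applied; CONSTRUCTED_RESOLVER is a
stand-in for real DNS lookups.
"""
import ipaddress
from typing import Dict, List

# Constructed lookup table standing in for a real resolver (example data only).
CONSTRUCTED_RESOLVER: Dict[str, List[str]] = {
    "dns.example.net": ["192.0.2.53", "198.51.100.53"],
    "blocklist.example.org": ["203.0.113.1"],
}


def resolve_servers(spec: str, lookup: Dict[str, List[str]] = CONSTRUCTED_RESOLVER) -> List[str]:
    """Expand a comma-separated list of IP addresses and hostnames into addresses.

    Literal addresses are validated and kept; hostnames are expanded to every
    address they resolve to. Names that do not resolve are skipped rather than
    failing the whole entry, so one dead server does not take the domain down.
    Order is preserved and duplicates are removed.
    """
    addresses: List[str] = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        try:
            ipaddress.ip_address(item)      # raises ValueError for a hostname
            candidates = [item]
        except ValueError:
            candidates = lookup.get(item.lower(), [])
        for addr in candidates:
            if addr not in addresses:
                addresses.append(addr)
    return addresses


def forward_zone(domain: str, spec: str, lookup: Dict[str, List[str]] = CONSTRUCTED_RESOLVER) -> str:
    """Render an unbound forward-zone stanza for domain, or '' if nothing resolved.

    Returning '' lets the caller fall back to normal recursive resolution
    instead of writing a zone with no forwarders.
    """
    addresses = resolve_servers(spec, lookup)
    if not addresses:
        return ""
    lines = ["forward-zone:", f'\tname: "{domain}"']
    lines += [f"\tforward-addr: {addr}" for addr in addresses]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(forward_zone("corp.example", "dns.example.net, 192.0.2.1"), end="")
```

Because the entry is expanded at configuration time, the zone has to be regenerated when the provider's addresses change; re-running the expansion on a schedule (or on the rule-update run) keeps the forward-addr list current without editing the entry.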
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know, that we are planning to release the next
IPFire release, IPFire 2.21 Core Update 127 next Wednesday, Feb 6 between 10:00
and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed.
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-21-core-update-127-is-available-for-t…
In this release, we updated the Web Proxy to squid 4.5 which brings many performance
improvements as well as many other fixes for various security issues and updates for
many packages of the base system.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael
https://blog.ipfire.org/post/ipfire-2-21-core-update-126-released
Finally, the next release of IPFire is available: IPFire 2.21 - Core Update 126. This update comes with a new kernel and security enhancements. This change log is rather short, but the changes are very important.
Thank you very much to all of you who have supported our Donations Challenge [1] so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!
Linux 4.14.86
The kernel has been updated to the latest version of the Linux 4.14.x branch which brings various improvements around stability, enhances performance and fixes some security vulnerabilities. This kernel also has major updates for the Spectre and Meltdown vulnerabilities that remove previously existent performance penalties in some use-cases.
The kernel's modules are now compressed with the XZ algorithm which will save some space on disk as the kernel is one of the largest components of IPFire.
Misc.
* openssl has been updated to 1.1.0j and 1.0.2q which fixes some minor security issues and has various bug fixes
* The bind package has now changed to ship shared libraries which it did not before. Those allow that commands like dig and host use those shared libraries and are no longer statically linked. This makes the files a lot smaller.
* Stéphane Pautrel has substantially improved the French translation of IPFire. Thank you very much for that!
Add-ons
* Updated packages: bird 2.0.2, nano 3.2
* New packages: shairport-sync
Thanks for the people who contributed to this Core Update. Please support us and donate!
[1] https://blog.ipfire.org/post/donations-challenge