IPFire 2.15 - Core Update 79 has been released
The IPFire Project
ipfire-announce at lists.ipfire.org
Mon Jul 7 23:16:50 CEST 2014
IPFire 2.15 - Core Update 79 is finally arriving with many bug fixes and
enhancements. Among the big changes with this update are lots of feature
enhancements that massively increase the security level of OpenVPN
connections, some enhancements of the web user interface and a lot more
awesome stuff under the hood.
The OpenVPN capabilities have been massively extended by Erik Kapfer:
The certificate authority that can be created on the OpenVPN page now
uses much better hashes to protect its own integrity. The CA root
certificate uses a SHA512 hash and an RSA key with a length of 4096 bits.
All newly created host certificates use an RSA key with a length of 2048
bits and a SHA256 hash.
Additionally, a set of Diffie-Hellman parameters can be generated for
better protection of the session keys. The length of the pregenerated DH
parameters can be chosen in the web interface.
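The parameters described above can be reproduced with plain openssl commands, which is useful for auditing what the web interface generated. The script below is an added example and is not IPFire's own code; the working directory, the certificate names and the validity periods are assumptions made for the demo. The cert_params helper reads the signature algorithm and key size back out of a certificate so the result can be checked rather than assumed.

```shell
#!/bin/sh
# Added example (not IPFire's scripts): CA and host certificate with the
# parameters named in the announcement, plus DH parameters of a chosen size.
# WORK, the names and the -days values are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA: 4096-bit RSA key, self-signed certificate with a SHA-512 signature.
make_ca() {
    openssl req -x509 -newkey rsa:4096 -nodes -sha512 -days 3650 \
        -subj "/CN=Example OpenVPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Host certificate: 2048-bit RSA key, CSR signed by the CA with SHA-256.
make_host_cert() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 \
        -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/$name.crt" 2>/dev/null
}

# Diffie-Hellman parameters of the chosen size (4096 takes a long time).
make_dh() {
    bits="${1:-2048}"
    openssl dhparam -out "$WORK/dh$bits.pem" "$bits" 2>/dev/null
}

# Audit helper: prints "<signature algorithm> <key bits>" for a certificate.
cert_params() {
    text=$(openssl x509 -in "$1" -noout -text)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    echo "$sigalg $bits"
}

# Check that a host certificate chains to the generated CA.
verify_host() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Run with "demo" as first argument to generate everything and print the audit.
if [ "${1:-}" = "demo" ]; then
    make_ca
    make_host_cert laptop01
    make_dh 2048
    cert_params "$WORK/ca.crt"        # sha512WithRSAEncryption 4096
    cert_params "$WORK/laptop01.crt"  # sha256WithRSAEncryption 2048
    verify_host laptop01 && echo "chain OK, files in $WORK"
fi
```

Running cert_params against certificates exported from an existing installation is the quickest way to see whether they were created before or after this update: older ones will report 1024-bit or 2048-bit keys with SHA-1 signatures.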
The cipher that is used for each net-to-net connection can now be
changed, for example to take advantage of hardware crypto processors.
SEED has been added to the list of supported ciphers.
*ATTENTION*: Some other ciphers that are evidently broken have been
removed for use with the roadwarrior server. Those are: DES-CBC,
RC2-CBC, RC2-64-CBC and RC2-40-CBC. If you are using one of these,
please replace all your roadwarrior connections.
To ensure that the transmitted data has not been altered on the way from
sender to receiver, a hash function is used. This hash is now
configurable with a couple of options: SHA2 (512, 384 and 256 bit),
Whirlpool (512 bit) and SHA1 (160 bit).
To mitigate DoS attacks against the OpenVPN server, the tls-auth option
can be enabled. It uses an HMAC function that lets the server very
quickly decide whether a packet is coming from a legitimate sender and needs
to be decrypted (which is a very costly operation) or whether it is just
some spoofed data sent to slow down the server. In the latter case the HMAC
does not match and the packet can be discarded right away.
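The receiving side of the HMAC check just described, as an added example that is not OpenVPN's or IPFire's code: a shared static key is used to tag every packet, and the receiver recomputes the tag and drops anything that does not match before doing any expensive work. The digest used here is SHA-512, one of the options listed for the configurable hash above. The key file name, the packet format ("<hex tag> <payload>") and the packet contents are constructed for the demo; real OpenVPN packets carry the HMAC inside the packet header.

```shell
#!/bin/sh
# Added example (not OpenVPN's or IPFire's code): a minimal model of the
# tls-auth receive path. Key, packet format and payloads are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TA_KEY="$WORK/ta.key"   # stands in for the static key both ends share

# Create a 512-bit shared secret (hex) assumed to be present on both sides.
gen_ta_key() {
    openssl rand -hex 64 > "$TA_KEY"
}

# HMAC-SHA512 over the payload with the shared key, as a hex string.
hmac_tag() {
    printf '%s' "$1" | openssl dgst -sha512 -hmac "$(cat "$TA_KEY")" | sed 's/^.*= //'
}

# Sender side: prefix the payload with its tag.
tag_packet() {
    printf '%s %s\n' "$(hmac_tag "$1")" "$1"
}

# Receiver side: recompute the tag and compare. Returns 0 (accept) or 1 (drop).
# Nothing else is touched until this check has passed.
check_packet() {
    line="$1"
    got="${line%% *}"
    payload="${line#* }"
    [ "$got" = "$(hmac_tag "$payload")" ]
}

# Per-packet handling: cheap HMAC check first, costly work only afterwards.
receive() {
    if check_packet "$1"; then
        echo "accepted: decrypting '${1#* }'"   # placeholder for the TLS/decrypt step
        return 0
    fi
    echo "dropped: HMAC mismatch"
    return 1
}

if [ "${1:-}" = "demo" ]; then
    gen_ta_key
    good=$(tag_packet "client hello")
    receive "$good"                               # accepted
    receive "${good%% *} client hello from elsewhere"   # dropped: payload changed
    receive "0000 client hello"                   # dropped: tag forged
fi
```

The comparison is a plain string compare, which is fine for a demo but not for production code, where the tag comparison should be constant-time; OpenVPN does that internally. The corresponding server configuration is the tls-auth directive with the shared key file and a key direction, which is what the web interface writes when the option is enabled.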
_All this may sound a bit complicated, but in the end the OpenVPN
feature is usable just in the same and easy way as you know it in
IPFire. Everything described here works under the hood and gives you
better protection for your data._
The Linux kernel running inside IPFire has been updated to version
3.10.44 which adds better support for some hardware, comes with lots of
stability fixes and closes some security issues. The vendor drivers for
Intel network adapters have been updated, too.
One of the most significant changes is that the system now uses the PCIe
ASPM configuration from the BIOS. The former setting was to save as much
power as possible, which may lead to instabilities with some PCIe
peripherals. It is now possible to easily configure the desired operation
mode in the BIOS of the system.
Various changes have been applied to the Xen image so installing IPFire
on para-virtualized systems runs much more smoothly now.
pppd, the Point-to-Point Protocol daemon, has been updated to version
2.4.6, which comes with some stability and security fixes. For PPPoE
sessions, the system will now try to connect to the Internet for a longer
time before giving up. This helps to establish a connection even
if there are some really weird modems around that need some time to
initialize when the network link goes up (seen with radio link
LTE/3G Modem Status
The IPFire web interface got a new status page for modems. This includes
all serial modems from 56k analogue modems up to LTE and 3G modems. On
this page there will be various information about the connected network,
signal quality and SIM card if one is available.
Squid Web Proxy Update
The Squid web proxy server has been updated to version 3.4.5. As this is
a major version update, several deprecated things and incompatibilities
had to be resolved. The redirect wrapper process has been rewritten and
all the redirect helpers (URL-Filter, Update Accelerator and
squidclamav) have been patched to be able to communicate with the proxy
When using proxy.pac for automatic client configuration, please note
that access to the web proxy is now only granted for the actual subnets
of the firewall and not for the entire private RFC1918 address space any
more. In addition to that, accessing resources of the same subdomain as
the clients (i.e. internet network access) circumvents the proxy as
Support for the internal Quality of Service has been compiled in.
Intrusion Detection System
snort, the Intrusion Detection System, has been updated to version
126.96.36.199. Downloading of rules will be possible for some time now.
* Alf Høgemark contributed an updated version of vnstat which is a tool
to measure the consumed traffic on each network interface and generates
beautiful graphs out of it.
* He also contributed a new log page on the IPFire web interface that
shows from which countries the most firewall hits originate.
* The new firewall GUI now supports blocking access to the GREEN
firewall interface from the GREEN network.
* The PIE packet scheduler has been added for experienced users to
* Lots of cleanup of the generated HTML output of the CGI web interface
scripts has been done.
* The Turkish translation has been updated by Ersan Yildirim.
* The net-utils package, which provided basic tools like ping, has been
removed; only the version of ping that comes with the iputils package
is used now. The hostname command has been replaced by a version that
is maintained by Debian.
* Updated packages: daq 2.0.2, libpcap 1.4.0, openvpn 2.3.4, sudo
* The build system is now able to use qemu and compile for ARM on x86
* Enabling the front LEDs on an ALIX system has been fixed when a RED
device has been assigned but the system actually uses a dial-in
* Installation on systems that only have a serial console is now possible
from the ISO image. The baudrate has been set to 115200 throughout the
entire process; this was formerly broken and the baudrate had to be
changed a couple of times.
* The default size of the root partition has been increased.
* The backup ISO that can be generated on the backup page of the IPFire
web interface is now a hybrid image as well, so that it can be put on a
USB key instead of burning it to a disc.
Dynamic DNS providers
Some new dynamic DNS providers have been added: spdns.de (Bernhard
Bitsch), twodns.de, variomedia.de (Stefan Ernst)
* icinga 1.11.4 (The nagios package may be dropped in the near future)
* sslscan 1.10.2 - A simple tool to scan which SSL features and ciphers
a remote host supports
* cacti 0.8.8b
* clamav 0.98.4
* nut 2.7.2 (Dirk Wagner)
* samba 3.6.24
* transmission 2.83