IPFire 2.17 - Core Update 95 released
The IPFire Project
ipfire-announce at lists.ipfire.org
Fri Dec 11 21:10:21 CET 2015
This is the official release announcement for IPFire 2.17 – Core Update
95 which is a bigger release with a new kernel and various smaller
feature enhancements and bug fixes.
Linux Kernel Update
This update contains a minor update to the Linux kernel IPFire is using
based on Linux 3.14.57. Various device drivers for Intel network
controllers and some other hardware have been improved.
strongswan has been updated to version 5.3.3 and much work was done on
the IPsec VPN stack. The changes include feature enhancements and bug
Support for multiple subnets per tunnel
It is now possible to configure more than one subnet per IPsec net-to
-net connection- That makes configuration for more complex networks
easier and also reduces the overhead for the IPsec connection.
Reject rules when a tunnel is not established
Formerly, packets that were supposed to be sent through an IPsec tunnel
were routed and then silently dropped when a tunnel was not
established. This caused that packets may be sent out towards the
Internet and that this connection was remembered in the connection
tracking table and in rare cases causes issues so that for example SIP
telephones where the PBX was on the other end of an IPsec tunnel could
not register properly any more.
Packets will now be rejected by the firewall if the IPsec tunnel is
not established which improves security and also eliminated the issue
Some deprecated (and non-functional) configuration options have been
removed from the IPsec GUI
The DHCP is now able to submit DNS updates to an upstream name server
after a DHCP lease was handed out. Therefore the names of these systems
can be made available in an external DNS zone. It uses the mechanism
also known as RFC2136 which is operable with many major name servers
and requires TSIG keys to sign the updates.
* * Static routes are now loaded for gateways behind the tunnel when a
tunnel comes up
* * An extra client package is now downloadable with the configuration
and and certificates in the PEM format. That allows for those
connections to be easier importable to clients that don’t support
the PKCS12 format like iOS devices.
* VLAN devices are now hotpluggable. That makes the bootup process more
robust when initialising a NIC takes longer than usual.
* snort was updated to version 22.214.171.124
* The initial download of the GeoIP database is now executed in
background. On some systems with slower uplink this caused a long
delay when connecting to the Internet for the first time.
* The ntp package was updated to version 4.2.8p4 which fixes various
* dma, the new mailing component, was updated to version 0.10 which
handles unreachable mail servers better and tries to resend emails
* We ship the ipset and pgrep binaries which was requested by some
* ddns, the Dynamic DNS Updater, was updated to version 009 which
improves handling of SSL errors and adds desec.io as a provider
* The lzo compression library was updated to version 2.09
* asterisk was updated to version 11.20.0 which mainly contains
security and stability fixes
* monit was updated to version 5.14
* tor: Flag icons are now shown again
Please help us to sustain the work on IPFire Project with your
More information about the IPFire-Announce