IPFire 2.17 - Core Update 95 released

The IPFire Project ipfire-announce at lists.ipfire.org
Fri Dec 11 21:10:21 CET 2015


This is the official release announcement for IPFire 2.17 – Core Update
95 which is a bigger release with a new kernel and various smaller
feature enhancements and bug fixes.

Linux Kernel Update

This update contains a minor update to the Linux kernel IPFire is using
based on Linux 3.14.57. Various device drivers for Intel network
controllers and some other hardware have been improved.

IPsec Update

strongswan has been updated to version 5.3.3 and much work was done on
the IPsec VPN stack. The changes include feature enhancements and bug

Support for multiple subnets per tunnel

It is now possible to configure more than one subnet per IPsec
net-to-net connection. That makes configuration for more complex
networks easier and also reduces the overhead for the IPsec connection.

Reject rules when a tunnel is not established

Formerly, packets that were supposed to be sent through an IPsec tunnel
were routed and then silently dropped when a tunnel was not
established. As a result, packets could be sent out towards the
Internet and the connection was remembered in the connection tracking
table. In rare cases this caused issues, for example SIP telephones
whose PBX was on the other end of an IPsec tunnel could not register
properly any more.

Packets will now be rejected by the firewall if the IPsec tunnel is
not established, which improves security and also eliminates the issue
described above.


Some deprecated (and non-functional) configuration options have been
removed from the IPsec GUI.

DHCP Server

The DHCP server is now able to submit DNS updates to an upstream name server
after a DHCP lease was handed out. Therefore the names of these systems
can be made available in an external DNS zone. It uses the mechanism
also known as RFC2136 which is operable with many major name servers
and requires TSIG keys to sign the updates.


* OpenVPN
  * Static routes are now loaded for gateways behind the tunnel when a
    tunnel comes up
  * An extra client package is now downloadable with the configuration
    and certificates in the PEM format. That makes those connections
    easier to import on clients that don't support the PKCS12 format,
    like iOS devices.
* VLAN devices are now hotpluggable. That makes the bootup process more
  robust when initialising a NIC takes longer than usual.
* snort was updated to version
* The initial download of the GeoIP database is now executed in 
  background. On some systems with slower uplink this caused a long 
  delay when connecting to the Internet for the first time.
* The ntp package was updated to version 4.2.8p4 which fixes various 
  security vulnerabilities
* dma, the new mailing component, was updated to version 0.10 which 
  handles unreachable mail servers better and tries to resend emails
* We ship the ipset and pgrep binaries which was requested by some 
* ddns, the Dynamic DNS Updater, was updated to version 009 which 
  improves handling of SSL errors and adds desec.io as a provider
* The lzo compression library was updated to version 2.09


Updated Add-ons

* asterisk was updated to version 11.20.0 which mainly contains 
  security and stability fixes
* monit was updated to version 5.14
* tor: Flag icons are now shown again

Please help us to sustain the work on IPFire Project with your
donation [1].

[1] http://www.ipfire.org/donate
