IPFire 2.19 - Core Update 106 released

The IPFire Project ipfire-announce at lists.ipfire.org
Tue Nov 1 21:48:51 CET 2016


This is the official release announcement for IPFire 2.19 – Core Update 106
which comes with a number of exciting new features, many bug fixes and a few
security improvements.

Change of the DNS Proxy

IPFire used dnsmasq as DNS proxy before which is now replaced by unbound. The
latter is in contrast to the former software that is specifically designed as an
DNS forwarding proxy or DNS recursor and implemented DNSSEC from early on.

Because of our decision to enable DNSSEC by default and various problems in
dnsmasq we have been toying with the idea of replacing it for a very long time.
Unfortunately development resources are tight and because of this being a
substantial part of the system and hooked into many other things, this was a
very time-consuming project.

Finally, this new solution should now bring various advantages:


unbound is multi-threaded and IPFire will start one thread per CPU core that is
available. That will allow execution of multiple queries in parallel which
should increase responsiveness and throughput.

The cache size is adjusted based on memory available on the system. Bigger
systems will have a significantly bigger DNS cache which will speed up browsing
especially in larger environments like universities with a large number of

Better DNSSEC reliability

DNSSEC is enabled by default (as it was before). However, unbound does not rely
on the upstream servers being validating resolvers, too. This will bring DNSSEC
to many more users. DNS servers are now tested before being passed on for use
and any malfunctioning DNS servers won’t be used. Status of this can be seen on
the user web interface.

Please see this list of various DNS services [1] on the Internet for more

If none of the DNS servers configured or received from the provider can be used,
unbound will fall back to full recursor mode.

With the next key rollover of the DNS root zone [2], IPFire will automatically
download and validate the new key according to RFC5011.

Enhanced Features

DHCP leases will be published into the local DNS zone as before. Static leases
are imported as well which is a new feature. Everything IP address will resolve
to its hostname by publishing PTR records.


* Passwords are now saved with a stronger hash (SHA512) which was MD5 before.
  Please change the root password using the setup tools to store your passwords
  with the improved hash.
* Firewall: An incorrect validation of destination IP addresses for rules that
  use Destination NAT caused that some valid addresses were not accepted. This
  is fixed now.
* PPP connections no longer require a password being set (some providers require
  these being empty)
* The NTP client now waits correctly for WiFi connections being established
  before continuing to boot
* The samba add-on enables SMBv2 by default
* IPFire now ships the firmware for MediaTek 7601 series devices
* Various old software components that are not used any more are cleaned
  up from the systems
* The iptables page on the web user interface has been improved to be more

Updated Packages

This update installs a large number of updated packages:

* openssl 1.0.2j which fixes some implementation errors and DoS introduced in
  the 1.0.2i update
* strongswan has been updated to version 5.5.0
* attr 2.4.47, dejagnu 1.6, diffutils 3.5, expat 2.2.0, file 5.28, flex 2.6.1,
  gettext, gnupg 1.4.21, iproute2 4.7.0, ipset 6.29, libassuan 2.4.3,
  libgcrypt 1.7.3, libidn 1.33, libgpg-error 1.24, libnetfilter_conntrack
  1.0.6, libmnl 1.0, make 4.2.1, smartmontools 6.5, squid 3.5.21, usb_modeswitch
  2.4.0, usb_modeswitch_data 20160803


The new Guardian 2.0 add-on's user interface received some cosmetic changes

Updated Packages

* asterisk 11.23.1
* krb 1.14.4
* Midnight Commander 4.8.18
* monit 5.19.0
* nano 2.6.3
* transmission 2.92

We are currently crowdfunding a Captive Portal [3] for IPFire and would like you
to ask to check it out and support us!

Please help us to support the work on IPFire Project with your donation [4].

[1] http://wiki.ipfire.org/en/dns/public-servers
[2] https://www.icann.org/resources/pages/ksk-rollover
[3] http://wishlist.ipfire.org/wish/the-ipfire-captive-portal
[4] http://www.ipfire.org/donate

More information about the IPFire-Announce mailing list