IPFire 2.21 - Core Update 124 released

Michael Tremer michael.tremer at ipfire.org
Mon Oct 15 12:18:42 BST 2018


Dear IPFire Community,

this is the official release announcement for IPFire 2.21 – Core Update 124. It
brings new features and immensely improves security and performance of the whole

Thanks for the people who contributed to this Core Update. Please help us to
support everyone’s work with your donation [1]!

IPFire on Amazon Cloud

IPFire is now available on AWS EC2 [2]. This is sponsored by Lightning Wire Labs
and provides a virtual cloud appliance that is set up within minutes and
provides the full set of features of IPFire.

IPFire is ideal to securely connect your infrastructure to the cloud by using
IPsec VPNs and provides throughput of multiple tens of gigabits per second! But
IPFire can also be used as a small instance that protects your web, mail and
other servers in the cloud with the IPFire Intrusion Detection and Prevention
Systen, load balance web traffic and many things more.

Try it now [3]!

Kernel Hardening

We have updated the Linux kernel to version 4.14.72 which comes with a large
number of bug fixes, especially for network adapters. It has also been hardened
against various attack vectors by enabling and testing built-in kernel security
features that prohibit access to privileged memory by unprivileged users and
similar mechanisms.

Due to this, the update requires a reboot after it has been installed.

OpenSSH Hardening

Peter has contributed a number of patches that improve security of the SSH
daemon running inside IPFire. For those, who have SSH access enabled, it will
now require latest ciphers and key exchange algorithms that make the key
handshake and connection not only more secure, but also faster when transferring

For those admins who use the console: The SSH client has also been enabled to
show a graphic representation of the SSH key presented by the server so that
comparing those is easier and man-in-the-middle attacks can be spotted quickly
and easily.

Unbound Hardening

The settings of the IPFire DNS proxy unbound have been hardened to avoid and DNS
cache poisoning and use aggressive NSEC by default. The latter will reduce the
load on DNS servers on the internet through more aggressive caching and will
make DNS resolution of DNSSEC-enabled domains faster.


IPFire now supports booting in EFI mode on BIOSes that support it. Some newer
hardware only supports EFI mode and booting IPFire on it was impossible before
this update. EFI is only supported on x86_64.

Existing installations won’t be upgraded to use EFI. However, the flash image
and systems installed with one of the installation images of this update are
compatible to be booted in both, BIOS and EFI mode.

Although this change does not improve performance and potentially increases the
attack vector on the whole firewall system because of software running
underneath the IPFire operating system, we are bringing this change to you to
support more hardware. It might be considered to disable EFI in the BIOS if your
hardware allows for it.


* CVE-2018-16232: Remote shell command injection in backup.cgi: It has been
  brought to our attention that it was possible for an authenticated attacker to
  inject shell commands through the backup.cgi script of the web user interface.
  Those commands would have been executed as a non-priviledged user. Thanks to
  Reginald Dodd to spot this vulnerability and informing us through responsible
* The hostname of the system was set incorrectly in the kernel before and is now
  being set correctly
* Firewall: Creating rules with the same network as source and destination is
  now possible and renaming a network/host group is now correctly updating all
  firewall rules
* Cryptography: ChaCha20-Poly1305 is now working on ARM, too
* IPsec: The status of connections in waiting state is now shown correctly at
  all times; before, they always showed up as enabled although they were
* pakfire: Some old and unused code has been cleaned out and the mirror health
  check has been removed, because a download will fail-over to another available
  mirror anyways
* Intrusion Detection: Emerging Threats rules are now being downloaded over
  HTTPS rather than HTTP
* Updated packages: bind 9.11.4-P1, iproute2 4.18.0, ntp 4.2.8p12, openssh
  7.8p1, parted 3.2, pciutils 3.5.6, rng-tools 6.4, syslinux 6.04-pre1, unbound


Updated packages: nano 3.1, postfix 3.3.1

[1] https://www.ipfire.org/donate
[2] https://www.lightningwirelabs.com/products/ipfire/cloud
[3] https://aws.amazon.com/marketplace/pp/B07HYRD4FX

More information about the Press mailing list