2.2508 Feb 2020 03:05
The first exciting big update of the year is ready for testing: IPFire 2.25 - Core Update 141! It comes with a totally reworked DNS system which adds many new features like DNS-over-TLS. On top of that, this update many.
DNS Updates. The biggest set of changes in this release is around DNS. We have cleaned up many scripts and the UI which allowed us to add new functionality: A unified page with all DNS settings. More than two DNS servers can be added for better load-balancing and resiliency. The fastest servers will be used automatically.. Enhanced privacy with DNS-over-TLS and strict QNAME minimisation. Safe Search, to filter adult content from the entire network without using the web proxy. Better workarounds for users with ISPs that filter DNS responses/break DNSSEC. TLS and TCP can be used as transport instead.. Faster boot because of fewer checks being executed at boot time.
In order to combat MTU, we are following guidelines and have set the EDNS buffer size to 1232 bytes. This avoids large DNS replies being fragmented even on Internet lines with smaller MTUs.. All DNS settings will automatically be converted. This is also compatible when older backups are being restored.
Updates Under The Hood. IPFire is a modern distribution as we change and update many essential system components regularly. That allows us to keep you safe, support new features and of course be fast by taking advantage of modern hardware.. In this update, we have rebased the system on GCC 9 and added support for Go and Rust. We have included Python 3 to the base system and deprecated Python 2 which is out of support by now. Not everything has been converted to use Python 3 yet, but we will hopefully soon be able to drop support for Python 2 altogether.. Unfortunately the system is growing larger and larger with every update. Software in general is quite bloated although we are trying our best to keep IPFire as small as possible. On systems that have a 2GB root partition and many add-ons i
2.2324 Apr 2019 14:05
Finally, the next major version of IPFire is ready to testing. We consider our new Intrusion Prevention System such an important change, that we are calling it "IPFire 2.23" from now on. This update also contains a number of other and enhancements.
A New Intrusion Prevention System. We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.. This new system has many advantages over the old one in terms of performance, security and it simply put - more modern. We would like to thank the team at Suricata on which it is based for their hard work and for creating such an important tool that is now working inside of IPFire.. We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need. Please feel free to extend it wherever you can help out.
Migration from Snort. Your settings will automatically be converted if you are using the existing IDS and replicated with the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated.. Please note that the automatic migration will enable the new IPS, but in. monitoring mode only. This is that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.. If you restore an old backup, the IDS settings won't be converted.. The. guardian add-on is no longer required any more for the IDS to work but still provides means against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.
OS Updates. This release rebases the IPFire kernel on 4.14.113 which brings various and security. We have disabled some deging functionality that we no longer need which will give all IPFire systems a small performance boost.. The wireless regulatory database has also been updated.. Updated packages: gnutls 18.104.22.168. lua 5.3.5. nettle 3
2.2101 Aug 2018 10:25
This is the official release announcement for IPF ire 2.21 #8211; Core Update 122. It rebases the distribution on the long-term supported Linux kernel 4.14 and many more improvements and have found their way into the distribution.. Please help us to support everyone #8217;s work with your donation !.. Please note, that we have split this update into two parts. First, you will need to install IPF ire 2.19 #8211; Core Update 121 and then, the second part will automatically be installed after. Please be patient and let the system complete the update. When everything is done, please reboot into the new kernel.. Highlight: Linux 4.14. The distribution was rebased from our old long-term supported kernel to the new kernel 4.14.50.. Most importantly, this kernel improves the security of the system, increases performance and makes the core of IPF ire more up to date and modern again. This update also enables mitigation against Meltdown and Spectre on some architectures. On Intel-based platforms, we update the microcode of the CPU s when the system boots up to avoid any performance penalties caused by the mitigation techniques.. Unfortunately, grsecurity is incompatible with any newer kernels and has been removed. This is connected to the decision of the grsecurity project to no longer open source their patches. Luckily the kernel developers have backported many features so that this kernel is still hardened and secure.. ARM systems won #8217;t be able to install this update due to the kernel change which also requires changes on some bootloaders. For those users, we recommend to backup the system, reinstall and then restore the backup. The re-installed system will only come with a single ARM kernel instead of multiple for different platforms that we had before. It helps us to keep the distribution smaller and makes development efforts easier.. Misc... Updated packages: apache 2.4. beep 1.3 with for CVE -2018-0492. bwm-ng 0.6.1-f54b3fa. cmake 3.11.2. crda 3.1
2.1915 Apr 2016 13:05
It is a great moment to us and we are very proud to release the 100th Core Update today.. This update will bring you IPF ire 2.19 which we release for 64 bit on Intel (x86_64) for the first time. This release was delayed by the various security vulnerabilities in. openssl and. glibc, but is packed with many improvements under the hood and various.. 64 bit. There will be no automatic update path from a 32 bit installation to a 64 bit installation. It is required to manually reinstall the system for those who want to change, but a previously generated backup can be restored so that the entire procedure takes usually less than half an hour.. There are not too many advantages over a 64 bit version except some minor performance increases for some use cases and of course the ability to address more memory. IPF ire is able to address up to 64GB of RAM on 32 bit, so there is not much need to migrate. We recommend to use 64 bit images for new installations and stick with existing installations as they are.. Kernel Update. As with all major releases, this one comes with an updated Linux kernel to and improve hardware compatibility. Linux 3.14.65 with many backported drivers from Linux 4.2 is also hardened stronger against common attacks like stack buffer overflows.. Many firmware blobs for wireless cards and other components have been updated just as the hardware database.. Hyper-V performance. A backport of a recent version of the Microsoft Hyper-V network driver module will allow transferring data at higher speeds again. Previous versions had only very poor throughput on some versions of Hyper-V.. Firewall Updates. It is now possible to enable or disable certain connection tracking modules. These Application Layer Gateway ( ALG ) modules help certain protocols like SIP or FTP to work with NAT. Some VoIP phones or PBX es have problems with those so that they can now be disabled. Some need them.. The firewall has also been optimised to allow more throughput with
2.17 - Core Update 9013 Jun 2015 01:26
Comes with some new features, many updates of software packages and
various minor bug fixes.
SSLv3 and SSLv2 are now disabled by default.
Removing legacy code.
strongSwan has been updated to version 5.3.0. It provides much better
stability of IPsec VPN connections.
The kernel has been updated to version 3.14.43.
glibc: Fix CVE-2013-7423 and CVE-2015-1781
Apache will not show its version and loaded modules any more in the server
Connections in the list of connections that are using Destination NAT are
Now coloured in the colour of the new destination host.
dnsmasq has been fixed so that it will correctly fall back to TCP for DNS
replies larger than the DNS packet size.
udev: Network interface names are now assigned from the configuration in
/var/ipfire/ethernet/settings instead of the setup tool generating a native
/udev configuration file.
ovpnmain.cgi: Some certificate authority (CA) related elements have been
/displayed outside the site layout.
2.15 Core 7909 Jul 2014 17:42
The kernel has been updated to 3.10.44 for better support for some hardware. Feature enhancements that massively increase the security level of OpenVPN connections. Some enhancements of the web user interface, update of the Squid web proxy, new features in general and many other changes.