IPFire 2.15 – Core Update 79 is finally arriving with many bug fixes and enhancements. Among the big changes with this update are lots of feature enhancements that massively increase the security level of OpenVPN connections, some enhancements of the web user interface and a lot more awesome stuff under the hood.
The OpenVPN capabilities have been massively extended by Erik Kapfer:
The certificate authority that can be created on the OpenVPN page now uses much stronger hashes to protect its own integrity. The CA root certificate uses a SHA512 hash and an RSA key with a length of 4096 bit. All newly created host certificates use an RSA key with 2048 bit length and a SHA256 hash.
Additionally, a set of Diffie-Hellman parameters can be generated for better protection of the session keys. The length of the pregenerated DH parameters can be chosen in the web interface.
The cipher that is used for each net-to-net connection can now be changed, for example to take advantage of hardware crypto processors. SEED has been added to the list of supported ciphers.
ATTENTION: Some other ciphers that are evidently broken have been removed for use with the roadwarrior server. Those are: DES-CBC, RC2-CBC, RC2-64-CBC and RC2-40-CBC. If you are using one of these, please replace all your roadwarrior connections.
To ensure that the transmitted data has not been altered on the way from sender to receiver, a hash function is used. This hash is now configurable with several options: SHA2 (512, 384 and 256 bit), Whirlpool (512 bit) and SHA1 (160 bit).
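The two paragraphs above describe configuration choices a roadwarrior connection may still carry from before this update. As an added example (not IPFire's own code), the following script parses an OpenVPN configuration file and reports ciphers that were removed from the roadwarrior server, an auth digest outside the options listed, and a missing tls-auth line. The sample configuration texts inside it are constructed; the default cipher and digest it assumes when a directive is absent are OpenVPN 2.3's (BF-CBC and SHA1).

```python
"""Audit an OpenVPN configuration against the cipher and digest changes above.

Added example, not IPFire or OpenVPN code. It reads the text of a server or
client configuration and returns a list of findings.
"""

# Ciphers the update removed from the roadwarrior server (from the release note).
REMOVED_CIPHERS = {"DES-CBC", "RC2-CBC", "RC2-64-CBC", "RC2-40-CBC"}

# Digests offered in the web interface after the update (from the release note).
OFFERED_DIGESTS = {"SHA512", "SHA384", "SHA256", "WHIRLPOOL", "SHA1"}


def parse_openvpn_config(text):
    """Return {directive: [args, ...]}, keeping the last occurrence of each directive.

    Comment lines (# or ;) and the contents of inline <ca> ... </ca> style
    blocks are ignored; only plain directives are collected.
    """
    options = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):      # closing tag of an inline block
            in_block = False
            continue
        if line.startswith("<"):       # opening tag of an inline block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        options[parts[0].lower()] = parts[1:]
    return options


def audit_openvpn_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_openvpn_config(text)
    findings = []

    # Assumption: OpenVPN 2.3 defaults when the directive is absent.
    cipher = opts.get("cipher", ["BF-CBC"])[0]
    if cipher.upper() in REMOVED_CIPHERS:
        findings.append(
            f"cipher {cipher} was removed from the roadwarrior server; "
            "replace this connection")

    auth = opts.get("auth", ["SHA1"])[0]
    if auth.upper() not in OFFERED_DIGESTS:
        findings.append(f"auth digest {auth} is not among the offered options")

    if "tls-auth" not in opts:
        findings.append(
            "tls-auth is not enabled; packets without a valid HMAC still reach "
            "the TLS layer")
    return findings


# Constructed sample configurations (not from a real installation).
OLD_ROADWARRIOR_CONF = """\
# client config exported before Core Update 79
client
remote vpn.example.invalid 1194
cipher DES-CBC
auth MD5
<ca>
MIIB...constructed...
</ca>
"""

UPDATED_ROADWARRIOR_CONF = """\
client
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA512
tls-auth ta.key 1
<ca>
MIIB...constructed...
</ca>
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD_ROADWARRIOR_CONF),
                       ("updated", UPDATED_ROADWARRIOR_CONF)):
        print(name, audit_openvpn_config(conf) or ["no findings"])
```

Run it against each exported client configuration; any connection that produces a "removed from the roadwarrior server" finding is one the release note says must be replaced.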
To mitigate DoS attacks against the OpenVPN server, the tls-auth option can be enabled which uses a HMAC function that lets the server very quickly decide if a packet is coming from a legitimate sender and needs to be decrypted (which is a very costly operation) or if it is just some spoofed data sent to slow down the server. In the latter case the HMAC does not match and the packet can be discarded right away.
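The gate described above (check a cheap HMAC first, decrypt only when it matches) is easy to see in a few lines. This is an added example of the pattern, not OpenVPN's wire format or code: it uses a toy framing of tag || payload with HMAC-SHA256 under a constructed pre-shared key, and a stand-in for the expensive decrypt step that simply counts how often it is reached.

```python
"""Authenticate-before-decrypt, as tls-auth does for the OpenVPN control channel.

Added example with a toy packet format (HMAC tag followed by payload);
not OpenVPN's real framing. The key and packets below are constructed.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_packet(key, payload):
    """Sender side: prepend an HMAC-SHA256 tag computed over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_packet(key, packet):
    """Receiver side: return the payload if the tag verifies, else None.

    The length check rejects truncated junk before any hashing; compare_digest
    runs in constant time so the comparison itself leaks nothing about the tag.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def triage(key, packets, expensive_step):
    """Run each packet through the HMAC gate; only verified payloads reach
    expensive_step. Returns (accepted, dropped) counts."""
    accepted = dropped = 0
    for pkt in packets:
        payload = open_packet(key, pkt)
        if payload is None:
            dropped += 1
            continue
        expensive_step(payload)
        accepted += 1
    return accepted, dropped


def demo():
    """Constructed traffic: one legitimate packet, one spoofed, one tampered.

    Returns (accepted, dropped, decrypt_calls): expected (1, 2, 1)."""
    key = b"constructed pre-shared tls-auth key"   # constructed, not a real key
    good = seal_packet(key, b"hello from a legitimate client")
    spoofed = b"\x00" * 48                           # random-looking junk, no valid tag
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                             # flip one payload bit
    calls = []
    accepted, dropped = triage(key, [good, spoofed, bytes(tampered)],
                               lambda payload: calls.append(payload))
    return accepted, dropped, len(calls)


if __name__ == "__main__":
    print(demo())
```

The point the counts make is the one in the paragraph: the spoofed and tampered packets never reach the costly step, so an attacker who cannot produce a valid tag cannot make the server spend decryption work on their traffic.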
All this may sound a bit complicated, but in the end the OpenVPN feature is usable just in the same and easy way as you know it in IPFire. Everything described here works under the hood and gives you better protection for your data.
The Linux kernel running inside IPFire has been updated to version 3.10.44 which adds better support for some hardware, comes with lots of stability fixes and closes some security issues. The vendor drivers for Intel network adapters have been updated, too.
One of the most significant changes is that the system now uses the PCIe ASPM configuration from the BIOS. The former setting was to save as much power as possible, which may lead to instabilities with some PCIe peripherals. It is now possible to easily configure the desired operation mode in the BIOS of the system.
Various changes have been applied to the Xen image so installing IPFire on para-virtualized systems runs much more smoothly now.
pppd, the Point-to-Point Protocol daemon, has been updated to version 2.4.6, which comes with some stability and security fixes. For PPPoE sessions, the system will now try to connect to the Internet for a longer time before giving up. This helps to establish a connection even if there are some really weird modems around that need some time to initialize when the network link goes up (seen with radio link antennas).
The IPFire web interface got a new status page for modems. This includes all serial modems from 56k analogue modems up to LTE and 3G modems. On this page there will be various information about the connected network, signal quality and SIM card if one is available.
The Squid web proxy server has been updated to version 3.4.5. As this is a major version update, several deprecated things and incompatibilities had to be resolved. The redirect wrapper process has been rewritten and all the redirect helpers (URL-Filter, Update Accelerator and squidclamav) have been patched to be able to communicate with the proxy process again.
When using proxy.pac for automatic client configuration, please note that access to the web proxy is now only granted for the actual subnets of the firewall and not for the entire private RFC1918 address space any more. In addition to that, accessing resources of the same subdomain as the clients (i.e. internal network access) bypasses the proxy as well.
Support for the internal Quality of Service has been compiled in.
snort, the Intrusion Detection System, has been updated to version 18.104.22.168. Downloading of rules will be possible for some time now.
vnstat, which is a tool to measure the consumed traffic on each network interface and generates beautiful graphs out of it.
net-utils, which provided basic tools like ping, has been removed and now only the version of ping that comes with the iputils package is used. The hostname command has been replaced by a version that is maintained by Debian.
Some new dynamic DNS providers have been added: spdns.de (Bernhard Bitsch), twodns.de, variomedia.de (Stefan Ernst)
Unfortunately, there has been very poor participation in testing this update. It would help us a lot if more people would engage in testing new releases and support our efforts. You can do that by donating or in various other ways.
This update requires a reboot.
Published by Michael Tremer, July 7, 2014 at 8:00 pm