This is the official release announcement of IPFire 2.15 (Core Update 77). It is the release with the most changes since the beginning of the IPFire 2 series. Those changes of course include major work on the base of the system, security has been improved in lots of ways and there are many changes regarding the user interface, that introduce new functionality and make managing the firewall easier.
If you want to support the IPFire project, you can do this by donating. Your contributions will help to extend our activities and improve the IPFire distribution and are of course very much needed and appreciated.
This changelog is very long, but we recommend that you read through it, because there are so many exciting changes that make IPFire so much better, but of course we cannot headline them all.
The firewall GUI has been in development for over a year now and has been massively extended so that almost everything is possible now. There are groups which make creating rules for multiple hosts or services very easy and help you to hold your nerves, even with complex rule sets.
All your rules will be automatically converted, but we recommend to double check that everything works as it is intended.
On decent sized hardware, IPFire never had any performance issues, but in this release, we still spent some time to make it even better. The connection tracking has been improved so that malformed packets (e.g. invalid TCP flags) are dropped earlier and less rules have to be evaluated for every packet that transits the firewall.
Therefore, performance especially on slow hardware has been improved in terms of throughput and latency.
IPFire 2.15 is based on Linux 3.10 and patched with grsecurity. grsecurity hardens the kernel and the system so that even if there are bugs in an application, that these cannot be exploited by an attacker. Therefore, it provides pro-active security at the cost of a small performance decrease.
The new kernel also provides lots of new device drivers and supports more recent hardware:
igbdrivers for Intel network hardware, the kernel driver has been replaced by the official one by Intel that just supports more recent cards.
Essential system libraries like glibc have been updated or patched for performance and to fix security issues.
A more important one is the openssl library that has been updated to version 1.0.1g. Additionally to the ciphers and other algorithms that have been supported in openssl 0.9.8, there is now support for more ciphers that are used to secure communication with the IPFire web user interface and VPN services. The library has been modified to never propose weak algorithms.
All packages are now compiled with stack smashing protection and
-fPIC when ever possible.
apache 2.2.26, beep 1.3, fireinfo 2.1.9, iptables 1.4.21, iw 3.10, kmod 13 (replaces module-init-tools), libnl 1.1.4, libxml 2.6.32, lm_sensors 3.3.4, linux-firmware 52d77db, lzo 2.06, memtest 5.01, Net::SSLeay 1.55, ntp 4.2.6p5, openssh 6.6p1, perl-DBI 1.631, strongswan 5.1.2, udev 208, usb-modeswitch 2.01 and database version 20131113, usbutils 007, util-linux 2.24, vim 7.4, wget 1.14, xz 5.0.5
Despite the new firewall and hardening the base system, we laid focus on improving cryptography, both security and performance. All sorts of algorithms that are supported by the kernel and openssl have been enabled and added to the GUI so that they can be used.
strongswan, the software that provides the IPsec functionality in IPFire, has been updated to version 5.1.2 and the
farp plugin have been enabled.
The Camellia cipher has been added with supported key lengths of 256, 192 and 128 bits. Camellia is a competitor to AES with no affiliation to the government of the United States of America. For IKE group types, MODP-2048 with subgroups has been added as well as the Brainpool Elliptic Curves. These are an alternative to the curves specified by NIST (National Institute of Standards and Technology of the USA).
The “advanced settings” page has been redesigned so that the many algorithms that are now supported fit on the page. Options for the “Dead Peer Detection” have been added so that these are changeable by the user, too.
As well as IPsec VPNs, OpenVPN supports the Camellia cipher, too. For new installations, the default cipher for the Roadwarrior server is AES-256-CBC instead of Blowfish.
IPFire 2.15 now feeds entropy from hardware random number generators directly into the kernel, so that there will always be sufficient randomness for cryptographic applications like VPNs or generating certificates. This will make these operations stronger against some attacks and also faster.
Unfortunately, only a few systems come with HWRNGs. There is a list on the wiki with supported hardware. Please don’t forget to add your hardware if it is supported as well.
There is a new entropy graph that shows how much entropy is available in the kernel’s entropy pool, which size has also been increased.
The wireless access point that can be created with a simple wireless card and the
hostapd addon now supports working on channels in the 5 GHz band that require DFS (radar detection). Therefore more of the frequency space can be used to create wireless networks with better throughput because of less interference.
The GUI shows some more information now about the status of the wireless hardware and connected clients.
On systems which provide a chip that is able to encrypt/decrypt data and on those systems which have a CPU that comes with special instructions, cryptographic operations are substantially faster.
IPFire is able to use the AES-NI instructions of newer CPUs and other crypto hardware like VIA Padlock, etc. Check our wiki for a full list of supported hardware.
OpenSSH has been updated to 6.6p1 and uses
ed25519 of both client and server support it. ec25519 is an elliptic curve specified by a team led by Daniel J. Bernstein.
The ARM version of IPFire now ships an experimental multi-platform kernel. This means that this kernel is able to run on not just one board as it has been before, but on many boards of the same kind.
Unfortunately, the Raspberry PI computer is not able to boot the multi-platform kernel, but there is an extra image with a Raspberry PI image. The kernel has been patched with Raspberry PI patchset of version 943b563.
There is also an extra kernel for Marvell Kirkwood-based systems.
The web user interface has got a new default theme. It makes the configuration pages easier to navigate and gives them a clean appearance. The generated HTML output of many CGI scripts has been improved and validates as HTML5.
Some pages got a bigger redesign to put the most important information in focus. Others have received some smaller changes which might not be notable right away. Overall, the pages should be cleaner and faster to render for the browser.
If you want to stick with the old one, it will still be there called “ipfire-legacy”. A rounded version of the new default theme is available as well as a theme called “darkdos” by Logan Schmidt.
The web user interface now requires a certain set of ciphers that must be supported by the client as well. Broken or weak ciphers like RC4 are not used any more and AES-128 and AES-256 in Galois/Counter Mode are preferred in that order. If GCM is not supported, apache will try to use CBC. Using SSLv2 is forbidden and TLSv1.2 is preferred, if available.
setddns.plscript now recognises the DS-Lite address range correctly.
There are no more USB installation images, as the ISO now can be booted from an USB key.
tor has been updated to version 0.2.4.20, which uses a new hand-shake algorithm that requires much less resources and it also uses stronger ciphers for data packets. The limit of max. concurrent connections has been raised.
Guardian now reacts on brute-force attacks against the local SSH server in pre-auth stage. That means that testing user/password combinations is almost instantly blocked.
The number of changes in this release is bigger than it never was. We received some great contributions, but we still wish that there will be more in the future. One thing that needs some care is translations other than English and German, as there are no people in the team who speak any of the other languages that are “supported”.
The commit-wise biggest contribution is the firewall GUI that has been written by Alexander Marx (over 400 commits). Other contributions have been submitted by Alf Høgemark, Erik Kapfer, Ben Schweikert, Ersan Yildirim, Kim Wölfel, Logan Schmidt, Hans Horsten and Bernhard Bitsch.
We would like to thank all people who have directly or indirectly contributed to this release and we are looking forward to accept your contributions as well. There are many things to do, like translations, bug fixes, or new features. All of them are important to make IPFire to what it is.
Published by Michael Tremer, May 10, 2014 at 2:00 pm