IPFire 2.17 - Core Update 95 is available for testing

by Michael Tremer, November 16, 2015

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now


we have made the next Core Update available for testing. It comes with various feature enhancements, improvements, and security and bug fixes.

Linux Kernel Update

This update contains a minor update to the Linux kernel IPFire is using based on Linux 3.14.57. Various device drivers for Intel network controllers and some other hardware have been improved.

IPsec Update

strongswan has been updated to version 5.3.3 and much work was done on the IPsec VPN stack. The changes include feature enhancements and bug fixes.

Support for multiple subnets per tunnel

It is now possible to configure more than one subnet per IPsec net-to-net connection- That makes configuration for more complex networks easier and also reduces the overhead for the IPsec connection.

Reject rules when a tunnel is not established

Formerly, packets that were supposed to be sent through an IPsec tunnel were routed and then silently dropped when a tunnel was not established. This caused that packets may be sent out towards the Internet and that this connection was remembered in the connection tracking table and in rare cases causes issues so that for example SIP telephones where the PBX was on the other end of an IPsec tunnel could not register properly any more.

Packets will now be rejected by the firewall if the IPsec tunnel is not established which improves security and also eliminated the issue described above.


  • Some deprecated (and non-functional) configuration options have been removed from the IPsec GUI

DHCP Server

The DHCP is now able to submit DNS updates to an upstream name server after a DHCP lease was handed out. Therefore the names of these systems can be made available in an external DNS zone. It uses the mechanism also known as RFC2136 which is operable with many major name servers and requires TSIG keys to sign the updates.


  • OpenVPN
    • Static routes are now loaded for gateways behind the tunnel when a tunnel comes up
    • An extra client package is now downloadable with the configuration and and certificates in the PEM format. That allows for those connections to be easier importable to clients that don’t support the PKCS12 format like iOS devices.
  • VLAN devices are now hotpluggable. That makes the bootup process more robust when initialising a NIC takes longer than usual.
  • snort was updated to version
  • The initial download of the GeoIP database is now executed in background. On some systems with slower uplink this caused a long delay when connecting to the Internet for the first time.
  • The ntp package was updated to version 4.2.8p4 which fixes various security vulnerabilities
  • dma, the new mailing component, was updated to version 0.10 which handles unreachable mail servers better and tries to resend emails
  • We ship the ipset and pgrep binaries which was requested by some users
  • ddns, the Dynamic DNS Updater, was updated to version 009 which improves handling of SSL errors and adds desec.io as a provider
  • The lzo compression library was updated to version 2.09


Updated Add-ons

  • asterisk was updated to version 11.20.0 which mainly contains security and stability fixes
  • monit was updated to version 5.14
  • tor: Flag icons are now shown again