Dear Community,
It is time for the last push of the year: The upcoming release of IPFire is ready to be tested by you, our awesome community. It comes with a refreshed kernel and includes a lot of changes that have been developed at the recent IPFire Developer Meetup. It is scheduled to be the last update for the year, so let's make it an extra special one before we all sign off for the holidays.
Please support the development team in testing this update and on our general mission to bring you the best open source firewall in the world with your donation.
A Fresh Kernel
The IPFire kernel has been rebased on Linux 6.6.63. This brings us the latest bunch of security and stability fixes from the Linux kernel maintainers and might be the last kernel that we are going to ship based on the 6.6.x kernel line.
Hardening Firewall Administration
We are starting the path to remove RSA from the IPFire web UI and SSH. On new installations, RSA keys won't be generated any more. On existing installations, this update removes the RSA key from the web UI, but we keep the RSA key for SSH so as not to break monitoring tools and similar clients. We still believe that RSA is strong enough to be used in today's world, but since there is sufficient browser and SSH client support for Elliptic Curve Cryptography, which is considered to be much stronger, we want to raise the bar for any potential future attacks on RSA.
IPFire is also now using post-quantum cryptography for SSH key exchanges: Streamlined NTRU Prime sntrup761 and X25519 with SHA-512 (sntrup761x25519-sha512) and the Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM, mlkem768x25519-sha256) have been enabled.
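As an added example (not IPFire's own code), the following Python script parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and reports whether a server offers the two post-quantum key exchanges named above and whether it still advertises an RSA host key, which is how one would verify the hardening described here from the client side. The two sample payloads are constructed inline for offline testing and are not captures from a real host.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1
PQ_KEX = {"sntrup761x25519-sha512", "mlkem768x25519-sha256"}
RSA_HOSTKEYS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",  # wire order
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _namelist(buf, off):
    """Read one SSH name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list")
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n

def parse_kexinit(payload):
    """Return the ten name-lists of a decrypted SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    out, off = {}, 17  # skip message id and the 16-byte cookie
    for field in FIELDS:
        out[field], off = _namelist(payload, off)
    return out

def audit(payload):
    """Summarise what the server advertises, as a defender would check it."""
    k = parse_kexinit(payload)
    return {"first_kex": k["kex"][0] if k["kex"] else None,
            "pq_kex": sorted(PQ_KEX & set(k["kex"])),
            "rsa_hostkey_offered": bool(RSA_HOSTKEYS & set(k["hostkey"]))}

def build_kexinit(kex, hostkey):
    """Construct a KEXINIT payload for offline testing (not a real capture)."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie, test only
    lists = (kex, hostkey, ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], [])
    return body + b"".join(nl(n) for n in lists) + b"\x00" * 5  # follows=0, reserved=0

# Constructed samples: one as after this update, one with legacy RSA and no PQ KEX.
SAMPLE_HARDENED = build_kexinit(
    ["mlkem768x25519-sha256", "sntrup761x25519-sha512", "curve25519-sha256"],
    ["ssh-ed25519", "ecdsa-sha2-nistp256"])
SAMPLE_LEGACY = build_kexinit(
    ["diffie-hellman-group14-sha256", "curve25519-sha256"],
    ["ssh-rsa", "rsa-sha2-512", "ssh-ed25519"])
```

To audit a live host, feed it the decrypted KEXINIT payload taken from a packet capture or a patched client; the parser only needs the payload, not the binary packet framing around it.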
Misc.
- The RED interface can now be configured to no longer require the RFC4039 Rapid Commit option. This option has been enabled by default in almost all DHCP clients for over 20 years, but we have recently observed ISPs running broken DHCP servers which no longer work if it is enabled. It can now be enabled or disabled using the setup command.
- IPS: It is now possible to individually enable or disable scanning IPsec traffic. Before, IPsec traffic was always scanned when scanning the RED interface was enabled.
- Formerly, firewall rules that use the new SYN Flood Protection feature were not flushed on changes. This has now been fixed.
- A few smaller bugs have been fixed in the Unbound/DHCP-Leases bridge. Static leases could have accidentally been dropped from DNS and expired leases were sometimes still exported to DNS.
- The boot process has been improved to show fewer warnings or informational messages. None of those were critical, but we would like to have a cleaner and less cluttered boot process.
- IPsec can now handle pre-shared keys that contain a comma.
- A bug that prevented the OpenVPN connection settings page from rendering when a roadwarrior connection used static pools has been fixed.
- On UEFI-enabled systems, the installer is now offering a serial console installation option.
- Updated packages: APR 1.7.5, BIND 9.20.3, cURL 8.10.0, dhcpcd 10.1.0, intel-microcode 20241029, libhtp 0.5.49, libpng 1.6.44, liburcu 0.14.1, lmdb 0.9.33, logrotate 3.22.0, LVM2 2.03.26, monit 5.34.2, nettle 3.10, ninja 1.12.1, OpenSSH 9.9p1, PPP 2.5.1, protobuf 28.1, squid 6.12, suricata 7.0.7, texinfo 7.1.1, unbound 1.22.0
- The CA certificate bundle has been updated and we have removed the malicious "e-commerce monitoring GmbH" entity.
Add-ons
- Wireless Support: We currently have a couple of changes for the wireless support in IPFire in the pipeline to get ready for WiFi 7 and are already shipping a couple of smaller improvements and bug fixes.
- By default, IPFire will now search for the best channel. This is not supported by all wireless modules, but for those that support it, it will find you the best possible channel for more bandwidth and a more stable connection. Neighbourhood Scan is also enabled by default.
- Some internal parts of the web UI have been rewritten and several bugs have been fixed that made configuring the wireless access point functionality more difficult.
- hostapd is now logging a lot more to syslog, which makes debugging substantially easier.
- A bug has been fixed that made all packages appear as zero bytes in size.
- Updated packages: dnsdist 1.9.6, hostapd 64d60bb4, mympd 18.0.0, NFS 2.7.1, nano 8.2, netatalk 3.2.8, nginx 1.26.2, samba 4.21.0, transmission 4.0.6, tshark 4.4.1, VDR 2.6.9
- Removed packages:
- With this update, we have decided to remove mpfire and lcdproc, two packages that have only very few users and have not been maintained for several years. This is part of our effort to streamline the distribution and allocate developer time to those features that are used by a large part of the user base. We are always happy for people to stand up and contribute to improve the features and software that we are currently providing with IPFire and to even add more features.
- Deprecation Notice:
- In two Core Updates' time (so early in the new year) we will remove CUPS from the distribution. CUPS is the Common Unix Printing System and was a great addition to IPFire back in the day when USB or even parallel port printers needed to be made available over the network, a real game changer in a small office. Since modern printers are now all network-enabled, there is very little use for CUPS on IPFire now. Since there have recently been a couple of security vulnerabilities and because upstream has abandoned the project, we have decided to remove it from IPFire, too. If you are using this add-on, please migrate to a different solution.