IPFire Changelog

What's new in IPFire 2.21 Core 139

Jan 9, 2020

Improved Booting & Reconnecting:
Dialup scripts have been cleaned up to avoid any unnecessary delays after the system has been handed a DHCP lease from the Internet Service Provider. This allows the system to reconnect quicker after loss of the Internet connection and booting up and connecting to the Internet is quicker, too.
Improvements to the Intrusion Prevention System:
Various smaller bug fixes have been applied in this Core Update which makes our IPS a little bit better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers are being used by the system.
TLS:
IPFire is configured as securely as possible. At the same time we focus on performance, too. For connections to the web user interface, we do not allow using CBC any more. This cipher mode is begin to crack and the more robust GCM is available.
Whenever an SSL/TLS connection is being established to the firewall, we used to prefer ChaCha20/Poly1305 as a cipher. Since AESNI is becoming and more and more popular even on smaller hardware, it makes sense to prefer AES. A vast majority of client systems support this as well which will allow to communicate faster with IPFire systems and save battery power.
Misc:
The microcode for Intel processors has been updated again to mitigate vulnerabilities from the last Core Update
PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version 4.10.0.3
Captive Portal: Expired clients are now automatically removed
Dynamic DNS: Support for NoIP.com has been fixed in ddns 12
Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5
Add-Ons:
clamav has been updated to 0.102.1 which include various security fixes
libvirt has been updated to version 5.6.0 for various bug fixes or feature enhancements and support for LVM has been enabled.
qemu has been updated to 4.1.0
Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42

New in IPFire 2.21 Core 138 (Nov 18, 2019)

New in IPFire 2.21 Core 137 (Nov 15, 2019)

An improved and faster QoS:
As explained in detail in a separate blog post from the engine room, we have been working hard on improving our Quality of Service (QoS).
It allows to pass a lot more traffic on smaller systems as well as reduces packet latency on faster ones to create a more responsive and faster network.
To take full advantage of these changes, we recommend to reboot the system after installing the update.
Linux 4.14.150:
The IPFire Kernel has been rebased on Linux 4.14.150 and equipped with our usual hardening and other patches.
The kernel has been tuned to deliver more throughput for IP connections as well as reducing latency to a minimum to keep your network as responsive and fast as possible.
An especially nasty bug that caused the system to drop DNS packets when the Intrusion Detection System was enabled has been tracked down by a large group of IPFire developers and additional help of the suricata team.
Misc:
Downloaded GeoIP databases were not always cleaned up from /tmp when a download was unsuccessful. This can cause that the script is filling up the root partition. You can reboot your system to free up space if this has happened to you, too. The script has now been cleaned up, and catches any errors to cleanup afterwards.
IPsec now supports Curve 448 with 224 bit of security. It is a lightweight and slightly faster alternative to Curve25519 and enabled by default for new connections.
Tim Fitzgeorge contributed a patch that restarts the syslog daemon after a backup is being restored to close old log files and write to the restored ones
/var/log/mail is now being rotated
Updated packages: bind 9.11.12, iptables 1.8.3, iproute2 5.3.0, knot 2.8.4, libhtp 0.5.30, libnetfilter_queue 1.0.4, libpcap 1.9.1, libssh 0.9.0, Net-SSLeay 1.88, pcre 8.43, strongswan 5.8.1, suricata 4.1.5, tzdata 2019c, unbound 1.9.4, wpa_supplicant 2.9
Add-ons:
New: speedtest-cli
This is a handy tool to perform a regular speedtest on the console. It was packaged to test the QoS but is handy to test throughput of the firewall to and from the Internet on the console.
Updated Packages:
bird 2.0.6 now supports RPKI validation by connecting to a process that holds the key material either via TCP or using SSH
sane has been updated to version 1.0.28 and now supports more hardware
A French translation is now available for the Who is Online? add-on
Others: clamav 0.102.0, hostapd 2.9, ipset 7.3, mtr 0.93, nano 4.5, ncat 7.80, nmap 7.80, shairport-sync 3.3.2, tcpdump 4.9.3, tor 0.4.1.6, tshark 3.0.5

New in IPFire 2.21 Core 136 (Oct 11, 2019)

OpenSSL 1.1.1d:
This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release...
CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
CVE-2019-1549: Forked processes could have shared the same seed for their random number generator which is being fixed in this one by mixing in a high precision timer.
CVE-2019-1563: Another padding oracle for large PKCS7 messages
All of these are classified as "low severity". However, we recommend to install this update as soon as possible.
Perl 5.30:
Arne has been busy and been working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again as well as many add-ons. Hence this update is rather large.
GeoIP:
Since Maxmind is no longer publishing their GeoIP database in the original format, but unfortunately not providing any good bindings for the new release, we have only had an outdated version of the database that we made available in IPFire.
There is now a script that converts the current data into the old format which allows us to provide a recent database again.
This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.
Misc:
The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs and also to not starve on write operations. This limit was however very low for modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
logwatch and logrotate could conflict when running at the same time. This has been changed so only one of them is running at the same time.
Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
The toolchain now ships a compiler for Go
Add-ons
Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
dnsdist has had its limit of open connections increased to work better in bigger environments
tor: A permission problem has been fixed so that the web UI can save settings again
wio: The RRD files will now be included in the backup as well as various UI improvements have been done

New in IPFire 2.21 Core 135 (Sep 5, 2019)

New in IPFire 2.21 Core 134 (Jul 4, 2019)

New in IPFire 2.21 Core 133 (Jun 24, 2019)

Toolchain Updates:
This update brings many updates on the core libraries of the system. Various changes to our build system are also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29 which bring various bugfixes, performance improvements and some new features.
Although these might not be the most exciting changes, we recommend upgrading as soon as possible since this is essential hardening for backbone components of the user-space.
Disabling SMT - Intel's Security Issues:
Disabling SMT has also been fine-tuned. It is now also being disabled on systems that are vulnerable to "Foreshadow". Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow, too, so this won't affect many systems, but it is more correct to do so.
Increasing throughput of the new Intrusion Prevention System:
As announced before, we were working on increasing the throughput of the IPS. This is being shipped now with this update and integrates a library from Intel which is optimised to perform pattern matching very fast on huge data sets. Its name is hyperscan.
This library comes in multiple versions which are all shipped at the same time and is being compiled with support for various CPU instructions which are enabled when the hardware supports them. Those are for example AVX2, AVX and of course all of the SSE series.
By utilising those optimised instructions, the processor can process more data by executing only one instruction which is a lot faster. We are soon going to release benchmarks, but first tests have shown that larger systems are benefitting hugely from this and even some smaller embedded processors gain slightly.
This feature is automatically configured and will always be enabled when supported.
Another change on the IPS is coming from Tim Fitzgeorge who investigated that the IPS was occasionally dropping some packets which it was not meant to without logging. The rule generation was patched accordingly so that won't happen any more and rules will automatically updated when installing this Core Update.
Misc:
A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, but it is possible to edit the entry.
An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This updates fixes that and updates all connections with the correct settings.
ddns: Some new provides have been added
Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl 1.1.1.c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8
Add-ons:
New Packages:
tshark A CLI version of Wireshark which is like tcpdump, but has better support for decoding captured packets.
Updated Packages:
hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs
tor: some bugs that didn't allow the service to start after the last update have been fixed
wio: A problem which caused the IPFire system to unexpectedly shut down has been solved
miau, an IRC bouncer, which was unmaintained since 2010 has been dropped

New in IPFire 2.21 Core 132 (Jun 8, 2019)

Intel Vulnerabilities: RIDL, Fallout & ZombieLoad:
Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an update microcode (version 20190514). Both is shipped in this release.
VLAN Configuration:
Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.
The GUI also allows to set up a zone in bridge mode which is helpful for advanced users who need some custom configuration.
Misc:
The new IPS now starts on systems with more than 16 CPU cores
For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
OpenVPN has received some changes to the UI and improvements of its security.
Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
The same type of stored cross-site scripting attack was resolved in the static routing UI
Log entries for Suricata now properly show up in the system log section
Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1
Add-ons:
Wireless AP:
For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker to deauthenticate stations from the wireless LAN or other denial-of-service attacks.
Updates:
igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
Qemu is now being hardened with libseccomp which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default

New in IPFire 2.21 Core 130 (Apr 17, 2019)

New in IPFire 2.21 Core 129 (Apr 8, 2019)

New in IPFire 2.21 Core 128 (Mar 19, 2019)

Kernel Update:
The Linux kernel, the core of the IPFire operating system, has been updated to the latest release of the 4.14 branch. We have added some extra patches to improve hardware support and fix some security vulnerabilities. LEDs of PCengines' APU boards are now supported on newer versions of the mainboard and on those boards, the serial console is always enabled. On x86-based systems, we now support up to 64 processors.
OpenSSL 1.1.1 & TLS 1.3:
We have also updated the main TLS/SSL library to OpenSSL in version 1.1.1. This adds support for TLS 1.3 and of course brings various other improvements with it. On browsers that support it, the IPFire web user interface is now available over TLS 1.3 and any outgoing SSL connection from the firewall supports it, too. We ensure that those connections only use secure and performant ciphers to make connections as fast as they can be.
We have also updated the list of trusted Certificate Authorities (CAs).
We have removed any previous versions of OpenSSL from the system which will soon be end-of-life. If you have anything custom that you have compiled yourself on your system, please be aware of that and note that you might potentially rebuild your custom software.
Add-ons provided by the IPFire Project now support TLS 1.3 as well. If you are running a custom configuration for postfix or haproxy make sure that TLS 1.3 is not excluded from the supported TLS protocols.
Performance Tuning:
The system is now configured to be able to route more packets. During some benchmarks and testing we have discovered that IPFire does not always use the full performance of the hardware underneath it. While most system probably won't benefit much from these improvements, some systems with very fast processor cores will see a 5-10% increase in bandwidth from and to the firewall as well as routed through it. That comes at the cost of very slight increase of power consumption, but we figured that that is a price worth paying not only provide you a secure firewall, but also a fast one.
Misc:
A change of the firewall policy might potentially be backwards-incompatible, but we saw no other way to improve the security of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. This was carried over from the very beginning of IPFire when the firewall user interface was way more basic and rules to change this behaviour could not be configured at all. Now, it makes a lot more sense to not have this default which was also not well-known and allow users to create rules to either allow or deny traffic like this.
The kdig utility is now available on command line which supports DNS lookups via TLS
Updated packages: apache 2.4.38, apr 1.6.5, curl 7.64.0, dhcpcd 7.1.1, ghostscript 9.26, logrotate 3.15, openssl 7.9p1, postfix 3.3.2, strongswan 5.7.2, tzdata 2018i
Add-ons:
powertop has been updated to version 2.10
tor has been updated to version 0.3.5.7
sendEmail has been fixed by Rob. The script had a wrong file ownership.

New in IPFire 2.21 Core 127 (Feb 6, 2019)

Squid 4.5 - Making the web proxy faster and more secure:
We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.
We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.
One of the major changes is that we have removed a control that allowed to configure the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically configured to the number of processors. Due to that, we only use as many processes as the system has memory for but allow to use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy so that there is no wait any more for the first request being handled or when the proxy is under higher load.
We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time to become faster by being more efficient.
We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.
We have also removed authentication against Microsoft Windows NT 4.0 domains. Those authentication protocols used back then are unsafe for years and nobody should be using those any more. Please consider this when updating to this release.
We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that with an authenticated browser, any other software coming from the same system was allowed for one second to send requests to the web proxy being properly authenticated. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.
New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.
Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.
DNS Forwarding:
The DNS forwarding feature has been extended to make using it more flexible. It now accepts hostnames as well as IP addresses to forward requests to multiple servers that are found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queries for one single domain. Before only one IP address was supported which rendered the domain unresolvable in case of that specific server becoming unreachable.
These changes allow to redirect requests to DNS blacklists for example directly to the right name servers and not worry about any changes of IP addresses at the provider. There is also load-balancing between multiple servers and the fastest server is being preferred so that DNS resolution for all domains is faster and more resilient, too.
Misc:
Kernel modules that initialised framebuffer are no longer being loaded again. This cause some crashes on various hardware with processors from VIA and was a regression introduced by compression kernel modules with the last Core Update.
Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase speed of various modules that use it like the Intrusion Detection system which might have significantly more throughput as well as speed of the URL filter and various other components on the system.
fireinfo now supports authentication against any upstream web proxies
Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
The description on which SSH port IPFire is listening has been fixed.
Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
GeoIP: Scripts have been updated to use a new format of the GeoIP database
Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1
Add-ons:
Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
The haproxy package now correctly handles its backup

New in IPFire 2.21 Core 126 (Jan 8, 2019)

New in IPFire 2.21 Core 125 (Nov 26, 2018)

802.11ac WiFi:
The IPFire Access Point add-on now supports 802.11ac WiFi if the chipset supports it. This allows better coverage and higher network throughputs. Although IPFire might not be the first choice as a wireless access point in larger environments, it is perfect to run a single office or apartment.
Additionally, a new switch allows to disable the so called neighbourhood scan where the access point will search for other wireless networks in the area. If those are found, 40 MHz channel bandwidth is disabled leading to slower throughput.
Misc:
strongswan 5.7.1: This updated fixes various security vulnerabilities filed under CVE-2018-16151, CVE-2018-16152 and CVE-2018-17540. Several flaws in the implementation that parsed and verified RSA signatures in the gmp plugin may allow for Bleichenbacher-style low-exponent signature forgery in certificates and during IKE authentication.
The IO graphs now support NVMe disks
The SFTP subsystem is enabled again in the OpenSSH Server
Swap behaviour has been changed so that the kernel will make space for a large process when not enough physical memory is available. Before, sudden jumps in memory consumption where not possible and the process requesting that memory was terminated.
The backup scripts have been rewritten in Shell and now package all add-ons backups with the main backup. Now, it is no longer required to save any add-on configuration separately.
Updated packages: apache 2.4.35, bind 9.11.4-P2, coreutils 8.30, dhcpcd 7.0.8, e2fsprogs 1.44.4, eudev 3.2.6, glibc 2.28, gnutls 3.5.19, json-c 0.13.1, keyutils 1.5.11, kmod 25, LVM2 2.02.181, ntfs-3g 2017.3.23, reiserfsprogs 3.6.27, sqlite 3.25.2.0, squid 3.5.28, tzdata 2018g, xfsprogs 4.18.0
New Add-Ons:
dehydrated - A lightweight client to retrieve certificates from Let's Encrypt written in bash
frr, an IP routing protocol suite and BGP and OSPF are supported on IPFire. Find out more on their website.
observium-agent - An xinet.d-based agent for Observium, a network monitoring platform
Updated Add-Ons:
clamav has been updated to 0.100.2 and the virus database files have been moved to the /var partition. This makes more space available on the root partition.
nfs 2.3.3, haproxy 1.8.14, hostapd 2.6, libvirt 4.6.0, tor 0.3.4.9

New in IPFire 2.21 Core 124 (Oct 15, 2018)

Kernel Hardening:
We have updated the Linux kernel to version 4.14.72 which comes with a large number of bug fixes, especially for network adapters. It has also been hardened against various attack vectors by enabling and testing built-in kernel security features that prohibit access to privileged memory by unprivileged users and similar mechanisms.
OpenSSH Hardening:
Peter has contributed a number of patches that improve security of the SSH daemon running inside IPFire. For those, who have SSH access enabled, it will now require latest ciphers and key exchange algorithms that make the key handshake and connection not only more secure, but also faster when transferring data.
For those admins who use the console: The SSH client has also been enabled to show a graphic representation of the SSH key presented by the server so that comparing those is easier and man-in-the-middle attacks can be spotted quickly and easily.
Unbound Hardening:
The settings of the IPFire DNS proxy unbound have been hardened to avoid and DNS cache poisoning and use aggressive NSEC by default. The latter will reduce the load on DNS servers on the internet through more aggressive caching and will make DNS resolution of DNSSEC-enabled domains faster.
EFI:
IPFire now supports booting in EFI mode on BIOSes that support it. Some newer hardware only supports EFI mode and booting IPFire on it was impossible before this update. EFI is only supported on x86_64.
Existing installations won’t be upgraded to use EFI. However, the flash image and systems installed with one of the installation images of this update are compatible to be booted in both, BIOS and EFI mode.
Although this change does not improve performance and potentially increases the attack vector on the whole firewall system because of software running underneath the IPFire operating system, we are bringing this change to you to support more hardware. It might be considered to disable EFI in the BIOS if your hardware allows for it.
Misc:
CVE-2018-16232: Remote shell command injection in backup.cgi: It has been brought to our attention that it was possible for an authenticated attacker to inject shell commands through the backup.cgi script of the web user interface. Those commands would have been executed as a non-priviledged user. Thanks to Reginald Dodd to spot this vulnerability and informing us through responsible disclosure.
The hostname of the system was set incorrectly in the kernel before and is now being set correctly
Firewall: Creating rules with the same network as source and destination is now possible and renaming a network/host group is now correctly updating all firewall rules
Cryptography: ChaCha20-Poly1305 is now working on ARM, too
IPsec: The status of connections in waiting state is now shown correctly at all times; before, they always showed up as enabled although they were disabled.
pakfire: Some old and unused code has been cleaned out and the mirror health check has been removed, because a download will fail-over to another available mirror anyways
Intrusion Detection: Emerging Threats rules are now being downloaded over HTTPS rather than HTTP
Updated packages: bind 9.11.4-P1, iproute2 4.18.0, ntp 4.2.8p12, openssh 7.8p1, parted 3.2, pciutils 3.5.6, rng-tools 6.4, syslinux 6.04-pre1, unbound 1.8.0
Add-Ons:
Updated packages: nano 3.1, postfix 3.3.1

New in IPFire 2.21 Core 123 (Sep 7, 2018)

New in IPFire 2.21 Core 122 (Jul 30, 2018)

Highlight: Linux 4.14:
The distribution was rebased from our old long-term supported kernel to the new kernel 4.14.50.
Most importantly, this kernel improves the security of the system, increases performance and makes the core of IPFire more up to date and modern again. This update also enables mitigation against Meltdown and Spectre on some architectures. On Intel-based platforms, we update the microcode of the CPUs when the system boots up to avoid any performance penalties caused by the mitigation techniques.
Unfortunately, grsecurity is incompatible with any newer kernels and has been removed. This is connected to the decision of the grsecurity project to no longer open source their patches. Luckily the kernel developers have backported many features so that this kernel is still hardened and secure.
ARM systems won’t be able to install this update due to the kernel change which also requires changes on some bootloaders. For those users, we recommend to backup the system, reinstall and then restore the backup. The re-installed system will only come with a single ARM kernel instead of multiple for different platforms that we had before. It helps us to keep the distribution smaller and makes development efforts easier.
Misc:
Updated packages: apache 2.4, beep 1.3 with fixes for CVE-2018-0492, bwm-ng 0.6.1-f54b3fa, cmake 3.11.2, crda 3.18, ISC dhcp 4.4.1, dhcpcd 6.11.5, diffutils 3.1.6, gcc 7.3.0, grub 2.02, htop 2.2.0, iw 4.14, libidn 1.34, nano 2.9.7, nmap 7.70, openssh 7.7p1, pcre 8.42, powertop 2.9, rng-tools 6.2, sarg 2.3.11, tar 1.30, u-boot 2018.03, unbound 1.7.1, wget 1.19.5, xtables-addons 2.13, xz 5.2.4
The list of trusted Certificate Authorities has been updated and many have been removed
Also we updated firmware for various drivers and baseboards
The Web User Interface now shows any users logged in on the console
Smaller images due to more efficient compression:
We have tried to make the download of the distribution faster and make it use less space on our servers. As a first step, the flash images have been merged together and there is only one image that boots on systems with serial console and normal video output. Secondly, we now compress all images with the XZ algorithm so that they download faster and even decompress quicker, too.
New partition layout:
This release also changes the partition layout of the distribution. We have dropped the /var partition which was used for log files and data that the system collected. This data is now located on a single partition together with the OS. The size of the /boot partition has been increased to 128MB in the default partition layout.
Updated add-ons:
clamav 0.100.0
nagios-nrpe 3.2.1

New in IPFire 2.19 Core 120 (Apr 30, 2018)

RAM-only Proxy:
In some installations it might be desirable to only let the proxy cache objects in memory and not on disk. Especially when Internet connectivity is fast and storage is slow this is most useful.
The web UI now allows to set the disk cache size to zero which will disable the disk cache entirely. Thanks to Daniel for working on this.
OpenVPN 2.4:
IPFire has migrated to OpenVPN 2.4 which introduces new ciphers of the AES-GCM class which will increase throughput on systems that have hardware acceleration for it. The update also brings various other smaller improvements.
Erik has been working on integration this which has required some work under the hood but is compatible with any previous configurations for both roadwarrior connections and net-to-net connections.
Improved Cryptography:
Cryptography is one of the foundations to a secure system. We have updated the distribution to use the latest version of the OpenSSL cryptography library (version 1.1.0). This comes with a number of new ciphers and major refacturing of the code base has been conducted.
With this change, we have decided to entirely deprecate SSLv3 and the web user interface will require TLSv1.2 which is also the default for many other services. We have configured a hardened list of ciphers which only uses recent algorithms and entirely removes broken or weak algorithms like RC4, MD5 and so on.
Please check before this update if you are relying on any of those, and upgrade your dependent systems.
Various packages in IPFire had to be patched to be able to use the new library. This major work was necessary to provide IPFire with the latest cryptography, migrate away from deprecated algorithms and take advantage of new technology. For example the ChaCha20-Poly1305 ciphersuite is available which performs faster on mobile devices.
The old version of the OpenSSL library (1.0.2) is still left in the system for compatibility reasons and will continue to be maintained by us for a short while. Eventually, this will be removed entirely, so please migrate any custom-built add-ons away from using OpenSSL 1.0.2.
Misc:
Pakfire has now learned which mirror servers support HTTPS and will automatically contact them over HTTPS. This improves privacy.
We have also started phase one of our planned Pakfire key rollover.
Path MTU Discovery has been disabled in the system. This has continuously created issues with the stability of IPsec tunnels that have chosen paths over networks that were incorrectly configured.
The QoS template could miscalculate the bandwidth which has now been fixed that the sum of the guaranteed bandwidth over all classes does not exceed 100%
Updated packages:
bind 9.11.3, curl 7.59.0, dmidecode 3.1, gnupg 1.4.22, hdparm 9.55, logrotate 3.14.0, Net-SSLeay 1.82, ntp 4.2.8p11, openssh 7.6p1, python-m2crypto 0.27.0, unbound 1.7.0, vnstat 1.18
Add-ons:
These add-ons have been updated: clamav 0.99.4, htop 2.1.0, krb5 1.15.2, ncat 7.60, nano 2.9.4, rsync 3.1.3, tor 0.3.2.10, wio 1.3.2

New in IPFire 2.19 Core 119 (Mar 14, 2018)

New in IPFire 2.19 Core 117 (Jan 5, 2018)

New in IPFire 2.19 Core 116 (Nov 7, 2017)

New in IPFire 2.19 Core 113 (Sep 4, 2017)

New in IPFire 2.19 Core 111 (Jun 14, 2017)

WPA Enterprise Authentication in Client Mode:
The firewall can now authenticate itself with a wireless network that uses Extensible Authentication Protocol (EAP). These are commonly used in enterprises and require a username and password in order to connect to the network.
IPFire supports PEAP and TTLS which are the two most common ones. They can be found in the configured on the “WiFi Client” page which only shows up when the RED interface is a wireless device. This page also shows the status and protocols used to establish the connection.
The index page also shows various information about the status, bandwidth and quality of the connection to a wireless network. That also works for wireless networks that use WPA/WPA2-PSK or WEP.
QoS Multi-Queueing:
The Quality of Service is now using all CPU cores to balance traffic. Before, only one processor core was used which caused a slower connection on systems with weaker processors like the Intel Atom series, etc. but fast Ethernet adapters. This has now been changed so that one processor is no longer a bottle neck any more.
New crypto defaults:
In many parts of IPFire cryptographic algorithms play a huge role. However, they age. Hence we changed the defaults on new systems and for new VPN connections to something that is newer and considered to be more robust.
IPsec:
The latest version of strongSwan supports Curve 25519 for the IKE and ESP proposals which is also available in IPFire now and enabled by default.
The default proposal for new connections now only allows the explicitly selected algorithms which maximises security but might have a compatibility impact on older peers: SHA1 is dropped, SHA2 256 or higher must be used; the group type must use a key with length of 2048 bit or larger
Since some people use IPFire in association with ancient equipment, it is now allowed to select MODP-768 in the IKE and ESP proposals. This is considered broken and marked so.
OpenVPN:
OpenVPN used SHA1 for integrity by default which has now been changed to SHA512 for new installations. Unfortunately OpenVPN cannot negotiate this over the connection. So if you want to use SHA512 on an existing system, you will have to re-download all client connections as well.
Various markers have been added to highlight that certain algorithms (e.g. MD5 and SHA1) are considered broken or cryptographically weak.
Misc.:
IPsec VPNs will be shown as “Connecting” when they are not established, but the system is trying to
A shutdown bug has been fixed that delayed the system shutting down when the RED interface was configured as static
The DNSSEC status is now shown correctly on all systems
The following packages have been updated: acpid 2.0.28, bind 9.11.1, coreutils 8.27, cpio 2.12, dbus 1.11.12, file 5.30, gcc 4.9.4, gdbm 1.13, gmp 6.1.2, gzip 1.8, logrotate 3.12.1, logwatch 7.4.3, m4 1.4.18, mpfr 3.1.5, openssl 1.0.2l (only bug fixes), openvpn 2.3.16 which fixes CVE-2017-7479 and CVE-2017-7478, pcre 8.40, pkg-config 0.29.1, rrdtool 1.6.0, strongswan 5.5.2, unbound 1.6.2, unzip 60, vnstat 1.17
Matthias Fischer contributed some cosmetic changes for the firewall log section
Gabriel Rolland improved the Italian translation
Various parts of the build system have been cleaned up
Add-ons:
New Add-ons:
ltrace: A tool to trace library calls of a binary
Updated Add-ons:
The samba addon has been patched for a security vulnerability (CVE-2017-7494) which allowed a remote code executing on writable shares.
ipset 6.32
libvirt 3.1.0 + python3-libvirt 3.6.1
git 2.12.1
nano 2.8.1
netsnmpd which now supports reading temperature sensors with help of lm_sensors
nmap 7.40
tor 0.3.0.7

New in IPFire 2.19 Core 110 (Apr 28, 2017)

On-Demand IPsec VPNs:
IPFire used to keep IPsec VPNs up all the time. This wastes resources if a connection is not used very often for example for a daily backup only.
Core Update 110 allows to configure IPsec VPNs in an On-Demand mode which will establish the connection as soon as it is needed and will close it after 15 minutes of inactivity to save resources.
This is especially handy for people who have a large number of IPsec net-to-net connections on either weak hardware or connections that are not required all the time like maintenance or backup connections, etc.
Performance Enhancements for DNS:
unbound, the DNS resolver working inside IPFire, has been tuned to allow more concurrent queries and assigned more memory to keep a larger DNS cache.
Especially in large networks or when a burst of DNS queries needs to be handled, there is a notable increase of performance.
Misc.:
Graphs in the web user interface are now larger to show more detail
Packets that are received from a bridge interface are not passed through the firewall engine any more
Apache allows more concurrent connections now, which speeds up distributing proxy.pac, updates from Update Accelerator and more
The GeoIP database is now regularly updated over HTTPS
Gabriel Rolland has updated the Italian translation
Jonatan Schlag reorganised all initscripts in the build system which makes packaging add-ons easier
setup allows now to set the subnet mask of the RED interface to 255.255.255.255. This is required with some web hosting companies which are trying to save IPv4 addresses and then need a host route for the default gateway.
Updated Packages:
apcupsd 3.14.14, bind 9.11.0-P3, cairo 1.14.8, conntrack-tools 1.4.4, fontconfig 2.12.1, freetype 2.7.1, lm_sensors 3.4.0, nettle 3.3, ntp 4.2.8p10, openssh 7.4p1 – for PCI compliance, pixman 0.34.0, squid 3.5.25, unbound 1.6.1, wget 1.19.1
Add-ons:
cups 2.2.2 & cups-filter, ffmpeg 3.2.4, ghostscript 9.20, mc 4.8.19, motion 4.0.1, tcpdump 4.9.0
New Packages:
gnutls, an SSL library
epson-inkjet-printer-escpr for EPSON printers
lcms2, an image library
qpdf and poppler PDF rendering libraries
Dropped Packages:
Avahi has been dropped because of lack of a maintainer

New in IPFire 2.19 Core 109 (Feb 17, 2017)

New in IPFire 2.19 Core 108 (Dec 22, 2016)

New in IPFire 2.19 Core 107 (Nov 9, 2016)

New in IPFire 2.19 Core 106 (Nov 2, 2016)

Change of the DNS Proxy:
IPFire used dnsmasq as DNS proxy before which is now replaced by unbound. The latter is in contrast to the former software that is specifically designed as an DNS forwarding proxy or DNS recursor and implemented DNSSEC from early on.
Because of our decision to enable DNSSEC by default and various problems in dnsmasq we have been toying with the idea of replacing it for a very long time. Unfortunately development resources are tight and because of this being a substantial part of the system and hooked into many other things, this was a very time-consuming project.
Finally, this new solution should now bring various advantages...
Performance:
unbound is multi-threaded and IPFire will start one thread per CPU core that is available. That will allow execution of multiple queries in parallel which should increase responsiveness and throughput.
The cache size is adjusted based on memory available on the system. Bigger systems will have a significantly bigger DNS cache which will speed up browsing especially in larger environments like universities with a large number of clients.
Better DNSSEC reliability:
DNSSEC is enabled by default (as it was before). However, unbound does not rely on the upstream servers being validating resolvers, too. This will bring DNSSEC to many more users. DNS servers are now tested before being passed on for use and any malfunctioning DNS servers won’t be used. Status of this can be seen on the user web interface.
If none of the DNS servers configured or received from the provider can be used, unbound will fall back to full recursor mode.
With the next key rollover of the DNS root zone, IPFire will automatically download and validate the new key according to RFC5011.
Enhanced Features:
DHCP leases will be published into the local DNS zone as before. Static leases are imported as well which is a new feature. Everything IP address will resolve to its hostname by publishing PTR records.
Misc:
Passwords are now saved with a stronger hash (SHA512) which was MD5 before. Please change the root password using the setup tools to store your passwords with the improved hash.
Firewall: An incorrect validation of destination IP addresses for rules that use Destination NAT caused that some valid addresses were not accepted. This is fixed now.
PPP connections no longer require a password being set (some providers require these being empty)
The NTP client now waits correctly for WiFi connections being established before continuing to boot
The samba add-on enables SMBv2 by default
IPFire now ships the firmware for MediaTek 7601 series devices
Various old software components that are not used any more are cleaned up from the systems
The iptables page on the web user interface has been improved to be more readable
Updated Packages:
openssl 1.0.2j which fixes some implementation errors and DoS introduced in the 1.0.2i update
strongswan has been updated to version 5.5.0
attr 2.4.47, dejagnu 1.6, diffutils 3.5, expat 2.2.0, file 5.28, flex 2.6.1, gettext 0.19.8.1, gnupg 1.4.21, iproute2 4.7.0, ipset 6.29, libassuan 2.4.3, libgcrypt 1.7.3, libidn 1.33, libgpg-error 1.24, libnetfilter_conntrack 1.0.6, libmnl 1.0, make 4.2.1, smartmontools 6.5, squid 3.5.21, usb_modeswitch 2.4.0, usb_modeswitch_data 20160803
Add-ons:
The new Guardian 2.0 add-on’s user interface received some cosmetic changes
Updated Packages:
asterisk 11.23.1
krb 1.14.4
Midnight Commander 4.8.18
monit 5.19.0
nano 2.6.3
transmission 2.92

New in IPFire 2.19 Core 105 (Sep 26, 2016)

New in IPFire 2.19 Core 104 (Sep 20, 2016)

New in IPFire 2.19 Core 103 (Jul 12, 2016)

New in IPFire 2.19 Core 102 (May 5, 2016)

New in IPFire 2.19 Core 101 (May 3, 2016)

Cross-Site-Scripting Vulnerability and Remote Code Execution in the IPFire Web User Interface:
Yann Cam, an independent security researcher, discovered to vulnerabilities in the IPFire Web User interface that could be used in some circumstances. In the ipinfo.cgi file, a cross-site scripting attack could be executed on logged in users and in two more CGI files (proxy.cgi and chpasswd.cgi), a remote code execution vulnerability was found which allowed attackers to use the aforementioned cross-site scripting attack to execute shell commands as an unprivileged user on the IPFire system.
These attacks are only possible to perform on an admin’s computer and only in that instance when the administrator is logged in to the web user interface. Of course we recommend to install this update as soon as possible to close these vulnerabilities.
We would like to thank Yann to look closely at the IPFire code and help us to improve it and we would like to invite everyone who wants to do so as well and report any bugs or security vulnerabilities that they may find.
Security Fixes in other packages:
The web proxy squid was patched against a vulnerability filed under CVE-2016-3947 that cannot be exploited in IPFire.
Connection Tracking Issues:
On many systems, some protocols that require special care by the connection tracking implementation failed to traverse NAT. These include FTP, SIP and PPTP and where unfortunately not discovered in the testing phase of Core Update 100 before.
Those connection tracking helpers are now enabled by default on all migrated systems.
Misc:
installer: A bug on x86_64 systems let the EXT4 filesystem creation fail if a previous XFS filesystem was installed on the target partition before.
dmidecode was added on x86. A tool to read information from the BIOS.
Fix 40 MHz channel bandwidth usage in some Atheros WiFi modules (ath9k).
Fix miscompiled 802.11 stack in the Raspberry Pi kernel.
Updated packages: bind utils 9.10.3-P4, dma 0.11, e2fsprogs 1.42.13, gmp 6.0.1, grep 2.23, libxml2 2.9.3, mpfr 3.1.3, nettle 3.2, patch 2.7.5, paxctl 0.9, pciutils 3.4.1, pkg-config 0.29, pcre 8.38, texinfo 5.2
Add-ons:
New packages:
iperf3
mcelog
Updated packages:
Please note the recent security updates in the samba package.
asterisk 11.21.1 (including libsrtp 1.5.4)
bwm-ng 0.6.1
clamav 0.99.1
git 2.7.4
htop 2.0.1
lcdproc 0.5.7
nano 2.5.3

New in IPFire 2.19 Core 100 (Apr 14, 2016)

This update will bring you IPFire 2.19 which we release for 64 bit on Intel (x86_64) for the first time. This release was delayed by the various security vulnerabilities in openssl and glibc, but is packed with many improvements under the hood and various bug fixes.
64 bit:
There will be no automatic update path from a 32 bit installation to a 64 bit installation. It is required to manually reinstall the system for those who want to change, but a previously generated backup can be restored so that the entire procedure takes usually less than half an hour.
There are not too many advantages over a 64 bit version except some minor performance increases for some use cases and of course the ability to address more memory. IPFire is able to address up to 64GB of RAM on 32 bit, so there is not much need to migrate. We recommend to use 64 bit images for new installations and stick with existing installations as they are.
Kernel Update:
As with all major releases, this one comes with an updated Linux kernel to fix bugs and improve hardware compatibility. Linux 3.14.65 with many backported drivers from Linux 4.2 is also hardened stronger against common attacks like stack buffer overflows.
Many firmware blobs for wireless cards and other components have been updated just as the hardware database.
Hyper-V performance issues:
A backport of a recent version of the Microsoft Hyper-V network driver module will allow transferring data at higher speeds again. Previous versions had only very poor throughput on some versions of Hyper-V.
Firewall Updates:
It is now possible to enable or disable certain connection tracking modules. These Application Layer Gateway (ALG) modules help certain protocols like SIP or FTP to work with NAT. Some VoIP phones or PBXes have problems with those so that they can now be disabled. Some need them.
The firewall has also been optimised to allow more throughput with using slightly less system resources.
Misc:
Many programs and tools of the toolchain that is used have been updated. A new version of the GNU Compiler Collections offers more efficient code, stronger hardening and compatibility for C++11
GCC 4.9.3, binutils 2.24, bison 3.0.4, grep 2.22, m4 1.4.17, sed 4.2.2, xz 5.2.2
dnsmasq, the IPFire-internal DNS proxy has been updated and many instability issues have been fixed
openvpn has been updated to version 2.3.7 and the generated configuration files have been updated to be compatible with upcoming versions of OpenVPN
IPFire will now wait with booting up when the time needs to synchronised and DHCP is used until the connection is established and then continue booting up
bind was updated to version 9.10.3-P2
ntp was updated to version 4.2.8p5
tzdata, the database for timezone definitions, was updated to version 2016b
Various cosmetic fixes were done on the web user interface
A bug causing VLAN devices not being created when the parent NIC comes up has been fixed
DHCP client: Resetting the MTU on broken NICs that lose link has been fixed
A ramdisk to store the databases of the graphs shown in the web user interface is now used by default again on installations that use the flash image when more than 400MB of memory is available
A bug that the Quality of Service could not be stopped has been fixed
Some old code has been refurbished and some unused code has been dropped in some internal IPFire components
Add-ons:
owncloud has been updated to version 7.0.11
nano has been updated to version 2.5.1
rsync has been updated to version 3.1.2

New in IPFire 2.17 Core 98 (Feb 23, 2016)

New in IPFire 2.17 Core 97 (Jan 29, 2016)

New in IPFire 2.17 Core 96 (Jan 21, 2016)

Ramdisk usage change:
IPFire uses round-robin databases to collect system data and generate beautiful graphs. The databases have usually been kept in memory. This change was made in early versions of IPFire to keep the amount of writes to the block device to a minimum. However, the number of the databases has been growing and many systems don’t have enough capacity in memory. The objective was also that ordinary flash storage is quite slow. These systems are now however less commonly used which makes this change unnecessary.
To give an example, many of the ALIX boards use very slow compact flash storage and do only have 256 or even 128 MB of memory. So neither is really an option. Systems you will purchase today usually come with fast SSD storage and a few gigabytes of memory. So both is a viable option to store these databases.
New installed IPFire systems will now only use the persistent storage to store these database files. All updates systems will stick with the old behaviour if they have about 512 MB of RAM or more. Otherwise upgraded systems will also fall back to the persistent storage.
Misc:
openssl has been updated to version 1.0.2e which fixes various security vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
The NTP service was unable to communicate with the local clock and therefore not able to provide time to the network.
strongswan is updated to version 5.3.5 which fixes various security issues
The connection list in the web user interface when IPsec subnets with multiple local or remote subnets are used.
The firewall engine handles SNAT rules more restrictive and avoids overmatching of packages that are sent over an IPsec network
Various patches to improve dnsmasq have been imported from upstream
curl wasn’t able to validate publicly signed SSL certificates because it could not find the certificate store. This is now fixed.
dma, the internal mail agent, now handles authentication against remote mail servers better due to a patch sent to the project by the IPFire developers
Support for cryptodev has been dropped
mdadm has been updated to version 3.3.4, arping has been updated to version 2.15, rrdtool has been updated to version 1.5.5, libnet 1.1.6 is now shipped with the core distribution
On x86-based systems, GRUB, the bootloader, has been patched against an integer overflow vulnerability filed under CVE-2015-8370 which allowed users to bypass authentication after pressing backspace for 28 times
Snort now also monitors alias address on red if any have been configured
The Turkish translation has been updated
Updated add-ons:
nano has been updated to 2.5.0
Midnight Commander has been updated to 4.8.15
clamav has been updated to version 0.99
openvmtools have been updated to version 10.0.5
squid-accounting has received minor bug fixes
tripwire has been dropped

New in IPFire 2.17 Core 95 (Dec 11, 2015)

Linux Kernel Update:
This update contains a minor update to the Linux kernel IPFire is using based on Linux 3.14.57. Various device drivers for Intel network controllers and some other hardware have been improved.
IPsec Update:
strongswan has been updated to version 5.3.3 and much work was done on the IPsec VPN stack. The changes include feature enhancements and bug fixes.
Support for multiple subnets per tunnel:
It is now possible to configure more than one subnet per IPsec net-to-net connection- That makes configuration for more complex networks easier and also reduces the overhead for the IPsec connection.
Reject rules when a tunnel is not established:
Formerly, packets that were supposed to be sent through an IPsec tunnel were routed and then silently dropped when a tunnel was not established. This caused that packets may be sent out towards the Internet and that this connection was remembered in the connection tracking table and in rare cases causes issues so that for example SIP telephones where the PBX was on the other end of an IPsec tunnel could not register properly any more.
Packets will now be rejected by the firewall if the IPsec tunnel is not established which improves security and also eliminated the issue described above.
Misc:
Some deprecated (and non-functional) configuration options have been removed from the IPsec GUI
DHCP Server:
The DHCP is now able to submit DNS updates to an upstream name server after a DHCP lease was handed out. Therefore the names of these systems can be made available in an external DNS zone. It uses the mechanism also known as RFC2136 which is operable with many major name servers and requires TSIG keys to sign the updates.
OpenVPN:
Static routes are now loaded for gateways behind the tunnel when a tunnel comes up
An extra client package is now downloadable with the configuration and and certificates in the PEM format. That allows for those connections to be easier importable to clients that don’t support the PKCS12 format like iOS devices.
VLAN devices are now hotpluggable. That makes the bootup process more robust when initialising a NIC takes longer than usual.
snort was updated to version 2.9.7.6
The initial download of the GeoIP database is now executed in background. On some systems with slower uplink this caused a long delay when connecting to the Internet for the first time.
The ntp package was updated to version 4.2.8p4 which fixes various security vulnerabilities
dma, the new mailing component, was updated to version 0.10 which handles unreachable mail servers better and tries to resend emails
We ship the ipset and pgrep binaries which was requested by some users
ddns, the Dynamic DNS Updater, was updated to version 009 which improves handling of SSL errors and adds desec.io as a provider
The lzo compression library was updated to version 2.09
Add-ons:
asterisk was updated to version 11.20.0 which mainly contains security and stability fixes
monit was updated to version 5.14
tor: Flag icons are now shown again

New in IPFire 2.17 Core 94 (Oct 28, 2015)

New in IPFire 2.17 Core 93 (Aug 18, 2015)

New in IPFire 2.17 Core 92 (Jul 15, 2015)

New in IPFire 2.17 Core 91 (Jun 13, 2015)

New in IPFire 2.17 Core 90 (May 28, 2015)

GeoIP:
Attackers originate from all sorts of places in the world. Often huge networks of bots scan the entire Internet for services that are publicly accessible and possible to exploit. With GeoIP-based blocking it is possible to mitigate many of those scans to take off the load of the firewall engine and to secure those publicly accessible services. With GeoIP-based firewall rules it is possible to filter incoming and outgoing traffic related on their source or desired destination countries. Here are some examples what can be done with such a GeoIP-filter...
Prevent malware on your local systems to communicate with their command and control (C&C) servers, which often are located in a certain countries.
Only allow remote administration from your own country.
Create firewall rules for limit new connection attempts for countries you usually don’t communicate that much with. This could help to prevent from getting your mail servers flooded with spam from those countries.
The GeoIP feature successfully has been funded on the IPFire wishlist.
A pretty easy way to block any incoming traffic of several countries, a new configuration page has been added to the IPFire web user interface. On there, you can block incoming traffic from countries. You may also define firewall rules where you can filter the originating country or destination country.
Cryptography updates:
SSLv3 and SSLv2 are now disabled by default
We have been disabling all possibly broken algorithms in the services that IPFire itself is running and providing to the network. Now we are making the even bigger step to disable support for SSLv2 and SSLv3 for all SSL connections that are initiated by IPFire. Those two revisions of the SSL protocol are very old and practically not used any more. They are also considered as broken and should not be used any more.
Compatibility is still possible if the software you are using explicitly requests for those protocols.
Performance improvements:
We focussed very much on increasing the performance of ciphers in this release. First of all we dropped support for cryptodev and replaced it with optimising the user-space libraries so that these can use CPU instructions when ever they are available for increasing throughput. The AES algorithm was in spotlight of those efforts as it is the most commonly used cipher. Others will benefit as well.
We updated the openssl package to version 1.0.2a and are shipping two versions of libcrypto.so.10, which is the library that holds the implementation of ciphers, hashes and those alike. The first shipped version is compiled as usual and is used on all systems by default. If there is SSE2 support available which is on more than 86% of all systems known to fireinfo, an other version of libcrypto.so.10 will be loaded which is compiled with various optimisations that require SSE and SSE2 instructions.
Hardware crypto processors like VIA Padlock and AES-NI are of course used automatically when available.
Removing legacy code:
We used to ship an extra copy of openssl version 0.9.8 for compatibility reasons which is now removed with this update. The 0.9.8 branch of openssl will not be discontinued by the openssl developers soon and the libraries are not used any more. If you have a custom built program that is linked against these, you will have to recompile it.
IPsec/strongSwan:
strongSwan has been updated to version 5.3.0. It provides much better stability of IPsec VPN connections.
Wolfgang Apolinarski sent in a patch that improves compatibility with the internal Windows IPsec client and another one that increases key sizes of the internal CA to 4096 bits for the root key and 2048 bits for each client certificate. The SHA-512 and SHA-256 hash algorithm is used respectively. Old certificates can not be converted for obvious reasons, but new certificates will be created and signed with the new properties.
IKE fragmentation is now enabled by default which helps peers that implement it to fragment IKE packets before they are sent over a path with potentially broken routers that do not forward fragments.
Ciphers Selection
We have improved the selection of ciphers on the IPFire web user interface where we added AES-GCM with various key and ICV sizes and we ordered the ciphers by their strength so that it is easier to select the strongest one possible.
Kernel Update:
The kernel has been updated to version 3.14.43. It comes with various security fixes and bug fixes throughout the entire tree.
The synthetic Hyper-V drivers have been patched to work with legacy version of Microsoft Hyper-V (at least 2008). The igb driver module that is maintained by Intel has been replaced by the default kernel module.
Bug fixes and other changes:
glibc: Fix CVE-2013-7423 and CVE-2015-1781
apache will not show its version and loaded modules any more in the server signature
Connections in the list of connections that are using Destination NAT are now coloured in the colour of the new destination host.
dnsmasq has been fixed so that it will correctly fall back to TCP for DNS replies larger than the DNS packet size.
udev: Network interface names are now assigned from the configuration in /var/ipfire/ethernet/settings instead of the setup tool generating a native udev configuration file.
ovpnmain.cgi: Some certificate authority (CA) related elements have been displayed outside the site layout.
Updated packages:
acpid 2.0.23, apache2 2.2.29, curl 7.40.0, cyrus-sasl 2.1.26, dhcp 4.3.1, dhcpcd 6.7.1, expat 2.1.0, glibc 2.12 (fixes for CVE-2013-7423 and CVE-2015-1781), groff 1.22.3, iputils s20121221, libjpeg 1.3.1, logrotate 3.8.1, logwatch 7.4.1, nasm 2.11.06, openssh 6.8p1, squid 3.4.13 without SSL support, tzdata 2015d, wpa_supplicant 2.4, xz 5.2.1
Add-ons:
asterisk 11.17.1
hostapd 2.4
The EAPOL timeout has been increased which gives some mobile devices more time to finish the wireless handshake
libsrtp 1.5.2
monit 5.12.1
qemu 2.3.0
squid-accounting – has been updated and fixes some issues with compressing the database and generating reports.
tor 0.2.5.12

New in IPFire 2.17 Core 89 (Apr 22, 2015)

OpenVPN Net-To-Net Statistics:
Connection statistics of OpenVPN net-to-net connections are now collected and graphed. They show incoming and outgoing traffic of the VPN connections and compression ratios.
Dynamic DNS Updater:
A database is used to track successful and failed updates. ddns will automatically back-off when an update could not be performed and will re-try after a longer time. nsupdate.info asked to never repeat any updates after one has failed for any reason.
New supported providers: changeip.com, ddnss.de, domains.google.com, domopoli.de, dyns.cx|net, loopia.se, myonlineportal.net, xlhost.de, zzzz.io
Token-based authentication is now supported for spdns.de
Support for easydns.com and zoneedit.com has been fixed which have changed their update protocols.
strato.de used to remove MX and backup MX records for every update. Additional parameters of the update request have been added so that the original settings are not changed any more.
Handle badagent response for all DynDNS2 protocol-compatible providers. ddns will respect if it has been blocked by the provider.
Improve error handling for various responses from the provider’s HTTP services.
Updated packages:
daq 2.0.4, ethtool 3.16, fcron 3.2.0, file 5.20, fuse 2.9.3, gnupg 1.4.18, grep 2.21, hdparm 9.45, libart 2.3.21, libassuan 2.1.3, libcap 1.6.2, libevent 2.0.21-stable, libffi 3.2.1, libpcap 1.6.2, ntfs-3g 2014.2.15, pcre 8.36, screen 4.2.1, smartmontools 6.3, snort 2.9.7.0, strongswan 5.2.2, sqlite 8.7.4, squid 3.4.9, tar 1.28, tzdata 2015a, wget 1.16, zlib 1.2.8
dnsmasq has been updated to a recent version with various fixes for DNSSEC and other bugs.
Add-ons:
asterisk 11.15.0 + support for TLS and SRTP, clamav 0.98.6, NEW haproxy 1.5, htop 1.0.3, libdvbpsi 1.2.0, lynis 1.6.4, mc 4.8.13, NEW monit 5.11, miniupnpd 1.9, nginx 1.6.2, nmap 6.47, owncloud 7.0.3, samba 3.6.25, tcpdump 4.6.2
Feature Enhancements & Bug fixes:
Firewall
Service groups are limited to 15 services per protocol. Due to a defect in the web GUI it was possible to create groups with up to 16 services which has been fixed now.
The remark of some firewall rules could not be removed when nothing else was changed. This has been fixed as well.
Fix setting rate-limiting rules. Those were not always applied correctly.
IPsec
Allow an IKE lifetime up to 24 hours.
OpenVPN
Allow setting an expiration time for net-to-net connection certificates.
Let openssl pick the sources for entropy that are used to initialize the random-number generator on its own.
The backup functionality is robust against filenames including hyphens.
squid-accounting: #10693 (last month of year leads to error (no data shown in webinterface))
fireinfo: Improve finding the vendor/model of ARM single-board-computers.
Installer: Cut off too long harddisk description strings

New in IPFire 2.17 Core 88 (Mar 20, 2015)

New in IPFire 2.17 Core 87 (Feb 27, 2015)

Kernel:
Most of the work has been done under the hood and in the Linux kernel. This has been updated to version 3.14 and brings better support for various hardware and stability fixes. Various device drivers have been backported from more recent versions of the Linux kernel to combine great stability with best hardware support.
Stability for various ARM platforms has been improved and support for more has been added. Among the new devices are the Banana Pi and Banana Pro boards. Please check out the list of supported ARM boards on the IPFire wiki.
Installer:
The installer program that helps to install IPFire has been very much improved. It is now easier to use and provides clearer error messages. It allows you to select the disk you want to install IPFire on and does not use the first one any more if there are more than one.
An other main feature is that the installer is now able to download the ISO image from the Internet. That allows it to be used on devices that can not boot from USB drives. Installations using the serial console are possible as well.
The installer allows you to use the XFS filesystem and supports installation on harddisks larger than 2TB by using GPT. The entire partitioning has been rewritten and is able to produce better partitioning layouts.
The unattended installation feature is now usable again and the Installation Guide on the IPFire wiki has been rewritten.
Changing bootloaders on x86:
We changed the bootloader on all x86 installations from GRUB-legacy to GRUB2. New systems will be installed right away with the new version and old ones will be migrated. Please make sure to create a backup of your installation in case this upgrade fails.
The huge benefit we get from migrating to GRUB2 is more flexibility for testing new kernels and much better reliability on various hardware.
Security fixes in third-party packages:
glibc has been patched against the GHOST vulnerability.
The ntp package has been updated because of recent security vulnerabilities that have been discovered
The openvpn package has been updated to version 2.3.6
Misc:
Timmothy Wilson suggested to use SHA256 for the SSL certificate that is used for accessing the web user interface. All new installations will use this.
iw was updated to version 3.14
wpa_supplicant and hostapd have been updated for more stable wireless connections
Erik Kapfer added tmux as an add-on package
Umberto Parma sent in an Italian translation for the web user interface
Updated add-ons:
Pound has been updated to version 2.7 stable which allows better protection against the POODLE vulnerability
mtr has been updated to version 0.86
fping has been updated to version 3.10

New in IPFire 2.15 Core 86 (Jan 24, 2015)

New in IPFire 2.15 Core 84 (Oct 17, 2014)

GNU bash fixes:
As you may have already seen on the news, the Shellshock issues made more people look into the code of the default shell of many *nix systems. Those people found many more programming errors and provided fixes for them which have been applied in this release. IPFire is now shipping GNU bash 4.3.30 and the companion library readline in version 6.3.
squid web proxy:
There have been some Denial-of-Service issues in the squid web proxy which have been fixed in release 3.4.8. Those are of minor severity only and quite possibly cannot be exploited to inject code.
Firewall changes:
The firewall got a couple of new features which I explained in detail in a post on the IPFire planet. Both enhance the firewall to better protect hosted services from Denial-of-Service attacks and similar things by limiting the number of new connections that can be opened within a certain span of time or by limiting the overall number of open connections by a host on the Internet.
Using NAT for rules where the source and destination is in the same subnet is now possible. Some code has been cleaned up and made more robust. The firewall.local script will now also be reloaded when settings of the firewall are changed on the web user interface.
P2P block:
The P2P block feature of the firewall has not been very effective for many protocols. The detection has now been improved and blocking unwanted P2P protocols from your network works now much better but will result in a bit more load.
DNS Proxy:
dnsmasq, the DNS proxy working inside of IPFire, has been updated to version 2.72 which includes some stability fixes and fixes some of the crashes some IPFire users have been experiencing especially in conjunction with (faulty) DNSSEC-enabled DNS recursors on the Internet.
Misc:
Applying static routes at boot has been improved, as sometimes not all routes were correctly applied.
URL-Filter
The “safe search” feature has been fixed for Google News and been introduced for Bing Search as well.
Blocking downloads of files by extension has been improved, too.
Some spelling fixes for the English language throughout the whole web interface.
parted has been updated to version 3.1.

New in IPFire 2.15 Core 83 (Sep 29, 2014)

New in IPFire 2.15 Core 81 (Aug 8, 2014)

New in IPFire 2.15 Core 80 (Aug 3, 2014)

DNSSEC:
There has been a crowdfunding on the IPFire wishlist which raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service that is running inside of IPFire has been forked and some features that were dropped in the upstream version have been backported.
IPFire now validates every DNS response of zones that are signed. If the DNSSEC signatures do not validate a DNS error is raised and therefore spoofing attacks are not longer possible. However, it is not sufficient for the internal DNS proxy to have DNSSEC enabled. Client systems should validate DNSSEC records, too, but we think that these changes block most spoofing attacks from the Internet and only DNS spoofing attacks from the local network are possible. The cache pool size has been increased so that dnsmasq is able to cache many DNS keys and signatures and that the verification does not harm the user experience.
It is required that the DNS servers from the Internet service providers validate DNSSEC as well. If not, you may change to one of those public DNS servers in this list. There is more information about DNS and IPFire on our wiki.
New dynamic DNS updater:
A new tool to update dynamic DNS records has been written. It replaces the old, faulty and hard to maintain perl script setddns.pl. The new client is written in Python and portable to other distributions as well. It is easily extensible and avoids duplicating code. The sources can be found on our own git server or on GitHub and we are happy to receive improvements and patches that add support for new providers.
The user interface has been simplified and obsolete and deprecated features like wildcard support have been dropped.
There is support for all DNS providers that have been formerly supported. Providers that don’t exist any more have been removed and some new ones have been added: all-inkl.com, dhs.org, dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com, easydns.com, enom.com, entrydns.net, freedns.afraid.org, namecheap.com, no-ip.com, nsupdate.info, opendns.com ovh.com, regfish.com, selfhost.de, spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de, zoneedit.com.
Misc:
The lzo libary has been updated to version 2.08 because of a potential, but very unlikely security issue filed under CVE-2014-4607.
wpa_supplicant has been updated to version 2.2.
strongswan has been updated to version 5.2.0
Ersan Yildirim submitted updates for the Turkish translation.
The dhcrelay binary and an initscript are shipped.
The bind tools have been updated to version 9.9.5 to support DNSSEC, too.
rng-tools have been updated to version 5 to support Intel processors that come with the RDRAND instruction, but without AES-NI.
squid web proxy: The minimum and maximum object size of objects that are put into the cache is no longer ignored.
Firewall hits by country: Fix chart for dial-up connections.
Static routes cannot be added twice into the configuration and must not be a part of any of the local networks.
Add-ons:
ownCloud – The private cloud – Documentation
Updates:
clamav 0.98.4
hostapd 2.2
sane 1.0.24
tor 0.2.4.22
transmission 2.84

New in IPFire 2.15 Core 79 (Jul 8, 2014)

OpenVPN:
The OpenVPN capabilities have been massively extended by Erik Kapfer...
Certificate Authorities:
The certificate authority that can be created on the OpenVPN page now uses much better hashes to protect the integrity of itself. The CA root certificate uses a SHA512 hash and a RSA key with length of 4096 bit. All new created host certificates use a RSA key with 2048 bit length and a SHA256 hash.
Additionally, a set of Diffie-Hellman parameters can be generated for better protection of the session keys. The length of the pregenerated DH parameters can be chosen in the web interface.
Ciphers:
The cipher that is used for each net-to-net connection can be changed now to for example take benefit of hardware crypto processors. To the list of already supported ciphers came SEED.
ATTENTION: Some other ciphers that are evidently broken have been removed for use with the roadwarrior server. Those are: DES-CBC, RC2-CBC, RC2-64-CBC and RC2-40-CBC. If you are using one of these, please replace all your roadwarrior connections.
HMAC/Hashing:
To ensure that the transmitted data has not been altered on the way from sender to receiver a hash function is used. This hash is now configurable with a couple of options: SHA2 (512, 384 and 256 bit), Whirpool (512 bit) and SHA1 (160 bit).
To mitigate DoS attacks against the OpenVPN server, the tls-auth option can be enabled which uses a HMAC function that lets the server very quickly decide if a packet is coming from a legitimate sender and needs to be decrypted (which is a very costly operation) or if it is just some spoofed data sent to slow down the server. In the latter case the HMAC does not match and the packet can be discarded right away.
All this may sound a bit complicated, but in the end the OpenVPN feature is usable just in the same and easy way as you know it in IPFire. Everything described here works under the hood and gives you better protection for your data.
Kernel Update
The Linux kernel running inside IPFire has been updated to version 3.10.44 which adds better support for some hardware, comes with lots of stability fixes and closes some security issues. The vendor drivers for Intel network adapters have been updated, too.
One of the most significant changes is that the system now uses the PCIe ASPM configuration from the BIOS. The former option was to save as much power as possible which may lead to instabilities with some PCIe periphery. It is now possible to easily configure the desired operation mode in the BIOS of the system.
Various changes have been applied to the Xen image so installing IPFire on para-virtualized systems runs much more smoothly now.
PPP dial-in:
pppd, the Point-to-Point-Protocol Daemon, has been updated to version 2.4.6 which comes with some stability and security fixes. For PPPoE sessions, the system will try to connect to the Internet for a longer time now before giving up. This helps us to establish a connection even if there is some really weird modems around that need some time to initialize when the network link goes up (seen with radio link antennas).
LTE/3G Modem Status:
The IPFire web interface got a new status page for modems. This includes all serial modems from 56k analogue modems up to LTE and 3G modems. On this page there will be various information about the connected network, signal quality and SIM card if one is available.
Squid Web Proxy Update:
The Squid web proxy server has been updated to version 3.4.5. As this is a major version update, several deprecated things and incompatibilities had to be resolved. The redirect wrapper process has been rewritten and all the redirect helpers (URL-Filter, Update Accelerator and squidclamav) have been patched to be able to communicate with the proxy process again.
When using proxy.pac for automatic client configuration, please note that access to the web proxy is now only granted for the actual subnets of the firewall and not for the entire private RFC1918 address space any more. In addition to that, accessing resources of the same subdomain as the clients (i.e. internet network access) circumvents the proxy as well.
Support for the internal Quality of Service has been compiled in.
Intrusion Detection System:
snort, the Intrusion Detection System, has been updated to version 2.9.6.1. Downloading of rules will be possible for some time now.
Misc:
Alf Høgemark contributed an updated version of vnstat which is a tool to measure the consumed traffic on each network interface and generates beautiful graphs out of it.
He also contributed a new log page on the IPFire web interface that shows from which country the most firewall hits originate from.
The new firewall GUI now supports blocking access to the GREEN firewall interface from the GREEN network.
The PIE packet scheduler has been added for experienced users to experiment.
Lots of cleanup of the generated HTML output of the CGI web interface scripts has been done.
The Turkish translating has been updated by Ersan Yildirim.
The net-utils which provided the basic tools like ping has been removed and now only the version of ping that comes with the iputils package is used. The hostname command has been replaced by a version that is maintained by Debian.
Updated packages: daq 2.0.2, libpcap 1.4.0, openvpn 2.3.4, sudo 1.8.10p3
The build system is now able to use qemu and compile for ARM on x86 machines.
Enabling the front LEDs on an ALIX system has been fixed when a RED device has been assigned but the system actually uses a dial-in connection.
Installer:
Installation on systems that only got a serial console is now possible from the ISO image. The baudrate has been set to 115200 throughout the entire process which has formerly been broken and it was needed to change the baudrate a couple of times.
The default size of the root partition has been increased.
The backup ISO that can be generated on the backup page of the IPFire web interface is now a hybrid image as well so that it can be put on an USB key instead of burning it on a disk.
Dynamic DNS providers:
Some new dynamic DNS providers have been added: spdns.de (Bernhard Bitsch), twodns.de, variomedia.de (Stefan Ernst)
Add-ons:
New Arrivals:
icinga 1.11.4 (The nagios package may be dropped in the near future)
sslscan 1.10.2 – A simple tool to scan which SSL features and ciphers a remote host supports
Updates:
cacti 0.8.8b
clamav 0.98.4
nut 2.7.2 (Dirk Wagner)
samba 3.6.24
transmission 2.83
Dropped add-ons:
icecc

New in IPFire 2.15 Core 78 (Jun 9, 2014)

New in IPFire 2.15 Core 77 (Jun 9, 2014)

New in IPFire 2.13 Core 76 (Apr 23, 2014)

New in IPFire 2.13 Core 75 (Jan 13, 2014)

New in IPFire 2.13 Core 73 (Nov 26, 2013)

New in IPFire 2.13 Core 72 (Aug 28, 2013)

The Core Update comes with a lot of feature enhancements for IPsec, smaller fixes for OpenVPN and fixed two denial-of-service attacks in the Squid web proxy.
strongswan 5.1.0:
strongswan, the software package that is responsible for IPsec VPN connections, has been updated to version 5.1.0. This is a major version, which fixes various kinds of bugs and also fixes a denial-of-service bug, which is of very little priority for IPFire users (CVE-2013-5013).
Elliptic Curve Cryptography:
It is now possible to use Elliptic Curve Cryptography (ECC) groups in the Internet Key Exchange (IKE) protocols in addition to the previously defined Diffie-Hellman groups. Advantages of using these include better efficiency because the underlying integer arithmetic is much faster than the binary field arithmetic MODP uses. Also ECC requires much smaller keys in order to achieve the same level of security than the Diffie-Hellman algorithm does. Therefore less entropy is consumed.
Smaller default keys:
As it has often been pointed out, it is a problem to gather enough entropy on some computers. This makes it hard to do a proper key exchange, because you need to generate keys for that which are of a certain length of random data. The default settings for the key length have been very high since IPFire 2.13 and are now lowered, because of the reasons above. Instead of 8192 bits, the highest selected MODP group uses 4096 bits long keys.
More technical reasons are to be found in the comments of #10396.
squid Web Proxy server
The squid web proxy server has got two denial-of-service issues that are fixed in this Core Update. It was able to crash the cache manager when authenticating and it was possible to crash the entire proxy server with requests with over-long domain names (more information about this).
OpenVPN fixes:
The OpenVPN GUI does now more precise validation of the subnet that is used as a transfer network for OpenVPN N2N connections. Incorrect data let the openvpnctrl binary crash when a new connection was started and no firewall rules were added.
It is now permitted to leave the “remote” field empty on a N2N server site, which makes creating connections with clients from dynamic IP addresses easier.
OpenVPN client connections with more than one space character in their names work again.
Misc Changes:
snort has been enabled to decode packets from non-Ethernet devices again.
Dynamic DNS supports all-inkl.com now.
This update comes with all the requirements you need for Tor.
Tor – Protecting Online Anonymity:
The Tor add-on is finally released together with Core Update 72, which you need to install first if you want to use Tor. Please make sure to reboot your IPFire system after the Tor add-on has been installed.
Documentation about this add-on can be found on our wiki: Tor documentation
We would like to thank all the people who contributed to this wish on the IPFire wishlist. If you want to, there are other things you can support, so those get implemented soon, too!

New in IPFire 2.13 Core 71 (Aug 7, 2013)

Wireless Client on RED:
It is now possible to assign a wireless adapter as the RED interface. A GUI has been written where you can configure wireless access points, to which the IPFire system will connect when in reach.
You will be able to configure backup access points, to which IPFire will switch when the first one is down or out of reach. You can prioritize them, so that you can connect to the best one when ever that is possible. All common encryption technologies are supported.
This was funded on the IPFire wishlist a while ago, but was delayed because of lack of testers.
DNS forwarding GUI:
A new GUI has been written on which you are able to define different name servers than the public name servers for your DNS zones. So, you can use your internal name server for internal name resolution instead of the public one on the Internet.
Performance improvement of squidclamav
Scanning all the HTTP traffic that is going through the proxy is very costly and makes browsing slow. In this update, we put the squidclamav process “in front of the proxy”. It now trusts the cache and won’t scan data that’s coming from the cache again which results in a huge performance increase. You now don’t even reckon that your traffic is scanned for viruses.
snort 2.9.5
The Intrusion Detection System (IDS) snort has been updated to version 2.9.5. Updating the official ruleset from sourcefire is now possible, again.
The VRT community rules package which was not available for a long time has been re-added to the list of rule sources again.
Smaller changes:
The USB modeswitch database has been updated. This software will configure UMTS/LTE/3G USB adapters that they can be used as modems. Now, more of this hardware is supported.
Allow squid, the Web proxy service, to open more files and connections at once (more open file descriptors). This will result in a higher performance and better stability under high loads.
The whois tool for whois lookups has been replaced by GNU jwhois. It is much more flexible and does not have an outdated database like the old one.
squidclamav freezing when accessing sites that are also available over IPv6 has been fixed.
MTU negotiation on PPPoE: The default MTU for DSL lines has been 1492 which is not working on all DSL lines. If not configured correctly, your DSL connection won’t be able to transport big packets. We now allow to leave that field empty so IPFire will try to negotiate an appropriate MTU on itself.
Add-ons:
VDR 2.0 has been pushed to the stable tree.
Tor from the IPFire wishlist:
Thanks to all the people who donated for integrating Tor into IPFire. You can still support this wish or support the advanced firewall GUI.
The Tor add-on is already well advanced, because we worked day and night on it for a couple of days. We are confident that we will be able to ship it with Core Update 72. For that, we will need testers, so please stay tuned for that.

New in IPFire 2.13 Core 70 (Jul 10, 2013)

New in IPFire 2.13 Core 69 (Jun 22, 2013)

New in IPFire 2.13 Core 68 (May 23, 2013)

New in IPFire 2.13 Core 67 (Mar 18, 2013)

New in IPFire 2.13 (Feb 19, 2013)

New in IPFire 2.11 Core 65 (Dec 19, 2012)

New in IPFire 2.11 Core 64 (Nov 21, 2012)

New in IPFire 2.11 Core 63 (Oct 20, 2012)

New in IPFire 2.11 Core 59 (May 18, 2012)

New in IPFire 2.11 Core 58 (May 14, 2012)

New in IPFire 2.11 Core 57 (Mar 7, 2012)

New in IPFire 2.11 Core 56 (Feb 2, 2012)

New in IPFire 2.11 Core 55 (Jan 8, 2012)

New in IPFire 2.11 (Nov 3, 2011)

New in IPFire 2.9 Core 47 (Mar 8, 2011)

New in IPFire 2.9 Core 45 (Feb 2, 2011)

New in IPFire 2.9 Core 44 (Jan 17, 2011)

Fireinfo:
The IPFire has got a new service that is called fireinfo. This can be enabled at your option and sends anonymous information about the system to the project.
We strongly recommend the users to enable this feature so that we can learn from the statistics that are made. It is important for the developers to make decisions about the project and these are very much easier if there is some information available.
Every user can (but does not have to) make his own profile public. It is very easy to compare hardware setups then and maybe we can build a hardware compatibility list, soon.
Please visit http://fireinfo.ipfire.org to learn more about fireinfo and to watch the charts, that are accessable by everybody.
You can find a link to your own profile (if you have enabled fireinfo) on your web interface. This is the URL you are supposed to share and if you want you can add a nice signature image to your forum signature (on the IPFire forum or any other forum, too).
Kernel Update:
IPFire 2.9 bases on the latest linux kernel 2.6.32.28 which will be maintained by the kernel developers for several years. So all of the integrated patches will get into IPFire as well, bringing hardware-compatibility, stability and most importantly security into the next releases of IPFire.
Additionally to the default kernel, there is a PAE-enabled kernel (physical address extension) that is able to handle more than 4GB of memory.
Besides of changes on the power-management, which makes IPFire less power consuming again, the most noteable change is the removal of the legacy IDE stack which was replaced by the new libata stack.
New hardware detection:
IPFire changed to dracut (http://sourceforge.net/apps/trac/dracut) which creates an initial ramdisk with lots of advantages for us. The most important one is, that you can take a harddisk that has IPFire installed, put it into any computer and IPFire will boot properly. The only thing to do is to reconfigure the network interfaces and so you are able to replace a broken machine with a backup harddrive within a minute.
IPFire boots within a couple of seconds, which is a very big boost compared to older releases.
Installer:
There have also been changes on the installer. We require users to accept the terms of the GNU General Public Licence when a new IPFire system is installed.
A new feature is that if there is no CDROM drive, the installation image can be downloaded from the internet (this requires at least 256 megabytes of memory).
Experienced users will also notice, that the initial setup of the network has moved after the first boot which makes it even simplier to install IPFire.
Ext4 is the preferred file system.
The little things
Lots of improvements in the web user interface for more usability and minor bugs were solved.
The network time daemon (NTP) is enabled by default.
Quality of Service: A miscalculation of the used bandwidth in VPN connections was fixed which cause a slow-down of those connections.
MTU problems on various connection types were solved: Some cable modems have a broken DHCP daemon that sends 576 bytes as default MTU which causes very slow connections. For all connections, there is an option to set a user-defined MTU.
Firewall groups are editable which brings more comfort to the configuration of the outgoing firewall.
Software updates: apache2 (2.2.17), dhcpcd (5.2.9), snort (2.9.0.2), strongswan (4.5.0), smartmontools (5.40), cpio (2.11), findutils (4.4.2), libcap (2.19), attr (2.4.43), iw (0.9.20), wpa_supplicant (0.7.3), hostapd (0.7.3), wireless-tools (30.pre9), kvm-kmod (2.6.34.1), v4l-dvb (2010-09-12), vim (7.2), syslinux (4.02), udev (125), usb_modeswitch (1.0.6/database 22.12.2010)

IPFire Changelog

What's new in IPFire 2.21 Core 139

New in IPFire 2.21 Core 138 (Nov 18, 2019)

New in IPFire 2.21 Core 137 (Nov 15, 2019)

New in IPFire 2.21 Core 136 (Oct 11, 2019)

New in IPFire 2.21 Core 135 (Sep 5, 2019)

New in IPFire 2.21 Core 134 (Jul 4, 2019)

New in IPFire 2.21 Core 133 (Jun 24, 2019)

New in IPFire 2.21 Core 132 (Jun 8, 2019)

New in IPFire 2.21 Core 130 (Apr 17, 2019)

New in IPFire 2.21 Core 129 (Apr 8, 2019)

New in IPFire 2.21 Core 128 (Mar 19, 2019)

New in IPFire 2.21 Core 127 (Feb 6, 2019)

New in IPFire 2.21 Core 126 (Jan 8, 2019)

New in IPFire 2.21 Core 125 (Nov 26, 2018)

New in IPFire 2.21 Core 124 (Oct 15, 2018)

New in IPFire 2.21 Core 123 (Sep 7, 2018)

New in IPFire 2.21 Core 122 (Jul 30, 2018)

New in IPFire 2.19 Core 120 (Apr 30, 2018)

New in IPFire 2.19 Core 119 (Mar 14, 2018)

New in IPFire 2.19 Core 117 (Jan 5, 2018)

New in IPFire 2.19 Core 116 (Nov 7, 2017)

New in IPFire 2.19 Core 113 (Sep 4, 2017)

New in IPFire 2.19 Core 111 (Jun 14, 2017)

New in IPFire 2.19 Core 110 (Apr 28, 2017)

New in IPFire 2.19 Core 109 (Feb 17, 2017)

New in IPFire 2.19 Core 108 (Dec 22, 2016)

New in IPFire 2.19 Core 107 (Nov 9, 2016)

New in IPFire 2.19 Core 106 (Nov 2, 2016)

New in IPFire 2.19 Core 105 (Sep 26, 2016)

New in IPFire 2.19 Core 104 (Sep 20, 2016)

New in IPFire 2.19 Core 103 (Jul 12, 2016)

New in IPFire 2.19 Core 102 (May 5, 2016)

New in IPFire 2.19 Core 101 (May 3, 2016)

New in IPFire 2.19 Core 100 (Apr 14, 2016)

New in IPFire 2.17 Core 98 (Feb 23, 2016)

New in IPFire 2.17 Core 97 (Jan 29, 2016)

New in IPFire 2.17 Core 96 (Jan 21, 2016)

New in IPFire 2.17 Core 95 (Dec 11, 2015)

New in IPFire 2.17 Core 94 (Oct 28, 2015)

New in IPFire 2.17 Core 93 (Aug 18, 2015)

New in IPFire 2.17 Core 92 (Jul 15, 2015)

New in IPFire 2.17 Core 91 (Jun 13, 2015)

New in IPFire 2.17 Core 90 (May 28, 2015)

New in IPFire 2.17 Core 89 (Apr 22, 2015)

New in IPFire 2.17 Core 88 (Mar 20, 2015)

New in IPFire 2.17 Core 87 (Feb 27, 2015)

New in IPFire 2.15 Core 86 (Jan 24, 2015)

New in IPFire 2.15 Core 84 (Oct 17, 2014)

New in IPFire 2.15 Core 83 (Sep 29, 2014)

New in IPFire 2.15 Core 81 (Aug 8, 2014)

New in IPFire 2.15 Core 80 (Aug 3, 2014)

New in IPFire 2.15 Core 79 (Jul 8, 2014)

New in IPFire 2.15 Core 78 (Jun 9, 2014)

New in IPFire 2.15 Core 77 (Jun 9, 2014)

New in IPFire 2.13 Core 76 (Apr 23, 2014)

New in IPFire 2.13 Core 75 (Jan 13, 2014)

New in IPFire 2.13 Core 73 (Nov 26, 2013)

New in IPFire 2.13 Core 72 (Aug 28, 2013)

New in IPFire 2.13 Core 71 (Aug 7, 2013)

New in IPFire 2.13 Core 70 (Jul 10, 2013)

New in IPFire 2.13 Core 69 (Jun 22, 2013)

New in IPFire 2.13 Core 68 (May 23, 2013)

New in IPFire 2.13 Core 67 (Mar 18, 2013)

New in IPFire 2.13 (Feb 19, 2013)

New in IPFire 2.11 Core 65 (Dec 19, 2012)

New in IPFire 2.11 Core 64 (Nov 21, 2012)

New in IPFire 2.11 Core 63 (Oct 20, 2012)

New in IPFire 2.11 Core 59 (May 18, 2012)

New in IPFire 2.11 Core 58 (May 14, 2012)

New in IPFire 2.11 Core 57 (Mar 7, 2012)

New in IPFire 2.11 Core 56 (Feb 2, 2012)

New in IPFire 2.11 Core 55 (Jan 8, 2012)

New in IPFire 2.11 (Nov 3, 2011)

New in IPFire 2.9 Core 47 (Mar 8, 2011)

New in IPFire 2.9 Core 45 (Feb 2, 2011)

New in IPFire 2.9 Core 44 (Jan 17, 2011)

New in IPFire 2.7 Core 40 (Sep 20, 2010)