IPFire Changelog

New in version 2.17 Core 92 (July 15th, 2015)

  • Security Fixes:
  • openssl 1.0.2d. The openssl package has been updated to version 1.0.2d because of a high severity security fix filed under CVE-2015-1793.
  • This update comes with a patched version of squid to fix SQUID-2015:2.
  • Updated packages:
  • conntrack-tools 1.4.2, curl 7.43.0, dnsmasq 2.73, libgcrypt 1.63, libgpg-error 1.18, libnfnetlink 1.0.1, libnetfilter_conntrack 1.0.4, libnetfilter_queue 1.0.2, libnetfilter_cthelper (new package), libpcap 1.7.3, libusb 1.0.19 (replaces libusbx), python 2.7.10, rrdtool 1.5.3
  • Updated add-ons:
  • 7zip 9.38.1, asterisk 11.18.0, git 2.4.4 (and perl modules for git send-email: perl-Net-SMTP-SSL, perl-MIME-Base64, perl-Authen-SASL), keepalived 1.2.17, libassuan 2.2.0, nano 2.4.1, powertop 2.7, tcpdump 4.7.4, tor 0.2.6.9
  • Misc:
  • ipsec: Allow selection of ESP group type (#10860)
  • webaccess.cgi: Fix loading language
  • connections.cgi: Fix broken NAT rules when there is an empty destination IP address
  • url-filter: Use upstream proxy when downloading blacklists

New in version 2.17 Core 91 (June 13th, 2015)

  • OpenSSL security vulnerabilities:
  • There are six security vulnerabilities that are fixed in version 1.0.2b of openssl. This version contained an ABI breakage bug that required us to wait for a fix for that and rebuild this Core Update.
  • Among these are fixes for the Logjam vulnerability and others that are filed under CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, and CVE-2014-8176.
  • StrongSwan IPsec security vulnerability:
  • In strongSwan 5.3.1, a security vulnerability that is filed under CVE-2015-3991 was fixed. A denial-of-service and potential code execution were possible with specially crafted IKE messages.
  • IPFire now ships version 5.3.2, which fixes a second vulnerability (CVE-2015-4171).
  • Other package updates:
  • A number of other packages have been updated: libnet 1.16, libxml2 2.9.2, libxslt 1.1.28, newt 0.52.19, slang 2.3.0, pcre 8.37
  • Minor changes:
  • The P2P block feature is now disabled by default on new installations. There are many false-positive cases and the usage of P2P networks has declined in the past so that we do not consider this a good default setting any longer. Existing installations remain unchanged.
  • DHCP Server: The list of static leases is now searchable. Static leases created from the list of dynamic leases are now added and the user menu will allow editing the new entry right away.

New in version 2.17 Core 90 (May 28th, 2015)

  • GeoIP:
  • Attackers originate from all sorts of places in the world. Often huge networks of bots scan the entire Internet for services that are publicly accessible and possible to exploit. With GeoIP-based blocking it is possible to mitigate many of those scans, which takes load off the firewall engine and helps to secure those publicly accessible services. With GeoIP-based firewall rules it is possible to filter incoming and outgoing traffic based on its source or intended destination country. Here are some examples of what can be done with such a GeoIP filter:
  • Prevent malware on your local systems from communicating with its command and control (C&C) servers, which are often located in certain countries.
  • Only allow remote administration from your own country.
  • Create firewall rules that limit new connection attempts from countries you usually don’t communicate much with. This could help to prevent your mail servers from being flooded with spam from those countries.
  • The GeoIP feature has been successfully funded on the IPFire wishlist.
  • As an easy way to block all incoming traffic from several countries, a new configuration page has been added to the IPFire web user interface. There, you can block incoming traffic from countries. You may also define firewall rules that filter by originating country or destination country.
  • Cryptography updates:
  • SSLv3 and SSLv2 are now disabled by default
  • We have been disabling all possibly broken algorithms in the services that IPFire itself is running and providing to the network. Now we are taking the even bigger step of disabling support for SSLv2 and SSLv3 for all SSL connections that are initiated by IPFire. Those two revisions of the SSL protocol are very old and practically not used any more. They are also considered broken and should not be used any more.
  • Compatibility is still possible if the software you are using explicitly requests those protocols.
  • Performance improvements:
  • We focussed very much on increasing the performance of ciphers in this release. First of all we dropped support for cryptodev and replaced it with optimised user-space libraries that use CPU instructions whenever they are available to increase throughput. The AES algorithm was the focus of those efforts as it is the most commonly used cipher. Others will benefit as well.
  • We updated the openssl package to version 1.0.2a and are shipping two versions of libcrypto.so.10, which is the library that holds the implementation of ciphers, hashes and the like. The first shipped version is compiled as usual and is used on all systems by default. If SSE2 support is available, which is the case on more than 86% of all systems known to fireinfo, another version of libcrypto.so.10 will be loaded which is compiled with various optimisations that require SSE and SSE2 instructions.
  • Hardware crypto processors like VIA Padlock and AES-NI are of course used automatically when available.
  • Removing legacy code:
  • We used to ship an extra copy of openssl version 0.9.8 for compatibility reasons which is now removed with this update. The 0.9.8 branch of openssl will not be discontinued by the openssl developers soon and the libraries are not used any more. If you have a custom built program that is linked against these, you will have to recompile it.
  • IPsec/strongSwan:
  • strongSwan has been updated to version 5.3.0. It provides much better stability of IPsec VPN connections.
  • Wolfgang Apolinarski sent in a patch that improves compatibility with the internal Windows IPsec client and another one that increases key sizes of the internal CA to 4096 bits for the root key and 2048 bits for each client certificate. The SHA-512 and SHA-256 hash algorithms are used respectively. Old certificates cannot be converted for obvious reasons, but new certificates will be created and signed with the new properties.
  • IKE fragmentation is now enabled by default which helps peers that implement it to fragment IKE packets before they are sent over a path with potentially broken routers that do not forward fragments.
  • Ciphers Selection
  • We have improved the selection of ciphers on the IPFire web user interface where we added AES-GCM with various key and ICV sizes and we ordered the ciphers by their strength so that it is easier to select the strongest one possible.
  • Kernel Update:
  • The kernel has been updated to version 3.14.43. It comes with various security fixes and bug fixes throughout the entire tree.
  • The synthetic Hyper-V drivers have been patched to work with legacy versions of Microsoft Hyper-V (at least 2008). The igb driver module that is maintained by Intel has been replaced by the default kernel module.
  • Bug fixes and other changes:
  • glibc: Fix CVE-2013-7423 and CVE-2015-1781
  • apache will not show its version and loaded modules any more in the server signature
  • Connections in the list of connections that are using Destination NAT are now coloured in the colour of the new destination host.
  • dnsmasq has been fixed so that it will correctly fall back to TCP for DNS replies larger than the DNS packet size.
  • udev: Network interface names are now assigned from the configuration in /var/ipfire/ethernet/settings instead of the setup tool generating a native udev configuration file.
  • ovpnmain.cgi: Some certificate authority (CA) related elements have been displayed outside the site layout.
  • Updated packages:
  • acpid 2.0.23, apache2 2.2.29, curl 7.40.0, cyrus-sasl 2.1.26, dhcp 4.3.1, dhcpcd 6.7.1, expat 2.1.0, glibc 2.12 (fixes for CVE-2013-7423 and CVE-2015-1781), groff 1.22.3, iputils s20121221, libjpeg 1.3.1, logrotate 3.8.1, logwatch 7.4.1, nasm 2.11.06, openssh 6.8p1, squid 3.4.13 without SSL support, tzdata 2015d, wpa_supplicant 2.4, xz 5.2.1
  • Add-ons:
  • asterisk 11.17.1
  • hostapd 2.4
  • The EAPOL timeout has been increased which gives some mobile devices more time to finish the wireless handshake
  • libsrtp 1.5.2
  • monit 5.12.1
  • qemu 2.3.0
  • squid-accounting – has been updated and fixes some issues with compressing the database and generating reports.
  • tor 0.2.5.12

New in version 2.17 Core 89 (April 22nd, 2015)

  • OpenVPN Net-To-Net Statistics:
  • Connection statistics of OpenVPN net-to-net connections are now collected and graphed. They show incoming and outgoing traffic of the VPN connections and compression ratios.
  • Dynamic DNS Updater:
  • A database is used to track successful and failed updates. ddns will automatically back-off when an update could not be performed and will re-try after a longer time. nsupdate.info asked to never repeat any updates after one has failed for any reason.
  • New supported providers: changeip.com, ddnss.de, domains.google.com, domopoli.de, dyns.cx|net, loopia.se, myonlineportal.net, xlhost.de, zzzz.io
  • Token-based authentication is now supported for spdns.de
  • Support for easydns.com and zoneedit.com, which have changed their update protocols, has been fixed.
  • strato.de used to remove MX and backup MX records for every update. Additional parameters of the update request have been added so that the original settings are not changed any more.
  • Handle badagent response for all DynDNS2 protocol-compatible providers. ddns will respect if it has been blocked by the provider.
  • Improve error handling for various responses from the provider’s HTTP services.
  • Updated packages:
  • daq 2.0.4, ethtool 3.16, fcron 3.2.0, file 5.20, fuse 2.9.3, gnupg 1.4.18, grep 2.21, hdparm 9.45, libart 2.3.21, libassuan 2.1.3, libcap 1.6.2, libevent 2.0.21-stable, libffi 3.2.1, libpcap 1.6.2, ntfs-3g 2014.2.15, pcre 8.36, screen 4.2.1, smartmontools 6.3, snort 2.9.7.0, strongswan 5.2.2, sqlite 8.7.4, squid 3.4.9, tar 1.28, tzdata 2015a, wget 1.16, zlib 1.2.8
  • dnsmasq has been updated to a recent version with various fixes for DNSSEC and other bugs.
  • Add-ons:
  • asterisk 11.15.0 + support for TLS and SRTP, clamav 0.98.6, NEW haproxy 1.5, htop 1.0.3, libdvbpsi 1.2.0, lynis 1.6.4, mc 4.8.13, NEW monit 5.11, miniupnpd 1.9, nginx 1.6.2, nmap 6.47, owncloud 7.0.3, samba 3.6.25, tcpdump 4.6.2
  • Feature Enhancements & Bug fixes:
  • Firewall
  • Service groups are limited to 15 services per protocol. Due to a defect in the web GUI it was possible to create groups with up to 16 services which has been fixed now.
  • The remark of some firewall rules could not be removed when nothing else was changed. This has been fixed as well.
  • Fix setting rate-limiting rules. Those were not always applied correctly.
  • IPsec
  • Allow an IKE lifetime up to 24 hours.
  • OpenVPN
  • Allow setting an expiration time for net-to-net connection certificates.
  • Let openssl pick the sources for entropy that are used to initialize the random-number generator on its own.
  • The backup functionality is robust against filenames including hyphens.
  • squid-accounting: #10693 (last month of year leads to error (no data shown in webinterface))
  • fireinfo: Improve finding the vendor/model of ARM single-board-computers.
  • Installer: Cut off too long harddisk description strings

New in version 2.17 Core 88 (March 20th, 2015)

  • CVE-2015-0204 RSA silently downgrades to EXPORT_RSA
  • CVE-2015-0286 Segmentation fault in ASN1_TYPE_cmp
  • CVE-2015-0287 ASN.1 structure reuse memory corruption
  • CVE-2015-0289 PKCS7 NULL pointer dereferences
  • CVE-2015-0292 Base64 decode
  • CVE-2015-0293 DoS via reachable assert in SSLv2 servers
  • CVE-2015-0209 Use After Free following d2i_ECPrivatekey error
  • CVE-2015-0288 X509_to_X509_REQ NULL pointer deref

New in version 2.17 Core 87 (February 27th, 2015)

  • Kernel:
  • Most of the work has been done under the hood and in the Linux kernel. This has been updated to version 3.14 and brings better support for various hardware and stability fixes. Various device drivers have been backported from more recent versions of the Linux kernel to combine great stability with best hardware support.
  • Stability for various ARM platforms has been improved and support for more has been added. Among the new devices are the Banana Pi and Banana Pro boards. Please check out the list of supported ARM boards on the IPFire wiki.
  • Installer:
  • The installer program that helps to install IPFire has been very much improved. It is now easier to use and provides clearer error messages. It allows you to select the disk you want to install IPFire on and does not use the first one any more if there are more than one.
  • Another main feature is that the installer is now able to download the ISO image from the Internet. That allows it to be used on devices that cannot boot from USB drives. Installations using the serial console are possible as well.
  • The installer allows you to use the XFS filesystem and supports installation on harddisks larger than 2TB by using GPT. The entire partitioning has been rewritten and is able to produce better partitioning layouts.
  • The unattended installation feature is now usable again and the Installation Guide on the IPFire wiki has been rewritten.
  • Changing bootloaders on x86:
  • We changed the bootloader on all x86 installations from GRUB-legacy to GRUB2. New systems will be installed right away with the new version and old ones will be migrated. Please make sure to create a backup of your installation in case this upgrade fails.
  • The huge benefit we get from migrating to GRUB2 is more flexibility for testing new kernels and much better reliability on various hardware.
  • Security fixes in third-party packages:
  • glibc has been patched against the GHOST vulnerability.
  • The ntp package has been updated because of recent security vulnerabilities that have been discovered
  • The openvpn package has been updated to version 2.3.6
  • Misc:
  • Timmothy Wilson suggested using SHA256 for the SSL certificate that is used for accessing the web user interface. All new installations will use this.
  • iw was updated to version 3.14
  • wpa_supplicant and hostapd have been updated for more stable wireless connections
  • Erik Kapfer added tmux as an add-on package
  • Umberto Parma sent in an Italian translation for the web user interface
  • Updated add-ons:
  • Pound has been updated to version 2.7 stable which allows better protection against the POODLE vulnerability
  • mtr has been updated to version 0.86
  • fping has been updated to version 3.10

New in version 2.15 Core 86 (January 24th, 2015)

  • Security vulnerabilities:
  • openssl:
  • The openssl library which implements the TLS/SSL protocol and is used by various other packages in the system has been updated to version 1.0.1k. This release fixes eight security issues that have all been classified with “moderate” or less severity (CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570).
  • openvpn:
  • openvpn has been updated to version 2.3.6 which also fixes a security vulnerability (CVE-2014-8104) which allowed remote authenticated users to cause a denial of service.
  • strongswan:
  • strongswan has been updated to version 5.2.1 and we added a patch that fixes CVE-2014-9221. Before that it was possible to crash the service remotely with a custom DH key size.
  • Originally, Core Update 86 was planned to become IPFire 2.17. This release has been postponed because we still require some people to send us back their testing feedback, especially about updating the bootloader. If you want to join the group of testers, that would help us out a lot. If you want to support the project otherwise, please check out the current fundings running on the IPFire wishlist.

New in version 2.15 Core 84 (October 17th, 2014)

  • GNU bash fixes:
  • As you may have already seen on the news, the Shellshock issues made more people look into the code of the default shell of many *nix systems. Those people found many more programming errors and provided fixes for them which have been applied in this release. IPFire is now shipping GNU bash 4.3.30 and the companion library readline in version 6.3.
  • squid web proxy:
  • There have been some Denial-of-Service issues in the squid web proxy which have been fixed in release 3.4.8. Those are of minor severity only and quite possibly cannot be exploited to inject code.
  • Firewall changes:
  • The firewall got a couple of new features which I explained in detail in a post on the IPFire planet. Both enhance the firewall to better protect hosted services from Denial-of-Service attacks and similar things by limiting the number of new connections that can be opened within a certain span of time or by limiting the overall number of open connections by a host on the Internet.
  • Using NAT for rules where the source and destination is in the same subnet is now possible. Some code has been cleaned up and made more robust. The firewall.local script will now also be reloaded when settings of the firewall are changed on the web user interface.
  • P2P block:
  • The P2P block feature of the firewall has not been very effective for many protocols. The detection has now been improved and blocking unwanted P2P protocols from your network works now much better but will result in a bit more load.
  • DNS Proxy:
  • dnsmasq, the DNS proxy working inside of IPFire, has been updated to version 2.72 which includes some stability fixes and fixes some of the crashes some IPFire users have been experiencing especially in conjunction with (faulty) DNSSEC-enabled DNS recursors on the Internet.
  • Misc:
  • Applying static routes at boot has been improved, as sometimes not all routes were correctly applied.
  • URL-Filter
  • The “safe search” feature has been fixed for Google News and been introduced for Bing Search as well.
  • Blocking downloads of files by extension has been improved, too.
  • Some spelling fixes for the English language throughout the whole web interface.
  • parted has been updated to version 3.1.

New in version 2.15 Core 83 (September 29th, 2014)

  • This is the official release announcement for IPFire 2.15 Core Update 83. It mainly provides a fix for several security issues in the GNU bash package also known as “ShellShock” and filed under CVE-2014-6271 and CVE-2014-7169.
  • ShellShock:
  • It was possible to inject shell commands that were executed from the shell environment. IPFire uses CGI scripts for its web user interface. Therefore it was possible for authenticated users, and of course for users that had access to the shell on the command line, to execute shell commands with non-root privileges. Other services that execute shell scripts, like the DHCP client, were vulnerable as well.
  • We regard this as a serious security issue and recommend updating as soon as possible. Please do not forget to reboot your machine afterwards and check for updates for your other *nix distributions as well because they are probably vulnerable, too.
  • It appears that there might be more problems in GNU bash for which there is no working fix available right now. So please stay tuned for more updates.
  • Misc:
  • squid – the Web Proxy – has been updated to version 3.4.7 due to various security and stability fixes
  • Several security and stability fixes have been added to glibc
  • The URL to detailed descriptions of the snort alerts has been updated
  • Various minor bug fixes.

New in version 2.15 Core 81 (August 8th, 2014)

  • This is the official release announcement for IPFire 2.15 – Core Update 81 comes with fixes for nine security vulnerabilities in the OpenSSL library and some other smaller bugfixes. We recommend installing this update as soon as possible and rebooting your systems.
  • OpenSSL 1.0.1i:
  • Those OpenSSL security fixes are filed under CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511, and CVE-2014-3512. They are all in various protocols and parts of the library, but all of moderate severity.
  • Misc:
  • The firewall has been extended to detect more types of port scans over the TCP protocol, and connections that are marked as invalid by the connection tracking are from now on dropped. Some broken TCP/IP stacks (such as those we find in Android) caused packets to get from the internal networks to RED without being masqueraded.
  • ddns – The new dynamic DNS updater
  • The logging if no update has been performed has been silenced and is only visible in debugging mode. This was a request by users who use flash drives and would like to preserve a long lifetime of those.
  • Using special characters like “%” in passwords is now possible.
  • Support for regfish.com has been fixed.
  • lzo has been downgraded to version 2.06 because it did not work on ARM any more. However, the security fix from the last core update has been backported.
  • OpenVPN: When creating a new roadwarrior connection, a required field of the certificate form has not been validated correctly if no input was given.
  • Add-ons:
  • The tor addon has been updated to version 0.2.4.23 with a fix so that users of the network cannot be de-anonymized easily.
  • check_mk_agent has been added.

New in version 2.15 Core 80 (August 3rd, 2014)

  • DNSSEC:
  • There has been a crowdfunding on the IPFire wishlist which raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service that is running inside of IPFire has been forked and some features that were dropped in the upstream version have been backported.
  • IPFire now validates every DNS response of zones that are signed. If the DNSSEC signatures do not validate, a DNS error is raised and therefore spoofing attacks are no longer possible. However, it is not sufficient for the internal DNS proxy to have DNSSEC enabled. Client systems should validate DNSSEC records, too, but we think that these changes block most spoofing attacks from the Internet and only DNS spoofing attacks from the local network are possible. The cache pool size has been increased so that dnsmasq is able to cache many DNS keys and signatures and so that the verification does not harm the user experience.
  • It is required that the DNS servers from the Internet service providers validate DNSSEC as well. If not, you may change to one of those public DNS servers in this list. There is more information about DNS and IPFire on our wiki.
  • New dynamic DNS updater:
  • A new tool to update dynamic DNS records has been written. It replaces the old, faulty and hard to maintain perl script setddns.pl. The new client is written in Python and portable to other distributions as well. It is easily extensible and avoids duplicating code. The sources can be found on our own git server or on GitHub and we are happy to receive improvements and patches that add support for new providers.
  • The user interface has been simplified and obsolete and deprecated features like wildcard support have been dropped.
  • There is support for all DNS providers that have been formerly supported. Providers that don’t exist any more have been removed and some new ones have been added: all-inkl.com, dhs.org, dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com, easydns.com, enom.com, entrydns.net, freedns.afraid.org, namecheap.com, no-ip.com, nsupdate.info, opendns.com, ovh.com, regfish.com, selfhost.de, spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de, zoneedit.com.
  • Misc:
  • The lzo library has been updated to version 2.08 because of a potential, but very unlikely security issue filed under CVE-2014-4607.
  • wpa_supplicant has been updated to version 2.2.
  • strongswan has been updated to version 5.2.0
  • Ersan Yildirim submitted updates for the Turkish translation.
  • The dhcrelay binary and an initscript are shipped.
  • The bind tools have been updated to version 9.9.5 to support DNSSEC, too.
  • rng-tools have been updated to version 5 to support Intel processors that come with the RDRAND instruction, but without AES-NI.
  • squid web proxy: The minimum and maximum object size of objects that are put into the cache is no longer ignored.
  • Firewall hits by country: Fix chart for dial-up connections.
  • Static routes cannot be added twice into the configuration and must not be a part of any of the local networks.
  • Add-ons:
  • ownCloud – The private cloud – Documentation
  • Updates:
  • clamav 0.98.4
  • hostapd 2.2
  • sane 1.0.24
  • tor 0.2.4.22
  • transmission 2.84

New in version 2.15 Core 79 (July 8th, 2014)

  • OpenVPN:
  • The OpenVPN capabilities have been massively extended by Erik Kapfer...
  • Certificate Authorities:
  • The certificate authority that can be created on the OpenVPN page now uses much better hashes to protect its own integrity. The CA root certificate uses a SHA512 hash and an RSA key with a length of 4096 bit. All newly created host certificates use an RSA key with 2048 bit length and a SHA256 hash.
  • Additionally, a set of Diffie-Hellman parameters can be generated for better protection of the session keys. The length of the pregenerated DH parameters can be chosen in the web interface.
  • Ciphers:
  • The cipher that is used for each net-to-net connection can now be changed, for example to take advantage of hardware crypto processors. SEED has been added to the list of already supported ciphers.
  • ATTENTION: Some other ciphers that are evidently broken have been removed for use with the roadwarrior server. Those are: DES-CBC, RC2-CBC, RC2-64-CBC and RC2-40-CBC. If you are using one of these, please replace all your roadwarrior connections.
  • HMAC/Hashing:
  • To ensure that the transmitted data has not been altered on the way from sender to receiver, a hash function is used. This hash is now configurable with a couple of options: SHA2 (512, 384 and 256 bit), Whirlpool (512 bit) and SHA1 (160 bit).
  • To mitigate DoS attacks against the OpenVPN server, the tls-auth option can be enabled which uses an HMAC function that lets the server very quickly decide if a packet is coming from a legitimate sender and needs to be decrypted (which is a very costly operation) or if it is just some spoofed data sent to slow down the server. In the latter case the HMAC does not match and the packet can be discarded right away.
  • All this may sound a bit complicated, but in the end the OpenVPN feature is usable just in the same and easy way as you know it in IPFire. Everything described here works under the hood and gives you better protection for your data.
  • Kernel Update
  • The Linux kernel running inside IPFire has been updated to version 3.10.44 which adds better support for some hardware, comes with lots of stability fixes and closes some security issues. The vendor drivers for Intel network adapters have been updated, too.
  • One of the most significant changes is that the system now uses the PCIe ASPM configuration from the BIOS. The former option was to save as much power as possible which may lead to instabilities with some PCIe periphery. It is now possible to easily configure the desired operation mode in the BIOS of the system.
  • Various changes have been applied to the Xen image so installing IPFire on para-virtualized systems runs much more smoothly now.
  • PPP dial-in:
  • pppd, the Point-to-Point-Protocol Daemon, has been updated to version 2.4.6 which comes with some stability and security fixes. For PPPoE sessions, the system will try to connect to the Internet for a longer time now before giving up. This helps us to establish a connection even if there are some really weird modems around that need some time to initialize when the network link goes up (seen with radio link antennas).
  • LTE/3G Modem Status:
  • The IPFire web interface got a new status page for modems. This includes all serial modems from 56k analogue modems up to LTE and 3G modems. On this page there will be various information about the connected network, signal quality and SIM card if one is available.
  • Squid Web Proxy Update:
  • The Squid web proxy server has been updated to version 3.4.5. As this is a major version update, several deprecated things and incompatibilities had to be resolved. The redirect wrapper process has been rewritten and all the redirect helpers (URL-Filter, Update Accelerator and squidclamav) have been patched to be able to communicate with the proxy process again.
  • When using proxy.pac for automatic client configuration, please note that access to the web proxy is now only granted for the actual subnets of the firewall and not for the entire private RFC1918 address space any more. In addition to that, accessing resources of the same subdomain as the clients (i.e. internet network access) circumvents the proxy as well.
  • Support for the internal Quality of Service has been compiled in.
  • Intrusion Detection System:
  • snort, the Intrusion Detection System, has been updated to version 2.9.6.1. Downloading of rules will be possible for some time now.
  • Misc:
  • Alf Høgemark contributed an updated version of vnstat which is a tool to measure the consumed traffic on each network interface and generates beautiful graphs out of it.
  • He also contributed a new log page on the IPFire web interface that shows from which country the most firewall hits originate.
  • The new firewall GUI now supports blocking access to the GREEN firewall interface from the GREEN network.
  • The PIE packet scheduler has been added for experienced users to experiment.
  • Lots of cleanup of the generated HTML output of the CGI web interface scripts has been done.
  • The Turkish translation has been updated by Ersan Yildirim.
  • The net-utils which provided the basic tools like ping has been removed and now only the version of ping that comes with the iputils package is used. The hostname command has been replaced by a version that is maintained by Debian.
  • Updated packages: daq 2.0.2, libpcap 1.4.0, openvpn 2.3.4, sudo 1.8.10p3
  • The build system is now able to use qemu and compile for ARM on x86 machines.
  • Enabling the front LEDs on an ALIX system has been fixed when a RED device has been assigned but the system actually uses a dial-in connection.
  • Installer:
  • Installation on systems that only have a serial console is now possible from the ISO image. The baudrate has been set to 115200 throughout the entire process; this was formerly broken and the baudrate had to be changed a couple of times.
  • The default size of the root partition has been increased.
  • The backup ISO that can be generated on the backup page of the IPFire web interface is now a hybrid image as well so that it can be put on a USB key instead of burning it on a disk.
  • Dynamic DNS providers:
  • Some new dynamic DNS providers have been added: spdns.de (Bernhard Bitsch), twodns.de, variomedia.de (Stefan Ernst)
  • Add-ons:
  • New Arrivals:
  • icinga 1.11.4 (The nagios package may be dropped in the near future)
  • sslscan 1.10.2 – A simple tool to scan which SSL features and ciphers a remote host supports
  • Updates:
  • cacti 0.8.8b
  • clamav 0.98.4
  • nut 2.7.2 (Dirk Wagner)
  • samba 3.6.24
  • transmission 2.83
  • Dropped add-ons:
  • icecc
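
The HMAC pre-check that the Core 79 OpenVPN notes above describe for the tls-auth option, as an added example that is not IPFire or OpenVPN code: a receiver verifies a cheap HMAC tag before doing any costly work, so spoofed packets are discarded without reaching the expensive step. The packet layout (tag followed by payload), the names seal, HmacGate and simulate, the PBKDF2 stand-in for the costly operation and all sample packets are assumptions constructed for this illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def seal(key: bytes, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC-SHA256 tag computed over the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


class HmacGate:
    """Receiver that checks the HMAC tag before any costly processing."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.expensive_calls = 0  # packets that reached the costly step
        self.dropped = 0          # packets discarded by the cheap check

    def _expensive_step(self, payload: bytes) -> bytes:
        # Stand-in for the costly operation (handshake / decryption).
        # PBKDF2 is used here only because it is deliberately slow.
        self.expensive_calls += 1
        return hashlib.pbkdf2_hmac("sha256", payload, b"constructed-salt", 20_000)

    def receive(self, packet: bytes) -> bool:
        # Too short to carry a tag plus at least one payload byte.
        if len(packet) <= TAG_LEN:
            self.dropped += 1
            return False
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return False
        self._expensive_step(payload)
        return True


def simulate() -> tuple:
    """Feed constructed legitimate and spoofed packets through the gate."""
    key = hashlib.sha256(b"constructed shared key").digest()
    gate = HmacGate(key)

    legit = [seal(key, b"client-hello-%d" % i) for i in range(3)]

    # Constructed flood: 1000 packets of junk that carry no valid tag.
    flood = [hashlib.sha512(b"junk-%d" % i).digest() for i in range(1000)]
    # A packet sealed with the wrong key.
    wrong_key = seal(b"\x00" * 32, b"client-hello-0")
    # A legitimate packet with one payload bit flipped in transit.
    tampered = bytearray(legit[0])
    tampered[-1] ^= 0x01
    # A packet cut off before the tag is complete.
    truncated = legit[1][: TAG_LEN - 1]

    for packet in flood + [wrong_key, bytes(tampered), truncated] + legit:
        gate.receive(packet)
    return gate.expensive_calls, gate.dropped


if __name__ == "__main__":
    calls, dropped = simulate()
    print(f"expensive operations: {calls}, dropped at HMAC check: {dropped}")
```

Only the three correctly tagged packets reach the costly step; the flood, the wrong-key packet, the tampered packet and the truncated packet are all rejected by the HMAC comparison.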

New in version 2.15 Core 78 (June 9th, 2014)

  • This update comes with important openssl security fixes and we recommend to install it as soon as possible.
  • OpenSSL 1.0.1h:
  • There have been several vulnerabilities discovered in the openssl library which is responsible for implementing the SSL/TLS protocol and other cryptographic tasks. All details about these can be found in the original openssl security advisory.

New in version 2.15 Core 77 (June 9th, 2014)

  • New firewall GUI
  • The Linux kernel – now grsecurity-enabled
  • ARM support
  • New Web User Interface style
  • Stronger Ciphers for the Web User Interface
  • beep has been updated to version 1.3 and supports more beepers.
  • fireinfo did not properly read harddisk serial numbers if those were shorter than 10 characters. This may cause some systems to change their fireinfo ID.
  • The boot process has been improved so that the system should boot up slightly faster.
  • OpenVPN net-to-net connections sometimes got stuck in the WAIT state. The user interface now reliably shows whether a connection is established or not.
  • Insertion of thousands of hosts on the wireless access page has been improved.
  • Command-line parsing in the setuid binaries has been improved, as it was possible to crash those commands through a stack buffer overflow.
  • Statistics of the Solus PCI DSL modems are shown in the web user interface.
  • The update accelerator supports Archlinux packages now and does not stumble upon files with a colon (:) in the URL.
  • New packages: iotop, stunnel
  • mysql has been updated to version 5.0.96.
  • cups has been updated to version 1.7.0 and uses libusb to communicate with USB printers.
  • gutenprint has been updated to version 5.2.9 and comes with support for many new printers.
  • foomatic has been updated to version 4.09/4.0.17 (20131023) and provides even more drivers for printers.
  • miniupnpd has been updated to version 1.8.
  • fetchmail has been updated to version 6.3.26.
  • git has been updated to version 1.8.5.2.
  • nginx has been updated to version 1.4.4.
  • clamav has been updated to version 0.98.1.
  • rsync has been updated to version 3.1.0.
  • samba has been updated to version 3.6.19.
  • vdr has been updated to version 2.0.5.
  • w_scan has been updated to version 20130331.

New in version 2.13 Core 76 (April 23rd, 2014)

  • This release comes with a security fix for the strongswan package, which is responsible for IPsec VPN connections. The vulnerability is filed under CVE-2014-2338. It was possible to bypass authentication and thereby take over a VPN connection while the original peers were rekeying. IKEv1 connections are not vulnerable, but IKEv2 connections are.

New in version 2.13 Core 75 (January 13th, 2014)

  • OpenVPN TLS certificate validation:
  • Due to a change in OpenVPN 2.3, the common name in the certificate of the connecting user was formatted differently than before. As a result, the certificate could not be properly validated, because the lookup searched for one with a different name.
  • This update ships a fixed version of the verify script that can work with both formats of the common name.
  • OpenVPN connection configuration:
  • Because of a related cause, the route configuration was not pushed to some clients when they connected. This issue is filed under bug id #10323 and has been addressed in this update.
  • Pakfire locking up:
  • When pakfire receives an empty mirror list, the process stalls while it is checking for a working mirror server. A fix for this problem has been introduced that will download packages from the main server, when none of the mirror servers is available.

New in version 2.13 Core 73 (November 26th, 2013)

  • IPFire 2.13 – Core Update 73 comes with a bunch of smaller bugfixes and updates. The most important ones of these are updates of the squid web proxy server, openssh and the PHP Hypertext Processor. It is recommended to update as soon as possible.
  • squid 3.3:
  • The squid web proxy server has been updated to version 3.3.10. The most notable changes since the current version of squid running in IPFire are better SMP scalability, an updated logging infrastructure and fixes all over the place.
  • The transparent mode has been dropped in favour of the more general intercept mode, which requires a different port than the transparent mode. No user intervention is required when updating your IPFire system, as a new port for this service will automatically be chosen and configured.
  • Also, the default number of file descriptors has been increased for new installations.
  • php 5.3.27:
  • PHP has been updated to version 5.3.27, which fixes a whole bunch of bugs as usual. Modules for ZIP and sqlite2 are compiled in now.
  • Misc. changes:
  • openssh has been updated to version 6.4p1.
  • Wireless Client: You can now use an apostrophe (’) in the SSID string (#10427). There has also been some help added for the priority option (#10428).
  • Static Routes: Fix validating IP addresses (e.g. 10.0.0.0 was recognized as a wrong IP address).
  • Formerly, when a network interface for the blue or orange network zone had been assigned, but blue or orange were not enabled, various CGI scripts crashed. This has been fixed now.
  • The release of this Core Update was delayed because the developers are currently working on the next major version of IPFire. To support us all, please consider sending us a donation or joining the team to help bust bugs!

New in version 2.13 Core 72 (August 28th, 2013)

  • The Core Update comes with a lot of feature enhancements for IPsec, smaller fixes for OpenVPN and fixes for two denial-of-service issues in the Squid web proxy.
  • strongswan 5.1.0:
  • strongswan, the software package that is responsible for IPsec VPN connections, has been updated to version 5.1.0. This is a major version, which fixes various kinds of bugs and also fixes a denial-of-service bug, which is of very little priority for IPFire users (CVE-2013-5013).
  • Elliptic Curve Cryptography:
  • It is now possible to use Elliptic Curve Cryptography (ECC) groups in the Internet Key Exchange (IKE) protocols in addition to the previously defined Diffie-Hellman groups. Advantages of using these include better efficiency because the underlying integer arithmetic is much faster than the binary field arithmetic MODP uses. ECC also requires much smaller keys to achieve the same level of security as the Diffie-Hellman algorithm does. Therefore less entropy is consumed.
  • Smaller default keys:
  • As has often been pointed out, gathering enough entropy is a problem on some computers. This makes it hard to do a proper key exchange, because the keys generated for it require a certain amount of random data. The default settings for the key length have been very high since IPFire 2.13 and are now lowered for the reasons above. Instead of 8192 bits, the highest selected MODP group uses 4096-bit keys.
  • More technical reasons are to be found in the comments of #10396.
  • squid Web Proxy server:
  • The squid web proxy server has got two denial-of-service issues that are fixed in this Core Update. It was possible to crash the cache manager when authenticating, and it was possible to crash the entire proxy server with requests containing over-long domain names (more information about this).
  • OpenVPN fixes:
  • The OpenVPN GUI now validates more precisely the subnet that is used as a transfer network for OpenVPN N2N connections. Incorrect data caused the openvpnctrl binary to crash when a new connection was started, and no firewall rules were added.
  • It is now permitted to leave the “remote” field empty on an N2N server site, which makes creating connections with clients from dynamic IP addresses easier.
  • OpenVPN client connections with more than one space character in their names work again.
  • Misc Changes:
  • snort has been enabled to decode packets from non-Ethernet devices again.
  • Dynamic DNS supports all-inkl.com now.
  • This update comes with all the requirements you need for Tor.
  • Tor – Protecting Online Anonymity:
  • The Tor add-on is finally released together with Core Update 72, which you need to install first if you want to use Tor. Please make sure to reboot your IPFire system after the Tor add-on has been installed.
  • Documentation about this add-on can be found on our wiki: Tor documentation
  • We would like to thank all the people who contributed to this wish on the IPFire wishlist. If you want to, there are other things you can support, so those get implemented soon, too!

New in version 2.13 Core 71 (August 7th, 2013)

  • Wireless Client on RED:
  • It is now possible to assign a wireless adapter as the RED interface. A GUI has been written where you can configure wireless access points, to which the IPFire system will connect when in reach.
  • You will be able to configure backup access points, to which IPFire will switch when the first one is down or out of reach. You can prioritize them, so that you can connect to the best one whenever that is possible. All common encryption technologies are supported.
  • This was funded on the IPFire wishlist a while ago, but was delayed because of lack of testers.
  • DNS forwarding GUI:
  • A new GUI has been written on which you are able to define different name servers than the public name servers for your DNS zones. So, you can use your internal name server for internal name resolution instead of the public one on the Internet.
  • Performance improvement of squidclamav:
  • Scanning all the HTTP traffic that is going through the proxy is very costly and makes browsing slow. In this update, we put the squidclamav process “in front of the proxy”. It now trusts the cache and won’t scan data that’s coming from the cache again, which results in a huge performance increase. You now won’t even notice that your traffic is scanned for viruses.
  • snort 2.9.5:
  • The Intrusion Detection System (IDS) snort has been updated to version 2.9.5. Updating the official ruleset from sourcefire is now possible again.
  • The VRT community rules package, which was not available for a long time, has been re-added to the list of rule sources.
  • Smaller changes:
  • The USB modeswitch database has been updated. This software configures UMTS/LTE/3G USB adapters so that they can be used as modems. Now, more of this hardware is supported.
  • Allow squid, the Web proxy service, to open more files and connections at once (more open file descriptors). This will result in a higher performance and better stability under high loads.
  • The whois tool for whois lookups has been replaced by GNU jwhois. It is much more flexible and does not have an outdated database like the old one.
  • squidclamav freezing when accessing sites that are also available over IPv6 has been fixed.
  • MTU negotiation on PPPoE: The default MTU for DSL lines has been 1492, which does not work on all DSL lines. If not configured correctly, your DSL connection won’t be able to transport big packets. That field may now be left empty, in which case IPFire will try to negotiate an appropriate MTU by itself.
  • Add-ons:
  • VDR 2.0 has been pushed to the stable tree.
  • Tor from the IPFire wishlist:
  • Thanks to all the people who donated for integrating Tor into IPFire. You can still support this wish or support the advanced firewall GUI.
  • The Tor add-on is already well advanced, because we worked day and night on it for a couple of days. We are confident that we will be able to ship it with Core Update 72. For that, we will need testers, so please stay tuned for that.

New in version 2.13 Core 70 (July 10th, 2013)

  • Kernel Update:
  • Another kernel update to Linux 3.2.48 fixes various smaller bugs.
  • In addition to that, we switched back to the official in-tree drivers for Realtek r81xx-based network adapters. The kernel modules e1000e and igb which control Intel ethernet adapters have been updated as well.
  • Wireless Database:
  • IPFire brings some data for wireless networks which basically contains information about which frequencies may be used in which countries. This database has been updated and covers more places in the world.
  • OpenVPN Net-to-Net hides transfer networks:
  • OpenVPN Net-to-Net connections use transfer networks which are needed to route the packets. To avoid creating more firewall rules, we now hide them from all other networks (and prohibit their use there). Additionally, the firewall’s IP addresses get translated, so that they never use addresses from the transfer nets.
  • You may need to adjust your firewall rules. The changes are explained in detail on our wiki.
  • This change is a step towards the new firewall. Please support this project.
  • Other changes:
  • Use libjpeg-turbo instead of the legacy version libjpeg 6.
  • Ship squid error pages in Turkish.
  • VLAN: Allow red0 being a virtual device.
  • DDNS: Better compatibility with DS-lite connections (100.64.0.0/10).
  • igmpproxy has been patched with patches from Deutsche Telekom to improve compatibility with their networks.

New in version 2.13 Core 69 (June 22nd, 2013)

  • Kernel Update:
  • The Linux kernel has been updated to address several security issues and other bugs.
  • The kernel is based on Linux 3.2.46 and comes with a newer wireless stack from kernel 3.8.3.
  • Some wireless hardware has got better support in terms of stability and we have added some more drivers for various networking hardware such as USB ethernet adapters. Please report any new hardware on the corresponding hardware compatibility lists.
  • New boot menu:
  • The install disk has got a new bootloader, where you now can install other versions of IPFire as well. There are also some diagnostic tools and other installation options available.
  • Turkish Translation:
  • A brand new translation of the IPFire installer and Web User Interface into the Turkish language has been added. Thanks for that to Ersan Yildirim.

New in version 2.13 Core 68 (May 23rd, 2013)

  • strongswan security update (version 5.0.4):
  • The strongswan team released version 5.0.4, which fixes an authentication bypass for certificates that use Elliptic Curves. As we don’t use them in IPFire by default, this is not too serious an issue for us, but we still updated the strongswan package.
  • The update also contains some changes that fix unstable IPsec connections that a minority of users was experiencing.
  • OpenVPN roadwarrior connections:
  • Since Core Update 65, disabling OpenVPN roadwarrior connections had no effect, so that users could still connect. This has also been fixed with this release.
  • New status bar:
  • The web user interface comes with a new status bar which now has a cleaner design and provides more information. Thanks to Jörn-Ingo Weigert for working on this.
  • Sortable connection tracking list:
  • The connection list on the web user interface is now sortable in every possible way. Patches have been sent by Kay-Michael Köhler.
  • Misc. changes:
  • Network modules have been added to the installer, so PXE installations work again.
  • Installation with certain USB keyboards is now possible, because kernel modules have been added to the installer.
  • The broken monospace font in graphs on the web interface has been fixed.
  • The kernel module for Intel’s MEI chipsets has been blacklisted, because the buggy module causes some Supermicro hardware to fail to shut down or to freeze on booting up.
  • sysbench has been added as a new package. It’s a system benchmark tool for the command line.

New in version 2.13 Core 67 (March 18th, 2013)

  • Update Accelerator now supports caching of Microsoft Windows 8 updates.
  • fireinfo has been updated to version 2.1.7, where a new hardware string has been put on the blacklist.
  • squid is now compiled with --enable-cache-digests (#10311)
  • OpenVPN client packages can now be downloaded when the server is not enabled.
  • Duplicate mISDN modules have been removed. mISDN is functional again.

New in version 2.13 (February 19th, 2013)

  • Base System:
  • The most important components of the base system have been updated to include a brand new kernel based on the Linux 3.2 release. With that, IPFire now supports more hardware than ever before and many of the hardware problems from the past should be gone.
  • The most basic system libraries have been replaced as well, giving us great performance and fixing some general security issues. If you’d like to know more about this specifically, please read this post on our planet.
  • Quality of Service with CoDeL:
  • In case you are struggling with a slow internet connection, CoDeL is your solution. This new algorithm shares the bandwidth fairly between all connections. It doesn’t need any configuration at all, but when tied together with our Quality of Service features, CoDeL gives you the most out of your connection.
  • Learn more about CoDeL in our planet post.
  • ARM:
  • We have finally declared the ARM versions of IPFire as stable. Since the very first testing release back in October 2011, a multitude of things have improved. As of today, IPFire runs on many different platforms, such as Marvell Kirkwood and Texas Instruments OMAP4-based systems, and of course, the Raspberry Pi computer.
  • The vast amount of people who have already been using IPFire ARM since we began to port it to the ARM architecture know that there was never really any big trouble to begin with. You can find more about this over here.
  • IPsec VPNs with strongswan 5:
  • The IPsec implementation strongswan recently released a new version which cleaned up a significant amount of old code, some of which has been in use for over a decade. If you want to know the details, check out the IPFire planet post.
  • Wireless LAN:
  • From our wishlist, we’ve implemented proper support for 5 GHz WLANs. Read this planet post to learn about the benefits.

New in version 2.11 Core 65 (December 19th, 2012)

  • OpenVPN CCD:
  • Alexander Marx developed a graphical interface with which one can configure OpenVPN roadwarrior clients individually.
  • It is possible to add routes, different DNS servers, static IP addresses to individual roadwarrior clients. One may also add networks from which IP addresses may be assigned to clients. Those subnets and static IP addresses can be used to create firewall rules and permit clients only to access certain parts of a network. More work in this area will be released in the future.
  • OpenVPN path MTU discovery:
  • The second OpenVPN-related feature in this release will increase the performance of your VPN connections by choosing the perfect MTU value. This reduces overhead and puts as much data into the packets as possible.
  • It’s easy to configure with just one box to check. More about this can be found in Stefan’s blog post and the testing announcement of this Core Update.
  • Minor bugfixes:
  • Static routes can now be added when they are noted in the subnet mask format like 10.0.0.0/255.0.0.0.
  • The Wake-on-LAN feature now sends two packets to the sleeping host. One is sent to the target MAC address and one is sent to the broadcast address. Some BIOSes only start with one of those.
  • The data archives of vnstat and collectd are now included in the backup.
  • The missing daq library, which prevented snort from starting, has been installed.
  • New add-ons and add-on updates:
  • Samba 3.5.20 has been released and comes with some minor bugfixes.
  • SARG can be installed and will analyse your proxy logs to create beautiful reports out of them.

New in version 2.11 Core 64 (November 21st, 2012)

  • Update accelerator: The path to the delete icon has been fixed as reported by Jörn-Ingo Weigert.
  • pakfire can now use the XZ compression algorithm for the package payload.

New in version 2.11 Core 63 (October 20th, 2012)

  • This update fixes some minor problems and fixes two security issues in apache.
  • Software updates:
  • apache2 – 2.2.23 – because of CVE-2012-2687 aka CVE-2008-0455 and CVE-2012-0883
  • dhcp – 4.2.2 – because the older version got confused with VLANs
  • fireinfo – 2.1.6 – Ignore some more invalid ID strings
  • Other bug fixes:
  • The long awaited OpenVPN fragment/mssfix bug has been fixed and the network-vlans initscript is not too noisy any more.
  • Despite that, some invalid HTML output was generated by the index.cgi script, which has been reported by mrkaehler. Thank you.

New in version 2.11 Core 59 (May 18th, 2012)

  • openssl (0.9.8x) – which mainly fixes a DoS issue: CVE-2012-2333
  • php (5.3.13) – Fixes CVE-2012-2311. It was possible to add additional parameters to a CGI call.
  • python (2.7.3) – which mainly fixes the hash table collision bug that has been around for some time. It also contains a lot of minor bugfixes for the language itself.

New in version 2.11 Core 58 (May 14th, 2012)

  • strongswan: 4.6.2 – Minor bugfixes (#10037).
  • fireinfo: 2.1.4 – Improved detection of number of CPUs on ARM devices.
  • openvpn: Update to 2.2.2 and now compiled with --enable-password-save (#10036).
  • vim: A small line at the bottom shows more information (#10021).
  • The hardware database, GeoIP database and usb_modeswitch database have been updated to enable newest hardware to work with IPFire.

New in version 2.11 Core 57 (March 7th, 2012)

  • Software updates:
  • These components have been updated to address various security issues or potential DDoS attacks:
  • php: security update to 5.3.10
  • apache: security update to 2.2.22
  • squid: update to 3.19
  • Misc. changes:
  • A bug in the GUI of the outgoing firewall was fixed, which automatically disabled a rule after it had been edited (#10022).
  • vim now works better on remote consoles like PuTTY. Thanks to Mathias Schneuwly for the patches (#10021).
  • The welcome banner that is shown to Cisco’s roadwarrior VPN client is now customized and says “Welcome to IPFire – An Open Source Firewall Solution”.
  • Recently updated addons:
  • These addons have been updated in the last few weeks:
  • cups: update to version 1.4.8
  • nut: update to latest version 2.6.3
  • pound: update to latest stable 2.6

New in version 2.11 Core 56 (February 2nd, 2012)

  • The most exciting new feature can be found in the preinstalled images, which automatically scale up the partitions at the first boot. If you use an 8GB SD card, you install the 2GB image and it will grow the partition sizes to use all space that is available on that SD card.
  • Note: The minimum required size of flash media has changed from 1GB to 2GB. This is because the / partition was too small for installing bigger addons.
  • Security updates
  • An update of openssl to version 0.9.8t fixes a security flaw (CVE-2012-0050, upstream information) that could be exploited in a denial of service attack.
  • Package updates:
  • usb-modeswitch: Update to 1.2.2 and database version 20120120. Now handles more UMTS and LTE hardware.
  • Bug fixes:
  • Fix baud rate on flash images. Is now 115200 for bootloader and kernel.
  • #10007 Reload static routes after connecting to the internet.
  • #10006 Allow “:” character in configuration settings (needed for WEB.DE DSL connections).
  • Fix changing passwords of proxy users.
  • Fix block device detection for graphs and other scripts (no more floppy devices).
  • Fix starting/stopping errors in the openvpn-control binary for net-to-net connections.

New in version 2.11 Core 55 (January 8th, 2012)

  • Package updates:
  • squid 3.1.18
  • snort 2.9.1.2 (daq 0.6.2)
  • smartmontools (5.42)
  • Network drivers:
  • Intel network drivers (igb 3.2.10, e1000 8.0.53, e1000e 1.6.3)
  • ath9k-htc (USB) firmware 1.3
  • Timezone and hardware database
  • GeoIP database
  • Small bugfixes:
  • Syntax error in DHCP client script
  • H.323 connection tracking modules are not loaded when the system starts

New in version 2.11 (November 3rd, 2011)

  • As in every single IPFire release we have made so far, there have been updates that brought new features while still keeping the systems up to date.
  • The biggest new feature in the now released version 2.11 of IPFire is the option to create net-to-net VPNs with OpenVPN. Until now, it was only possible to use OpenVPN to create roadwarrior networks, but we kept the easiness of configuring VPN tunnels by just sending configuration archives in ZIP format. To learn how that is working, see the reworked documentation on the wiki or go out and buy the latest issue of LinuxUser (German Linux magazine) which is available until 16th November 2011.
  • IPsec VPNs now support the IKEv2 protocol, which allows a more secure, faster and easier connection of the tunnels. It is also capable of creating IPsec VPNs through Carrier NAT.
  • Additionally, there is a way to add static entries to the routing table.

New in version 2.9 Core 47 (March 8th, 2011)

  • Updated php to 5.3.5.
  • Changed snort rule download to current snort version.
  • Add ssh ecdsa hostkey for new encryption algorithms.
  • Fix addon service pid/memory display if the addon name contains numbers.
  • proxy.cgi: fix filename of NTLM authenticator.
  • Add outgoing firewall group settings to backup.

New in version 2.9 Core 45 (February 2nd, 2011)

  • Update of fireinfo to version 2.0.4.
  • Update of squid to version 3.1.10 and fixed “proxy unable to handle max download size correctly”.
  • Update of snort to current stable 2.9.0.3 and disabled snort decoder events.
  • Update of memtest86+ (4.20).
  • Disabled geode_aes kernel module.
  • Fixed unattended restore of backupiso cd.
  • Improved vpn-watch.
  • Removed core-updates from pakfire cache.
  • fcron: disable mails and fix some cronjobs.
  • Outgoing firewall rules now log with LOG prefix despite the drop rules.
  • Remove some httpd/cron errorlog entries.

New in version 2.9 Core 44 (January 17th, 2011)

  • Fireinfo:
  • IPFire has got a new service called fireinfo. It can be enabled at your option and sends anonymous information about the system to the project.
  • We strongly recommend that users enable this feature so that we can learn from the statistics that are made. It is important for the developers to make decisions about the project and these are very much easier if there is some information available.
  • Every user can (but does not have to) make his own profile public. It is very easy to compare hardware setups then and maybe we can build a hardware compatibility list soon.
  • Please visit http://fireinfo.ipfire.org to learn more about fireinfo and to watch the charts, which are accessible by everybody.
  • You can find a link to your own profile (if you have enabled fireinfo) on your web interface. This is the URL you are supposed to share and if you want you can add a nice signature image to your forum signature (on the IPFire forum or any other forum, too).
  • Kernel Update:
  • IPFire 2.9 is based on the latest Linux kernel 2.6.32.28, which will be maintained by the kernel developers for several years. So all of the integrated patches will get into IPFire as well, bringing hardware compatibility, stability and most importantly security into the next releases of IPFire.
  • In addition to the default kernel, there is a PAE-enabled kernel (physical address extension) that is able to handle more than 4GB of memory.
  • Besides changes to the power management, which make IPFire less power consuming again, the most notable change is the removal of the legacy IDE stack, which was replaced by the new libata stack.
  • New hardware detection:
  • IPFire changed to dracut (http://sourceforge.net/apps/trac/dracut), which creates an initial ramdisk with lots of advantages for us. The most important one is that you can take a harddisk that has IPFire installed, put it into any computer and IPFire will boot properly. The only thing to do is to reconfigure the network interfaces, so you are able to replace a broken machine with a backup harddrive within a minute.
  • IPFire boots within a couple of seconds, which is a very big boost compared to older releases.
  • Installer:
  • There have also been changes on the installer. We require users to accept the terms of the GNU General Public Licence when a new IPFire system is installed.
  • A new feature is that if there is no CDROM drive, the installation image can be downloaded from the internet (this requires at least 256 megabytes of memory).
  • Experienced users will also notice that the initial setup of the network has moved to after the first boot, which makes it even simpler to install IPFire.
  • Ext4 is the preferred file system.
  • The little things:
  • Lots of improvements were made in the web user interface for more usability, and minor bugs were solved.
  • The network time daemon (NTP) is enabled by default.
  • Quality of Service: A miscalculation of the used bandwidth in VPN connections, which caused a slow-down of those connections, was fixed.
  • MTU problems on various connection types were solved: Some cable modems have a broken DHCP daemon that sends 576 bytes as default MTU which causes very slow connections. For all connections, there is an option to set a user-defined MTU.
  • Firewall groups are editable which brings more comfort to the configuration of the outgoing firewall.
  • Software updates: apache2 (2.2.17), dhcpcd (5.2.9), snort (2.9.0.2), strongswan (4.5.0), smartmontools (5.40), cpio (2.11), findutils (4.4.2), libcap (2.19), attr (2.4.43), iw (0.9.20), wpa_supplicant (0.7.3), hostapd (0.7.3), wireless-tools (30.pre9), kvm-kmod (2.6.34.1), v4l-dvb (2010-09-12), vim (7.2), syslinux (4.02), udev (125), usb_modeswitch (1.0.6/database 22.12.2010)

New in version 2.7 Core 40 (September 20th, 2010)

  • Added the French web interface translation.
  • Updated strongswan to 4.4.1
  • Updated openvpn to 2.1.2
  • Updated snort to 2.8.6.1
  • Updated python to 2.7
  • Updated cpio to 2.11
  • Updated drivers:
  • Intel igb network driver 2.3.4
  • Support manual override of usbserial vendor/productid
  • Add Huawei Android USB IDs to option driver
  • compat-wireless version 2.6.35-1
  • Changes on the outgoing firewall:
  • Re-added the mac filter
  • Fixes on firewall groups
  • Changes on the QoS module:
  • Fixed QoS device detection on connection type change
  • Changed QoS port field length to be able to enter port ranges
  • Added IPTV over ADSL (entertain) support (Germany)
  • Added DHCPd and dnsmasq configuration customization feature
  • Fixed bug #0000711 - Unable to delete addon backups
  • Cleaned up the installer:
  • Removed reiser4progs from installer system.
  • Mkinitcpio: Reduced initrd size by removing unneeded filesystems
  • Small WebIF changes:
  • Some cosmetic changes on time server
  • Changed Update-Booster (link) to Update-Accelerator
  • Default all processes to run with nice=0
  • Increased /var/lock to 8MB