May 23rd, 2013
strongswan security update (version 5.0.4):
· The strongswan team released version 5.0.4, which fixes an authentication bypass for certificates that use Elliptic Curves. As we don’t use them in IPFire by default, this is not too serious an issue for us, but we still updated the strongswan package.
· The update also contains some changes that fix unstable IPsec connections that a minority of users were experiencing.
OpenVPN roadwarrior connections:
· Since Core Update 65, disabling OpenVPN roadwarrior connections had no effect, so that users could still connect. This has also been fixed with this release.
New status bar:
· The web user interface comes with a new status bar which now has a cleaner design and provides more information. Thanks to Jörn-Ingo Weigert for working on this.
Sortable connection tracking list:
· The connection list on the web user interface is now sortable in every possible way. Patches have been sent by Kay-Michael Köhler.
· Network modules have been added to the installer, so PXE installations work again.
· Installation with certain USB keyboards is now possible, because kernel modules have been added to the installer.
· The broken monospace font in graphs on the web interface has been fixed.
· The kernel module for Intel’s MEI chipsets has been blacklisted, because the buggy module causes some Supermicro hardware to fail to shut down or to freeze while booting.
· sysbench has been added as a new package. It’s a system benchmark tool for the command line.
March 18th, 2013
· Update Accelerator now supports caching of Microsoft Windows 8 updates.
· fireinfo has been updated to version 2.1.7, where a new hardware string has been put on the blacklist.
· squid is now compiled with --enable-cache-digests (#10311)
· OpenVPN client packages can now be downloaded when the server is not enabled.
· Duplicate mISDN modules have been removed. mISDN is functional again.
February 19th, 2013
Base System:
· The most important components of the base system have been updated to include a brand new kernel based on the Linux 3.2 release. With that, IPFire now supports more hardware than ever before and many of the hardware problems from the past should be gone.
· The most basic system libraries have been replaced as well, giving us great performance and fixing some general security issues. If you’d like to know more about this specifically, please read this post on our planet.
Quality of Service with CoDeL:
· In case you are struggling with a slow internet connection, CoDeL is your solution. This new algorithm shares the bandwidth fairly between all connections. It doesn’t need any configuration at all, but when tied together with our Quality of Service features, CoDeL gives you the most out of your connection.
· Learn more about CoDeL in our planet post.
· We have finally declared the ARM versions of IPFire as stable. Since the very first testing release back in October 2011, a multitude of things have improved. As of today, IPFire runs on many different platforms, such as Marvell Kirkwood and Texas Instruments OMAP4-based systems, and of course, the Raspberry Pi computer.
· The large number of people who have already been using IPFire ARM since we began to port it to the ARM architecture know that there was never really any big trouble to begin with. You can find more about this over here.
IPsec VPNs with strongswan 5:
· The IPsec implementation strongswan recently released a new version which cleaned up a significant amount of old code, some of which has been in use for over a decade. If you want to know the details, check out the IPFire planet post.
· From our wishlist, we’ve implemented proper support for 5 GHz WLANs. Read this planet post to learn about the benefits.
December 19th, 2012
OpenVPN CCD:
· Alexander Marx developed a graphical interface with which one can configure OpenVPN roadwarrior clients individually.
· It is possible to add routes, different DNS servers, static IP addresses to individual roadwarrior clients. One may also add networks from which IP addresses may be assigned to clients. Those subnets and static IP addresses can be used to create firewall rules and permit clients only to access certain parts of a network. More work in this area will be released in the future.
OpenVPN path MTU discovery:
· The second OpenVPN-related feature in this release will increase the performance of your VPN connections by choosing the perfect MTU value. This reduces overhead and puts as much data into the packets as possible.
· It’s easy to configure with just one box to check. More about this can be found in Stefan’s blog post and the testing announcement of this Core Update.
· Static routes can now be added when they are noted in the subnet mask format like 10.0.0.0/255.0.0.0.
· The Wake-on-LAN feature now sends two packets to the sleeping host. One is sent to the target MAC address and one is sent to the broadcast address. Some BIOSes only start with one of those.
· The data archives of vnstat and collectd are now included in the backup.
· The daq library, whose absence kept snort from starting, has been installed.
New add-ons and add-on updates:
· Samba 3.5.20 has been released and comes with some minor bugfixes.
· SARG can be installed and will analyse your proxy logs to create beautiful reports out of them.
November 21st, 2012
· Update accelerator: The path to the delete icon has been fixed as reported by Jörn-Ingo Weigert.
· pakfire can now use the XZ compression algorithm for the package payload.
October 20th, 2012
· This update fixes some minor problems and fixes two security issues in apache.
· apache2 – 2.2.23 – because of CVE-2012-2687 aka CVE-2008-0455 and CVE-2012-0883
· dhcp – 4.2.2 – because the older version got confused with VLANs
· fireinfo – 2.1.6 – Ignore some more invalid ID strings
Other bug fixes:
· The long awaited OpenVPN fragment/mssfix bug has been fixed and the network-vlans initscript is not too noisy any more.
· Besides that, the index.cgi script generated some invalid HTML output, which was reported by mrkaehler. Thank you.
May 18th, 2012
· openssl (0.9.8x) – which mainly fixes a DoS issue: CVE-2012-2333
· php (5.3.13) – Fixes CVE-2012-2311. It was possible to add additional parameters to a CGI call.
· python (2.7.3) – which mainly fixes the hash table collision bug that has been around for some time. It also contains a lot of minor bugfixes for the language itself.
May 14th, 2012
· strongswan: 4.6.2 – Minor bugfixes (#10037).
· fireinfo: 2.1.4 – Improved detection of number of CPUs on ARM devices.
· openvpn: Update to 2.2.2 and now compiled with --enable-password-save (#10036).
· vim: A small line at the bottom shows more information (#10021).
· The hardware database, GeoIP database and usb_modeswitch database have been updated to enable newest hardware to work with IPFire.
March 7th, 2012
Software updates:
These components have been updated to address various security issues or potential DDoS attacks:
· php: security update to 5.3.10
· apache: security update to 2.2.22
· squid: update to 3.19
· A bug in the GUI of the outgoing firewall, which automatically disabled a rule after it had been edited, was fixed (#10022).
· vim now works better on remote consoles like PuTTY. Thanks to Mathias Schneuwly for the patches (#10021).
· The welcome banner that is shown to Cisco’s roadwarrior VPN client is now customized and says “Welcome to IPFire – An Open Source Firewall Solution”.
Recently updated addons:
These addons have been updated in the last few weeks:
· cups: update to version 1.4.8
· nut: update to latest version 2.6.3
· pound: update to latest stable 2.6
February 2nd, 2012
· The most exciting new feature can be found in the preinstalled images, which automatically scale up the partitions at the first boot. If you use an 8GB SD card, you install the 2GB image and it will grow the partition sizes to use all the space that is available on that SD card.
· Note: The minimum required size of flash media has changed from 1GB to 2GB. This is because the / partition was too small for installing bigger addons.
· Security updates
· An update of openssl to version 0.9.8t fixes a security flaw (CVE-2012-0050, upstream information) that could be exploited in a denial of service attack.
· usb-modeswitch: Update to 1.2.2 and database version 20120120. Now handles more UMTS and LTE hardware.
· Fix baud rate on flash images. It is now 115200 for bootloader and kernel.
· #10007 Reload static routes after connecting to the internet.
· #10006 Allow “:” character in configuration settings (needed for WEB.DE DSL connections).
· Fix changing passwords of proxy users.
· Fix block device detection for graphs and other scripts (no more floppy devices).
· Fix starting/stopping errors in the openvpn-control binary for net-to-net connections.
January 8th, 2012
Package updates:
· squid 3.1.18
· snort 18.104.22.168 (daq 0.6.2)
· smartmontools (5.42)
· Intel network drivers (igb 3.2.10, e1000 8.0.53, e1000e 1.6.3)
· ath9k-htc (USB) firmware 1.3
· Timezone and hardware database
· GeoIP database
· Syntax error in DHCP client script
· H.323 connection tracking modules are not loaded when the system starts
November 3rd, 2011
· As in every single IPFire release we have made so far, there have been updates that brought new features while still keeping the systems up to date.
· The biggest new feature in the now released version 2.11 of IPFire is the option to create net-to-net VPNs with OpenVPN. Until now, it was only possible to use OpenVPN to create roadwarrior networks, but we kept the ease of configuring VPN tunnels by just sending configuration archives in ZIP format. To learn how that works, see the reworked documentation on the wiki or go out and buy the latest issue of LinuxUser (German Linux magazine), which is available until 16th November 2011.
· IPsec VPNs now support the IKEv2 protocol, which allows a more secure, faster and easier connection of the tunnels. It is also capable of creating IPsec VPNs through Carrier NAT.
· Additionally, there is a way to add static entries to the routing table.
March 8th, 2011
· Updated php to 5.3.5.
· Changed snort rule download to current snort version.
· Add ssh ecdsa hostkey for new encryption algorithms.
· Fix addon service pid/memory display if the addon name contains numbers.
· proxy.cgi: fix filename of NTLM authenticator.
· Add outgoing firewall group settings to backup.
February 2nd, 2011
· Update of fireinfo to version 2.0.4.
· Update of squid to version 3.1.10 and fixed “proxy unable to handle max download size correctly”.
· Update of snort to current stable 22.214.171.124 and disabled snort decoder events.
· Update of memtest86+ (4.20).
· Disabled geode_aes kernel module.
· Fixed unattended restore of backupiso cd.
· Improved vpn-watch.
· Removed core-updates from pakfire cache.
· fcron: disable mails and fix some cronjobs.
· Outgoing firewall rules now log with LOG prefix despite the drop rules.
· Remove some httpd/cron errorlog entries.
January 17th, 2011
Fireinfo:
· IPFire has got a new service called fireinfo. It can be enabled at your option and sends anonymous information about the system to the project.
· We strongly recommend the users to enable this feature so that we can learn from the statistics that are made. It is important for the developers to make decisions about the project and these are very much easier if there is some information available.
· Every user can (but does not have to) make his own profile public. It is very easy to compare hardware setups then and maybe we can build a hardware compatibility list, soon.
· Please visit http://fireinfo.ipfire.org to learn more about fireinfo and to watch the charts, which are accessible to everybody.
· You can find a link to your own profile (if you have enabled fireinfo) on your web interface. This is the URL you are supposed to share and if you want you can add a nice signature image to your forum signature (on the IPFire forum or any other forum, too).
· IPFire 2.9 is based on the latest Linux kernel 126.96.36.199, which will be maintained by the kernel developers for several years. So all of the integrated patches will get into IPFire as well, bringing hardware compatibility, stability and most importantly security into the next releases of IPFire.
· Additionally to the default kernel, there is a PAE-enabled kernel (physical address extension) that is able to handle more than 4GB of memory.
· Besides changes to the power management, which make IPFire less power-consuming again, the most notable change is the removal of the legacy IDE stack, which was replaced by the new libata stack.
New hardware detection:
· IPFire changed to dracut (http://sourceforge.net/apps/trac/dracut), which creates an initial ramdisk with lots of advantages for us. The most important one is that you can take a hard disk that has IPFire installed, put it into any computer and IPFire will boot properly. The only thing to do is to reconfigure the network interfaces, so you are able to replace a broken machine with a backup hard drive within a minute.
· IPFire boots within a couple of seconds, which is a very big boost compared to older releases.
· There have also been changes on the installer. We require users to accept the terms of the GNU General Public Licence when a new IPFire system is installed.
· A new feature is that if there is no CDROM drive, the installation image can be downloaded from the internet (this requires at least 256 megabytes of memory).
· Experienced users will also notice that the initial setup of the network has moved to after the first boot, which makes it even simpler to install IPFire.
· Ext4 is the preferred file system.
· The little things
· Lots of usability improvements were made in the web user interface, and minor bugs were solved.
· The network time daemon (NTP) is enabled by default.
· Quality of Service: A miscalculation of the used bandwidth in VPN connections, which caused a slow-down of those connections, was fixed.
· MTU problems on various connection types were solved: Some cable modems have a broken DHCP daemon that sends 576 bytes as default MTU which causes very slow connections. For all connections, there is an option to set a user-defined MTU.
· Firewall groups are editable, which makes configuring the outgoing firewall more comfortable.
· Software updates: apache2 (2.2.17), dhcpcd (5.2.9), snort (188.8.131.52), strongswan (4.5.0), smartmontools (5.40), cpio (2.11), findutils (4.4.2), libcap (2.19), attr (2.4.43), iw (0.9.20), wpa_supplicant (0.7.3), hostapd (0.7.3), wireless-tools (30.pre9), kvm-kmod (184.108.40.206), v4l-dvb (2010-09-12), vim (7.2), syslinux (4.02), udev (125), usb_modeswitch (1.0.6/database 22.12.2010)
September 20th, 2010
· Added the French web interface translation.
· Updated strongswan to 4.4.1
· Updated openvpn to 2.1.2
· Updated snort to 220.127.116.11
· Updated python to 2.7
· Updated cpio 2.11
· Intel igb network driver 2.3.4
· Support manual override of usbserial vendor/productid
· Add Huawei Android USB IDs to option driver
· compat-wireless version 2.6.35-1
Changes on the outgoing firewall:
· Re-added the mac filter
· Fixes on firewall groups
Changes on the QoS module:
· Fixed QoS device detection on connection type change
· Changed QoS port field length to be able to enter port ranges
· Added IPTV over ADSL (entertain) support (Germany)
· Added DHCPd and dnsmasq configuration customization feature
· Fixed bug #0000711 - Unable to delete addon backups
Cleaned up the installer:
· Removed reiser4progs from installer system.
· Mkinitcpio: Reduced initrd size by removing unneeded filesystems
Small WebIF changes:
· Some cosmetic changes on time server
· Changed Update-Booster (link) to Update-Accelerator
· Default all processes to run with nice=0
· Increased /var/lock to 8MB